[HN Gopher] Hacking Kia: Remotely controlling cars with just a l...
___________________________________________________________________
Hacking Kia: Remotely controlling cars with just a license plate
Author : speckx
Score : 566 points
Date : 2024-09-26 14:22 UTC (1 days ago)
(HTM) web link (samcurry.net)
(TXT) w3m dump (samcurry.net)
| ivewonyoung wrote:
| Does Kia have a bug bounty like Tesla does? Tesla paid out 200k
| and a Tesla a few months ago.
| daghamm wrote:
| Almost all vehicle manufacturers have bug bounty programs of
| some kind (open or closed) but I seriously doubt Kia is one of
| them.
|
| BTW, the Tesla bug from April is really scary. $100K is peanuts
| for the ability to remotely control the engine from an adjacent
| vehicle.
| pwagland wrote:
| Any source for this issue, I could not find any reference,
| but am not doubting that it exists.
| daghamm wrote:
| Not yet fully public, sorry :(
|
| I will give you one hint: cars have sensors that are read
| wirelessly by ECUs on the internal (unprotected) network.
| voxadam wrote:
| From https://www.hyundaiusa.com/us/en/vulnerability-disclosure:
| In submitting reports, please note that although Hyundai Motor
| America sincerely values vulnerability reports, we do not
| provide monetary compensation ("bounties") or non-
| monetary remuneration in exchange for submitted reports. This
| program is only meant to facilitate the responsible
| reporting and resolution of cybersecurity
| vulnerabilities.
|
| Note: Kia is owned by Hyundai.
| omoikane wrote:
| Kia America Vulnerability Disclosure Policy:
|
| https://www.kia.com/us/en/vulnerability.html
| Please also note that we do not award bounties for reporting
| vulnerabilities.
| myself248 wrote:
| "thanks to a simple website bug AND TELEMATICS HARDWARE in the
| vehicles that had absolutely no relevance to their ability to get
| from point A to point B"
| josefritzishere wrote:
| Can we stop connecting cars to the internet now?
| bell-cot wrote:
| Why would any of the decision makers want to do that? It's not
| like 99.9% of consumers appear willing to pay 10 cents more for
| an unconnected car.
| squidgedcricket wrote:
| The only way a connected car would be cheaper is if money is
| made from the data sent over the connection. Clearly that's
| the case right now.
|
| Up-front NRE, per unit HW, perpetual cloud backend
| maintenance. There's a lot of cost to connect a car to the
| internet. It should be a luxury option that I can decline to
| have installed.
| sroussey wrote:
| Recalls that can be fixed with over the air updates is a
| large financial reason to connect cars to the internet.
|
| Personally, I'd rather connect to my WiFi where I have
| control, but that's a lot to ask for regular consumers.
| barbazoo wrote:
| My Kia Niro _is_ connected to the internet yet I can't
| OTA apply anything. Updates to the navigation data
| (~80GB) have to be done via USB and recall related
| updates have to get applied by the manufacturer. So I get
| 100% of the attack surface and ~0% of the convenience.
| sroussey wrote:
| Oh god, that's terrible!
|
| I wonder how many years that will take. Five years?
| barbazoo wrote:
| I'm trying to imagine a time when I _would_ want my car to be
| connected to the internet. Hard to come up with, other than
| remote locking, that's it for me. Not sure that's worth the
| attack surface.
|
| What I _do_ find useful is the car having "cellular
| connectivity" to make emergency calls. But that doesn't require
| internet connectivity.
| supportengineer wrote:
| Tesla does it very well. My Tesla connects to my home wi-fi.
| When it's parked in the driveway it can download and install
| firmware updates. They are somewhat frequent. Other than
| major UI changes, I have been happy with the way they add
| features and ensure stability.
|
| With the app it's very useful to be able to find out the
| location of the car, the status of the doors and windows, the
| current mileage, and be able to control the climate (Dog
| Mode, etc), warm up on cold mornings, cool down in summer.
| You can also get important notifications (i.e. Climate mode
| on for a long time, Door/Window is open, etc.)
|
| You might knock the remote climate feature but if you have
| dogs/kids/elderly it really improves their quality of life.
|
| There's another recent feature which supports streaming music
| such as Apple Music, without your phone needed. This is
| convenient and useful.
|
| Tesla charges $9.99 USD a month for this which I find to be
| extremely reasonable. (I am an SRE and I know what it takes
| to maintain scalable secure infrastructures.)
| wannacboatmovie wrote:
| GM introduced this functionality 25 years ago with OnStar.
| It's been around so long the technology is considered
| legacy with support farmed out to Filipinos.
|
| The fact that your car needs "somewhat frequent" updates
| doesn't concern you? Cars are effectively appliances, they
| should work right the first time, with minor updates here
| and there to fix serious issues which can be done in the
| safety of a shop at next scheduled service, and not risk
| pulling a Rivian and bricking the entire fleet at the push
| of a button.
| ninalanyon wrote:
| The over the air updates to my 2015 Tesla S have added
| features as well as fixing bugs.
| prmoustache wrote:
| features...or distractions?
| fragmede wrote:
| there are things they managed to fix in software that you
| thought would need to be fixed in hardware
| barbazoo wrote:
| Kia charges more than that IIRC and has none of those
| notifications, which would actually be useful (e.g. window
| open).
| WorldWideWebb wrote:
| Tesla does a lot of the "slick" features very well, but at
| least for me, they have been failing miserably at the
| basics:
|
| - customer service: took 3 weeks to get my last service
| appointment, so I couldn't drive my car for that long
| (service was because the charge port door wouldn't open);
| was not told that when I had to replace the touchscreen (it
| had bubbles in it and I live in a very moderate climate), I
| would no longer have a radio.
|
| - basic/critical features being poorly designed or
| seemingly had little thought put into them: see the above
| charge port door issue; window seals that drip going
| through the car wash; no physical controls for anything so
| you have to focus on the touchscreen while driving; other
| random fit and finish issues just due to substandard
| workmanship.
|
| - substandard software: frequent issues and bugs with basic
| operation; after my touchscreen was replaced, the glove box
| pin no longer opens the glove box (minor nit, but
| annoying); loads of other random little annoyances.
| briffle wrote:
| My 2015 vehicle has remote start on the remote. It's very
| handy in cold and hot extremes to start a few min early, and
| then let it warm up or cool down.
|
| My 2020 Subaru only does remote start if you pay the monthly
| fee for their access (confusingly called Starlink), and
| requires the 'subaru app'
|
| I hate it.
|
| https://www.subaru.com/subaru-starlink/starlink-safety-
| and-s...
| OptionOfT wrote:
| https://parts.subaru.com/p/Subaru_2020_/Remote-Engine-
| Starte...
|
| Not sure how you program it to your car, but I would get it
| just so I don't need to use an app.
| jshdhehe wrote:
| Gonna keep me 2012 toyota a biiiit longer then. Sorry
| climate.
| smeej wrote:
| This is why I keep my mechanic in business repairing my '07
| Prius.
|
| I'm starting to wonder if I'm the only one left in the world
| who would rather the internet _not_ eat me alive.
| krunck wrote:
| Yes, we can still modify our cars as we please. Maybe it won't
| be legal. But we are able to. And we should.
| maxwell wrote:
| On the contrary-- _preventing_ modification of cars is
| illegal in my state.
| supportengineer wrote:
| At least have a hard toggle switch mandated just like the
| button for emergency flashers.
| sxcurity wrote:
| Stop connecting vehicles to the internet pls & thanks
| yupyupyups wrote:
| Ok, I won't.
| carabiner wrote:
| Thanks.
| AdamJacobMuller wrote:
| If it's done well, there are some useful features there.
|
| App unlock, remote start + remote temperature control. All very
| useful.
|
| I couldn't imagine buying a car without carplay now.
| rwmj wrote:
| Sorry no. App unlock is a stupid anti-feature, do people
| genuinely think it's better than pressing a keyfob?
|
| Remote start _is_ very useful in very cold climates, but
| guess what, it doesn't need a phone, an app or the internet.
| My friend in a snowy part of Japan had a radio keyfob that
| did this literally 10 or more years ago. As long as you were
| within about 100 ft of the car you could switch it on and
| turn on the heaters.
| AyyEye wrote:
| I installed an aftermarket remote start kit in the 90s. It
| cost less than $100.
| kube-system wrote:
| Many of the earlier aftermarket remote start kits were
| cheap and simple because the vehicles had fewer security
| features. They are more complex and expensive today, and
| some are questionable in their implementation.
| tspike wrote:
| Right, the point is that complexity is unnecessary.
| AyyEye wrote:
| And yet, weirdly, my insecure 1990s era car wasn't able
| to be controlled over the internet and didn't have a
| direct data link to my insurance company.
| toomuchtodo wrote:
| I use my Tesla app to lock and unlock our vehicles all the
| time, in all cases outside of RF range. I have a Twilio
| number wired up I can call, enter a 10 digit code, and it
| will unlock and enable the vehicle to drive in the event I
| have lost my phone and keycard. These are material quality
| of life improvements.
|
| Physical access is required to exploit any unauthorized
| access to the vehicle. What are you going to do? Steal my
| change?
| roywiggins wrote:
| Is it really so much better than an RF keyfob that it's
| worth connecting your car to the Internet for?
| toomuchtodo wrote:
| Yes, I accept the risk and threat model. RF fobs are
| compromised frequently as well. Unless you rip the
| cellular module out of my vehicles, I will find it, and
| someone is just going to break the window if they want
| in.
|
| Edit: Non connected cars for the risk adverse, connected
| cars for those with the risk appetite. The market will
| self sort, even if telematics requires more regulatory
| oversight (they do!).
|
| https://www.google.com/search?q=fob+relaying+theft+attack
| roywiggins wrote:
| Of course, with this Kia attack, it didn't matter if you
| had never used or activated the feature, it was still
| vulnerable. With keyfobs you can just not use it or
| destroy it if you are worried about relay attacks.
|
| Connecting every car to the Internet at all times just in
| case their owners might want to activate a remote start
| feature at some point is _nuts_.
| potato3732842 wrote:
| >Yes, I accept the risk and threat model.
|
| >Edit: Non connected cars for the risk adverse, connected
| cars for those with the risk appetite. The market will
| self sort, even if telematics requires more regulatory
| oversight (they do!).
|
| Seems contradictory. What risk are you actually accepting
| if we're all forced to kick in for some regulator that
| protects you from the majority of the risk?
| toomuchtodo wrote:
| DHS, CISA and NHTSA already exist to provide cyber
| regulatory mechanisms at the intersection of automotive
| and telematics or other software/connected scope. If an
| entity ships shit, apply punitive punishment to the
| offender (NHTSA forces software updates as recalls today,
| but can do much more). Software and connectedness is not
| going away [1] [2], so secure software development,
| actual QA, and real change management must be strongly
| encouraged through incentives. "The beatings will
| continue until the security posture improves."
|
| [1] https://www.techradar.com/pro/security/hackers-are-
| increasin...
|
| [2] https://www.cisa.gov/news-
| events/alerts/2024/09/25/threat-ac...
| almostnormal wrote:
| Risk/threat I would accept. Leaking data - to telcos by
| constantly being connected to some cell tower and
| explicitly to the manufacturer whatever they decide to
| transmit - is the part I don't like.
|
| I don't even carry a phone for that reason.
| natch wrote:
| Nice lifehack; I'm going to do this. Please share more if
| you have them.
| somehnguy wrote:
| Remote start via phone is still useful in cold climates.
| While getting a ride with a friend to my car left at some
| location I've been able to start & get it warmed up before
| we even got off the highway.
|
| It was nice and warm by the time I arrived to it. With only
| a keyfob it would have still been ice cold.
|
| Absolutely not a necessary feature, but I miss it (free
| MyLink subscription expired and I won't pay for it).
| toast0 wrote:
| For safety, you're really not supposed to remote start a
| vehicle if you can't observe it / are in contact with
| someone who is observing it. Lots of potential hazards,
| but it can be convenient.
| Kirby64 wrote:
| With an EV, this isn't a concern. No tailpipe fumes or
| whatnot to worry about. Also, in pretty much any public
| space where you would park it (i.e., outside of your own
| garage), this isn't a concern either.
| Rebelgecko wrote:
| Can you give an example of a hazard? I genuinely can't
| think of one- at least on my car, when you remote start
| it is still locked so it's not like anyone can get in and
| drive it away (and even if someone breaks in I don't
| think it'll go into Drive without a key in the vehicle)
| toast0 wrote:
| If the tailpipe is restricted (by snow, say), you're
| likely to damage the car. If it runs poorly when it
| starts, and it's unsupervised, it could result in damage
| that would have been avoided if you were present and shut
| it down in a reasonable amount of time.
|
| If someone is working on the car (authorized or not),
| they may be injured if it starts without their knowledge.
|
| If it's parked indoors, exhaust gasses are likely to
| build up, leading to a dangerous situation. If you have
| multiple drivers, maybe someone else moved it and you
| didn't know.
| Rebelgecko wrote:
| Ah gotcha, it sounds like most of those problems are
| limited to internal combustion engines
| somehnguy wrote:
| I'm OK with the risks in exchange for the convenience :)
| Kirby64 wrote:
| Automatic unlock with a phone is not an anti feature. If it
| replaces your key fob completely, then it's one less thing
| you have to carry. I haven't carried keys of any kind
| for... 6 years at this point?
|
| Also, remote start/temp control that works no matter the
| distance as long as there's internet connectivity is
| superior to a radio based implementation. There's plenty of
| places that are largely RF impermeable, or otherwise
| distance is too far. If you're in a store, 100ft is barely
| any distance, especially with the layers of concrete in the
| way.
| devilbunny wrote:
| > I haven't carried keys of any kind for... 6 years at
| this point?
|
| You do you, of course, but I've absolutely relied on
| physical keys on numerous occasions over the years even
| when electronic methods exist.
|
| Garage door spring broke or power is out, and battery
| died on your electronic house lock? You're not getting
| in.
|
| Keyless fob ignition car ends up in a very strange state
| where, even though I have the fob in my hand and the car
| is running, it won't respond because the doors were
| locked from the inside by the dog? Happened.
|
| Actually had that conversation about the house with my
| wife when she didn't carry house keys: do you want to
| find yourself stuck out of the house while the pets
| freeze or boil because you didn't just carry a damned
| key?
| asdasdsddd wrote:
| The time I save pays for a locksmith many times over. I
| also give my friends/my condo spares so this is never
| actually an issue.
| Kirby64 wrote:
| > Garage door spring broke or power is out, and battery
| died on your electronic house lock? You're not getting
| in.
|
| How, exactly, would this happen simultaneously? Any
| reasonable system should alert you when batteries in your
| locks are running low. Unless you brazenly disregard
| those warnings (since, the low battery at least on mine
| means you still have... weeks left of battery), you will
| always have access. Also, with multiple entry-points into
| the house, you'd need ALL door locks to have their
| batteries die simultaneously. And the power to be out.
| That's a level of redundancy that is just unreasonable.
|
| > Actually had that conversation about the house with my
| wife when she didn't carry house keys: do you want to
| find yourself stuck out of the house while the pets
| freeze or boil because you didn't just carry a damned
| key?
|
| In what world would your pets die because you got locked
| out of the house? You should have AC/heating... and in
| some sort of power outage event (which, also, would
| require you to not be home either), your pets are
| certainly not going to freeze/overheat immediately. In
| such a crazy unrealistic scenario, breaking a window or
| drilling out a lock is a straightforward solution. But
| also, that would require so many multiple events to
| happen simultaneously (to get to needing to break a
| window) that it will never reasonably happen.
| grahamj wrote:
| Yep. I've forgotten or lost keys in the past and been
| locked out, but never have all of my e-locks and garage
| died at once.
| camtarn wrote:
| In the UK, and I'm guessing a lot of other parts of the
| world, many people live in apartments with only a single
| entrance door.
|
| Pets which require medications on a schedule might become
| very ill without them. But yes, I suspect that any
| country where the weather is enough to kill your pet
| should probably be running AC/heat on a thermostat
| instead of manual. (Here in the UK, we rarely have AC,
| and a lot of people just put on heat manually when
| they're cold - but our weather is pretty mild.)
|
| Personally I would never rely on a phone to get me into a
| house or vehicle. Mine runs out of battery too
| frequently. I've already been bitten by not being able to
| take a bus because my phone died and I couldn't pay for a
| ticket.
| Kirby64 wrote:
| Smart locks typically have more options than just a phone
| to open them. Keypad, fingerprint, etc.
|
| For ones that support Apple's Homekey, it doesn't even
| matter if your battery runs out. Apple devices still
| provide Homekey via NFC even with a dead phone.
|
| I don't think this exists yet for car keys, although I
| know there's work on UltraWide Band key support.
|
| Also, this seems substantially less fragile than just...
| losing a pair of keys. It's not evitable that your
| battery in your lock runs out (again, unless you ignore
| warnings), but losing your keys is one of those 'hard to
| prepare for' events.
|
| Mitigation for losing your keys could just be keeping a
| spare key with a neighbor/friend/whatever... but, well,
| you can do that with an e-lock too (cause they all have
| regular keys for true backup).
| camtarn wrote:
| > Smart locks typically have more option than just a
| phone to open them. Keypad, fingerprint, etc.
|
| Ah, that's a fair point.
|
| > Apple devices still provide Homekey via NFC even with a
| dead phone.
|
| Huh, that's neat. I haven't come across that as I'm not
| an Apple user.
| jdminhbg wrote:
| > Keyless fob ignition car ends up in a very strange
| state where, even though I have the fob in my hand and
| the car is running, it won't respond because the doors
| were locked from the inside by the dog? Happened.
|
| This is a good reason to have your car connected to the
| internet, you can use your app to turn it off and unlock
| it.
| SoftTalker wrote:
| > the doors were locked from the inside by the dog
|
| That happened to me once. Keys were in the car too. We
| had to try to get the dog to step on the button again to
| unlock the car, which she eventually did. Glad it wasn't
| a hot day.
| taneliv wrote:
| I've found myself stuck out of the office in minus
| fifteen degrees because the keylock app had stopped
| working due to a backend upgrade gone subtly bad.
|
| Fortunately this was in an urban area and I could find a
| cafe that was open within the walking distance. I don't
| know if they allowed pets to thaw in there. It took about
| an hour for maintenance to open the doors (with a damned
| key) and let people in.
| mavamaarten wrote:
| Locking my car through the app is a genuinely useful
| feature. Ever parked, left your car, and thought to
| yourself "damn, did I lock my car?". Just lock it through
| the app.
|
| I've had to fetch something from my car while my gf had the
| car keys with her, I could just open it with my phone. It's
| useful.
| nucleardog wrote:
| My key fob has two way communication and like a half mile
| range in urban areas.
|
| If I ever park and wonder "damn did I lock my car" I can
| look at my key fob and see if it has a locked or unlocked
| padlock on it. As long as I remember sometime within like
| 20 minutes of parking (assuming I spend 20 minutes
| walking away from it in a straight line), I can lock it
| if I _did_ forget. I'll get confirmation that it locked
| if I do that and the command makes it through.
|
| Mine also works even where there's no cell reception!
|
| Which is all to say... I'd prefer better key fobs instead
| of cellular modems and cloud services.
| Tempest1981 wrote:
| Do any auto manufacturers offer this?
|
| I see several aftermarket systems here:
| https://www.popularmechanics.com/cars/a34512303/best-
| remote-...
| nucleardog wrote:
| Doubt it. Mine's aftermarket. The manufacturer doesn't
| offer remote start on their manual transmission vehicles
| so I had to get an aftermarket system if I wanted remote
| start for those -50 days. Mine's a little older / less
| fancy than some of those linked[0] but essentially the
| same.
|
| I doubt it would ever solve my problem (they're still not
| going to offer half the functionality on a M/T vehicle),
| but there's no reason they couldn't offer something like
| this as a couple hundred dollar option on most of their
| vehicles. They already basically have all the hardware in
| the car I figure.
|
| [0] https://www.compustar.com/remotes/pro-t12/
| asdasdsddd wrote:
| I don't want to carry another stupid fob around. My goal in
| life is to carry a dumb smart phone that can unlock
| anything.
| cryptonector wrote:
| Remote start is also useful in hot climates, and for
| similar reasons.
| AyyEye wrote:
| It's never well done.
| bigstrat2003 wrote:
| It was well done on my previous car and current car. So it
| would appear that your claim does not hold.
| natch wrote:
| It's very well done in my car.
| yreg wrote:
| It's well done in Tesla.
| FriedPickles wrote:
| Unlock via Bluetooth is perfectly viable without internet
| connection (unless you mean unlocking it for someone else?).
| Remote start and temp control should probably work from a few
| hundred feet away. If only phones had a longer range local
| radio, perhaps something like Zigbee. Maybe WiFi direct?
| whiplash451 wrote:
| It just doesn't have to be the internet.
| lowkj wrote:
| CarPlay doesn't use your car's internet, it uses your phone's
| internet. That's part of the whole beauty of it.
| krferriter wrote:
| Yeah, important distinction
| natch wrote:
| Please explain how in your mind are they doing remote
| climate control, then?
| mplewis wrote:
| Through the car's cellular connection.
| natch wrote:
| Lol, duh, thanks. So, guessing they can't stream video
| from the dashcam cameras remotely in that car.
| natch wrote:
| Why do you give CarPlay credit for those features? No need
| for CarPlay for any of those. What do you get from CarPlay
| that you don't get from a connected car without CarPlay?
| yjftsjthsd-h wrote:
| > What do you get from CarPlay that you don't get from a
| connected car without CarPlay?
|
| Software quality and security updates on the internet-
| facing component.
| natch wrote:
| You are under the impression that Teslas can't get
| software and security updates? Which happen to be free,
| btw.
| morkalork wrote:
| If the car manufacturer can remote unlock and start your car
| for you, it can be abused by a hacker in same way. It's the
| exact same argument against backdoors in encryption for the
| government, if a backdoor works for them, it'll work for
| hackers too.
| CatWChainsaw wrote:
| Well aren't you a precious little princess. I have none of
| that. It's very unlikely my early 2000s car will ever be
| attacked in this manner. I am going to maintain that car as
| long as possible. Enjoy your ticking time bomb.
| kkfx wrote:
| Well... There is no reason to have a middleman like the OEM, so
| the car could be connected just with the formal owner (i.e.
| with a personal subdomain or dyndns), FLOSS stack under users
| control and some hard limits (like you can't act on the car if
| it's moving and so on).
| Rebelgecko wrote:
| I would guess 99.9% of car owners who use the app would not
| set up a personal subdomain or manage a FLOSS stack
| thfuran wrote:
| I don't think you have enough nines.
| kkfx wrote:
| No doubt today, but in another very realistic in the sense
| that's perfectly logic and possible since more than a
| decade, where government have digital IDs who are smart-
| cards not crapplications, and with them certified mails
| with a personal domain and the ISP router is just a FLOSS
| homeserver (as it is actually, being GNU/Linux embedded
| machines with a tailored PBX, Samba to offer usb network
| storage, CUPS for serving a usb-connected printer and so
| on, just a bit more powerful and open.
|
| In such world thanks to the commonality of FLOSS we have
| dedicated distros and package for such iron, widespread
| enough to be commonly available in users hands. As a result
| the security risks are still more than zero but much, much
| less and many who could since their car is their own, not
| owned for real by the OEM, they could simply cut the
| connection if they do want so.
|
| Such open world could be done in few years by laws, and
| anything is already there since decades. It's a matter of
| knowledge and will.
| johnsutor wrote:
| With the advent of "Kia Boys" and now this, it's a miracle people
| still buy Kias.
| thrtythreeforty wrote:
| They have the best EV architecture on the planet currently;
| despite all the hacking issues, I'm still considering an EV6
| for my next vehicle. Probably with a yanked cell radio fuse...
| solarpunk wrote:
| can you explain what you mean by ev architecture?
| i80and wrote:
| Hyundai and Kia use an 800V high voltage electrical system.
| The upshot is their vehicles charge _scary_ fast, peaking
| in the mid 200kW's
| thrtythreeforty wrote:
| Exactly. It makes a DC fast charge session (on a
| reasonably spec'd charger) take 20 minutes, not an hour
| like on competing EVs that _peak_ at 150kW.
|
| EV companies haven't _quite_ figured out that the only
| two things consumers care about are range and charge rate
| (well, and cost, but there's an untapped market of
| people willing to pay if the featureset is there).
| Everyone has settled on 300mi range, which in my opinion
| is a little low but workable (at 80mph you'd have to stop
| every 3.5 hours), but for some reason nobody can get
| their act together on charge rate. Consumers need to
| purchase a car for their 99th percentile use case, which
| for much of America includes at least one road trip per
| year. The DC fast charge experience is basically the
| whole story there.
| MostlyStable wrote:
| Obviously better charge rate would be better, and would
| be a bigger improvement than more range, but I've found
| that long road trips (10+ hours total driving time) with
| my 2023 Hyundai Kona, peak charge rate of ~70kW, is
| tolerable. I'd like my next EV (whenever I get it), to
| have a higher charge rate, but if I'm being honest, I'd
| care more other features such as V2H capability and
| physical media/HVAC controls. Now, fundamentally there is
| no reason that I _should_ have to choose between these
| options. They are orthogonal, but if I was choosing
| between different vehicles, I'd give up charge speed to
| get those other features.
| i80and wrote:
| Agreed, but just a nit: cars that charge at 150kW peak
| tend to 10-80 in about 30 minutes, not an hour.
|
| Source: my ID.4
| neallindsay wrote:
| Lucid and Porsche also have comparable internal voltages,
| but of course they are much more expensive than Hyundai
| and Kia.
| speedgoose wrote:
| In addition to the privacy and security issues, they also
| have a substandard infotainment still running Android 4.
| buggeryorkshire wrote:
| Android 4? I had a 2017 Kia Ceed where I hacked the head
| unit, and I'm sure that was at least Android 6?
| speedgoose wrote:
| Older cars may have newer Android versions. People say
| that the Ioniq 5 is still running Android 4.4, but I
| haven't verified myself.
| hypeatei wrote:
| Cars are essential to living in America except for a few
| cities. Car manufacturers can basically do whatever they want.
|
| There was a recent YouTube video with a car thief that
| basically showcased a "special" tablet that could get any car
| started in a minute by plugging into the OBD port. Pretty
| shitty security model if it relies on no tablets getting out.
| moe_sc wrote:
| Do you have a link to the video?
| hypeatei wrote:
| https://youtube.com/watch?v=YS2K_quFWuY
|
| Note: the technical details are very lacking so it may not
| be that interesting to most here. tl;dw: there is a
| reseller that shouldn't be selling the tablets to
| "unauthorized" people and some other tidbits about how the
| thief operates.
| myself248 wrote:
| If someone's already inside the car, I expect them to be able
| to hotwire it eventually.
|
| The trouble is when manufacturers extend the CAN bus out to
| the smart headlights or something, and it's the same bus that
| the body control sits on, so they can just send a door-unlock
| message...
| mass_and_energy wrote:
| I wonder how many LEAs knew of this and used it to bypass having
| to get a warrant, instead of responsibly disclosing it for the
| benefit of public safety.
| bena wrote:
| The warrant is still necessary, evidence obtained through
| illicit means is generally not acceptable.
| bobbylarrybobby wrote:
| Technically you don't need a warrant if you just ask for the
| data and it's handed over. You only need a warrant if someone
| doesn't want to hand over the data.
| bena wrote:
| But that's not what this would be, this would be gaining
| access to the system without permission.
|
| It doesn't matter if my door has shitty locks, you still
| can't enter my house unless I invite you.
| fragmede wrote:
| if this metaphorical door is already open and something
| is in plain view though. I guess the question is what
| constitutes plain view digitally.
| alistairSH wrote:
| True, but parallel construction/evidence laundering is a
| thing.
| like_any_other wrote:
| The article isn't clear, but it sounds like the cars were
| _already_ being tracked, only now also "unauthorized" people
| could track them (when before, only Kia and car dealers could
| track your car).
|
| Why is it okay for Kia/manufacturers to spy on our cars, and only
| a problem when others do it? This attitude is pervasive in
| reporting on hacks like these - the initial spying by
| corporations is always given a pass (or rather, it is implied
| that's not even "tracking", as the title implies the tracking
| happened only _after_ the hack).
| datax2 wrote:
| Almost all modern cars have a way of providing or grabbing
| location data, however most manufacturers do not "Spy" on your
| car by default, this would violate CCPA, Colorado's Privacy Act,
| GDPR... ETC. The users need to opt-in to telematics data. For
| example in Hyundai's case when you create a "Blue link" account
| and accept their terms of service you are connecting whatever
| vehicle you have verified on your account to their telematics
| system, and subsequently opting in to tracking.
|
| Manufacturers like VW/Audi place an opt out within the vehicle
| itself so if you opt out of telematics in the vehicle you are
| in a full privacy mode and the manufacturer cannot get the data
| or override this request. This covers the scenario if other
| "Users" of the vehicle are driving and would choose to opt out
| outside of the main users/owner.
|
| So some bake it into your app registration and signup, and some
| leave it in the vehicle. The gist is you can opt out, and if
| the manufacturer does not respect that you have grounds to sue.
| Currently there is a lawsuit against GM/Caddy because a user
| did not opt-in to Usage Based Insurance, but their information
| was captured and brokered blocking them from acquiring new
| insurance.
| like_any_other wrote:
| The EFF [1] is less optimistic that all of this spying is
| opt-in and clearly-stated (instead of buried in legalese),
| and Wired [2] likewise mentions cases where it's opt-out
| instead of -in.
|
| [1] https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
|
| [2] https://web.archive.org/web/20240705093406/https://www.wired...
| adgjlsfhk1 wrote:
| often the opt in is buried in 15 pages of paperwork when you
| buy the vehicle
| dang wrote:
| (this was originally posted in
| https://news.ycombinator.com/item?id=41657833 but we merged
| that thread hither)
| busymom0 wrote:
| Did you reply to the wrong parent thread?
| yieldcrv wrote:
| Kia Boys Who Code
| bityard wrote:
| Well, I am already pretty firmly against buying any car that
| requires you to create an account online to "activate" the
| vehicle. But I definitely won't buy another Kia anyway, based on
| the fact that our last one burned a quart of oil every thousand
| miles WELL before it hit the 100k mark.
| barbazoo wrote:
| > car that requires you to create an account online to
| "activate" the vehicle
|
| I have a 2023 Kia and that's not necessary. You only need the
| account if you want to use the optional online services.
| sahmeepee wrote:
| As the article says, you don't need an active subscription to
| be vulnerable. In this case it seems that if the model
| supports the features at all, you are vulnerable.
|
| This makes sense, because they want people to be able to
| subscribe to their services later without having to visit the
| dealership, so they make it possible to remotely enable the
| service.
|
| I'm not sure if you can buy a tinfoil hat for a car.
| nis0s wrote:
| I was just going to say the same as it's stated pretty
| early in the article
|
| > These attacks could be executed remotely on any hardware-
| equipped vehicle in about 30 seconds, regardless of whether
| it had an active Kia Connect subscription.
|
| If this should tell companies anything, it is that most of
| these services should be opt-in instead of opt-out in favor
| of security and privacy.
| mikepurvis wrote:
| It should be possible to physically disable the cellular
| modem in the vehicle, wherever that is. I have a 2020 Volvo
| that is definitely online, waiting for me to activate some
| pricey online subscription that I don't want or need.
|
| Would be nice to have an organized online database of how to
| disconnect various "smart" devices-- cars, TVs, appliances,
| etc.
| 0cf8612b2e1e wrote:
| But if it is not online, you will not be able to download
| the latest patches. Like the ones that prevent new remote
| exploits.
| tspike wrote:
| How did we ever survive without computerized vehicles?
| mandevil wrote:
| We tolerated worse gas mileage (computer controlled fuel
| injection, transmission, etc.), safety (anti-lock
| brakes), etc. We added computers because we wanted to
| lessen the effects of climate change and keep more people
| alive.
| pushupentry1219 wrote:
| Instead we got people like VW rigging their firmware to
| report emissions falsely so they could look better.
| Roark66 wrote:
| >"climate change"
|
| Not really. Personal vehicles are responsible for such
| minuscule portion of co2 emissions it barely matters.
|
| Emission regulations enjoy popular support because of
| city air quality, not climate change. Yes, people
| tolerate taxes on CO2 emitted by their vehicles (do you
| have that in the US BTW?) because it has a very
| beneficial side effect of also limiting particulates and
| NOx CO and such emissions that actually killed hundreds
| of people every year in major city centers. Also caused
| lifelong disability for many children (asthma).
| biorach wrote:
| You're using a broad definition of "computer". We've had
| these features for decades now, until recently the logic
| was handled by microcontrollers. It's not clear that the
| functionality requires computing devices also capable of
| data gathering, storage and upload.
| hunter2_ wrote:
| In my VW, the cellular modem and something I actually use
| (I think it's the Bluetooth microphone) are in the same
| module, so pulling the fuse or disabling it in the CAN
| gateway would be too heavy-handed. I would need to spend
| hours getting to, and into, the module. Or maybe replace
| the antenna with an effective dummy load / terminator?
| Tons of trim work. Luckily it's old enough to be 2G, and
| my understanding is most towers no longer speak to it, so
| I haven't pursued it further.
| jdminhbg wrote:
| > As the article says, you don't need an active
| subscription to be vulnerable.
|
| OP was talking about not buying a car that requires a
| subscription to activate, not about whether the
| subscription makes you vulnerable.
| 01HNNWZ0MV43FF wrote:
| Otherwise it spies on you with no account
| raxxorraxor wrote:
| That is unusual. They give 7 years warranty compared to
| European or US car manufacturers and it often shows why. They
| are indeed dependable.
| alexandersvozil wrote:
| I cannot connect to Kia anymore, would have not worked on me
| meindnoch wrote:
| What if we had laws that required car manufacturers to have
| software with slightly better quality than the utter syphilitic
| diarrhea they currently ship?
| outworlder wrote:
| Hardware companies usually suck at doing software.
| diego_moita wrote:
| Ok, lesson learned. Thank you.
|
| I have a Kia Niro EV Wind 2024 and just cancelled my account at
| Kia Connect.
|
| Yes, I felt stupid. But a little less stupid now.
|
| Edit: does anyone know how I could disable Kia's remote access to
| my car? Is there any antenna I could cover with tin foil or a
| chip that can be disconnected?
| aftbit wrote:
| >These attacks could be executed remotely on any hardware-
| equipped vehicle in about 30 seconds, regardless of whether it
| had an active Kia Connect subscription.
| bluSCALE4 wrote:
| Don't feel stupid, feel a little angry. The only thing you
| could have done to prevent this was not buy a Kia.
| sjamaan wrote:
| Like the other brands are any better...
| EricE wrote:
| It's hardly unique to Kia!
|
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| tptacek wrote:
| This won't have nearly the same impact, but when you're
| considering how vulnerabilities like this might influence your
| future purchasing decisions, remember that Kia's decision to omit
| interlocks from their US vehicles (but not Canadian ones!) led to
| a nationwide epidemic of Kia thefts so large it fed a crime wave,
| something a number of US cities are suing Kia over. If you've
| read about carjacking waves in places like Milwaukee and Chicago:
| that was largely driven by a decision Kia made, which resulted in
| the nationwide deployment of a giant fleet of "burner" cars that
| could be stolen with nothing but a bent USB cable.
| wasteduniverse wrote:
| Don't anthropomorphize the lawnmower and blame Kia for this,
| blame the NHTSA for making it legal to skimp out on
| immobilizers in the first place. Regulations matter!
| tptacek wrote:
| Since Kia/Hyundai is the only automotive group to have this
| problem, I'm going to go ahead continuing to blame them.
| piva00 wrote:
| I agree and still it's also the lack of regulation that
| enabled it to happen, and 2nd order effects of it is the
| increase in carjackings.
|
| It's a pretty good argument for the regulation, since
| everyone else is already doing it just make it the
| standard.
| searealist wrote:
| Of course you are. The alternative is to blame the
| governments (of places like Chicago or Milwaukee), or the
| people doing the theft.
| BoorishBears wrote:
| Why are those alternatives for you?
|
| I find it very easy to hold the governments, people, and
| companies as all culpable in their own way.
| bombcar wrote:
| Exactly. The situation should be examined like the NTSB
| does for plane crashes, usually a proximate cause and
| other contributing causes.
|
| Maybe we'll see a return of The Club(tm)
| cryptonector wrote:
| Lmao, good reference to u/bcantrill.
| rideontime wrote:
| ?
| lambda wrote:
| https://news.ycombinator.com/item?id=10040429
| pengaru wrote:
| > Volkswagen has entered the chat
| jshdhehe wrote:
| Wow they will not live that down!
| adolph wrote:
| > If you've read about carjacking waves in places like
| Milwaukee and Chicago: that was largely driven by a decision
| Kia made, which resulted in the nationwide deployment of a
| giant fleet of "burner" cars that could be stolen with nothing
| but a bent USB cable.
|
| "A nationwide epidemic of Kia thefts" seems to be a natural
| consequence of decreased security. However, that carjacking in
| Milwaukee and Chicago specifically would follow from a
| nationwide omission of interlocks is not obvious as the
| vehicles are easily stolen without the need for personal
| confrontation. What is the connection of Kia interlocks to
| carjacking in Milwaukee and Chicago?
| Terr_ wrote:
| > However, that carjacking in Milwaukee and Chicago
| specifically would follow from a nationwide omission of
| interlocks is not obvious as the vehicles are easily stolen
| without the need for personal confrontation.
|
| I think parent-poster means that the easily-stolen cars are
| being used as _tools_ of carjacking, rather than the targets
| of it. In particular, carjacking that occurs by somehow
| provoking a victim to stop on the highway shoulder, a
| location where attackers can't exactly arrive by foot or bus
| or bike. That way they don't involve a vehicle that might be
| observed and traced back to them.
|
| An alternate explanation is that they meant to write
| something like "theft" and accidentally put down "carjacking"
| instead.
| levocardia wrote:
| This is correct, the usual procedure is: steal kia or
| hyundai with your friends using the no-interlock exploit
| --> find other cars to carjack (at gunpoint), or
| individuals to rob --> ditch stolen cars when no longer
| needed. Exploit no-pursuit policies as needed.
| tptacek wrote:
| I've posted this point a couple times on HN and I guess I
| will keep posting until people stop expressing surprise
| that trivially stealable cars are a precursor to
| carjackings. I'm not dunking, there's no good reason for
| people to intuit that! But it's a really important thing
| to understand.
| adolph wrote:
| Thanks and thanks to the upthread explanations.
|
| Part of what makes it unintuitive is the specificity:
| * Why Milwaukee and Chicago instead of everywhere?
| * Why carjacking and not a general increase in crimes
| that could be facilitated by an unassociated car (bank
| robbery, toll violations, etc)?
| kgermino wrote:
| FWIW the associated crime wave was much broader than
| carjacking (and I'm actually not aware of a particular
| increase in carjackings specifically due to the Kia
| issues but I don't know) but the Kia issues seem to have
| started in Milwaukee.
|
| For whatever reason, it became A Thing here more than a
| year before it went national. Car thefts in Milwaukee
| more than doubled (entirely due to a stupidly large
| increase in Kia/Hyundai thefts) and we got a reputation
| for Kia thefts before it became a national issue
| jeffbee wrote:
| I question whether Milwaukee and Chicago are outstanding
| examples. I looked at a few reputable sources and neither those
| cities nor their states seem to be extremes in terms of
| car theft rates. Most of these law enforcement agencies
| are not specifically breaking out carjacking.
|
| Random presentation of car theft stats comparing Chicago
| to a handful of others. We hear a lot about Chicago
| because many have a vested interest in deflecting
| discussions about crime. When was the last time you heard
| about the insane motor vehicle theft rate of Dallas?
| https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
| Tool_of_Society wrote:
| Hell Mississippi as a state might soon pass Chicago in
| murder rate per capita. Chicago last year had a murder
| rate of 22.85 per 100,000 while Mississippi had a murder
| rate of 20.7 per 100,000. Louisiana had 19.8 and Alabama
| had 18.6..
| tptacek wrote:
| Chicago isn't even in the top 10 per capita. It's just a
| _very_ big city that everybody forgets is a very big
| city.
| tptacek wrote:
| The phenomenon started in Milwaukee (the "Kia Boys"
| challenge), and I happen to live in Chicagoland, which
| experienced a huge wave of carjackings immediately
| afterwards. I have one of them recorded on my Nest camera
| in the alley behind my house. Nothing in particular about
| those two cities otherwise.
|
| As the sibling points out: it's a broader issue than just
| carjackings --- but the carjackings themselves were
| novel, scared the shit out of people in a way that
| stochastic-seeming strong arm robberies don't. The
| headline here is: it was a gravely negligent thing for
| Kia to have done; I hope they lose their shirts.
| reaperducer wrote:
| _Why Milwaukee and Chicago instead of everywhere?_
|
| It wasn't just in those cities, it was nationwide. The
| poster was using those cities as examples because they
| are familiar to him.
| anarticle wrote:
| "Places like" include Philadelphia. It's not a closed
| set, just some examples. I have friends that have had
| their KIA stolen this way, and others that have outright
| sold their car to get a different brand due to how
| prevalent it is here.
| potato3732842 wrote:
| I'd really like to see a citation for carjackings going
| up more than any other crime that a stolen car enables.
|
| Cars are hard to fence and if you have a stolen car
| there's other crimes you can commit that have similar
| upsides and lower sentences/risks. For example ATMs never
| run over your buddies or shoot back at you.
| tptacek wrote:
| Carjacked cars are usually recovered. They're not
| carjacked so they can be sold on some weird car black
| market.
| op00to wrote:
| All stolen cars are usually recovered. The recovery rate
| is something like 85%.
| Terr_ wrote:
| I worry that single percentage might be hiding some
| complexities like a subcategory of cars with a much lower
| recovery rate, or having the term "recovered"
| encompassing "as scrap".
| jshdhehe wrote:
| Or the same car keeps getting stolen as someone else
| suggested. So the % of distinct cars may be lower.
| jshdhehe wrote:
| Like cyber exploits then. Get someone to click a link to
| download something then access their email to send
| someone else an email and so on.
| bombcar wrote:
| Having a stolen car means the easiest way to identify
| someone is now non-identifying. It's a great precursor to
| avoid being tracked.
| Eumenes wrote:
| > something a number of US cities are suing Kia over
|
| I can think of nothing more American than suing car
| manufacturers because they're too easy to steal. The US is truly
| screwed.
| dangitman wrote:
| Eh, if we were really that litigious (or if our being
| litigious were at all effective) gun manufacturers would have
| been sued into oblivion a long time ago.
| tptacek wrote:
| They're being sued because they deliberately made the cars
| _easier_ to steal in the US than they are elsewhere.
| userbinator wrote:
| In some places in the US, you can leave your doors open and
| car unlocked and no one will touch it. Perhaps a friendly
| neighbour may remind you, but that's about it.
|
| As much as some narrative wants us to think, we don't need
| to be forced to live in effectively the same conditions as
| a maximum-security prison in order to have no crime.
|
| Cars (and other things) being easy to steal isn't the
| problem.
| tptacek wrote:
| I have to lock my car doors. There isn't anyone within 10
| square miles of me who feels like they live in a maximum-
| security prison.
| hackernoops wrote:
| Sounds like you live in Stockholm. (syndrome)
| wallaBBB wrote:
| Regarding the Kia Boyz - immobilizers have been mandatory in
| most of Europe since late 90s, in Canada since 2007. Basically
| there is something to put on (lack of) regulations as well as
| on HKMC.
| Sohcahtoa82 wrote:
| In the USA, we believe we don't need regulations, the Free
| Market(tm) will punish corporations that don't behave in a
| way that benefits their customers!
|
| Insane to me that so many people believe this...
| op00to wrote:
| I'll certainly never buy another Korean car.
| thfuran wrote:
| And never an American one after the Pinto, and never a
| German one after the VW testing scam, and never a
| Japanese one after the recent safety scandal? I guess you
| can still get a Jaguar, so your mechanic won't complain.
| worik wrote:
| I drive a car made in the 1990s
|
| I was planning to upgrade it
|
| I might not...
| thfuran wrote:
| I had been planning to keep driving my car for quite some
| time, but recently it's developed a weird engine noise
| and a check engine light that nobody can resolve. I'm not
| sure I'll be able to give EV charging a few more years to
| sort itself out.
| throw10920 wrote:
| Citation needed for the claim any significant fraction of
| the US population believe that regulations are completely
| unnecessary.
|
| This runs directly contrary to my lived experience here, so
| unless you can provide evidence it sure seems like you're
| just stereotyping an entire nation to engage in ideological
| warfare.
| dsr_ wrote:
| It doesn't need to be the population believing that
| regulations are completely unnecessary.
|
| It just needs to be a sufficient number of politicians
| understanding that their donors and prospective donors
| find specific regulation of their industry overbearing.
| throw10920 wrote:
| That's absolutely true (and a very good point), but
| that's not what the GP was claiming.
| vasco wrote:
| From my understanding immobilizer bypass tools are cheap and
| plenty.
| acdha wrote:
| Even if that's true, they are clearly nowhere near as
| "cheap and plenty" as watching a Tik Tok video. The spike
| in crime was far greater than normal random variation.
| wallaBBB wrote:
| Not really. At least not for those immobilizers that don't
| use "proprietary" ciphers. Automotive loves security
| through obscurity until it bites them in the ass. Today
| most manufacturers have moved to AES128, which is not cheap
| to brute force, especially if there is a rolling code
| (should be the case for many)
|
| But you are right that there are many (older models) that
| use ciphers with known quick exploits: TI's DTS40/DTS80
| (40/80bit, proprietary cipher, in many cases terrible
| entropy), models from Toyota, HKMC, Tesla. About 6s to
| crack in many cases.
|
| NXP's HTAG2 - most commonly used one in the '00s - 48bit
| proprietary cipher, a lot less exploited in the wild than
| the TI's disastrous two variants.
| mozman wrote:
| you can just reprogram a new seed via canbus, don't need
| to brute force it
| wallaBBB wrote:
| Those types of attacks (CAN injections) are very OEM
| specific, and come from deep insider knowledge, not
| something you fuck around and find out. I'm assuming
| you're referring to Toyota, but anyways please give
| direct reference to the attack you're referring to.
|
| Keep in mind any need for expensive equipment is already
| a deterrent for many.
| hnav wrote:
| 1-4k for the tools that they then amortize across many
| cars stolen and stripped or shipped overseas.
| dmoy wrote:
| Idk what the pattern is where you are, but the majority
| of stolen cars where I am are not sold or stripped or
| anything like that. They're used for N days and then
| ditched somewhere. Used either for joyriding, living in,
| crash&grab, or whatever.
|
| One of my old neighbors had their same car stolen like
| 2-3 times, always ditched and found after some number of
| days missing.
| acdha wrote:
| That was the big shift here for the Kia mess. Normally
| the thieves tend to be professionals so the stolen ones
| are at a port or being stripped soon afterwards, but when
| that hit TikTok there were a lot more joyrides and brief
| use for theft/robbery because it was a bunch of teenagers
| who didn't have much of a plan.
| gregmac wrote:
| We have a phrase for that, "security by obscurity"
| https://en.m.wikipedia.org/wiki/Security_through_obscurity
| ethbr1 wrote:
| Probably why great grandparent used that phrase. ;)
| mass_and_energy wrote:
| We Canucks need all the features we can get to stop cars from
| being stolen, without exaggeration a car is stolen in Canada
| every 5 minutes on average.
| SpaghettiCthulu wrote:
| Too bad the only thing our current government can think to do
| is ban the FlipperZero.
| zerd wrote:
| Just wait, next they'll ban USB cables.
| emptybits wrote:
| Fellow Canuck here. Yes, that statistic is sadly, insanely
| true. And some background ...
| https://www.bbc.com/news/articles/cy79dq2n093o
| voidmain0001 wrote:
| I'm about to take delivery of a Toyota Sienna in Canada, and
| despite it being a minivan, it's a Toyota which are popular
| to steal right now. I plan to use both a steering wheel and
| accelerator pedal club. I've watched videos of both devices
| being rendered futile in less than 60 seconds but I hope that
| it will deter the less determined thieves. Then, after my
| kids have thoroughly destroyed the interior, I will hope that
| it gets stolen.
| ndileas wrote:
| Have you considered not living in such an environment of
| fear? I have no idea of your circumstances, but this is
| something I see in my local relatives all the time. They
| buy ring cams and security systems, scrutinize nextdoor,
| etc. In reality, they are incomparably rich and safe
| compared to most. Personally I refuse to buy into this
| nonsense and just go about my life, despite living in a
| place that's far more dangerous by the numbers.
| mardifoufs wrote:
| I mean it depends. In Toronto you could do that (and I
| usually agree with you about say, home security), but
| then you don't really choose where you get to park your
| car every time. And in a way I'd be more stressed to know
| that I could lose my car if I parked it somewhere that I
| don't know, and that I can't do anything about it once it
| gets stolen, versus just putting 2 locks.
|
| But again, I totally agree with you about the weirdness
| of people going full military compounds in residential
| areas.
| voidmain0001 wrote:
| You're mistaken. I'm not cowering in fear or fright as
| you imagine. I am merely pragmatic considering I have
| waited two years for the vehicle to be delivered and I
| know that if it's stolen the insurance company will not
| payout for a replacement vehicle. It will payout what I
| paid but a slightly used replacement will cost more than
| what I am about to pay due to the constrained market for
| these vehicles. As for your circumstance, I'm glad you
| have come to a reasoning that is suitable to you.
| bnralt wrote:
| > it fed a crime wave, something a number of US cities are
| suing Kia over
|
| A large part of the crime wave stems from the policies these
| cities implemented. Many times from the same leaders who are
| suing Kia now.
|
| For instance, a friend got their car stolen in D.C. After they
| caught the guy, they let him go with no consequences, because
| they said he was under 25 and it was the first time they caught
| him. D.C. recently put a convicted murderer on the sentencing
| commission who believes that this kind of "it's not really
| their fault if they're under 25" thinking should be extended to
| murders as well.
|
| Local politicians even told us there wasn't a crime wave, and
| that it was just a fake narrative. Then when that stopped
| working, they started pointing fingers at everyone else they
| could.
| ethbr1 wrote:
| It's fair to say that a company which makes cars that can be
| stolen with only a USB socket bears significant culpability
| for car thefts.
|
| Anything political doesn't have to be only this reason or
| only that reason. "Both" is an option too.
| - Kia fucked up, to make more $
| - Some cities have ineffective enforcement
| rcthompson wrote:
| > car thefts
|
| To be specific, I don't think the cities are suing over the
| car thefts. If I understand correctly, they're suing
| because the availability of easily hacked Kia cars enabled
| a wave of other crimes, because the criminals knew they had
| easy access to a getaway vehicle that couldn't be traced
| back to them.
| kortilla wrote:
| I'll take victim blaming for $200, Alex. Breaking into a
| house is easy as a rock through the window but we don't sue
| homebuilders for not putting in stronger glass.
| ethbr1 wrote:
| So if a window manufacturer decides to save money and not
| put latches on their windows, enabling them to be opened
| from the outside at will, and home invasions spike, that
| manufacturer isn't a large part of the problem?
| bombcar wrote:
| Part of the problem and the only cause are not the same
| thing.
|
| Both Kia and the thieves can be in the wrong. Trying to
| break it down to one cause is never going to work.
|
| Some car will always be the easiest to steal. People
| should always take reasonable precautions. But crime is
| still crime; if someone leaves their car running with the
| door unlocked as they run into the store and it gets
| stolen - they made a mistake but the criminal did a
| crime.
| brookst wrote:
| Your use of "only cause" was the first in this
| discussion.
|
| Lots of people get sued for lots of things. Nowhere does
| it say that suits can succeed only if the defendant is
| the sole cause of the problem. See: Takata air bags. Huge
| liability, but in any given incident it wouldn't be a
| problem unless someone else caused an accident. Yet
| Takata does not get to say "our defective product wouldn't
| have been a problem if Mr. Doofus hadn't rear-ended you"
|
| Binary is great for computers, less good in legal
| thinking.
| kortilla wrote:
| What an asinine comparison. The criminal maintains full
| criminal liability even if it's an easy crime.
| singleshot_ wrote:
| He was talking about civil liability. The concept you've
| tripped over here is called intervening superseding
| causes and the criminal only destroys the tortfeasor's
| liability if his intervening criminal cause is
| unforeseeable.
|
| Here, because the entire purpose of car immobilizers is
| theft protection, the thief is foreseeable and his crime
| does not supersede.
|
| I'm a little troubled by your use of the word "asinine"
| in this context.
| potato3732842 wrote:
| No they are not. At best they are a minor contributor. If
| people want security latches and whatnot they can buy
| them and pay accordingly. An easy to steal car beats no
| car every day of the week.
|
| I live in a not great part of what's arguably the bluest
| state in the nation (which is to say this isn't some dumb
| red state "tough on crime" thing) and I can't imagine
| someone being able to go around checking windows or car
| doors for very long without a free ride in a cop car.
| Windows here are unlatched from May to September. I bet a
| lot of those houses have Kias in the driveway that
| they've had no theft problems with as we only have about
| a dozen car thefts per year here.
|
| Ford Superduties over a huge year range can be stolen
| much the same way (you also have to punch out a lock
| before taking a screwdriver to the column) until very
| recently as PATS was not standard on the higher GVW stuff
| but those are expensive trucks so shitting on them
| doesn't scratch the same "validate my $50k purchase of
| something else" itch that crapping on Kia does.
| lukan wrote:
| But that would be loud, not good for theft. Opening a
| window or door silently requires a whole different set of
| special skills.
| grecy wrote:
| > _It's fair to say that a company which makes cars that
| can be stolen with only a USB socket bears significant
| culpability for car thefts._
|
| WHAT?
|
| I don't have my wallet on a chain, do I have some
| responsibility if I get pickpocketed?
|
| These criminals are breaking the law, it is ENTIRELY their
| fault. Any other interpretation has way, way too many logic
| holes and strange consequences that says it's our fault
| when a criminal willingly breaks the law.
| ethbr1 wrote:
| We're talking about different things.
|
| If your car gets stolen, that's your problem.
|
| If suddenly a massive number of cars are stolen, that's
| the government's problem. (As now police forces have to
| deal with criminals trivially obtaining getaway cars)
|
| So it seems reasonable that the manufacturer in question
| should be sued for the cost of the additional police
| resources required.
| grecy wrote:
| > _If suddenly a massive number of cars are stolen, that's
| the government's problem._
|
| I have no idea why you jump to that conclusion.
|
| The problem is clearly the person breaking the law.
|
| But anyway, going with what you said...
|
| > _So it seems reasonable that the manufacturer in
| question should be sued_
|
| Wait, if it's the government's problem, then THEY should
| be sued for not requiring manufacturers to have these
| anti-theft devices (as the Canadian government does). The
| auto manufacturer is building cars precisely as the US
| government mandated them to.
|
| It seems like you're trying to bend logic to blame anyone
| and everyone other than the people who are breaking the
| law.
| naming_the_user wrote:
| There's a lot of this sort of thing in the UK at the moment
| which is really baffling to me.
|
| One extreme is the death sentence, sure.
|
| But on the other end it feels as if there are constant
| stories of career criminals who just do thing after thing
| after thing. It's not like someone just accidentally gets
| caught up in multiple assaults/robberies/break-ins etc. At
| some point you have to just think, okay, there's no
| rehabilitating this guy, how do we minimise the damage to
| society.
| staunton wrote:
| They just have no space left in the jails, what can you
| do... I guess they hope that as long as protesters get a
| spot the damage to society will be manageable.
| Retric wrote:
| It's far more expensive than you may assume.
|
| Locking 1,000 people up for a decade costs ~1 billion
| dollars. So even slightly more aggressive policies get
| expensive fast, and a surprising number of people "age out"
| of these kinds of crimes. It's not clear if it's hormones
| or what but you'll see people with extensive rap sheets who
| end up as productive members of society in their 30's or
| 40's and beyond.
| naming_the_user wrote:
| I'm aware that it's expensive but the alternative is
| pretty horrific.
|
| A person that goes about assaulting people is a
| significant drain on society. It's not even just
| monetary, it ruins trust, it ruins the relations between
| the people who aren't antisocial. It also has the moral
| hazard effect of increasing the number of others that see
| that this behaviour ultimately goes unpunished.
|
| As far as I'm concerned, there are very few legitimate
| reasons to raise taxes, but police and prisons are one of
| them, they are not problems that individuals can solve in
| the private sector.
| xattt wrote:
| There was another discussion around the Cannonball run,
| and how it should be allowed because no one gets hurt.
|
| In a way it does, because it ruins trust as the
| participants treat your presence on the road like an
| inconvenience.
| CraigJPerry wrote:
| >> treat your presence on the road like an inconvenience
|
| Aren't we all a bit guilty of that? Maybe not all the
| time - when I see an ambulance whizz past or a fire
| truck, I'm appreciative of their efforts.
|
| But everyone else? You're just in the way ultimately.
| There isn't much pleasure to be derived in waiting around
| for someone to have their fair turn at the intersection
| or whatever.
|
| Obviously as a rational human I'm quite capable of
| suppressing such thoughts and generally abide by the
| traffic laws, but the point still stands.
| tomp wrote:
| > Locking 1,000 people up for a decade costs ~1 billion
| dollars.
|
| This is a purely political decision, not an inherent cost
| of jailing.
|
| Your number comes down to $100k per person per year.
| That's just insane. Many _families_ earn less than that
| (post-tax)!
|
| And obviously jail is supposed to be _cheaper_ than non-
| jail life in the first place, because you're not paying
| for luxury, just food, (cheap) rent and security.
| potato3732842 wrote:
| >Your number comes down to $100k per person per year.
| That's just insane. Many families earn less than that
| (post-tax)!
|
| That's not nearly as bad as I was expecting considering
| that for every 1-2 prisoners there's a ~$100k employee.
| tomp wrote:
| But why? I mean, just put each prisoner in a separate
| cell, why would you need more than 1 employee per 20-50
| prisoners? Ok, maybe 3, for 24 hour rotation... Make sure
| you never unlock more than a single cell, and keep guns,
| lots of guns.
| potato3732842 wrote:
| >But why?
|
| Low key jobs program at the expense of taxpayers IMO.
| Loudergood wrote:
| 7 Days a week, vacation/sick coverage,
| facilities/food/admin
| pcwalton wrote:
| You need lots of doctors, especially with an aging prison
| population. Doctors aren't cheap. Not to mention the cost
| of medicine, which can get very expensive when you
| consider things like end stage cancer drugs for elderly
| prisoners who can't be released because they're serving
| LWOP, and it all must be paid for by the state.
|
| Or consider institution GED classes. You might say, those
| can easily go on the chopping block to save some money.
| But then you end up with inmates who are released without
| a high school diploma and, lacking educational
| opportunities, are more likely to return to crime. Then
| they go back into the prison system where they use more
| state resources than if they had just been given
| education in the first place. It's easy to imagine
| scenarios in which programs like that are worthwhile in
| the long term _purely for fiscal reasons_ even if you
| care 0% about the welfare of criminals themselves.
| tomp wrote:
| I don't get it. Sounds like all the things the state
| would offer anyways - education and healthcare for poor
| people...
| quickthrowman wrote:
| That cost includes paying all of the staff (guards,
| admin, medical, social workers, etc) and maintaining the
| building(s) and infrastructure, I'm surprised it's only
| $100k a year.
| wesselbindt wrote:
| Canada, a bit more liberal than the US, probably has plenty
| of cities with such policies in place too. Yet, no crime wave
| there. These waves were a result of Kia's choices, and quite
| obviously so.
| TMWNN wrote:
| >Yet, no crime wave there.
|
| On the contrary, Canada's rate of stolen cars is only 10%
| less than the US despite having very few port cities.
| <https://www.bbc.com/news/articles/cy79dq2n093o>
| wesselbindt wrote:
| We're not talking about car theft in general, but about
| the specific crime waves that occurred after the rollout
| of the less than secure Kias in the US and the Kias with
| the proper security measures in Canada.
| edouard-harris wrote:
| There's no Kia-specific crime wave in Canada as far as I
| know (I live there). But there's absolutely a general
| crime wave of car thefts in Canada, and it's quite
| plausibly tied to recent policy choices. Of course the
| effect of policy is going to be additive to the effect of
| blunders like Kia's. But there's good reason to think it
| has enough impact on its own to be worth discussing.
| themaninthedark wrote:
| I'm kind of curious, did Canada have the same spike in the
| "knockout game" that the US did?
|
| If it did, that would point to a US and Canada crime
| trend correlation. If not, then you can't just say that
| the one static variable, city/county level policy and the
| independent variable, immobilizers, are the only factors.
|
| You have different criminal populations, societal values,
| amounts of government aid, rehabilitation programs, etc
| that all play into the analysis.
| sidewndr46 wrote:
| Because car manufacturers have such a clear decision making
| role in the legal and judicial process of a place like
| Milwaukee. It can't be that the government simply realized that
| they aren't legally obliged to deal with any problems the
| populace have and simply let them eat cake in a 21st century
| way.
|
| This couldn't be the same state where they tried to just bribe
| a foreign company known for exploitative labor practices to set
| up a facility there could it:
| https://en.wikipedia.org/wiki/Wisconn_Valley_Science_and_Tec....
| xyst wrote:
| Kia is a joke car manufacturer. It's surprising that they are
| still able to sell cars and stay in business
| roberttod wrote:
| I wasn't sure what an "interlock" was, and it's a breathalyzer
| that prevents the vehicle from starting. Was that a mistake?
|
| Edit: ah! I think you meant engine immobilizer
| sandos wrote:
| How did the insurance companies respond to this? They should
| have made the cars extremely expensive to insure, no?
| aftbit wrote:
| Wait a moment, the key vulnerability appears to be that anyone
| could register as a dealer, but also any dealer could lookup
| information on any Kia even if they didn't sell it or if it was
| already activated!? That seems insane. What if a dealership
| employee uses this to stalk an ex or something?
| lambada wrote:
| A Kia authorised dealer being able to look up any Kia has some
| very useful benefits (for the dealer, and thus Kia).
|
| If a customer has moved into the area and you're now their
| local dealer they're more likely to come to you for any
| problems, including ones involving remote connectivity
| problems. Being able to see the state of the car on Kia's
| systems is important for that.
|
| Is this a tradeoff? Absolutely. Can you make the argument the
| trade off isn't worth it? Absolutely. But I don't think it's an
| unfathomably unreasonable decision to have their dealers able
| to help customers, even if that customer didn't purchase the
| car from that dealer.
| conductr wrote:
| Those aren't the only options. It would be a trivial change to
| allow any dealer to request access to any vehicle and have it
| tied to the active employee's SSO or something similar that at
| least leaves an audit trail and prevents such random access.
| Allowing anyone to be a dealer is the real oversight. They
| could put some checks in place also to prevent the stalker
| situation GP mentioned. It's always going to be possible but
| reduces risk a lot if employee just has to ask someone else
| to approve their access request, even if it's just a rubber
| stamp process making sure the vehicle is actually in need of
| some service
| aftbit wrote:
| In my opinion, the better way to design such a thing would be
| for there to be a private key held in a secure environment
| inside the car which is used to sign credentials which offer
| entitlements to some set of features.
|
| So for example, when provisioning the car initially, the
| dealer would plug into the OBDii port, authenticate to the
| car itself, and then request that the car sign a JWT (or
| similar) which contains the new owner's email address or Kia
| account ID as well as the list of commands that a user is
| able to trigger.
|
| In your scenario, they would plug into the OBDii port,
| authenticate to the car, and sign a JWT with a short
| expiration time that allows them to query whatever they need
| to know about the car from the Kia servers.
|
| The biggest thing you would lose in this case is the ability
| for _any_ dealer to geolocate any car that they don't have
| physical access to, which could have beneficial use cases
| like tracking a stolen car. On the other hand, you trade that
| for actual security against any dealership tracking any car
| without physical access for a huge range of nefarious
| reasons.
|
| Of course, those use cases like repossessing the car or
| tracking a stolen vehicle would still be possible. In the
| former, the bank or dealership could store a token that
| allows tracking location, with an expiration date a few
| months after the end of the lease or loan period. In the
| latter, the customer could track the car directly from their
| account, assuming they had already signed up at the time the
| car was stolen.
|
| You could still keep a very limited unauthenticated endpoint
| available to every dealer that would only answer the question
| "what is the connection status for this vehicle?" That is a
| bit of an information leak, but nowhere near as bad as being
| able to real-time geolocate any vehicle or find any owner's
| email address just given a VIN.
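The design described in the comment above (a key held in the car signs short-lived, scoped grants that the backend verifies), as an added Go example that is not part of the thread or Kia's code. The claim names (`vin`, `sub`, `cmds`, `exp`), command strings, dealer ID and VIN are hypothetical, and the key is generated in memory where a real one would stay in the vehicle's secure hardware.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Grant is the signed payload: who may send which commands to which car, until when.
// Field and claim names are hypothetical.
type Grant struct {
	VIN      string   `json:"vin"`
	Subject  string   `json:"sub"`  // owner account ID or dealer ID
	Commands []string `json:"cmds"` // e.g. "diagnostics", "locate", "unlock"
	Expires  int64    `json:"exp"`  // Unix seconds
}

const header = `{"alg":"EdDSA","typ":"JWT"}`

var b64 = base64.RawURLEncoding

// NewVehicleKey stands in for key generation inside the car's secure hardware.
func NewVehicleKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueGrant runs in the car after local (OBD-II) authentication and signs the
// grant with the vehicle's private key, producing a compact JWS-style token.
func IssueGrant(priv ed25519.PrivateKey, g Grant) (string, error) {
	payload, err := json.Marshal(g)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// Authorize runs on the backend, which holds only the car's public key.
func Authorize(pub ed25519.PublicKey, token, vin, caller, command string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	// Pin the header byte for byte so the token cannot select another algorithm.
	if hdr, err := b64.DecodeString(parts[0]); err != nil || string(hdr) != header {
		return errors.New("unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("bad signature")
	}
	var g Grant
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &g) != nil {
		return errors.New("malformed payload")
	}
	switch {
	case g.VIN != vin:
		return errors.New("grant is for another vehicle")
	case g.Subject != caller:
		return errors.New("grant is for another caller")
	case now.Unix() >= g.Expires:
		return errors.New("grant expired")
	}
	for _, c := range g.Commands {
		if c == command {
			return nil
		}
	}
	return errors.New("command not in grant")
}

func main() {
	pub, priv := NewVehicleKey()
	now := time.Unix(1700000000, 0) // constructed clock value
	vin := "VIN-PLACEHOLDER-0001"   // constructed, not a real VIN
	dealer, _ := IssueGrant(priv, Grant{VIN: vin, Subject: "dealer-42",
		Commands: []string{"diagnostics"}, Expires: now.Add(15 * time.Minute).Unix()})
	fmt.Println(Authorize(pub, dealer, vin, "dealer-42", "diagnostics", now))                // <nil>
	fmt.Println(Authorize(pub, dealer, vin, "dealer-42", "locate", now))                     // command not in grant
	fmt.Println(Authorize(pub, dealer, vin, "dealer-42", "diagnostics", now.Add(time.Hour))) // grant expired
}
```

Because the backend can only verify grants and never mint them, a dealer account without physical access to the car has nothing to present for that VIN.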
| folmar wrote:
| This is quite common in Europe. There is normally no special
| relationship with the original dealer and the service history
| is centralised for most manufacturers.
| belthesar wrote:
| That's not a benefit to me if I can't control how someone
| gets access to my vehicle, dealership or not. If I want a
| dealership to be able to assist me, I should have to
| authorize that dealership to have access, and have the power
| to revoke it at any time. Same for the car manufacturer. It
| ideally should include some combination of factors including
| a cryptographic secret in the car, and some secret I control.
| Transfer of ownership should involve using my car's secret
| and my car's secret to transfer access to those features.
|
| If you feel like this sounds like an asinine level of
| requirements in order for me to feel okay with this
| featureset, I'd require the same level of controls for any
| incredibly expensive, and potentially dangerous liability in
| my control that has some sort of remote backdoor access via a
| cloud. All of this "value add" ends up being an expense and a
| liability to me at the end of the day.
| xyst wrote:
| Any stealership shouldn't be able to lookup information about
| any active/sold car. These interactions need to have consent
| (authorization) from car owner. These authorizations should
| be short lived and can be revoked at any time.
|
| Any of this sound familiar? Yea that's because it's a flow
| (oauth) used by many companies to control access to assets.
|
| Car companies are just not meant to do tech. So common shit
| like this is ignored.
|
| If these car manufacturers can barely shit out barely usable
| "infotainment" systems. Why the fuck are they diving into
| remote access technology?
| amluto wrote:
| This is absurd. If there was a screen on the infotainment
| system where you could allow (temporarily!) the local service
| center of your choice to access your car remotely, fine.
| Otherwise, no thanks.
| lofaszvanitt wrote:
| Security is an afterthought... nobody cares, until shit hits
| the fan.
| dns_snek wrote:
| > What if a dealership employee uses this to stalk an ex or
| something?
|
| Yes, and everyone should remember this the next time these
| companies and their lobbyists run TV ads telling you that your
| wives and daughters will be stalked and raped in a parking lot
| if Right to repair is allowed to pass.
| dns_snek wrote:
| For those who seem to believe I'm exaggerating this:
|
| https://www.youtube.com/watch?v=j0sZpKXMUtA&list=PLhFPpjYO-P...
| k8sToGo wrote:
| What if the internet is used for that?
| troyvit wrote:
| Yeah for some reason I find it so creepy that Kia ties your
| license plate number to your car's functionality. I don't know
| why but I feel like those two things should operate
| exclusively.
| aftbit wrote:
| License plates are incredibly insecure. They are a short,
| easy to automatically recognize ID that is expensive to
| change, and it is a crime to drive while they are covered.
| poxrud wrote:
| That is incorrect, as per the article Kia ties the VIN number
| to the car's functionality. The author used a 3rd party
| service to convert the license plate number to VIN.
| Tempest1981 wrote:
| Maybe this? $0.05 per request
|
| https://platetovin.com/about#pricing
|
| But how are they getting the data?
| bombcar wrote:
| Most states have the data publicly available if you know
| where to look or how to request.
| _rs wrote:
| Uhh this seems like a big fact to gloss over, and
| something I am quite surprised by. Could you point to any
| examples as I'm having a hard time finding anything
| available publicly from any DMVs/states
| mlsu wrote:
| There are no new cars on the market today that don't have a slew
| of connected """features""", right?
|
| Will it ever be possible to have a non-connected car? If so, how?
| What would it actually take? This is not a ranty rhetorical
| question -- I'm actually wondering.
| MarkusWandel wrote:
| Don't know about 2024, but my 2023 Honda Civic EX-B (Canadian
| market) is actually pretty old school. Yes, it has the keyless
| unlock and even a remote engine start button on the keyfob (can
| be disabled, thankfully - car is parked inside and we have
| kids!) But no cellular connectivity, no wifi, and all the
| touchscreen stuff is "extra icing" - all the controls you need
| are there in physical form except for some radio and cell phone
| call functions. Yes, the car may be vulnerable to signal boost
| kind of attacks (to pretend the keyfob is nearby when it's not)
| and possibly the "pop off a headlight and get into the CANbus"
| attack. But no cloud dependency and no way for the cloud to
| reach in and mess things up. Also, the software it does have
| seems "debugged" based on a year of using it.
| gen3 wrote:
| Your Honda almost certainly has HondaLink, which connects via
| cellular
| https://www.honda.ca/en/hondalink/hondalink-2?year=2023&mode...
| and they're probably selling your location data to databrokers
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| MarkusWandel wrote:
| Glad to say it doesn't. Only the top-of-the-line "Touring"
| model is shown as compatible with HondaLink.
| BossingAround wrote:
| In the EU, IIRC, 2024 is the year that EU starts mandating a
| bunch of stuff in vehicles (most notably, speed limiter
| IIUIC).
| akyuu wrote:
| It would be interesting to have a list of modern cars without
| these kinds of connected features, but I haven't found any.
| bdcravens wrote:
| Cut the cords to the cellular module
| gnopgnip wrote:
| You can pull the fuse on a ford maverick and it physically
| disables the telemetry. You could also opt out and disable it
| through the settings. Remote start from your keyfob still
| works. As expected remote start, seeing where you parked,
| remotely locking the car through the ford app will not work.
| cryptonector wrote:
| In the U.S., by 2026, all new cars must have a "kill switch",
| and that includes a remote operation. The requirement is about
| preventing drunk driving, but it's being interpreted by many to
| require a kill switch.
|
| Here's the NHTSA report to Congress about this:
|
| https://www.nhtsa.gov/sites/nhtsa.gov/files/2023-07/Report-t...
|
| > Section 24220, "ADVANCED IMPAIRED DRIVING TECHNOLOGY," of the
| Bipartisan Infrastructure Law (BIL), enacted as the
| Infrastructure Investment and Jobs Act (IIJA), directed that
| "not later than 3 years after the date of enactment of this
| Act, the Secretary shall issue a final rule prescribing a
| Federal motor vehicle safety standard (FMVSS) under section
| 30111 of title 49, United States Code, that requires passenger
| motor vehicles manufactured after the effective date of that
| standard to be equipped with advanced drunk and impaired
| driving prevention technology." Further, the issuance of the
| final rule is subject to subsection (e) "Timing," which
| provides for an extension of the deadline if the FMVSS cannot
| meet the requirements of 49 USC 30111.
|
| Now, I don't see anything in there about a "remote switch", and
| I don't understand how the "remote" bit would work to prevent
| DUI.
| notjulianjaynes wrote:
| I wonder how well current adaptive cruise control/collision
| prevention technology works to _help_ someone safely drive
| drunk. I don't own a car with these features but once rented
| a 2021 Nissan for a road trip and just set the cruise control
| to 70 and it would maintain a safe distance from other cars
| automatically down to like 20 mph iirc. I didn't, but I
| probably could have been drunk and driven that car without
| much issue, not that I am advocating for this.
|
| There's probably already a bunch of data being collected
| about cars parked at e.g. a bar for a few hours that's being
| used to train some AI to detect driving behaviors associated
| with drunk driving or something like that.
| cryptonector wrote:
| If I ever get pulled over for weaving I might just blame it
| on lane assist.
| EricE wrote:
| Anything in the last 10 years is probably ratting you out
| already.
|
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| hollow-moe wrote:
| depends how wide is your definition of "connected features".
| all modern vehicles in the EU are required to have the eCall
| feature which uses cell to send your location in case of a
| crash. Since the hardware is in there I have absolutely no
| faith in car makers/govs to not use it for other purposes (now
| or in the future) https://en.m.wikipedia.org/wiki/ECall
| r00fus wrote:
| As a Kia owner, this was what I was hoping for immediate term,
| FTA: "These vulnerabilities have since been fixed, this tool was
| never released, and the Kia team has validated this was never
| exploited maliciously."
|
| Kia still has a lot of work to do because of bad decisions, but
| at least my vehicle isn't ripe for theft/abuse.
| seanw444 wrote:
| > but at least my vehicle isn't ripe for theft/abuse.
|
| From this particular vulnerability. If anything, I'd still be
| concerned.
| floatrock wrote:
| Yeah, but it shows Kia at least works with security
| researchers instead of suing them into everythings-fine
| silence.
| randomstring wrote:
| The obvious next step is to crawl the whole database of
| vulnerable Kia cars and create a "ride share" app that shows you
| the nearest Kia and unlocks it for you.
| jshdhehe wrote:
| If you get 10x MoM growth you can lobby for it to be legal next
| year
| not_a_dane wrote:
| How much time would you need to redevelop KIAtool with AI?
| jmyeet wrote:
| Where's the strict product liability here? Like, if Kia is making
| a car that's easy to steal and it gets stolen, why isn't that
| Kia's fault and they're responsible for the damages? We're
| talking gross negligence here.
|
| There have been demonstrations of hacking cars remotely to gain
| control of it. You could quite literally kill someone this way.
| This should 100% be the responsibility of the car maker.
|
| Why do we let these companies get away with poor security? It's
| well beyond time we hold them financially and legally responsible
| for foreseeable outcomes from poor security practices.
|
| That doesn't mean any vulnerability incurs liability necessarily.
| A 0day might not meet the bar for gross negligence. But what if
| you were told about the vulnerability and refused to update the
| software for 2 years because a recall like that costs money? Or
| what if you released software using versions with known
| vulnerabilities because you don't want to pay for upgrading all
| the dependencies?
| bdcravens wrote:
| EV6 owner here. Scary stuff, but honestly, I'm not shocked. I
| feel like the EV6 is one of the better available EVs, but is
| hindered by Kia, based on the experience I've had dealing with
| the app and the dealerships.
| georgeburdell wrote:
| I've been telling my friends who want to avoid Tesla that an
| electric Kia is still a Kia
| cryptonector wrote:
| > The License Plate to VIN form uses a third-party API to convert
| license plate number to VIN
|
| I guess that exists to make life easier for police. And because
| all patrol car laptops nation-wide need this, it really can't be
| authenticated meaningfully?
| BenjiWiebe wrote:
| I don't think the police are using this software. I'm pretty
| sure they have their own official access to governmental (DMV)
| records.
| emsign wrote:
| Looks to me like all cars sold by KIA are still owned by KIA. I'm
| not worried about that exploit at all, it has been fixed. I'm
| terrified about how much data about a car and therefore about the
| "owner" is available to KIA. That's totally insane.
| cryptonector wrote:
| Not just KIA. Most if not all major automobile manufacturers
| track a huge amount of data on the vehicles [and their
| owners/operators]. For example, many vehicles come with that
| OnStar thing, and so they have a baseband processor and even
| LTE as well as a GPS receiver, and it's always on even if you
| don't pay for the service, which means that the manufacturer
| gets to know your vehicle's location and all the places you go
| and the routes you take.
| hathawsh wrote:
| OTOH, OnStar's remote disable feature is pretty compelling
| for consumers. It's not hard to find YouTube videos [1] of
| thieves being thwarted safely.
|
| [1] https://www.youtube.com/watch?v=d9FbBgG2axE
| simoncion wrote:
| The price of that feature (constant tracking of your
| vehicle's location) is not worth it in a world where
| entities who sell or give away that location data without
| the vehicle owner's explicit, intentional, actually-
| informed consent do not go to superjail forever.
| umbra07 wrote:
| not worth it _to you_
| Roark66 wrote:
| Why does it have to track your bloody location all the time
| though? Why not make it so it just logs in to the server
| every 5 minutes and asks. "Have I been stolen?" and if the
| answer is yes it activates. Better yet, mandate all
| software like this is open source so no manufacturer can
| claim one thing and do another.
|
| And before anyone says "but the thief can swap the ECU
| before it calls home and if it was continuously reporting at
| least there would be a trail where he did it" it is silly.
| Let's say there indeed is a gps trail leading from in front
| of your house to some alleyway or a forest. Do you think
| the car is still there? Nope.
|
| It is a common fallacy. The manufacturer wants to steal
| your privacy and gives you a useful feature tied to it. Oh,
| do you want to be able to switch the car off remotely when
| it's stolen or not? If so we need to know where you drive
| for next 20 years. And if you ever drove over 80mph we're
| using this to decline your warranty BTW. I
| s3p wrote:
| It's so funny how people arguing for commonsense ability to
| disable car cellular are laughed at. See the Kia Niro forum:
|
| https://www.kianiroforum.com/threads/how-to-remove-head-unit...
| lofaszvanitt wrote:
| After your phone which is the ultimate oppressor device, now
| your car is also snitching on you. Nice future ahead of us.
| grahamj wrote:
| I question some of this though. I have an older Kia that I'm
| pretty sure has no cell modem yet the support table shows it
| can be geolocated.
| EricE wrote:
| If you own a car since about 2010 onwards it's probably ratting
| you out already.
|
| https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
| ThinkingGuy wrote:
| If your car's old enough, though, it may be still stuck with
| a 3G modem that is no longer capable of phoning home.
| exabrial wrote:
| By law, we need to be able to disconnect cars from the cell
| network. This is stupid.
| divbzero wrote:
| By law, we need to be able to disconnect any product whose core
| functionality does not depend on the network.
| grubbs wrote:
| Glad my VW only had a 3G antenna built in. No longer works in the
| US.
| vlark wrote:
| I just want a car that is as dumb as it can be while meeting all
| federal regulations to the highest degree. How hard can that be?
| CatWChainsaw wrote:
| A day ago Louis Rossmann posted on YouTube: "Mazda requires $100+
| subscription for remote start after filing DMCA takedown of open
| source program"
|
| https://www.youtube.com/watch?v=1n0AI5aemUY
|
| "I never hear the ancaps and the hardcore libertarians in my
| comments section... complain about Section 1201 of the DMCA. I
| wish I did more often."
| croes wrote:
| Strike two on KIA's car security after the USB cable disaster
| nkrisc wrote:
| Maybe other manufacturers are also this bad, but I know Kia is
| this bad. I'm never buying a Kia.
|
| But wait, they patched this! Yeah, but they also shipped it.
| theflyingpigeon wrote:
| Kia is a terrible brand anyways
| schaefer wrote:
| My brother owns a Kia, and the constant auto break-ins are
| negatively impacting his mental health.
| grishka wrote:
| If I ever buy a car, it won't have any network interfaces.
| m_kos wrote:
| I am impressed that you were able to contact relevant folks at
| Kia. I tried contacting their security team via Kia's customer
| service and Twitter and was repeatedly told they don't have
| anyone working on security, vulnerabilities, etc. My favorite was
| when they redirected my call to roadside assistance (twice).
| gloosx wrote:
| Connecticut Kia Boyz here? Imagine in some states it's not a
| felony to steal Kias if you're under 18, so they do it for fun
| and even sell them for rides 100$ each.
|
| There is a great Channel 5 documentary on youtube about it,
| definitely recommend to check it!
| xyst wrote:
| Internet connected vehicles are a mistake. Enough time out there
| and mistakes will get re-introduced. If it's not Kia, it will be
| someone else.
|
| You should be able to take out the internet connectivity as a
| consumer. The fact that this exploit worked even if the consumer
| wasn't subscribed is wild.
|
| Car companies just can't do tech.
| mithr wrote:
| In Massachusetts, Kia has disabled Kia Connect for all vehicles
| purchased over the past few years. Any data collected by cars
| must be made accessible to third-party shops, and Kia opted to
| disable any data collection (and thus disable Connect entirely)
| rather than allow that to happen. It doesn't matter where you
| actually live -- as long as you bought in MA, the car's VIN is
| locked out and no one can do anything about it. You're typically
| told this at the very end of the sales process, after everything
| is signed, and it's framed as "oh, by the way, MA has a terrible
| right-to-repair law that has forced Kia to disable Connect, you
| should write your state senator."
|
| It's... interesting to see just how easy it is to access this
| functionality if the VIN check is bypassed.
| stainablesteel wrote:
| it's brought about a lot of shops that can rip the electronic
| tracking devices out of your car pretty easily too, which is
| nice in case you don't feel like being someone's datapoint
___________________________________________________________________
(page generated 2024-09-27 23:02 UTC)