Hacking Kia: Remotely Controlling Cars with Just a License Plate

239 points, posted 9 hours ago
by speckx

143 Comments

tptacek

5 hours ago

This won't have nearly the same impact, but when you're considering how vulnerabilities like this might influence your future purchasing decisions, remember that Kia's decision to omit interlocks from their US vehicles (but not Canadian ones!) led to a nationwide epidemic of Kia thefts so large it fed a crime wave, something a number of US cities are suing Kia over. If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.

wallaBBB

3 hours ago

Regarding the Kia Boyz - immobilizers have been mandatory in most of Europe since the late 90s, in Canada since 2007. Basically there is something to put on (lack of) regulations as well as on HKMC.

Sohcahtoa82

2 hours ago

In the USA, we believe we don't need regulations, the Free Market(tm) will punish corporations that don't behave in a way that benefits their customers!

Insane to me that so many people believe this...

throw10920

25 minutes ago

Citation needed for the claim any significant fraction of the US population believe that regulations are completely unnecessary.

This runs directly contrary to my lived experience here, so unless you can provide evidence it sure seems like you're just stereotyping an entire nation to engage in ideological warfare.

dsr_

16 minutes ago

It doesn't need to be the population believing that regulations are completely unnecessary.

It just needs to be a sufficient number of politicians understanding that their donors and prospective donors find specific regulation of their industry overbearing.

op00to

33 minutes ago

I’ll certainly never buy another Korean car.

thfuran

25 minutes ago

And never an American one after the Pinto, and never a German one after the VW testing scam, and never a Japanese one after the recent safety scandal? I guess you can still get a Jaguar, so your mechanic won't complain.

vasco

2 hours ago

From my understanding immobilizer bypass tools are cheap and plenty.

acdha

2 hours ago

Even if that’s true, they are clearly nowhere near as “cheap and plenty” as watching a TikTok video. The spike in crime was far greater than normal random variation.

wallaBBB

26 minutes ago

Not really. At least not for those immobilizers that don't use "proprietary" ciphers. Automotive loves security through obscurity until it bites them in the ass. Today most manufacturers have moved to AES128, which is not cheap to brute force, especially if there is a rolling code (should be the case for many)

But you are right that there are many (older models) that use ciphers with known quick exploits: TI's DTS40/DTS80 (40/80bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.

NXP's HTAG2 - most commonly used one in the '00s - 48bit proprietary cipher, a lot less exploited in the wild than the TI's disastrous two variants.

mozman

16 minutes ago

you can just reprogram a new seed via canbus, don’t need to brute force it

mass_and_energy

2 hours ago

We Canucks need all the features we can get to stop cars from being stolen, without exaggeration a car is stolen in Canada every 5 minutes on average.

SpaghettiCthulu

an hour ago

Too bad the only thing our current government can think to do is ban the FlipperZero.

Eumenes

3 hours ago

> something a number of US cities are suing Kia over

I can think of nothing more American than suing car manufacturers because they're too easy to steal. The US is truly screwed.

tptacek

2 hours ago

They're being sued because they deliberately made the cars easier to steal in the US than they are elsewhere.

adolph

5 hours ago

> If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.

"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?

Terr_

4 hours ago

> However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation.

I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.

An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.

levocardia

4 hours ago

This is correct, the usual procedure is: steal kia or hyundai with your friends using the no-interlock exploit --> find other cars to carjack (at gunpoint), or individuals to rob --> ditch stolen cars when no longer needed. Exploit no-pursuit policies as needed.

tptacek

4 hours ago

I've posted this point a couple times on HN and I guess I will keep posting until people stop expressing surprise that trivially stealable cars are a precursor to carjackings. I'm not dunking, there's no good reason for people to intuit that! But it's a really important thing to understand.

potato3732842

2 hours ago

I'd really like to see a citation for carjackings going up more than any other crime that a stolen car enables.

Cars are hard to fence and if you have a stolen car there's other crimes you can commit that have similar upsides and lower sentences/risks. For example ATMs never run over your buddies or shoot back at you.

tptacek

an hour ago

Carjacked cars are usually recovered. They're not carjacked so they can be sold on some weird car black market.

op00to

30 minutes ago

All stolen cars are usually recovered. The recovery rate is something like 85%.

adolph

3 hours ago

Thanks and thanks to the upthread explanations.

Part of what makes it unintuitive is the specificity:

  * Why Milwaukee and Chicago instead of everywhere?
  * Why carjacking and not a general increase in crimes that could be facilitated by an unassociated car (bank robbery, toll violations, etc)?

tptacek

2 hours ago

The phenomenon started in Milwaukee (the "Kia Boys" challenge), and I happen to live in Chicagoland, which experienced a huge wave of carjackings immediately afterwards. I have one of them recorded on my Nest camera in the alley behind my house. Nothing in particular about those two cities otherwise.

As the sibling points out: it's a broader issue than just carjackings --- but the carjackings themselves were novel, scared the shit out of people in a way that stochastic-seeming strong arm robberies don't. The headline here is: it was a gravely negligent thing for Kia to have done; I hope they lose their shirts.

kgermino

3 hours ago

FWIW the associated crime wave was much broader than carjacking (and I’m actually not aware of a particular increase in carjackings specifically due to the Kia issues but I don’t know) but the Kia issues seem to have started in Milwaukee.

For whatever reason, it became A Thing here more than a year before it went national. Car thefts in Milwaukee more than doubled (entirely due to a stupidly large increase in Kia/Hyundai thefts) and we got a reputation for Kia thefts before it became a national issue

anarticle

32 minutes ago

"Places like" include Philadelphia. It's not a closed set, just some examples. I have friends that have had their KIA stolen this way, and others that have outright sold their car to get a different brand due to how prevalent it is here.

jeffbee

2 hours ago

I question whether Milwaukee and Chicago are outstanding examples. I looked at a few reputable sources and neither those cities nor their states seem to be extremes in terms of car theft rates. Most of these law enforcement agencies are not specifically breaking out carjacking.

Random presentation of car theft stats comparing Chicago to a handful of others. We hear a lot about Chicago because many have a vested interest in deflecting discussions about crime. When was the last time you heard about the insane motor vehicle theft rate of Dallas? https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...

Tool_of_Society

2 hours ago

Hell, Mississippi as a state might soon pass Chicago in murder rate per capita. Chicago last year had a murder rate of 22.85 per 100,000 while Mississippi had a murder rate of 20.7 per 100,000. Louisiana had 19.8 and Alabama had 18.6.

tptacek

an hour ago

Chicago isn't even in the top 10 per capita. It's just a very big city that everybody forgets is a very big city.

reaperducer

2 hours ago

> Why Milwaukee and Chicago instead of everywhere?

It wasn't just in those cities, it was nationwide. The poster was using those cities as examples because they are familiar to him.

wasteduniverse

5 hours ago

Don't anthropomorphize the lawnmower and blame Kia for this, blame the NHTSA for making it legal to skimp out on immobilizers in the first place. Regulations matter!

tptacek

4 hours ago

Since Kia/Hyundai is the only automotive group to have this problem, I'm going to go ahead continuing to blame them.

piva00

3 hours ago

I agree and still it's also the lack of regulation that enabled it to happen, and 2nd order effects of it is the increase in carjackings.

It's a pretty good argument for the regulation, since everyone else is already doing it just make it the standard.

pengaru

3 hours ago

> Volkswagen has entered the chat

randomstring

5 hours ago

The obvious next step is to crawl the whole database of vulnerable Kia cars and create a "ride share" app that shows you the nearest Kia and unlocks it for you.

aftbit

5 hours ago

Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could look up information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?

lambada

4 hours ago

A Kia authorised dealer being able to look up any Kia has some very useful benefits (for the dealer, and thus Kia).

If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.

Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.

aftbit

4 hours ago

In my opinion, the better way to design such a thing would be for there to be a private key held in a secure environment inside the car which is used to sign credentials which offer entitlements to some set of features.

So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.

In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.

The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.

Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.

You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
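The design proposed in the comment above, sketched as an added example (not part of the thread and not Kia's implementation): the car signs scoped, expiring grants with a key that never leaves it, and the backend authorizes a command only against the public key registered for the VIN being acted on. The function names, claim fields, VINs and subjects are hypothetical; Ed25519 and the JWT-style layout are assumptions.

```javascript
// Added illustration only. Function names and claim fields are hypothetical.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (text) => Buffer.from(text, 'base64url');

// Vehicle side: the key pair is generated inside the car and only the public
// key is registered with the backend. A plain object stands in for the
// secure environment here.
function provisionVehicle(vin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { vin, publicKey, privateKey };
}

// Vehicle side: sign a grant for a caller who has already authenticated over
// the OBD-II port (that authentication step is not modelled).
function issueToken(vehicle, grant, nowSeconds) {
  const header = b64u(JSON.stringify({ alg: 'EdDSA', typ: 'JWT' }));
  const payload = b64u(JSON.stringify({
    vin: vehicle.vin,
    sub: grant.subject,
    cmds: grant.commands,
    iat: nowSeconds,
    exp: nowSeconds + grant.ttlSeconds,
  }));
  const signingInput = `${header}.${payload}`;
  const signature = crypto.sign(null, Buffer.from(signingInput), vehicle.privateKey);
  return `${signingInput}.${b64u(signature)}`;
}

// Backend side: the verification key is selected by the VIN being acted on,
// never by anything inside the token, and the algorithm is pinned.
function authorize(registry, token, vin, command, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, signature] = parts;

  const publicKey = registry.get(vin);
  if (!publicKey) return { ok: false, reason: 'unknown-vehicle' };

  let alg;
  try {
    alg = JSON.parse(fromB64u(header).toString('utf8')).alg;
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (alg !== 'EdDSA') return { ok: false, reason: 'bad-alg' };

  const signed = Buffer.from(`${header}.${payload}`);
  if (!crypto.verify(null, signed, publicKey, fromB64u(signature))) {
    return { ok: false, reason: 'bad-signature' };
  }

  // Claims are parsed only after the signature has been checked.
  let claims;
  try {
    claims = JSON.parse(fromB64u(payload).toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!claims || claims.vin !== vin) return { ok: false, reason: 'wrong-vehicle' };
  if (typeof claims.exp !== 'number' || nowSeconds >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  if (!Array.isArray(claims.cmds) || !claims.cmds.includes(command)) {
    return { ok: false, reason: 'not-entitled' };
  }
  return { ok: true, reason: 'ok', subject: claims.sub };
}

// Constructed scenario: two cars, an owner grant and a 15-minute dealer grant.
function demo() {
  const now = 1700000000; // constructed timestamp
  const carA = provisionVehicle('VIN-EXAMPLE-A');
  const carB = provisionVehicle('VIN-EXAMPLE-B');
  const registry = new Map([[carA.vin, carA.publicKey], [carB.vin, carB.publicKey]]);

  const owner = issueToken(carA, {
    subject: 'owner@example.com', commands: ['lock', 'unlock', 'locate'], ttlSeconds: 365 * 86400,
  }, now);
  const dealer = issueToken(carA, {
    subject: 'dealer-example', commands: ['status'], ttlSeconds: 900,
  }, now);

  // A dealer-held token edited to add "locate", keeping the old signature.
  const [h, p, s] = dealer.split('.');
  const edited = JSON.parse(fromB64u(p).toString('utf8'));
  edited.cmds.push('locate');
  const forged = `${h}.${b64u(JSON.stringify(edited))}.${s}`;

  const check = (tok, vin, cmd, t) => authorize(registry, tok, vin, cmd, t).reason;
  return {
    ownerUnlock: check(owner, carA.vin, 'unlock', now + 60),
    dealerStatus: check(dealer, carA.vin, 'status', now + 60),
    dealerLocate: check(dealer, carA.vin, 'locate', now + 60),
    dealerStatusLater: check(dealer, carA.vin, 'status', now + 901),
    forgedLocate: check(forged, carA.vin, 'locate', now + 60),
    otherCar: check(dealer, carB.vin, 'status', now + 60),
  };
}

console.log(demo());
```

The dealer grant works only for the one car that signed it, only for `status`, and only until it expires; there is no dealer role on the backend that can be claimed without the car's signature.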

conductr

4 hours ago

Those aren’t the only options. It would be a trivial change to allow any dealer to request access to any vehicle and have it tied to the active employee's SSO or something similar that at least leaves an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service.

belthesar

2 hours ago

That's not a benefit to me if I can't control how someone gets access to my vehicle, dealership or not. If I want a dealership to be able to assist me, I should have to authorize that dealership to have access, and have the power to revoke it at any time. Same for the car manufacturer. It ideally should include some combination of factors including a cryptographic secret in the car, and some secret I control. Transfer of ownership should involve using my car's secret and my car's secret to transfer access to those features.

If you feel like this sounds like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.

folmar

3 hours ago

This is quite common in Europe. There is normally no special relationship with the original dealer and the service history is centralised for most manufacturers.

troyvit

2 hours ago

Yeah for some reason I find it so creepy that Kia ties your license plate number to your car's functionality. I don't know why but I feel like those two things should operate exclusively.

aftbit

36 minutes ago

License plates are incredibly insecure. They are a short, easy to automatically recognize ID that is expensive to change, and it is a crime to drive while they are covered.

k8sToGo

3 hours ago

What if the internet is used for that?

lofaszvanitt

3 hours ago

Security is an afterthought... nobody cares, until shit hits the fan.

dns_snek

3 hours ago

> What if a dealership employee uses this to stalk an ex or something?

Yes, and everyone should remember this the next time these companies and their lobbyists run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.

emsign

4 hours ago

Looks to me like all cars sold by KIA are still owned by KIA. I'm not worried about that exploit at all, it has been fixed. I'm terrified about how much data about a car and therefore about the "owner" is available to KIA. That's totally insane.

cryptonector

3 hours ago

Not just KIA. Most if not all major automobile manufacturers track a huge amount of data on the vehicles [and their owners/operators]. For example, many vehicles come with that OnStar thing, and so they have a baseband processor and even LTE as well as a GPS receiver, and it's always on even if you don't pay for the service, which means that the manufacturer gets to know your vehicle's location and all the places you go and the routes you take.

grahamj

3 hours ago

I question some of this though. I have an older Kia that I’m pretty sure has no cell modem yet the support table shows it can be geolocated.

lofaszvanitt

3 hours ago

After your phone which is the ultimate oppressor device, now your car is also snitching on you. Nice future ahead of us.

bityard

5 hours ago

Well, I am already pretty firmly against buying any car that requires you to create an account online to "activate" the vehicle. But I definitely won't buy another Kia anyway, based on the fact that our last one burned a quart of oil every thousand miles WELL before it hit the 100k mark.

barbazoo

5 hours ago

> car that requires you to create an account online to "activate" the vehicle

I have a 2023 Kia and that's not necessary. You only need the account if you want to use the optional online services.

sahmeepee

5 hours ago

As the article says, you don't need an active subscription to be vulnerable. In this case it seems that if the model supports the features at all, you are vulnerable.

This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.

I'm not sure if you can buy a tinfoil hat for a car.

mikepurvis

5 hours ago

It should be possible to physically disable the cellular modem in the vehicle, wherever that is. I have a 2020 Volvo that is definitely online, waiting for me to activate some pricey online subscription that I don't want or need.

Would be nice to have an organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.

hunter2_

4 hours ago

In my VW, the cellular modem and something I actually use (I think it's the Bluetooth microphone) are in the same module, so pulling the fuse or disabling it in the CAN gateway would be too heavy-handed. I would need to spend hours getting to, and into, the module. Or maybe replace the antenna with an effective dummy load / terminator? Tons of trim work. Luckily it's old enough to be 2G, and my understanding is most towers no longer speak to it, so I haven't pursued it further.

0cf8612b2e1e

4 hours ago

But if it is not online, you will not be able to download the latest patches. Like the ones that prevent new remote exploits.

tspike

4 hours ago

How did we ever survive without computerized vehicles?

mandevil

2 hours ago

We tolerated worse gas mileage (computer controlled fuel injection, transmission, etc.), safety (anti-lock brakes), etc. We added computers because we wanted to lessen the effects of climate change and keep more people alive.

nis0s

5 hours ago

I was just going to say the same as it's stated pretty early in the article

> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.

If this should tell companies anything, it is that most of these services should be opt-in instead of opt-out in favor of security and privacy.

jdminhbg

2 hours ago

> As the article says, you don't need an active subscription to be vulnerable.

OP was talking about not buying a car that requires a subscription to activate, not about whether the subscription makes you vulnerable.

mlsu

5 hours ago

There are no new cars on the market today that don't have a slew of connected """features""", right?

Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.

cryptonector

3 hours ago

In the U.S., by 2026, all new cars must have a "kill switch", and that includes a remote operation. The requirement is about preventing drunk driving, but it's being interpreted by many to require a kill switch.

Here's the NHTSA report to Congress about this:

https://www.nhtsa.gov/sites/nhtsa.gov/files/2023-07/Report-t...

> Section 24220, “ADVANCED IMPAIRED DRIVING TECHNOLOGY,” of the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act (IIJA), directed that “not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard (FMVSS) under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology.” Further, the issuance of the final rule is subject to subsection (e) “Timing,” which provides for an extension of the deadline if the FMVSS cannot meet the requirements of 49 USC 30111.

Now, I don't see anything in there about a "remote switch", and I don't understand how the "remote" bit would work to prevent DUI.

notjulianjaynes

3 hours ago

I wonder how well current adaptive cruise control/collision prevention technology works to help someone safely drive drunk. I don't own a car with these features but once rented a 2021 Nissan for a road trip and just set the cruise control to 70 and it would maintain a safe distance from other cars automatically down to like 20 mph iirc. I didn't, but I probably could have been drunk and driven that car without much issue, not that I am advocating for this.

There's probably already a bunch of data being collected about cars parked at e.g. a bar for a few hours that's being used to train some AI to detect driving behaviors associated with drunk driving or something like that.

cryptonector

2 hours ago

If I ever get pulled over for weaving I might just blame it on lane assist.

MarkusWandel

5 hours ago

Don't know about 2024, but my 2023 Honda Civic EX-B (Canadian market) is actually pretty old school. Yes, it has the keyless unlock and even a remote engine start button on the keyfob (can be disabled, thankfully - car is parked inside and we have kids!) But no cellular connectivity, no wifi, and all the touchscreen stuff is "extra icing" - all the controls you need are there in physical form except for some radio and cell phone call functions. Yes, the car may be vulnerable to signal boost kind of attacks (to pretend the keyfob is nearby when it's not) and possibly the "pop off a headlight and get into the CANbus" attack. But no cloud dependency and no way for the cloud to reach in and mess things up. Also, the software it does have seems "debugged" based on a year of using it.

gnopgnip

4 hours ago

You can pull the fuse on a ford maverick and it physically disables the telemetry. You could also opt out and disable it through the settings. Remote start from your keyfob still works. As expected remote start, seeing where you parked, remotely locking the car through the ford app will not work.

hollow-moe

3 hours ago

Depends how wide is your definition of "connected features". All modern vehicles in the EU are required to have the eCall feature which uses cell to send your location in case of a crash. Since the hardware is in there I have absolutely no faith in car makers/govs to not use it for other purposes (now or in the future) https://en.m.wikipedia.org/wiki/ECall

akyuu

4 hours ago

It would be interesting to have a list of modern cars without these kinds of connected features, but I haven't found any.

bdcravens

4 hours ago

Cut the cords to the cellular module

sxcurity

9 hours ago

Stop connecting vehicles to the internet pls & thanks

kkfx

5 hours ago

Well... There is no reason to have a middleman like the OEM, so the car could be connected just with the formal owner (i.e. with a personal subdomain or dyndns), FLOSS stack under users control and some hard limits (like you can't act on the car if it is moving and so on).

Rebelgecko

2 hours ago

I would guess 99.9% of car owners who use the app would not set up a personal subdomain or manage a FLOSS stack

thfuran

20 minutes ago

I don't think you have enough nines.

AdamJacobMuller

5 hours ago

If it's done well, there are some useful features there.

App unlock, remote start + remote temperature control. All very useful.

I couldn't imagine buying a car without carplay now.

rwmj

5 hours ago

Sorry no. App unlock is a stupid anti-feature, do people genuinely think it's better than pressing a keyfob?

Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.

AyyEye

5 hours ago

I installed an aftermarket remote start kit in the 90s. It cost less than $100.

kube-system

5 hours ago

Many of the earlier aftermarket remote start kits were cheap and simple because the vehicles had fewer security features. They are more complex and expensive today, and some are questionable in their implementation.

tspike

4 hours ago

Right, the point is that complexity is unnecessary.

somehnguy

5 hours ago

Remote start via phone is still useful in cold climates. While getting a ride with a friend to my car left at some location I've been able to start & get it warmed up before we even got off the highway.

It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.

Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).

toast0

4 hours ago

For safety, you're really not supposed to remote start a vehicle if you can't observe it / are in contact with someone who is observing it. Lots of potential hazards, but it can be convenient.

Rebelgecko

2 hours ago

Can you give an example of a hazard? I genuinely can't think of one- at least on my car, when you remote start it is still locked so it's not like anyone can get in and drive it away (and even if someone breaks in I don't think it'll go into Drive without a key in the vehicle)

toast0

an hour ago

If the tailpipe is restricted (by snow, say), you're likely to damage the car. If it runs poorly when it starts, and it's unsupervised, it could result in damage that would have been avoided if you were present and shut it down in a reasonable amount of time.

If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.

If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.

Kirby64

3 hours ago

With an EV, this isn't a concern. No tailpipe fumes or whatnot to worry about. Also, in pretty much any public space where you would park it (i.e., outside of your own garage), this isn't a concern either.

cryptonector

3 hours ago

Remote start is also useful in hot climates, and for similar reasons.

mavamaarten

4 hours ago

Locking my car through the app is a genuinely useful feature. Ever parked, left your car, and thought to yourself "damn, did I lock my car?". Just lock it through the app.

I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.

asdasdsddd

3 hours ago

I don't want to carry another stupid fob around. My goal in life is to carry a dumb smart phone that can unlock anything.

Kirby64

5 hours ago

Automatic unlock with a phone is not an anti feature. If it replaces your key fob completely, then it’s one less thing you have to carry. I haven’t carried keys of any kind for… 6 years at this point?

Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.

devilbunny

4 hours ago

> I haven’t carried keys of any kind for… 6 years at this point?

You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.

Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.

Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.

Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?

Kirby64

3 hours ago

> Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.

How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.

> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?

In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.

grahamj

3 hours ago

Yep. I’ve forgotten or lost keys in the past and been locked out, but never have all of my e-locks and garage died at once.

jdminhbg

2 hours ago

> Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.

This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.

asdasdsddd

3 hours ago

The time I save pays for a locksmith many times over. I also give my friends/my condo spares so this is never actually an issue.

toomuchtodo

5 hours ago

I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10 digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.

Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?

roywiggins

5 hours ago

Is it really so much better than an RF keyfob that it's worth connecting your car to the Internet for?

toomuchtodo

5 hours ago

Yes, I accept the risk and threat model. RF fobs are compromised frequently as well. Unless you rip the cellular module out of my vehicles, I will find it, and someone is just going to break the window if they want in.

Edit: Non connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).

https://www.google.com/search?q=fob+relaying+theft+attack

potato3732842

4 hours ago

> Yes, I accept the risk and threat model.

> Edit: Non connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).

Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?

toomuchtodo

4 hours ago

DHS, CISA and NHTSA already exist to provide cyber regulatory mechanisms at the intersection of automotive and telematics or other software/connected scope. If an entity ships shit, apply punitive punishment to the offender (NHTSA forces software updates as recalls today, but can do much more). Software and connectedness is not going away [1] [2], so secure software development, actual QA, and real change management must be strongly encouraged through incentives. "The beatings will continue until the security posture improves."

[1] https://www.techradar.com/pro/security/hackers-are-increasin...

[2] https://www.cisa.gov/news-events/alerts/2024/09/25/threat-ac...

roywiggins

5 hours ago

Of course, with this Kia attack, it didn't matter if you had never used or activated the feature, it was still vulnerable. With keyfobs you can just not use it or destroy it if you are worried about relay attacks.

Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.

almostnormal

4 hours ago

Risk/threat I would accept. Leaking data - to telcos by constantly being connected to some cell tower and explicitly to the manufacturer whatever they decide to transmit - is the part I don't like.

I don't even carry a phone for that reason.

natch

5 hours ago

Nice lifehack; I'm going to do this. Please share more if you have them.

lowkj

5 hours ago

CarPlay doesn't use your car's internet, it uses your phone's internet. That's part of the whole beauty of it.

natch

5 hours ago

Please explain how in your mind are they doing remote climate control, then?

mplewis

4 hours ago

Through the car’s cellular connection.

FriedPickles

5 hours ago

Unlock via Bluetooth is perfectly viable without internet connection (unless you mean unlocking it for someone else?). Remote start and temp control should probably work from a few hundred feet away. If only phones had a longer range local radio, perhaps something like Zigbee. Maybe WiFi direct?

morkalork

4 hours ago

If the car manufacturer can remote unlock and start your car for you, it can be abused by a hacker in the same way. It's the exact same argument against backdoors in encryption for the government: if a backdoor works for them, it'll work for hackers too.

natch

5 hours ago

Why do you give CarPlay credit for those features? No need for CarPlay for any of those. What do you get from CarPlay that you don't get from a connected car without CarPlay?

yjftsjthsd-h

4 hours ago

> What do you get from CarPlay that you don't get from a connected car without CarPlay?

Software quality and security updates on the internet-facing component.

whiplash451

5 hours ago

It just doesn’t have to be the internet.

AyyEye

5 hours ago

It's never well done.

yreg

3 hours ago

It's well done in Tesla.

bigstrat2003

5 hours ago

It was well done on my previous car and current car. So it would appear that your claim does not hold.

natch

5 hours ago

It's very well done in my car.

r00fus

5 hours ago

As a Kia owner, this was what I was hoping for immediate term, FTA: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously."

Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.

seanw444

an hour ago

> but at least my vehicle isn't ripe for theft/abuse.

From this particular vulnerability. If anything, I'd still be concerned.

exabrial

3 hours ago

By law, we need to be able to disconnect cars from the cell network. This is stupid.

divbzero

3 hours ago

By law, we need to be able to disconnect any product whose core functionality does not depend on the network.

grubbs

3 hours ago

Glad my VW only had a 3G antenna built in. No longer works in the US.

cryptonector

4 hours ago

> The License Plate to VIN form uses a third-party API to convert license plate number to VIN

I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?

vlark

2 hours ago

I just want a car that is as dumb as it can be while meeting all federal regulations to the highest degree. How hard can that be?

bdcravens

4 hours ago

EV6 owner here. Scary stuff, but honestly, I'm not shocked. I feel like the EV6 is one of the better available EVs, but is hindered by Kia, based on the experience I've had dealing with the app and the dealerships.

jmyeet

4 hours ago

Where's the strict product liability here? Like, if Kia is making a car that's easy to steal and it gets stolen, why isn't that Kia's fault and they're responsible for the damages? We're talking gross negligence here.

There have been demonstrations of hacking cars remotely to gain control of it. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.

Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.

That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to update the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?

georgeburdell

4 hours ago

I’ve been telling my friends who want to avoid Tesla that an electric Kia is still a Kia

diego_moita

5 hours ago

Ok, lesson learned. Thank you.

I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.

Yes, I felt stupid. But a little less stupid now.

Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?

aftbit

5 hours ago

>These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.

bluSCALE4

5 hours ago

Don't feel stupid, feel a little angry. The only thing you could have done to prevent this was not buy a Kia.

not_a_dane

5 hours ago

How much time would you need to redevelop KIAtool with AI?

meindnoch

5 hours ago

What if we had laws that required car manufacturers to have software with slightly better quality than the utter syphilitic diarrhea they currently ship?

outworlder

15 minutes ago

Hardware companies usually suck at doing software.

alexandersvozil

5 hours ago

I cannot connect to Kia anymore, would have not worked on me