> car thefts

To be specific, I don't think the cities are suing over the car thefts. If I understand correctly, they're suing because the availability of easily hacked Kia cars enabled a wave of other crimes, because the criminals knew they had easy access to a getaway vehicle that couldn't be traced back to them.

> It's fair to say that a company which makes cars that can be stolen with only a USB socket bears significant culpability for car thefts.

WHAT?

I don’t have my wallet on a chain, do I have some responsibility if I get pickpocketed?

These criminals are breaking the law, it is ENTIRELY their fault. Any other interpretation has way, way too many logic holes and strange consequences that says it’s our fault when a criminal willingly breaks the law.

I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.

It’s far more expensive than you may assume.

Locking 1,000 people up for a decade costs ~1 billion dollars. So even slightly more aggressive policies get expensive fast, and a surprising number of people “age out” of these kinds of crimes. It’s not clear if it’s hormones or what but you’ll see people with extensive rap sheets who end up as productive members of society in their 30’s or 40’s and beyond.

They just have no space left in the jails, what can you do... I guess they hope that as long as protesters get a spot the damage to society will be manageable.

>Yet, no crime wave there.

On the contrary, Canada's rate of stolen cars is only 10% less than the US despite having very few port cities. <https://www.bbc.com/news/articles/cy79dq2n093o>

[flagged]

Even for the most heinous crimes, the death penalty has one massive glaring practical problem.

What if the sentenced person is actually innocent? No amount of apologies or recompensation will bring that person back.

Given how flagrantly governments have been using pedophiles as an excuse for curtailing our right to privacy, I don't trust them to execute civilians for this reason (or any). False convictions (intentionally so, in worse-governed countries) are a thing, and I do not cheer for the prospect of giving the government yet another reason to murder its citizens.

Advocacy in favor of the death penalty is never about "death penalty for murderers/rapists" but "death penalty for people convicted of being murderers/rapists". Practice has shown there's a big difference

The problem isn't that we need better locks, but that we need locks at all.

Within my lifetime we've gone from leaving the backdoor unlocked at night and leaving the car keys on the seat (or in the ignition) from being the normal practice to being unthinkable.

You're focusing on the wrong govt policies.

Citation needed for the claim any significant fraction of the US population believe that regulations are completely unnecessary.

This runs directly contrary to my lived experience here, so unless you can provide evidence it sure seems like you're just stereotyping an entire nation to engage in ideological warfare.

I’ll certainly never buy another Korean car.

Even if that’s true, they are clearly nowhere near as “cheap and plenty” as watching a Tik Tok video. The spike in crime was far greater than normal random variation.

Not really. At least not for those immobilizers that don't use "proprietary" ciphers. Automotive loves security through obscurity until it bites them in the ass. Today most manufacturers have moved to AES128, which is not cheap to brute force, especially if there is a rolling code (should be the case for many)

But you are right that there are many (older models) that use ciphers with know quick exploits: TI's DTS40/DTS80 (40/80bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.

NXP's HTAG2 - most commonly used one in the '00s - 48bit proprietary cipher, a lot less exploited in the wild than the TI's disastrous two variants.

This is correct, the usual procedure is: steal kia or hyundai with your friends using the no-interlock exploit --> find other cars to carjack (at gunpoint), or individuals to rob --> ditch stolen cars when no longer needed. Exploit no-pursuit policies as needed.

Just wait, next they'll ban USB cables.

Have you considered not living in such an environment of fear? I have no idea of your circumstances, but this is something I see in my local relatives all the time. They buy ring cams and security systems, scrutinize nextdoor, etc. In reality, they are incomparably rich and safe compared to most. Personally I refuse to buy into this nonsense and just go about my life, despite living in a place that's far more dangerous by the numbers.

In some places in the US, you can leave your doors open and car unlocked and no one will touch it. Perhaps a friendly neighbour may remind you, but that's about it.

As much as some narrative wants us to think, we don't need to be forced to live in effectively the same conditions as a maximum-security prison in order to have no crime.

Cars (and other things) being easy to steal isn't the problem.

I agree and still it's also the lack of regulation that enabled it to happen, and 2nd order effects of it is the increase in carjackings.

It's a pretty good argument for the regulation, since everyone else is already doing it just make it the standard.

Of course you are. The alternative is to blame the governments (of places like Chicago or Milwaukee), or the people doing the theft.

Wow they will not live that down!

?

Maybe this? $0.05 per request

https://platetovin.com/about#pricing

But how are they getting the data?

The price of that feature (constant tracking of your vehicle's location) is not worth it in a world where entities who sell or give away that location data without the vehicle owner's explicit, intentional, actually-informed consent do not go to superjail forever.

Why does it have to track your bloody location all the time though? Why not make it so it just logs in to the server every 5 minutes and asks. "Have I been stolen?" and if the answer is yes it activates. Better yet, mandate all software like this is open source so no manufacturer can claim one thing and do another.

And before anyone says "but the thief can swap the ECU before it calls home and if it was continously reporting at least there would be a trail where he did it" it is silly. Let's say there indeed is a gps trail leading from in front of your house to some alleyway or a forest. Do you think the car is still there? Nope.

It is a common fallacy. The manufacturer wants to steal your privacy and gives you a useful feature tied to it. Oh, do you want to be able to switch the car off remotely when it's stolen or not? If so we need to know where you drive for next 20 years. And if you ever drove over 80mph we're using this to decline your warranty BTW. I

It should be possible to physically disable the cellular modem in the vehicle, wherever that is. I have a 2020 Volvo that is definitely online, waiting for me to activate some pricey online subscription that I don't want or need.

Would be nice to have a organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.

I was just going to say the same as it's stated pretty early in the article

> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.

If this should tell companies anything is that most of these services should be opt-in instead of opt-out in favor of security and privacy.

> As the article says, you don't need an active subscription to be vulnerable.

OP was talking about not buying a car that requires a subscription to activate, not about whether the subscription makes you vulnerable.

No doubt today, but in another very realistic in the sense that's perfectly logic and possible since more than a decade, where government have digital IDs who are smart-cards not crapplications, and with them certified mails with a personal domain and the ISP router is just a FLOSS homeserver (as it is actually, being GNU/Linux embedded machines with a tailored PBX, Samba to offer usb network storage, CUPS for serving a usb-connected printer and so on, just a bit more powerful and open.

In such world thanks to the commonality of FLOSS we have dedicated distros and package for such iron, widespread enough to be commonly available in users hands. As a result the security risks are still more than zero but much, much less and many who could since their car is their own, not owned for real by the OEM, they could simply cut the connection if they do want so.

Such open world could be done in few years by laws, and anything is already there since decades. It's a matter of knowledge and will.

I don't think you have enough nines.

I installed an aftermarket remote start kit in the 90s. It cost less than $100.

Locking my car through the app is a genuinely useful feature. Ever parked, left your car, and thought to yourself "damn, did I lock my car?". Just lock it through the app.

I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.

Remote start via phone is still useful in cold climates. While getting a ride with a friend to my car left at some location I've been able to start & get it warmed up before we even got off the highway.

It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.

Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).

Remote start is also useful in hot climates, and for similar reasons.

I dont want to carry another stupid fob around. My goal in life is to carry a dumb smart phone that can unlock anything.

Automatic unlock with a phone is not an anti feature. If it replaces your key fob completely, then it’s one less thing you have to carry. I haven’t carried keys of any kind for… 6 years at this point?

Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.

I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10 digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.

Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?

Please explain how in your mind are they doing remote climate control, then?

Yeah, important distinction

> What do you get from CarPlay that you don't get from a connected car without CarPlay?

Software quality and security updates on the internet-facing component.

It was well done on my previous car and current car. So it would appear that your claim does not hold.

It's well done in Tesla.

It's very well done in my car.

If I ever get pulled over for weaving I might just blame it on lane assist.

Glad to say it doesn't. Only the top-of-the-line "Touring" model is shown as compatible with HondaLink.

But that's not what this would be, this would be gaining access to the system without permission.

It doesn't matter if my door has shitty locks, you still can't enter my house unless I invite you.

Not yet fully public, sorry :(

I will give you one hint: cars have sensors that are read wirelessly by ECUs on the internal (unprotected) network.

I think you misunderstood the insinuation.[1] I believe they're suggesting that otherwise legitimate vulnerability concerns are discounted in favor of a laissez faire market policy unless and until the concerns are framed by a xenophobic narrative. IOW, xenophobia trumps capitalism, but not measured security concerns.

[1] But that's why sarcasm is usually frowned upon on HN.

Why would the average consumer car about intelligence of a foreign state? I, for one, have no fear of China presently but the climate in the USA isn't very pro free speech.

If it only impacted automakers they might do it. However if you apply this standard to cars you will have to apply it to a lot of other sectors. After all why stop at car makers. Why should other appliances not get the same treatment like IoT as well? A lot of other companies would hate to have this standard applied to them hence they lobby against it as well.

https://parts.subaru.com/p/Subaru_2020_/Remote-Engine-Starte...

Not sure how you program it to your car, but I would get it just so I don't need to use an app.

Gonna keep me 2012 toyota a biiiit longer then. Sorry climate.

GM introduced this functionality 25 years ago with OnStar. It's been around so long the technology is considered legacy with support farmed out to Filipinos.

The fact that your car needs "somewhat frequent" updates doesn't concern you? Cars are effectively appliances, they should work right the first time, with minor updates here and there to fix serious issues which can be done in the safety of a shop at next scheduled service, and not risk pulling a Rivian and bricking the entire fleet at the push of a button.

Tesla does a lot of the “slick” features very well, but at least for me, they have been failing miserably at the basics:

- customer service: took 3 weeks to get my last service appointment, so I couldn’t drive my car for that long (service was because the charge port door wouldn’t open); was not told that when I had to replace the touchscreen (it had bubbles in it and I live in a very moderate climate), I would no longer have a radio.

- basic/critical features being poorly designed or seemingly had little thought put into them: see the above charge port door issue; window seals that drip going through the car wash; no physical controls for anything so you have to focus on the touchscreen while driving; other random fit and finish issues just due to substandard workmanship.

- substandard software: frequent issues and bugs with basic operation; after my touchscreen was replaced, the glove box pin no longer opens the glove box (minor nit, but annoying); loads of other random little annoyances.

Kia charges more than that IIRC and has none of those notifications, which would actually be useful (e.g. window open).

Recalls that can be fixed with over the air updates is a large financial reason to connect cars to the internet.

Personally, I’d rather connect to my WiFi where I have control, but that’s a lot to ask for regular consumers.

Hyundai and Kia use an 800V high voltage electrical system. The upshot is their vehicles charge scary fast, peaking in the mid 200kW's

Android 4? I had a 2017 Kia Ceed where I hacked the head unit, and I'm sure that was at least Android 6?

https://youtube.com/watch?v=YS2K_quFWuY

Note: the technical details are very lacking so it may not be that interesting to most here. tl;dw: there is a reseller that shouldn't be selling the tablets to "unauthorized" people and some other tidbits about how the thief operates.