This won't have nearly the same impact, but when you're considering how vulnerabilities like this might influence your future purchasing decisions, remember that Kia's decision to omit interlocks from their US vehicles (but not Canadian ones!) led to a nationwide epidemic of Kia thefts so large it fed a crime wave, something a number of US cities are suing Kia over. If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
> it fed a crime wave, something a number of US cities are suing Kia over
A large part of the crime wave stems from the policies these cities implemented. Many times from the same leaders who are suing Kia now.
For instance, a friend got their car stolen in D.C. After they caught the guy, they let him go with no consequences, because they said he was under 25 and it was the first time they caught him. D.C. recently put a convicted murderer on the sentencing commission who believes that this kind of "it's not really their fault if they're under 25" thinking should be extended to murders as well.
Local politicians even told us there wasn't a crime wave, and that it was just a fake narrative. Then when that stopped working, they started pointing fingers at everyone else they could.
To be specific, I don't think the cities are suing over the car thefts. If I understand correctly, they're suing because the availability of easily hacked Kia cars enabled a wave of other crimes, because the criminals knew they had easy access to a getaway vehicle that couldn't be traced back to them.
> It's fair to say that a company which makes cars that can be stolen with only a USB socket bears significant culpability for car thefts.
WHAT?
I don’t have my wallet on a chain, do I have some responsibility if I get pickpocketed?
These criminals are breaking the law, it is ENTIRELY their fault. Any other interpretation has way, way too many logic holes and strange consequences that says it’s our fault when a criminal willingly breaks the law.
If suddenly a massive number of cars are stolen, that's the government's problem. (As now police forces have to deal with criminals trivially obtaining getaway cars)
So it seems reasonable that the manufacturer in question should be sued for the cost of the additional police resources required.
> If suddenly a massive number of cars are stolen, that's the government's problem.
I have no idea why you jump to that conclusion.
The problem is clearly the person breaking the law.
But anyway, going with what you said...
> So it seems reasonable that the manufacturer in question should be sued
Wait, if it's the government's problem, then THEY should be sued for not requiring manufacturers to have these anti-theft devices (as the Canadian government does). The auto manufacturer is building cars precisely as the US government mandated them to.
It seems like you're trying to bend logic to blame anyone and everyone other than the people who are breaking the law.
The linked page doesn’t define ‘social consequences of their choices’ nor do any of the linked or cited texts, and most don’t even touch on the issue of differences between ‘companies’ making a choice and individuals within the companies making a choice.
I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.
So if a window manufacturer decides to save money and not put latches on their windows, enabling them to be opened from the outside at will, and home invasions spike, that manufacturer isn't a large part of the problem?
Part of the problem and the only cause are not the same thing.
Both Kia and the thieves can be in the wrong. Trying to break it down to one cause is never going to work.
Some car will always be the easiest to steal. People should always take reasonable precautions. But crime is still crime; if someone leaves their car running with the door unlocked as they run into the store and it gets stolen - they made a mistake but the criminal did a crime.
Your use of “only cause” was the first in this discussion.
Lots of people get sued for lots of things. Nowhere does it say that suits can succeed only if the defendant is the sole cause of the problem. See: Takata air bags. Huge liability, but in any given incident it wouldn’t be a problem unless someone else caused an accident. Yet Takata does not get to say “or defective product wouldn’t have been a problem if Mr. Doofus hadn’t rear-ended you”
Binary is great for computers, less good in legal thinking.
> Your use of “only cause” was the first in this discussion.
No, but this statement implied Kia wasn't at fault because someone else committed the crime...
> I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.
So sure, that was the first use of "only cause"; in the same way that "there was 1 light" and "there weren't multiple lights" aren't the same words; but they contain the same information.
He was talking about civil liability. The concept you’ve tripped over here is called intervening superseding causes and the criminal only destroys the tortfeasor’s liability if his intervening criminal cause is unforeseeable.
Here, because the entire purpose of car immobilizers is theft protection, the thief is foreseeable and his crime does not supersede.
I’m a little troubled by your use of the word “asinine” in this context.
What about door locks? Or the ignition that had to be ripped out to use the usb stick trick? Does everyone have to use a club or hidden kill switch to not have them blamed.
I’d be willing to guess you won’t use this word salad when describing sexual crimes.
No they are not. At best they are a minor contributor. If people want security latches and whatnot they can buy them and pay accordingly. An easy to steal care beats no car every day of the week.
I live in a not great part of what's arguably the bluest state in the nation (which is to say this isn't some dumb red state "tough on crime" thing) and I can't imagine someone being able to go around checking windows or car doors for very long without a free ride in a cop car. Windows here are unlatched from May to September. I bet a lot of those houses have Kias in the driveway that they've had no theft problems with as we only have about a dozen car thefts per year here.
Ford Superduties over a huge year range can be stolen much the same way (you also have to punch out a lock before taking a screwdriver to the column) until very recently as PATS was not standard on the higher GVW stuff but those are expensive trucks so shitting on them doesn't scratch the same "validate my $50k purchase of something else" itch that crapping on Kia does.
And yet we have laws that disallow things that the buyer could just avoid by not purchasing. Because, as a society, we find it unacceptable for vendors to do certain things. And we hold them at fault if the do bad things, even if the buyer had the option to not buy it in the first place.
That being said, how many people buying Kias _knew_ the problem existed? You can't make an educated choice if the information isn't really available to be educated about.
There's a lot of this sort of thing in the UK at the moment which is really baffling to me.
One extreme is the death sentence, sure.
But on the other end it feels as if there are constant stories of career criminals who just do thing after thing after thing. It's not like someone just accidentally gets caught up in multiple assaults/robberies/break-ins etc. At some point you have to just think, okay, there's no rehabilitating this guy, how do we minimise the damage to society.
Locking 1,000 people up for a decade costs ~1 billion dollars. So even slightly more aggressive policies get expensive fast, and a surprising number of people “age out” of these kinds of crimes. It’s not clear if it’s hormones or what but you’ll see people with extensive rap sheets who end up as productive members of society in their 30’s or 40’s and beyond.
I'm aware that it's expensive but the alternative is pretty horrific.
A person that goes about assaulting people is a significant drain on society. It's not even just monetary, it ruins trust, it ruins the relations between the people who aren't antisocial. It also has the moral hazard effect of increasing the number of others that see that this behaviour ultimately goes unpunished.
As far as I'm concerned, there are very few legitimate reasons to raise taxes, but police and prisons are one of them, they are not problems that individuals can solve in the private sector.
>> treat your presence on the road like an inconvenience
Aren’t we all a bit guilty of that? Maybe not all the time - when I see an ambulance whizz past or a fire truck, I’m appreciative of their efforts.
But everyone else? You’re just in the way ultimately. There isn’t much pleasure to be derived in waiting around for someone to have their fair turn at the intersection or whatever.
Obviously as a rational human I’m quite capable of suppressing such thoughts and generally abide by the traffic laws, but the point still stands.
> Locking 1,000 people up for a decade costs ~1 billion dollars.
This is a purely political decision, not an inherent cost of jailing.
Your number comes down to $100k per person per year. That’s just insane. Many families earn less than that (post-tax)!
And obviously jail is supposed to be cheaper than non-jail life in the first place, because you’re not paying for luxury, just food, (cheap) rent and security.
But why? I mean, just put each prisoner in a separate cell, why would you need more than 1 employee per 20-50 prisoners? Ok, maybe 3, for 24 hour rotation... Make sure you never unlock more than a single cell, and keep guns, lots of guns.
You need lots of doctors, especially with an aging prison population. Doctors aren't cheap. Not to mention the cost of medicine, which can get very expensive when you consider things like end stage cancer drugs for elderly prisoners who can't be released because they're serving LWOP, and it all must be paid for by the state.
Or consider institution GED classes. You might say, those can easily go on the chopping block to save some money. But then you end up with inmates who are released without a high school diploma and, lacking educational opportunities, are more likely to return to crime. Then they go back into the prison system where they use more state resources than if they had just been given education in the first place. It's easy to imagine scenarios in which programs like that are worthwhile in the long term purely for fiscal reasons even if you care 0% about the welfare of criminals themselves.
Prisoners should have access to healthcare and education at a similar level as provided for the general population. Other than security-related cost increases, the government is already bearing those costs.
That cost includes paying all of the staff (guards, admin, medical, social workers, etc) and maintaining the building(s) and infrastructure, I’m surprised it’s only $100k a year.
They just have no space left in the jails, what can you do... I guess they hope that as long as protesters get a spot the damage to society will be manageable.
Canada, a bit more liberal than the US, probably has plenty of cities with such policies in place too. Yet, no crime wave there. These waves were a result of Kia's choices, and quite obviously so.
We're not talking about car theft in general, but about the specific crime waves that occurred after the rollout of the less than secure Kias in the US and the Kias with the proper security measures in Canada.
There's no Kia-specific crime wave in Canada as far as I know (I live there). But there's absolutely a general crime wave of car thefts in Canada, and it's quite plausibly tied to recent policy choices. Of course the effect of policy is going to be additive to the effect of blunders like Kia's. But there's good reason to think it has enough impact on its own to be worth discussing.
I'm kind curious, did Canada have the same spike in the "knockout game" that the US did?
If it did, that would point to a US and Canada crime trend correlation. If not, then you can't just say that the one static variable, city/county level policy and the independent variable, immobilizers, are the only factors.
You have different criminal populations, societal values, amounts of government aid, rehabilitation programs, etc that all play into the analysis.
Regarding the Kia Boyz - immobilizers have been mandatory in most of Europe since late 90s, in Canada since 2007.
Basically there is something to put on (lack of) regulations as well as on HKMC.
In the USA, we believe we don't need regulations, the Free Market(tm) will punish corporations that don't behave in a way that benefits their customers!
The problem isn't that we need better locks, but that we need locks at all.
Within my lifetime we've gone from leaving the backdoor unlocked at night and leaving the car keys on the seat (or in the ignition) from being the normal practice to being unthinkable.
We did when I was a kid. Nobody locked their doors in my town. In fact multiple people just had blanks over the holes meant for deadbolts.
Then the local powerplant shut down, and the manufacturing associated with it left as well. The largest employer in the area besides those two moved operations to China. Then methamphetamine became popular and then heroin, too.
For the majority of my childhood and teenage years the door was never locked. I don’t think it’s a British thing to leave your keys on the seat, but they were always in the hallway, right next to the unlocked door (like everyone else I knew).
I’m trying to think of the point this changed, and I can’t, but I would guess around 2008-2010 or so.
Maybe that's the goal. By creating the Kia Boyz situation, through omission of proven controls used in other countries, we created a nice conduit for more draconian measures.
Citation needed for the claim any significant fraction of the US population believe that regulations are completely unnecessary.
This runs directly contrary to my lived experience here, so unless you can provide evidence it sure seems like you're just stereotyping an entire nation to engage in ideological warfare.
Forty-nine states recklessly allow florists to sell flowers without a license. Only the good people of Louisiana are safe from dangers of unregulated flower purchases.
It doesn't need to be the population believing that regulations are completely unnecessary.
It just needs to be a sufficient number of politicians understanding that their donors and prospective donors find specific regulation of their industry overbearing.
And never an American one after the Pinto, and never a German one after the VW testing scam, and never a Japanese one after the recent safety scandal? I guess you can still get a Jaguar, so your mechanic won't complain.
I had been planning to keep driving my car for quite some time, but recently it's developed a weird engine noise and a check engine light that nobody can resolve. I'm not sure I'll be able to give EV charging a few more years to sort itself out.
Even if that’s true, they are clearly nowhere near as “cheap and plenty” as watching a Tik Tok video. The spike in crime was far greater than normal random variation.
Not really. At least not for those immobilizers that don't use "proprietary" ciphers.
Automotive loves security through obscurity until it bites them in the ass.
Today most manufacturers have moved to AES128, which is not cheap to brute force, especially if there is a rolling code (should be the case for many)
But you are right that there are many (older models) that use ciphers with know quick exploits:
TI's DTS40/DTS80 (40/80bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.
NXP's HTAG2 - most commonly used one in the '00s - 48bit proprietary cipher, a lot less exploited in the wild than the TI's disastrous two variants.
Those type of attacks (CAN injections) are very OEM specific, and come from deep insider knowledge, not something you fuck around and find out.
I’m assuming you’re referring to Toyota, but anyways please give direct reference to the attack you’re referring to.
Keep in mind any need for expensive equipment is already a deterrent for many.
Idk what the pattern is where you are, but the majority of stolen cars where I am are not sold or stripped or anything like that. They're used for N days and then ditched somewhere. Used either for joyriding, living in, crash&grab, or whatever.
One of my old neighbors had their same car stolen like 2-3 times, always ditched and found after some number of days missing.
That was the big shift here for the Kia mess. Normally the thieves tend to be professionals so the stolen ones are at a port or being stripped soon afterwards, but when that hit TikTok there were a lot more joyrides and brief use for theft/robbery because it was a bunch of teenagers who didn’t have much of a plan.
> If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?
> However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation.
I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.
An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.
This is correct, the usual procedure is: steal kia or hyundai with your friends using the no-interlock exploit --> find other cars to carjack (at gunpoint), or individuals to rob --> ditch stolen cars when no longer needed. Exploit no-pursuit policies as needed.
I've posted this point a couple times on HN and I guess I will keep posting until people stop expressing surprise that trivially stealable cars are a precursor to carjackings. I'm not dunking, there's no good reason for people to intuit that! But it's a really important thing to understand.
I'd really like to see a citation for carjackings going up more than any other crime that a stolen car enables.
Cars are hard to fence and if you have a stolen car there's other crimes you can commit that have similar upsides and lower sentences/risks. For example ATMs never run over your buddies or shoot back at you.
I worry that single percentage might be hiding some complexities like a subcategory of cars with a much lower recovery rate, or having the term "recovered" encompassing "as scrap".
Part of what makes it unintuitive is the specificity:
* Why Milwaukee and Chicago instead of everywhere?
* Why carjacking and not a general increase in crimes that could be facilitated by an unassociated car (bank robbery, toll violations, etc)?
The phenomenon started in Milwaukee (the "Kia Boys" challenge), and I happen to live in Chicagoland, which experienced a huge wave of carjackings immediately afterwards. I have one of them recorded on my Nest camera in the alley behind my house. Nothing in particular about those two cities otherwise.
As the sibling points out: it's a broader issue than just carjackings --- but the carjackings themselves were novel, scared the shit out of people in a way that stochastic-seeming strong arm robberies don't. The headline here is: it was a gravely negligent thing for Kia to have done; I hope they lose their shirts.
FWIW the associated crime wave was much broader than carjacking (and I’m actually not aware of a particular increase in carjackings specifically due to the Kia issues but I don’t know) but the Kia issues seem to have started in Milwaukee.
For whatever reason, it became A Thing here more than a year before it went national. Car thefts in Milwaukee more than doubled (entirely due to a stupidly large increase in Kia/Hyundai thefts) and we got a reputation for Kia thefts before it became a national issue
I question whether Milwaukee and Chicago are outstanding examples. I looked at a few reputable sources and those cities nor their states seem to be extremes in terms of car theft rates. Most of these law enforcement agencies are not specifically breaking our carjacking.
Random presentation of car theft stats comparing Chicago to a handful of others. We hear a lot about Chicago because many have a vested interest in deflecting discussions about crime. When was the last time you heard about the insane motor vehicle theft rate of Dallas? https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
Hell Mississippi as a state might soon pass Chicago in murder rate per capita. Chicago last year had a murder rate of 22.85 per 100,000 while Mississippi had a murder rate of 20.7 per 100,000. Louisiana had 19.8 and Alabama had 18.6..
"Places like" include Philadelphia. It's not a closed set, just some examples. I have friends that have had their KIA stolen this way, and others that have outright sold their car to get a different brand due to how prevalent it is here.
We Canucks needs all the features we can get to stop cars from being stolen, without exaggeration a car is stolen in Canada every 5 minutes on average.
I'm about to take delivery of a Toyota Sienna in Canada, and despite it being a minivan, it's a Toyota which are popular to steal right now. I plan to use both a steering wheel and accelerator pedal club. I've watched videos of both devices being rendered futile in less than 60 seconds but I hope that it will deter the less determined thieves. Then, after my kids have thoroughly destroyed the interior, I will hope that it gets stolen.
Have you considered not living in such an environment of fear? I have no idea of your circumstances, but this is something I see in my local relatives all the time. They buy ring cams and security systems, scrutinize nextdoor, etc. In reality, they are incomparably rich and safe compared to most. Personally I refuse to buy into this nonsense and just go about my life, despite living in a place that's far more dangerous by the numbers.
You're mistaken. I'm not cowering in fear or fright as you imagine. I am merely pragmatic considering I have waited two years for the vehicle to be delivered and I know that if it's stolen the insurance company will not payout for a replacement vehicle. It will payout what I paid but a slightly used replacement will cost more than what I am about pay due to the constrained market for these vehicles. As for your circumstance, I'm glad you have come to a reasoning that is suitable to you.
I mean it depends. In Toronto you could do that (and I usually agree with you about say, home security), but then you don't really choose where you get to park your car every time. And in a way I'd be more stressed to know that I could lose my car if I parked it somewhere that I don't know, and that I can't do anything about it once it gets stolen, versus just putting 2 locks.
But again, I totally agree with you about the weirdness of people going full military compounds in residential areas.
Because car manufacturers have such a clear decision making role in the legal and judicial process of a place like Milwaukee. It can't be that the government simply realized that they aren't legally obliged to deal with any problems the populace have and simply let them eat cake in a 21st century way.
In some places in the US, you can leave your doors open and car unlocked and no one will touch it. Perhaps a friendly neighbour may remind you, but that's about it.
As much as some narrative wants us to think, we don't need to be forced to live in effectively the same conditions as a maximum-security prison in order to have no crime.
Cars (and other things) being easy to steal isn't the problem.
Eh, if we were really that litigious (or if our being litigious were at all effective) gun manufacturers would have been sued into oblivion a long time ago.
Don't anthropomorphize the lawnmower and blame Kia for this, blame the NHTSA for making it legal to skimp out on immobilizers in the first place. Regulations matter!
The obvious next step is to crawl the whole database of vulnerable Kia cars and create a "ride share" app that shows you the nearest Kia and unlocks it for you.
Something kinda like that was done, TikTok apparently algorithmically identified likely 'drivers' and flooded them with videos instructing and glorifying taking the cars for a joyride... while other platforms did not promote and even took those videos down.
Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could lookup information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?
A Kia authorised dealer being able to look up any Kia has some very useful benefits (for the dealer, and thus Kia).
If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.
Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.
In my opinion, the better way to design such a thing would be for there to be a private key held in a secure environment inside the car which is used to sign credentials which offer entitlements to some set of features.
So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.
In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.
The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.
Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.
You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
Those aren’t the only options. It would be trivial change to allow any dealer to request access to any vehicle and have it tied to the active employees SSO or something similar that at least leave an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service
This is quite common in Europe. There is normally no special relationship with the original dealer and the service history is centralised for most manufacturers.
Any stealership shouldn’t be able to lookup information about any active/sold car. These interactions need to have consent (authorization) from car owner. These authorizations should be short lived and can be revoked at any time.
Any of this sound familiar? Yea that’s because it’s a flow (oauth) used by many companies to control access to assets.
Car companies are just not meant to do tech. So common shit like this is ignored.
If these car manufacturers can barely shit out barely usable “infotainment” systems. Why the fuck are they diving into remote access technology?
That's not a benefit to me if I can't control how someone gets access to my vehicle, dealership or not. If I want a dealership to be able to assist me, I should have to authorize that dealership to have access, and have the power to revoke it at any time. Same for the car manufacturer. It ideally should include some combination of factors including a cryptographic secret in the car, and some secret I control. Transfer of ownership should involve using my car's secret and my car's secret to transfer access to those features.
If you feel like this sound like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.
This is absurd. If there was a screen on the infotainment system where you could allow (temporarily!) the local service center of your choice to access your car remotely, fine. Otherwise, no thanks.
> What if a dealership employee uses this to stalk an ex or something?
Yes, and everyone should remember this the next time these companies and their lobbyist run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.
Yeah for some reason I find it so creepy that Kia ties your license plate number to your car's functionality. I don't know why but I feel like those two things should operate exclusively.
That is incorrect, as per the article Kia ties the VIN number to the car’s functionality. The author used a 3rd party service to convert the license plate number to VIN.
Uhh this seems like a big fact to gloss over, and something I am quite surprised by. Could you point to any examples as I’m having a hard time finding anything available publicly from any DMVs/states
In Michigan anyone can do a in-person plate lookup for about $15 and it comes back with complete registration information including name and address. VIN and car details as well.
The $15 makes this pretty hard to scale too. The link someone posted was $0.05/request. I'd love to see how/where you can get this data in bulk from a primary source.
License plates are incredibly insecure. They are a short, easy to automatically recognize ID that is expensive to change, and it is a crime to drive while they are covered.
The article isn't clear, but it sounds like the cars were already being tracked, only now also "unauthorized" people could track them (when before, only Kia and car dealers could track your car).
Why is it okay for Kia/manufacturers to spy on our cars, and only a problem when others do it? This attitude is pervasive in reporting on hacks like these - the initial spying by corporations is always given a pass (or rather, it is implied that's not even "tracking", as the title implies the tracking happened only after the hack).
Almost all modern cars have a way of providing or grabbing location data, however most manufactures do not "Spy" on your car by default, this would violate CCPA, colorados privacy act, GDPR... ETC. The users need to opt-in to telematics data. For example in Hyundai case when you create a "Blue link" account and accept their terms of service you are connecting whatever vehicle you have verified on your account to their telematics system, and subsequently opting in to tracking.
Manufactures like VW/Audi place an opt out within the vehicle itself so if you opt out of telematics in the vehicle you are in a full privacy mode and the manufacture cannot get the data or override this request. This covers the scenario if other "Users" of the vehicle are driving and would choose to opt out outside of the main users/owner.
So some bake it into your app registration and signup, and some leave it in the vehicle. The gist is you can opt out, and if the manufacturer does not respect that you have grounds to sue, Currently there is a lawsuit against GM/Caddy because a user did not opt-in to Usage Based Insurance, but their information was captured and brokered blocking them from acquiring new insurance.
The EFF [1] is less optimistic that all of this spying is opt-in and clearly-stated (instead of buried in legalese), and Wired [2] likewise mentions cases where it's opt-out instead of -in.
Looks to me like all cars sold by KIA are still owned by KIA. I'm not worried about that exploit at all, it has been fixed. I'm terrified about how much data about a car and therefore about the "owner" is available to KIA. That's totally insane.
Not just KIA. Most if not all major automobile manufacturers track a huge amount of data on the vehicles [and their owners/operators]. For example, many vehicles come with that OnStar thing, and so they have a baseband processor and even LTE as well as a GPS receiver, and it's always on even if you don't pay for the service, which means that the manufacturer gets to know your vehicle's location and all the places you go and the routes you take.
The price of that feature (constant tracking of your vehicle's location) is not worth it in a world where entities who sell or give away that location data without the vehicle owner's explicit, intentional, actually-informed consent do not go to superjail forever.
Why does it have to track your bloody location all the time though? Why not make it so it just logs in to the server every 5 minutes and asks. "Have I been stolen?" and if the answer is yes it activates. Better yet, mandate all software like this is open source so no manufacturer can claim one thing and do another.
And before anyone says "but the thief can swap the ECU before it calls home and if it was continously reporting at least there would be a trail where he did it" it is silly. Let's say there indeed is a gps trail leading from in front of your house to some alleyway or a forest. Do you think the car is still there? Nope.
It is a common fallacy. The manufacturer wants to steal your privacy and gives you a useful feature tied to it. Oh, do you want to be able to switch the car off remotely when it's stolen or not? If so we need to know where you drive for next 20 years. And if you ever drove over 80mph we're using this to decline your warranty BTW. I
Well, I am already pretty firmly against buying any car that requires you to create an account online to "activate" the vehicle. But I definitely won't buy another Kia anyway, based on the fact that our last one burned a quart of oil every thousand miles WELL before it hit the 100k mark.
As the article says, you don't need an active subscription to be vulnerable. In this case it seems that if the model supports the features at all, you are vulnerable.
This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.
I'm not sure if you can buy a tinfoil hat for a car.
It should be possible to physically disable the cellular modem in the vehicle, wherever that is. I have a 2020 Volvo that is definitely online, waiting for me to activate some pricey online subscription that I don't want or need.
Would be nice to have a organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.
In my VW, the cellular modem and something I actually use (I think it's the Bluetooth microphone) are in the same module, so pulling the fuse or disabling it in the CAN gateway would be too heavy-handed. I would need to spend hours getting to, and into, the module. Or maybe replace the antenna with an effective dummy load / terminator? Tons of trim work. Luckily it's old enough to be 2G, and my understanding is most towers no longer speak to it, so I haven't pursued it further.
We tolerated worse gas mileage (computer controlled fuel injection, transmission, etc.), safety (anti-lock brakes), etc. We added computers because we wanted to lessen the effects of climate change and keep more people alive.
You're using a broad definition of "computer".
We've had these features for decades now, until recently the logic was handled by microcontrollers. It's not clear that the functionality requires computing devices also capable of data gathering, storage and upload.
Not really. Personal vehicles are responsible for such miniscule portion of co2 emissions it barely matters.
Emission regulations enjoy popular support because of city air quality, not climate change. Yes, people tolerate taxes on CO2 emitted by their vehicles (do you have that in the US BTW?) because it has a very beneficial side effect of also limiting particulates and NOx CO and such emissions that actually killed hundreds of people every year in major city centers. Also caused lifelong disability for many children(asthma).
I was just going to say the same as it's stated pretty early in the article
> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
If this should tell companies anything is that most of these services should be opt-in instead of opt-out in favor of security and privacy.
In Massachusetts, Kia has disabled Kia Connect for all vehicles purchased over the past few years. Any data collected by cars must be made accessible to third-party shops, and Kia opted to disable any data collection (and thus disable Connect entirely) rather than allow that to happen. It doesn't matter where you actually live — as long as you bought in MA, the car's VIN is locked out and no one can do anything about it. You're typically told this at the very end of the sales process, after everything is signed, and it's framed as "oh, by the way, MA has a terrible right-to-repair law that has forced Kia to disable Connect, you should write your state senator."
It's... interesting to see just how easy it is to access this functionality if the VIN check is bypassed.
its brought about a lot of shops that can rip the electronic tracking devices out of your car pretty easily too, which is nice in case you don't feel like being someone's datapoint
Well... There is no reason to have a middleman like the OEM, so the car could be connected just with the formal owner (i.e. with a personal subdomain o dyndns), FLOSS stack under users control and some hard limits (like you can't act on the car if it moving and so on).
No doubt today, but in another very realistic in the sense that's perfectly logic and possible since more than a decade, where government have digital IDs who are smart-cards not crapplications, and with them certified mails with a personal domain and the ISP router is just a FLOSS homeserver (as it is actually, being GNU/Linux embedded machines with a tailored PBX, Samba to offer usb network storage, CUPS for serving a usb-connected printer and so on, just a bit more powerful and open.
In such world thanks to the commonality of FLOSS we have dedicated distros and package for such iron, widespread enough to be commonly available in users hands. As a result the security risks are still more than zero but much, much less and many who could since their car is their own, not owned for real by the OEM, they could simply cut the connection if they do want so.
Such open world could be done in few years by laws, and anything is already there since decades. It's a matter of knowledge and will.
Sorry no. App unlock is a stupid anti-feature, do people genuinely think it's better than pressing a keyfob?
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
Many of the earlier aftermarket remote start kits were cheap and simple because the vehicles had fewer security features. They are more complex and expensive today, and some are questionable in their implementation.
Locking my car through the app is a genuinely useful feature. Ever parked, left your car, and thought to yourself "damn, did I lock my car?". Just lock it through the app.
I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.
My key fob has two way communication and like a half mile range in urban areas.
If I ever park and wonder “damn did I lock my car” I can look at my key fob and see if it has a locked or unlocked padlock on it. As long as I remember sometime within like 20 minutes of parking (assuming I spend 20 minutes walking away from it in a straight line), I can lock it if I _did_ forget. I’ll get confirmation that it locked if I do that and the command makes it through.
Mine also works even where there’s no cell reception!
Which is all to say… I’d prefer better key fobs instead of cellular modems and cloud services.
Doubt it. Mine's aftermarket. The manufacturer doesn't offer remote start on their manual transmission vehicles so I had to get an aftermarket system if I wanted remote start for those -50 days. Mine's a little older / less fancy than some of those linked[0] but essentially the same.
I doubt it would ever solve my problem (they're still not going to offer half the functionality on a M/T vehicle), but there's no reason they couldn't offer something like this as a couple hundred dollar option on most of their vehicles. They already basically have all the hardware in the car I figure.
Remote start via phone is still useful in cold climates. While getting a ride with a friend to my car left at some location I've been able to start & get it warmed up before we even got off the highway.
It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.
Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).
For safety, you're really not supposed to remote start a vehicle if you can't observe it / are in contact with someone who is observing it. Lots of potential hazards, but it can be convenient.
With an EV, this isn't a concern. No tailpipe fumes or whatnot to worry about. Also, in pretty much any public space where you would park it (i.e., outside of your own garage), this isn't a concern either.
Can you give an example of a hazard? I genuinely can't think of one- at least on my car, when you remote start it is still locked so it's not like anyone can get in and drive it away (and even if someone breaks in I don't think it'll go into Drive without a key in the vehicle)
If the tailpipe is restricted (by snow, say), you're likely to damage the car. If it runs poorly when it starts, and it's unsupervised, it could result in damage that would have been avoided if you were present and shut it down in a reasonable amount of time.
If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.
If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.
Automatic unlock with a phone is not an anti feature. If it replaces your key fob completely, then it’s one less thing you have to carry. I haven’t carried keys of any kind for… 6 years at this point?
Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.
> I haven’t carried keys of any kind for… 6 years at this point?
You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.
Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
I've found myself stuck out of the office in minus fifteen degrees because the keylock app had stopped working due to a backend upgrade gone subtly bad.
Fortunately this was in an urban area and I could find a cafe that was open within the walking distance. I don't know if they allowed pets to thaw in there. It took about an hour for maintenance to open the doors (with a damned key) and let people in.
> Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.
> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.
In the UK, and I'm guessing a lot of other parts of the world, many people live in apartments with only a single entrance door.
Pets which require medications on a schedule might become very ill without them. But yes, I suspect that any country where the weather is enough to kill your pet should probably be running AC/heat on a thermostat instead of manual. (Here in the UK, we rarely have AC, and a lot of people just put on heat manually when they're cold - but our weather is pretty mild.)
Personally I would never rely on a phone to get me into a house or vehicle. Mine runs out of battery too frequently. I've already been bitten by not being able to take a bus because my phone died and I couldn't pay for a ticket.
Smart locks typically have more option than just a phone to open them. Keypad, fingerprint, etc.
For ones that support Apple's Homekey, it doesn't even matter if your battery runs out. Apple devices still provide Homekey via NFC even with a dead phone.
I don't think this exists yet for car keys, although I know there's work on UltraWide Band key support.
Also, this seems substanially less fragile than just... losing a pair of keys. It's not evitable that your battery in your lock runs out (again, unless you ignore warnings), but losing your keys is one of those 'hard to prepare for' events.
Migitation for losing your keys could just be keeping a spare key with a neighbor/friend/whatever... but, well, you can do that with an e-lock too (cause they all have regular keys for true backup).
> the doors were locked from the inside by the dog
That happened to me once. Keys were in the car too. We had to try to get the dog to step on the button again to unlock the car, which she eventually did. Glad it wasn't a hot day.
> Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.
I didn't want it off. It was New Orleans in summer. I wanted it unlocked.
I suppose you could dream up some situation in which the fob is outside the car, someone is inside, creepy people come up and take the fob, and you want to be protected by locking from the inside.
But in that case, internet unlocking should be blocked as well, right?
It was a very bizarre experience. Anyway, wouldn't have mattered: it's my wife's car, not mine. So I wouldn't have the app.
I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10 digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.
Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?
Yes, I accept the risk and threat model. RF fobs are compromised frequently as well. Unless you rip the cellular module out of my vehicles, I will find it, and someone is just going to break the window if they want in.
Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Of course, with this Kia attack, it didn't matter if you had never used or activated the feature, it was still vulnerable. With keyfobs you can just not use it or destroy it if you are worried about relay attacks.
Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.
>Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?
DHS, CISA and NHTSA already exist to provide cyber regulatory mechanisms at the intersection of automotive and telematics or other software/connected scope. If an entity ships shit, apply punitive punishment to the offender (NHTSA forces software updates as recalls today, but can do much more). Software and connectedness is not going away [1] [2], so secure software development, actual QA, and real change management must be strongly encouraged through incentives. "The beatings will continue until the security posture improves."
Risk/threat I would accept. Leaking data - to telcos by constantly being connected to some cell tower and explicitly to the manufacturer whatever they decide to transmit - is the part I don't like.
Unlock via Bluetooth is perfectly viable without internet connection (unless you mean unlocking it for someone else?). Remote start and temp control should probably work from a few hundred feet away. If only phones had a longer range local radio, perhaps something like Zigbee. Maybe WiFi direct?
If the car manufacturer can remote unlock and start your car for you, it can be abused by a hacker in same way. It's the exact same argument against backdoors in encryption for the government, if a backdoor works for them, it'll work for hackers too.
Well aren't you a precious little princess. I have none of that. It's very unlikely my early 2000s car will ever be attacked in this manner. I am going to maintain that car as long as possible. Enjoy your ticking time bomb.
Why do you give CarPlay credit for those features? No need for CarPlay for any of those. What do you get from CarPlay that you don't get from a connected car without CarPlay?
There are no new cars on the market today that don't have a slew of connected """features""", right?
Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.
In the U.S., by 2026, all new cars must have a "kill switch", and that includes a remote operation. The requirement is about preventing drunk driving, but it's being interpreted by many to require a kill switch.
> Section 24220, “ADVANCED IMPAIRED DRIVING TECHNOLOGY,” of the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act (IIJA), directed that “not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard (FMVSS) under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology.” Further, the issuance of the final rule is subject to subsection (e) “Timing,” which provides for an extension of the deadline if the FMVSS cannot meet the requirements of 49 USC 30111.
Now, I don't see anything in there about a "rmeote switch", and I don't understand how the "remote" bit would work to prevent DUI.
I wonder how well current adaptive cruise control/collision prevention technology works to help someone safely drive drunk. I don't own a car with these features but once rented a 2021 Nissan for a road trip and just set the cruise control to 70 and it would maintain a safe distance from other cars automatically down to like 20 mph iirc. I didn't, but I probably could have been drunk and driven that car without much issue, not that I am advocating for this.
There's probably already a bunch of data being collected about cars parked at e.g. a bar for a few hours that's being used to train some AI to detect driving behaviors associated with drunk driving or something like that.
Don't know about 2024, but my 2023 Honda Civic EX-B (Canadian market) is actually pretty old school. Yes, it has the keyless unlock and even a remote engine start button on the keyfob (can be disabled, thankfully - car is parked inside and we have kids!) But no cellular connectivity, no wifi, and all the touchscreen stuff is "extra icing" - all the controls you need are there in physical form except for some radio and cell phone call functions. Yes, the car may be vulnerable to signal boost kind of attacks (to pretend the keyfob is nearby when it's not) and possibly the "pop off a headlight and get into the CANbus" attack. But no cloud dependency and no way for the cloud to reach in and mess things up. Also, the software it does have seems "debugged" based on a year of using it.
You can pull the fuse on a ford maverick and it physically disables the telemetry. You could also opt out and disable it through the settings. Remote start from your keyfob still works. As expected remote start, seeing where you parked, remotely locking the car through the ford app will not work.
depends how wide is your definition of "connected features". all modern vehicles in the EU are required to have the eCall feature which uses cell to send your location in case of a crash. Since the hardware is in there I have absolutely no faith in car makers/govs to not use it for other purposes (now or in the future) https://en.m.wikipedia.org/wiki/ECall
As a Kia owner, this was what I was hoping for immediate term, FTA: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously."
Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.
Where's the strict product liability here? Like, if Kia is making a car that's easy to steal and it gets stolen, why isn't that Kia's fault and they're responsible for the damages? We're talking gross negligence here.
There have been demonstrations of hacking cars remotely to gain control of it. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.
Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.
That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to upate the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?
I wonder how many LEAs knew of this and used it to bypass having to get a warrant, instead of responsibly disclosing it for the benefit of public safety.
Technically you don't need a warrant if you just ask for the data and it's handed over. You only need a warrant if someone doesn't want to hand over the data.
I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.
Yes, I felt stupid. But a little less stupid now.
Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?
>These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
Connecticut Kia Boyz here? Imagine in some states it's not a felony to steal Kias if you're under 18, so they do it for fun and even sell them for rides 100$ each.
There is a great Channel 5 documentary on youtube about it, definitely recommend to check it!
Internet connected vehicles are a mistake. Enough time out there and mistakes will get re-introduced. If it’s not Kia, it will be someone else.
You should be able to take out the internet connectivity as a consumer. The fact that this exploit worked even if the consumer wasn’t subscribed is wild.
I am impressed that you were able to contact relevant folks at Kia. I tried contacting their security team via Kia's customer service and Twitter and was repeatedly told they don't have anyone working on security, vulnerabilities, etc. My favorite was when they redirected my call to roadside assistance (twice).
> The License Plate to VIN form uses a third-party API to convert license plate number to VIN
I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?
EV6 owner here. Scary stuff, but honestly, I'm not shocked. I feel like the EV6 is one of the better available EVs, but is hindered by Kia, based on the experience I've had dealing with the app and the dealerships.
In submitting reports, please note that although Hyundai Motor America sincerely
values vulnerability reports, we do not provide monetary compensation (“bounties”)
or non-monetary remuneration in exchange for submitted reports. This program is
only meant to facilitate the responsible reporting and resolution of cybersecurity
vulnerabilities.
What if we had laws that required car manufacturers to have software with slightly better quality than the utter syphilitic diarrhea they currently ship?
I'm trying to imagine time when I would want my car to be connected to the internet. Hard to come up with, other than remote locking, that's it for me. Not sure that's worth the attack surface.
What I do find useful is the car having "cellular connectivity" to make emergency calls. But that doesn't require internet connectivity.
My 2015 vehicle has remote start on the remote. Its very handy in cold and hot extremes to start a few min early, and then let it warm up or cool down.
My 2020 Subary only does remote start if you pay the monthly fee for their access (confusingly called Starlink), and requires the 'subaru app'
Tesla does it very well. My Tesla connects to my home wi-fi. When it's parked in the driveway it can download and install firmware updates. They are somewhat frequent. Other than major UI changes, I have been happy with the way they add features and ensure stability.
With the app it's very useful to be able to find out the location of the car, the status of the doors and windows, the current mileage, and be able to control the climate (Dog Mode, etc), warm up on cold mornings, cool down in summer. You can also get important notifications (i.e. Climate mode on for a long time, Door/Window is open, etc )
You might knock the remote climate feature but if you have dogs/kids/elderly it really improves their quality of life.
There's another recent feature which supports streaming music such as Apple Music, without your phone needed. This is convenient and useful.
Tesla charges $9.99 USD a month for this which I find to be extremely reasonable. ( I am an SRE and I know what it takes to maintain scalable secure infrastructures )
GM introduced this functionality 25 years ago with OnStar. It's been around so long the technology is considered legacy with support farmed out to Filipinos.
The fact that your car needs "somewhat frequent" updates doesn't concern you? Cars are effectively appliances, they should work right the first time, with minor updates here and there to fix serious issues which can be done in the safety of a shop at next scheduled service, and not risk pulling a Rivian and bricking the entire fleet at the push of a button.
Tesla does a lot of the “slick” features very well, but at least for me, they have been failing miserably at the basics:
- customer service: took 3 weeks to get my last service appointment, so I couldn’t drive my car for that long (service was because the charge port door wouldn’t open); was not told that when I had to replace the touchscreen (it had bubbles in it and I live in a very moderate climate), I would no longer have a radio.
- basic/critical features being poorly designed or seemingly had little thought put into them: see the above charge port door issue; window seals that drip going through the car wash; no physical controls for anything so you have to focus on the touchscreen while driving; other random fit and finish issues just due to substandard workmanship.
- substandard software: frequent issues and bugs with basic operation; after my touchscreen was replaced, the glove box pin no longer opens the glove box (minor nit, but annoying); loads of other random little annoyances.
The only way a connected car would be cheaper is if money is made from the data sent over the connection. Clearly that's the case right now.
Up-front NRE, per unit HW, perpetual cloud backend maintenance. There's a lot of cost to connect a car to the internet. It should be a luxury option that I can decline to have installed.
My Kia Niro is connected to the internet yet I can't OTA apply anything. Updates to the navigation data (~80GB) have to be done via USB and recall related updates have to get applied by the manufacturer. So I get 100% of the attack surface and ~0% of the convenience.
They have the best EV architecture on the planet currently; despite all the hacking issues, I'm still considering an EV6 for my next vehicle. Probably with a yanked cell radio fuse...
Exactly. It makes a DC fast charge session (on a reasonably spec'd charger) take 20 minutes, not an hour like on competing EVs that peak at 150kW.
EV companies haven't quite figured out that the only two things consumers care about are range and charge rate (well, and cost, but there's an untapped market of people willing to pay if the featureset is there). Everyone has settled on 300mi range, which in my opinion is a little low but workable (at 80mph you'd have to stop every 3.5 hours), but for some reason nobody can get their act together on charge rate. Consumers need to purchase a car for their 99th percentile use case, which for much of America includes at least one road trip per year. The DC fast charge experience is basically the whole story there.
Obviously better charge rate would be better, and would be a bigger improvement than more range, but I've found that long road trips (10+ hours total driving time) with my 2023 Hyundai Kona, peak charge rate of ~70kW, is tolerable. I'd like my next EV (whenever I get it), to have a higher charge rate, but if I'm being honest, I'd care more other features such as V2H capability and physical media/HVAC controls. Now, fundamentally there is no reason that I should have to choose between these options. They are orthoganal, but if I was choosing between different vehicles, I'd give up charge speed to get those other features.
Cars are essential to living in America except for a few cities. Car manufacturers can basically do whatever they want.
There was a recent YouTube video with a car thief that basically showcased a "special" tablet that could get any car started in a minute by plugging into the OBD port. Pretty shitty security model if it relies on no tablets getting out.
If someone's already inside the car, I expect them to be able to hotwire it eventually.
The trouble is when manufacturers extend the CAN bus out to the smart headlights or something, and it's the same bus that the body control sits on, so they can just send a door-unlock message...
Note: the technical details are very lacking so it may not be that interesting to most here. tl;dw: there is a reseller that shouldn't be selling the tablets to "unauthorized" people and some other tidbits about how the thief operates.
"thanks to a simple website bug AND TELEMATICS HARDWARE in the vehicles that had absolutely no relevance to their ability to get from point A to point B"
This won't have nearly the same impact, but when you're considering how vulnerabilities like this might influence your future purchasing decisions, remember that Kia's decision to omit interlocks from their US vehicles (but not Canadian ones!) led to a nationwide epidemic of Kia thefts so large it fed a crime wave, something a number of US cities are suing Kia over. If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
> it fed a crime wave, something a number of US cities are suing Kia over
A large part of the crime wave stems from the policies these cities implemented. Many times from the same leaders who are suing Kia now.
For instance, a friend got their car stolen in D.C. After they caught the guy, they let him go with no consequences, because they said he was under 25 and it was the first time they caught him. D.C. recently put a convicted murderer on the sentencing commission who believes that this kind of "it's not really their fault if they're under 25" thinking should be extended to murders as well.
Local politicians even told us there wasn't a crime wave, and that it was just a fake narrative. Then when that stopped working, they started pointing fingers at everyone else they could.
It's fair to say that a company which makes cars that can be stolen with only a USB socket bears significant culpability for car thefts.
Anything political doesn't have to be only this reason or only that reason. "Both" is an option too.
> car thefts
To be specific, I don't think the cities are suing over the car thefts. If I understand correctly, they're suing because the availability of easily hacked Kia cars enabled a wave of other crimes, because the criminals knew they had easy access to a getaway vehicle that couldn't be traced back to them.
> It's fair to say that a company which makes cars that can be stolen with only a USB socket bears significant culpability for car thefts.
WHAT?
I don’t have my wallet on a chain, do I have some responsibility if I get pickpocketed?
These criminals are breaking the law, it is ENTIRELY their fault. Any other interpretation has way, way too many logic holes and strange consequences that says it’s our fault when a criminal willingly breaks the law.
We're talking about different things.
If your car gets stolen, that's your problem.
If suddenly a massive number of cars are stolen, that's the government's problem. (As now police forces have to deal with criminals trivially obtaining getaway cars)
So it seems reasonable that the manufacturer in question should be sued for the cost of the additional police resources required.
> If suddenly a massive number of cars are stolen, that's the government's problem.
I have no idea why you jump to that conclusion.
The problem is clearly the person breaking the law.
But anyway, going with what you said...
> So it seems reasonable that the manufacturer in question should be sued
Wait, if it's the government's problem, then THEY should be sued for not requiring manufacturers to have these anti-theft devices (as the Canadian government does). The auto manufacturer is building cars precisely as the US government mandated them to.
It seems like you're trying to bend logic to blame anyone and everyone other than the people who are breaking the law.
I'm not sure where you're reading that the thief shouldn't also be charged. That's obvious, but if you need me to spell it out: yes.
What I'm talking about is how companies should bear liability for the social consequences of their choices.
According to what legal theory?
Negligence
https://en.m.wikipedia.org/wiki/Tort#Negligence
The linked page doesn’t define ‘social consequences of their choices’ nor do any of the linked or cited texts, and most don’t even touch on the issue of differences between ‘companies’ making a choice and individuals within the companies making a choice.
Is there a more credible source?
I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.
So if a window manufacturer decides to save money and not put latches on their windows, enabling them to be opened from the outside at will, and home invasions spike, that manufacturer isn't a large part of the problem?
Part of the problem and the only cause are not the same thing.
Both Kia and the thieves can be in the wrong. Trying to break it down to one cause is never going to work.
Some car will always be the easiest to steal. People should always take reasonable precautions. But crime is still crime; if someone leaves their car running with the door unlocked as they run into the store and it gets stolen - they made a mistake but the criminal did a crime.
Your use of “only cause” was the first in this discussion.
Lots of people get sued for lots of things. Nowhere does it say that suits can succeed only if the defendant is the sole cause of the problem. See: Takata air bags. Huge liability, but in any given incident it wouldn’t be a problem unless someone else caused an accident. Yet Takata does not get to say “or defective product wouldn’t have been a problem if Mr. Doofus hadn’t rear-ended you”
Binary is great for computers, less good in legal thinking.
> Your use of “only cause” was the first in this discussion.
No, but this statement implied Kia wasn't at fault because someone else committed the crime...
> I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.
So sure, that was the first use of "only cause"; in the same way that "there was 1 light" and "there weren't multiple lights" aren't the same words; but they contain the same information.
What an asinine comparison. The criminal maintains full criminal liability even if the it’s an easy crime.
He was talking about civil liability. The concept you’ve tripped over here is called intervening superseding causes and the criminal only destroys the tortfeasor’s liability if his intervening criminal cause is unforeseeable.
Here, because the entire purpose of car immobilizers is theft protection, the thief is foreseeable and his crime does not supersede.
I’m a little troubled by your use of the word “asinine” in this context.
What about door locks? Or the ignition that had to be ripped out to use the usb stick trick? Does everyone have to use a club or hidden kill switch to not have them blamed.
I’d be willing to guess you won’t use this word salad when describing sexual crimes.
> Or the ignition that had to be ripped out to use the usb stick trick?
If by "ripped out," you mean depressing a tab and then pulling it out.
https://m.youtube.com/watch?v=bTeVgfPM0Xw&t=357s
No they are not. At best they are a minor contributor. If people want security latches and whatnot they can buy them and pay accordingly. An easy to steal care beats no car every day of the week.
I live in a not great part of what's arguably the bluest state in the nation (which is to say this isn't some dumb red state "tough on crime" thing) and I can't imagine someone being able to go around checking windows or car doors for very long without a free ride in a cop car. Windows here are unlatched from May to September. I bet a lot of those houses have Kias in the driveway that they've had no theft problems with as we only have about a dozen car thefts per year here.
Ford Superduties over a huge year range can be stolen much the same way (you also have to punch out a lock before taking a screwdriver to the column) until very recently as PATS was not standard on the higher GVW stuff but those are expensive trucks so shitting on them doesn't scratch the same "validate my $50k purchase of something else" itch that crapping on Kia does.
And yet we have laws that disallow things that the buyer could just avoid by not purchasing. Because, as a society, we find it unacceptable for vendors to do certain things. And we hold them at fault if the do bad things, even if the buyer had the option to not buy it in the first place.
That being said, how many people buying Kias _knew_ the problem existed? You can't make an educated choice if the information isn't really available to be educated about.
lol check out rochester ny car theft stats!
But that would be loud, not good for theft. Opening a window or door silent requires a whole different set of special skills.
There's a lot of this sort of thing in the UK at the moment which is really baffling to me.
One extreme is the death sentence, sure.
But on the other end it feels as if there are constant stories of career criminals who just do thing after thing after thing. It's not like someone just accidentally gets caught up in multiple assaults/robberies/break-ins etc. At some point you have to just think, okay, there's no rehabilitating this guy, how do we minimise the damage to society.
It’s far more expensive than you may assume.
Locking 1,000 people up for a decade costs ~1 billion dollars. So even slightly more aggressive policies get expensive fast, and a surprising number of people “age out” of these kinds of crimes. It’s not clear if it’s hormones or what but you’ll see people with extensive rap sheets who end up as productive members of society in their 30’s or 40’s and beyond.
I'm aware that it's expensive but the alternative is pretty horrific.
A person that goes about assaulting people is a significant drain on society. It's not even just monetary, it ruins trust, it ruins the relations between the people who aren't antisocial. It also has the moral hazard effect of increasing the number of others that see that this behaviour ultimately goes unpunished.
As far as I'm concerned, there are very few legitimate reasons to raise taxes, but police and prisons are one of them, they are not problems that individuals can solve in the private sector.
There was another discussion around the Cannonball run, and how it should be allowed because no one gets hurt.
In a way it does, because it ruins trust as the participants treat your presence on the road like an inconvenience.
>> treat your presence on the road like an inconvenience
Aren’t we all a bit guilty of that? Maybe not all the time - when I see an ambulance whizz past or a fire truck, I’m appreciative of their efforts.
But everyone else? You’re just in the way ultimately. There isn’t much pleasure to be derived in waiting around for someone to have their fair turn at the intersection or whatever.
Obviously as a rational human I’m quite capable of suppressing such thoughts and generally abide by the traffic laws, but the point still stands.
Most folks don’t get on the road with a superiority complex. If we don’t believe in goodwill actions of others, society falls apart.
> Locking 1,000 people up for a decade costs ~1 billion dollars.
This is a purely political decision, not an inherent cost of jailing.
Your number comes down to $100k per person per year. That’s just insane. Many families earn less than that (post-tax)!
And obviously jail is supposed to be cheaper than non-jail life in the first place, because you’re not paying for luxury, just food, (cheap) rent and security.
>Your number comes down to $100k per person per year. That’s just insane. Many families earn less than that (post-tax)!
That's not nearly as bad as I was expecting considering that for every 1-2 prisoners there's a ~$100k employee.
But why? I mean, just put each prisoner in a separate cell, why would you need more than 1 employee per 20-50 prisoners? Ok, maybe 3, for 24 hour rotation... Make sure you never unlock more than a single cell, and keep guns, lots of guns.
You need lots of doctors, especially with an aging prison population. Doctors aren't cheap. Not to mention the cost of medicine, which can get very expensive when you consider things like end stage cancer drugs for elderly prisoners who can't be released because they're serving LWOP, and it all must be paid for by the state.
Or consider institution GED classes. You might say, those can easily go on the chopping block to save some money. But then you end up with inmates who are released without a high school diploma and, lacking educational opportunities, are more likely to return to crime. Then they go back into the prison system where they use more state resources than if they had just been given education in the first place. It's easy to imagine scenarios in which programs like that are worthwhile in the long term purely for fiscal reasons even if you care 0% about the welfare of criminals themselves.
Prisoners should have access to healthcare and education at a similar level as provided for the general population. Other than security-related cost increases, the government is already bearing those costs.
I don’t get it. Sounds like all the things the state would offer anyways - education and healthcare for poor people…
Yeah but in a prison it's more difficult to use bureaucracy and shame to stop people from utilizing those services.
7 Days a week, vacation/sick coverage, facilities/food/admin
>But why?
Low key jobs program at the expense of taxpayers IMO.
do you just make shit up? you are seriously arguing that the "employee per prisoner" ratio is way way better than public schools.
That cost includes paying all of the staff (guards, admin, medical, social workers, etc) and maintaining the building(s) and infrastructure, I’m surprised it’s only $100k a year.
They just have no space left in the jails, what can you do... I guess they hope that as long as protesters get a spot the damage to society will be manageable.
Canada, a bit more liberal than the US, probably has plenty of cities with such policies in place too. Yet, no crime wave there. These waves were a result of Kia's choices, and quite obviously so.
>Yet, no crime wave there.
On the contrary, Canada's rate of stolen cars is only 10% less than the US despite having very few port cities. <https://www.bbc.com/news/articles/cy79dq2n093o>
We're not talking about car theft in general, but about the specific crime waves that occurred after the rollout of the less than secure Kias in the US and the Kias with the proper security measures in Canada.
There's no Kia-specific crime wave in Canada as far as I know (I live there). But there's absolutely a general crime wave of car thefts in Canada, and it's quite plausibly tied to recent policy choices. Of course the effect of policy is going to be additive to the effect of blunders like Kia's. But there's good reason to think it has enough impact on its own to be worth discussing.
I'm kind curious, did Canada have the same spike in the "knockout game" that the US did?
If it did, that would point to a US and Canada crime trend correlation. If not, then you can't just say that the one static variable, city/county level policy and the independent variable, immobilizers, are the only factors.
You have different criminal populations, societal values, amounts of government aid, rehabilitation programs, etc that all play into the analysis.
Regarding the Kia Boyz - immobilizers have been mandatory in most of Europe since late 90s, in Canada since 2007. Basically there is something to put on (lack of) regulations as well as on HKMC.
In the USA, we believe we don't need regulations, the Free Market(tm) will punish corporations that don't behave in a way that benefits their customers!
Insane to me that so many people believe this...
The problem isn't that we need better locks, but that we need locks at all.
Within my lifetime we've gone from leaving the backdoor unlocked at night and leaving the car keys on the seat (or in the ignition) from being the normal practice to being unthinkable.
You're focusing on the wrong govt policies.
Please, nobody ever left their doors unlocked all the time, if trust was _really_ that high there wouldn't have been locks at all.
We did when I was a kid. Nobody locked their doors in my town. In fact multiple people just had blanks over the holes meant for deadbolts.
Then the local powerplant shut down, and the manufacturing associated with it left as well. The largest employer in the area besides those two moved operations to China. Then methamphetamine became popular and then heroin, too.
Now you can't leave anything unlocked or outside.
I'm sorry you never got the chance to live in a high-trust area.
A lot harder to find one now.
For sure we did. Our backdoor, and that of all the neighbours was unlocked day and night. Same for my grandmothers' house and her neighbours. 1970s.
Yikes. This is more of an incredible claim than the counter. I'm shocked that you are willing to make it so confidently.
For the majority of my childhood and teenage years the door was never locked. I don’t think it’s a British thing to leave your keys on the seat, but they were always in the hallway, right next to the unlocked door (like everyone else I knew).
I’m trying to think of the point this changed, and I can’t, but I would guess around 2008-2010 or so.
We did when I was a kid and my uncle still does. It’s sad that it’s hard for you to fathom safe communities.
Or to put it another way:
Social problems and regressions cannot be resolved with ever more esoteric technological or draconian political solutions.
Maybe that's the goal. By creating the Kia Boyz situation, through omission of proven controls used in other countries, we created a nice conduit for more draconian measures.
There are political solutions
Citation needed for the claim any significant fraction of the US population believe that regulations are completely unnecessary.
This runs directly contrary to my lived experience here, so unless you can provide evidence it sure seems like you're just stereotyping an entire nation to engage in ideological warfare.
Forty-nine states recklessly allow florists to sell flowers without a license. Only the good people of Louisiana are safe from dangers of unregulated flower purchases.
It doesn't need to be the population believing that regulations are completely unnecessary.
It just needs to be a sufficient number of politicians understanding that their donors and prospective donors find specific regulation of their industry overbearing.
That's absolutely true (and a very good point), but that's not what the GP was claiming.
I’ll certainly never buy another Korean car.
And never an American one after the Pinto, and never a German one after the VW testing scam, and never a Japanese one after the recent safety scandal? I guess you can still get a Jaguar, so your mechanic won't complain.
VW didn't really affect the customers.
How big of a difference was the actual safety of the Japanese cars? Are the corrected numbers poor, or still pretty good?
I drive a car made in the 1990s
I was planning to upgrade it
I might not...
I had been planning to keep driving my car for quite some time, but recently it's developed a weird engine noise and a check engine light that nobody can resolve. I'm not sure I'll be able to give EV charging a few more years to sort itself out.
From my understanding immobilizer bypass tools are cheap and plenty.
Even if that’s true, they are clearly nowhere near as “cheap and plenty” as watching a Tik Tok video. The spike in crime was far greater than normal random variation.
Not really. At least not for those immobilizers that don't use "proprietary" ciphers. Automotive loves security through obscurity until it bites them in the ass. Today most manufacturers have moved to AES128, which is not cheap to brute force, especially if there is a rolling code (should be the case for many)
But you are right that there are many (older models) that use ciphers with know quick exploits: TI's DTS40/DTS80 (40/80bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.
NXP's HTAG2 - most commonly used one in the '00s - 48bit proprietary cipher, a lot less exploited in the wild than the TI's disastrous two variants.
you can just reprogram a new seed via canbus, don’t need to brute force it
Those type of attacks (CAN injections) are very OEM specific, and come from deep insider knowledge, not something you fuck around and find out. I’m assuming you’re referring to Toyota, but anyways please give direct reference to the attack you’re referring to.
Keep in mind any need for expensive equipment is already a deterrent for many.
We have a phrase for that, "security by obscurity" https://en.m.wikipedia.org/wiki/Security_through_obscurity
Probably why great grandparent used that phrase. ;)
1-4k for the tools that they then amortize across many cars stolen and stripped or shipped overseas.
Idk what the pattern is where you are, but the majority of stolen cars where I am are not sold or stripped or anything like that. They're used for N days and then ditched somewhere. Used either for joyriding, living in, crash&grab, or whatever.
One of my old neighbors had their same car stolen like 2-3 times, always ditched and found after some number of days missing.
That was the big shift here for the Kia mess. Normally the thieves tend to be professionals so the stolen ones are at a port or being stripped soon afterwards, but when that hit TikTok there were a lot more joyrides and brief use for theft/robbery because it was a bunch of teenagers who didn’t have much of a plan.
> If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?
> However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation.
I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.
An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.
This is correct, the usual procedure is: steal kia or hyundai with your friends using the no-interlock exploit --> find other cars to carjack (at gunpoint), or individuals to rob --> ditch stolen cars when no longer needed. Exploit no-pursuit policies as needed.
I've posted this point a couple times on HN and I guess I will keep posting until people stop expressing surprise that trivially stealable cars are a precursor to carjackings. I'm not dunking, there's no good reason for people to intuit that! But it's a really important thing to understand.
I'd really like to see a citation for carjackings going up more than any other crime that a stolen car enables.
Cars are hard to fence and if you have a stolen car there's other crimes you can commit that have similar upsides and lower sentences/risks. For example ATMs never run over your buddies or shoot back at you.
Carjacked cars are usually recovered. They're not carjacked so they can be sold on some weird car black market.
All stolen cars are usually recovered. The recovery rate is something like 85%.
I worry that single percentage might be hiding some complexities like a subcategory of cars with a much lower recovery rate, or having the term "recovered" encompassing "as scrap".
Or the same car keeps getting stolen as someone else suggested. So the % of distinct cars may be lower.
Thanks and thanks to the upthread explanations.
Part of what makes it unintuitive is the specificity:
The phenomenon started in Milwaukee (the "Kia Boys" challenge), and I happen to live in Chicagoland, which experienced a huge wave of carjackings immediately afterwards. I have one of them recorded on my Nest camera in the alley behind my house. Nothing in particular about those two cities otherwise.
As the sibling points out: it's a broader issue than just carjackings --- but the carjackings themselves were novel, scared the shit out of people in a way that stochastic-seeming strong arm robberies don't. The headline here is: it was a gravely negligent thing for Kia to have done; I hope they lose their shirts.
FWIW the associated crime wave was much broader than carjacking (and I’m actually not aware of a particular increase in carjackings specifically due to the Kia issues but I don’t know) but the Kia issues seem to have started in Milwaukee.
For whatever reason, it became A Thing here more than a year before it went national. Car thefts in Milwaukee more than doubled (entirely due to a stupidly large increase in Kia/Hyundai thefts) and we got a reputation for Kia thefts before it became a national issue
I question whether Milwaukee and Chicago are outstanding examples. I looked at a few reputable sources and those cities nor their states seem to be extremes in terms of car theft rates. Most of these law enforcement agencies are not specifically breaking our carjacking.
Random presentation of car theft stats comparing Chicago to a handful of others. We hear a lot about Chicago because many have a vested interest in deflecting discussions about crime. When was the last time you heard about the insane motor vehicle theft rate of Dallas? https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
Hell Mississippi as a state might soon pass Chicago in murder rate per capita. Chicago last year had a murder rate of 22.85 per 100,000 while Mississippi had a murder rate of 20.7 per 100,000. Louisiana had 19.8 and Alabama had 18.6..
Chicago isn't even in the top 10 per capita. It's just a very big city that everybody forgets is a very big city.
"Places like" include Philadelphia. It's not a closed set, just some examples. I have friends that have had their KIA stolen this way, and others that have outright sold their car to get a different brand due to how prevalent it is here.
Why Milwaukee and Chicago instead of everywhere?
It wasn't just in those cities, it was nationwide. The poster was using those cities as examples because they are familiar to him.
Like cyber exploits then. Get someone to click a link to download something then access their email to send someone else an email and so on.
Having a stolen car means the easiest way to identify someone is now non-identifying. It’s a great precursor to avoid being tracked.
We Canucks needs all the features we can get to stop cars from being stolen, without exaggeration a car is stolen in Canada every 5 minutes on average.
Too bad the only thing our current government can think to do is ban the FlipperZero.
Just wait, next they'll ban USB cables.
I'm about to take delivery of a Toyota Sienna in Canada, and despite it being a minivan, it's a Toyota which are popular to steal right now. I plan to use both a steering wheel and accelerator pedal club. I've watched videos of both devices being rendered futile in less than 60 seconds but I hope that it will deter the less determined thieves. Then, after my kids have thoroughly destroyed the interior, I will hope that it gets stolen.
Have you considered not living in such an environment of fear? I have no idea of your circumstances, but this is something I see in my local relatives all the time. They buy ring cams and security systems, scrutinize nextdoor, etc. In reality, they are incomparably rich and safe compared to most. Personally I refuse to buy into this nonsense and just go about my life, despite living in a place that's far more dangerous by the numbers.
You're mistaken. I'm not cowering in fear or fright as you imagine. I am merely pragmatic considering I have waited two years for the vehicle to be delivered and I know that if it's stolen the insurance company will not payout for a replacement vehicle. It will payout what I paid but a slightly used replacement will cost more than what I am about pay due to the constrained market for these vehicles. As for your circumstance, I'm glad you have come to a reasoning that is suitable to you.
> waited two years for the vehicle to be delivered
For a Toyota Sienna? Which option package on that thing did you get? That's wild!
I mean it depends. In Toronto you could do that (and I usually agree with you about say, home security), but then you don't really choose where you get to park your car every time. And in a way I'd be more stressed to know that I could lose my car if I parked it somewhere that I don't know, and that I can't do anything about it once it gets stolen, versus just putting 2 locks.
But again, I totally agree with you about the weirdness of people going full military compounds in residential areas.
Fellow Canuck here. Yes, that statistic is sadly, insanely true. And some background ... https://www.bbc.com/news/articles/cy79dq2n093o
Because car manufacturers have such a clear decision making role in the legal and judicial process of a place like Milwaukee. It can't be that the government simply realized that they aren't legally obliged to deal with any problems the populace have and simply let them eat cake in a 21st century way.
This couldn't be the same state where they tried to just bribe a foreign company known for exploitative labor practices to set up a facility there could it: https://en.wikipedia.org/wiki/Wisconn_Valley_Science_and_Tec....
Largely driven? You're forgetting at least one variable
How did the insurance companies respond to this? They should have made the cars extremely expensive to insure, no?
I wasn't sure what an "interlock" was, and it's a breathalyzer that prevents the vehicle from starting. Was that a mistake?
Edit: ah! I think you meant engine immobilizer
interlock. noun. an arrangement in which the operation of one part or mechanism automatically brings about or prevents the operation of another
Requiring a breath or a specific key signal are both interlocks.
> something a number of US cities are suing Kia over
I can think of nothing more American than suing car manufactures because they're too easy to steal. The US is truly screwed.
They're being sued because they deliberately made the cars easier to steal in the US than they are elsewhere.
In some places in the US, you can leave your doors open and car unlocked and no one will touch it. Perhaps a friendly neighbour may remind you, but that's about it.
As much as some narrative wants us to think, we don't need to be forced to live in effectively the same conditions as a maximum-security prison in order to have no crime.
Cars (and other things) being easy to steal isn't the problem.
I have to lock my car doors. There isn't anyone within 10 square miles of me who feels like they live in a maximum-security prison.
Sounds like you live in Stockholm. (syndrome)
Eh, if we were really that litigious (or if our being litigious were at all effective) gun manufacturers would have been sued into oblivion a long time ago.
Don't anthropomorphize the lawnmower and blame Kia for this, blame the NHTSA for making it legal to skimp out on immobilizers in the first place. Regulations matter!
Since Kia/Hyundai is the only automotive group to have this problem, I'm going to go ahead continuing to blame them.
I agree and still it's also the lack of regulation that enabled it to happen, and 2nd order effects of it is the increase in carjackings.
It's a pretty good argument for the regulation, since everyone else is already doing it just make it the standard.
Of course you are. The alternative is to blame the governments (of places like Chicago or Milwaukee), or the people doing the theft.
Why are those alternatives for you?
I find it very easy to hold the governments, people, and companies as all culpable in the own way.
Exactly. The situation should be examined like the NTSB does for plane crashes, usually a proximate cause and other contributing causes.
Maybe we’ll see a return of The Club™
> Volkswagen has entered the chat
Wow they will not live that down!
Lmao, good reference to u/bcantrill.
?
https://news.ycombinator.com/item?id=10040429
Kia is a joke car manufacturer. It’s surprising that they are still able to sell cars and stay in business
The obvious next step is to crawl the whole database of vulnerable Kia cars and create a "ride share" app that shows you the nearest Kia and unlocks it for you.
If you get 10x MoM growth you can lobby for it to be legal next year
Something kinda like that was done, TikTok apparently algorithmically identified likely 'drivers' and flooded them with videos instructing and glorifying taking the cars for a joyride... while other platforms did not promote and even took those videos down.
Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could lookup information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?
A Kia authorised dealer being able to look up any Kia has some very useful benefits (for the dealer, and thus Kia).
If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.
Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.
In my opinion, the better way to design such a thing would be for there to be a private key held in a secure environment inside the car which is used to sign credentials which offer entitlements to some set of features.
So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.
In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.
The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.
Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.
You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
Those aren’t the only options. It would be trivial change to allow any dealer to request access to any vehicle and have it tied to the active employees SSO or something similar that at least leave an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service
This is quite common in Europe. There is normally no special relationship with the original dealer and the service history is centralised for most manufacturers.
Any stealership shouldn’t be able to lookup information about any active/sold car. These interactions need to have consent (authorization) from car owner. These authorizations should be short lived and can be revoked at any time.
Any of this sound familiar? Yea that’s because it’s a flow (oauth) used by many companies to control access to assets.
Car companies are just not meant to do tech. So common shit like this is ignored.
If these car manufacturers can barely shit out barely usable “infotainment” systems. Why the fuck are they diving into remote access technology?
That's not a benefit to me if I can't control how someone gets access to my vehicle, dealership or not. If I want a dealership to be able to assist me, I should have to authorize that dealership to have access, and have the power to revoke it at any time. Same for the car manufacturer. It ideally should include some combination of factors including a cryptographic secret in the car, and some secret I control. Transfer of ownership should involve using my car's secret and my car's secret to transfer access to those features.
If you feel like this sound like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.
This is absurd. If there was a screen on the infotainment system where you could allow (temporarily!) the local service center of your choice to access your car remotely, fine. Otherwise, no thanks.
> What if a dealership employee uses this to stalk an ex or something?
Yes, and everyone should remember this the next time these companies and their lobbyist run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.
For those who seem to believe I'm exaggerating this:
https://www.youtube.com/watch?v=j0sZpKXMUtA&list=PLhFPpjYO-P...
Yeah for some reason I find it so creepy that Kia ties your license plate number to your car's functionality. I don't know why but I feel like those two things should operate exclusively.
That is incorrect, as per the article Kia ties the VIN number to the car’s functionality. The author used a 3rd party service to convert the license plate number to VIN.
Maybe this? $0.05 per request
https://platetovin.com/about#pricing
But how are they getting the data?
Most states have the data publicly available if you know where to look or how to request.
Uhh this seems like a big fact to gloss over, and something I am quite surprised by. Could you point to any examples as I’m having a hard time finding anything available publicly from any DMVs/states
In Michigan anyone can do a in-person plate lookup for about $15 and it comes back with complete registration information including name and address. VIN and car details as well.
That’s usually the kicker - requests have to be done in person but other than that there’s not much limitation.
The $15 makes this pretty hard to scale too. The link someone posted was $0.05/request. I'd love to see how/where you can get this data in bulk from a primary source.
License plates are incredibly insecure. They are a short, easy to automatically recognize ID that is expensive to change, and it is a crime to drive while they are covered.
What if the internet is used for that?
Security is an afterthought... nobody cares, until shit hits the fan.
The article isn't clear, but it sounds like the cars were already being tracked, only now also "unauthorized" people could track them (when before, only Kia and car dealers could track your car).
Why is it okay for Kia/manufacturers to spy on our cars, and only a problem when others do it? This attitude is pervasive in reporting on hacks like these - the initial spying by corporations is always given a pass (or rather, it is implied that's not even "tracking", as the title implies the tracking happened only after the hack).
(this was originally posted in https://news.ycombinator.com/item?id=41657833 but we merged that thread hither)
Did you reply to the wrong parent thread?
Almost all modern cars have a way of providing or grabbing location data, however most manufactures do not "Spy" on your car by default, this would violate CCPA, colorados privacy act, GDPR... ETC. The users need to opt-in to telematics data. For example in Hyundai case when you create a "Blue link" account and accept their terms of service you are connecting whatever vehicle you have verified on your account to their telematics system, and subsequently opting in to tracking.
Manufactures like VW/Audi place an opt out within the vehicle itself so if you opt out of telematics in the vehicle you are in a full privacy mode and the manufacture cannot get the data or override this request. This covers the scenario if other "Users" of the vehicle are driving and would choose to opt out outside of the main users/owner.
So some bake it into your app registration and signup, and some leave it in the vehicle. The gist is you can opt out, and if the manufacturer does not respect that you have grounds to sue, Currently there is a lawsuit against GM/Caddy because a user did not opt-in to Usage Based Insurance, but their information was captured and brokered blocking them from acquiring new insurance.
The EFF [1] is less optimistic that all of this spying is opt-in and clearly-stated (instead of buried in legalese), and Wired [2] likewise mentions cases where it's opt-out instead of -in.
[1] https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
[2] https://web.archive.org/web/20240705093406/https://www.wired...
often the opt in is buried in 15 pages of paperwork when you buy the vehicle
Looks to me like all cars sold by KIA are still owned by KIA. I'm not worried about that exploit at all, it has been fixed. I'm terrified about how much data about a car and therefore about the "owner" is available to KIA. That's totally insane.
If you own a car since about 2010 onwards it's probably ratting you out already.
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
If your car's old enough, though, it may be still stuck with a 3G modem that is no longer capable of phoning home.
Not just KIA. Most if not all major automobile manufacturers track a huge amount of data on the vehicles [and their owners/operators]. For example, many vehicles come with that OnStar thing, and so they have a baseband processor and even LTE as well as a GPS receiver, and it's always on even if you don't pay for the service, which means that the manufacturer gets to know your vehicle's location and all the places you go and the routes you take.
It's so funny how people arguing for commonsense ability to disable car cellular are laughed at. See the Kia Niro forum:
https://www.kianiroforum.com/threads/how-to-remove-head-unit...
OTOH, OnStar's remote disable feature is pretty compelling for consumers. It's not hard to find YouTube videos [1] of thieves being thwarted safely.
[1] https://www.youtube.com/watch?v=d9FbBgG2axE
The price of that feature (constant tracking of your vehicle's location) is not worth it in a world where entities who sell or give away that location data without the vehicle owner's explicit, intentional, actually-informed consent do not go to superjail forever.
not worth it to you
Why does it have to track your bloody location all the time though? Why not make it so it just logs in to the server every 5 minutes and asks. "Have I been stolen?" and if the answer is yes it activates. Better yet, mandate all software like this is open source so no manufacturer can claim one thing and do another.
And before anyone says "but the thief can swap the ECU before it calls home and if it was continously reporting at least there would be a trail where he did it" it is silly. Let's say there indeed is a gps trail leading from in front of your house to some alleyway or a forest. Do you think the car is still there? Nope.
It is a common fallacy. The manufacturer wants to steal your privacy and gives you a useful feature tied to it. Oh, do you want to be able to switch the car off remotely when it's stolen or not? If so we need to know where you drive for next 20 years. And if you ever drove over 80mph we're using this to decline your warranty BTW. I
I question some of this though. I have an older Kia that I’m pretty sure has no cell modem yet the support table shows it can be geolocated.
After your phone which is the ultimate oppressor device, now your car is also snitching on you. Nice future ahead of us.
Well, I am already pretty firmly against buying any car that requires you to create an account online to "activate" the vehicle. But I definitely won't buy another Kia anyway, based on the fact that our last one burned a quart of oil every thousand miles WELL before it hit the 100k mark.
> car that requires you to create an account online to "activate" the vehicle
I have a 2023 Kia and that's not necessary. You only need the account if you want to use the optional online services.
As the article says, you don't need an active subscription to be vulnerable. In this case it seems that if the model supports the features at all, you are vulnerable.
This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.
I'm not sure if you can buy a tinfoil hat for a car.
It should be possible to physically disable the cellular modem in the vehicle, wherever that is. I have a 2020 Volvo that is definitely online, waiting for me to activate some pricey online subscription that I don't want or need.
Would be nice to have a organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.
In my VW, the cellular modem and something I actually use (I think it's the Bluetooth microphone) are in the same module, so pulling the fuse or disabling it in the CAN gateway would be too heavy-handed. I would need to spend hours getting to, and into, the module. Or maybe replace the antenna with an effective dummy load / terminator? Tons of trim work. Luckily it's old enough to be 2G, and my understanding is most towers no longer speak to it, so I haven't pursued it further.
But if it is not online, you will not be able to download the latest patches. Like the ones that prevent new remote exploits.
How did we ever survive without computerized vehicles?
We tolerated worse gas mileage (computer controlled fuel injection, transmission, etc.), safety (anti-lock brakes), etc. We added computers because we wanted to lessen the effects of climate change and keep more people alive.
You're using a broad definition of "computer". We've had these features for decades now, until recently the logic was handled by microcontrollers. It's not clear that the functionality requires computing devices also capable of data gathering, storage and upload.
>"climate change"
Not really. Personal vehicles are responsible for such miniscule portion of co2 emissions it barely matters.
Emission regulations enjoy popular support because of city air quality, not climate change. Yes, people tolerate taxes on CO2 emitted by their vehicles (do you have that in the US BTW?) because it has a very beneficial side effect of also limiting particulates and NOx CO and such emissions that actually killed hundreds of people every year in major city centers. Also caused lifelong disability for many children(asthma).
Instead we got people like VW rigging their firmware to report emissions falsely so they could look better.
I was just going to say the same as it's stated pretty early in the article
> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
If this should tell companies anything is that most of these services should be opt-in instead of opt-out in favor of security and privacy.
> As the article says, you don't need an active subscription to be vulnerable.
OP was talking about not buying a car that requires a subscription to activate, not about whether the subscription makes you vulnerable.
Otherwise it spies on you with no account
That is unusual. They give 7 years warranty compared to European or US cars manufacturers and it often shows why. They are indeed dependable.
In Massachusetts, Kia has disabled Kia Connect for all vehicles purchased over the past few years. Any data collected by cars must be made accessible to third-party shops, and Kia opted to disable any data collection (and thus disable Connect entirely) rather than allow that to happen. It doesn't matter where you actually live — as long as you bought in MA, the car's VIN is locked out and no one can do anything about it. You're typically told this at the very end of the sales process, after everything is signed, and it's framed as "oh, by the way, MA has a terrible right-to-repair law that has forced Kia to disable Connect, you should write your state senator."
It's... interesting to see just how easy it is to access this functionality if the VIN check is bypassed.
its brought about a lot of shops that can rip the electronic tracking devices out of your car pretty easily too, which is nice in case you don't feel like being someone's datapoint
Stop connecting vehicles to the internet pls & thanks
Well... There is no reason to have a middleman like the OEM, so the car could be connected just with the formal owner (i.e. with a personal subdomain o dyndns), FLOSS stack under users control and some hard limits (like you can't act on the car if it moving and so on).
I would guess 99.9% of car owners who use the app would not set up a personal subdomain or manage a FLOSS stack
No doubt today, but in another very realistic in the sense that's perfectly logic and possible since more than a decade, where government have digital IDs who are smart-cards not crapplications, and with them certified mails with a personal domain and the ISP router is just a FLOSS homeserver (as it is actually, being GNU/Linux embedded machines with a tailored PBX, Samba to offer usb network storage, CUPS for serving a usb-connected printer and so on, just a bit more powerful and open.
In such world thanks to the commonality of FLOSS we have dedicated distros and package for such iron, widespread enough to be commonly available in users hands. As a result the security risks are still more than zero but much, much less and many who could since their car is their own, not owned for real by the OEM, they could simply cut the connection if they do want so.
Such open world could be done in few years by laws, and anything is already there since decades. It's a matter of knowledge and will.
I don't think you have enough nines.
Ok, I wont.
Thanks.
If it's done well, there are some useful features there.
App unlock, remote start + remote temperature control. All very useful.
I couldn't imagine buying a car without carplay now.
Sorry no. App unlock is a stupid anti-feature, do people genuinely think it's better than pressing a keyfob?
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
I installed an aftermarket remote start kit in the 90s. It cost less than $100.
Many of the earlier aftermarket remote start kits were cheap and simple because the vehicles had fewer security features. They are more complex and expensive today, and some are questionable in their implementation.
Right, the point is that complexity is unnecessary.
And yet, weirdly, my insecure 1990s era car wasn't able to be controlled over the internet and didn't have a direct data link to my insurance company.
Locking my car through the app is a genuinely useful feature. Ever parked, left your car, and thought to yourself "damn, did I lock my car?". Just lock it through the app.
I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.
My key fob has two way communication and like a half mile range in urban areas.
If I ever park and wonder “damn did I lock my car” I can look at my key fob and see if it has a locked or unlocked padlock on it. As long as I remember sometime within like 20 minutes of parking (assuming I spend 20 minutes walking away from it in a straight line), I can lock it if I _did_ forget. I’ll get confirmation that it locked if I do that and the command makes it through.
Mine also works even where there’s no cell reception!
Which is all to say… I’d prefer better key fobs instead of cellular modems and cloud services.
Do any auto manufacturers offer this?
I see several aftermarket systems here: https://www.popularmechanics.com/cars/a34512303/best-remote-...
Doubt it. Mine's aftermarket. The manufacturer doesn't offer remote start on their manual transmission vehicles so I had to get an aftermarket system if I wanted remote start for those -50 days. Mine's a little older / less fancy than some of those linked[0] but essentially the same.
I doubt it would ever solve my problem (they're still not going to offer half the functionality on a M/T vehicle), but there's no reason they couldn't offer something like this as a couple hundred dollar option on most of their vehicles. They already basically have all the hardware in the car I figure.
[0] https://www.compustar.com/remotes/pro-t12/
Remote start via phone is still useful in cold climates. While getting a ride with a friend to my car left at some location I've been able to start & get it warmed up before we even got off the highway.
It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.
Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).
For safety, you're really not supposed to remote start a vehicle if you can't observe it / are in contact with someone who is observing it. Lots of potential hazards, but it can be convenient.
With an EV, this isn't a concern. No tailpipe fumes or whatnot to worry about. Also, in pretty much any public space where you would park it (i.e., outside of your own garage), this isn't a concern either.
Can you give an example of a hazard? I genuinely can't think of one- at least on my car, when you remote start it is still locked so it's not like anyone can get in and drive it away (and even if someone breaks in I don't think it'll go into Drive without a key in the vehicle)
If the tailpipe is restricted (by snow, say), you're likely to damage the car. If it runs poorly when it starts, and it's unsupervised, it could result in damage that would have been avoided if you were present and shut it down in a reasonable amount of time.
If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.
If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.
Ah gotcha, it sounds like most of those problems are limited to internal combustion engines
I'm OK with the risks in exchange for the convenience :)
Remote start is also useful in hot climates, and for similar reasons.
I dont want to carry another stupid fob around. My goal in life is to carry a dumb smart phone that can unlock anything.
Automatic unlock with a phone is not an anti feature. If it replaces your key fob completely, then it’s one less thing you have to carry. I haven’t carried keys of any kind for… 6 years at this point?
Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.
> I haven’t carried keys of any kind for… 6 years at this point?
You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.
Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
I've found myself stuck out of the office in minus fifteen degrees because the keylock app had stopped working due to a backend upgrade gone subtly bad.
Fortunately this was in an urban area and I could find a cafe that was open within the walking distance. I don't know if they allowed pets to thaw in there. It took about an hour for maintenance to open the doors (with a damned key) and let people in.
> Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.
> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.
In the UK, and I'm guessing a lot of other parts of the world, many people live in apartments with only a single entrance door.
Pets which require medications on a schedule might become very ill without them. But yes, I suspect that any country where the weather is enough to kill your pet should probably be running AC/heat on a thermostat instead of manual. (Here in the UK, we rarely have AC, and a lot of people just put on heat manually when they're cold - but our weather is pretty mild.)
Personally I would never rely on a phone to get me into a house or vehicle. Mine runs out of battery too frequently. I've already been bitten by not being able to take a bus because my phone died and I couldn't pay for a ticket.
Smart locks typically have more option than just a phone to open them. Keypad, fingerprint, etc.
For ones that support Apple's Homekey, it doesn't even matter if your battery runs out. Apple devices still provide Homekey via NFC even with a dead phone.
I don't think this exists yet for car keys, although I know there's work on UltraWide Band key support.
Also, this seems substanially less fragile than just... losing a pair of keys. It's not evitable that your battery in your lock runs out (again, unless you ignore warnings), but losing your keys is one of those 'hard to prepare for' events.
Migitation for losing your keys could just be keeping a spare key with a neighbor/friend/whatever... but, well, you can do that with an e-lock too (cause they all have regular keys for true backup).
> Smart locks typically have more option than just a phone to open them. Keypad, fingerprint, etc.
Ah, that's a fair point.
> Apple devices still provide Homekey via NFC even with a dead phone.
Huh, that's neat. I haven't come across that as I'm not an Apple user.
Yep. I’ve forgotten or lost keys in the past and been locked out, but never have all of my e-locks and garage died at once.
The time I save pays for a locksmith many times over. I also give my friends/my condo spares so this is never actually an issue.
> the doors were locked from the inside by the dog
That happened to me once. Keys were in the car too. We had to try to get the dog to step on the button again to unlock the car, which she eventually did. Glad it wasn't a hot day.
> Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.
I didn't want it off. It was New Orleans in summer. I wanted it unlocked.
I suppose you could dream up some situation in which the fob is outside the car, someone is inside, creepy people come up and take the fob, and you want to be protected by locking from the inside.
But in that case, internet unlocking should be blocked as well, right?
It was a very bizarre experience. Anyway, wouldn't have mattered: it's my wife's car, not mine. So I wouldn't have the app.
I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10 digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.
Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?
Is it really so much better than an RF keyfob that it's worth connecting your car to the Internet for?
Yes, I accept the risk and threat model. RF fobs are compromised frequently as well. Unless you rip the cellular module out of my vehicles, I will find it, and someone is just going to break the window if they want in.
Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
https://www.google.com/search?q=fob+relaying+theft+attack
Of course, with this Kia attack, it didn't matter if you had never used or activated the feature, it was still vulnerable. With keyfobs you can just not use it or destroy it if you are worried about relay attacks.
Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.
>Yes, I accept the risk and threat model.
>Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?
DHS, CISA and NHTSA already exist to provide cyber regulatory mechanisms at the intersection of automotive and telematics or other software/connected scope. If an entity ships shit, apply punitive punishment to the offender (NHTSA forces software updates as recalls today, but can do much more). Software and connectedness is not going away [1] [2], so secure software development, actual QA, and real change management must be strongly encouraged through incentives. "The beatings will continue until the security posture improves."
[1] https://www.techradar.com/pro/security/hackers-are-increasin...
[2] https://www.cisa.gov/news-events/alerts/2024/09/25/threat-ac...
Risk/threat I would accept. Leaking data - to telcos by constantly being connected to some cell tower and explicitly to the manufacturer whatever they decide to transmit - is the part I don't like.
I don't even carry a phone for that reason.
Nice lifehack; I'm going to do this. Please share more if you have them.
CarPlay doesn't use your car's internet, it uses your phone's internet. That's part of the whole beauty of it.
Please explain how in your mind are they doing remote climate control, then?
Through the car’s cellular connection.
Lol, duh, thanks. So, guessing they can't stream video from the dashcam cameras remotely in that car.
Yeah, important distinction
Unlock via Bluetooth is perfectly viable without internet connection (unless you mean unlocking it for someone else?). Remote start and temp control should probably work from a few hundred feet away. If only phones had a longer range local radio, perhaps something like Zigbee. Maybe WiFi direct?
If the car manufacturer can remote unlock and start your car for you, it can be abused by a hacker in same way. It's the exact same argument against backdoors in encryption for the government, if a backdoor works for them, it'll work for hackers too.
Well aren't you a precious little princess. I have none of that. It's very unlikely my early 2000s car will ever be attacked in this manner. I am going to maintain that car as long as possible. Enjoy your ticking time bomb.
Why do you give CarPlay credit for those features? No need for CarPlay for any of those. What do you get from CarPlay that you don't get from a connected car without CarPlay?
> What do you get from CarPlay that you don't get from a connected car without CarPlay?
Software quality and security updates on the internet-facing component.
You are under the impression that Teslas can't get software and security updates? Which happen to be free, btw.
It just doesn’t have to be the internet.
It's never well done.
It was well done on my previous car and current car. So it would appear that your claim does not hold.
It's well done in Tesla.
Tesla's have been hacked multiple times in the past as well.
It's very well done in my car.
There are no new cars on the market today that don't have a slew of connected """features""", right?
Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.
In the U.S., by 2026, all new cars must have a "kill switch", and that includes a remote operation. The requirement is about preventing drunk driving, but it's being interpreted by many to require a kill switch.
Here's the NHTSA report to Congress about this:
https://www.nhtsa.gov/sites/nhtsa.gov/files/2023-07/Report-t...
> Section 24220, “ADVANCED IMPAIRED DRIVING TECHNOLOGY,” of the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act (IIJA), directed that “not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard (FMVSS) under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology.” Further, the issuance of the final rule is subject to subsection (e) “Timing,” which provides for an extension of the deadline if the FMVSS cannot meet the requirements of 49 USC 30111.
Now, I don't see anything in there about a "rmeote switch", and I don't understand how the "remote" bit would work to prevent DUI.
I wonder how well current adaptive cruise control/collision prevention technology works to help someone safely drive drunk. I don't own a car with these features but once rented a 2021 Nissan for a road trip and just set the cruise control to 70 and it would maintain a safe distance from other cars automatically down to like 20 mph iirc. I didn't, but I probably could have been drunk and driven that car without much issue, not that I am advocating for this.
There's probably already a bunch of data being collected about cars parked at e.g. a bar for a few hours that's being used to train some AI to detect driving behaviors associated with drunk driving or something like that.
If I ever get pulled over for weaving I might just blame it on lane assist.
Don't know about 2024, but my 2023 Honda Civic EX-B (Canadian market) is actually pretty old school. Yes, it has the keyless unlock and even a remote engine start button on the keyfob (can be disabled, thankfully - car is parked inside and we have kids!) But no cellular connectivity, no wifi, and all the touchscreen stuff is "extra icing" - all the controls you need are there in physical form except for some radio and cell phone call functions. Yes, the car may be vulnerable to signal boost kind of attacks (to pretend the keyfob is nearby when it's not) and possibly the "pop off a headlight and get into the CANbus" attack. But no cloud dependency and no way for the cloud to reach in and mess things up. Also, the software it does have seems "debugged" based on a year of using it.
Your Honda almost certainly has HondaLink, which connects via cellular https://www.honda.ca/en/hondalink/hondalink-2?year=2023&mode... and they're probably selling your location data to databrokers https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
Glad to say it doesn't. Only the top-of-the-line "Touring" model is shown as compatible with HondaLink.
In the EU, IIRC, 2024 is the year that EU starts mandating a bunch of stuff in vehicles (most notably, speed limiter IIUIC).
Anything in the last 10 years is probably ratting you out already.
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
You can pull the fuse on a ford maverick and it physically disables the telemetry. You could also opt out and disable it through the settings. Remote start from your keyfob still works. As expected remote start, seeing where you parked, remotely locking the car through the ford app will not work.
It would be interesting to have a list of modern cars without these kind of connected features, but I haven't found any.
depends how wide is your definition of "connected features". all modern vehicles in the EU are required to have the eCall feature which uses cell to send your location in case of a crash. Since the hardware is in there I have absolutely no faith in car makers/govs to not use it for other purposes (now or in the future) https://en.m.wikipedia.org/wiki/ECall
Cut the cords to the cellular module
As a Kia owner, this was what I was hoping for immediate term, FTA: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously."
Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.
> but at least my vehicle isn't ripe for theft/abuse.
From this particular vulnerability. If anything, I'd still be concerned.
Yeah, but it shows Kia at least works with security researchers instead of suing them into everythings-fine silence.
Where's the strict product liability here? Like, if Kia is making a car that's easy to steal and it gets stolen, why isn't that Kia's fault and they're responsible for the damages? We're talking gross negligence here.
There have been demonstrations of hacking cars remotely to gain control of it. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.
Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.
That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to upate the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?
I wonder how many LEAs knew of this and used it to bypass having to get a warrant, instead of responsibly disclosing it for the benefit of public safety.
The warrant is still necessary, evidence obtained through illicit means is generally not acceptable.
Technically you don't need a warrant if you just ask for the data and it's handed over. You only need a warrant if someone doesn't want to hand over the data.
But that's not what this would be, this would be gaining access to the system without permission.
It doesn't matter if my door has shitty locks, you still can't enter my house unless I invite you.
if this metaphorical door is already open and something is in plain view though. I guess the question is what constitutes plain view digitally.
True, but parallel construction/evidence laundering is a thing.
By law, we need to be able to disconnect cars from the cell network. This is stupid.
By law, we need to be able to disconnect any product whose core functionality does not depend on the network.
Ok, lesson learned. Thank you.
I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.
Yes, I felt stupid. But a little less stupid now.
Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?
>These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
It's hardly unique to Kia!
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
Don't feel stupid, feel a little angry. The only thing you could have done to prevent this was not buy a Kia.
Like the other brands are any better...
Connecticut Kia Boyz here? Imagine in some states it's not a felony to steal Kias if you're under 18, so they do it for fun and even sell them for rides 100$ each.
There is a great Channel 5 documentary on youtube about it, definitely recommend to check it!
I just want a car that is as dumb as it can be while meeting all federal regulations to the highest degree. How hard can that be?
I’ve been telling my friends who want to avoid Tesla that an electric Kia is still a Kia
Internet connected vehicles are a mistake. Enough time out there and mistakes will get re-introduced. If it’s not Kia, it will be someone else.
You should be able to take out the internet connectivity as a consumer. The fact that this exploit worked even if the consumer wasn’t subscribed is wild.
Car companies just can’t do tech.
I am impressed that you were able to contact relevant folks at Kia. I tried contacting their security team via Kia's customer service and Twitter and was repeatedly told they don't have anyone working on security, vulnerabilities, etc. My favorite was when they redirected my call to roadside assistance (twice).
Glad my VW only had a 3G antenna built in. No longer works in the US.
> The License Plate to VIN form uses a third-party API to convert license plate number to VIN
I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?
I don't think the police are using this software. I'm pretty sure they have their own official access to governmental (DMV) records.
EV6 owner here. Scary stuff, but honestly, I'm not shocked. I feel like the EV6 is one of the better available EVs, but is hindered by Kia, based on the experience I've had dealing with the app and the dealerships.
My brother owns a Kia, and the constant auto break-ins are negatively impacting his mental health.
A day ago Louis Rossman posted on Youtube: Mazda requires $100+ subscription for remote start after filing DMCA takedown of open source program"
https://www.youtube.com/watch?v=1n0AI5aemUY
"I never hear the ancaps and the hardcore libertarians in my comments section... complain about Section 1201 of the DMCA. I wish I did more often."
Does Kia have a bug bounty like Tesla does? Tesla paid out 200k and a Tesla a few months ago.
From https://www.hyundaiusa.com/us/en/vulnerability-disclosure:
Note: Kia is owned by Hyundai.Kia America Vulnerability Disclosure Policy:
https://www.kia.com/us/en/vulnerability.html
Almost all vehicle manufacturers have bug bounty programs of some kind (open or closed) but I seriously doubt Kia is one of them.
BTW, the Tesla bug from April is really scary. $100K is peanuts for the ability to remotely control the engine from an adjacent vehicle.
Any source for this issue, I could not find any reference, but am not doubting that it exists.
Not yet fully public, sorry :(
I will give you one hint: cars have sensors that are read wirelessly by ECUs on the internal (unprotected) network.
If I'll ever buy a car, it won't have any network interfaces.
Strike two on KIA's car security after the USB cable disaster
Kia Boys Who Code
Maybe other manufacturers are also this bad, but I know Kia is this bad. I’m never buying a Kia.
But wait, they patched this! Yeah, but they also shipped it.
Kia is a terrible brand anyways
What if we had laws that required car manufacturers to have software with slightly better quality than the utter syphilitic diarrhea they currently ship?
Hardware companies usually suck at doing software.
Can we stop connecting cars to the internet now?
I'm trying to imagine time when I would want my car to be connected to the internet. Hard to come up with, other than remote locking, that's it for me. Not sure that's worth the attack surface.
What I do find useful is the car having "cellular connectivity" to make emergency calls. But that doesn't require internet connectivity.
My 2015 vehicle has remote start on the remote. Its very handy in cold and hot extremes to start a few min early, and then let it warm up or cool down.
My 2020 Subary only does remote start if you pay the monthly fee for their access (confusingly called Starlink), and requires the 'subaru app'
I hate it.
https://www.subaru.com/subaru-starlink/starlink-safety-and-s...
https://parts.subaru.com/p/Subaru_2020_/Remote-Engine-Starte...
Not sure how you program it to your car, but I would get it just so I don't need to use an app.
Gonna keep me 2012 toyota a biiiit longer then. Sorry climate.
Tesla does it very well. My Tesla connects to my home wi-fi. When it's parked in the driveway it can download and install firmware updates. They are somewhat frequent. Other than major UI changes, I have been happy with the way they add features and ensure stability.
With the app it's very useful to be able to find out the location of the car, the status of the doors and windows, the current mileage, and be able to control the climate (Dog Mode, etc), warm up on cold mornings, cool down in summer. You can also get important notifications (i.e. Climate mode on for a long time, Door/Window is open, etc )
You might knock the remote climate feature but if you have dogs/kids/elderly it really improves their quality of life.
There's another recent feature which supports streaming music such as Apple Music, without your phone needed. This is convenient and useful.
Tesla charges $9.99 USD a month for this which I find to be extremely reasonable. ( I am an SRE and I know what it takes to maintain scalable secure infrastructures )
GM introduced this functionality 25 years ago with OnStar. It's been around so long the technology is considered legacy with support farmed out to Filipinos.
The fact that your car needs "somewhat frequent" updates doesn't concern you? Cars are effectively appliances, they should work right the first time, with minor updates here and there to fix serious issues which can be done in the safety of a shop at next scheduled service, and not risk pulling a Rivian and bricking the entire fleet at the push of a button.
The over the air updates to my 2015 Tesla S have added features as well as fixing bugs.
features...or distractions?
there are things they managed to fix in software that you thought would need to be fixed in hardware
Tesla does a lot of the “slick” features very well, but at least for me, they have been failing miserably at the basics:
- customer service: took 3 weeks to get my last service appointment, so I couldn’t drive my car for that long (service was because the charge port door wouldn’t open); was not told that when I had to replace the touchscreen (it had bubbles in it and I live in a very moderate climate), I would no longer have a radio.
- basic/critical features being poorly designed or seemingly had little thought put into them: see the above charge port door issue; window seals that drip going through the car wash; no physical controls for anything so you have to focus on the touchscreen while driving; other random fit and finish issues just due to substandard workmanship.
- substandard software: frequent issues and bugs with basic operation; after my touchscreen was replaced, the glove box pin no longer opens the glove box (minor nit, but annoying); loads of other random little annoyances.
Kia charges more than that IIRC and has none of those notifications, which would actually be useful (e.g. window open).
This is why I keep my mechanic in business repairing my '07 Prius.
I'm starting to wonder if I'm the only one left in the world who would rather the internet not eat me alive.
At least have a hard toggle switch mandated just like the button for emergency flashers.
Why would any of the decision makers want to do that? It's not like 99.9% of consumers appear willing to pay 10 cents more for an unconnected car.
The only way a connected car would be cheaper is if money is made from the data sent over the connection. Clearly that's the case right now.
Up-front NRE, per unit HW, perpetual cloud backend maintenance. There's a lot of cost to connect a car to the internet. It should be a luxury option that I can decline to have installed.
Recalls that can be fixed with over the air updates is a large financial reason to connect cars to the internet.
Personally, I’d rather connect to my WiFi where I have control, but that’s a lot to ask for regular consumers.
My Kia Niro is connected to the internet yet I can't OTA apply anything. Updates to the navigation data (~80GB) have to be done via USB and recall related updates have to get applied by the manufacturer. So I get 100% of the attack surface and ~0% of the convenience.
Oh god, that’s terrible!
I wonder how many years that will take. Five years?
Yes, we can still modify our cars as we please. Maybe it won't be legal. But we are able to. And we should.
On the contrary—preventing modification of cars is illegal in my state.
With the advent of "Kia Boys" and now this, it's a miracle people still buy Kias.
They have the best EV architecture on the planet currently; despite all the hacking issues, I'm still considering an EV6 for my next vehicle. Probably with a yanked cell radio fuse...
can you explain what you mean by ev architecture?
Hyundai and Kia use an 800V high voltage electrical system. The upshot is their vehicles charge scary fast, peaking in the mid 200kW's
Exactly. It makes a DC fast charge session (on a reasonably spec'd charger) take 20 minutes, not an hour like on competing EVs that peak at 150kW.
EV companies haven't quite figured out that the only two things consumers care about are range and charge rate (well, and cost, but there's an untapped market of people willing to pay if the featureset is there). Everyone has settled on 300mi range, which in my opinion is a little low but workable (at 80mph you'd have to stop every 3.5 hours), but for some reason nobody can get their act together on charge rate. Consumers need to purchase a car for their 99th percentile use case, which for much of America includes at least one road trip per year. The DC fast charge experience is basically the whole story there.
Obviously better charge rate would be better, and would be a bigger improvement than more range, but I've found that long road trips (10+ hours total driving time) with my 2023 Hyundai Kona, peak charge rate of ~70kW, is tolerable. I'd like my next EV (whenever I get it), to have a higher charge rate, but if I'm being honest, I'd care more other features such as V2H capability and physical media/HVAC controls. Now, fundamentally there is no reason that I should have to choose between these options. They are orthoganal, but if I was choosing between different vehicles, I'd give up charge speed to get those other features.
Agreed, but just a nit: cars that charge at 150kW peak tend to 10-80 in about 30 minutes, not an hour.
Source: my ID.4
Lucid and Porsche also have comparable internal voltages, but of course they are much more expensive than Hyundai and Kia.
In addition to the privacy and security issues, they also have a substandard infotainment still running Android 4.
Android 4? I had a 2017 Kia Ceed where I hacked the head unit, and I'm sure that was at least Android 6?
Older cars may have newer Android versions. People say that the Ioniq 5 is still running Android 4.4, but I havn't verified myself.
Cars are essential to living in America except for a few cities. Car manufacturers can basically do whatever they want.
There was a recent YouTube video with a car thief that basically showcased a "special" tablet that could get any car started in a minute by plugging into the OBD port. Pretty shitty security model if it relies on no tablets getting out.
If someone's already inside the car, I expect them to be able to hotwire it eventually.
The trouble is when manufacturers extend the CAN bus out to the smart headlights or something, and it's the same bus that the body control sits on, so they can just send a door-unlock message...
Do you have a link to the video?
https://youtube.com/watch?v=YS2K_quFWuY
Note: the technical details are very lacking so it may not be that interesting to most here. tl;dw: there is a reseller that shouldn't be selling the tablets to "unauthorized" people and some other tidbits about how the thief operates.
"thanks to a simple website bug AND TELEMATICS HARDWARE in the vehicles that had absolutely no relevance to their ability to get from point A to point B"
i cannot connect to kia anymore, would have bot worked in me
How much time would you need to redevelop KIAtool with AI?