This won't have nearly the same impact, but when you're considering how vulnerabilities like this might influence your future purchasing decisions, remember that Kia's decision to omit interlocks from their US vehicles (but not Canadian ones!) led to a nationwide epidemic of Kia thefts so large it fed a crime wave, something a number of US cities are suing Kia over. If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
> it fed a crime wave, something a number of US cities are suing Kia over
A large part of the crime wave stems from the policies these cities implemented. Many times from the same leaders who are suing Kia now.
For instance, a friend got their car stolen in D.C. After they caught the guy, they let him go with no consequences, because they said he was under 25 and it was the first time they caught him. D.C. recently put a convicted murderer on the sentencing commission who believes that this kind of "it's not really their fault if they're under 25" thinking should be extended to murders as well.
Local politicians even told us there wasn't a crime wave, and that it was just a fake narrative. Then when that stopped working, they started pointing fingers at everyone else they could.
There's a lot of this sort of thing in the UK at the moment which is really baffling to me.
One extreme is the death sentence, sure.
But on the other end it feels as if there are constant stories of career criminals who just do thing after thing after thing. It's not like someone just accidentally gets caught up in multiple assaults/robberies/break-ins etc. At some point you have to just think, okay, there's no rehabilitating this guy, how do we minimise the damage to society.
Canada, a bit more liberal than the US, probably has plenty of cities with such policies in place too. Yet, no crime wave there. These waves were a result of Kia's choices, and quite obviously so.
Regarding the Kia Boyz - immobilizers have been mandatory in most of Europe since the late 90s, in Canada since 2007.
Basically there is something to put on (lack of) regulations as well as on HKMC.
In the USA, we believe we don't need regulations, the Free Market(tm) will punish corporations that don't behave in a way that benefits their customers!
> If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?
> However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation.
I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.
An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.
We Canucks need all the features we can get to stop cars from being stolen; without exaggeration, a car is stolen in Canada every 5 minutes on average.
I'm about to take delivery of a Toyota Sienna in Canada, and despite it being a minivan, it's a Toyota which are popular to steal right now. I plan to use both a steering wheel and accelerator pedal club. I've watched videos of both devices being rendered futile in less than 60 seconds but I hope that it will deter the less determined thieves. Then, after my kids have thoroughly destroyed the interior, I will hope that it gets stolen.
Because car manufacturers have such a clear decision making role in the legal and judicial process of a place like Milwaukee. It can't be that the government simply realized that they aren't legally obliged to deal with any problems the populace have and simply let them eat cake in a 21st century way.
Don't anthropomorphize the lawnmower and blame Kia for this, blame the NHTSA for making it legal to skimp out on immobilizers in the first place. Regulations matter!
The obvious next step is to crawl the whole database of vulnerable Kia cars and create a "ride share" app that shows you the nearest Kia and unlocks it for you.
Something kinda like that was done, TikTok apparently algorithmically identified likely 'drivers' and flooded them with videos instructing and glorifying taking the cars for a joyride... while other platforms did not promote and even took those videos down.
Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could lookup information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?
A Kia authorised dealer being able to look up any Kia has some very useful benefits (for the dealer, and thus Kia).
If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.
Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.
In my opinion, the better way to design such a thing would be for there to be a private key held in a secure environment inside the car which is used to sign credentials which offer entitlements to some set of features.
So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.
In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.
The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.
Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.
You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
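The car-signed entitlement design sketched in the comment above, as an added example that is not part of the thread and not Kia's code: a simplified two-part Ed25519-signed token stands in for a full JWT, and the claim names, command names and VINs are constructed. The backend holds only each car's public key, so it can check a token's vehicle binding, expiry and command list but cannot mint one.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a constructed entitlement format; the field names are assumptions.
type Claims struct {
	VIN      string   `json:"vin"`
	Subject  string   `json:"sub"`  // owner account or dealer identity
	Commands []string `json:"cmds"` // commands this holder may trigger
	Expires  int64    `json:"exp"`  // Unix seconds
}

// Registry is the backend's view: one public key per VIN, no private keys.
type Registry map[string]ed25519.PublicKey

var b64 = base64.RawURLEncoding

// NewCarKey stands in for key generation inside the car's secure environment.
func NewCarKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueToken runs in the car: it signs the claims with the key that never leaves it.
func IssueToken(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c) // Claims holds only marshalable fields
	payload := b64.EncodeToString(body)
	return payload + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(payload)))
}

// Authorize runs on the backend and returns nil only if the request is allowed.
func Authorize(pubs Registry, token, vin, cmd string, now int64) error {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[1])
	pub, known := pubs[vin]
	if err != nil || !known || !ed25519.Verify(pub, []byte(parts[0]), sig) {
		return errors.New("not signed by this vehicle")
	}
	var c Claims
	body, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return errors.New("malformed claims")
	}
	if c.VIN != vin {
		return errors.New("token bound to another vehicle")
	}
	if now >= c.Expires {
		return errors.New("token expired")
	}
	for _, allowed := range c.Commands {
		if allowed == cmd {
			return nil
		}
	}
	return errors.New("command not in entitlement")
}

func main() {
	pub, priv := NewCarKey()
	pubs := Registry{"VIN-EXAMPLE-0001": pub} // constructed VIN
	now := time.Now().Unix()
	// Short-lived dealer token: status reads only, valid for 15 minutes.
	dealer := IssueToken(priv, Claims{"VIN-EXAMPLE-0001", "dealer:service-desk", []string{"read_status"}, now + 900})
	fmt.Println("read_status:", Authorize(pubs, dealer, "VIN-EXAMPLE-0001", "read_status", now))
	fmt.Println("locate:     ", Authorize(pubs, dealer, "VIN-EXAMPLE-0001", "locate", now))
	fmt.Println("after 1h:   ", Authorize(pubs, dealer, "VIN-EXAMPLE-0001", "read_status", now+3600))
}
```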
Those aren’t the only options. It would be a trivial change to allow any dealer to request access to any vehicle and have it tied to the active employee's SSO or something similar that at least leaves an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if an employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service.
This is quite common in Europe. There is normally no special relationship with the original dealer and the service history is centralised for most manufacturers.
Any stealership shouldn’t be able to lookup information about any active/sold car. These interactions need to have consent (authorization) from car owner. These authorizations should be short lived and can be revoked at any time.
Any of this sound familiar? Yea that’s because it’s a flow (oauth) used by many companies to control access to assets.
Car companies are just not meant to do tech. So common shit like this is ignored.
If these car manufacturers can barely shit out barely usable “infotainment” systems. Why the fuck are they diving into remote access technology?
That's not a benefit to me if I can't control how someone gets access to my vehicle, dealership or not. If I want a dealership to be able to assist me, I should have to authorize that dealership to have access, and have the power to revoke it at any time. Same for the car manufacturer. It ideally should include some combination of factors including a cryptographic secret in the car, and some secret I control. Transfer of ownership should involve using my car's secret and my car's secret to transfer access to those features.
If you feel like this sounds like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.
This is absurd. If there was a screen on the infotainment system where you could allow (temporarily!) the local service center of your choice to access your car remotely, fine. Otherwise, no thanks.
> What if a dealership employee uses this to stalk an ex or something?
Yes, and everyone should remember this the next time these companies and their lobbyists run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.
Yeah for some reason I find it so creepy that Kia ties your license plate number to your car's functionality. I don't know why but I feel like those two things should operate exclusively.
That is incorrect, as per the article Kia ties the VIN number to the car’s functionality. The author used a 3rd party service to convert the license plate number to VIN.
License plates are incredibly insecure. They are a short, easy to automatically recognize ID that is expensive to change, and it is a crime to drive while they are covered.
The article isn't clear, but it sounds like the cars were already being tracked, only now also "unauthorized" people could track them (when before, only Kia and car dealers could track your car).
Why is it okay for Kia/manufacturers to spy on our cars, and only a problem when others do it? This attitude is pervasive in reporting on hacks like these - the initial spying by corporations is always given a pass (or rather, it is implied that's not even "tracking", as the title implies the tracking happened only after the hack).
Almost all modern cars have a way of providing or grabbing location data, however most manufacturers do not "Spy" on your car by default, this would violate CCPA, Colorado's privacy act, GDPR, etc. The users need to opt-in to telematics data. For example in Hyundai case when you create a "Blue link" account and accept their terms of service you are connecting whatever vehicle you have verified on your account to their telematics system, and subsequently opting in to tracking.
Manufacturers like VW/Audi place an opt out within the vehicle itself so if you opt out of telematics in the vehicle you are in a full privacy mode and the manufacturer cannot get the data or override this request. This covers the scenario if other "Users" of the vehicle are driving and would choose to opt out outside of the main users/owner.
So some bake it into your app registration and signup, and some leave it in the vehicle. The gist is you can opt out, and if the manufacturer does not respect that you have grounds to sue. Currently there is a lawsuit against GM/Caddy because a user did not opt-in to Usage Based Insurance, but their information was captured and brokered blocking them from acquiring new insurance.
The EFF [1] is less optimistic that all of this spying is opt-in and clearly-stated (instead of buried in legalese), and Wired [2] likewise mentions cases where it's opt-out instead of -in.
Looks to me like all cars sold by KIA are still owned by KIA. I'm not worried about that exploit at all, it has been fixed. I'm terrified about how much data about a car and therefore about the "owner" is available to KIA. That's totally insane.
Not just KIA. Most if not all major automobile manufacturers track a huge amount of data on the vehicles [and their owners/operators]. For example, many vehicles come with that OnStar thing, and so they have a baseband processor and even LTE as well as a GPS receiver, and it's always on even if you don't pay for the service, which means that the manufacturer gets to know your vehicle's location and all the places you go and the routes you take.
Well, I am already pretty firmly against buying any car that requires you to create an account online to "activate" the vehicle. But I definitely won't buy another Kia anyway, based on the fact that our last one burned a quart of oil every thousand miles WELL before it hit the 100k mark.
As the article says, you don't need an active subscription to be vulnerable. In this case it seems that if the model supports the features at all, you are vulnerable.
This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.
I'm not sure if you can buy a tinfoil hat for a car.
Well... There is no reason to have a middleman like the OEM, so the car could be connected just with the formal owner (i.e. with a personal subdomain or dyndns), FLOSS stack under users control and some hard limits (like you can't act on the car if it is moving and so on).
Sorry no. App unlock is a stupid anti-feature, do people genuinely think it's better than pressing a keyfob?
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
Unlock via Bluetooth is perfectly viable without internet connection (unless you mean unlocking it for someone else?). Remote start and temp control should probably work from a few hundred feet away. If only phones had a longer range local radio, perhaps something like Zigbee. Maybe WiFi direct?
If the car manufacturer can remote unlock and start your car for you, it can be abused by a hacker in the same way. It's the exact same argument against backdoors in encryption for the government, if a backdoor works for them, it'll work for hackers too.
Well aren't you a precious little princess. I have none of that. It's very unlikely my early 2000s car will ever be attacked in this manner. I am going to maintain that car as long as possible. Enjoy your ticking time bomb.
Why do you give CarPlay credit for those features? No need for CarPlay for any of those. What do you get from CarPlay that you don't get from a connected car without CarPlay?
Where's the strict product liability here? Like, if Kia is making a car that's easy to steal and it gets stolen, why isn't that Kia's fault and they're responsible for the damages? We're talking gross negligence here.
There have been demonstrations of hacking cars remotely to gain control of it. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.
Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.
That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to update the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?
Anything political doesn't have to be only this reason or only that reason. "Both" is an option too.
Insane to me that so many people believe this...
This couldn't be the same state where they tried to just bribe a foreign company known for exploitative labor practices to set up a facility there could it: https://en.wikipedia.org/wiki/Wisconn_Valley_Science_and_Tec....
Edit: ah! I think you meant engine immobilizer
Requiring a breath or a specific key signal are both interlocks.
I can think of nothing more American than suing car manufacturers because they're too easy to steal. The US is truly screwed.
https://www.youtube.com/watch?v=j0sZpKXMUtA&list=PLhFPpjYO-P...
[1] https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
[2] https://web.archive.org/web/20240705093406/https://www.wired...
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
https://www.kianiroforum.com/threads/how-to-remove-head-unit...
[1] https://www.youtube.com/watch?v=d9FbBgG2axE
I have a 2023 Kia and that's not necessary. You only need the account if you want to use the optional online services.
App unlock, remote start + remote temperature control. All very useful.
I couldn't imagine buying a car without carplay now.