This won't have nearly the same impact, but when you're considering how vulnerabilities like this might influence your future purchasing decisions, remember that Kia's decision to omit interlocks from their US vehicles (but not Canadian ones!) led to a nationwide epidemic of Kia thefts so large it fed a crime wave, something a number of US cities are suing Kia over. If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
bnralt 86 days ago [-]
> it fed a crime wave, something a number of US cities are suing Kia over
A large part of the crime wave stems from the policies these cities implemented. Many times from the same leaders who are suing Kia now.
For instance, a friend got their car stolen in D.C. After they caught the guy, they let him go with no consequences, because they said he was under 25 and it was the first time they caught him. D.C. recently put a convicted murderer on the sentencing commission who believes that this kind of "it's not really their fault if they're under 25" thinking should be extended to murders as well.
Local politicians even told us there wasn't a crime wave, and that it was just a fake narrative. Then when that stopped working, they started pointing fingers at everyone else they could.
ethbr1 86 days ago [-]
It's fair to say that a company which makes cars that can be stolen with only a USB socket bears significant culpability for car thefts.
Anything political doesn't have to be only this reason or only that reason. "Both" is an option too.
- Kia fucked up, to make more $
- Some cities have ineffective enforcement
rcthompson 86 days ago [-]
> car thefts
To be specific, I don't think the cities are suing over the car thefts. If I understand correctly, they're suing because the availability of easily hacked Kia cars enabled a wave of other crimes, because the criminals knew they had easy access to a getaway vehicle that couldn't be traced back to them.
grecy 86 days ago [-]
> It's fair to say that a company which makes cars that can be stolen with only a USB socket bears significant culpability for car thefts.
WHAT?
I don’t have my wallet on a chain, do I have some responsibility if I get pickpocketed?
These criminals are breaking the law, it is ENTIRELY their fault. Any other interpretation has way, way too many logic holes and strange consequences that say it’s our fault when a criminal willingly breaks the law.
ethbr1 86 days ago [-]
We're talking about different things.
If your car gets stolen, that's your problem.
If suddenly a massive number of cars are stolen, that's the government's problem. (As now police forces have to deal with criminals trivially obtaining getaway cars)
So it seems reasonable that the manufacturer in question should be sued for the cost of the additional police resources required.
grecy 85 days ago [-]
> If suddenly a massive number of cars are stolen, that's the government's problem.
I have no idea why you jump to that conclusion.
The problem is clearly the person breaking the law.
But anyway, going with what you said...
> So it seems reasonable that the manufacturer in question should be sued
Wait, if it's the government's problem, then THEY should be sued for not requiring manufacturers to have these anti-theft devices (as the Canadian government does). The auto manufacturer is building cars precisely as the US government mandated them to.
It seems like you're trying to bend logic to blame anyone and everyone other than the people who are breaking the law.
ethbr1 85 days ago [-]
I'm not sure where you're reading that the thief shouldn't also be charged. That's obvious, but if you need me to spell it out: yes.
What I'm talking about is how companies should bear liability for the social consequences of their choices.
The linked page doesn’t define ‘social consequences of their choices’ nor do any of the linked or cited texts, and most don’t even touch on the issue of differences between ‘companies’ making a choice and individuals within the companies making a choice.
Is there a more credible source?
kortilla 86 days ago [-]
I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.
ethbr1 86 days ago [-]
So if a window manufacturer decides to save money and not put latches on their windows, enabling them to be opened from the outside at will, and home invasions spike, that manufacturer isn't a large part of the problem?
bombcar 86 days ago [-]
Part of the problem and the only cause are not the same thing.
Both Kia and the thieves can be in the wrong. Trying to break it down to one cause is never going to work.
Some car will always be the easiest to steal. People should always take reasonable precautions. But crime is still crime; if someone leaves their car running with the door unlocked as they run into the store and it gets stolen - they made a mistake but the criminal did a crime.
brookst 86 days ago [-]
Your use of “only cause” was the first in this discussion.
Lots of people get sued for lots of things. Nowhere does it say that suits can succeed only if the defendant is the sole cause of the problem. See: Takata air bags. Huge liability, but in any given incident it wouldn’t be a problem unless someone else caused an accident. Yet Takata does not get to say “our defective product wouldn’t have been a problem if Mr. Doofus hadn’t rear-ended you.”
Binary is great for computers, less good in legal thinking.
RHSeeger 85 days ago [-]
> Your use of “only cause” was the first in this discussion.
No, but this statement implied Kia wasn't at fault because someone else committed the crime...
> I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.
So sure, that was the first use of "only cause"; in the same way that "there was 1 light" and "there weren't multiple lights" aren't the same words; but they contain the same information.
kortilla 86 days ago [-]
What an asinine comparison. The criminal maintains full criminal liability even if it’s an easy crime.
singleshot_ 85 days ago [-]
He was talking about civil liability. The concept you’ve tripped over here is called intervening superseding causes and the criminal only destroys the tortfeasor’s liability if his intervening criminal cause is unforeseeable.
Here, because the entire purpose of car immobilizers is theft protection, the thief is foreseeable and his crime does not supersede.
I’m a little troubled by your use of the word “asinine” in this context.
whatwhaaaaat 85 days ago [-]
What about door locks? Or the ignition that had to be ripped out to use the USB stick trick? Does everyone have to use a club or hidden kill switch to not have them blamed?
I’d be willing to guess you won’t use this word salad when describing sexual crimes.
ethbr1 85 days ago [-]
> Or the ignition that had to be ripped out to use the usb stick trick?
If by "ripped out," you mean depressing a tab and then pulling it out.
Literacy is important. I’m arguing that the criminal’s bad act does not necessarily break the chain of causation that makes Kia liable. You’re projecting that I’m blaming the consumer.
potato3732842 86 days ago [-]
No they are not. At best they are a minor contributor. If people want security latches and whatnot they can buy them and pay accordingly. An easy to steal car beats no car every day of the week.
I live in a not great part of what's arguably the bluest state in the nation (which is to say this isn't some dumb red state "tough on crime" thing) and I can't imagine someone being able to go around checking windows or car doors for very long without a free ride in a cop car. Windows here are unlatched from May to September. I bet a lot of those houses have Kias in the driveway that they've had no theft problems with as we only have about a dozen car thefts per year here.
Ford Superduties over a huge year range can be stolen much the same way (you also have to punch out a lock before taking a screwdriver to the column) until very recently as PATS was not standard on the higher GVW stuff but those are expensive trucks so shitting on them doesn't scratch the same "validate my $50k purchase of something else" itch that crapping on Kia does.
RHSeeger 85 days ago [-]
And yet we have laws that disallow things that the buyer could just avoid by not purchasing. Because, as a society, we find it unacceptable for vendors to do certain things. And we hold them at fault if they do bad things, even if the buyer had the option to not buy it in the first place.
That being said, how many people buying Kias _knew_ the problem existed? You can't make an educated choice if the information isn't really available to be educated about.
incrediblydumb 84 days ago [-]
lol check out rochester ny car theft stats!
lukan 86 days ago [-]
But that would be loud, not good for theft.
Opening a window or door silently requires a whole different set of special skills.
naming_the_user 86 days ago [-]
There's a lot of this sort of thing in the UK at the moment which is really baffling to me.
One extreme is the death sentence, sure.
But on the other end it feels as if there are constant stories of career criminals who just do thing after thing after thing. It's not like someone just accidentally gets caught up in multiple assaults/robberies/break-ins etc. At some point you have to just think, okay, there's no rehabilitating this guy, how do we minimise the damage to society.
Retric 86 days ago [-]
It’s far more expensive than you may assume.
Locking 1,000 people up for a decade costs ~1 billion dollars. So even slightly more aggressive policies get expensive fast, and a surprising number of people “age out” of these kinds of crimes. It’s not clear if it’s hormones or what but you’ll see people with extensive rap sheets who end up as productive members of society in their 30’s or 40’s and beyond.
naming_the_user 86 days ago [-]
I'm aware that it's expensive but the alternative is pretty horrific.
A person that goes about assaulting people is a significant drain on society. It's not even just monetary, it ruins trust, it ruins the relations between the people who aren't antisocial. It also has the moral hazard effect of increasing the number of others that see that this behaviour ultimately goes unpunished.
As far as I'm concerned, there are very few legitimate reasons to raise taxes, but police and prisons are one of them, they are not problems that individuals can solve in the private sector.
xattt 86 days ago [-]
There was another discussion around the Cannonball run, and how it should be allowed because no one gets hurt.
In a way it does, because it ruins trust as the participants treat your presence on the road like an inconvenience.
CraigJPerry 86 days ago [-]
>> treat your presence on the road like an inconvenience
Aren’t we all a bit guilty of that? Maybe not all the time - when I see an ambulance whizz past or a fire truck, I’m appreciative of their efforts.
But everyone else? You’re just in the way ultimately. There isn’t much pleasure to be derived in waiting around for someone to have their fair turn at the intersection or whatever.
Obviously as a rational human I’m quite capable of suppressing such thoughts and generally abide by the traffic laws, but the point still stands.
fennecfoxy 82 days ago [-]
I don't mind at all, waiting for my turn on the road. What I do mind is not receiving it in kind - in London a lot of people refuse to let you in, they see getting from A to B as some sort of competition. Meanwhile, I'll let a car in in front of me if I have the opportunity, only to be denied it when I need to slip in from a minor road during rush hour. Humans are a selfish species, thank evolution and resource contention.
xattt 84 days ago [-]
Most folks don’t get on the road with a superiority complex. If we don’t believe in goodwill actions of others, society falls apart.
tomp 86 days ago [-]
> Locking 1,000 people up for a decade costs ~1 billion dollars.
This is a purely political decision, not an inherent cost of jailing.
Your number comes down to $100k per person per year. That’s just insane. Many families earn less than that (post-tax)!
And obviously jail is supposed to be cheaper than non-jail life in the first place, because you’re not paying for luxury, just food, (cheap) rent and security.
quickthrowman 86 days ago [-]
That cost includes paying all of the staff (guards, admin, medical, social workers, etc) and maintaining the building(s) and infrastructure, I’m surprised it’s only $100k a year.
potato3732842 86 days ago [-]
>Your number comes down to $100k per person per year. That’s just insane. Many families earn less than that (post-tax)!
That's not nearly as bad as I was expecting considering that for every 1-2 prisoners there's a ~$100k employee.
tomp 86 days ago [-]
But why? I mean, just put each prisoner in a separate cell, why would you need more than 1 employee per 20-50 prisoners? Ok, maybe 3, for 24 hour rotation... Make sure you never unlock more than a single cell, and keep guns, lots of guns.
pcwalton 85 days ago [-]
You need lots of doctors, especially with an aging prison population. Doctors aren't cheap. Not to mention the cost of medicine, which can get very expensive when you consider things like end stage cancer drugs for elderly prisoners who can't be released because they're serving LWOP, and it all must be paid for by the state.
Or consider institution GED classes. You might say, those can easily go on the chopping block to save some money. But then you end up with inmates who are released without a high school diploma and, lacking educational opportunities, are more likely to return to crime. Then they go back into the prison system where they use more state resources than if they had just been given education in the first place. It's easy to imagine scenarios in which programs like that are worthwhile in the long term purely for fiscal reasons even if you care 0% about the welfare of criminals themselves.
sokoloff 85 days ago [-]
Prisoners should have access to healthcare and education at a similar level as provided for the general population. Other than security-related cost increases, the government is already bearing those costs.
Retric 82 days ago [-]
Prisons can’t cheaply leverage the normal healthcare system. Sending someone to a dentist / hospital etc requires they remain unable to escape through the entire process which inherently adds overhead. Having healthcare workers on staff creates mismatches between their workload and the size of the prison population.
tomp 85 days ago [-]
I don’t get it. Sounds like all the things the state would offer anyways - education and healthcare for poor people…
chefandy 84 days ago [-]
Yeah but in a prison it's more difficult to use bureaucracy and shame to stop people from utilizing those services.
Loudergood 86 days ago [-]
7 Days a week, vacation/sick coverage, facilities/food/admin
potato3732842 86 days ago [-]
>But why?
Low key jobs program at the expense of taxpayers IMO.
incrediblydumb 84 days ago [-]
do you just make shit up? you are seriously arguing that the "employee per prisoner" ratio is way way better than public schools.
Retric 82 days ago [-]
Prisons operate 24/7 365, so unless you’re thinking of having zero guards for most of the day your estimate is wildly off. Further, there’s real concern that people will escape their cells so there’s a real desire for manpower not just people to watch monitors.
Add admin staff etc, and the numbers escalate quickly.
staunton 86 days ago [-]
They just have no space left in the jails, what can you do... I guess they hope that as long as protesters get a spot the damage to society will be manageable.
wesselbindt 86 days ago [-]
Canada, a bit more liberal than the US, probably has plenty of cities with such policies in place too. Yet, no crime wave there. These waves were a result of Kia's choices, and quite obviously so.
We're not talking about car theft in general, but about the specific crime waves that occurred after the rollout of the less than secure Kias in the US and the Kias with the proper security measures in Canada.
edouard-harris 86 days ago [-]
There's no Kia-specific crime wave in Canada as far as I know (I live there). But there's absolutely a general crime wave of car thefts in Canada, and it's quite plausibly tied to recent policy choices. Of course the effect of policy is going to be additive to the effect of blunders like Kia's. But there's good reason to think it has enough impact on its own to be worth discussing.
themaninthedark 86 days ago [-]
I'm kind of curious, did Canada have the same spike in the "knockout game" that the US did?
If it did, that would point to a US and Canada crime trend correlation. If not, then you can't just say that the one static variable, city/county level policy and the independent variable, immobilizers, are the only factors.
You have different criminal populations, societal values, amounts of government aid, rehabilitation programs, etc that all play into the analysis.
walrushunter 86 days ago [-]
[flagged]
coding123 86 days ago [-]
[flagged]
solraph 86 days ago [-]
Even for the most heinous crimes, the death penalty has one massive glaring practical problem.
What if the sentenced person is actually innocent? No amount of apologies or recompense will bring that person back.
a-french-anon 86 days ago [-]
That's not a practical but a moral one. Practically speaking, the errors would be extremely rare and the gains for the whole society massive.
dpassens 86 days ago [-]
How is any error rate, no matter how small, acceptable when it comes to killing people?
SideburnsOfDoom 86 days ago [-]
Parent poster a-french-anon may be wrong or at least is making unsubstantiated wishful claims about costs and benefits - "the errors would be extremely rare" - would they really? And would they be evenly spread over in-groups and out-groups?
But at least the question "how is that acceptable?" is in fact a question of a moral nature. It's unacceptable, but it is unacceptable because it is immoral.
Dylan16807 85 days ago [-]
How is any error rate, no matter how small, acceptable when it comes to locking people up for the rest of their lives?
While I don't like the death penalty I don't think it's that different from a very long sentence. I don't think it makes sense to say that any punishment needs an absolutely perfect error rate.
wesselbindt 86 days ago [-]
Given how flagrantly governments have been using pedophiles as an excuse for curtailing our right to privacy, I don't trust them to execute civilians for this reason (or any). False convictions (intentionally so, in worse-governed countries) are a thing, and I do not cheer for the prospect of giving the government yet another reason to murder its citizens.
Advocacy in favor of the death penalty is never about "death penalty for murderers/rapists" but "death penalty for people convicted of being murderers/rapists". Practice has shown there's a big difference.
IanCal 86 days ago [-]
At its core, a death penalty is permission for the government to kill its own citizens.
That's a pretty big step, and to me it requires a lot of benefits to justify.
coding123 83 days ago [-]
Many people that escape prison kill people immediately after doing so. Either in the process of running from the law or simply taking over a house for a few days of cover.
It seems to me like taking care of business before that happens is a more beneficial thing.
wallaBBB 86 days ago [-]
Regarding the Kia Boyz - immobilizers have been mandatory in most of Europe since late 90s, in Canada since 2007.
Basically there is something to put on (lack of) regulations as well as on HKMC.
Sohcahtoa82 86 days ago [-]
In the USA, we believe we don't need regulations, the Free Market(tm) will punish corporations that don't behave in a way that benefits their customers!
Insane to me that so many people believe this...
beerandt 86 days ago [-]
The problem isn't that we need better locks, but that we need locks at all.
Within my lifetime we've gone from leaving the backdoor unlocked at night and leaving the car keys on the seat (or in the ignition) from being the normal practice to being unthinkable.
You're focusing on the wrong govt policies.
killdozer 86 days ago [-]
Please, nobody ever left their doors unlocked all the time, if trust was _really_ that high there wouldn't have been locks at all.
Loughla 86 days ago [-]
We did when I was a kid. Nobody locked their doors in my town. In fact multiple people just had blanks over the holes meant for deadbolts.
Then the local powerplant shut down, and the manufacturing associated with it left as well. The largest employer in the area besides those two moved operations to China. Then methamphetamine became popular and then heroin, too.
Now you can't leave anything unlocked or outside.
consteval 82 days ago [-]
> We did when I was a kid. Nobody locked their doors in my town. In fact multiple people just had blanks over the holes meant for deadbolts.
Yeah, because you guys had a warped perception of crime.
Virtually all crime now is significantly lower than it was just 20 years ago. You might not believe that, but it's true!
What's happening here is people's perceptions are being warped, almost certainly due to political propaganda. But the numbers don't lie, just take a look at the Bureau of Justice Statistics.
Loughla 76 days ago [-]
I hear you, and nationally that is probably true. But locally it's just not. There genuinely wasn't crime here outside of drunk fights once a year at the local pool hall.
Now there is genuine crime. Drugs and murder.
I'm not saying you're wrong. I'm saying that your argument doesn't apply on the local scale. Using macro data for micro experience is a bad idea.
This is also the reason that argument falls flat in a lot of places.
jpsouth 86 days ago [-]
For the majority of my childhood and teenage years the door was never locked. I don’t think it’s a British thing to leave your keys on the seat, but they were always in the hallway, right next to the unlocked door (like everyone else I knew).
I’m trying to think of the point this changed, and I can’t, but I would guess around 2008-2010 or so.
beerandt 86 days ago [-]
I'm sorry you never got the chance to live in a high-trust area.
A lot harder to find one now.
albedoa 86 days ago [-]
Yikes. This is more of an incredible claim than the counter. I'm shocked that you are willing to make it so confidently.
kortilla 86 days ago [-]
We did when I was a kid and my uncle still does. It’s sad that it’s hard for you to fathom safe communities.
cobbaut 84 days ago [-]
For sure we did. Our backdoor, and that of all the neighbours was unlocked day and night. Same for my grandmothers' house and her neighbours. 1970s.
Dalewyn 86 days ago [-]
Or to put it another way:
Social problems and regressions cannot be resolved with ever more esoteric technological or draconian political solutions.
windexh8er 86 days ago [-]
Maybe that's the goal. By creating the Kia Boyz situation, through omission of proven controls used in other countries, we created a nice conduit for more draconian measures.
worik 86 days ago [-]
There are political solutions
throw10920 86 days ago [-]
Citation needed for the claim that any significant fraction of the US population believes that regulations are completely unnecessary.
This runs directly contrary to my lived experience here, so unless you can provide evidence it sure seems like you're just stereotyping an entire nation to engage in ideological warfare.
fearmerchant 85 days ago [-]
Forty-nine states recklessly allow florists to sell flowers without a license. Only the good people of Louisiana are safe from dangers of unregulated flower purchases.
dsr_ 86 days ago [-]
It doesn't need to be the population believing that regulations are completely unnecessary.
It just needs to be a sufficient number of politicians understanding that their donors and prospective donors find specific regulation of their industry overbearing.
throw10920 86 days ago [-]
That's absolutely true (and a very good point), but that's not what the GP was claiming.
op00to 86 days ago [-]
I’ll certainly never buy another Korean car.
thfuran 86 days ago [-]
And never an American one after the Pinto, and never a German one after the VW testing scam, and never a Japanese one after the recent safety scandal? I guess you can still get a Jaguar, so your mechanic won't complain.
Dylan16807 85 days ago [-]
VW didn't really affect the customers.
How big of a difference was the actual safety of the Japanese cars? Are the corrected numbers poor, or still pretty good?
worik 86 days ago [-]
I drive a car made in the 1990s
I was planning to upgrade it
I might not...
thfuran 86 days ago [-]
I had been planning to keep driving my car for quite some time, but recently it's developed a weird engine noise and a check engine light that nobody can resolve. I'm not sure I'll be able to give EV charging a few more years to sort itself out.
vasco 86 days ago [-]
From my understanding immobilizer bypass tools are cheap and plenty.
acdha 86 days ago [-]
Even if that’s true, they are clearly nowhere near as “cheap and plenty” as watching a TikTok video. The spike in crime was far greater than normal random variation.
wallaBBB 86 days ago [-]
Not really. At least not for those immobilizers that don't use "proprietary" ciphers.
Automotive loves security through obscurity until it bites them in the ass.
Today most manufacturers have moved to AES128, which is not cheap to brute force, especially if there is a rolling code (should be the case for many).
But you are right that there are many (older models) that use ciphers with known quick exploits:
TI's DST40/DST80 (40/80-bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.
NXP's HITAG2 - most commonly used one in the '00s - 48-bit proprietary cipher, a lot less exploited in the wild than TI's disastrous two variants.
mozman 86 days ago [-]
you can just reprogram a new seed via canbus, don’t need to brute force it
wallaBBB 86 days ago [-]
Those types of attacks (CAN injections) are very OEM specific, and come from deep insider knowledge, not something you fuck around and find out.
I’m assuming you’re referring to Toyota, but anyways please give direct reference to the attack you’re referring to.
Keep in mind any need for expensive equipment is already a deterrent for many.
Probably why great grandparent used that phrase. ;)
hnav 86 days ago [-]
1-4k for the tools that they then amortize across many cars stolen and stripped or shipped overseas.
dmoy 86 days ago [-]
Idk what the pattern is where you are, but the majority of stolen cars where I am are not sold or stripped or anything like that. They're used for N days and then ditched somewhere. Used either for joyriding, living in, crash&grab, or whatever.
One of my old neighbors had their same car stolen like 2-3 times, always ditched and found after some number of days missing.
acdha 86 days ago [-]
That was the big shift here for the Kia mess. Normally the thieves tend to be professionals so the stolen ones are at a port or being stripped soon afterwards, but when that hit TikTok there were a lot more joyrides and brief use for theft/robbery because it was a bunch of teenagers who didn’t have much of a plan.
adolph 86 days ago [-]
> If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?
Terr_ 86 days ago [-]
> However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation.
I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.
An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.
levocardia 86 days ago [-]
This is correct, the usual procedure is: steal Kia or Hyundai with your friends using the no-interlock exploit --> find other cars to carjack (at gunpoint), or individuals to rob --> ditch stolen cars when no longer needed. Exploit no-pursuit policies as needed.
tptacek 86 days ago [-]
I've posted this point a couple times on HN and I guess I will keep posting until people stop expressing surprise that trivially stealable cars are a precursor to carjackings. I'm not dunking, there's no good reason for people to intuit that! But it's a really important thing to understand.
potato3732842 86 days ago [-]
I'd really like to see a citation for carjackings going up more than any other crime that a stolen car enables.
Cars are hard to fence and if you have a stolen car there's other crimes you can commit that have similar upsides and lower sentences/risks. For example ATMs never run over your buddies or shoot back at you.
tptacek 86 days ago [-]
Carjacked cars are usually recovered. They're not carjacked so they can be sold on some weird car black market.
op00to 86 days ago [-]
All stolen cars are usually recovered. The recovery rate is something like 85%.
Terr_ 86 days ago [-]
I worry that single percentage might be hiding some complexities like a subcategory of cars with a much lower recovery rate, or having the term "recovered" encompassing "as scrap".
jshdhehe 86 days ago [-]
Or the same car keeps getting stolen as someone else suggested. So the % of distinct cars may be lower.
adolph 86 days ago [-]
Thanks and thanks to the upthread explanations.
Part of what makes it unintuitive is the specificity:
* Why Milwaukee and Chicago instead of everywhere?
* Why carjacking and not a general increase in crimes that could be facilitated by an unassociated car (bank robbery, toll violations, etc)?
tptacek 86 days ago [-]
The phenomenon started in Milwaukee (the "Kia Boys" challenge), and I happen to live in Chicagoland, which experienced a huge wave of carjackings immediately afterwards. I have one of them recorded on my Nest camera in the alley behind my house. Nothing in particular about those two cities otherwise.
As the sibling points out: it's a broader issue than just carjackings --- but the carjackings themselves were novel, scared the shit out of people in a way that stochastic-seeming strong arm robberies don't. The headline here is: it was a gravely negligent thing for Kia to have done; I hope they lose their shirts.
dangptacek 86 days ago [-]
[dead]
kgermino 86 days ago [-]
FWIW the associated crime wave was much broader than carjacking (and I’m actually not aware of a particular increase in carjackings specifically due to the Kia issues but I don’t know) but the Kia issues seem to have started in Milwaukee.
For whatever reason, it became A Thing here more than a year before it went national. Car thefts in Milwaukee more than doubled (entirely due to a stupidly large increase in Kia/Hyundai thefts) and we got a reputation for Kia thefts before it became a national issue.
jeffbee 86 days ago [-]
I question whether Milwaukee and Chicago are outstanding examples. I looked at a few reputable sources and neither those cities nor their states seem to be extremes in terms of car theft rates. Most of these law enforcement agencies are not specifically breaking out carjacking.
Random presentation of car theft stats comparing Chicago to a handful of others. We hear a lot about Chicago because many have a vested interest in deflecting discussions about crime. When was the last time you heard about the insane motor vehicle theft rate of Dallas? https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
Tool_of_Society 86 days ago [-]
Hell, Mississippi as a state might soon pass Chicago in murder rate per capita. Chicago last year had a murder rate of 22.85 per 100,000 while Mississippi had a murder rate of 20.7 per 100,000. Louisiana had 19.8 and Alabama had 18.6.
tptacek 86 days ago [-]
Chicago isn't even in the top 10 per capita. It's just a very big city that everybody forgets is a very big city.
anarticle 86 days ago [-]
"Places like" include Philadelphia. It's not a closed set, just some examples. I have friends that have had their KIA stolen this way, and others that have outright sold their car to get a different brand due to how prevalent it is here.
reaperducer 86 days ago [-]
> Why Milwaukee and Chicago instead of everywhere?
It wasn't just in those cities, it was nationwide. The poster was using those cities as examples because they are familiar to him.
jshdhehe 86 days ago [-]
Like cyber exploits then. Get someone to click a link to download something then access their email to send someone else an email and so on.
bombcar 86 days ago [-]
Having a stolen car means the easiest way to identify someone is now non-identifying. It’s a great precursor to avoid being tracked.
mass_and_energy 86 days ago [-]
We Canucks need all the features we can get to stop cars from being stolen; without exaggeration, a car is stolen in Canada every 5 minutes on average.
SpaghettiCthulu 86 days ago [-]
Too bad the only thing our current government can think to do is ban the FlipperZero.
zerd 86 days ago [-]
Just wait, next they'll ban USB cables.
voidmain0001 86 days ago [-]
I'm about to take delivery of a Toyota Sienna in Canada, and despite it being a minivan, it's a Toyota which are popular to steal right now. I plan to use both a steering wheel and accelerator pedal club. I've watched videos of both devices being rendered futile in less than 60 seconds but I hope that it will deter the less determined thieves. Then, after my kids have thoroughly destroyed the interior, I will hope that it gets stolen.
ndileas 86 days ago [-]
Have you considered not living in such an environment of fear? I have no idea of your circumstances, but this is something I see in my local relatives all the time. They buy ring cams and security systems, scrutinize nextdoor, etc. In reality, they are incomparably rich and safe compared to most. Personally I refuse to buy into this nonsense and just go about my life, despite living in a place that's far more dangerous by the numbers.
voidmain0001 86 days ago [-]
You're mistaken. I'm not cowering in fear or fright as you imagine. I am merely pragmatic considering I have waited two years for the vehicle to be delivered and I know that if it's stolen the insurance company will not pay out for a replacement vehicle. It will pay out what I paid but a slightly used replacement will cost more than what I am about to pay due to the constrained market for these vehicles. As for your circumstance, I'm glad you have come to a reasoning that is suitable to you.
fragmede 85 days ago [-]
> waited two years for the vehicle to be delivered
For a Toyota Sienna? Which option package on that thing did you get? That's wild!
voidmain0001 73 days ago [-]
XSE AWD. I don't think options/models matter with the Sienna. Rather, Toyota is very behind on its hybrid vehicle production. The Sienna is only available as a hybrid.
mardifoufs 86 days ago [-]
I mean it depends. In Toronto you could do that (and I usually agree with you about say, home security), but then you don't really choose where you get to park your car every time. And in a way I'd be more stressed to know that I could lose my car if I parked it somewhere that I don't know, and that I can't do anything about it once it gets stolen, versus just putting 2 locks.
But again, I totally agree with you about the weirdness of people going full military compounds in residential areas.
Because car manufacturers have such a clear decision making role in the legal and judicial process of a place like Milwaukee. It can't be that the government simply realized that they aren't legally obliged to deal with any problems the populace have and simply let them eat cake in a 21st century way.
How did the insurance companies respond to this? They should have made the cars extremely expensive to insure, no?
incrediblydumb 84 days ago [-]
Largely driven? You're forgetting at least one variable
roberttod 86 days ago [-]
I wasn't sure what an "interlock" was, and it's a breathalyzer that prevents the vehicle from starting. Was that a mistake?
Edit: ah! I think you meant engine immobilizer
Dylan16807 85 days ago [-]
interlock. noun. an arrangement in which the operation of one part or mechanism automatically brings about or prevents the operation of another
Requiring a breath or a specific key signal are both interlocks.
Eumenes 86 days ago [-]
> something a number of US cities are suing Kia over
I can think of nothing more American than suing car manufacturers because they're too easy to steal. The US is truly screwed.
tptacek 86 days ago [-]
They're being sued because they deliberately made the cars easier to steal in the US than they are elsewhere.
userbinator 86 days ago [-]
In some places in the US, you can leave your doors open and car unlocked and no one will touch it. Perhaps a friendly neighbour may remind you, but that's about it.
As much as some narrative wants us to think, we don't need to be forced to live in effectively the same conditions as a maximum-security prison in order to have no crime.
Cars (and other things) being easy to steal isn't the problem.
tptacek 86 days ago [-]
I have to lock my car doors. There isn't anyone within 10 square miles of me who feels like they live in a maximum-security prison.
hackernoops 86 days ago [-]
Sounds like you live in Stockholm. (syndrome)
wasteduniverse 86 days ago [-]
Don't anthropomorphize the lawnmower and blame Kia for this, blame the NHTSA for making it legal to skimp out on immobilizers in the first place. Regulations matter!
tptacek 86 days ago [-]
Since Kia/Hyundai is the only automotive group to have this problem, I'm going to go ahead continuing to blame them.
piva00 86 days ago [-]
I agree and still it's also the lack of regulation that enabled it to happen, and 2nd order effects of it is the increase in carjackings.
It's a pretty good argument for the regulation, since everyone else is already doing it just make it the standard.
searealist 86 days ago [-]
Of course you are. The alternative is to blame the governments (of places like Chicago or Milwaukee), or the people doing the theft.
BoorishBears 86 days ago [-]
Why are those alternatives for you?
I find it very easy to hold the governments, people, and companies as all culpable in their own way.
bombcar 86 days ago [-]
Exactly. The situation should be examined like the NTSB does for plane crashes, usually a proximate cause and other contributing causes.
Kia is a joke car manufacturer. It’s surprising that they are still able to sell cars and stay in business
randomstring 86 days ago [-]
The obvious next step is to crawl the whole database of vulnerable Kia cars and create a "ride share" app that shows you the nearest Kia and unlocks it for you.
jshdhehe 86 days ago [-]
If you get 10x MoM growth you can lobby for it to be legal next year
nullc 85 days ago [-]
Something kinda like that was done, TikTok apparently algorithmically identified likely 'drivers' and flooded them with videos instructing and glorifying taking the cars for a joyride... while other platforms did not promote and even took those videos down.
aftbit 86 days ago [-]
Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could look up information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?
lambada 86 days ago [-]
A Kia authorised dealer being able to look up any Kia has some very useful benefits (for the dealer, and thus Kia).
If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.
Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.
aftbit 86 days ago [-]
In my opinion, the better way to design such a thing would be for there to be a private key held in a secure environment inside the car which is used to sign credentials which offer entitlements to some set of features.
So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.
In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.
The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.
Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.
You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
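The scheme aftbit outlines above, sketched as an added example that is not part of the original comment or of any Kia system: a key held in the car signs a scoped, expiring entitlement, and the backend only acts on commands that token allows. The token format, the names (`Car`, `Backend`, `Issue`, `Authorize`), the use of Ed25519 and the backend's VIN-to-public-key enrollment are all assumptions, and the OBD-II authentication step that would gate `Issue` is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrMalformed = errors.New("malformed token")
	ErrSignature = errors.New("not signed by this vehicle's key")
	ErrExpired   = errors.New("token expired")
	ErrScope     = errors.New("command not in token scope")
)

// Claims is a constructed entitlement format for this example (not a real JWT profile).
type Claims struct {
	VIN      string   `json:"vin"`
	Subject  string   `json:"sub"`  // owner account or dealer ID
	Commands []string `json:"cmds"` // commands the holder may trigger
	Expires  int64    `json:"exp"`  // Unix seconds
}

// Car stands in for the secure environment in the vehicle; priv never leaves it.
type Car struct {
	VIN  string
	priv ed25519.PrivateKey
}

func NewCar(vin string) (*Car, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, nil, err
	}
	return &Car{VIN: vin, priv: priv}, pub, nil
}

// Issue signs an entitlement; assumed to run only after someone with physical
// access has authenticated to the car.
func (c *Car) Issue(subject string, cmds []string, ttl time.Duration, now time.Time) (string, error) {
	body, err := json.Marshal(Claims{VIN: c.VIN, Subject: subject, Commands: cmds, Expires: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(c.priv, body)), nil
}

// Backend maps VIN to the car's public key (assumed enrolled at manufacture).
// It holds no signing key, so it cannot mint access to a car by itself.
type Backend map[string]ed25519.PublicKey

// Authorize checks signature, vehicle binding, expiry and scope, in that order.
func (b Backend) Authorize(token, vin, command string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	enc := base64.RawURLEncoding
	body, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, ErrMalformed
	}
	pub, ok := b[vin]
	if !ok || !ed25519.Verify(pub, body, sig) {
		return nil, ErrSignature
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil || c.VIN != vin {
		return nil, ErrMalformed
	}
	if now.Unix() >= c.Expires {
		return nil, ErrExpired
	}
	for _, allowed := range c.Commands {
		if allowed == command {
			return &c, nil
		}
	}
	return nil, ErrScope
}

func main() {
	now := time.Now()
	car, pub, err := NewCar("EXAMPLEVIN0000001") // constructed VIN
	if err != nil {
		panic(err)
	}
	backend := Backend{car.VIN: pub}
	dealer, _ := car.Issue("dealer-1234", []string{"status"}, 15*time.Minute, now)
	_, err = backend.Authorize(dealer, car.VIN, "locate", now)
	fmt.Println("dealer locate:", err)
}
```
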
conductr 86 days ago [-]
Those aren’t the only options. It would be a trivial change to allow any dealer to request access to any vehicle and have it tied to the active employee’s SSO or something similar that at least leaves an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service.
folmar 86 days ago [-]
This is quite common in Europe. There is normally no special relationship with the original dealer and the service history is centralised for most manufacturers.
xyst 86 days ago [-]
Any stealership shouldn’t be able to look up information about any active/sold car. These interactions need to have consent (authorization) from car owner. These authorizations should be short lived and can be revoked at any time.
Any of this sound familiar? Yea that’s because it’s a flow (oauth) used by many companies to control access to assets.
Car companies are just not meant to do tech. So common shit like this is ignored.
If these car manufacturers can barely shit out barely usable “infotainment” systems. Why the fuck are they diving into remote access technology?
belthesar 86 days ago [-]
That's not a benefit to me if I can't control how someone gets access to my vehicle, dealership or not. If I want a dealership to be able to assist me, I should have to authorize that dealership to have access, and have the power to revoke it at any time. Same for the car manufacturer. It ideally should include some combination of factors including a cryptographic secret in the car, and some secret I control. Transfer of ownership should involve using my car's secret and my car's secret to transfer access to those features.
If you feel like this sounds like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.
amluto 86 days ago [-]
This is absurd. If there was a screen on the infotainment system where you could allow (temporarily!) the local service center of your choice to access your car remotely, fine. Otherwise, no thanks.
dns_snek 86 days ago [-]
> What if a dealership employee uses this to stalk an ex or something?
Yes, and everyone should remember this the next time these companies and their lobbyists run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.
dns_snek 86 days ago [-]
For those who seem to believe I'm exaggerating this:
Yeah for some reason I find it so creepy that Kia ties your license plate number to your car's functionality. I don't know why but I feel like those two things should operate exclusively.
poxrud 86 days ago [-]
That is incorrect, as per the article Kia ties the VIN number to the car’s functionality. The author used a 3rd party service to convert the license plate number to VIN.
Most states have the data publicly available if you know where to look or how to request.
_rs 86 days ago [-]
Uhh this seems like a big fact to gloss over, and something I am quite surprised by. Could you point to any examples as I’m having a hard time finding anything available publicly from any DMVs/states
pests 85 days ago [-]
In Michigan anyone can do an in-person plate lookup for about $15 and it comes back with complete registration information including name and address. VIN and car details as well.
bombcar 85 days ago [-]
That’s usually the kicker - requests have to be done in person but other than that there’s not much limitation.
_rs 84 days ago [-]
The $15 makes this pretty hard to scale too. The link someone posted was $0.05/request. I'd love to see how/where you can get this data in bulk from a primary source.
aftbit 86 days ago [-]
License plates are incredibly insecure. They are a short, easy to automatically recognize ID that is expensive to change, and it is a crime to drive while they are covered.
k8sToGo 86 days ago [-]
What if the internet is used for that?
lofaszvanitt 86 days ago [-]
Security is an afterthought... nobody cares, until shit hits the fan.
like_any_other 87 days ago [-]
The article isn't clear, but it sounds like the cars were already being tracked, only now also "unauthorized" people could track them (when before, only Kia and car dealers could track your car).
Why is it okay for Kia/manufacturers to spy on our cars, and only a problem when others do it? This attitude is pervasive in reporting on hacks like these - the initial spying by corporations is always given a pass (or rather, it is implied that's not even "tracking", as the title implies the tracking happened only after the hack).
Almost all modern cars have a way of providing or grabbing location data; however, most manufacturers do not "Spy" on your car by default, this would violate CCPA, Colorado's Privacy Act, GDPR, etc. The users need to opt in to telematics data. For example in Hyundai's case when you create a "Blue link" account and accept their terms of service you are connecting whatever vehicle you have verified on your account to their telematics system, and subsequently opting in to tracking.
Manufacturers like VW/Audi place an opt out within the vehicle itself so if you opt out of telematics in the vehicle you are in a full privacy mode and the manufacturer cannot get the data or override this request. This covers the scenario if other "Users" of the vehicle are driving and would choose to opt out outside of the main users/owner.
So some bake it into your app registration and signup, and some leave it in the vehicle. The gist is you can opt out, and if the manufacturer does not respect that you have grounds to sue. Currently there is a lawsuit against GM/Caddy because a user did not opt in to Usage Based Insurance, but their information was captured and brokered, blocking them from acquiring new insurance.
like_any_other 87 days ago [-]
The EFF [1] is less optimistic that all of this spying is opt-in and clearly-stated (instead of buried in legalese), and Wired [2] likewise mentions cases where it's opt-out instead of -in.
often the opt in is buried in 15 pages of paperwork when you buy the vehicle
emsign 86 days ago [-]
Looks to me like all cars sold by KIA are still owned by KIA. I'm not worried about that exploit at all, it has been fixed. I'm terrified about how much data about a car and therefore about the "owner" is available to KIA. That's totally insane.
EricE 86 days ago [-]
If you own a car since about 2010 onwards it's probably ratting you out already.
If your car's old enough, though, it may be still stuck with a 3G modem that is no longer capable of phoning home.
cryptonector 86 days ago [-]
Not just KIA. Most if not all major automobile manufacturers track a huge amount of data on the vehicles [and their owners/operators]. For example, many vehicles come with that OnStar thing, and so they have a baseband processor and even LTE as well as a GPS receiver, and it's always on even if you don't pay for the service, which means that the manufacturer gets to know your vehicle's location and all the places you go and the routes you take.
s3p 86 days ago [-]
It's so funny how people arguing for commonsense ability to disable car cellular are laughed at. See the Kia Niro forum:
The price of that feature (constant tracking of your vehicle's location) is not worth it in a world where entities who sell or give away that location data without the vehicle owner's explicit, intentional, actually-informed consent do not go to superjail forever.
umbra07 86 days ago [-]
not worth it to you
Roark66 86 days ago [-]
Why does it have to track your bloody location all the time though? Why not make it so it just logs in to the server every 5 minutes and asks. "Have I been stolen?" and if the answer is yes it activates. Better yet, mandate all software like this is open source so no manufacturer can claim one thing and do another.
And before anyone says "but the thief can swap the ECU before it calls home and if it was continuously reporting at least there would be a trail where he did it" it is silly. Let's say there indeed is a gps trail leading from in front of your house to some alleyway or a forest. Do you think the car is still there? Nope.
It is a common fallacy. The manufacturer wants to steal your privacy and gives you a useful feature tied to it. Oh, do you want to be able to switch the car off remotely when it's stolen or not? If so we need to know where you drive for next 20 years. And if you ever drove over 80mph we're using this to decline your warranty BTW. I
grahamj 86 days ago [-]
I question some of this though. I have an older Kia that I’m pretty sure has no cell modem yet the support table shows it can be geolocated.
lofaszvanitt 86 days ago [-]
After your phone which is the ultimate oppressor device, now your car is also snitching on you. Nice future ahead of us.
bityard 87 days ago [-]
Well, I am already pretty firmly against buying any car that requires you to create an account online to "activate" the vehicle. But I definitely won't buy another Kia anyway, based on the fact that our last one burned a quart of oil every thousand miles WELL before it hit the 100k mark.
barbazoo 87 days ago [-]
> car that requires you to create an account online to "activate" the vehicle
I have a 2023 Kia and that's not necessary. You only need the account if you want to use the optional online services.
sahmeepee 87 days ago [-]
As the article says, you don't need an active subscription to be vulnerable. In this case it seems that if the model supports the features at all, you are vulnerable.
This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.
I'm not sure if you can buy a tinfoil hat for a car.
mikepurvis 86 days ago [-]
It should be possible to physically disable the cellular modem in the vehicle, wherever that is. I have a 2020 Volvo that is definitely online, waiting for me to activate some pricey online subscription that I don't want or need.
Would be nice to have a organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.
hunter2_ 86 days ago [-]
In my VW, the cellular modem and something I actually use (I think it's the Bluetooth microphone) are in the same module, so pulling the fuse or disabling it in the CAN gateway would be too heavy-handed. I would need to spend hours getting to, and into, the module. Or maybe replace the antenna with an effective dummy load / terminator? Tons of trim work. Luckily it's old enough to be 2G, and my understanding is most towers no longer speak to it, so I haven't pursued it further.
0cf8612b2e1e 86 days ago [-]
But if it is not online, you will not be able to download the latest patches. Like the ones that prevent new remote exploits.
tspike 86 days ago [-]
How did we ever survive without computerized vehicles?
mandevil 86 days ago [-]
We tolerated worse gas mileage (computer controlled fuel injection, transmission, etc.), safety (anti-lock brakes), etc. We added computers because we wanted to lessen the effects of climate change and keep more people alive.
biorach 86 days ago [-]
You're using a broad definition of "computer".
We've had these features for decades now, until recently the logic was handled by microcontrollers. It's not clear that the functionality requires computing devices also capable of data gathering, storage and upload.
Roark66 86 days ago [-]
>"climate change"
Not really. Personal vehicles are responsible for such a minuscule portion of CO2 emissions it barely matters.
Emission regulations enjoy popular support because of city air quality, not climate change. Yes, people tolerate taxes on CO2 emitted by their vehicles (do you have that in the US BTW?) because it has a very beneficial side effect of also limiting particulates and NOx, CO and such emissions that actually killed hundreds of people every year in major city centers. Also caused lifelong disability for many children (asthma).
pushupentry1219 86 days ago [-]
Instead we got people like VW rigging their firmware to report emissions falsely so they could look better.
nis0s 86 days ago [-]
I was just going to say the same as it's stated pretty early in the article
> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
If this should tell companies anything it is that most of these services should be opt-in instead of opt-out in favor of security and privacy.
jdminhbg 86 days ago [-]
> As the article says, you don't need an active subscription to be vulnerable.
OP was talking about not buying a car that requires a subscription to activate, not about whether the subscription makes you vulnerable.
01HNNWZ0MV43FF 87 days ago [-]
Otherwise it spies on you with no account
raxxorraxor 86 days ago [-]
That is unusual. They give 7 years warranty compared to European or US car manufacturers and it often shows why. They are indeed dependable.
sxcurity 87 days ago [-]
Stop connecting vehicles to the internet pls & thanks
kkfx 86 days ago [-]
Well... There is no reason to have a middleman like the OEM, so the car could be connected just with the formal owner (i.e. with a personal subdomain or dyndns), FLOSS stack under users' control and some hard limits (like you can't act on the car if it is moving and so on).
Rebelgecko 86 days ago [-]
I would guess 99.9% of car owners who use the app would not set up a personal subdomain or manage a FLOSS stack
kkfx 86 days ago [-]
No doubt today, but in another very realistic in the sense that's perfectly logic and possible since more than a decade, where government have digital IDs who are smart-cards not crapplications, and with them certified mails with a personal domain and the ISP router is just a FLOSS homeserver (as it is actually, being GNU/Linux embedded machines with a tailored PBX, Samba to offer usb network storage, CUPS for serving a usb-connected printer and so on, just a bit more powerful and open.
In such world thanks to the commonality of FLOSS we have dedicated distros and package for such iron, widespread enough to be commonly available in users hands. As a result the security risks are still more than zero but much, much less and many who could since their car is their own, not owned for real by the OEM, they could simply cut the connection if they do want so.
Such open world could be done in few years by laws, and anything is already there since decades. It's a matter of knowledge and will.
thfuran 86 days ago [-]
I don't think you have enough nines.
yupyupyups 87 days ago [-]
Ok, I won't.
carabiner 87 days ago [-]
Thanks.
AdamJacobMuller 87 days ago [-]
If it's done well, there are some useful features there.
App unlock, remote start + remote temperature control. All very useful.
I couldn't imagine buying a car without carplay now.
rwmj 87 days ago [-]
Sorry no. App unlock is a stupid anti-feature, do people genuinely think it's better than pressing a keyfob?
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
AyyEye 86 days ago [-]
I installed an aftermarket remote start kit in the 90s. It cost less than $100.
kube-system 86 days ago [-]
Many of the earlier aftermarket remote start kits were cheap and simple because the vehicles had fewer security features. They are more complex and expensive today, and some are questionable in their implementation.
tspike 86 days ago [-]
Right, the point is that complexity is unnecessary.
AyyEye 86 days ago [-]
And yet, weirdly, my insecure 1990s era car wasn't able to be controlled over the internet and didn't have a direct data link to my insurance company.
mavamaarten 86 days ago [-]
Locking my car through the app is a genuinely useful feature. Ever parked, left your car, and thought to yourself "damn, did I lock my car?". Just lock it through the app.
I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.
nucleardog 86 days ago [-]
My key fob has two way communication and like a half mile range in urban areas.
If I ever park and wonder “damn did I lock my car” I can look at my key fob and see if it has a locked or unlocked padlock on it. As long as I remember sometime within like 20 minutes of parking (assuming I spend 20 minutes walking away from it in a straight line), I can lock it if I _did_ forget. I’ll get confirmation that it locked if I do that and the command makes it through.
Mine also works even where there’s no cell reception!
Which is all to say… I’d prefer better key fobs instead of cellular modems and cloud services.
Doubt it. Mine's aftermarket. The manufacturer doesn't offer remote start on their manual transmission vehicles so I had to get an aftermarket system if I wanted remote start for those -50 days. Mine's a little older / less fancy than some of those linked[0] but essentially the same.
I doubt it would ever solve my problem (they're still not going to offer half the functionality on a M/T vehicle), but there's no reason they couldn't offer something like this as a couple hundred dollar option on most of their vehicles. They already basically have all the hardware in the car I figure.
Remote start via phone is still useful in cold climates. While getting a ride with a friend to my car left at some location I've been able to start & get it warmed up before we even got off the highway.
It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.
Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).
toast0 86 days ago [-]
For safety, you're really not supposed to remote start a vehicle if you can't observe it / are in contact with someone who is observing it. Lots of potential hazards, but it can be convenient.
Kirby64 86 days ago [-]
With an EV, this isn't a concern. No tailpipe fumes or whatnot to worry about. Also, in pretty much any public space where you would park it (i.e., outside of your own garage), this isn't a concern either.
Rebelgecko 86 days ago [-]
Can you give an example of a hazard? I genuinely can't think of one- at least on my car, when you remote start it is still locked so it's not like anyone can get in and drive it away (and even if someone breaks in I don't think it'll go into Drive without a key in the vehicle)
toast0 86 days ago [-]
If the tailpipe is restricted (by snow, say), you're likely to damage the car. If it runs poorly when it starts, and it's unsupervised, it could result in damage that would have been avoided if you were present and shut it down in a reasonable amount of time.
If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.
If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.
Rebelgecko 86 days ago [-]
Ah gotcha, it sounds like most of those problems are limited to internal combustion engines
somehnguy 86 days ago [-]
I'm OK with the risks in exchange for the convenience :)
cryptonector 86 days ago [-]
Remote start is also useful in hot climates, and for similar reasons.
asdasdsddd 86 days ago [-]
I don't want to carry another stupid fob around. My goal in life is to carry a dumb smart phone that can unlock anything.
Kirby64 86 days ago [-]
Automatic unlock with a phone is not an anti feature. If it replaces your key fob completely, then it’s one less thing you have to carry. I haven’t carried keys of any kind for… 6 years at this point?
Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.
devilbunny 86 days ago [-]
> I haven’t carried keys of any kind for… 6 years at this point?
You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.
Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
Kirby64 86 days ago [-]
> Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.
> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.
camtarn 86 days ago [-]
In the UK, and I'm guessing a lot of other parts of the world, many people live in apartments with only a single entrance door.
Pets which require medications on a schedule might become very ill without them. But yes, I suspect that any country where the weather is enough to kill your pet should probably be running AC/heat on a thermostat instead of manual. (Here in the UK, we rarely have AC, and a lot of people just put on heat manually when they're cold - but our weather is pretty mild.)
Personally I would never rely on a phone to get me into a house or vehicle. Mine runs out of battery too frequently. I've already been bitten by not being able to take a bus because my phone died and I couldn't pay for a ticket.
Kirby64 86 days ago [-]
Smart locks typically have more options than just a phone to open them. Keypad, fingerprint, etc.
For ones that support Apple's Homekey, it doesn't even matter if your battery runs out. Apple devices still provide Homekey via NFC even with a dead phone.
I don't think this exists yet for car keys, although I know there's work on UltraWide Band key support.
Also, this seems substantially less fragile than just... losing a pair of keys. It's not evitable that your battery in your lock runs out (again, unless you ignore warnings), but losing your keys is one of those 'hard to prepare for' events.
Mitigation for losing your keys could just be keeping a spare key with a neighbor/friend/whatever... but, well, you can do that with an e-lock too (cause they all have regular keys for true backup).
camtarn 86 days ago [-]
> Smart locks typically have more option than just a phone to open them. Keypad, fingerprint, etc.
Ah, that's a fair point.
> Apple devices still provide Homekey via NFC even with a dead phone.
Huh, that's neat. I haven't come across that as I'm not an Apple user.
grahamj 86 days ago [-]
Yep. I’ve forgotten or lost keys in the past and been locked out, but never have all of my e-locks and garage died at once.
taneliv 86 days ago [-]
I've found myself stuck out of the office in minus fifteen degrees because the keylock app had stopped working due to a backend upgrade gone subtly bad.
Fortunately this was in an urban area and I could find a cafe that was open within the walking distance. I don't know if they allowed pets to thaw in there. It took about an hour for maintenance to open the doors (with a damned key) and let people in.
asdasdsddd 86 days ago [-]
The time I save pays for a locksmith many times over. I also give my friends/my condo spares so this is never actually an issue.
SoftTalker 86 days ago [-]
> the doors were locked from the inside by the dog
That happened to me once. Keys were in the car too. We had to try to get the dog to step on the button again to unlock the car, which she eventually did. Glad it wasn't a hot day.
jdminhbg 86 days ago [-]
> Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.
devilbunny 85 days ago [-]
I didn't want it off. It was New Orleans in summer. I wanted it unlocked.
I suppose you could dream up some situation in which the fob is outside the car, someone is inside, creepy people come up and take the fob, and you want to be protected by locking from the inside.
But in that case, internet unlocking should be blocked as well, right?
It was a very bizarre experience. Anyway, wouldn't have mattered: it's my wife's car, not mine. So I wouldn't have the app.
jdminhbg 83 days ago [-]
I also don't understand the weird rules key fobs and locks have, the states seem totally divorced from the real world.
But part of the nice thing about the app is that there's no cost to having extra "keys," so there's no reason to not have the app for your wife's car on your phone.
devilbunny 74 days ago [-]
I would have to have Mercedes.Me service (which we do not) and be willing to let them spy on everything we do. No thanks.
When I press unlock on the fob for my 2001 car, it unlocks unless the battery is dead. I can even reprogram it for two brand-new fobs without going to a dealer.
toomuchtodo 86 days ago [-]
I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10 digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.
Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?
roywiggins 86 days ago [-]
Is it really so much better than an RF keyfob that it's worth connecting your car to the Internet for?
toomuchtodo 86 days ago [-]
Yes, I accept the risk and threat model. RF fobs are compromised frequently as well. Unless you rip the cellular module out of my vehicles, I will find it, and someone is just going to break the window if they want in.
Edit: Non connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Of course, with this Kia attack, it didn't matter if you had never used or activated the feature, it was still vulnerable. With keyfobs you can just not use it or destroy it if you are worried about relay attacks.
Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.
potato3732842 86 days ago [-]
>Yes, I accept the risk and threat model.
>Edit: Non connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?
toomuchtodo 86 days ago [-]
DHS, CISA and NHTSA already exist to provide cyber regulatory mechanisms at the intersection of automotive and telematics or other software/connected scope. If an entity ships shit, apply punitive punishment to the offender (NHTSA forces software updates as recalls today, but can do much more). Software and connectedness is not going away [1] [2], so secure software development, actual QA, and real change management must be strongly encouraged through incentives. "The beatings will continue until the security posture improves."
Risk/threat I would accept. Leaking data - to telcos by constantly being connected to some cell tower and explicitly to the manufacturer whatever they decide to transmit - is the part I don't like.
I don't even carry a phone for that reason.
natch 86 days ago [-]
Nice lifehack; I'm going to do this. Please share more if you have them.
lowkj 86 days ago [-]
CarPlay doesn't use your car's internet, it uses your phone's internet. That's part of the whole beauty of it.
natch 86 days ago [-]
Please explain how in your mind are they doing remote climate control, then?
mplewis 86 days ago [-]
Through the car’s cellular connection.
natch 86 days ago [-]
Lol, duh, thanks. So, guessing they can't stream video from the dashcam cameras remotely in that car.
krferriter 86 days ago [-]
Yeah, important distinction
FriedPickles 87 days ago [-]
Unlock via Bluetooth is perfectly viable without internet connection (unless you mean unlocking it for someone else?). Remote start and temp control should probably work from a few hundred feet away. If only phones had a longer range local radio, perhaps something like Zigbee. Maybe WiFi direct?
morkalork 86 days ago [-]
If the car manufacturer can remote unlock and start your car for you, it can be abused by a hacker in same way. It's the exact same argument against backdoors in encryption for the government, if a backdoor works for them, it'll work for hackers too.
CatWChainsaw 86 days ago [-]
Well aren't you a precious little princess. I have none of that. It's very unlikely my early 2000s car will ever be attacked in this manner. I am going to maintain that car as long as possible. Enjoy your ticking time bomb.
natch 86 days ago [-]
Why do you give CarPlay credit for those features? No need for CarPlay for any of those. What do you get from CarPlay that you don't get from a connected car without CarPlay?
yjftsjthsd-h 86 days ago [-]
> What do you get from CarPlay that you don't get from a connected car without CarPlay?
Software quality and security updates on the internet-facing component.
natch 86 days ago [-]
You are under the impression that Teslas can't get software and security updates? Which happen to be free, btw.
whiplash451 86 days ago [-]
It just doesn’t have to be the internet.
AyyEye 87 days ago [-]
It's never well done.
bigstrat2003 86 days ago [-]
It was well done on my previous car and current car. So it would appear that your claim does not hold.
yreg 86 days ago [-]
It's well done in Tesla.
ric2b 84 days ago [-]
Teslas have been hacked multiple times in the past as well.
natch 86 days ago [-]
It's very well done in my car.
jmyeet 86 days ago [-]
Where's the strict product liability here? Like, if Kia is making a car that's easy to steal and it gets stolen, why isn't that Kia's fault and they're responsible for the damages? We're talking gross negligence here.
There have been demonstrations of hacking cars remotely to gain control of it. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.
Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.
That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to update the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?
mlsu 86 days ago [-]
There are no new cars on the market today that don't have a slew of connected """features""", right?
Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.
cryptonector 86 days ago [-]
In the U.S., by 2026, all new cars must have a "kill switch", and that includes a remote operation. The requirement is about preventing drunk driving, but it's being interpreted by many to require a kill switch.
> Section 24220, “ADVANCED IMPAIRED DRIVING TECHNOLOGY,” of the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act (IIJA), directed that “not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard (FMVSS) under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology.” Further, the issuance of the final rule is subject to subsection (e) “Timing,” which provides for an extension of the deadline if the FMVSS cannot meet the requirements of 49 USC 30111.
Now, I don't see anything in there about a "remote switch", and I don't understand how the "remote" bit would work to prevent DUI.
notjulianjaynes 86 days ago [-]
I wonder how well current adaptive cruise control/collision prevention technology works to help someone safely drive drunk. I don't own a car with these features but once rented a 2021 Nissan for a road trip and just set the cruise control to 70 and it would maintain a safe distance from other cars automatically down to like 20 mph iirc. I didn't, but I probably could have been drunk and driven that car without much issue, not that I am advocating for this.
There's probably already a bunch of data being collected about cars parked at e.g. a bar for a few hours that's being used to train some AI to detect driving behaviors associated with drunk driving or something like that.
cryptonector 86 days ago [-]
If I ever get pulled over for weaving I might just blame it on lane assist.
MarkusWandel 86 days ago [-]
Don't know about 2024, but my 2023 Honda Civic EX-B (Canadian market) is actually pretty old school. Yes, it has the keyless unlock and even a remote engine start button on the keyfob (can be disabled, thankfully - car is parked inside and we have kids!) But no cellular connectivity, no wifi, and all the touchscreen stuff is "extra icing" - all the controls you need are there in physical form except for some radio and cell phone call functions. Yes, the car may be vulnerable to signal boost kind of attacks (to pretend the keyfob is nearby when it's not) and possibly the "pop off a headlight and get into the CANbus" attack. But no cloud dependency and no way for the cloud to reach in and mess things up. Also, the software it does have seems "debugged" based on a year of using it.
You can pull the fuse on a ford maverick and it physically disables the telemetry. You could also opt out and disable it through the settings. Remote start from your keyfob still works. As expected remote start, seeing where you parked, remotely locking the car through the ford app will not work.
akyuu 86 days ago [-]
It would be interesting to have a list of modern cars without these kind of connected features, but I haven't found any.
hollow-moe 86 days ago [-]
depends how wide is your definition of "connected features". all modern vehicles in the EU are required to have the eCall feature which uses cell to send your location in case of a crash. Since the hardware is in there I have absolutely no faith in car makers/govs to not use it for other purposes (now or in the future) https://en.m.wikipedia.org/wiki/ECall
bdcravens 86 days ago [-]
Cut the cords to the cellular module
mithr 86 days ago [-]
In Massachusetts, Kia has disabled Kia Connect for all vehicles purchased over the past few years. Any data collected by cars must be made accessible to third-party shops, and Kia opted to disable any data collection (and thus disable Connect entirely) rather than allow that to happen. It doesn't matter where you actually live — as long as you bought in MA, the car's VIN is locked out and no one can do anything about it. You're typically told this at the very end of the sales process, after everything is signed, and it's framed as "oh, by the way, MA has a terrible right-to-repair law that has forced Kia to disable Connect, you should write your state senator."
It's... interesting to see just how easy it is to access this functionality if the VIN check is bypassed.
stainablesteel 86 days ago [-]
it's brought about a lot of shops that can rip the electronic tracking devices out of your car pretty easily too, which is nice in case you don't feel like being someone's datapoint
r00fus 86 days ago [-]
As a Kia owner, this was what I was hoping for immediate term, FTA: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously."
Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.
seanw444 86 days ago [-]
> but at least my vehicle isn't ripe for theft/abuse.
From this particular vulnerability. If anything, I'd still be concerned.
floatrock 86 days ago [-]
Yeah, but it shows Kia at least works with security researchers instead of suing them into everythings-fine silence.
mass_and_energy 87 days ago [-]
I wonder how many LEAs knew of this and used it to bypass having to get a warrant, instead of responsibly disclosing it for the benefit of public safety.
bena 87 days ago [-]
The warrant is still necessary, evidence obtained through illicit means is generally not acceptable.
bobbylarrybobby 87 days ago [-]
Technically you don't need a warrant if you just ask for the data and it's handed over. You only need a warrant if someone doesn't want to hand over the data.
bena 86 days ago [-]
But that's not what this would be, this would be gaining access to the system without permission.
It doesn't matter if my door has shitty locks, you still can't enter my house unless I invite you.
fragmede 86 days ago [-]
if this metaphorical door is already open and something is in plain view though. I guess the question is what constitutes plain view digitally.
alistairSH 87 days ago [-]
True, but parallel construction/evidence laundering is a thing.
exabrial 86 days ago [-]
By law, we need to be able to disconnect cars from the cell network. This is stupid.
divbzero 86 days ago [-]
By law, we need to be able to disconnect any product whose core functionality does not depend on the network.
diego_moita 87 days ago [-]
Ok, lesson learned. Thank you.
I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.
Yes, I felt stupid. But a little less stupid now.
Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?
aftbit 86 days ago [-]
>These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
Don't feel stupid, feel a little angry. The only thing you could have done to prevent this was not buy a Kia.
sjamaan 86 days ago [-]
Like the other brands are any better...
gloosx 86 days ago [-]
Connecticut Kia Boyz here? Imagine in some states it's not a felony to steal Kias if you're under 18, so they do it for fun and even sell them for rides 100$ each.
There is a great Channel 5 documentary on youtube about it, definitely recommend to check it!
vlark 86 days ago [-]
I just want a car that is as dumb as it can be while meeting all federal regulations to the highest degree. How hard can that be?
georgeburdell 86 days ago [-]
I’ve been telling my friends who want to avoid Tesla that an electric Kia is still a Kia
m_kos 86 days ago [-]
I am impressed that you were able to contact relevant folks at Kia. I tried contacting their security team via Kia's customer service and Twitter and was repeatedly told they don't have anyone working on security, vulnerabilities, etc. My favorite was when they redirected my call to roadside assistance (twice).
grubbs 86 days ago [-]
Glad my VW only had a 3G antenna built in. No longer works in the US.
xyst 86 days ago [-]
Internet connected vehicles are a mistake. Enough time out there and mistakes will get re-introduced. If it’s not Kia, it will be someone else.
You should be able to take out the internet connectivity as a consumer. The fact that this exploit worked even if the consumer wasn’t subscribed is wild.
Car companies just can’t do tech.
cryptonector 86 days ago [-]
> The License Plate to VIN form uses a third-party API to convert license plate number to VIN
I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?
BenjiWiebe 86 days ago [-]
I don't think the police are using this software. I'm pretty sure they have their own official access to governmental (DMV) records.
bdcravens 86 days ago [-]
EV6 owner here. Scary stuff, but honestly, I'm not shocked. I feel like the EV6 is one of the better available EVs, but is hindered by Kia, based on the experience I've had dealing with the app and the dealerships.
schaefer 86 days ago [-]
My brother owns a Kia, and the constant auto break-ins are negatively impacting his mental health.
ivewonyoung 87 days ago [-]
Does Kia have a bug bounty like Tesla does? Tesla paid out 200k and a Tesla a few months ago.
In submitting reports, please note that although Hyundai Motor America sincerely
values vulnerability reports, we do not provide monetary compensation (“bounties”)
or non-monetary remuneration in exchange for submitted reports. This program is
only meant to facilitate the responsible reporting and resolution of cybersecurity
vulnerabilities.
"I never hear the ancaps and the hardcore libertarians in my comments section... complain about Section 1201 of the DMCA. I wish I did more often."
grishka 86 days ago [-]
If I'll ever buy a car, it won't have any network interfaces.
croes 86 days ago [-]
Strike two on KIA's car security after the USB cable disaster
yieldcrv 87 days ago [-]
Kia Boys Who Code
nkrisc 86 days ago [-]
Maybe other manufacturers are also this bad, but I know Kia is this bad. I’m never buying a Kia.
But wait, they patched this! Yeah, but they also shipped it.
theflyingpigeon 86 days ago [-]
Kia is a terrible brand anyways
meindnoch 87 days ago [-]
What if we had laws that required car manufacturers to have software with slightly better quality than the utter syphilitic diarrhea they currently ship?
outworlder 86 days ago [-]
Hardware companies usually suck at doing software.
dopylitty 86 days ago [-]
[flagged]
psunavy03 86 days ago [-]
Today I learned that counterintelligence and sabotage concerns about a major geopolitical rival are "xenophobic trade war reasons."
wahern 86 days ago [-]
I think you misunderstood the insinuation.[1] I believe they're suggesting that otherwise legitimate vulnerability concerns are discounted in favor of a laissez faire market policy unless and until the concerns are framed by a xenophobic narrative. IOW, xenophobia trumps capitalism, but not measured security concerns.
[1] But that's why sarcasm is usually frowned upon on HN.
bluSCALE4 86 days ago [-]
Why would the average consumer care about intelligence of a foreign state? I, for one, have no fear of China presently but the climate in the USA isn't very pro free speech.
kube-system 86 days ago [-]
They don't (at least, not in peace time), but the US government does. They also buy cars.
Also the concerns of the average consumer aren't a really good barometer for what should be legal. Most consumers gladly sign up for services that violate their privacy, because they don't understand the consequences at the time of purchase. Also people are pretty bad at estimating risks of unknown certainty even when they do know about them. If 'buyer-beware' worked, there would be no need for consumer protection law... but this segment of the law has originated from necessity.
lostmsu 86 days ago [-]
You missed the obvious elephant in the room with the word sabotage.
potato3732842 86 days ago [-]
Cars are regulated to high heaven. They don't regulate software quality because the unholy union of big business and government that is the current US auto sector and its regulators have yet to find a way or need to do so that benefits them.
almatabata 86 days ago [-]
If it only impacted automakers they might do it. However if you apply this standard to cars you will have to apply it to a lot of other sectors. After all why stop at car makers. Why should other appliances not get the same treatment like IoT as well? A lot of other companies would hate to have this standard applied to them hence they lobby against it as well.
josefritzishere 87 days ago [-]
Can we stop connecting cars to the internet now?
barbazoo 87 days ago [-]
I'm trying to imagine time when I would want my car to be connected to the internet. Hard to come up with, other than remote locking, that's it for me. Not sure that's worth the attack surface.
What I do find useful is the car having "cellular connectivity" to make emergency calls. But that doesn't require internet connectivity.
briffle 87 days ago [-]
My 2015 vehicle has remote start on the remote. It's very handy in cold and hot extremes to start a few min early, and then let it warm up or cool down.
My 2020 Subaru only does remote start if you pay the monthly fee for their access (confusingly called Starlink), and requires the 'subaru app'
Not sure how you program it to your car, but I would get it just so I don't need to use an app.
jshdhehe 86 days ago [-]
Gonna keep me 2012 toyota a biiiit longer then. Sorry climate.
supportengineer 87 days ago [-]
Tesla does it very well. My Tesla connects to my home wi-fi. When it's parked in the driveway it can download and install firmware updates. They are somewhat frequent. Other than major UI changes, I have been happy with the way they add features and ensure stability.
With the app it's very useful to be able to find out the location of the car, the status of the doors and windows, the current mileage, and be able to control the climate (Dog Mode, etc), warm up on cold mornings, cool down in summer. You can also get important notifications (i.e. Climate mode on for a long time, Door/Window is open, etc )
You might knock the remote climate feature but if you have dogs/kids/elderly it really improves their quality of life.
There's another recent feature which supports streaming music such as Apple Music, without your phone needed. This is convenient and useful.
Tesla charges $9.99 USD a month for this which I find to be extremely reasonable. ( I am an SRE and I know what it takes to maintain scalable secure infrastructures )
wannacboatmovie 87 days ago [-]
GM introduced this functionality 25 years ago with OnStar. It's been around so long the technology is considered legacy with support farmed out to Filipinos.
The fact that your car needs "somewhat frequent" updates doesn't concern you? Cars are effectively appliances, they should work right the first time, with minor updates here and there to fix serious issues which can be done in the safety of a shop at next scheduled service, and not risk pulling a Rivian and bricking the entire fleet at the push of a button.
ninalanyon 87 days ago [-]
The over the air updates to my 2015 Tesla S have added features as well as fixing bugs.
prmoustache 87 days ago [-]
features...or distractions?
fragmede 86 days ago [-]
there are things they managed to fix in software that you thought would need to be fixed in hardware
WorldWideWebb 87 days ago [-]
Tesla does a lot of the “slick” features very well, but at least for me, they have been failing miserably at the basics:
- customer service: took 3 weeks to get my last service appointment, so I couldn’t drive my car for that long (service was because the charge port door wouldn’t open); was not told that when I had to replace the touchscreen (it had bubbles in it and I live in a very moderate climate), I would no longer have a radio.
- basic/critical features being poorly designed or seemingly had little thought put into them: see the above charge port door issue; window seals that drip going through the car wash; no physical controls for anything so you have to focus on the touchscreen while driving; other random fit and finish issues just due to substandard workmanship.
- substandard software: frequent issues and bugs with basic operation; after my touchscreen was replaced, the glove box pin no longer opens the glove box (minor nit, but annoying); loads of other random little annoyances.
barbazoo 87 days ago [-]
Kia charges more than that IIRC and has none of those notifications, which would actually be useful (e.g. window open).
smeej 87 days ago [-]
This is why I keep my mechanic in business repairing my '07 Prius.
I'm starting to wonder if I'm the only one left in the world who would rather the internet not eat me alive.
supportengineer 87 days ago [-]
At least have a hard toggle switch mandated just like the button for emergency flashers.
bell-cot 87 days ago [-]
Why would any of the decision makers want to do that? It's not like 99.9% of consumers appear willing to pay 10 cents more for an unconnected car.
squidgedcricket 87 days ago [-]
The only way a connected car would be cheaper is if money is made from the data sent over the connection. Clearly that's the case right now.
Up-front NRE, per unit HW, perpetual cloud backend maintenance. There's a lot of cost to connect a car to the internet. It should be a luxury option that I can decline to have installed.
sroussey 87 days ago [-]
Recalls that can be fixed with over the air updates is a large financial reason to connect cars to the internet.
Personally, I’d rather connect to my WiFi where I have control, but that’s a lot to ask for regular consumers.
barbazoo 87 days ago [-]
My Kia Niro is connected to the internet yet I can't OTA apply anything. Updates to the navigation data (~80GB) have to be done via USB and recall related updates have to get applied by the manufacturer. So I get 100% of the attack surface and ~0% of the convenience.
sroussey 86 days ago [-]
Oh god, that’s terrible!
I wonder how many years that will take. Five years?
krunck 87 days ago [-]
Yes, we can still modify our cars as we please. Maybe it won't be legal. But we are able to. And we should.
maxwell 87 days ago [-]
On the contrary—preventing modification of cars is illegal in my state.
johnsutor 87 days ago [-]
With the advent of "Kia Boys" and now this, it's a miracle people still buy Kias.
thrtythreeforty 87 days ago [-]
They have the best EV architecture on the planet currently; despite all the hacking issues, I'm still considering an EV6 for my next vehicle. Probably with a yanked cell radio fuse...
solarpunk 87 days ago [-]
can you explain what you mean by ev architecture?
i80and 87 days ago [-]
Hyundai and Kia use an 800V high voltage electrical system. The upshot is their vehicles charge scary fast, peaking in the mid 200kW's
thrtythreeforty 87 days ago [-]
Exactly. It makes a DC fast charge session (on a reasonably spec'd charger) take 20 minutes, not an hour like on competing EVs that peak at 150kW.
EV companies haven't quite figured out that the only two things consumers care about are range and charge rate (well, and cost, but there's an untapped market of people willing to pay if the featureset is there). Everyone has settled on 300mi range, which in my opinion is a little low but workable (at 80mph you'd have to stop every 3.5 hours), but for some reason nobody can get their act together on charge rate. Consumers need to purchase a car for their 99th percentile use case, which for much of America includes at least one road trip per year. The DC fast charge experience is basically the whole story there.
MostlyStable 87 days ago [-]
Obviously better charge rate would be better, and would be a bigger improvement than more range, but I've found that long road trips (10+ hours total driving time) with my 2023 Hyundai Kona, peak charge rate of ~70kW, are tolerable. I'd like my next EV (whenever I get it), to have a higher charge rate, but if I'm being honest, I'd care more about other features such as V2H capability and physical media/HVAC controls. Now, fundamentally there is no reason that I should have to choose between these options. They are orthogonal, but if I was choosing between different vehicles, I'd give up charge speed to get those other features.
i80and 87 days ago [-]
Agreed, but just a nit: cars that charge at 150kW peak tend to 10-80 in about 30 minutes, not an hour.
Source: my ID.4
neallindsay 87 days ago [-]
Lucid and Porsche also have comparable internal voltages, but of course they are much more expensive than Hyundai and Kia.
speedgoose 87 days ago [-]
In addition to the privacy and security issues, they also have a substandard infotainment still running Android 4.
buggeryorkshire 86 days ago [-]
Android 4? I had a 2017 Kia Ceed where I hacked the head unit, and I'm sure that was at least Android 6?
speedgoose 86 days ago [-]
Older cars may have newer Android versions. People say that the Ioniq 5 is still running Android 4.4, but I haven't verified myself.
hypeatei 87 days ago [-]
Cars are essential to living in America except for a few cities. Car manufacturers can basically do whatever they want.
There was a recent YouTube video with a car thief that basically showcased a "special" tablet that could get any car started in a minute by plugging into the OBD port. Pretty shitty security model if it relies on no tablets getting out.
myself248 87 days ago [-]
If someone's already inside the car, I expect them to be able to hotwire it eventually.
The trouble is when manufacturers extend the CAN bus out to the smart headlights or something, and it's the same bus that the body control sits on, so they can just send a door-unlock message...
Note: the technical details are very lacking so it may not be that interesting to most here. tl;dw: there is a reseller that shouldn't be selling the tablets to "unauthorized" people and some other tidbits about how the thief operates.
myself248 87 days ago [-]
"thanks to a simple website bug AND TELEMATICS HARDWARE in the vehicles that had absolutely no relevance to their ability to get from point A to point B"
alexandersvozil 87 days ago [-]
I cannot connect to Kia anymore, would have not worked on me
not_a_dane 86 days ago [-]
How much time would you need to redevelop KIAtool with AI?
WHAT?
I don’t have my wallet on a chain, do I have some responsibility if I get pickpocketed?
These criminals are breaking the law, it is ENTIRELY their fault. Any other interpretation has way, way too many logic holes and strange consequences that say it’s our fault when a criminal willingly breaks the law.
If your car gets stolen, that's your problem.
If suddenly a massive number of cars are stolen, that's the government's problem. (As now police forces have to deal with criminals trivially obtaining getaway cars)
So it seems reasonable that the manufacturer in question should be sued for the cost of the additional police resources required.
I have no idea why you jump to that conclusion.
The problem is clearly the person breaking the law.
But anyway, going with what you said...
> So it seems reasonable that the manufacturer in question should be sued
Wait, if it's the government's problem, then THEY should be sued for not requiring manufacturers to have these anti-theft devices (as the Canadian government does). The auto manufacturer is building cars precisely as the US government mandated them to.
It seems like you're trying to bend logic to blame anyone and everyone other than the people who are breaking the law.
What I'm talking about is how companies should bear liability for the social consequences of their choices.
https://en.m.wikipedia.org/wiki/Tort#Negligence
Is there a more credible source?
Both Kia and the thieves can be in the wrong. Trying to break it down to one cause is never going to work.
Some car will always be the easiest to steal. People should always take reasonable precautions. But crime is still crime; if someone leaves their car running with the door unlocked as they run into the store and it gets stolen - they made a mistake but the criminal did a crime.
Lots of people get sued for lots of things. Nowhere does it say that suits can succeed only if the defendant is the sole cause of the problem. See: Takata air bags. Huge liability, but in any given incident it wouldn’t be a problem unless someone else caused an accident. Yet Takata does not get to say “our defective product wouldn’t have been a problem if Mr. Doofus hadn’t rear-ended you”
Binary is great for computers, less good in legal thinking.
No, but this statement implied Kia wasn't at fault because someone else committed the crime...
> I’ll take victim blaming for $200, Alex. Breaking into a house is easy as a rock through the window but we don’t sue homebuilders for not putting in stronger glass.
So sure, that was the first use of "only cause"; in the same way that "there was 1 light" and "there weren't multiple lights" aren't the same words; but they contain the same information.
Here, because the entire purpose of car immobilizers is theft protection, the thief is foreseeable and his crime does not supersede.
I’m a little troubled by your use of the word “asinine” in this context.
I’d be willing to guess you won’t use this word salad when describing sexual crimes.
If by "ripped out," you mean depressing a tab and then pulling it out.
https://m.youtube.com/watch?v=bTeVgfPM0Xw&t=357s
I live in a not great part of what's arguably the bluest state in the nation (which is to say this isn't some dumb red state "tough on crime" thing) and I can't imagine someone being able to go around checking windows or car doors for very long without a free ride in a cop car. Windows here are unlatched from May to September. I bet a lot of those houses have Kias in the driveway that they've had no theft problems with as we only have about a dozen car thefts per year here.
Ford Superduties over a huge year range can be stolen much the same way (you also have to punch out a lock before taking a screwdriver to the column) until very recently as PATS was not standard on the higher GVW stuff but those are expensive trucks so shitting on them doesn't scratch the same "validate my $50k purchase of something else" itch that crapping on Kia does.
That being said, how many people buying Kias _knew_ the problem existed? You can't make an educated choice if the information isn't really available to be educated about.
One extreme is the death sentence, sure.
But on the other end it feels as if there are constant stories of career criminals who just do thing after thing after thing. It's not like someone just accidentally gets caught up in multiple assaults/robberies/break-ins etc. At some point you have to just think, okay, there's no rehabilitating this guy, how do we minimise the damage to society.
Locking 1,000 people up for a decade costs ~1 billion dollars. So even slightly more aggressive policies get expensive fast, and a surprising number of people “age out” of these kinds of crimes. It’s not clear if it’s hormones or what but you’ll see people with extensive rap sheets who end up as productive members of society in their 30’s or 40’s and beyond.
A person that goes about assaulting people is a significant drain on society. It's not even just monetary, it ruins trust, it ruins the relations between the people who aren't antisocial. It also has the moral hazard effect of increasing the number of others that see that this behaviour ultimately goes unpunished.
As far as I'm concerned, there are very few legitimate reasons to raise taxes, but police and prisons are one of them, they are not problems that individuals can solve in the private sector.
In a way it does, because it ruins trust as the participants treat your presence on the road like an inconvenience.
Aren’t we all a bit guilty of that? Maybe not all the time - when I see an ambulance whizz past or a fire truck, I’m appreciative of their efforts.
But everyone else? You’re just in the way ultimately. There isn’t much pleasure to be derived in waiting around for someone to have their fair turn at the intersection or whatever.
Obviously as a rational human I’m quite capable of suppressing such thoughts and generally abide by the traffic laws, but the point still stands.
This is a purely political decision, not an inherent cost of jailing.
Your number comes down to $100k per person per year. That’s just insane. Many families earn less than that (post-tax)!
And obviously jail is supposed to be cheaper than non-jail life in the first place, because you’re not paying for luxury, just food, (cheap) rent and security.
That's not nearly as bad as I was expecting considering that for every 1-2 prisoners there's a ~$100k employee.
Or consider institution GED classes. You might say, those can easily go on the chopping block to save some money. But then you end up with inmates who are released without a high school diploma and, lacking educational opportunities, are more likely to return to crime. Then they go back into the prison system where they use more state resources than if they had just been given education in the first place. It's easy to imagine scenarios in which programs like that are worthwhile in the long term purely for fiscal reasons even if you care 0% about the welfare of criminals themselves.
Low key jobs program at the expense of taxpayers IMO.
Add admin staff etc, and the numbers escalate quickly.
On the contrary, Canada's rate of stolen cars is only 10% less than the US despite having very few port cities. <https://www.bbc.com/news/articles/cy79dq2n093o>
If it did, that would point to a US and Canada crime trend correlation. If not, then you can't just say that the one static variable, city/county level policy and the independent variable, immobilizers, are the only factors.
You have different criminal populations, societal values, amounts of government aid, rehabilitation programs, etc that all play into the analysis.
What if the sentenced person is actually innocent? No amount of apologies or recompensation will bring that person back.
But at least the question "how is that acceptable?" is in fact a question of a moral nature. It's unacceptable, but it is unacceptable because it is immoral.
While I don't like the death penalty I don't think it's that different from a very long sentence. I don't think it makes sense to say that any punishment needs an absolutely perfect error rate.
Advocacy in favor of the death penalty is never about "death penalty for murderers/rapists" but "death penalty for people convicted of being murderers/rapists". Practice has shown there's a big difference
That's a pretty big step, and to me it requires a lot of benefits to justify.
It seems to me like taking care of business before that happens is a more beneficial thing.
Insane to me that so many people believe this...
Within my lifetime we've gone from leaving the backdoor unlocked at night and leaving the car keys on the seat (or in the ignition) from being the normal practice to being unthinkable.
You're focusing on the wrong govt policies.
Then the local powerplant shut down, and the manufacturing associated with it left as well. The largest employer in the area besides those two moved operations to China. Then methamphetamine became popular and then heroin, too.
Now you can't leave anything unlocked or outside.
Yeah, because you guys had a warped perception of crime.
Virtually all crime now is significantly lower than it was just 20 years ago. You might not believe that, but it's true!
What's happening here is people's perceptions are being warped, almost certainly due to political propaganda. But the numbers don't lie, just take a look at the Bureau of Justice Statistics.
Now there is genuine crime. Drugs and murder.
I'm not saying you're wrong. I'm saying that your argument doesn't apply on the local scale. Using macro data for micro experience is a bad idea.
This is also the reason that argument falls flat in a lot of places.
I’m trying to think of the point this changed, and I can’t, but I would guess around 2008-2010 or so.
A lot harder to find one now.
Social problems and regressions cannot be resolved with ever more esoteric technological or draconian political solutions.
This runs directly contrary to my lived experience here, so unless you can provide evidence it sure seems like you're just stereotyping an entire nation to engage in ideological warfare.
It just needs to be a sufficient number of politicians understanding that their donors and prospective donors find specific regulation of their industry overbearing.
How big of a difference was the actual safety of the Japanese cars? Are the corrected numbers poor, or still pretty good?
I was planning to upgrade it
I might not...
But you are right that there are many (older models) that use ciphers with known quick exploits: TI's DTS40/DTS80 (40/80bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.
NXP's HTAG2 - most commonly used one in the '00s - 48bit proprietary cipher, a lot less exploited in the wild than the TI's disastrous two variants.
Keep in mind any need for expensive equipment is already a deterrent for many.
One of my old neighbors had their same car stolen like 2-3 times, always ditched and found after some number of days missing.
"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?
I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.
An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.
Cars are hard to fence and if you have a stolen car there's other crimes you can commit that have similar upsides and lower sentences/risks. For example ATMs never run over your buddies or shoot back at you.
Part of what makes it unintuitive is the specificity:
As the sibling points out: it's a broader issue than just carjackings --- but the carjackings themselves were novel, scared the shit out of people in a way that stochastic-seeming strong arm robberies don't. The headline here is: it was a gravely negligent thing for Kia to have done; I hope they lose their shirts.
For whatever reason, it became A Thing here more than a year before it went national. Car thefts in Milwaukee more than doubled (entirely due to a stupidly large increase in Kia/Hyundai thefts) and we got a reputation for Kia thefts before it became a national issue
Random presentation of car theft stats comparing Chicago to a handful of others. We hear a lot about Chicago because many have a vested interest in deflecting discussions about crime. When was the last time you heard about the insane motor vehicle theft rate of Dallas? https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
It wasn't just in those cities, it was nationwide. The poster was using those cities as examples because they are familiar to him.
For a Toyota Sienna? Which option package on that thing did you get? That's wild!
But again, I totally agree with you about the weirdness of people going full military compounds in residential areas.
This couldn't be the same state where they tried to just bribe a foreign company known for exploitative labor practices to set up a facility there could it: https://en.wikipedia.org/wiki/Wisconn_Valley_Science_and_Tec....
Edit: ah! I think you meant engine immobilizer
Requiring a breath or a specific key signal are both interlocks.
I can think of nothing more American than suing car manufacturers because they're too easy to steal. The US is truly screwed.
As much as some narrative wants us to think, we don't need to be forced to live in effectively the same conditions as a maximum-security prison in order to have no crime.
Cars (and other things) being easy to steal isn't the problem.
It's a pretty good argument for the regulation, since everyone else is already doing it just make it the standard.
I find it very easy to hold the governments, people, and companies as all culpable in their own way.
Maybe we’ll see a return of The Club™
If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.
Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.
So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.
In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.
The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.
Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.
You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
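The scheme sketched in the comments above (a vehicle-issued token naming an account and a command list, plus short-lived dealer tokens), as an added example that is not part of the original thread or any manufacturer's code. It uses HS256 with a per-vehicle key as a standard-library stand-in for whatever signature scheme a real vehicle would use; the VINs, keys, command names and the `cmds` claim are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when the backend refuses a token."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(vehicle_key, vin, subject, commands, ttl_seconds, now=None):
    """Vehicle side: sign a grant for `subject` limited to `commands`.

    Runs only after someone has authenticated to the car over the OBD-II
    port, so physical access is what mints every grant.
    """
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": vin,                 # the vehicle that signed the grant
        "sub": subject,             # owner account or dealer id
        "cmds": sorted(commands),   # hypothetical claim: allowed commands
        "iat": now,
        "exp": now + ttl_seconds,
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(vehicle_key, signing_input.encode("ascii"), hashlib.sha256)
    return signing_input + "." + b64url_encode(sig.digest())


def authorize(token, vin, command, vehicle_keys, now=None):
    """Backend side: allow `command` on `vin` only if the token grants it.

    `vehicle_keys` maps VIN -> key enrolled for that vehicle. Knowing a
    VIN is never enough: the request needs a grant signed by that car.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    # Pin the algorithm instead of trusting the header's choice.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    key = vehicle_keys.get(vin)
    if key is None:
        raise TokenError("unknown vehicle")
    expected = hmac.new(
        key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    if claims.get("iss") != vin:
        raise TokenError("token issued by a different vehicle")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("token expired")
    cmds = claims.get("cmds")
    if not isinstance(cmds, list) or command not in cmds:
        raise TokenError("command not granted")
    return claims


if __name__ == "__main__":
    # Constructed sample data: two enrolled vehicles with random-looking keys.
    keys = {"VIN-EXAMPLE-0001": b"\x11" * 32, "VIN-EXAMPLE-0002": b"\x22" * 32}
    t0 = 1_700_000_000
    # Dealer plugs in and gets a 15-minute, status-only grant.
    dealer = issue_token(keys["VIN-EXAMPLE-0001"], "VIN-EXAMPLE-0001",
                         "dealer-1234", ["status:read"], 900, now=t0)
    print(authorize(dealer, "VIN-EXAMPLE-0001", "status:read", keys, now=t0 + 60))
    for vin, cmd, when in [("VIN-EXAMPLE-0001", "locate", t0 + 60),
                           ("VIN-EXAMPLE-0001", "status:read", t0 + 901),
                           ("VIN-EXAMPLE-0002", "status:read", t0 + 60)]:
        try:
            authorize(dealer, vin, cmd, keys, now=when)
        except TokenError as err:
            print(f"{vin} {cmd}: denied ({err})")
```
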
Any of this sound familiar? Yea that’s because it’s a flow (oauth) used by many companies to control access to assets.
Car companies are just not meant to do tech. So common shit like this is ignored.
If these car manufacturers can barely shit out barely usable “infotainment” systems, why the fuck are they diving into remote access technology?
If you feel like this sounds like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.
Yes, and everyone should remember this the next time these companies and their lobbyists run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.
https://www.youtube.com/watch?v=j0sZpKXMUtA&list=PLhFPpjYO-P...
https://platetovin.com/about#pricing
But how are they getting the data?
Why is it okay for Kia/manufacturers to spy on our cars, and only a problem when others do it? This attitude is pervasive in reporting on hacks like these - the initial spying by corporations is always given a pass (or rather, it is implied that's not even "tracking", as the title implies the tracking happened only after the hack).
Manufacturers like VW/Audi place an opt out within the vehicle itself so if you opt out of telematics in the vehicle you are in a full privacy mode and the manufacturer cannot get the data or override this request. This covers the scenario if other "Users" of the vehicle are driving and would choose to opt out outside of the main users/owner.
So some bake it into your app registration and signup, and some leave it in the vehicle. The gist is you can opt out, and if the manufacturer does not respect that you have grounds to sue. Currently there is a lawsuit against GM/Caddy because a user did not opt-in to Usage Based Insurance, but their information was captured and brokered blocking them from acquiring new insurance.
[1] https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
[2] https://web.archive.org/web/20240705093406/https://www.wired...
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
https://www.kianiroforum.com/threads/how-to-remove-head-unit...
[1] https://www.youtube.com/watch?v=d9FbBgG2axE
And before anyone says "but the thief can swap the ECU before it calls home and if it was continously reporting at least there would be a trail where he did it" it is silly. Let's say there indeed is a gps trail leading from in front of your house to some alleyway or a forest. Do you think the car is still there? Nope.
It is a common fallacy. The manufacturer wants to steal your privacy and gives you a useful feature tied to it. Oh, do you want to be able to switch the car off remotely when it's stolen or not? If so we need to know where you drive for next 20 years. And if you ever drove over 80mph we're using this to decline your warranty BTW. I
I have a 2023 Kia and that's not necessary. You only need the account if you want to use the optional online services.
This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.
I'm not sure if you can buy a tinfoil hat for a car.
Would be nice to have an organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.
Not really. Personal vehicles are responsible for such minuscule portion of CO2 emissions it barely matters.
Emission regulations enjoy popular support because of city air quality, not climate change. Yes, people tolerate taxes on CO2 emitted by their vehicles (do you have that in the US BTW?) because it has a very beneficial side effect of also limiting particulates and NOx CO and such emissions that actually killed hundreds of people every year in major city centers. Also caused lifelong disability for many children (asthma).
> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
If this should tell companies anything, it is that most of these services should be opt-in instead of opt-out in favor of security and privacy.
OP was talking about not buying a car that requires a subscription to activate, not about whether the subscription makes you vulnerable.
In such world thanks to the commonality of FLOSS we have dedicated distros and package for such iron, widespread enough to be commonly available in users hands. As a result the security risks are still more than zero but much, much less and many who could since their car is their own, not owned for real by the OEM, they could simply cut the connection if they do want so.
Such open world could be done in few years by laws, and anything is already there since decades. It's a matter of knowledge and will.
App unlock, remote start + remote temperature control. All very useful.
I couldn't imagine buying a car without carplay now.
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.
If I ever park and wonder “damn did I lock my car” I can look at my key fob and see if it has a locked or unlocked padlock on it. As long as I remember sometime within like 20 minutes of parking (assuming I spend 20 minutes walking away from it in a straight line), I can lock it if I _did_ forget. I’ll get confirmation that it locked if I do that and the command makes it through.
Mine also works even where there’s no cell reception!
Which is all to say… I’d prefer better key fobs instead of cellular modems and cloud services.
I see several aftermarket systems here: https://www.popularmechanics.com/cars/a34512303/best-remote-...
I doubt it would ever solve my problem (they're still not going to offer half the functionality on a M/T vehicle), but there's no reason they couldn't offer something like this as a couple hundred dollar option on most of their vehicles. They already basically have all the hardware in the car I figure.
[0] https://www.compustar.com/remotes/pro-t12/
It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.
Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).
If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.
If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.
Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.
You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.
Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.
> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.
Pets which require medications on a schedule might become very ill without them. But yes, I suspect that any country where the weather is enough to kill your pet should probably be running AC/heat on a thermostat instead of manual. (Here in the UK, we rarely have AC, and a lot of people just put on heat manually when they're cold - but our weather is pretty mild.)
Personally I would never rely on a phone to get me into a house or vehicle. Mine runs out of battery too frequently. I've already been bitten by not being able to take a bus because my phone died and I couldn't pay for a ticket.
For ones that support Apple's Homekey, it doesn't even matter if your battery runs out. Apple devices still provide Homekey via NFC even with a dead phone.
I don't think this exists yet for car keys, although I know there's work on UltraWide Band key support.
Also, this seems substantially less fragile than just... losing a pair of keys. It's not evitable that your battery in your lock runs out (again, unless you ignore warnings), but losing your keys is one of those 'hard to prepare for' events.
Mitigation for losing your keys could just be keeping a spare key with a neighbor/friend/whatever... but, well, you can do that with an e-lock too (cause they all have regular keys for true backup).
Ah, that's a fair point.
> Apple devices still provide Homekey via NFC even with a dead phone.
Huh, that's neat. I haven't come across that as I'm not an Apple user.
Fortunately this was in an urban area and I could find a cafe that was open within walking distance. I don't know if they allowed pets to thaw in there. It took about an hour for maintenance to open the doors (with a damned key) and let people in.
That happened to me once. Keys were in the car too. We had to try to get the dog to step on the button again to unlock the car, which she eventually did. Glad it wasn't a hot day.
This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.
I suppose you could dream up some situation in which the fob is outside the car, someone is inside, creepy people come up and take the fob, and you want to be protected by locking from the inside.
But in that case, internet unlocking should be blocked as well, right?
It was a very bizarre experience. Anyway, wouldn't have mattered: it's my wife's car, not mine. So I wouldn't have the app.
But part of the nice thing about the app is that there's no cost to having extra "keys," so there's no reason to not have the app for your wife's car on your phone.
When I press unlock on the fob for my 2001 car, it unlocks unless the battery is dead. I can even reprogram it for two brand-new fobs without going to a dealer.
Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?
Edit: Non-connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
https://www.google.com/search?q=fob+relaying+theft+attack
Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.
> Edit: Non-connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?
[1] https://www.techradar.com/pro/security/hackers-are-increasin...
[2] https://www.cisa.gov/news-events/alerts/2024/09/25/threat-ac...
I don't even carry a phone for that reason.
Software quality and security updates on the internet-facing component.
There have been demonstrations of hacking cars remotely to gain control of them. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.
Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.
That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to update the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?
Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.
Here's the NHTSA report to Congress about this:
https://www.nhtsa.gov/sites/nhtsa.gov/files/2023-07/Report-t...
> Section 24220, “ADVANCED IMPAIRED DRIVING TECHNOLOGY,” of the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act (IIJA), directed that “not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard (FMVSS) under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology.” Further, the issuance of the final rule is subject to subsection (e) “Timing,” which provides for an extension of the deadline if the FMVSS cannot meet the requirements of 49 USC 30111.
Now, I don't see anything in there about a "remote switch", and I don't understand how the "remote" bit would work to prevent DUI.
There's probably already a bunch of data being collected about cars parked at e.g. a bar for a few hours that's being used to train some AI to detect driving behaviors associated with drunk driving or something like that.
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
It's... interesting to see just how easy it is to access this functionality if the VIN check is bypassed.
Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.
From this particular vulnerability. If anything, I'd still be concerned.
It doesn't matter if my door has shitty locks, you still can't enter my house unless I invite you.
I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.
Yes, I felt stupid. But a little less stupid now.
Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
There is a great Channel 5 documentary on YouTube about it, definitely recommend checking it out!
You should be able to take out the internet connectivity as a consumer. The fact that this exploit worked even if the consumer wasn’t subscribed is wild.
Car companies just can’t do tech.
I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?
https://www.kia.com/us/en/vulnerability.html
BTW, the Tesla bug from April is really scary. $100K is peanuts for the ability to remotely control the engine from an adjacent vehicle.
I will give you one hint: cars have sensors that are read wirelessly by ECUs on the internal (unprotected) network.
https://www.youtube.com/watch?v=1n0AI5aemUY
"I never hear the ancaps and the hardcore libertarians in my comments section... complain about Section 1201 of the DMCA. I wish I did more often."
But wait, they patched this! Yeah, but they also shipped it.
[1] But that's why sarcasm is usually frowned upon on HN.
Also the concerns of the average consumer aren't a really good barometer for what should be legal. Most consumers gladly sign up for services that violate their privacy, because they don't understand the consequences at the time of purchase. Also people are pretty bad at estimating risks of unknown certainty even when they do know about them. If 'buyer-beware' worked, there would be no need for consumer protection law... but this segment of the law has originated from necessity.
What I do find useful is the car having "cellular connectivity" to make emergency calls. But that doesn't require internet connectivity.
My 2020 Subaru only does remote start if you pay the monthly fee for their access (confusingly called Starlink), and requires the 'subaru app'.
I hate it.
https://www.subaru.com/subaru-starlink/starlink-safety-and-s...
Not sure how you program it to your car, but I would get it just so I don't need to use an app.
With the app it's very useful to be able to find out the location of the car, the status of the doors and windows, the current mileage, and be able to control the climate (Dog Mode, etc), warm up on cold mornings, cool down in summer. You can also get important notifications (i.e. Climate mode on for a long time, Door/Window is open, etc.)
You might knock the remote climate feature but if you have dogs/kids/elderly it really improves their quality of life.
There's another recent feature which supports streaming music such as Apple Music, without your phone needed. This is convenient and useful.
Tesla charges $9.99 USD a month for this which I find to be extremely reasonable. (I am an SRE and I know what it takes to maintain scalable secure infrastructures.)
The fact that your car needs "somewhat frequent" updates doesn't concern you? Cars are effectively appliances, they should work right the first time, with minor updates here and there to fix serious issues which can be done in the safety of a shop at next scheduled service, and not risk pulling a Rivian and bricking the entire fleet at the push of a button.
- customer service: took 3 weeks to get my last service appointment, so I couldn’t drive my car for that long (service was because the charge port door wouldn’t open); was not told that when I had to replace the touchscreen (it had bubbles in it and I live in a very moderate climate), I would no longer have a radio.
- basic/critical features being poorly designed or seemingly had little thought put into them: see the above charge port door issue; window seals that drip going through the car wash; no physical controls for anything so you have to focus on the touchscreen while driving; other random fit and finish issues just due to substandard workmanship.
- substandard software: frequent issues and bugs with basic operation; after my touchscreen was replaced, the glove box pin no longer opens the glove box (minor nit, but annoying); loads of other random little annoyances.
I'm starting to wonder if I'm the only one left in the world who would rather the internet not eat me alive.
Up-front NRE, per unit HW, perpetual cloud backend maintenance. There's a lot of cost to connect a car to the internet. It should be a luxury option that I can decline to have installed.
Personally, I’d rather connect to my WiFi where I have control, but that’s a lot to ask for regular consumers.
I wonder how many years that will take. Five years?
EV companies haven't quite figured out that the only two things consumers care about are range and charge rate (well, and cost, but there's an untapped market of people willing to pay if the featureset is there). Everyone has settled on 300mi range, which in my opinion is a little low but workable (at 80mph you'd have to stop every 3.5 hours), but for some reason nobody can get their act together on charge rate. Consumers need to purchase a car for their 99th percentile use case, which for much of America includes at least one road trip per year. The DC fast charge experience is basically the whole story there.
Source: my ID.4
There was a recent YouTube video with a car thief that basically showcased a "special" tablet that could get any car started in a minute by plugging into the OBD port. Pretty shitty security model if it relies on no tablets getting out.
The trouble is when manufacturers extend the CAN bus out to the smart headlights or something, and it's the same bus that the body control sits on, so they can just send a door-unlock message...
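The segmentation point in the comment above, as an added example that is not part of the thread or any manufacturer's code: a gateway between an exposed lighting segment and the body-control bus forwards only an allowlist of frames, so a door-lock command arriving from the lighting side is dropped and counted. The segment names, CAN IDs and frame lengths are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values: segment names and CAN IDs are illustrative only. */
enum segment { SEG_BODY, SEG_LIGHTING };

#define ID_DOOR_LOCK_CMD   0x2A0u  /* hypothetical body-control command */
#define ID_HEADLAMP_STATUS 0x3C1u  /* hypothetical lamp status report   */
#define ID_HEADLAMP_FAULT  0x3C2u  /* hypothetical lamp fault report    */

struct gw_frame { uint32_t id; uint8_t dlc; uint8_t data[8]; };
struct gw_rule  { enum segment src; uint32_t id; uint8_t dlc; };

/* Default deny: only these (source, id, length) tuples may reach the body bus. */
static const struct gw_rule to_body_allow[] = {
    { SEG_LIGHTING, ID_HEADLAMP_STATUS, 2 },
    { SEG_LIGHTING, ID_HEADLAMP_FAULT,  1 },
};

static unsigned dropped_count;  /* feeds an intrusion counter or diagnostic log */

/* Returns true if the frame may be forwarded from segment src to the body bus. */
bool gateway_forward_to_body(enum segment src, const struct gw_frame *f)
{
    size_t n = sizeof to_body_allow / sizeof to_body_allow[0];

    if (f != NULL && f->dlc <= 8) {
        for (size_t i = 0; i < n; i++) {
            const struct gw_rule *r = &to_body_allow[i];
            if (r->src == src && r->id == f->id && r->dlc == f->dlc)
                return true;
        }
    }
    dropped_count++;  /* unknown ID, wrong length or wrong source segment */
    return false;
}

unsigned gateway_dropped(void) { return dropped_count; }

int main(void)
{
    struct gw_frame status = { ID_HEADLAMP_STATUS, 2, { 0x01, 0x00 } };
    struct gw_frame unlock = { ID_DOOR_LOCK_CMD,   1, { 0x01 } };

    printf("status forwarded: %d\n", gateway_forward_to_body(SEG_LIGHTING, &status));
    printf("unlock forwarded: %d\n", gateway_forward_to_body(SEG_LIGHTING, &unlock));
    printf("dropped frames:   %u\n", gateway_dropped());
    return 0;
}
```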
Note: the technical details are very lacking so it may not be that interesting to most here. tl;dw: there is a reseller that shouldn't be selling the tablets to "unauthorized" people and some other tidbits about how the thief operates.