this post was submitted on 26 Sep 2024
528 points (98.0% liked)

Technology

58752 readers
4747 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
528
Hacking Kia: Remotely Controlling Cars With Just a License Plate. (samcurry.net)
submitted 3 weeks ago by [email protected] to c/[email protected]
138 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 131 points 3 weeks ago (9 children)

dumb cars will be worth their weight in gold soon

[–] [email protected] 62 points 3 weeks ago (6 children)

Just like how manual cars became anti theft.

[–] [email protected] 8 points 3 weeks ago

My friend has his Kia broken into and started, but it’s a standard so they ditched it hahaha

[–] [email protected] 7 points 3 weeks ago (3 children)

That's if you can find one for an affordable price.

load more comments (3 replies)
load more comments (4 replies)
[–] [email protected] 45 points 3 weeks ago (1 children)

My car got dumbed for me because they killed the 3g network it was running on

[–] [email protected] 57 points 3 weeks ago (2 children)

Just because you can't use it doesn't mean a hacker can't. If someone discovered a vulnerability in the 3g handshake or encryption protocol, it could be an avenue for an RCE.

[–] [email protected] 16 points 3 weeks ago

Especially when there are no security updates anymore. They should just rip out any possible receiver there is for mobile communication

[–] [email protected] 11 points 3 weeks ago

Honestly if someone manages to figure that out I would want to know, that way I can finally use my cars remote start 😄

[–] [email protected] 8 points 3 weeks ago (1 children)

I wish, but most people don't know / care about this stuff, it's not going to really percolate into the public consciousness .

According to the dealership my car isn't worth it's weight grass clippings because it's too old.

load more comments (1 replies)
[–] [email protected] 6 points 3 weeks ago (3 children)

You could just find and disable the wireless modems.

[–] [email protected] 43 points 3 weeks ago (2 children)

Cool just like trying to replace a blower motor in a modern car feel free to rip the entire dash out only to find out it has a second antenna all the way in the back underneath the spare tire also behind a tail light which somehow requires you to remove the muffler to get to....

[–] [email protected] 8 points 2 weeks ago (1 children)

Or just pull this fuse for the module?

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 15 points 3 weeks ago (4 children)

You'd probably have more luck installing a signal jammer in your car.

The best you can hope for is a rootkit and some Linux-based OS for cars to be developed so you can take full control.

[–] [email protected] 15 points 3 weeks ago

FWIW there is a cottage industry for OnStar disable/delete mods for GM vehicles. It can be done, usually without breaking too much else of the car's electronic functionality.

[–] [email protected] 10 points 3 weeks ago (1 children)

I'd rather poke the GSM modem with a screwdriver.

load more comments (1 replies)
[–] [email protected] 7 points 3 weeks ago

Also, jammers are illegal pretty much everywhere.

load more comments (1 replies)
load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 94 points 3 weeks ago (1 children)

Yeah... fuck this shit. This is part of the reason I still drive a nearly 20 year old vehicle. It has features I want, and can't be stolen via fucking API calls. Absolute insanity.

I think Hyundai/Kia group has done unfathomable damage to their brands. Kia, despite being a budget brand, wants to be seen as a legit competitor to Toyota or at least Nissan. Their corner cutting with the immobilizers and the resulting "USB" theft shit was bad enough. Now this exploit.

[–] [email protected] 23 points 3 weeks ago (24 children)

They're just terrible cars. I've had two...they were great until they weren't. I literally had a screw fall out of the headliner the other day bringing it home from a nearly 1000$ exhaust patch/repair. It's not 10 years old yet and only has 60k miles.

The other one has had the engine replaced already (under warranty thank god).

We are likely replacing both of them next year. I'm never buying a Kia again.

[–] [email protected] 6 points 2 weeks ago

My Toyota with 300k+ miles has cost me $285 in repairs minus maintenance costs. I’ll likely get at least another 100k. Just placing these goalposts here…

load more comments (23 replies)
[–] [email protected] 56 points 3 weeks ago (45 children)

There's just no good reason to have anything beyond the radio/nav etc in a car connected to the Internet. Remote start can be done with just the key.

[–] [email protected] 69 points 3 weeks ago (2 children)

You know what fuck builtin nav. Connect it to my phone and let that be it for navigation.

[–] [email protected] 33 points 3 weeks ago (3 children)

And same for music. What year is this 2010?

load more comments (3 replies)
[–] [email protected] 9 points 2 weeks ago

Plus if you use your phone for nav you can use whatever maps you like. My city is mapped pretty good on openstreetmap so that's what I use.

[–] [email protected] 8 points 2 weeks ago (1 children)

I would say even those don't need Internet. Navigation can be updated using a USB drive, and I have a phone for audio so I just need bluetooth.

The only network connection I want in my car is to notify emergency services if the airbags go off.

load more comments (1 replies)
load more comments (43 replies)
[–] [email protected] 47 points 3 weeks ago (1 children)

Let the fucking hacking begin. Fuck these assholes. They are milking people out of their last penny, and on top of that they're selling people's driving data to data brokers who sell it to insurance companies that jack up prices.

[–] [email protected] 16 points 2 weeks ago (2 children)

Let the fucking hacking begin. Fuck these assholes.

Then you're gonna hack the company, not the endusers' cars.

Right?

Right?

[–] [email protected] 9 points 2 weeks ago

The ones on the dealership lot

load more comments (1 replies)
[–] [email protected] 41 points 2 weeks ago (1 children)

FYI: From the article: “These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously.

load more comments (1 replies)
[–] [email protected] 28 points 3 weeks ago (4 children)

I’ve noticed a lot of issues showing up for the Kia and Hyundai cars security wise. I wonder if they’re having issues because there’s more focus on those cars or if their security is really that bad.

[–] [email protected] 37 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

The Kia/Hyundai "challenge" where people were stealing their cars with a USB cord is because they opted not to include an immobilizer in US models for a decade. Every other car brand had them as standard. Kia even had them as standard in non US cars, but because the USA stupidly does not have a law about it, they opted to drastically reduce car security to save a few dollars per car.

This has made them prime targets, as people know they make bad security choices whenever they can save a buck.

So a bit of both, I expect.

load more comments (1 replies)
[–] [email protected] 9 points 3 weeks ago

Both probably. I’m sure a lot of cars have problems like this, but they just haven’t been found and there are already known vulnerabilities to focus on.

load more comments (2 replies)
[–] [email protected] 21 points 2 weeks ago (1 children)

This is the problem with digital serfdom, those lording it over us aren't perfect either. Not only should we be able to connect our cars to our own server, we should be able inspect provided server implementation to see if it's a bag of nails.

[–] [email protected] 7 points 2 weeks ago

aren't perfect either

You misspelled "are fucking morons" :)

[–] [email protected] 18 points 2 weeks ago (1 children)

This is why you have to install the latest software updates on your license plate. One time I let my gas cap firmware get outdated and someone downloaded my car.

load more comments (1 replies)
[–] [email protected] 13 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

Why does a car need to be connected to the internet? A reliable rule of conduct in aeronautics is that systems which are deemed critical to safety are air gapped from the systems which are connected to the internet, so in the event that those systems are compromised by malware or hackers, the safety critical systems won't also be compromised.

Why is it seemingly taking automotive manufacturers so long to catch on to this principle? Before anyone mentions downloadable features, I do not see that as a means of justification. Like with videogames, if you're paying good money for a product, that product should already be finished by release. Hiding content that should already exist on a car is egregious and the normalisation of it incentivizes manufacturers to release vehicles that are incomplete and should not have been released in their current state.

load more comments (2 replies)
[–] [email protected] 10 points 3 weeks ago

Nice writeup

[–] [email protected] 7 points 2 weeks ago* (last edited 2 weeks ago) (4 children)

I know the majority of you hate Tesla, but security is something they do take more seriously. They even take part in pwn2own to help find vulnerabilities.

All auto manufacturers should be taking part in that.

Nothing like winning a car to get people to try and break into it publicly.

Edit: Also details on the 2025 event in January just recently announced. https://www.zerodayinitiative.com/blog/2024/9/23/announcing-pwn2own-automotive-for-2025

[–] [email protected] 15 points 2 weeks ago (1 children)

I have my money on Tesla being the first cloud-connected car (that phrase shouldn't exist) to be hacked and push a malicious firmware that will cause all cars to simultaneously activate self driving and to pull a hard left at a specific time (time bomb).

[–] [email protected] 6 points 2 weeks ago* (last edited 2 weeks ago)

You should watch - Leave the World Behind

You might be right, but I don't think it'll be because their cars are the easiest to hack, it'll be because they have the most cars out there capable of doing this and it'd be more impactful attack if successful.

(edit: Also they'd be able to exert the most control on their cars with the software/sensors available today at scale. E.g they could more easily have the car drive around until it finds a pedestrian to hit)

(edit: Further, you can make the most changes to a Tesla as they have one of the more (or probably most) advanced OTA update capabilities)

They are definitely a prime target.

load more comments (3 replies)
[–] [email protected] 6 points 2 weeks ago (2 children)

smiles contentedly in 2003 1.8T Jetta 5MT

load more comments (2 replies)
load more comments
view more: next ›