Hacking Kia: Remotely Controlling Cars With Just a License Plate.

dumb cars will be worth their weight in gold soon

Yeah... fuck this shit. This is part of the reason I still drive a nearly 20 year old vehicle. It has features I want, and can't be stolen via fucking API calls. Absolute insanity.

I think Hyundai/Kia group has done unfathomable damage to their brands. Kia, despite being a budget brand, wants to be seen as a legit competitor to Toyota or at least Nissan. Their corner cutting with the immobilizers and the resulting "USB" theft shit was bad enough. Now this exploit.

There's just no good reason to have anything beyond the radio/nav etc in a car connected to the Internet. Remote start can be done with just the key.

Let the fucking hacking begin. Fuck these assholes. They are milking people out of their last penny, and on top of that they're selling people's driving data to data brokers who sell it to insurance companies that jack up prices.

FYI: From the article: “These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously.”

I’ve noticed a lot of issues showing up for the Kia and Hyundai cars security wise. I wonder if they’re having issues because there’s more focus on those cars or if their security is really that bad.

This is the problem with digital serfdom, those lording it over us aren't perfect either. Not only should we be able to connect our cars to our own server, we should be able inspect provided server implementation to see if it's a bag of nails.

This is why you have to install the latest software updates on your license plate. One time I let my gas cap firmware get outdated and someone downloaded my car.

Why does a car need to be connected to the internet? A reliable rule of conduct in aeronautics is that systems which are deemed critical to safety are air gapped from the systems which are connected to the internet, so in the event that those systems are compromised by malware or hackers, the safety critical systems won't also be compromised.

Why is it seemingly taking automotive manufacturers so long to catch on to this principle? Before anyone mentions downloadable features, I do not see that as a means of justification. Like with videogames, if you're paying good money for a product, that product should already be finished by release. Hiding content that should already exist on a car is egregious and the normalisation of it incentivizes manufacturers to release vehicles that are incomplete and should not have been released in their current state.

Nice writeup

I know the majority of you hate Tesla, but security is something they do take more seriously. They even take part in pwn2own to help find vulnerabilities.

All auto manufacturers should be taking part in that.

Nothing like winning a car to get people to try and break into it publicly.

Edit: Also details on the 2025 event in January just recently announced. https://www.zerodayinitiative.com/blog/2024/9/23/announcing-pwn2own-automotive-for-2025

smiles contentedly in 2003 1.8T Jetta 5MT