Hacking Kia: Remotely Hijack A Car Using Only Its License Plate

These days everything needs to be connected to remote servers via the internet, whether it’s one’s TV, fridge or even that new car you just bought. A recently discovered (and already patched) vulnerability concerning Kia cars was a doozy in this regard, as a fairly straightforward series of steps allowed any attacker to obtain the vehicle identification number (VIN) from the license plate, and from there become registered as the car’s owner on Kia’s network. The hack and the way it was discovered are described in great detail on [Sam Curry]’s website, along with the timeline of its discovery.

Notable is that this isn’t the first vulnerability discovered in Kia’s HTTP-based APIs, with [Sam] this time taking a poke at the dealer endpoints. To his surprise, he was able to register as a dealer and obtain a valid session ID, which he could then use to query Kia’s systems for a user’s registered email address and phone number.

With a specially crafted tool to automate the entire process, this information was then used to demote the car’s owner and register the attacker as the primary owner. After this the attacker was free to lock/unlock the doors, honk to his heart’s content, locate the car and start/stop the vehicle. The vulnerability affected all Kia cars made after 2013, with the victim having no indication of their vehicle having been hijacked in this manner. Aside from the doors randomly locking, the quaint honking and engine turning on/off at a whim, of course.
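One way a defender could catch the chain described above in API audit logs, added here as an example and not code from Kia or from [Sam Curry]’s write-up. The log format, the event names (`owner_lookup`, `owner_demote`, `primary_owner_add`, `owner_confirmed`) and the VIN placeholders are assumptions made for illustration.

```python
"""Flag dealer sessions that replace a vehicle's primary owner without owner approval."""
from datetime import datetime

# Ordered steps of the takeover chain from the article (event names are hypothetical).
CHAIN = ("owner_lookup", "owner_demote", "primary_owner_add")

# Constructed sample audit log: timestamp, dealer session, action, VIN placeholder.
SAMPLE_LOG = """\
2024-01-01T10:00:00 sess-A owner_lookup VIN-0001
2024-01-01T10:00:05 sess-A owner_demote VIN-0001
2024-01-01T10:00:09 sess-A primary_owner_add VIN-0001
2024-01-01T11:00:00 sess-B owner_lookup VIN-0002
2024-01-01T11:30:00 sess-B owner_confirmed VIN-0002
2024-01-01T11:31:00 sess-B owner_demote VIN-0002
2024-01-01T11:31:30 sess-B primary_owner_add VIN-0002
2024-01-01T12:00:00 sess-C owner_lookup VIN-0003
"""

def parse(log):
    """Yield (timestamp, session, action, vin) tuples from the text log."""
    for line in log.strip().splitlines():
        ts, session, action, vin = line.split()
        yield datetime.fromisoformat(ts), session, action, vin

def find_takeovers(log):
    """Return (session, vin, time) for each completed chain lacking owner approval."""
    progress = {}      # (session, vin) -> index of the next expected CHAIN step
    confirmed = set()  # VINs whose current owner approved a pending transfer
    alerts = []
    for ts, session, action, vin in sorted(parse(log)):
        if action == "owner_confirmed":
            confirmed.add(vin)
            continue
        key = (session, vin)
        step = progress.get(key, 0)
        if action != CHAIN[step]:
            continue  # unrelated or out-of-order event for this session and VIN
        step += 1
        if step == len(CHAIN):
            if vin not in confirmed:
                alerts.append((session, vin, ts.isoformat()))
            confirmed.discard(vin)  # an approval covers one transfer only
            step = 0
        progress[key] = step
    return alerts

if __name__ == "__main__":
    for alert in find_takeovers(SAMPLE_LOG):
        print("unapproved ownership change:", alert)
```

The same condition, enforced in the API rather than only alerted on, is the control the article’s chain shows was missing: a dealer session should not be able to complete the final step for a VIN whose current owner has not approved the transfer.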

Perhaps the scariest part about this kind of vulnerability is that it could have allowed an attacker to identify a vulnerable parked car and gain access before getting into the car, starting the engine and driving away. As long as these remote APIs allow for such levels of control, one might hope that one day car manufacturers will take security somewhat more seriously, as this is only the latest in a seemingly endless series of amusingly terrifying security vulnerabilities that require nothing more than some bored hackers with HTTP query crafting tools to discover.

15 thoughts on “Hacking Kia: Remotely Hijack A Car Using Only Its License Plate”

    1. In winter my morning commute is a 2km walk through suburbia. I swear every third house I walk by has an idling car in the driveway, just so their owner can have a warm tush on their sad drive to work.

      So, yeah, an awful lot do use them, despite the no-idling bylaw here.

      1. “idling” is pretty well defined. It’s usually >10min from a cold start, or leaving the engine running after you pull in/over.

        You shouldn’t be driving a car before you let the engine come up to operating temperature. Having a remote start is good on a snowy/icy day.
        Sometimes the only way to get the ice off a window is to use the heat/de-icer. And the car needs to be on to do it.
        Could I go out and start it with a key? Sure.
        Then I either sit out there for 5-10 minutes, or I come back in and track a bunch of snow with me.

        It’s not just a luxury.
        It can be a functional upgrade in some parts of the world.

    2. One of those ‘convenience’ things. My co-workers love their remote-start … and all from an app on cell-phone (some from a fob). :rolleyes:

      Personally, I’d like my car ‘off the air’ at all times. One less thing that can be exploited. But convenience trumps ‘security’ and ‘anonymous/privacy’ in this case (and in a ‘lot’ of other cases). People seem not to care either. I do….

      As for idling … Your gas (your money), do as you please.

    1. There is not a single new car that rates buying.

      It’s like they don’t teach KISS at automotive engineering schools anymore.
      They’ve gotten entirely too good at making cars disposable.

      As an engineer I was impressed.
      After 50+ years of working on their ‘warranty timer’ GM got skunked at the finish line by Benz.

  1. This is why I disconnected the 4G on my current vehicle. Remove connector. install 50ohm terminator. done.

    I have no interest, or dosh, for the remote start subscription. ($US30/month, I think, on top of the $30 for the we-wont-come road service)

    1. Like to dis-connect antenna in my Subaru…. But they hide it behind the unnecessary screen on the front dash. Not up to tearing the dash apart… yet…. I also declined all subscriptions they try to up-sell you. But that doesn’t stop them from still getting ‘telemetry’ and ‘listening’ if ‘they’ want to (legally or not).

      1. For me, it is behind the glove box. Not too bad to get to. Hardest part was getting all of the data to locate it, ID the impedance for the line, and the proper connector. Fortunately, the breakout isn’t internal, so separate connectors for 4G, GPS, and AM/FM, despite shared antenna (apparently…. Not sure how GPS is sharing, but that is another $20/month, so I don’t care. My Garmin works fine. The AM/FM quality makes it quite clear that the antenna is suboptimal, though). Some vehicles apparently make it more interesting….

        1. As I said before … let your cell-phone, Garmin, etc. be your infotainment/directions devices if you want that capability. Keep it out of the car system or at very least ‘make it an option’ when ordering to not include them. Let the car just ‘power’ the device(s). Only reason I have the ‘extras’ is it came ‘standard’ that way. :(

  2. I think the scariest part is not that they could unlock your car and steal it. It’s that they could start the engine, and potentially run you or someone else over in the process. Or they could stop it whilst you’re driving, which could also be pretty catastrophic.
