These days everything needs to be connected to remote servers via the internet, whether it’s one’s TV, fridge or even that new car you just bought. A recently discovered (and already patched) vulnerability concerning Kia cars was a doozy in this regard, as a fairly straightforward series of steps allowed any attacker to obtain the vehicle identification number (VIN) from the license plate, and from there become registered as the car’s owner on Kia’s network. The hack and the way it was discovered are described in great detail on [Sam Curry]’s website, along with the timeline of its discovery.
Notable is that this isn’t the first vulnerability discovered in Kia’s HTTP-based APIs, with [Sam] this time taking a poke at the dealer endpoints. To his surprise, he was able to register as a dealer and obtain a valid session ID, which he could then use to query Kia’s systems for a user’s registered email address and phone number.
With a specially crafted tool to automate the entire process, this information was then used to demote the car’s owner and register the attacker as the primary owner. After this the attacker was free to lock/unlock the doors, honk to his heart’s content, locate the car and start/stop the vehicle. The vulnerability affected all Kia cars made after 2013, with the victim having no indication of their vehicle having been hijacked in this manner. Aside from the doors randomly locking, the quaint honking and engine turning on/off at a whim, of course.
Perhaps the scariest part about this kind of vulnerability is that it could have allowed an attacker to identify a vulnerable parked car and gain access, before getting into the car, starting the engine and driving away. As long as these remote APIs allow for such levels of control, one might hope that one day car manufacturers will take security somewhat more seriously, as this is only the latest in a seemingly endless series of amusingly terrifying security vulnerabilities that require nothing more than some bored hackers with HTTP query crafting tools to discover.
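The access-control failure described in the article, sketched as an added example (not code from Kia or from [Sam Curry]’s write-up): a dealer role that is trusted for any VIN, next to a check that requires a vetted dealer tied to the vehicle plus the current owner’s confirmation, and that tells the owner about every attempt. The weak check is an assumed model of the flaw class, and all names, fields and the VIN value are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    account_id: str
    role: str                             # "owner" or "dealer"
    dealer_verified: bool = False         # set by back-office vetting only
    dealership_id: Optional[str] = None

@dataclass
class Vehicle:
    vin: str
    primary_owner: str
    selling_dealership: Optional[str] = None
    owner_notices: list = field(default_factory=list)

def weak_can_change_owner(session: Session, vehicle: Vehicle) -> bool:
    # Assumed model of the flaw: the dealer role alone is trusted, for any VIN,
    # even when the session came from self-registration.
    return session.role == "dealer"

def change_owner(session: Session, vehicle: Vehicle, new_owner: str,
                 owner_confirmed: bool) -> bool:
    """Hardened path: apply the transfer only if every check passes."""
    allowed = (
        session.role == "dealer"
        and session.dealer_verified                      # vetted account
        and session.dealership_id is not None
        and session.dealership_id == vehicle.selling_dealership  # tied to this car
        and owner_confirmed                              # out-of-band owner consent
    )
    # The current owner hears about every attempt, allowed or not.
    outcome = "completed" if allowed else "blocked"
    vehicle.owner_notices.append(
        (vehicle.primary_owner, f"ownership change by {session.account_id} {outcome}"))
    if allowed:
        vehicle.primary_owner = new_owner
    return allowed

# Constructed sample data.
car = Vehicle("VIN-CONSTRUCTED-0001", "alice", selling_dealership="dealer-42")
self_registered = Session("acct-x", "dealer")
vetted = Session("acct-d", "dealer", dealer_verified=True, dealership_id="dealer-42")

if __name__ == "__main__":
    print(weak_can_change_owner(self_registered, car))          # weak check passes
    print(change_owner(self_registered, car, "acct-x", False))  # hardened check blocks
    print(change_owner(vetted, car, "bob", True), car.primary_owner)
```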
How many people legitimately use these features anyway? How hard is it to just get in your car and start it?
In winter my morning commute is a 2km walk through suburbia. I swear every third house I walk by has an idling car in the driveway, just so their owner can have a warm tush on their sad drive to work.
So, yeah, an awful lot do use them, despite the no-idling bylaw here.
“idling” is pretty well defined. It’s usually >10min from a cold start, or leaving the engine running after you pull in/over.
You shouldn’t be driving a car before you let the engine come up to operating temperature. Having a remote start is good on a snowy/icy day.
Sometimes the only way to get the ice off a window is to use the heat/de-icer. And the car needs to be on to do it.
Could I go out and start it with a key? Sure.
Then I either sit out there for 5-10 minutes, or I come back in and track a bunch of snow with me.
It’s not just a luxury.
It can be a functional upgrade in some parts of the world.
Luxury!
When I was a kid we had to start a small fire under the oil pan of our dad’s tractor.
No joke. During that blizzard that ripped through Texas a few years ago, it was so cold we couldn’t move the tractor because the lift and the attachment were sitting on the ground and the hydraulics wouldn’t operate. (We don’t use hi-vis hydraulic fluid in this region.) So out comes the propane heater and we point it at the back of the tractor until it warms up enough to move.
This is such a first world problem. Ridiculous.
Well most of the 3rd is not in a snow area. But you knew that.
This is only necessary on old carbureted cars, or if one did not put the appropriate oil, or in extreme cold weather. In the latter case an engine heater is preferable anyway. In a perfect world with sensible people, one would also expect people who live in such conditions to buy a car that fits inside their garage…
One would hope that new builds have garages big enough to fit a car in. Sadly, these days, they do not. Parking is either non existent, off road, or on road. Garages become little more than storerooms or bedrooms.
Letting a car idle to get it up to temperature is not good for it. Driving normally at modest revs is the best.
Wrong. It’s bad to let a car idle cold to bring it up to temperature, better to drive it from cold to bring it up to temperature. From the sounds of things, wherever Paul is then engine heaters aren’t a thing or people are too poor to invest in one. In more civilised (and cold) societies engine block heaters are what you use, either electrically powered or fuel powered.
Actually you are ruining the engine if you are idling the engine up to operating temperature all the time. Too much gas needs to be pumped to cold engine which flushes oil away everywhere and all bearings rely on consistent oil films nowadays.
Just put electric heater inside to heat insides so all you need is quickly clean windshield and start driving. Just go easy with the throttle until engine has heated to operating temperature.
Once you clear any obstructive ice, you don’t need to come to full thermostat-regulated operating temperature before driving a modern car. You just need to get enough heat in the oil to make sure everything’s lubricated enough under the conditions you need to drive. If you’re not immediately getting on a highway and will be driving gently for a few minutes anyway, then depending on the particular engine and oil type, the difference in idling or setting off immediately might be pretty minimal. To the point that by the time you shouldn’t really be driving it at a certain temperature, I suspect you’d be better off with the block heater instead of idling.
One of those ‘convenience’ things. My co-workers love their remote-start … and all from an app on cell-phone (some from a fob). :rolleyes:
Personally, I’d like my car ‘off the air’ at all times. One less thing that can be exploited. But convenience trumps ‘security’ and ‘anonymous/privacy’ in this case (and in a ‘lot’ of other cases). People seem not to care either. I do….
As for idling … Your gas (your money), do as you please.
Well the remote start doesn’t actually put the car in gear or anything … So if I want to air condition the thing from “incompatible with life” to “Texas summer” before I get in, and not leave the keys to a thief – these apps are great.
I work in the automotive industry. KIAs may be nice, but I have long not recommended buying them after test-driving a Rondo.
There is not a single new car that rates buying.
It’s like they don’t teach KISS at automotive engineering schools anymore.
They’ve gotten entirely too good at making cars disposable.
As an engineer I was impressed.
After 50+ years of working on their ‘warranty timer’ GM got skunked at the finish line by Benz.
Formerly worked in the automotive industry and for more than a decade have given the same advice. It almost amazes me how many people continue to buy these things. Almost. Then again, with firms like “JD Power and Associates” rating vehicles with comical things such as “highest initial build quality” and the Doug DeMuros of the interwebs continuing the trope of “They’re much better than they used to be!” and even more outright laughable claims that they’re “better than XYZ brand” (always BMW, Mercedes, Honda, Toyota, et al) it shouldn’t really come as much of a surprise.
This is why I disconnected the 4G on my current vehicle. Remove connector. install 50ohm terminator. done.
I have no interest, or dosh, for the remote start subscription. ($US30/month, I think, on top of the $30 for the we-won’t-come road service)
Like to dis-connect antenna in my Subaru…. But they hide it behind the unnecessary screen on the front dash. Not up to tearing the dash apart… yet…. I also declined all subscriptions they try to up-sell you. But that doesn’t stop them from still getting ‘telemetry’ and ‘listening’ if ‘they’ want to (legally or not).
For me, it is behind the glove box. Not too bad to get to. Hardest part was getting all of the data to locate it, ID the impedance for the line, and the proper connector. Fortunately, the breakout isn’t internal, so separate connectors for 4G, GPS, and AM/FM, despite shared antenna (apparently…. Not sure how GPS is sharing, but that is another $20/month, so I don’t care. My Garmin works fine. The AM/FM quality makes it quite clear that the antenna is suboptimal, though). Some vehicles apparently make it more interesting….
As I said before … let your cell-phone, Garmin, etc. be your infotainment/directions devices if you want that capability. Keep it out of the car system or at very least ‘make it an option’ when ordering to not include them. Let the car just ‘power’ the device(s). Only reason I have the ‘extras’ is it came ‘standard’ that way. :(
“Not sure how GPS is sharing, but that is another $20/month”
A month! That is what I paid for my Garmin (used).
hence….
Why must you put in a 50ohm terminator? Can’t you just simply disconnect it? Or must you do it that way to avoid keeping getting error messages on the console?
Without a terminator, the RF modem can still communicate when it’s close enough to a cell tower.
At radio frequencies, unterminated coaxial cables are lossy antennas, and are perfectly capable of receiving and transmitting, although at very reduced range. A good, properly-matched terminator will reduce that susceptibility hugely – probably by at least a factor of 10, and likely much more.
Interesting – where I work is a radio quiet zone (for interference reasons). A colleague bought a new VW car about 10 years ago, asked the dealer how to turn off the radio. Their response was firstly why? Followed by can’t be done.
Since then he’s been driving to work in his GF’s ‘dumb’ car and she got an upgrade :)
I think the scariest part is not that they could unlock your car and steal it. It’s that they could start the engine, and potentially run you or someone else over in the process. Or they could stop it whilst you’re driving, which could also be pretty catastrophic.
While you’re just changing the oil…. As an example … Or changing a serpentine belt, or …
Yes, because you should never disconnect the battery while working on your car….
You definitely should not.
The ECU will forget some settings, the stereo might require a unique unlock code from the dealer and the “new” battery might have to be coded into the ECU for it to charge properly.
Only time I have is when changing out the battery. New Starter … Where it makes sense to do so. Nor, do you disconnect the battery to change tires, fill the fluids…
Also I change default options and dislike having to re-input them (Seat belt ding for one). Wish they’d just store in a ‘flash’ memory even though that might add $1 to the sticker price….
Bizarrely Fast & Furious did a bit on this in one of the later movies (Charlize Theron’s character uses cars with self-driving features to swarm & kill someone) and the world seems to have ignored the fact that’s actually entirely possible and very poorly protected against.
Car manufacturers have spent the last 20 years in a gimmicks arms-race with no real thought about the drawbacks for security or repairability and it sucks, looking around it’s very hard to find any modern car that doesn’t have some utterly stupid BS in it.
It’s time to start charging these companies for negligence, because that’s what it is.
Hmm – something like a different responsible disclosure scheme:
1. Hackers/researchers don’t contact companies building stuff like cars, industrial control devices, medical devices and whatnot directly but an international agency (under the UN or something?) instead.
2. This Agency is tasked with getting the companies to fix their shit and doling out monetary punishments to them.
3. The amount of money is roughly matched to the potential risk to human life, nature, etc. by an international court like thing?
Maybe not a bad idea (in principle) but I’m sure there are few “cans of worms” in there… :-/
Let’s let the government pick economic winners and losers!
What can possibly go wrong?
The Koreans have made their bed.
It just takes time for new car buyers to get clued.
Look at what’s happening to VW (all brands) right now.
It took 20+ years of awful cars, but finally the morons that love status symbols and car loans are figuring it out.
Eventually, there will be no more JATCO CVTs. Same slow process.
But monthly payment for depreciating assets people are some of the dumbest alive.
Takes many beatings for things to get through thick skulls.
UN? LOL…Not no. F-no! Are you nuts?
They’ll try to turn it into wealth transfer to shithole countries.
Ah.
You’re like that, then.
Yes , I am – and proud of that ;)
Whether the asset in question depreciates or appreciates matters not to the fact that a loan is about opportunity cost.
It’s the capability to spy on everywhere I go that bothers me about these connected cars. ‘Course in 2026 I think they’ve mandated remote shutdown by the cops in the US. I’m sure it will be a crime to disable this “feature”.
Most car trips are less than 30 miles.
I don’t own a car, don’t want one, don’t need one.
I prefer riding a bike anyways…. 2 or 3 or 4 wheels, pedals, and a chain.
Can’t get simpler than that.
Unless you are sick and need to drive to doctors. Or it’s freezing cold or boiling hot or raining for two weeks straight (Welcome to central Europe.). Unless you need large things from hobby shops few times a month. Or when commute by bike is completely suicidal because you don’t live in a utopia like Netherlands.
I also live in central Europe and most of your “issues” are solved by good clothes. And to go to the doctor you also can take the bus (and a mask), because I wouldn’t recommend operating a 2 ton vehicle while being sick.
And we all together should definitely start working on a world where nobody has to be afraid of going by bike.
I live in Bavaria, lived 11 years in a hilly rural area called Hallertau, all without car. I again have one, third hand Renault Clio. Why? Flu influenced heart and lungs, took 7 months to heal, heart rate was astronomical after just a few metres up a hill.
I was good before, and the year after again, but I never want to torture my body like that again.
Can you get any hops on the cheap? Just asking…
I live in northern Europe and bike every day all year, even in the freezing winter or when it’s raining. You just have to wear the right clothes, and in the winter studded tyres help too.
Thinking you are not able to use a bike all year around is a very car brain mindset.
I think you are what they call in statistics a Black Swan.
Not really, I’m just not American ;)
You should be glad to have the fortune of a healthy, strong body and mind.
Not everyone has that, and so not everyone can use your solution.
So glad I have an older car, and I’m glad it’s not a Kia.
Same here. While I like the idea of an electric car, it is not possible for me. I live in an apartment in a big city without any public charging infrastructure. As well I’d very much like to avoid all the unnecessary tech in new cars.
Using the car’s VIN seems a bad idea for its online features; it is by law visible from the outside, so if you can surreptitiously read it you don’t need the license plate lookup.
Seems like we need jammers for our own vehicles, or a service to terminate their antennas into a dummy load inside a faraday cage. One would hope the WiFi/Cell modem is just a module you could pull the fuse to. But at some point it will be coded into the main ECU, if not built directly into it.
Remove SIM.
“Remove SIM.”
Welcome to the world of e-SIMs, where physical removal is not an option.
I – honest to God – had this as part of my dream last night, and am now finding the article. I woke up with a nice thought that my 2010 Civic will be fine from these kinds of attacks.