Heads up to Kia owners/potential buyers: Today, a group of independent security researchers revealed that they'd found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/

Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug

Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

WIRED
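An added illustration from the editor, not code from Kia, the researchers, or anyone in this thread, and not a reproduction of the actual portal flaw: a toy model of the control the post above describes as missing. The "assign vehicle to account" operation, the dealer role, the VINs and the account names are all constructed. The weak portal lets any caller rebind a car's connected features to an arbitrary account; the hardened one requires a dealer role, requires the currently bound owner to have approved the transfer (a car on a dealer lot with no owner needs no approval), and records every refused attempt for detection.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vehicle:
    vin: str
    owner_account: Optional[str] = None  # account whose phone controls remote features


@dataclass
class Caller:
    account: str
    roles: frozenset = frozenset()


class PortalError(Exception):
    """Raised when the portal refuses an operation."""


# Constructed sample data: not real VINs or accounts.
SAMPLE_VEHICLES = [
    Vehicle("VIN-TEST-0001", owner_account="alice"),
    Vehicle("VIN-TEST-0002", owner_account=None),  # unsold car on a dealer lot
]


class VulnerablePortal:
    """Binds any VIN to any account for whoever can reach the endpoint."""

    def __init__(self, vehicles):
        # Copy so several portals can share the sample list without side effects.
        self.vehicles = {v.vin: Vehicle(v.vin, v.owner_account) for v in vehicles}

    def assign_vehicle(self, caller, vin, new_account):
        self.vehicles[vin].owner_account = new_account  # no role or consent check
        return new_account

    def send_command(self, caller, vin, command):
        # Remote features answer only to the bound account, so whoever can
        # rebind the car gets them for free.
        if caller.account != self.vehicles[vin].owner_account:
            raise PortalError("not the bound account")
        return f"{command} sent to {vin}"


class HardenedPortal(VulnerablePortal):
    """Same endpoint with a role check, an owner-consent check and an audit trail."""

    def __init__(self, vehicles):
        super().__init__(vehicles)
        self.approved_transfers = {}  # vin -> new account the bound owner consented to
        self.audit = []  # (outcome, caller, vin, new_account) for detection / IR

    def approve_transfer(self, caller, vin, new_account):
        """The currently bound owner consents to handing the car to new_account."""
        if caller.account != self.vehicles[vin].owner_account:
            self.audit.append(("DENY_APPROVE", caller.account, vin, new_account))
            raise PortalError("only the bound owner can approve a transfer")
        self.approved_transfers[vin] = new_account

    def assign_vehicle(self, caller, vin, new_account):
        v = self.vehicles[vin]
        if "dealer" not in caller.roles:
            self.audit.append(("DENY_ROLE", caller.account, vin, new_account))
            raise PortalError("dealer role required")
        if v.owner_account is not None and self.approved_transfers.get(vin) != new_account:
            self.audit.append(("DENY_CONSENT", caller.account, vin, new_account))
            raise PortalError("bound owner has not approved this transfer")
        v.owner_account = new_account
        self.approved_transfers.pop(vin, None)
        self.audit.append(("OK", caller.account, vin, new_account))
        return new_account


def demo():
    """Run both portals through the same sequence and return what each allowed."""
    outsider = Caller("mallory")
    dealer = Caller("dealer-1", frozenset({"dealer"}))
    alice = Caller("alice")

    weak = VulnerablePortal(SAMPLE_VEHICLES)
    weak.assign_vehicle(outsider, "VIN-TEST-0001", "mallory")
    weak_result = weak.send_command(outsider, "VIN-TEST-0001", "UNLOCK")  # now succeeds

    strong = HardenedPortal(SAMPLE_VEHICLES)
    refused = []
    for caller in (outsider, dealer):  # no role, then no owner consent
        try:
            strong.assign_vehicle(caller, "VIN-TEST-0001", "mallory")
        except PortalError as err:
            refused.append(str(err))
    strong.approve_transfer(alice, "VIN-TEST-0001", "bob")
    strong.assign_vehicle(dealer, "VIN-TEST-0001", "bob")  # legitimate sale
    lot_owner = strong.assign_vehicle(dealer, "VIN-TEST-0002", "carol")  # no prior owner
    return (weak_result, refused, strong.vehicles["VIN-TEST-0001"].owner_account,
            lot_owner, [entry[0] for entry in strong.audit])


if __name__ == "__main__":
    print(demo())
```

The audit list is the detection hook: a burst of DENY_ROLE or DENY_CONSENT entries against many VINs from one caller is the signal a portal operator would alert on, and the OK entries give incident responders a record of which account took over which car and when.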

@briankrebs

So... That seems like a big deal.

@briankrebs Can we regulate this? Car owners should be able to physically depower all data radios in the car with the flick of a switch. Like, a physical switch that disconnects power from this part of the car.

I need a new car, and I cannot and will not buy one until this tracking shit is put to bed. Which means I'll probably have to buy a "classic" car at this point.

@qkslvrwolf @briankrebs Not in the EU, which mandates that all new vehicles must have a built in mobile link to the police — which _probably_ only turns on when you press a button.
@qkslvrwolf @briankrebs
Maybe not a flick of the switch but a specific fuse that controls all of these devices. Problem is most of this tech is so central to a car's operation now it won't operate if it is missing...
@1101base2 yeah whatever the mechanism, but yeah the "doesn't work without it" is Not Ok
@briankrebs I read the story and I have the impression that if you never put the app on your phone you're ok??? I hate all these connected cars and if or when I have to get a new car I won't be installing any app on my phone. I don't care about any blinkenlights that won't work without it.
@Nonya_Bidniss @briankrebs they said even cars on dealer lots (which presumably aren't registered) would be affected and were tested....
@krupo I'd assume those cars were registered to a phone at the dealership for showing off the phone-related features.

@tjcrowdertech doubtful based on my car dealership experiences.

Highly doubtful.

The article itself has an embedded video where they talk about having to take a little longer to hack the car if they need to associate it to a profile / account if it hadn't been setup already. And still hackable.

So that testimonial evidence is even more convincing.

@briankrebs
This is why I maintain a >20 year old [redacted] with buttons and knobs.
As an aside paper maps cannot track your motions.

@nrmacdonald
25 yo Cherokee here and I love my old rat truck. I hop in dripping with salt water from boating/swimming and head home without worrying. She looks good for her age, but I don't have to fuss with her.

Now I just have to worry about a "smart" car doing something dumb to her.

@nrmacdonald Well you’re also untrackable if you use OsmAnd (offline maps) with only the GPS receiver enabled and everything else off with airplane mode on. Short of being targeted by nation states, of course.

The only realistic tracking would then be by license plate readers.

Bicycles are king in this respect.

@bojkotiMalbona
Good point. I have an old car and an electric bike but I fear what I will do when the car dies.
@nrmacdonald

@briankrebs
Can anyone confirm that this only happens if you enable the Kia Connect feature?

Edit: FAQ page for the Kia Connect feature

https://owners.kia.com/content/owners/en/faqs.html

FAQs

@briankrebs I was wondering if this only affected people who registered for the underlying service, and it turns out - according to the researchers - that it does not. "These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription" https://thehackernews.com/2024/09/hackers-could-have-remotely-controlled.html
Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates

Kia fixes vulnerabilities that allowed remote car control using only a license plate. Patch issued

The Hacker News
@rose @briankrebs this makes sense, given that the flow was intended for dealers.
@briankrebs My trusty 2017 Sportage isn't connected and never will be.
@briankrebs happy that I live in Massachusetts where the right to repair law has caused Kia to not activate the system!
@briankrebs I’m sure that won’t be weaponized…🙄
@briankrebs Dammit, cars should not have IP addresses.
The O.MG Elite cable is a scarily stealthy hacker tool

The new O.MG Elite cable, released at Def Con 30, is a hacking tool that can function as a keylogger, perform keystroke injection attacks with DuckyScript, and exfiltrate data to a remote server using a built-in Wi-Fi access point.

The Verge
@briankrebs oh snap, them Kia kids are at it again!
Fr though I hope they release a fix soon.

@JDGeoShack @briankrebs wired is horribly paywalled but the impression I got is that Kia maybe fixed it?

"Appears to have fixed the vulnerability in its web portal" followed by lack of more comment.

@briankrebs Looks like Bobby Tables has got a driving license now...

@briankrebs Question from the guy trying dearly not to become a technophobe:

Are there any modern electric-car options which do not feature network integration?

@briankrebs I'm curious if this hits Hyundai cars too. They use a lot of the same stuff.
@briankrebs if you can't hack it, is it really KIA?
@briankrebs
The lesson is never ever connect a car to a network or to your smartphone, especially if this relies on an external service
@Salvo sadly it seems it is not enough since every "recent" #kia car is susceptible to this attack, even those whose owner has not subscribed to online services… 😭

@paoloredaelli I blame Musk.
Not just because it is the thing to do on Mastodon, but because the whole “let’s add every cheap computer gimmick to a car to compete with Tesla” thing has corrupted automakers.

Don’t get me started on GM's project Edsel…

@briankrebs How would my car know what license plate I've screwed on it?

@newstik if the car has cameras, your plate would frequently appear in the reflection of glass and all things shiny it drives by.

Or perhaps owners have to enter that so the app can remind them when plates need to be renewed.

@newstik

Car knows its VIN which every state associates with a license plate.

@briankrebs

@Theodrake @briankrebs And that data VIN->license plate is public?

@briankrebs You should not be able to access your fucking car from a fucking website.

Are people so fucking stupid that ... nevermind.

@briankrebs Ah, the Kia, whose owners sign a T&C that says the company are allowed to collect data from them for a long list of things, including sexual activity…

https://foundation.mozilla.org/en/privacynotincluded/kia/

*Privacy Not Included review: Kia

How creepy is your car? We read the privacy policies so you don’t have to. Learn how your favorite car brand stacks up when it comes to protecting your privacy and security.

Mozilla Foundation
Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates

Kia fixes vulnerabilities that allowed remote car control using only a license plate. Patch issued

The Hacker News
@brianvastag Thanks. Seems like maybe safer to say they fixed the issue(s) the researchers raised? Aren't they still collecting all the data?
@briankrebs Well they say the exploit that allowed remote control of car functions was fixed.
@brianvastag @briankrebs Minor nitpick, but that is *not* Hacker News.
@briankrebs connected cars sounds like such a dumb idea to me.

@User47 @briankrebs It doesn’t seem like a dumb idea when it’s 100º outside and you need to go somewhere and you can tell the car to start the air conditioning from your phone well before you get there. Same for when it’s 20º. Especially with kids.

My car lost connectivity when AT&T killed the 3G network. And I miss it all. the. time.

@briankrebs

this will get fixed pretty quick because it undermines their $200 annual subscription model for owners to use it legitimately

@briankrebs The cars have cameras that can see their own license plates?
@briankrebs why heads up if the article says fixed?
@_noice one reason may be that the carmaker fixed the precise issues the researchers raised. But probably there are more. Also, they're still collecting or able to collect all this data, so there's that.
@briankrebs oh gotcha. Thank you for clarifying. I figured that.👍 Honda had a similar issue a while back.

@briankrebs

Oh, this isn't the first time #Kia has had a big security issue.

Remember when they used the sample encryption key from a NIST publication to secure their software? 🤦‍♂️

They need to hire people who know what they are doing.

https://www.schneier.com/blog/archives/2022/08/hyundai-uses-example-keys-for-encryption-system.html

#cybersecurity

Hyundai Uses Example Keys for Encryption System - Schneier on Security

@briankrebs

No USB cable required. Just a Feature.

@briankrebs I’m still driving my ‘99 sedan with a manual transmission. I even have a CD player in dash. Too much unnecessary tech in vehicles is not only vulnerable but breaks down more often and is more expensive to fix. I’ll stick with my old friend as long as I can.
@briankrebs
Security and privacy become big concerns when having a new vehicle. This news is so disturbing.
@briankrebs all I want is 4 wheels, a steering wheel and a roof. How hard can it be?