This won't have nearly the same impact, but when you're considering how vulnerabilities like this might influence your future purchasing decisions, remember that Kia's decision to omit interlocks from their US vehicles (but not Canadian ones!) led to a nationwide epidemic of Kia thefts so large it fed a crime wave, something a number of US cities are suing Kia over. If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
The obvious next step is to crawl the whole database of vulnerable Kia cars and create a "ride share" app that shows you the nearest Kia and unlocks it for you.
Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could look up information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?
The article isn't clear, but it sounds like the cars were already being tracked, only now also "unauthorized" people could track them (when before, only Kia and car dealers could track your car).

Why is it okay for Kia/manufacturers to spy on our cars, and only a problem when others do it? This attitude is pervasive in reporting on hacks like these - the initial spying by corporations is always given a pass (or rather, it is implied that's not even "tracking", as the title implies the tracking happened only after the hack).

Looks to me like all cars sold by KIA are still owned by KIA. I'm not worried about that exploit at all, it has been fixed. I'm terrified about how much data about a car and therefore about the "owner" is available to KIA. That's totally insane.
In Massachusetts, Kia has disabled Kia Connect for all vehicles purchased over the past few years. Any data collected by cars must be made accessible to third-party shops, and Kia opted to disable any data collection (and thus disable Connect entirely) rather than allow that to happen. It doesn't matter where you actually live — as long as you bought in MA, the car's VIN is locked out and no one can do anything about it. You're typically told this at the very end of the sales process, after everything is signed, and it's framed as "oh, by the way, MA has a terrible right-to-repair law that has forced Kia to disable Connect, you should write your state senator."

It's... interesting to see just how easy it is to access this functionality if the VIN check is bypassed.

Well, I am already pretty firmly against buying any car that requires you to create an account online to "activate" the vehicle. But I definitely won't buy another Kia anyway, based on the fact that our last one burned a quart of oil every thousand miles WELL before it hit the 100k mark.
Stop connecting vehicles to the internet pls & thanks
There are no new cars on the market today that don't have a slew of connected """features""", right?

Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.

As a Kia owner, this was what I was hoping for in the immediate term, FTA: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously."

Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.

Where's the strict product liability here? Like, if Kia is making a car that's easy to steal and it gets stolen, why isn't that Kia's fault and they're responsible for the damages? We're talking gross negligence here.

There have been demonstrations of hacking cars remotely to gain control of them. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.

Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.

That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to update the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?

By law, we need to be able to disconnect cars from the cell network. This is stupid.
I wonder how many LEAs knew of this and used it to bypass having to get a warrant, instead of responsibly disclosing it for the benefit of public safety.
Ok, lesson learned. Thank you.

I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.

Yes, I felt stupid. But a little less stupid now.

Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?

Connecticut Kia Boyz here? Imagine in some states it's not a felony to steal Kias if you're under 18, so they do it for fun and even sell them for rides, $100 each.

There is a great Channel 5 documentary on YouTube about it, definitely recommend checking it out!

I just want a car that is as dumb as it can be while meeting all federal regulations to the highest degree. How hard can that be?
Internet connected vehicles are a mistake. Enough time out there and mistakes will get re-introduced. If it’s not Kia, it will be someone else.

You should be able to take out the internet connectivity as a consumer. The fact that this exploit worked even if the consumer wasn’t subscribed is wild.

Car companies just can’t do tech.

I am impressed that you were able to contact relevant folks at Kia. I tried contacting their security team via Kia's customer service and Twitter and was repeatedly told they don't have anyone working on security, vulnerabilities, etc. My favorite was when they redirected my call to roadside assistance (twice).
I’ve been telling my friends who want to avoid Tesla that an electric Kia is still a Kia
Glad my VW only had a 3G antenna built in. No longer works in the US.
> The License Plate to VIN form uses a third-party API to convert license plate number to VIN

I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?

EV6 owner here. Scary stuff, but honestly, I'm not shocked. I feel like the EV6 is one of the better available EVs, but is hindered by Kia, based on the experience I've had dealing with the app and the dealerships.
My brother owns a Kia, and the constant auto break-ins are negatively impacting his mental health.
A day ago Louis Rossmann posted on YouTube: "Mazda requires $100+ subscription for remote start after filing DMCA takedown of open source program"

"I never hear the ancaps and the hardcore libertarians in my comments section... complain about Section 1201 of the DMCA. I wish I did more often."

Does Kia have a bug bounty like Tesla does? Tesla paid out 200k and a Tesla a few months ago.
If I'll ever buy a car, it won't have any network interfaces.
Strike two on KIA's car security after the USB cable disaster
Kia Boys Who Code
Kia is a terrible brand anyways
Maybe other manufacturers are also this bad, but I know Kia is this bad. I’m never buying a Kia.

But wait, they patched this! Yeah, but they also shipped it.

What if we had laws that required car manufacturers to have software with slightly better quality than the utter syphilitic diarrhea they currently ship?
Can we stop connecting cars to the internet now?
With the advent of "Kia Boys" and now this, it's a miracle people still buy Kias.
"thanks to a simple website bug AND TELEMATICS HARDWARE in the vehicles that had absolutely no relevance to their ability to get from point A to point B"
I cannot connect to Kia anymore, would have not worked on me
How much time would you need to redevelop KIAtool with AI?