A large part of the crime wave stems from the policies these cities implemented. Many times from the same leaders who are suing Kia now.
For instance, a friend got their car stolen in D.C. After they caught the guy, they let him go with no consequences, because they said he was under 25 and it was the first time they caught him. D.C. recently put a convicted murderer on the sentencing commission who believes that this kind of "it's not really their fault if they're under 25" thinking should be extended to murders as well.
Local politicians even told us there wasn't a crime wave, and that it was just a fake narrative. Then when that stopped working, they started pointing fingers at everyone else they could.
Anything political doesn't have to be only this reason or only that reason. "Both" is an option too.
- Kia fucked up, to make more $
- Some cities have ineffective enforcement
To be specific, I don't think the cities are suing over the car thefts. If I understand correctly, they're suing because the availability of easily hacked Kia cars enabled a wave of other crimes, because the criminals knew they had easy access to a getaway vehicle that couldn't be traced back to them.
One extreme is the death sentence, sure.
But on the other end it feels as if there are constant stories of career criminals who just do thing after thing after thing. It's not like someone just accidentally gets caught up in multiple assaults/robberies/break-ins etc. At some point you have to just think, okay, there's no rehabilitating this guy, how do we minimise the damage to society.
Locking 1,000 people up for a decade costs ~1 billion dollars. So even slightly more aggressive policies get expensive fast, and a surprising number of people “age out” of these kinds of crimes. It’s not clear if it’s hormones or what but you’ll see people with extensive rap sheets who end up as productive members of society in their 30’s or 40’s and beyond.
A person that goes about assaulting people is a significant drain on society. It's not even just monetary, it ruins trust, it ruins the relations between the people who aren't antisocial. It also has the moral hazard effect of increasing the number of others that see that this behaviour ultimately goes unpunished.
As far as I'm concerned, there are very few legitimate reasons to raise taxes, but police and prisons are one of them, they are not problems that individuals can solve in the private sector.
On the contrary, Canada's rate of stolen cars is only 10% less than the US despite having very few port cities. <https://www.bbc.com/news/articles/cy79dq2n093o>
But you are right that there are many (older models) that use ciphers with known quick exploits: TI's DTS40/DTS80 (40/80bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.
NXP's HTAG2 - most commonly used one in the '00s - 48bit proprietary cipher, a lot less exploited in the wild than the TI's disastrous two variants.
Keep in mind any need for expensive equipment is already a deterrent for many.
One of my old neighbors had their same car stolen like 2-3 times, always ditched and found after some number of days missing.
"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?
I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.
An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.
Cars are hard to fence and if you have a stolen car there's other crimes you can commit that have similar upsides and lower sentences/risks. For example ATMs never run over your buddies or shoot back at you.
Part of what makes it unintuitive is the specificity:
* Why Milwaukee and Chicago instead of everywhere?
* Why carjacking and not a general increase in crimes that could be facilitated by an unassociated car (bank robbery, toll violations, etc)?
As the sibling points out: it's a broader issue than just carjackings --- but the carjackings themselves were novel, scared the shit out of people in a way that stochastic-seeming strong arm robberies don't. The headline here is: it was a gravely negligent thing for Kia to have done; I hope they lose their shirts.
For whatever reason, it became A Thing here more than a year before it went national. Car thefts in Milwaukee more than doubled (entirely due to a stupidly large increase in Kia/Hyundai thefts) and we got a reputation for Kia thefts before it became a national issue.
It wasn't just in those cities, it was nationwide. The poster was using those cities as examples because they are familiar to him.
Random presentation of car theft stats comparing Chicago to a handful of others. We hear a lot about Chicago because many have a vested interest in deflecting discussions about crime. When was the last time you heard about the insane motor vehicle theft rate of Dallas? https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
I can think of nothing more American than suing car manufacturers because they're too easy to steal. The US is truly screwed.
As much as some narrative wants us to think, we don't need to be forced to live in effectively the same conditions as a maximum-security prison in order to have no crime.
Cars (and other things) being easy to steal isn't the problem.
It's a pretty good argument for the regulation, since everyone else is already doing it just make it the standard.
If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.
Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.
So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.
In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.
The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.
Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.
You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
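The token scheme sketched in the comments above, as an added example that is not part of the thread and not Kia's code. It assumes HS256 with a per-vehicle key shared by car and backend as a stand-in for the car's signature (an asymmetric signature would keep signing keys off the backend); the VINs, keys, claim names and command names are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders: these VINs, keys and command names are invented.
VEHICLE_KEYS = {
    "VIN-EXAMPLE-0001": b"constructed-key-car-1",
    "VIN-EXAMPLE-0002": b"constructed-key-car-2",
}
PUBLIC_COMMANDS = {"connection_status"}  # the single unauthenticated query


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(vin: str, signing_input: str) -> bytes:
    key = VEHICLE_KEYS[vin]
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(vin, subject, commands, issued_at, ttl_seconds):
    """Car side: run only after the requester authenticated over OBD-II."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"vin": vin, "sub": subject, "cmds": sorted(commands),
              "iat": issued_at, "exp": issued_at + ttl_seconds}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(_mac(vin, signing_input))


def authorize(token, vin, command, now):
    """Backend side: decide whether `command` may run against `vin`."""
    if command in PUBLIC_COMMANDS:
        return True, "public"
    if token is None:
        return False, "token required"
    if vin not in VEHICLE_KEYS:
        return False, "unknown vehicle"
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        signature = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    # Verify with the key of the vehicle being addressed, before parsing claims,
    # so a token minted by one car is useless against any other VIN.
    expected = _mac(vin, head_b64 + "." + claims_b64)
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    header = json.loads(b64url_decode(head_b64))
    claims = json.loads(b64url_decode(claims_b64))
    if header.get("alg") != "HS256":  # reject anything not minted as HS256
        return False, "unexpected algorithm"
    if claims["vin"] != vin:
        return False, "token is for another vehicle"
    if now >= claims["exp"]:
        return False, "expired"
    if command not in claims["cmds"]:
        return False, "command not granted"
    return True, "ok"


T0 = 1_700_000_000  # constructed issue time (Unix seconds)
# Long-lived owner token minted at provisioning; 15-minute dealer token.
OWNER = issue_token("VIN-EXAMPLE-0001", "owner@example.com",
                    {"lock", "unlock", "locate", "climate"}, T0, 365 * 86400)
DEALER = issue_token("VIN-EXAMPLE-0001", "dealer-1234", {"diagnostics"}, T0, 900)

if __name__ == "__main__":
    print(authorize(DEALER, "VIN-EXAMPLE-0001", "diagnostics", T0 + 60))
    print(authorize(DEALER, "VIN-EXAMPLE-0002", "diagnostics", T0 + 60))
    print(authorize(None, "VIN-EXAMPLE-0002", "locate", T0 + 60))
```
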
If you feel like this sounds like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.
Yes, and everyone should remember this the next time these companies and their lobbyists run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.
https://www.youtube.com/watch?v=j0sZpKXMUtA&list=PLhFPpjYO-P...
https://platetovin.com/about#pricing
But how are they getting the data?
Why is it okay for Kia/manufacturers to spy on our cars, and only a problem when others do it? This attitude is pervasive in reporting on hacks like these - the initial spying by corporations is always given a pass (or rather, it is implied that's not even "tracking", as the title implies the tracking happened only after the hack).
Manufacturers like VW/Audi place an opt out within the vehicle itself so if you opt out of telematics in the vehicle you are in a full privacy mode and the manufacturer cannot get the data or override this request. This covers the scenario if other "Users" of the vehicle are driving and would choose to opt out outside of the main users/owner.
So some bake it into your app registration and signup, and some leave it in the vehicle. The gist is you can opt out, and if the manufacturer does not respect that you have grounds to sue. Currently there is a lawsuit against GM/Caddy because a user did not opt-in to Usage Based Insurance, but their information was captured and brokered blocking them from acquiring new insurance.
[1] https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
[2] https://web.archive.org/web/20240705093406/https://www.wired...
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
And before anyone says "but the thief can swap the ECU before it calls home and if it was continously reporting at least there would be a trail where he did it" it is silly. Let's say there indeed is a gps trail leading from in front of your house to some alleyway or a forest. Do you think the car is still there? Nope.
It is a common fallacy. The manufacturer wants to steal your privacy and gives you a useful feature tied to it. Oh, do you want to be able to switch the car off remotely when it's stolen or not? If so we need to know where you drive for next 20 years. And if you ever drove over 80mph we're using this to decline your warranty BTW. I
I have a 2023 Kia and that's not necessary. You only need the account if you want to use the optional online services.
This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.
I'm not sure if you can buy a tinfoil hat for a car.
Would be nice to have an organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.
Not really. Personal vehicles are responsible for such a minuscule portion of CO2 emissions it barely matters.
Emission regulations enjoy popular support because of city air quality, not climate change. Yes, people tolerate taxes on CO2 emitted by their vehicles (do you have that in the US BTW?) because it has a very beneficial side effect of also limiting particulates and NOx CO and such emissions that actually killed hundreds of people every year in major city centers. Also caused lifelong disability for many children (asthma).
> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
If this should tell companies anything, it is that most of these services should be opt-in instead of opt-out in favor of security and privacy.
Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.
Here's the NHTSA report to Congress about this:
https://www.nhtsa.gov/sites/nhtsa.gov/files/2023-07/Report-t...
> Section 24220, “ADVANCED IMPAIRED DRIVING TECHNOLOGY,” of the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act (IIJA), directed that “not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard (FMVSS) under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology.” Further, the issuance of the final rule is subject to subsection (e) “Timing,” which provides for an extension of the deadline if the FMVSS cannot meet the requirements of 49 USC 30111.
Now, I don't see anything in there about a "remote switch", and I don't understand how the "remote" bit would work to prevent DUI.
There's probably already a bunch of data being collected about cars parked at e.g. a bar for a few hours that's being used to train some AI to detect driving behaviors associated with drunk driving or something like that.
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
App unlock, remote start + remote temperature control. All very useful.
I couldn't imagine buying a car without carplay now.
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.
Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).
If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.
If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.
I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.
If I ever park and wonder “damn did I lock my car” I can look at my key fob and see if it has a locked or unlocked padlock on it. As long as I remember sometime within like 20 minutes of parking (assuming I spend 20 minutes walking away from it in a straight line), I can lock it if I _did_ forget. I’ll get confirmation that it locked if I do that and the command makes it through.
Mine also works even where there’s no cell reception!
Which is all to say… I’d prefer better key fobs instead of cellular modems and cloud services.
I see several aftermarket systems here: https://www.popularmechanics.com/cars/a34512303/best-remote-...
Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.
You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.
Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.
> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.
That happened to me once. Keys were in the car too. We had to try to get the dog to step on the button again to unlock the car, which she eventually did. Glad it wasn't a hot day.
This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.
Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?
Edit: Non connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
> Edit: Non connected cars for the risk averse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?
[1] https://www.techradar.com/pro/security/hackers-are-increasin...
[2] https://www.cisa.gov/news-events/alerts/2024/09/25/threat-ac...
Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.
Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.
It doesn't matter if my door has shitty locks, you still can't enter my house unless I invite you.
I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?
There have been demonstrations of hacking cars remotely to gain control of it. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.
Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.
That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to update the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?
I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.
Yes, I felt stupid. But a little less stupid now.
Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?
https://www.eff.org/deeplinks/2024/03/how-figure-out-what-yo...
But wait, they patched this! Yeah, but they also shipped it.
> In submitting reports, please note that although Hyundai Motor America sincerely values vulnerability reports, we do not provide monetary compensation (“bounties”) or non-monetary remuneration in exchange for submitted reports. This program is only meant to facilitate the responsible reporting and resolution of cybersecurity vulnerabilities.
Note: Kia is owned by Hyundai.
BTW, the Tesla bug from April is really scary. $100K is peanuts for the ability to remotely control the engine from an adjacent vehicle.
https://www.youtube.com/watch?v=1n0AI5aemUY
"I never hear the ancaps and the hardcore libertarians in my comments section... complain about Section 1201 of the DMCA. I wish I did more often."
EV companies haven't quite figured out that the only two things consumers care about are range and charge rate (well, and cost, but there's an untapped market of people willing to pay if the featureset is there). Everyone has settled on 300mi range, which in my opinion is a little low but workable (at 80mph you'd have to stop every 3.5 hours), but for some reason nobody can get their act together on charge rate. Consumers need to purchase a car for their 99th percentile use case, which for much of America includes at least one road trip per year. The DC fast charge experience is basically the whole story there.
There was a recent YouTube video with a car thief that basically showcased a "special" tablet that could get any car started in a minute by plugging into the OBD port. Pretty shitty security model if it relies on no tablets getting out.
The trouble is when manufacturers extend the CAN bus out to the smart headlights or something, and it's the same bus that the body control sits on, so they can just send a door-unlock message...
Note: the technical details are very lacking so it may not be that interesting to most here. tl;dw: there is a reseller that shouldn't be selling the tablets to "unauthorized" people and some other tidbits about how the thief operates.
What I do find useful is the car having "cellular connectivity" to make emergency calls. But that doesn't require internet connectivity.
My 2020 Subaru only does remote start if you pay the monthly fee for their access (confusingly called Starlink), and requires the 'subaru app'.
I hate it.
https://www.subaru.com/subaru-starlink/starlink-safety-and-s...
Not sure how you program it to your car, but I would get it just so I don't need to use an app.
With the app it's very useful to be able to find out the location of the car, the status of the doors and windows, the current mileage, and be able to control the climate (Dog Mode, etc), warm up on cold mornings, cool down in summer. You can also get important notifications (i.e. Climate mode on for a long time, Door/Window is open, etc )
You might knock the remote climate feature but if you have dogs/kids/elderly it really improves their quality of life.
There's another recent feature which supports streaming music such as Apple Music, without your phone needed. This is convenient and useful.
Tesla charges $9.99 USD a month for this which I find to be extremely reasonable. ( I am an SRE and I know what it takes to maintain scalable secure infrastructures )
The fact that your car needs "somewhat frequent" updates doesn't concern you? Cars are effectively appliances, they should work right the first time, with minor updates here and there to fix serious issues which can be done in the safety of a shop at next scheduled service, and not risk pulling a Rivian and bricking the entire fleet at the push of a button.
- customer service: took 3 weeks to get my last service appointment, so I couldn’t drive my car for that long (service was because the charge port door wouldn’t open); was not told that when I had to replace the touchscreen (it had bubbles in it and I live in a very moderate climate), I would no longer have a radio.
- basic/critical features being poorly designed or seemingly had little thought put into them: see the above charge port door issue; window seals that drip going through the car wash; no physical controls for anything so you have to focus on the touchscreen while driving; other random fit and finish issues just due to substandard workmanship.
- substandard software: frequent issues and bugs with basic operation; after my touchscreen was replaced, the glove box pin no longer opens the glove box (minor nit, but annoying); loads of other random little annoyances.
Up-front NRE, per unit HW, perpetual cloud backend maintenance. There's a lot of cost to connect a car to the internet. It should be a luxury option that I can decline to have installed.
Personally, I’d rather connect to my WiFi where I have control, but that’s a lot to ask for regular consumers.