Why does a car need to be connected to the internet? A reliable rule of conduct in aeronautics is that systems which are deemed critical to safety are air gapped from the systems which are connected to the internet, so in the event that those systems are compromised by malware or hackers, the safety critical systems won’t also be compromised.
Why is it seemingly taking automotive manufacturers so long to catch on to this principle? Before anyone mentions downloadable features, I do not see that as a means of justification. Like with videogames, if you’re paying good money for a product, that product should already be finished by release. Hiding content that should already exist on a car is egregious and the normalisation of it incentivizes manufacturers to release vehicles that are incomplete and should not have been released in their current state.
This is my car, I have a stereo with entertainment features. My mileage, drive time, fuel economy, and anything related to the systems of the car, shows up on a separate display strip. To the best of my knowledge, the stereo cannot control the car in any way. Its just there to play music for me. I dread the day I have to replace this car. I may just buy an old pre-telemetry 4x4. The roads around here have gotten too bad for a hatchback anyway.
Yup, that’s how it should be across the board. That’s how it is with modern airliners. The redundancy of having each system be controlled by multiple computers is nullified if a hacker can get to control all of them, including the ones which are safety critical, just by hacking one. I honestly don’t blame you, I love the internet but there really are situations where something really doesn’t need to be connected to the internet.
This is why you have to install the latest software updates on your license plate. One time I let my gas cap firmware get outdated and someone downloaded my car.
$ wget kiasorrento. sh
…looks like it’s my car now. 😈😆
This is the problem with digital serfdom, those lording it over us aren’t perfect either. Not only should we be able to connect our cars to our own server, we should be able inspect provided server implementation to see if it’s a bag of nails.
aren’t perfect either
You misspelled “are fucking morons” :)
smiles contentedly in 2003 1.8T Jetta 5MT
Agreed. But I am getting more and more concerned we won’t always be able to keep or buy an old car and avoid these pitfalls
I’m likely 3 to 6 years away from having to buy a new/used car and I don’t think il be able to (or actually want) a 20 year old car
Yeah I have to replace the suction side AC line on mine and the OE part alone is about 350-400 and absolutely impossible to find 💀
FYI: From the article: “These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously.”
Well I wouldn’t really trust kia, who released these gaping vulnerabilities and benefit the most from pretending ain’t no big thing, with these statements
I know the majority of you hate Tesla, but security is something they do take more seriously. They even take part in pwn2own to help find vulnerabilities.
All auto manufacturers should be taking part in that.
Nothing like winning a car to get people to try and break into it publicly.
We hate Elon, Tesla is Ok
There’s a portion that only hate Elon and not Tesla, but there’s a lot of Tesla hate out there as well, and there has been since even before Elon publicly went off the deepend.
Some of that might be decisions that Elon made for Tesla, but it’s still at Tesla.
Edit: but I will take your point and say my use of majority in my OP wasn’t correct as the majority here is about Elon.
I have my money on Tesla being the first cloud-connected car (that phrase shouldn’t exist) to be hacked and push a malicious firmware that will cause all cars to simultaneously activate self driving and to pull a hard left at a specific time (time bomb).
You should watch - Leave the World Behind
You might be right, but I don’t think it’ll be because their cars are the easiest to hack, it’ll be because they have the most cars out there capable of doing this and it’d be more impactful attack if successful.
(edit: Also they’d be able to exert the most control on their cars with the software/sensors available today at scale. E.g they could more easily have the car drive around until it finds a pedestrian to hit)
(edit: Further, you can make the most changes to a Tesla as they have one of the more (or probably most) advanced OTA update capabilities)
They are definitely a prime target.
I also love how Tesla engineers pay attention to small quality-of-life things like racing games to play while you wait for charge using the wheel as controller, using the built-in 360 camera as dashcam and parking monitor.
Let the fucking hacking begin. Fuck these assholes. They are milking people out of their last penny, and on top of that they’re selling people’s driving data to data brokers who sell it to insurance companies that jack up prices.
Let the fucking hacking begin. Fuck these assholes.
Then you’re gonna hack the company, not the endusers’ cars.
Right?
Right?
The ones on the dealership lot
I hope so? Lol
dumb cars will be worth their weight in gold soon
The car will still work if you take the radio out or put a faraday cage around it, maybe that’ll become a thing in the future, but that might fuck with the paid charging infrastructure for EVs. Doesn’t impact gas.
Fucking wot
I wish, but most people don’t know / care about this stuff, it’s not going to really percolate into the public consciousness .
According to the dealership my car isn’t worth it’s weight grass clippings because it’s too old.
lol it’s not the dealers who will want them
Just like how manual cars became anti theft.
My friend has his Kia broken into and started, but it’s a standard so they ditched it hahaha
Huh?
most car thiefs can’t drive a manual transmission
Oh right in the USA there are mostly automatic cars
Manual transmission is an anti theft device because car jackers can only drive automatic
That’s if you can find one for an affordable price.
right before the used car market exploded i got my manual Subaru for $3400 when it was worth about 10-12k because of a misfire. yeah it just had the wrong spark plugs in it :p and it’s about as dumb as they come. it has a radio, abs, and cruise control - no other driving assists or telemetry
I got a decent manual for about $12k back in February. And it was one of three on the lot I was there to look at all around that price: A GTI, a WRX, and a Mini.
I went with the GTI
My car got dumbed for me because they killed the 3g network it was running on
Just because you can’t use it doesn’t mean a hacker can’t. If someone discovered a vulnerability in the 3g handshake or encryption protocol, it could be an avenue for an RCE.
Honestly if someone manages to figure that out I would want to know, that way I can finally use my cars remote start 😄
Especially when there are no security updates anymore. They should just rip out any possible receiver there is for mobile communication
Happy to have my 2012 civic. One of the last gens without a telemetry unit I think.
You could just find and disable the wireless modems.
You’d probably have more luck installing a signal jammer in your car.
The best you can hope for is a rootkit and some Linux-based OS for cars to be developed so you can take full control.
i fucking KNEW we would be jailbreaking cars eventually.
and you bet they will come up with locked bootloaders.
FWIW there is a cottage industry for OnStar disable/delete mods for GM vehicles. It can be done, usually without breaking too much else of the car’s electronic functionality.
I’d rather poke the GSM modem with a screwdriver.
if you can find it, and all it’s backups…
Also, jammers are illegal pretty much everywhere.
Cool just like trying to replace a blower motor in a modern car feel free to rip the entire dash out only to find out it has a second antenna all the way in the back underneath the spare tire also behind a tail light which somehow requires you to remove the muffler to get to…
Or just pull this fuse for the module?
brb, i have a muffler, a spare, and the entire dash to remove immediatly.
Not only what that other person said but it would probably void the warranty too.
There’s just no good reason to have anything beyond the radio/nav etc in a car connected to the Internet. Remote start can be done with just the key.
I would say even those don’t need Internet. Navigation can be updated using a USB drive, and I have a phone for audio so I just need bluetooth.
The only network connection I want in my car is to notify emergency services if the airbags go off.
Things like live traffic require a connection though, and Google maps I think does the routing calcs off the device. Most people will use their phone for all that, but the use case is there.
You know what fuck builtin nav. Connect it to my phone and let that be it for navigation.
Plus if you use your phone for nav you can use whatever maps you like. My city is mapped pretty good on openstreetmap so that’s what I use.
And same for music. What year is this 2010?
I like using the built in radio rather than my phone for music, but it doesn’t need an internet connection, just a flash drive.
I suppose I’m a weirdo for not using Spotify like most people nowadays though
I use my phone for music… but i have a 256GB sd card installed in it.
That’s a very subjective take. My friends and family that live in hot climates love the ability to remotely turn on and pre-cool their vehicles. I appreciate being able to check if I remembered to lock the doors.
And by using that internet connected feature you’re 100% handing out your driving info to your car manufacturer, who in turn will sell it to LexisNexis, who in turn will sell it to insurance companies, who in turn will jack up your insurance prices.
Sure, that sucks. But I’m not saying there are zero downsides, I’m specifically countering the argument that there are “no good reasons” with my personal good reasons.
it really depends whether that counts as a good reason. for us the downsides highly outweigh the upsides.
and yes, I know what it’s like to sit in a hot car when I just got back to it on the hot summer day. but I can really wait 2 minutes outside the car when it’s that badMan, I’ll never understand this “car is too hot for me to sit in” to be honest. Lmao. Sounds to me like people are too spoiled and this is something kids say. Come one, you really think of this is as an issue? I don’t even have an ac in my car. It broke over 4 years ago and I never fixed it. But for each their own I guess.
it was a fucking example, man. but there are places where if you left the car in the direct sun on the summer, a few hours later it will have 40-45 °C or so in there.
Man, I’ll never understand this “car is too hot for me to sit in” to be honest.
Probably because you don’t live in a hot climate?
The interior of a car here can get up to 150 degrees. And the bits and bobs inside can get even hotter. I’ve gotten second degree burns from the seatbelt.
Now imagine you’re out exercising for 3 hours in 107 degree heat. Or working for 6-8 hours in it. Getting in that car might literally kill you.
LOL. I don’t live in a hot climate? How about the middle east? Does that sound hot enough? I grew up living in a tent. A literal tent until I was about 20, then my father decided to build a house. Then that house had no power until 2008. And our weather there can get to 130+ easily. So, imagine that heat. Imagine how getting into a car would feel. Here is a photo I took of a thermometer I took in June of 2009. It was around 1 pm. I was on a military base that day. It won’t kill you, you will be fine. Open your windows and wait outside a little so you don’t melt. lol
As I said in my comment, that can be done with the key, no Internet connection needed.
As for the lock thing, I just need to look if my mirrors are folded in or not.
The fob won’t work if you’re deep inside a store, will it? Same for checking the mirrors.
A) you can survive without precooling or set it to start before getting deep into the store.
B)if you want that feature fine, but leave it off everyone else’s car! No cell connections should be installed by default like this. It’s a walking cve list waiting to happen.
Both of those functions have been available via key fob for at least a decade, no internet required. Though yes the range on that can be limited.
I appreciate being able to check if I remembered to lock the doors.
How exactly does that work with a keyfob…?
There are “two-way” remote start kits that have a display on the fob to report back AC state, engine remaining run time, and door lock state. It also helps for making sure the button you pressed actually reached the car.
Thats precisely what I’m referring to- these things being possible when you’re inside of a store, restaurant, or an extreme case like you parked at the airport for a trip.
Some of us still remember Wise Guys and want that range! ;-)
😭
I mean, there are plenty of very good reasons.
My car reminds me if the doors are unlocked or left open. I can adjust the charging speed at any time. I can turn on the HVAC and seat heaters before I leave. I can see my current state of charge. I can see exactly what is happening when my alarm goes off. I can see exactly where it is if it’s stolen. Etc.
You can argue that those are not important to you, personally but I don’t think you can argue that they aren’t good reasons.
I think there are certainly other wireless technologies that are superior in many ways and can supplement or replace the need for internet access in your immediate area.
frankly they aren’t good reasons.
the first bunch provides info and abilities that are only relevant when you are in the car. this is like wanting to know your house’s temperature when you are in the store, or on vacation. what the fuck you do with that information?
the remaining about the alarm and it being stolen, what are you going to do with this? go after them with your 4th car and a shotgun? let’s hope they did not disconnect the batteries…
if you absolutely cannot live without these, you should by an extension that does this, instead of forcing this shit on everyone
what the fuck you do with that information?
I don’t know what “the first bunch” is so I can’t answer that but these are all definitely use while away from the car.
the remaining about the alarm and it being stolen, what are you going to do with this?
Is that a real question? You’re going to figure out why your alarm is going off, and if it’s stolen you’re going to give it to the police so they can recover it…
if you absolutely cannot live without these, you should by an extension that does this
I dunno what an “extension” is but pretty sure it doesn’t exist or can’t do these things.
I don’t know what “the first bunch” is so I can’t answer that but these are all definitely use while away from the car.
sorry, I wanted to mean these:
My car reminds me if the doors are unlocked or left open. I can adjust the charging speed at any time. I can turn on the HVAC and seat heaters before I leave. I can see my current state of charge. I can see exactly what is happening when my alarm goes off
_
Is that a real question? You’re going to figure out why your alarm is going off, and if it’s stolen you’re going to give it to the police so they can recover it…
yes, why do you need a moving, online accessible high quality surveillance camera system is a real question.
I don’t think you need this to report it to the police, the loud alarm and policeman on the road searching for the stolen car has worked well for decades. or at least I haven’t heard of car theft in… a pretty long time, so long that I don’t even remember.I dunno what an “extension” is but pretty sure it doesn’t exist or can’t do these things.
oh it would exist if laws would force car makers to not place unremovable tracking systems in the car by default.
but I that being said, think these tings do exist, in the form of little devices thay you can connect to your car’s OBD port, and they have a GPS receiver and a SIM slot to do it’s job.
None of those features require the Internet to work properly. Manufacturers can implement them (and have in the past) without it.
None of those features require the Internet to work
Yes? They do?
Lol, okay. Which one? Remember that car manufacturers have the ability to put a SIM card in cars.
Lol, okay. Which one?
LOL literally all of them, unless you’re standing near the car.
Remember that car manufacturers have the ability to put a SIM card in cars.
…and they do. That SIM card is useless without internet…
once again, no, they don’t
LOL okay, maybe you’d like to share with the class how any of this works without internet while you’re not near the car?
Or would you just like to insist over and over that it doesn’t while refusing to explain?
I think the point is that there isn’t a good enough reason to put internet in a car that negates the risk of it.
It is like adding lead to food. It’s a cheap sweetener with no calories. You can argue that cheap sweeteners aren’t important to you, but I don’t think you can argue that it isn’t a good reason. It just isn’t a good enough reason to negate the risk.
I think the point is that there isn’t a good enough reason
OK but that’s not what they said.
if its not a good enough reason, that’s literally not a good reason
“Not good enough” = not important to you
“no good reason” = the benefits dont exist.
These are not the same.
Yeah… fuck this shit. This is part of the reason I still drive a nearly 20 year old vehicle. It has features I want, and can’t be stolen via fucking API calls. Absolute insanity.
I think Hyundai/Kia group has done unfathomable damage to their brands. Kia, despite being a budget brand, wants to be seen as a legit competitor to Toyota or at least Nissan. Their corner cutting with the immobilizers and the resulting “USB” theft shit was bad enough. Now this exploit.
They’re just terrible cars. I’ve had two…they were great until they weren’t. I literally had a screw fall out of the headliner the other day bringing it home from a nearly 1000$ exhaust patch/repair. It’s not 10 years old yet and only has 60k miles.
The other one has had the engine replaced already (under warranty thank god).
We are likely replacing both of them next year. I’m never buying a Kia again.
The stats disagree with you, so your anecdotes don’t really mean anything…
Um…sure Kia marketing sure
There’s a reason the resale value is so cheap.
I’m so sad GM killed SAAB. Only decent cars left are Volvo and Subaru. I just wish someone would mass produce a manual transmission EV.
Uh…what? How does a manual transmission work on a direct drive motor?
(And if you really want to do that, drop an electric crate engine in an 80s muscle car. I’m strongly considering it)
Don’t apply physics to a wishlist. That’s not how wishing works. I’m aware it’s not possible, but stick shift is just fun to drive.
For me it would be a 1986 SAAB 900 SPG
I’m sure, for a price, someone could set you up with a placebo stick shift.
Of course it’s possible, electric conversion kits have been around for decades, and only work with manual transmissions. We just need the battery and charging tech applied to conversion kits. Who wants to start up an EV conversion kit company with me?
The issue is the complexity of the bespoke design of drive trains. It’s nigh on impossible to design a “one size fits all” or even “fits a majority” of solutions for a conversion kit that isn’t stupidly expensive.
See: Edison Motors. A Canadian heavy haul truck manufacturer startup that is trying to offer electric conversions for commercial light and medium duty trucks.
I would love to convert my car to an electric, but it’s an automatic so I’d have to spend as much as a new car to convert it.
A drop in ECU replacement and motor/battery would be great, but I doubt the auto industry or the government is going to allow the sale of third party drop in ECUs.
Actually, they do allow (in the US) in an 80’s car. A lot of the regulations around that sort of thing are very relaxed for classics.
just dont make it direct drive. boom.
And lose all that instant torque. No thanks.
thatd be the case for all conversions on old cars that i know of tho
oi look at the brain on this one!
behold 🧠
I had an '11 optima sx, right after the refresh. Beautiful car. Returned the lease on its 3rd engine.
1st one had a spark plug fail and basically melt. Piston seized. Had power, then it didn’t, while doing 60 over a bridge.
2nd one went after an engine mount failed. Block ended up cracking.
Only consolation was that I was paying kia prices, not their over inflated sense of self pricing they try now.
My Toyota with 300k+ miles has cost me $285 in repairs minus maintenance costs. I’ll likely get at least another 100k. Just placing these goalposts here…
I’ve noticed a lot of issues showing up for the Kia and Hyundai cars security wise. I wonder if they’re having issues because there’s more focus on those cars or if their security is really that bad.
Don’t look into South Korean web security. If their cars are as badly designed as their websites… Yikes
The Kia/Hyundai “challenge” where people were stealing their cars with a USB cord is because they opted not to include an immobilizer in US models for a decade. Every other car brand had them as standard. Kia even had them as standard in non US cars, but because the USA stupidly does not have a law about it, they opted to drastically reduce car security to save a few dollars per car.
This has made them prime targets, as people know they make bad security choices whenever they can save a buck.
So a bit of both, I expect.
I’m still amazed that immobilizers aren’t a legal requirement in the USA, and that Kia would remove them from US models just to save a small amount of money.
Both probably. I’m sure a lot of cars have problems like this, but they just haven’t been found and there are already known vulnerabilities to focus on.
Nice writeup
