this post was submitted on 27 Sep 2024
43 points (97.8% liked)

Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

top 11 comments
[–] Fiivemacs@lemmy.ca 13 points 1 month ago (2 children)

Probably with every IoT device. Security is always an afterthought.

[–] GhiLA@sh.itjust.works 4 points 1 month ago* (last edited 1 month ago) (1 children)

Oddly enough, the cars will be more secure used since all of those online features will be defunct and abandoned for newer, more "advanced" shitware in ten years.

Continuing the tradition that buying used is always a good idea. Thank you, auto industry.

[–] deafboy@lemmy.world 8 points 1 month ago (1 children)

Mmmm, all those expired domains with known vulnerable API clients still calling them...

Imagine a botnet. Now, imagine a botnet on wheels!

[–] GhiLA@sh.itjust.works 4 points 1 month ago* (last edited 1 month ago) (1 children)

If the data isn't being paid for anymore, they can't connect to anything at all. Is T-Mobile or Verizon or whoever expected to foot the bill ten years down for no reason? There may be some definitions of connecting I'm missing, but I reasoned a data connection over some sort of cellular network.

But then, if it's some hidden proprietary magic on some unused bands, who knows?

[–] 01189998819991197253@infosec.pub 4 points 1 month ago* (last edited 1 month ago) (1 children)

I think it does use cellular. But theoretically, it could use a mesh network of all applicable cars that hops back to some entrance nodes into the manufacturer's network or cheap exit nodes to the broader internet.

Edit, autocorrect

[–] GhiLA@sh.itjust.works 2 points 1 month ago (1 children)

I imagine they're still searching for the network despite not being able to reach anything, so maybe a local hack would be possible near the vehicle, but remotely? Idk.

My personal strategy to avoid this situation is to just not buy a car with those "features". If I can't know before I buy it, then I won't bother to care to know. Keep your secrets, I'll keep my $.

At some level, I'd put the blame of some of this on the consumer.

Something being a scam on some level should be the inherent suspicion of basically everything you intend to purchase. The chances a product is straightforward and trustworthy seem to be far less likely these days than the opposite.

If they're still connected (exit node mesh or otherwise) and the target domain is no longer maintained by the auto manufacturer, then someone else can grab the domain, register it, and the cars will try to connect. Maybe I misunderstood your meaning, but saying a mesh is slow or inaccessible is inaccurate. The whole internet is one giant mesh, and it works fine.

[–] a1studmuffin@aussie.zone 3 points 1 month ago

If the cost of implementing proper security is greater than the cost of the fallout from a serious vulnerability, I think we know how most companies will behave. Just take a look at CrowdStrike's share price, it's recovering nicely.

[–] 01189998819991197253@infosec.pub 7 points 1 month ago (1 children)

Maybe don't award your security to the lowest bidder...

[–] Fox@pawb.social 12 points 1 month ago (1 children)

Better yet, don't connect cars to the internet. Why does everyone care so much about a shitty tablet in the middle of the dash? I am so much happier to not have it.

[–] 01189998819991197253@infosec.pub 5 points 1 month ago* (last edited 1 month ago)

The cellular variant they're talking about and the mesh variant don't provide you internet access, they provide them access to your car and driving data, and you can't control that. It doesn't really give you any benefits.

Edit: and, also, cars shouldn't be internet connected. Nothing will change my mind on that.