Hacking Kia: Remotely controlling cars with just a license plate

Bug bounties, disclosure, and Kia’s security posture

  • Hyundai/Kia have vulnerability disclosure programs but explicitly offer no bounties, unlike some competitors (e.g., Tesla).
  • Some commenters see this as a sign of lower security maturity and of a weaker incentive for researchers to find bugs.
  • Others note Kia did at least work with researchers to fix this specific issue and confirm the exploit hadn’t been seen in the wild (as stated in the article).

Connected cars: convenience vs attack surface

  • Many argue cars should not be internet-connected at all, or that connectivity should be an explicit, removable luxury option.
  • Pro-connectivity voices cite OTA updates, remote lock/unlock, location, and remote climate control as genuinely useful, especially for EVs and extreme climates.
  • Critics reply that most of these can be done via local RF (keyfobs, aftermarket systems) without global internet exposure.
  • Several experiences highlight half-baked implementations: full attack surface with no OTA updates, paywalled remote start, buggy apps and infotainment.

Telematics, tracking, and privacy

  • Concerns that manufacturers (not just Kia) track location and driving data, often behind buried or opt-out consent.
  • EFF and Wired reports are referenced to argue much of this isn’t truly transparent or meaningfully optional.
  • Some want legal rights to physically disable cellular modules; others note even mandated systems (e.g., emergency call in EU, future US impaired-driving tech) embed connectivity by default.

Kia’s broader security and theft issues

  • The new hack is seen as “strike two” after the USB “Kia Boys” immobilizer omission that made many models trivially stealable.
  • Some frame this as corporate negligence; others also blame weak regulation and local policing policies.
  • Kias are still attractive to some for EV architecture (800V, fast charging), but multiple commenters say these incidents deter them from ever buying Kia.

Backend & dealer system design flaws

  • Core weakness: ability to register as a dealer and then query/control any telematics-equipped Kia via VIN, plus easy plate-to-VIN services.
  • Commenters argue for stronger access control (per-vehicle owner authorization, short-lived tokens, audit trails) instead of global dealer access.
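
A sketch of the access-control model the commenters describe, added here as an illustration and not taken from Kia's systems or the original article: a dealer request is allowed only with a signed, short-lived grant that the owner issued for that specific VIN, and every decision is written to an audit log. The key, TTL, function names, and sample VINs are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: a real key would live in a KMS/HSM
GRANT_TTL = 900                       # assumed grant lifetime, in seconds
AUDIT_LOG = []                        # stand-in for an append-only audit store


def _sign(payload: dict) -> str:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_grant(owner_id, dealer_id, vin, actions, now=None):
    """Called only after the registered owner approves this dealer for this VIN."""
    now = time.time() if now is None else now
    payload = {"owner": owner_id, "dealer": dealer_id, "vin": vin,
               "actions": sorted(actions), "exp": int(now) + GRANT_TTL}
    return {"payload": payload, "sig": _sign(payload)}


def authorize(dealer_id, vin, action, grant, now=None):
    """Allow a dealer request only with a valid, unexpired grant for this exact VIN."""
    now = time.time() if now is None else now
    reason = "ok"
    if grant is None:
        reason = "no owner grant"  # dealer status alone never authorizes access
    elif not hmac.compare_digest(_sign(grant["payload"]), grant["sig"]):
        reason = "bad signature"
    elif grant["payload"]["dealer"] != dealer_id:
        reason = "grant issued to another dealer"
    elif grant["payload"]["vin"] != vin:
        reason = "grant is for another vehicle"
    elif action not in grant["payload"]["actions"]:
        reason = "action not in scope"
    elif now >= grant["payload"]["exp"]:
        reason = "grant expired"
    allowed = reason == "ok"
    # Every decision, allowed or denied, is recorded for later review.
    AUDIT_LOG.append({"ts": int(now), "dealer": dealer_id, "vin": vin,
                      "action": action, "allowed": allowed, "reason": reason})
    return allowed
```

Denied entries in the audit log are the useful detection signal here: a dealer account requesting many VINs it holds no grant for stands out immediately.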

Liability and regulation debates

  • Many call for strict product liability for foreseeable security failures that enable theft, stalking, or remote control.
  • Others stress it’s a multi-cause problem: manufacturer choices, regulators, and criminals all play roles.