Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will—the latest in a plague of web bugs that’s affected a dozen carmakers.

  • deafboy@lemmy.world
    7 · 3 months ago

    Mmmm, all those expired domains with known vulnerable API clients still calling them…

    Imagine a botnet. Now, imagine a botnet on wheels!

    • GHiLA@sh.itjust.works
      4 · 3 months ago

      If the data isn’t being paid for anymore, they can’t connect to anything at all. Is T-Mobile or Verizon or whoever expected to foot the bill ten years down for no reason? There may be some definitions of connecting I’m missing, but I reasoned a data connection over some sort of cellular network.

      But then, if it’s some hidden proprietary magic on some unused bands, who knows?

      • 𝕸𝖔𝖘𝖘@infosec.pub
        4 · 3 months ago

        I think it does use cellular. But theoretically, it could use a mesh network of all applicable cars that hops back to some entrance nodes into the manufacturer’s network or cheap exit nodes to the broader internet.

        Edit, autocorrect

        • GHiLA@sh.itjust.works
          2 · 3 months ago

          I imagine they’re still searching for the network despite not being able to reach anything, so maybe a local hack would be possible near the vehicle, but remotely? Idk.

          My personal strategy to avoid this situation is to just not buy a car with those “features”. If I can’t know before I buy it, then I won’t bother to care to know. Keep your secrets, I’ll keep my $.

          At some level, I’d put the blame of some of this on the consumer.

          Something being a scam on some level should be the inherent suspicion of basically everything you intend to purchase. The chances a product is straightforward and trustworthy seem to be far less likely these days than the opposite.

          • 𝕸𝖔𝖘𝖘@infosec.pub
            1 · 3 months ago

            If they’re still connected (exit-node mesh or otherwise) and the target domain is no longer maintained by the auto manufacturer, then someone else can grab the domain, register it, and the cars will try to connect. Maybe I misunderstood your meaning, but saying a mesh is slow or inaccessible is inaccurate. The whole internet is one giant mesh, and it works fine.