Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could lookup information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?


A Kia authorised dealer being able to look up any Kia has some very useful benefits (for the dealer, and thus Kia).

If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.

Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.


In my opinion, the better way to design such a thing would be for there to be a private key held in a secure environment inside the car which is used to sign credentials which offer entitlements to some set of features.

So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.

In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.

The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.

Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.

You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.


Those aren’t the only options. It would be trivial change to allow any dealer to request access to any vehicle and have it tied to the active employees SSO or something similar that at least leave an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service


This is quite common in Europe. There is normally no special relationship with the original dealer and the service history is centralised for most manufacturers.


Any stealership shouldn’t be able to lookup information about any active/sold car. These interactions need to have consent (authorization) from car owner. These authorizations should be short lived and can be revoked at any time.

Any of this sound familiar? Yea that’s because it’s a flow (oauth) used by many companies to control access to assets.

Car companies are just not meant to do tech. So common shit like this is ignored.

If these car manufacturers can barely shit out barely usable “infotainment” systems. Why the fuck are they diving into remote access technology?


That's not a benefit to me if I can't control how someone gets access to my vehicle, dealership or not. If I want a dealership to be able to assist me, I should have to authorize that dealership to have access, and have the power to revoke it at any time. Same for the car manufacturer. It ideally should include some combination of factors including a cryptographic secret in the car, and some secret I control. Transfer of ownership should involve using my car's secret and my car's secret to transfer access to those features.

If you feel like this sound like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.


This is absurd. If there was a screen on the infotainment system where you could allow (temporarily!) the local service center of your choice to access your car remotely, fine. Otherwise, no thanks.


> What if a dealership employee uses this to stalk an ex or something?

Yes, and everyone should remember this the next time these companies and their lobbyist run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.


For those who seem to believe I'm exaggerating this:

https://www.youtube.com/watch?v=j0sZpKXMUtA&list=PLhFPpjYO-P...


Yeah for some reason I find it so creepy that Kia ties your license plate number to your car's functionality. I don't know why but I feel like those two things should operate exclusively.


That is incorrect, as per the article Kia ties the VIN number to the car’s functionality. The author used a 3rd party service to convert the license plate number to VIN.


Maybe this? $0.05 per request

https://platetovin.com/about#pricing

But how are they getting the data?


Most states have the data publicly available if you know where to look or how to request.


Uhh this seems like a big fact to gloss over, and something I am quite surprised by. Could you point to any examples as I’m having a hard time finding anything available publicly from any DMVs/states


In Michigan anyone can do a in-person plate lookup for about $15 and it comes back with complete registration information including name and address. VIN and car details as well.


That’s usually the kicker - requests have to be done in person but other than that there’s not much limitation.


The $15 makes this pretty hard to scale too. The link someone posted was $0.05/request. I'd love to see how/where you can get this data in bulk from a primary source.


License plates are incredibly insecure. They are a short, easy to automatically recognize ID that is expensive to change, and it is a crime to drive while they are covered.


What if the internet is used for that?


Security is an afterthought... nobody cares, until shit hits the fan.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: