This won't have nearly the same impact, but when you're considering how vulnerabilities like this might influence your future purchasing decisions, remember that Kia's decision to omit interlocks from their US vehicles (but not Canadian ones!) led to a nationwide epidemic of Kia thefts so large it fed a crime wave, something a number of US cities are suing Kia over. If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
Regarding the Kia Boyz - immobilizers have been mandatory in most of Europe since late 90s, in Canada since 2007.
Basically there is something to put on (lack of) regulations as well as on HKMC.
In the USA, we believe we don't need regulations, the Free Market(tm) will punish corporations that don't behave in a way that benefits their customers!
The problem isn't that we need better locks, but that we need locks at all.
Within my lifetime we've gone from leaving the backdoor unlocked at night and leaving the car keys on the seat (or in the ignition) from being the normal practice to being unthinkable.
We did when I was a kid. Nobody locked their doors in my town. In fact multiple people just had blanks over the holes meant for deadbolts.
Then the local powerplant shut down, and the manufacturing associated with it left as well. The largest employer in the area besides those two moved operations to China. Then methamphetamine became popular and then heroin, too.
Citation needed for the claim any significant fraction of the US population believe that regulations are completely unnecessary.
This runs directly contrary to my lived experience here, so unless you can provide evidence it sure seems like you're just stereotyping an entire nation to engage in ideological warfare.
It doesn't need to be the population believing that regulations are completely unnecessary.
It just needs to be a sufficient number of politicians understanding that their donors and prospective donors find specific regulation of their industry overbearing.
And never an American one after the Pinto, and never a German one after the VW testing scam, and never a Japanese one after the recent safety scandal? I guess you can still get a Jaguar, so your mechanic won't complain.
Even if that’s true, they are clearly nowhere near as “cheap and plenty” as watching a Tik Tok video. The spike in crime was far greater than normal random variation.
Not really. At least not for those immobilizers that don't use "proprietary" ciphers.
Automotive loves security through obscurity until it bites them in the ass.
Today most manufacturers have moved to AES128, which is not cheap to brute force, especially if there is a rolling code (should be the case for many)
But you are right that there are many (older models) that use ciphers with know quick exploits:
TI's DTS40/DTS80 (40/80bit, proprietary cipher, in many cases terrible entropy), models from Toyota, HKMC, Tesla. About 6s to crack in many cases.
NXP's HTAG2 - most commonly used one in the '00s - 48bit proprietary cipher, a lot less exploited in the wild than the TI's disastrous two variants.
Those type of attacks (CAN injections) are very OEM specific, and come from deep insider knowledge, not something you fuck around and find out.
I’m assuming you’re referring to Toyota, but anyways please give direct reference to the attack you’re referring to.
Keep in mind any need for expensive equipment is already a deterrent for many.
We Canucks needs all the features we can get to stop cars from being stolen, without exaggeration a car is stolen in Canada every 5 minutes on average.
> If you've read about carjacking waves in places like Milwaukee and Chicago: that was largely driven by a decision Kia made, which resulted in the nationwide deployment of a giant fleet of "burner" cars that could be stolen with nothing but a bent USB cable.
"A nationwide epidemic of Kia thefts" seems to be a natural consequence of decreased security. However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation. What is the connection of Kia interlocks to carjacking in Milwaukee and Chicago?
> However, that carjacking in Milwaukee and Chicago specifically would follow from a nationwide omission of interlocks is not obvious as the vehicles are easily stolen without the need for personal confrontation.
I think parent-poster means that the easily-stolen cars are being used as tools of carjacking, rather than the targets of it. In particular, carjacking that occurs by somehow provoking a victim to stop on the highway shoulder, a location where attackers can't exactly arrive by foot or bus or bike. That way they don't involve a vehicle that might be observed and traced back to them.
An alternate explanation is that they meant to write something like "theft" and accidentally put down "carjacking" instead.
This is correct, the usual procedure is: steal kia or hyundai with your friends using the no-interlock exploit --> find other cars to carjack (at gunpoint), or individuals to rob --> ditch stolen cars when no longer needed. Exploit no-pursuit policies as needed.
I've posted this point a couple times on HN and I guess I will keep posting until people stop expressing surprise that trivially stealable cars are a precursor to carjackings. I'm not dunking, there's no good reason for people to intuit that! But it's a really important thing to understand.
I'd really like to see a citation for carjackings going up more than any other crime that a stolen car enables.
Cars are hard to fence and if you have a stolen car there's other crimes you can commit that have similar upsides and lower sentences/risks. For example ATMs never run over your buddies or shoot back at you.
I worry that single percentage might be hiding some complexities like a subcategory of cars with a much lower recovery rate, or having the term "recovered" encompassing "as scrap".
Part of what makes it unintuitive is the specificity:
* Why Milwaukee and Chicago instead of everywhere?
* Why carjacking and not a general increase in crimes that could be facilitated by an unassociated car (bank robbery, toll violations, etc)?
The phenomenon started in Milwaukee (the "Kia Boys" challenge), and I happen to live in Chicagoland, which experienced a huge wave of carjackings immediately afterwards. I have one of them recorded on my Nest camera in the alley behind my house. Nothing in particular about those two cities otherwise.
As the sibling points out: it's a broader issue than just carjackings --- but the carjackings themselves were novel, scared the shit out of people in a way that stochastic-seeming strong arm robberies don't. The headline here is: it was a gravely negligent thing for Kia to have done; I hope they lose their shirts.
FWIW the associated crime wave was much broader than carjacking (and I’m actually not aware of a particular increase in carjackings specifically due to the Kia issues but I don’t know) but the Kia issues seem to have started in Milwaukee.
For whatever reason, it became A Thing here more than a year before it went national. Car thefts in Milwaukee more than doubled (entirely due to a stupidly large increase in Kia/Hyundai thefts) and we got a reputation for Kia thefts before it became a national issue
"Places like" include Philadelphia. It's not a closed set, just some examples. I have friends that have had their KIA stolen this way, and others that have outright sold their car to get a different brand due to how prevalent it is here.
I question whether Milwaukee and Chicago are outstanding examples. I looked at a few reputable sources and those cities nor their states seem to be extremes in terms of car theft rates. Most of these law enforcement agencies are not specifically breaking our carjacking.
Random presentation of car theft stats comparing Chicago to a handful of others. We hear a lot about Chicago because many have a vested interest in deflecting discussions about crime. When was the last time you heard about the insane motor vehicle theft rate of Dallas? https://public.tableau.com/shared/W2KZH4JC7?:display_count=y...
Hell Mississippi as a state might soon pass Chicago in murder rate per capita. Chicago last year had a murder rate of 22.85 per 100,000 while Mississippi had a murder rate of 20.7 per 100,000. Louisiana had 19.8 and Alabama had 18.6..
Don't anthropomorphize the lawnmower and blame Kia for this, blame the NHTSA for making it legal to skimp out on immobilizers in the first place. Regulations matter!
The obvious next step is to crawl the whole database of vulnerable Kia cars and create a "ride share" app that shows you the nearest Kia and unlocks it for you.
Wait a moment, the key vulnerability appears to be that anyone could register as a dealer, but also any dealer could lookup information on any Kia even if they didn't sell it or if it was already activated!? That seems insane. What if a dealership employee uses this to stalk an ex or something?
A Kia authorised dealer being able to look up any Kia has some very useful benefits (for the dealer, and thus Kia).
If a customer has moved into the area and you’re now their local dealer they’re more likely to come to you for any problems, including ones involving remote connectivity problems. Being able to see the state of the car on Kia’s systems is important for that.
Is this a tradeoff? Absolutely. Can you make the argument the trade off isn’t worth it? Absolutely. But I don’t think it’s an unfathomably unreasonable decision to have their dealers able to help customers, even if that customer didn’t purchase the car from that dealer.
In my opinion, the better way to design such a thing would be for there to be a private key held in a secure environment inside the car which is used to sign credentials which offer entitlements to some set of features.
So for example, when provisioning the car initially, the dealer would plug into the OBDii port, authenticate to the car itself, and then request that the car sign a JWT (or similar) which contains the new owner's email address or Kia account ID as well as the list of commands that a user is able to trigger.
In your scenario, they would plug into the OBDii port, authenticate to the car, and sign a JWT with a short expiration time that allows them to query whatever they need to know about the car from the Kia servers.
The biggest thing you would lose in this case is the ability for _any_ dealer to geolocate any car that they don't have physical access to, which could have beneficial use cases like tracking a stolen car. On the other hand, you trade that for actual security against any dealership tracking any car without physical access for a huge range of nefarious reasons.
Of course, those use cases like repossessing the car or tracking a stolen vehicle would still be possible. In the former, the bank or dealership could store a token that allows tracking location, with an expiration date a few months after the end of the lease or loan period. In the latter, the customer could track the car directly from their account, assuming they had already signed up at the time the car was stolen.
You could still keep a very limited unauthenticated endpoint available to every dealer that would only answer the question "what is the connection status for this vehicle?" That is a bit of an information leak, but nowhere near as bad as being able to real-time geolocate any vehicle or find any owner's email address just given a VIN.
Those aren’t the only options. It would be trivial change to allow any dealer to request access to any vehicle and have it tied to the active employees SSO or something similar that at least leave an audit trail and prevents such random access. Allowing anyone to be a dealer is the real oversight. They could put some checks in place also to prevent the stalker situation GP mentioned. It’s always going to be possible but reduces risk a lot if employee just has to ask someone else to approve their access request, even if it’s just a rubber stamp process making sure the vehicle is actually in need of some service
This is quite common in Europe. There is normally no special relationship with the original dealer and the service history is centralised for most manufacturers.
That's not a benefit to me if I can't control how someone gets access to my vehicle, dealership or not. If I want a dealership to be able to assist me, I should have to authorize that dealership to have access, and have the power to revoke it at any time. Same for the car manufacturer. It ideally should include some combination of factors including a cryptographic secret in the car, and some secret I control. Transfer of ownership should involve using my car's secret and my car's secret to transfer access to those features.
If you feel like this sound like an asinine level of requirements in order for me to feel okay with this featureset, I'd require the same level of controls for any incredibly expensive, and potentially dangerous liability in my control that has some sort of remote backdoor access via a cloud. All of this "value add" ends up being an expense and a liability to me at the end of the day.
Yeah for some reason I find it so creepy that Kia ties your license plate number to your car's functionality. I don't know why but I feel like those two things should operate exclusively.
License plates are incredibly insecure. They are a short, easy to automatically recognize ID that is expensive to change, and it is a crime to drive while they are covered.
> What if a dealership employee uses this to stalk an ex or something?
Yes, and everyone should remember this the next time these companies and their lobbyist run TV ads telling you that your wives and daughters will be stalked and raped in a parking lot if Right to repair is allowed to pass.
Looks to me like all cars sold by KIA are still owned by KIA. I'm not worried about that exploit at all, it has been fixed. I'm terrified about how much data about a car and therefore about the "owner" is available to KIA. That's totally insane.
Not just KIA. Most if not all major automobile manufacturers track a huge amount of data on the vehicles [and their owners/operators]. For example, many vehicles come with that OnStar thing, and so they have a baseband processor and even LTE as well as a GPS receiver, and it's always on even if you don't pay for the service, which means that the manufacturer gets to know your vehicle's location and all the places you go and the routes you take.
Well, I am already pretty firmly against buying any car that requires you to create an account online to "activate" the vehicle. But I definitely won't buy another Kia anyway, based on the fact that our last one burned a quart of oil every thousand miles WELL before it hit the 100k mark.
As the article says, you don't need an active subscription to be vulnerable. In this case it seems that if the model supports the features at all, you are vulnerable.
This makes sense, because they want people to be able to subscribe to their services later without having to visit the dealership, so they make it possible to remotely enable the service.
I'm not sure if you can buy a tinfoil hat for a car.
It should be possible to physically disable the cellular modem in the vehicle, wherever that is. I have a 2020 Volvo that is definitely online, waiting for me to activate some pricey online subscription that I don't want or need.
Would be nice to have a organized online database of how to disconnect various "smart" devices— cars, TVs, appliances, etc.
In my VW, the cellular modem and something I actually use (I think it's the Bluetooth microphone) are in the same module, so pulling the fuse or disabling it in the CAN gateway would be too heavy-handed. I would need to spend hours getting to, and into, the module. Or maybe replace the antenna with an effective dummy load / terminator? Tons of trim work. Luckily it's old enough to be 2G, and my understanding is most towers no longer speak to it, so I haven't pursued it further.
We tolerated worse gas mileage (computer controlled fuel injection, transmission, etc.), safety (anti-lock brakes), etc. We added computers because we wanted to lessen the effects of climate change and keep more people alive.
I was just going to say the same as it's stated pretty early in the article
> These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
If this should tell companies anything is that most of these services should be opt-in instead of opt-out in favor of security and privacy.
There are no new cars on the market today that don't have a slew of connected """features""", right?
Will it ever be possible to have a non-connected car? If so, how? What would it actually take? This is not a ranty rhetorical question -- I'm actually wondering.
In the U.S., by 2026, all new cars must have a "kill switch", and that includes a remote operation. The requirement is about preventing drunk driving, but it's being interpreted by many to require a kill switch.
> Section 24220, “ADVANCED IMPAIRED DRIVING TECHNOLOGY,” of the Bipartisan Infrastructure Law (BIL), enacted as the Infrastructure Investment and Jobs Act (IIJA), directed that “not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard (FMVSS) under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology.” Further, the issuance of the final rule is subject to subsection (e) “Timing,” which provides for an extension of the deadline if the FMVSS cannot meet the requirements of 49 USC 30111.
Now, I don't see anything in there about a "rmeote switch", and I don't understand how the "remote" bit would work to prevent DUI.
I wonder how well current adaptive cruise control/collision prevention technology works to help someone safely drive drunk. I don't own a car with these features but once rented a 2021 Nissan for a road trip and just set the cruise control to 70 and it would maintain a safe distance from other cars automatically down to like 20 mph iirc. I didn't, but I probably could have been drunk and driven that car without much issue, not that I am advocating for this.
There's probably already a bunch of data being collected about cars parked at e.g. a bar for a few hours that's being used to train some AI to detect driving behaviors associated with drunk driving or something like that.
Don't know about 2024, but my 2023 Honda Civic EX-B (Canadian market) is actually pretty old school. Yes, it has the keyless unlock and even a remote engine start button on the keyfob (can be disabled, thankfully - car is parked inside and we have kids!) But no cellular connectivity, no wifi, and all the touchscreen stuff is "extra icing" - all the controls you need are there in physical form except for some radio and cell phone call functions. Yes, the car may be vulnerable to signal boost kind of attacks (to pretend the keyfob is nearby when it's not) and possibly the "pop off a headlight and get into the CANbus" attack. But no cloud dependency and no way for the cloud to reach in and mess things up. Also, the software it does have seems "debugged" based on a year of using it.
You can pull the fuse on a ford maverick and it physically disables the telemetry. You could also opt out and disable it through the settings. Remote start from your keyfob still works. As expected remote start, seeing where you parked, remotely locking the car through the ford app will not work.
depends how wide is your definition of "connected features". all modern vehicles in the EU are required to have the eCall feature which uses cell to send your location in case of a crash. Since the hardware is in there I have absolutely no faith in car makers/govs to not use it for other purposes (now or in the future) https://en.m.wikipedia.org/wiki/ECall
Well... There is no reason to have a middleman like the OEM, so the car could be connected just with the formal owner (i.e. with a personal subdomain o dyndns), FLOSS stack under users control and some hard limits (like you can't act on the car if it moving and so on).
Sorry no. App unlock is a stupid anti-feature, do people genuinely think it's better than pressing a keyfob?
Remote start is very useful in very cold climates, but guess what, it doesn't need a phone, an app or the internet. My friend in a snowy part of Japan had a radio keyfob that did this literally 10 or more years ago. As long as you were within about 100 ft of the car you could switch it on and turn on the heaters.
Many of the earlier aftermarket remote start kits were cheap and simple because the vehicles had fewer security features. They are more complex and expensive today, and some are questionable in their implementation.
Remote start via phone is still useful in cold climates. While getting a ride with a friend to my car left at some location I've been able to start & get it warmed up before we even got off the highway.
It was nice and warm by the time I arrived to it. With only a keyfob it would have still been ice cold.
Absolutely not a necessary feature, but I miss it (free MyLink subscription expired and I won't pay for it).
For safety, you're really not supposed to remote start a vehicle if you can't observe it / are in contact with someone who is observing it. Lots of potential hazards, but it can be convenient.
Can you give an example of a hazard? I genuinely can't think of one- at least on my car, when you remote start it is still locked so it's not like anyone can get in and drive it away (and even if someone breaks in I don't think it'll go into Drive without a key in the vehicle)
If the tailpipe is restricted (by snow, say), you're likely to damage the car. If it runs poorly when it starts, and it's unsupervised, it could result in damage that would have been avoided if you were present and shut it down in a reasonable amount of time.
If someone is working on the car (authorized or not), they may be injured if it starts without their knowledge.
If it's parked indoors, exhaust gasses are likely to build up, leading to a dangerous situation. If you have multiple drivers, maybe someone else moved it and you didn't know.
With an EV, this isn't a concern. No tailpipe fumes or whatnot to worry about. Also, in pretty much any public space where you would park it (i.e., outside of your own garage), this isn't a concern either.
Locking my car through the app is a genuinely useful feature. Ever parked, left your car, and thought to yourself "damn, did I lock my car?". Just lock it through the app.
I've had to fetch something from my car while my gf had the car keys with her, I could just open it with my phone. It's useful.
Automatic unlock with a phone is not an anti feature. If it replaces your key fob completely, then it’s one less thing you have to carry. I haven’t carried keys of any kind for… 6 years at this point?
Also, remote start/temp control that works no matter the distance as long as there’s internet connectivity is superior to a radio based implementation. There’s plenty of places that are largely RF impermeable, or otherwise distance is too far. If you’re in a store, 100ft is barely any distance, especially with the layers of concrete in the way.
> I haven’t carried keys of any kind for… 6 years at this point?
You do you, of course, but I've absolutely relied on physical keys on numerous occasions over the years even when electronic methods exist.
Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
> Garage door spring broke or power is out, and battery died on your electronic house lock? You're not getting in.
How, exactly, would this happen simultaneously? Any reasonable system should alert you when batteries in your locks are running low. Unless you brazenly disregard those warnings (since, the low battery at least on mine means you still have... weeks left of battery), you will always have access. Also, with multiple entry-points into the house, you'd need ALL door locks to have their batteries die simultaneously. And the power to be out. That's a level of redundancy that is just unreasonable.
> Actually had that conversation about the house with my wife when she didn't carry house keys: do you want to find yourself stuck out of the house while the pets freeze or boil because you didn't just carry a damned key?
In what world would your pets die because you got locked out of the house? You should have AC/heating... and in some sort of power outage event (which, also, would require you to not be home either), your pets are certainly not going to freeze/overheat immediately. In such a crazy unrealistic scenario, breaking a window or drilling out a lock is a straightforward solution. But also, that would require so many multiple events to happen simultaneously (to get to needing to break a window) that it will never reasonably happen.
> Keyless fob ignition car ends up in a very strange state where, even though I have the fob in my hand and the car is running, it won't respond because the doors were locked from the inside by the dog? Happened.
This is a good reason to have your car connected to the internet, you can use your app to turn it off and unlock it.
I use my Tesla app to lock and unlock our vehicles all the time, in all cases outside of RF range. I have a Twilio number wired up I can call, enter a 10 digit code, and it will unlock and enable the vehicle to drive in the event I have lost my phone and keycard. These are material quality of life improvements.
Physical access is required to exploit any unauthorized access to the vehicle. What are you going to do? Steal my change?
Yes, I accept the risk and threat model. RF fobs are compromised frequently as well. Unless you rip the cellular module out of my vehicles, I will find it, and someone is just going to break the window if they want in.
Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
>Edit: Non connected cars for the risk adverse, connected cars for those with the risk appetite. The market will self sort, even if telematics requires more regulatory oversight (they do!).
Seems contradictory. What risk are you actually accepting if we're all forced to kick in for some regulator that protects you from the majority of the risk?
DHS, CISA and NHTSA already exist to provide cyber regulatory mechanisms at the intersection of automotive and telematics or other software/connected scope. If an entity ships shit, apply punitive punishment to the offender (NHTSA forces software updates as recalls today, but can do much more). Software and connectedness is not going away [1] [2], so secure software development, actual QA, and real change management must be strongly encouraged through incentives. "The beatings will continue until the security posture improves."
Of course, with this Kia attack, it didn't matter if you had never used or activated the feature, it was still vulnerable. With keyfobs you can just not use it or destroy it if you are worried about relay attacks.
Connecting every car to the Internet at all times just in case their owners might want to activate a remote start feature at some point is nuts.
Risk/threat I would accept. Leaking data - to telcos by constantly being connected to some cell tower and explicitly to the manufacturer whatever they decide to transmit - is the part I don't like.
Unlock via Bluetooth is perfectly viable without internet connection (unless you mean unlocking it for someone else?). Remote start and temp control should probably work from a few hundred feet away. If only phones had a longer range local radio, perhaps something like Zigbee. Maybe WiFi direct?
Well aren't you a precious little princess. I have none of that. It's very unlikely my early 2000s car will ever be attacked in this manner. I am going to maintain that car as long as possible. Enjoy your ticking time bomb.
If the car manufacturer can remote unlock and start your car for you, it can be abused by a hacker in same way. It's the exact same argument against backdoors in encryption for the government, if a backdoor works for them, it'll work for hackers too.
Why do you give CarPlay credit for those features? No need for CarPlay for any of those. What do you get from CarPlay that you don't get from a connected car without CarPlay?
As a Kia owner, this was what I was hoping for immediate term, FTA: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously."
Kia still has a lot of work to do because of bad decisions, but at least my vehicle isn't ripe for theft/abuse.
> The License Plate to VIN form uses a third-party API to convert license plate number to VIN
I guess that exists to make life easier for police. And because all patrol car laptops nation-wide need this, it really can't be authenticated meaningfully?
EV6 owner here. Scary stuff, but honestly, I'm not shocked. I feel like the EV6 is one of the better available EVs, but is hindered by Kia, based on the experience I've had dealing with the app and the dealerships.
Where's the strict product liability here? Like, if Kia is making a car that's easy to steal and it gets stolen, why isn't that Kia's fault and they're responsible for the damages? We're talking gross negligence here.
There have been demonstrations of hacking cars remotely to gain control of it. You could quite literally kill someone this way. This should 100% be the responsibility of the car maker.
Why do we let these companies get away with poor security? It's well beyond time we hold them financially and legally responsible for foreseeable outcomes from poor security practices.
That doesn't mean any vulnerability incurs liability necessarily. A 0day might not meet the bar for gross negligence. But what if you were told about the vulnerability and refused to upate the software for 2 years because a recall like that costs money? Or what if you released software using versions with known vulnerabilities because you don't want to pay for upgrading all the dependencies?
I have a Kia Niro EV Wind 2024 and just cancelled my account at Kia Connect.
Yes, I felt stupid. But a little less stupid now.
Edit: does anyone know how I could disable Kia's remote access to my car? Is there any antenna I could cover with tin foil or a chip that can be disconnected?
>These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
What if we had laws that required car manufacturers to have software with slightly better quality than the utter syphilitic diarrhea they currently ship?
I think you misunderstood the insinuation.[1] I believe they're suggesting that otherwise legitimate vulnerability concerns are discounted in favor of a laissez faire market policy unless and until the concerns are framed by a xenophobic narrative. IOW, xenophobia trumps capitalism, but not measured security concerns.
[1] But that's why sarcasm is usually frowned upon on HN.
Why would the average consumer car about intelligence of a foreign state? I, for one, have no fear of China presently but the climate in the USA isn't very pro free speech.
They don't (at least, not in peace time), but the US government does. They also buy cars.
Also the concerns of the average consumer aren't a really good barometer for what should be legal. Most consumers gladly sign up for services that violate their privacy, because they don't understand the consequences at the time of purchase. Also people are pretty bad at estimating risks of unknown certainty even when they do know about them. If 'buyer-beware' worked, there would be no need for consumer protection law... but this segment of the law has originated from necessity.
Cars are regulated to high heaven. They don't regulate software quality because the unholy union of big business and government that is the current US auto sector and its regulators have yet to find a way or need to do so that benefits them.
If it only impacted automakers they might do it. However if you apply this standard to cars you will have to apply it to a lot of other sectors. After all why stop at car makers. Why should other appliances not get the same treatment like IoT as well? A lot of other companies would hate to have this standard applied to them hence they lobby against it as well.
reply