[HN Gopher] The Apparent Kia Ransomware Hackers Are Demanding Mi...
___________________________________________________________________
The Apparent Kia Ransomware Hackers Are Demanding Millions in
Bitcoin
Author : ourmandave
Score : 84 points
Date : 2021-02-21 21:46 UTC (1 hours ago)
(HTM) web link (www.thedrive.com)
(TXT) w3m dump (www.thedrive.com)
| cblconfederate wrote:
| It's only fitting, bitcoin is decentralized, it wants to kill
| centralized security/locks
| arcticbull wrote:
| I mean how else would ransomware authors demand payment?
| Classical solutions are too easy to trace. This is one of the
| worst byproducts of crypto. Turns out permissionless means people
| you don't want using the system, using the system for things you
| don't want them doing. Who'd have thought.
| sn_master wrote:
| Monero. It's designed to be far less traceable than BTC and many
| exchanges exist online that trade XMR for BTC. I am surprised
| BTC still has this large presence in the black market.
| arcticbull wrote:
| XMR has too little plausible deniability at the onramp and
| offramp, and is getting delisted from exchanges. Like any
| money laundering business the process relies on plausible
| deniability. Think Los Pollos Hermanos.
|
| Monero markets itself to criminals. Bitcoin to speculators
| and ancaps. You can hide your BTC gains by saying you made
| some leveraged trades in Malta. You can't hide your Monero
| gains. Ironically it's what makes it better at its job that
| makes it less useful.
|
| You really want to toe the line.
| kache_ wrote:
| Blockchain analysis makes it extremely difficult to hide
| bitcoin. Not only that, but bitcoin in general can be
| blacklisted/tainted.
| [deleted]
| arcticbull wrote:
| Honest question: does that mean anything on a DEX?
| smabie wrote:
| pretty easy to launder BTC actually using tornado
| vmception wrote:
| You feel that way, but it's not a complete reality.
|
| For more than half a decade many bitcoin invoices have
| actually been paid with Monero and we don't have a way to
| quantify that except to participate in forums where people
| talk about what they do. The merchants wouldn't even know
| if that's what happened.
|
| For every XMR.to that shuts down, another has already risen
| and is just waiting for marketshare.
|
| There are also trusted bridges between blockchains.
|
| And people are still working on trustless bridges
| compatible with Monero, which will really unlock its value
| and make exchanges completely ignorable.
|
| Ultimately the state will never accomplish its goal of
| strongarming the intermediary.
| arcticbull wrote:
| > Ultimately the state will never accomplish its goal of
| strongarming the intermediary.
|
| Wow it's like reading 1984. The uh, first part of course,
| not the end. If you haven't read it I don't want to ruin
| the surprise.
| vmception wrote:
| A non-sequitur.
|
| Monero is compliant with all FATF goals. The state has
| gotten used to surveillance of digital transactions over
| the past 50 years by deputizing financial institutions,
| this was a temporary convenience for them and now digital
| transactions don't require financial institutions, which
| is simply a reversion to a mean with a millennium of
| precedent. For now they can strongarm the intermediary as
| they haven't even noticed that they've just been taking a
| convenience for granted, but the reality is pretty clear:
| the state will have to deter whichever activities they
| don't like by actually investigating and stopping that
| person as regulating/strongarming the intermediary won't
| be a tool they have anymore.
| arcticbull wrote:
| Trust me the boundary between the shadow market and the
| real economy (where such systems would be illegal) is
| where the friction will always be and remain. Trade away,
| have fun, as soon as you try and convert to real money
| they'll come down on you like the sword of Damocles fell.
| The only reason this isn't more frictional is because the
| government has bigger things to worry about. They simply
| don't care about you. The second that changes you'll be
| trading in the digital equivalent of suitcases full of
| prepaid gift cards.
|
| This isn't a new game lol, it's been played to death and
| one side has a lot more experience than the other.
| 8note wrote:
| I'd imagine this is the primary usecase of bitcoin?
|
| Existing transactions cover other usecases just fine
| chrischen wrote:
| For the doubters of bitcoin arguing the lack of utility here it
| is. Hackers may be illegal but they are still part of the global
| economy, providing the service of enforcing security compliance.
| seaman1921 wrote:
| I agree, so are terrorists - more power to them, right!
| [deleted]
| MeinBlutIstBlau wrote:
| In a way it reinforces that the status quo has some kinks
| that could be adjusted every now and then. I'm not saying
| it's good. It's just a feature of humanity.
| Judgmentality wrote:
| I've tried multiple times, including contacting the corporate
| branch of the automaker and talking to multiple dealers, scouring
| the forums, and everything else in an attempt to disconnect my
| car from their online services (in theory, depending on the
| automaker, the hackers can completely brick your car).
|
| My car isn't from Kia, but this is not unique to Kia. I
| eventually personally found the microcontroller and shorted the
| modem myself, after doing extensive work to figure out how to do
| it without breaking anything else.
| reaperducer wrote:
| _I eventually personally found the microcontroller and shorted
| the modem myself_
|
| I would think that breaking the antenna would be easier.
|
| Or are they not that large anymore since car bodies have so
| much plastic in them these days and not so much metal to
| interfere with the signal?
| avmich wrote:
| Wonder how much it would cost to hire an engineer with required
| skills to solve this issue :) . Seems like demand is here...
| ska wrote:
| > I eventually personally found the microcontroller and shorted
| the modem myself,
|
| (perhaps silly?) question - why not just disable the antenna or
| put it in an appropriate faraday cage?
| neolog wrote:
| Would you post a picture of how to do it?
| mullingitover wrote:
| I would wager that this is by design - if you stop making
| payments on your car, they basically have lojack built in that
| would help them repossess it. That's why they make it nearly
| impossible to disable.
| rectang wrote:
| Internet anonymity won't last forever. When it proves impossible
| to prevent escalating economic damage, the pressure to identify
| culprits and hold them criminally responsible will prove
| inexorable.
| codegeek wrote:
| Cars are really going in the wrong direction overall. I do like a
| car with _some_ tech like power windows, memory seats etc but I
| do not want to connect it to the internet. I have my smartphone
| for it already. I want my car to be dumb. Add Key, it works. No
| key, you are locked out and you can call someone to unlock it for
| you.
|
| Btw, not to mention that New Cars are becoming too expensive
| compared to say 15-20 years ago due to all this "tech" while the
| engines are becoming crappy with plastic (shout out to famous
| youtuber Scotty Kilmer if anyone knows him :))
| teclordphrack2 wrote:
| So, is that like 1 bitcoin now?
| vmception wrote:
| Not an impossible future:
|
| The bitcoindollar, negotiated by nation states with hacking
| syndicates to price all their contracts in bitcoin, forcing
| nation states to continually purchase bitcoin and is a key
| demand driver of bitcoin, and vital to diplomacy and hegemonic
| peace.
|
| replace bitcoin with petro. same thing
| userbinator wrote:
| _As we noted previously, it means that many Kia owners may be
| unable to remotely unlock their vehicles or warm them up during
| an especially nasty winter storm hitting much of the country this
| week._
|
| Cars had remote unlock and start _decades_ ago (if not OEM, then
| aftermarket systems were and still are widely available), with
| _zero_ dependence on what appears to be the company's servers.
| The only advantage I can fathom for being able to unlock and
| start a car over the Internet instead of only by being within
| radio range seems more oriented towards attackers and other user-
| hostile scenarios ("your car has now become a subscription,
| please pay to unlock it"). Have we gone backwards...?
| chki wrote:
| > The only advantage I can fathom for being able to unlock and
| start a car over the Internet instead of only by being within
| radio range seems more oriented towards attackers and other
| user-hostile scenarios
|
| Your car might be parked further away than the radio distance,
| especially if you're living in a big city with few parking
| spaces. There are also a lot of scenarios where you are not at
| home but want to preheat your car anyways.
| grawprog wrote:
| The whole idea of an internet connected car that constantly
| 'phones home' without any easy way to bypass or disable is kind
| of mind boggling to me.
|
| I don't understand why after this people weren't in an uproar.
|
| https://www.nytimes.com/2017/09/11/business/tesla-battery-ir...
|
| When Tesla decided generously to temporarily grant residents
| fleeing a hurricane an upgrade that allowed full usage of their
| battery.
|
| People's lives were literally in the hands of an optional,
| upsold firmware softlock.
|
| The fact that it's come to that is completely appalling. When
| the manufacturer of your car has the power to save your life
| because if they didn't they'd suffer bad publicity is
| disgusting.
|
| And the fact is, the only reason why hackers are able to gain
| access to vehicles, the only reason for any of it is because
| companies have decided cars need to be a service provided by
| them so they can keep making money after the initial purchase.
|
| People buy cars so they can travel freely without relying on
| others. Making cars reliant on a third party server for
| something as basic as the ignition goes against the entire
| premise of owning a car.
| ChuckNorris89 wrote:
| _> People's lives were literally in the hands of an optional,
| upsold firmware softlock_
|
| People's lives are literally in the hands of optional
| firmware softlock all the time in medical devices that you
| can find in hospitals. If the hospital doesn't pay for x
| feature or for support technicians to service them, then some
| people could actually die.
|
| Saving lives or not, you can't blame a company for not giving
| you for free features you haven't paid for.
| pie420 wrote:
| That's a really silly and wrong way of looking at it. Tesla
| has done society and you a great service by including
| additional capacity in your car above what you paid for. If
| they choose to let you have it for free, pat on the back for
| them. If not, then it is no different at all from someone
| dying in a Ford Focus that was only front wheel drive where
| all-wheel drive would have saved their lives.
| crocodiletears wrote:
| Is the AWD drivetrain included in the base model?
| bjelkeman-again wrote:
| No. It is only a single motor in the SR model.
| PenguinCoder wrote:
| Yes, it has indeed gone backwards. I refuse to pay for the
| remote start 'subscription'. Utter stupidity.
| chrisseaton wrote:
| > Cars had remote unlock and start decades ago
|
| Do you mean buttons on key fobs? That's not what this is about.
| This is apps on phones that let you access the car. Why would
| you want to do that? Range of the signal, additional
| functionality (you can see the fuel level for example), and you
| don't need to have your key fob to use it.
| faeriechangling wrote:
| Not having your key fob is huge for... Well... Accessibility
| by multiple definitions of the word. ADHD for instance makes
| it very easy to forget your keys and very easy to remember
| your phone.
| ska wrote:
| > Have we gone backwards...?
|
| Sort of. A lot of this is pushed by fleet sales, where it makes
| more sense (to the customer).
| 14 wrote:
| This is what I was thinking as well. It is frustrating to see
| and makes me feel less sympathetic to Kia's situation
| joe_the_user wrote:
| The amazing thing is realizing that despite the increasing
| dangers and actual disasters involved, more and more things are
| going to be put on the Internet.
|
| The equation everywhere is "the cost of the security is always
| too high because the failure of security is always an unusual
| situation and something that _usually works_ and is cheaper
| will win in the marketplace."
|
| _Have we gone backwards._
|
| Yes, expect more of this.
| faeriechangling wrote:
| What's described in the article is not a security problem.
| It's an availability problem. I would argue consumers DO care
| about the availability and I see lots of cloud based systems
| with local fallbacks.
|
| When IKEA introduced cloud devices, IKEA hardly a company
| known for high prices or using expensive stuff in their
| products, they had local fallbacks. Their product is
| competing with the reliability of less expensive devices
| controlled with a light switch. Locks are another case where
| if you reinvent the wheel and get significantly less
| reliability people will be mad.
| PeterisP wrote:
| Availability is 1/3 of what we traditionally define as
| security (Confidentiality, Integrity, & Availability), so
| it definitely is a security problem.
| faeriechangling wrote:
| If Kias don't have a local override using a key or fob (?)
| it's just a simple misapplication of technology. Even where you
| would want to control locks from the internet, security
| concerns be damned, you need a high availability way to open
| the lock locally.
|
| New technologies aren't necessarily robust against
| misapplication
| jgilias wrote:
| I wonder if there are any car manufacturers boasting a 'dumb
| car' lineup. The current trend is pretty worrying. And sadly,
| it seems to get even worse with EVs. For some reason car
| manufacturers seem to want to market their EVs as 'smart-cars'.
| Which I find cringe worthy.
| crocodiletears wrote:
| It's likely a similar situation to televisions. Large fleet
| acquisitions may have the option to request telematics be
| disabled on their vehicles.
|
| Never operated a fleet, though - so that's my speculation.
| navaati wrote:
| There kinda is: Renault has Dacia.
| adav wrote:
| Aren't Dacia cars just facelifted older Renault models with
| the manufacturing moved to markets with cheaper labour?
| sneak wrote:
| We have indeed gone backwards. Most homes and businesses have
| LANs, and yet almost every app works in a client/remote-server
| model, adding dozens of SPOFs where there need not be any.
| tunnuz wrote:
| Honest question, is it a big deal not being able to start your
| car remotely?
| hanche wrote:
| Not for me. (I own a Kia Soul, electric.) Many owners use a
| similar feature to get their car to warm up at a specific time,
| though. I haven't used it myself, though, being too
| disorganized to know ahead of time when I want to use the car.
| But I find it very useful to be able to keep an eye on the
| charging status, so I can return to the car when the battery is
| full enough.
|
| Of course, if the intruders have the means to disable my car
| remotely, that is a much more serious issue.
| crocodiletears wrote:
| Not really, for most functional adults. But it's offensive you
| need the OEM's servers to do it.
| chrisseaton wrote:
| No. People in this thread are (deliberately?) misunderstanding
| and (pretending to?) think it means being able to start them at
| all.
| alfor wrote:
| Bad news for Bitcoin and other crypto
|
| If crypto becomes the payment system for criminals I wonder what
| will happen with crypto.
| yread wrote:
| Perhaps the original article on bleeping computer would be
| better?
|
| https://www.bleepingcomputer.com/news/security/kia-motors-am...
| mensetmanusman wrote:
| Looks like BTC's main value is facilitating ransomware attacks
| smabie wrote:
| Not exactly. Tens of billions of dollars worth of BTC changes
| hands every day and the percentage of transactions associated with
| ransomware is absolutely minuscule.
| mbreese wrote:
| So, let's assume the perpetrators get their ransom in Bitcoin...
| how are they ever going to be able to spend these coins? It's not
| like the transactions are anonymous. So what will the rest of the
| world be able to do about it? Can the target wallets be blocked?
| Monitored?
| vmception wrote:
| the secret that chainanalysis companies won't tell you is that
| they have no idea if the same physical human still owns the
| coins they are following.
|
| watching transactions on a blockchain is a wild goose chase
| that relies on amateurs making stupid mistakes.
| lifeisstillgood wrote:
| Huh? Aren't we following addresses (If you have the private
| key to an account that accepted a ransom, chances are you are
| the same person (or in cahoots enough to be legally in
| trouble))
| ad31mar wrote:
| https://en.bitcoin.it/wiki/CoinJoin
| shiado wrote:
| https://wasabiwallet.io/
| torbital wrote:
| Was Kia using BlackBerry's QNX platform?
| jonplackett wrote:
| Have there been any attempts to deal with this kind of thing
| within Bitcoin? Like, could everyone agree to blacklist specific
| coins that were known to have been paid as ransom? Would it be
| plausible for a large government to introduce regulation to
| demand any proper exchange to refuse coins originating from a
| ransom? Or is that just impossible?
| lifeisstillgood wrote:
| This is probably easier than "normal" money laundering due to
| the traceability of BTC. But it flounders on the usual problems
| of money laundering (for example the biggest money laundering
| locations globally are London and NYC.)
|
| We can solve money laundering but it needs political will -
| write your congressman!
| treeman79 wrote:
| Isn't avoiding regulations one of the main points of Bitcoin?
| avdlinde wrote:
| Maybe, but that doesn't make the question invalid. If a
| majority decides a subset of coins is invalid or should not
| be used, wouldn't that work?
| MattGaiser wrote:
| Is this a big part of why companies are buying up tons of
| bitcoin? Insurance against these kinds of attacks?
| fasteddie31003 wrote:
| I own a 03 Ram 2500 with a 5.9 Cummins engine. It has 250,000
| miles and from the forums it can easily get to 1 million miles.
| There is no infotainment system to show the truck's age, distract
| you, or break from a bad solder joint. I've fixed everything
| myself on that truck from the transmission to the axle seals. The
| vehicle is actually increasing in value because it has a
| grandfathered-in diesel engine. I have no idea why someone would buy a
| car with so many confusers (AVE for computer) that will only give
| you grief down the road (literally).
| jgilias wrote:
| There's a lot of symmetry with farmers buying 40 year old
| tractors. For exactly the same reasons. I really hope the
| pendulum swings the other way if even just a bit. I mean, there
| are still new dumb-phones being made. So maybe there's hope for
| dumb-other-things as well.
| jacquesm wrote:
| Remote unlock is the least of the problems here, the real issue
| is that cars have no business being connected to the vendor's
| servers at all. This could have been entirely solved locally by
| pairing the car to one or more phones using BT/WiFi. How remote
| does it have to be, you don't really want to be able to start
| your car if you're not in WiFi range.
| chrisseaton wrote:
| > Remote unlock is the least of the problems here, the real
| issue is that cars have no business being connected to the
| vendor's servers at all.
|
| Why do you think that? It provides valuable functionality that
| I use, such as journey logging, fuel status, access from an
| app, and so on. You need an intermediate server run by the
| vendor. I can't give it my phone's IP address, can I!
| Jimmc414 wrote:
| I really hate the fact that it would have been so much cheaper
| for them to have just quietly paid the $20 million from the
| outset.
| Jerry2 wrote:
| According to the original article [1] (The Drive one is just a
| poor rewrite), Hyundai is also affected.
|
| > _After the publishing of this story, numerous Hyundai and
| dealership employees contacted BleepingComputer to state that
| Hyundai was also affected by unexplained outages._
|
| > _In emails sent by Hyundai Motors America to Kia dealerships on
| Saturday and seen by BleepingComputer, Hyundai stated that
| multiple systems were down including their internal dealer site,
| hyundaidealer.com._
|
| [1] https://www.bleepingcomputer.com/news/security/kia-motors-am...
| Clewza313 wrote:
| Not surprising, since Hyundai acquired a majority stake in Kia
| in 1998.
___________________________________________________________________
(page generated 2021-02-21 23:00 UTC)