[HN Gopher] The Apparent Kia Ransomware Hackers Are Demanding Mi...
___________________________________________________________________
The Apparent Kia Ransomware Hackers Are Demanding Millions in Bitcoin
Author : ourmandave
Score : 84 points
Date : 2021-02-21 21:46 UTC (1 hours ago)
(HTM) web link (www.thedrive.com)
(TXT) w3m dump (www.thedrive.com)
| cblconfederate wrote:
| It's only fitting, bitcoin is decentralized, it wants to kill centralized security/locks
| arcticbull wrote:
| I mean how else would ransomware authors demand payment? Classical solutions are too easy to trace. This is one of the worst byproducts of crypto. Turns out permissionless means people you don't want using the system, using the system for things you don't want them doing. Who'd have thought.
| sn_master wrote:
| Monero. It's designed to be far less traceable than BTC and many exchanges exist online that trade XMR for BTC. I am surprised BTC still has this large presence in the black market.
| arcticbull wrote:
| XMR has too little plausible deniability at the onramp and offramp, and is getting delisted from exchanges. Like any money laundering business the process relies on plausible deniability. Think Los Pollos Hermanos.
|
| Monero markets itself to criminals. Bitcoin to speculators and ancaps. You can hide your BTC gains by saying you made some leveraged trades in Malta. You can't hide your Monero gains. Ironically it's what makes it better at its job that makes it less useful.
|
| You really want to toe the line.
| kache_ wrote:
| Blockchain analysis makes it extremely difficult to hide bitcoin. Not only that, but bitcoin in general can be blacklisted/tainted.
| [deleted]
| arcticbull wrote:
| Honest question: does that mean anything on a DEX?
| smabie wrote:
| pretty easy to launder BTC actually using tornado
| vmception wrote:
| You feel that way, but it's not a complete reality.
|
| For more than half a decade many bitcoin invoices have actually been paid with Monero and we don't have a way to quantify that except to participate in forums where people talk about what they do. The merchants wouldn't even know if that's what happened.
|
| For every XMR.to that shuts down, another has already risen and is just waiting for marketshare.
|
| There are also trusted bridges between blockchains.
|
| And people are still working on trustless bridges compatible with Monero, which will really unlock its value and make exchanges completely ignorable.
|
| Ultimately the state will never accomplish its goal of strongarming the intermediary.
| arcticbull wrote:
| > Ultimately the state will never accomplish its goal of strongarming the intermediary.
|
| Wow it's like reading 1984. The uh, first part of course, not the end. If you haven't read it I don't want to ruin the surprise.
| vmception wrote:
| A non-sequitur.
|
| Monero is compliant with all FATF goals. The state has gotten used to surveillance of digital transactions over the past 50 years by deputizing financial institutions, this was a temporary convenience for them and now digital transactions don't require financial institutions, which is simply a reversion to a mean with a millennium of precedent. For now they can strongarm the intermediary as they haven't even noticed that they've just been taking a convenience for granted, but the reality is pretty clear: the state will have to deter whichever activities they don't like by actually investigating and stopping that person as regulating/strongarming the intermediary won't be a tool they have anymore.
| arcticbull wrote:
| Trust me the boundary between the shadow market and the real economy (where such systems would be illegal) is where the friction will always be and remain.
| Trade away, have fun, as soon as you try and convert to real money they'll come down on you like the sword of Damocles fell. The only reason this isn't more frictional is because the government has bigger things to worry about. They simply don't care about you. The second that changes you'll be trading in the digital equivalent of suitcases full of prepaid gift cards.
|
| This isn't a new game lol, it's been played to death and one side has a lot more experience than the other.
| 8note wrote:
| I'd imagine this is the primary usecase of bitcoin?
|
| Existing transactions cover other usecases just fine
| chrischen wrote:
| For the doubters of bitcoin arguing the lack of utility here it is. Hackers may be illegal but they are still part of the global economy, providing the service of enforcing security compliance.
| seaman1921 wrote:
| I agree, so are terrorists - more power to them, right!
| [deleted]
| MeinBlutIstBlau wrote:
| In a way it reinforces that the status quo has some kinks that could be adjusted every now and then. I'm not saying it's good. It's just a feature of humanity.
| Judgmentality wrote:
| I've tried multiple times, including contacting the corporate branch of the automaker and talking to multiple dealers, scouring the forums, and everything else in an attempt to disconnect my car from their online services (in theory, depending on the automaker, the hackers can completely brick your car).
|
| My car isn't from Kia, but this is not unique to Kia. I eventually personally found the microcontroller and shorted the modem myself, after doing extensive work to figure out how to do it without breaking anything else.
| reaperducer wrote:
| _I eventually personally found the microcontroller and shorted the modem myself_
|
| I would think that breaking the antenna would be easier.
|
| Or are they not that large anymore since car bodies have so much plastic in them these days and not so much metal to interfere with the signal?
| avmich wrote:
| Wonder how much it would cost to hire an engineer with required skills to solve this issue :) . Seems like demand is here...
| ska wrote:
| > I eventually personally found the microcontroller and shorted the modem myself,
|
| (perhaps silly?) question - why not just disable the antenna or put it in an appropriate faraday cage?
| neolog wrote:
| Would you post a picture of how to do it?
| mullingitover wrote:
| I would wager that this is by design - if you stop making payments on your car, they basically have lojack built in that would help them repossess it. That's why they make it nearly impossible to disable.
| rectang wrote:
| Internet anonymity won't last forever. When it proves impossible to prevent escalating economic damage, the pressure to identify culprits and hold them criminally responsible will prove inexorable.
| codegeek wrote:
| Cars are really going in the wrong direction overall. I do like a car with _some_ tech like power windows, memory seats etc but I do not want to connect it to the internet. I have my smartphone for it already. I want my car to be dumb. Add Key, it works. No key, you are locked out and you can call someone to unlock it for you.
|
| Btw, not to mention that New Cars are becoming too expensive compared to say 15-20 years ago due to all this "tech" while the engines are becoming crappy with plastic (shout out to famous youtuber Scotty Kilmer if anyone knows him :))
| teclordphrack2 wrote:
| So, is that like 1 bitcoin now?
| vmception wrote:
| Not an impossible future:
|
| The bitcoindollar, negotiated by nation states with hacking syndicates to price all their contracts in bitcoin, forcing nation states to continually purchase bitcoin and is a key demand driver of bitcoin, and vital to diplomacy and hegemonic peace.
|
| replace bitcoin with petro. same thing
| userbinator wrote:
| _As we noted previously, it means that many Kia owners may be unable to remotely unlock their vehicles or warm them up during an especially nasty winter storm hitting much of the country this week._
|
| Cars had remote unlock and start _decades_ ago (if not OEM, then aftermarket systems were and still are widely available), with _zero_ dependence on what appears to be the company's servers. The only advantage I can fathom for being able to unlock and start a car over the Internet instead of only by being within radio range seems more oriented towards attackers and other user-hostile scenarios ("your car has now become a subscription, please pay to unlock it"). Have we gone backwards...?
| chki wrote:
| > The only advantage I can fathom for being able to unlock and start a car over the Internet instead of only by being within radio range seems more oriented towards attackers and other user-hostile scenarios
|
| Your car might be parked further away than the radio distance, especially if you're living in a big city with few parking spaces. There are also a lot of scenarios where you are not at home but want to preheat your car anyways.
| grawprog wrote:
| The whole idea of an internet connected car that constantly 'phones home' without any easy way to bypass or disable is kind of mind boggling to me.
|
| I don't understand why after this people weren't in an uproar.
|
| https://www.nytimes.com/2017/09/11/business/tesla-battery-ir...
|
| When Tesla decided generously to temporarily grant residents fleeing a hurricane an upgrade that allowed full usage of their battery.
|
| People's lives were literally in the hands of an optional, upsold firmware softlock.
|
| The fact that it's come to that is completely appalling. When the manufacturer of your car has the power to save your life because if they didn't they'd suffer bad publicity is disgusting.
|
| And the fact is, the only reason why hackers are able to gain access to vehicles, the only reason for any of it is because companies have decided cars need to be a service provided by them so they can keep making money after the initial purchase.
|
| People buy cars so they can travel freely without relying on others. Making cars reliant on a third party server for something as basic as the ignition goes against the entire premise of owning a car.
| ChuckNorris89 wrote:
| _> People's lives were literally in the hands of an optional, upsold firmware softlock_
|
| People's lives are literally in the hands of optional firmware softlock all the time in medical devices that you can find in hospitals. If the hospital doesn't pay for x feature or for support technicians to service them, then some people could actually die.
|
| Saving lives or not, you can't blame a company for not giving you for free features you haven't paid for.
| pie420 wrote:
| That's a really silly and wrong way of looking at it. Tesla has done society and you a great service by including additional capacity in your car above what you paid for. If they choose to let you have it for free, pat on the back for them. If not, then it is no different at all from someone dying in a Ford Focus that was only front wheel drive where all-wheel drive would have saved their lives.
| crocodiletears wrote:
| Is the AWD drivetrain included in the base model?
| bjelkeman-again wrote:
| No. It is only a single motor in the SR model.
| PenguinCoder wrote:
| Yes, it has indeed gone backwards. I refuse to pay for the remote start 'subscription'. Utter stupidity.
| chrisseaton wrote:
| > Cars had remote unlock and start decades ago
|
| Do you mean buttons on key fobs? That's not what this is about. This is apps on phones that let you access the car. Why would you want to do that?
| Range of the signal, additional functionality (you can see the fuel level for example), and you don't need to have your key fob to use it.
| faeriechangling wrote:
| Not having your key fob is huge for... Well... Accessibility by multiple definitions of the word. ADHD for instance makes it very easy to forget your keys and very easy to remember your phone.
| ska wrote:
| > Have we gone backwards...?
|
| Sort of. A lot of this is pushed by fleet sales, where it makes more sense (to the customer).
| 14 wrote:
| This is what I was thinking as well. It is frustrating to see and makes me feel less sympathetic to Kia's situation
| joe_the_user wrote:
| The amazing thing is realizing that despite the increasing dangers and actual disasters involved, more and more things are going to be put on the Internet.
|
| The equation everywhere is "the cost of the security is always too high because the failure of security is always an unusual situation and something that _usually works_ and is cheaper will win in the marketplace."
|
| _Have we gone backwards._
|
| Yes, expect more of this.
| faeriechangling wrote:
| What's described in the article is not a security problem. It's an availability problem. I would argue consumers DO care about the availability and I see lots of cloud based systems with local fallbacks.
|
| When IKEA introduced cloud devices, IKEA hardly a company known for high prices or using expensive stuff in their products, they had local fallbacks. Their product is competing with the reliability of less expensive devices controlled with a light switch. Locks are another case where if you reinvent the wheel and get significantly less reliability people will be mad.
| PeterisP wrote:
| Availability is 1/3 of what we traditionally define as security (Confidentiality, Integrity, & Availability), so it definitely is a security problem.
| faeriechangling wrote:
| If Kias don't have a local override using a key or fob (?)
| it's just a simple misapplication of technology. Even where you would want to control locks from the internet, security concerns be damned, you need a high availability way to open the lock locally.
|
| New technologies aren't necessarily robust against misapplication
| jgilias wrote:
| I wonder if there are any car manufacturers boasting a 'dumb car' lineup. The current trend is pretty worrying. And sadly, it seems to get even worse with EVs. For some reason car manufacturers seem to want to market their EVs as 'smart-cars'. Which I find cringe worthy.
| crocodiletears wrote:
| It's likely a similar situation to televisions. Large fleet acquisitions may have the option to request telematics be disabled on their vehicles.
|
| Never operated a fleet, though - so that's my speculation.
| navaati wrote:
| There kinda is: Renault has Dacia.
| adav wrote:
| Aren't Dacia cars just facelifted older Renault models with the manufacturing moved to markets with cheaper labour?
| sneak wrote:
| We have indeed gone backwards. Most homes and businesses have LANs, and yet almost every app works in a client/remote-server model, adding dozens of SPOFs where there need not be any.
| tunnuz wrote:
| Honest question, is it a big deal not being able to start your car remotely?
| hanche wrote:
| Not for me. (I own a Kia Soul, electric.) Many owners use a similar feature to get their car to warm up at a specific time, though. I haven't used it myself, though, being too disorganized to know ahead of time when I want to use the car. But I find it very useful to be able to keep an eye on the charging status, so I can return to the car when the battery is full enough.
|
| Of course, if the intruders have the means to disable my car remotely, that is a much more serious issue.
| crocodiletears wrote:
| Not really, for most functional adults. But it's offensive you need the OEM's servers to do it.
| chrisseaton wrote:
| No.
| People in this thread are (deliberately?) misunderstanding and (pretending to?) think it means being able to start them at all.
| alfor wrote:
| Bad news for Bitcoin and other crypto
|
| If crypto becomes the payment system for criminals I wonder what will happen with crypto.
| yread wrote:
| Perhaps the original article on bleeping computer would be better?
|
| https://www.bleepingcomputer.com/news/security/kia-motors-am...
| mensetmanusman wrote:
| Looks like BTC's main value is facilitating ransomware attacks
| smabie wrote:
| Not exactly. Tens of billions of dollars worth of BTC changes hands every day and the percentage of transactions associated with ransomware is absolutely minuscule.
| mbreese wrote:
| So, let's assume the perpetrators get their ransom in Bitcoin... how are they ever going to be able to spend these coins? It's not like the transactions are anonymous. So what will the rest of the world be able to do about it? Can the target wallets be blocked? Monitored?
| vmception wrote:
| the secret that chainanalysis companies won't tell you is that they have no idea if the same physical human still owns the coins they are following.
|
| watching transactions on a blockchain is a wild goose chase that relies on amateurs making stupid mistakes.
| lifeisstillgood wrote:
| Huh? Aren't we following addresses (If you have the private key to an account that accepted a ransom, chances are you are the same person (or in cahoots enough to be legally in trouble)
| ad31mar wrote:
| https://en.bitcoin.it/wiki/CoinJoin
| shiado wrote:
| https://wasabiwallet.io/
| torbital wrote:
| Was Kia using BlackBerry's QNX platform?
| jonplackett wrote:
| Have there been any attempts to deal with this kind of thing within Bitcoin? Like, could everyone agree to blacklist specific coins that were known to have been paid as ransom?
| Would it be plausible for a large government to introduce regulation to demand any proper exchange to refuse coins originating from a ransom? Or is that just impossible?
| lifeisstillgood wrote:
| This is probably easier than "normal" money laundering due to the traceability of BTC. But it flounders on the usual problems of money laundering (for example the biggest money laundering locations globally are London and NYC.)
|
| We can solve money laundering but it needs political will - write your congressman!
| treeman79 wrote:
| Isn't avoiding regulations one of the main points of Bitcoin?
| avdlinde wrote:
| Maybe, but that doesn't make the question invalid. If a majority decides a subset of coins is invalid or should not be used, wouldn't that work?
| MattGaiser wrote:
| Is this a big part of why companies are buying up tons of bitcoin? Insurance against these kinds of attacks?
| fasteddie31003 wrote:
| I own a 03 Ram 2500 with a 5.9 Cummins engine. It has 250,000 miles and from the forums it can easily get to 1 million miles. There is no infotainment system to show the truck's age, distract you, or break from a bad solder joint. I've fixed everything myself on that truck from the transmission to the axle seals. The vehicle is actually increasing in value because it has a grandfathered in diesel engine. I have no idea why someone would buy a car with so many confusers (AVE for computer) that will only give you grief down the road (literally).
| jgilias wrote:
| There's a lot of symmetry with farmers buying 40 year old tractors. For exactly the same reasons. I really hope the pendulum swings the other way if even just a bit. I mean, there are still new dumb-phones being made. So maybe there's hope for dumb-other-things as well.
| jacquesm wrote:
| Remote unlock is the least of the problems here, the real issue is that cars have no business being connected to the vendors servers at all.
| This could have been entirely solved locally by pairing the car to one or more phones using BT/WiFi. How remote does it have to be, you don't really want to be able to start your car if you're not in WiFi range.
| chrisseaton wrote:
| > Remote unlock is the least of the problems here, the real issue is that cars have no business being connected to the vendors servers at all.
|
| Why do you think that? It provides valuable functionality that I use, such as journey logging, fuel status, access from an app, and so on. You need an intermediate server run by the vendor. I can't give it my phone's IP address, can I!
| Jimmc414 wrote:
| I really hate the fact that it would have been so much cheaper for them to have just quietly paid the $20 million from the outset.
| Jerry2 wrote:
| According to the original article [1] (The Drive one is just a poor rewrite), Hyundai is also affected.
|
| > _After the publishing of this story, numerous Hyundai and dealership employees contacted BleepingComputer to state that Hyundai was also affected by unexplained outages._
|
| > _In emails sent by Hyundai Motors America to Kia dealerships on Saturday and seen by BleepingComputer, Hyundai stated that multiple systems were down including their internal dealer site, hyundaidealer.com._
|
| [1] https://www.bleepingcomputer.com/news/security/kia-motors-am...
| Clewza313 wrote:
| Not surprising, since Hyundai acquired a majority stake in Kia in 1998.
___________________________________________________________________
(page generated 2021-02-21 23:00 UTC)