Show HN: Control your Hyundai car with Python (opens in new tab)

(github.com)

98 pointssynchronizing3y ago56 comments

56 comments

I worked for a modern car rental company where you just need to download an app to drive a car. The tech was super interesting, there are vendors that sell a box with both gsm and ble interfaces and the cars are fitted with these.

You can send messages through ble or their cloud api / gsm. The app needed to first acquire a token to successfully establish a ble connection.

I'm not saying you can't buffer overflow through ble messages but at least the authentication was solid.

dubswithus3y ago

Zipcar? Or do they use Bluetooth?

grepfru_it3y ago

Zipcar was hilariously easy to bypass/override with physical access. I had access to a local Volvo for almost 3 years until I stopped checking. I never drove the car because of gps and the proliferation of cameras, but I would store random things in the trunk when I was passing by the area

1 more reply

jdmoreira3y ago

No, not Zipcar

synchronizingOP3y ago

I build this for a cron script that queries my car's odometer and then queries CarFax to log my cars price over time on YNAB[1], but it has many uses.

Been thinking - lately - to perhaps also use this package with Google Home, but haven't gotten around to it. Might come in handy fellow Hyundai owners.

[1] https://www.youneedabudget.com

anshumankmr3y ago

Thank god we have normal cars as I have never understood the appeal of a smart car since everything a smart car can do can be done with a halfway decent smartphone.

* by smart car, I am not talking about self driving cars, I am talking about the gimmick of running some Android and iOS apps on one's car

mdp20213y ago

> Thank god we have normal cars

A disconnected car is a requirement by any parameter of sanity given considerations of security including privacy, within a basic right of rejection of absurdity: but for how long will the "privilege" of avoiding lunacy will be granted?

In Europe already one has to have law-mandated (in terms of shipment) hardware modules removed (the "e-call"). For how long non-connected cars will be available on the market? It is even possible that some rogue legislating body will decide that some connected feature should be mandated...

the_biot3y ago

The tragedy is that while it's no doubt possible to remove (or disable) all that tracking junk you don't want from your car, we're still carrying around phones that more often than not are full of tracking crap. And they're even extra useful in cars, since the car's navigation and entertainment systems tend to be crap compared to what phones have.

1 more reply

fragmede3y ago

You're too late. You can't get a non-connected car since about 2016.

4 more replies

aaronbrethorst3y ago

Built in navigation in cars is garbage. So is the built in music app. Letting me play what’s on my iPhone is leaps and bounds better than what a car manufacturer can give me.

kyriakos3y ago

I use Android auto all the time. Having Google maps on cars dashboard is very useful.

GenerocUsername3y ago

Still requires manufacturers to implement correctly which I found my 2022 Subaru Android auto is locked in landscape so it's essentially half-screen... No way to fix

1 more reply

minedwiz3y ago

Suddenly feeling glad that I park my car in a garage with no mobile reception.

icy3y ago

Can someone ELI5 how this works? I understand it's sending requests to some API on some server, but what I don't get is how the car receives these commands. What does the entire end-to-end network look like?

Nextgrid3y ago

The same way your typical shitty IoT device works. There’s an internet-connected module that receives messages from the cloud and then emits the equivalent messages onto the CAN bus or some other bus connected to the BCM or whatever you want to control remotely.

jdmoreira3y ago

A lot of new cars are sold with a gsm module that you don't control

badrabbit3y ago

If you get phished or something, can attackers use this to turn off the car while driving? Or something lesd harmful like keep it on while you're at work and drain gas.

V__3y ago

Maybe. There was a vulnerability [1] with BlueLink and that could have been an attack vector, but the article mentions:

> The attack can’t be done at scale, because the local network that the vehicle owner is using would have to be infiltrated by the attacker.

Wikipedia says BlueLink uses Bluetooth [2]. So I'm not sure what connection is actually used, but if it's Bluetooth/local wifi and there are no further security bugs, then it would be unlikely that someone else could connect to the car in the first place.

[1] https://www.tomshardware.com/news/hyundai-blue-link-vulnerab... [2] https://en.wikipedia.org/wiki/Hyundai_Blue_Link

synchronizingOP3y ago

I can't speak on older BlueLink cars (article is from 2017), but my 2021 Elantra has GSM built-in and the commands are sent/received through the web - no bluetooth at all.

1 more reply

badrabbit3y ago

Makes sense. I thought it was done over the internet when U saw login().

srvmshr3y ago

It reminds me of the slightly funny incident when my brother's boss got stuck midway on the road to his destination, because his Fiskar Karma was having a firmware update

jacquesm3y ago

I looked at a company in this space and was quite surprised they never thought to check whether the vehicle was in motion during OTA updates. So much for risk assessment...

mdp20213y ago

He should have sued.

aaronbrethorst3y ago

Anyone happen to know if Kia UVO's is based on Hyundai's Bluelink? I'd love to build a more user-friendly iOS app for controlling my Niro EV than Kia Connect :P

marsokod3y ago

It is exactly the same. You have many modules for Home Assistant (through HACS, none is an official module yet) that will use a similar setup.

I use it mostly to track and keep a record of my Niro status.

aaronbrethorst3y ago

Cool, thanks!

steve_mcdougall3y ago

Ooooooo what I really hate about this is that a remote API is called to do this.

It would be considerably less terrifying if this was just canbus messages.

BIG YIKES

redeux3y ago

Having looked into this myself recently, why would I use this project over bluelinky?

https://github.com/Hacksore/bluelinky

tyingq3y ago

I see some differences. The python one can enumerate all cars in the account, the node.js one doesn't have that....you have to specify a VIN. Python one has figured out how to enable specific seat heaters at start, node.js one says "Not sure?", etc.

mrweasel3y ago

Because you really want a Python API?

jmartin26833y ago

Because you’re using Python?

dzhiurgis3y ago

I haven’t studied these much but If your car doesn’t have Bluelink there are things like autopi and probably some others.

hodgesrm3y ago

If you had to pick a single title to summarize the Hacker News ethos, this would be it.

captainkrtek3y ago

This is cool (and terrifying)! :-)

abdouls3y ago

Absolutely haha!

I remember being excited when I could remotely control the lights on my table from school (fun little arduino/rpie + led project).

Now we remotely control cars with REST... Indeed cool and terrifying!

lostmsu3y ago

To save you a click: this is not about being able to drive the car.

2 more replies

throw4573y ago

Hackernews: connected closed proprietary Tesla good. Also hackernews: connected open api Hyundai bad.

blowski3y ago

Hackernews: A community made up of many people with a wide variety of opinions.

throw4573y ago

Nah… if you are not lucky enough to be in a discussion early it’s just one side of the hivemind jerking it and the other side stfu because no one wants to get downvote abused :)

1 more reply

klogvl3y ago

Blinkenlights with Python! I wonder when we'll see "Crash your Tesla with Python". So far, Musk seems to disallow the untyped language based on modifiable nested dictionaries and weird name spaces.

j / k navigate · click thread line to collapse

56 comments

jdmoreira3y ago

You can send messages through ble or their cloud api / gsm. The app needed to first acquire a token to successfully establish a ble connection.

I'm not saying you can't buffer overflow through ble messages but at least the authentication was solid.

dubswithus3y ago

Zipcar? Or do they use Bluetooth?

grepfru_it3y ago

1 more reply

jdmoreira3y ago

No, not Zipcar

synchronizingOP3y ago

I build this for a cron script that queries my car's odometer and then queries CarFax to log my cars price over time on YNAB[1], but it has many uses.

Been thinking - lately - to perhaps also use this package with Google Home, but haven't gotten around to it. Might come in handy fellow Hyundai owners.

[1] https://www.youneedabudget.com

anshumankmr3y ago

Thank god we have normal cars as I have never understood the appeal of a smart car since everything a smart car can do can be done with a halfway decent smartphone.

* by smart car, I am not talking about self driving cars, I am talking about the gimmick of running some Android and iOS apps on one's car

mdp20213y ago

> Thank god we have normal cars

the_biot3y ago

1 more reply

fragmede3y ago

You're too late. You can't get a non-connected car since about 2016.

4 more replies

aaronbrethorst3y ago

Built in navigation in cars is garbage. So is the built in music app. Letting me play what’s on my iPhone is leaps and bounds better than what a car manufacturer can give me.

kyriakos3y ago

I use Android auto all the time. Having Google maps on cars dashboard is very useful.

GenerocUsername3y ago

Still requires manufacturers to implement correctly which I found my 2022 Subaru Android auto is locked in landscape so it's essentially half-screen... No way to fix

1 more reply

minedwiz3y ago

Suddenly feeling glad that I park my car in a garage with no mobile reception.

icy3y ago

Nextgrid3y ago

jdmoreira3y ago

A lot of new cars are sold with a gsm module that you don't control

badrabbit3y ago

If you get phished or something, can attackers use this to turn off the car while driving? Or something lesd harmful like keep it on while you're at work and drain gas.

V__3y ago

Maybe. There was a vulnerability [1] with BlueLink and that could have been an attack vector, but the article mentions:

> The attack can’t be done at scale, because the local network that the vehicle owner is using would have to be infiltrated by the attacker.

[1] https://www.tomshardware.com/news/hyundai-blue-link-vulnerab... [2] https://en.wikipedia.org/wiki/Hyundai_Blue_Link

synchronizingOP3y ago

I can't speak on older BlueLink cars (article is from 2017), but my 2021 Elantra has GSM built-in and the commands are sent/received through the web - no bluetooth at all.

1 more reply

badrabbit3y ago

Makes sense. I thought it was done over the internet when U saw login().

srvmshr3y ago

It reminds me of the slightly funny incident when my brother's boss got stuck midway on the road to his destination, because his Fiskar Karma was having a firmware update

jacquesm3y ago

I looked at a company in this space and was quite surprised they never thought to check whether the vehicle was in motion during OTA updates. So much for risk assessment...

mdp20213y ago

He should have sued.

aaronbrethorst3y ago

Anyone happen to know if Kia UVO's is based on Hyundai's Bluelink? I'd love to build a more user-friendly iOS app for controlling my Niro EV than Kia Connect :P

marsokod3y ago

It is exactly the same. You have many modules for Home Assistant (through HACS, none is an official module yet) that will use a similar setup.

I use it mostly to track and keep a record of my Niro status.

aaronbrethorst3y ago

Cool, thanks!

steve_mcdougall3y ago

Ooooooo what I really hate about this is that a remote API is called to do this.

It would be considerably less terrifying if this was just canbus messages.

BIG YIKES

redeux3y ago

Having looked into this myself recently, why would I use this project over bluelinky?

https://github.com/Hacksore/bluelinky

tyingq3y ago

mrweasel3y ago

Because you really want a Python API?

jmartin26833y ago

Because you’re using Python?

dzhiurgis3y ago

I haven’t studied these much but If your car doesn’t have Bluelink there are things like autopi and probably some others.

hodgesrm3y ago

If you had to pick a single title to summarize the Hacker News ethos, this would be it.

captainkrtek3y ago

This is cool (and terrifying)! :-)

abdouls3y ago

Absolutely haha!

I remember being excited when I could remotely control the lights on my table from school (fun little arduino/rpie + led project).

Now we remotely control cars with REST... Indeed cool and terrifying!

lostmsu3y ago

To save you a click: this is not about being able to drive the car.

2 more replies

throw4573y ago

Hackernews: connected closed proprietary Tesla good. Also hackernews: connected open api Hyundai bad.

blowski3y ago

Hackernews: A community made up of many people with a wide variety of opinions.

throw4573y ago

Nah… if you are not lucky enough to be in a discussion early it’s just one side of the hivemind jerking it and the other side stfu because no one wants to get downvote abused :)

1 more reply

klogvl3y ago

Blinkenlights with Python! I wonder when we'll see "Crash your Tesla with Python". So far, Musk seems to disallow the untyped language based on modifiable nested dictionaries and weird name spaces.

j / k navigate · click thread line to collapse