I was gonna say they still need the fob for the car to actually drive it, but saw it mentioned in the article. I don’t have a Kia (used to, but traded it in because of the immobilizer shit), but my car right now has an app to remote-start, but the car itself won’t let you drive it if you don’t have the fob on you while sitting in the driver’s seat.

The group’s web-based Kia hacking technique doesn’t give a hacker access to driving systems like steering or brakes, nor does it overcome the so-called immobilizer that prevents a car from being driven away, even if its ignition is started. It could, however, have been combined with immobilizer-defeating techniques popular among car thieves or used to steal lower-end cars that don’t have immobilizers.

But yes, that’s just bad security.