Hyundai and Kia, South Korea’s two largest auto manufacturers, are issuing a software update to certain models to prevent a common car theft technique. Some of the Korean car-makers’ models have a USB-A shaped slot that can be exposed by removing the steering column cover, and this slot grants direct access to the engine.
The impacted model types run from 2011 to 2022. The exposure of the hack on social media led to a worldwide rash of car thefts, as the trick does not involve any hacking; the USB-A plug is simply turned like an ignition key to start the engine once it is uncovered. The software update will disable this ignition start method when the factory alarm is enabled, but vehicle owners will have to bring their cars into a dealership for a procedure that is said to take “about an hour.”
About four million of the Korean car-makers’ vehicles impacted by vulnerability
The trick is somewhat reminiscent of a very old method of car theft: using a screwdriver or similar blunt instrument to turn over the ignition. The hack of the Korean car-makers’ models has a couple of extra steps, but is not really any more technically advanced.
The technique became popularized via social media video in 2022, particularly on TikTok and YouTube. Considerate thieves can remove the steering column cover with a screwdriver, but numerous videos demonstrate that the plastic cover is not particularly strong and can simply be ripped off with one’s hands as well. This exposes the ignition cylinder, which has a USB-A shaped slot sitting in it that can be turned over with a USB-A cable head.
There are at least nine known impacted models that use keyed ignitions to start (press-to-start models reportedly do not have the vulnerable port). While there has no doubt been a great deal of theft for profit, taking these models for joyrides also became a phenomenon on social media, one that led to at least 14 crashes and eight fatalities (according to the United States National Highway Traffic Safety Administration).
The Korean car-makers say that this problem can be solved with a software update, and that it will be free. However, it will be rolled out in a “phased approach” set to span several months and it will require owners to bring the car into a dealership. The update will cause the door lock command from the key fob to enable the factory alarm, and while in this state an “ignition kill” command will be enabled until the owner again uses the fob to unlock the doors.
The first wave of updates will secure 2017-2020 Kia Elantras, 2015-2019 Hyundai Sonatas, and 2020-2021 Hyundai Venues, covering about one million cars in total. Future updates will cover additional models of Elantra and Sonata along with Hyundai Accents, Genesis Coupes, Konas, Palisades, Santa Fes, Tucsons and Velosters. The full range of impacted models runs from 2011 to 2022 and spans over eight million vehicles, though only certain years of each specific model are impacted in most cases.
The Korean car-makers say that owners will be contacted about their updates individually when they are ready. In some cases, the vehicles may not have an engine immobilizer installed (an estimate of at least 26,000 in total), in which case the cost of a steering wheel lock will be covered.
Car thefts more common than usual as they become a viral TikTok prank
Particular cities such as Chicago, Los Angeles and Seattle reported even higher rates of theft of the Korean car-makers’ vehicles after this exploit became public knowledge, something broadly attributed to it becoming popular as a viral TikTok prank. In some cases these pranksters did not steal the cars for profit, but took them for dangerous joyrides, often paired with other TikTok antics that put both themselves and other people on the road in danger. Seattle is taking the Korean car-makers to court over the failure to install suitable anti-theft technology in these models.
The Korean car-makers have also said that the software update will extend the length of the alarm sound from 30 seconds to a minute, and that window stickers that announce that the car is no longer vulnerable will also be distributed (something that may not deter thieves from breaking in and checking for themselves, since it is so easy to do).
Kia and Hyundai have something of an extended history of being vulnerable to car theft at this point, with some insurers already having excluded some older models from coverage due to the ease with which they can be stolen. Hyundai did not start making engine immobilizers standard on all models until late 2021, and Kia did not start until 2022. Car and Driver has previously reported that some of these models also have a vulnerability in which the back window can be broken without setting off the car alarm, the usual point of entry for car theft.
Kia first came to the United States in the early 1990s and has not generally been highly targeted for car theft prior to this vulnerability going viral, given its general reputation as a budget brand. Though the brand has worked hard on reliability since its introduction and is now widely viewed as sitting at the top of the industry in that regard, car theft has generally centered on highly durable older models that are easier to break into from Japanese manufacturers such as Toyota, Nissan and Honda, along with specific Chevrolet and Ford models known to be relatively easy to start with brute force.
Roger Grimes, data-driven defense evangelist at KnowBe4, shared some thoughts on what this implies for car security going forward: “Only time will tell if one vehicle manufacturer does cybersecurity better than another. I think the key thing they will be focusing on is preventing hacking of critical systems as their prime objective. They want to prevent vehicles from being stolen and from having their critical systems from being hijacked.”
“Let’s hope they do a better job at preventing hackers and malware than what has happened in nearly every other previous platform (i.e., PCs, mobile phones, IoT, etc.). I actually have confidence that vehicle manufacturers will figure it out better than the past paradigm shift leaders did. They have to. Unlike my mobile phone being hacked, my car being hacked could more easily be a matter of life and death,” noted Grimes.