An emergency software update is underway for car manufacturers Hyundai and Kia after a TikTok hack revealed an easy way to steal the vehicles.
TikTok-inspired car theft.
Car manufacturers Hyundai and Kia have rolled out free theft-deterrent software for vehicles that don’t have an immobilize, the United States Department of Transportation (NHTSA) said in a press release on Tuesday.
Grand Theft Auto: not just a video game, but now also a video challenge.
Social media giant TikTok, known for its short-form video format, has seen the promotion of a so-called “Kia Challenge,” observed since July of last year in which users share “videos showing how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire [the] car,” Bleeping Computer wrote yesterday. This “challenge” saw such a great level of virality that Los Angeles, California saw an 85% increase in Kia and Hyundai thefts in 2022, with Chicago seeing a nine-time increase for the same brands.
Capabilities of the manufacturer’s software update.
The issue resides within a flaw in the vehicles’ “turn-key-to-start" system that allows for bypassing of “the immobilizer that verifies the authenticity of the code in the key's transponder to the car's ECU. This allows thieves to forcibly activate the ignition cylinder using any USB cable to start the vehicle,” Bleeping Computer recounted. The NHTSA says that the update provides an extended alarm duration, from 30 seconds to one minute, and requires a physical key in the ignition to start. This initial rollout will impact 2017-2020 Elantra, 2015-2019 Sonata, and 2020-2021 Venue car models. More updates are anticipated in June, with that second rollout providing an update for other car models.
Expert commentary on hacking vehicles.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the increasing computerization of vehicles:
"Vehicles are increasingly becoming more computerized and subject to hacking than ever before. Pandora's glove compartment box has been opened and it's never going to be closed. Every vehicle manufacturer will be dealing with hacking and how to mitigate various hacking attacks for the rest of their existence. Only time will tell if one vehicle manufacturer does cybersecurity better than another. I think the key thing they will be focusing on is preventing hacking of critical systems as their prime objective. They want to prevent vehicles from being stolen and from having their critical systems from being hijacked. That's what's most important. It's less important if a hacker messes with a customer's music station settings. That would be annoying and the vehicle manufacturer and customer doesn't want that either, but in this brave new world, the first order of business is preventing the very worst abuses. I think vehicle manufacturers, overall, will do a decent job of doing that. Let's hope they do a better job at preventing hackers and malware than what has happened in nearly every other previous platform (i.e., PCs, mobile phones, IoT, etc.). I actually have confidence that vehicle manufacturers will figure it out better than the past paradigm shift leaders did. They have to. Unlike my mobile phone being hacked, my car being hacked could more easily be a matter of life and death."