The headline on the site is a bit misleading. It's not "because of viral TikTok challenge", it's because the software and physical ignition interface is, in fact, totally broken:
"The thefts are reportedly easy to pull off because many 2015-2019 Hyundai and Kia vehicles lack electronic immobilizers that prevent thieves from simply breaking in and bypassing the ignition. The feature is standard equipment on nearly all vehicles from the same period made by other manufacturers."
"Based on research conducted by Donut Media, we see that stealing a Hyundai or a Kia model produced between 2011 and 2021 is astonishingly simple. Folks at Donut Media started this research with a regular screwdriver and a USB cable. They start by unscrewing the steering column case and exposing the wires and the ignition cylinder. Once they pull out the ignition cylinder, they find a twist lever that fits perfectly into the slot of a USB-A cable. Once they connect their spare USB Type-A to the ignition cylinder male port, they rotate the unit in a clockwise motion to find the car starting without a proper car key. "
This is like saying that movies in the 1980s sparked a rash of car thefts because they showed people hotwiring cars all the time.
I could see an argument that the "viral challenge" is forcing them to change it. The manufacturers were aware of the problem, and doing the absolute minimum to address it. They were giving out steering wheel locks and offering to do a software fix for anywhere between $170 and $500. The issue spread through the "tiktok challenge" and that's forced them to make a move toward helping customers.
> "The thefts are reportedly easy to pull off because many 2015-2019 Hyundai and Kia vehicles lack electronic immobilizers that prevent thieves from simply breaking in and bypassing the ignition. The feature is standard equipment on nearly all vehicles from the same period made by other manufacturers."
It's more than that.
It's a combination of a lack of electronic immobilizer and putting the mechanical component behind a piece of plastic.
If they really want to save pennies on the immobilizer, they can move the mechanical piece further down the steering column
The proliferation of knowledge about how easy it was to do this, and the resulting subcultural trend, is the reason they are being forced to change it. Otherwise, people would be stealing them at the same rates they were before the recent trend.
From what I've gathered, "Viral TikTok Challenge" and its variations are sleeper-agent activation phrases for news editors which make them automatically accept the next story pitch you give them.
Back in the '80s and '90s, many computer vendors like Sun and IBM shipped their systems with radically broken security configs, not to mention holes in their software. Often, the only way to get them to fix their problems was to make their problems very public. Hence, BUGTRAQ.
if this is what it took to get two large multinational automakers to capitulate to basic theft immobilization in their vehicles to protect customers, perhaps we should reconsider the 'tiktok is objective evil' narrative.
I just bought a 23 Kia Telluride (was also looking at palisades) to upgrade my 05 outback; I did extensive research, and ended up zoning in on Hyundai-Kia specifically because their electronics are so 'hackable,' while still containing all the cutting edge sensors.
I think it is going to be a tiny sliver of cars that are allowed to get away with having a vehicle be able to be controlled like a remote control from a completely unencrypted, trivially intercepted-and-changed protocol. In the future I suspect if manufacturers want to put these features on cars, they will have to protect the communication between the different systems.
More than 3,000 cars have been reported stolen in Minneapolis this year, including 432 Kias and 368 Hyundais. Officers are warning people to do what they can to protect their vehicles because this year, an average of 13 cars are stolen each day.
Prior to this spring, Hondas, Toyotas, Chevys, and Fords were the most common cars stolen in Minneapolis. But as word spread on social media this year about how easy Kias and Hyundais are to steal, they now account for more car thefts.
I'm pretty sure that steering wheel locks were required by law starting in the 1970s. Does this process bypass the steering wheel lock somehow? Or do these cars not have steering wheel locks?
From what I know all of this originated in Milwaukee with the original "Kia Boyz"[0]. It's been going on there for years - to the point where I've seen wedding invitations that explicitly state not to bring a Kia/Hyundai to Milwaukee. Additionally, car rental companies will not rent Kia/Hyundai anywhere near Milwaukee.
As is the case with most car thefts they are an absolute menace to the streets. "Drive it like it's stolen" is a very real thing[1][2].
Warning - discussion on this topic gets especially racist very quickly so as usual ignore the comments. Seriously, don't even look.
A lady was killed by a stolen Kia doing 70 mph on a residential street a block away from me a few months ago. They did end up catching the kids that did it, somehow. I’m sure she’s not the only death resulting from this.
I hope the shareholders of the Kia/Hyundai Corporation are happy about their extra penny per share (if that) in dividends from the immobilizer savings. The reputational harm from this will be long lasting.
Car theft for joy riding is a really common reason for kids(!) and adolescents to end up "in the system". I don't know how many car thefts that activity accounts for, but it's got to be a non-trivial amount.
I kept thinking of this scene from the movie Fight Club:
Narrator:
A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Business woman on plane:
Are there a lot of these kinds of accidents?
Narrator:
You wouldn't believe.
Business woman on plane:
Which car company do you work for?
That makes fun movie dialog, but I don't think the car company decides on their own whether or not to do a safety recall. The NHTSA can force them to do a recall for a serious issue if the manufacturer doesn't do it voluntarily. The NHTSA usually finds out about defects by owners filing directly with the NHTSA, so it doesn't take direct cooperation from the manufacturer to start an investigation.
"Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge" is the original title. i did my best to preserve it.
one thing that irritates me about this is the keyword "forced". This issue started in 2020, with numbers going up to nearly 20 cars stolen per day. Seems like a very slow and labored response to such a terrible problem with their cars.
There were 2220 cars stolen per day in 2020. While token bypass is a problem, I suspect that the biggest vulnerability is that nearly all cars lack MFA. Steal the token and you can steal the car.
Over 10,000 cars were stolen in Milwaukee in 2021. That's one stolen auto for every 60 Milwaukee residents, young and old.
South Korea's full of vulnerable Kia and Hyundai vehicles, yet doesn't have this problem of teenage serial car thieves. American social dysfunction is a big part of the equation that results in the numbers above.
"The thefts are reportedly easy to pull off because many 2015-2019 Hyundai and Kia vehicles lack electronic immobilizers" <-- Being the unfortunate owner of an even older suzuki ignis (secondary car, don't judge), who have has a key break and lost just the damn immobilizer chip from inside the key.. (meaning I had to spend over $100 for a replacement for a security system for a car nobody would steal anyway) I'm making a mental note that a 2015 Kia is a reasonable next car.
I'd pay a premium for a car with no digital electronics in the critical path (meaning I can repeair everything with a bag of diodes, resistors and capacitors)
> …for a car nobody would steal anyway) I'm making a mental note that a 2015 Kia is a reasonable next car.
But people are stealing the Kia’s. In bulk. That’s the issue discussed in the article. This contradicts your own reasoning about what people would want to steal.
I’d rather spend $100 on the extremely rare occasion I lose or break a key than own a car that’s trivial to steal. Each to their own though.
Always depressing how _any_ metric that is not regularly benchmarked will be ignored by manufacturers and noticeable degrade in a short timeframe. No matter what consumer's reasonable expectations of that metric are.
They weren’t stolen because of TikTok, they were stolen because there’s no mechanical lock on the steering wheel and no requirement for the key to be present when running the car.
The “usb cable” for the attack is not anything technical, it’s purely because a usb plug is approximately the same size as the socket used to house the ignition switch/key. You could also just use a screwdriver, knife, etc
Last summer, my piece of shit 2014 Kia Soul was stolen by our local "Kia Boyz" franchise. The thieves totaled it. I got a check for more than it was worth at the time.
We were contemplating going down to one car anyway, because of permanent work from home policies.
I couldn't have been happier.
Oh, and fuck you Kia, your car was a piece of shit.
The best part is this 'fix' is just adding an ignition kill-switch routine that requires you unlock with the keyfob to be able to start the car, then re-lock afterwards to disable the ignition.
Wonder what happens when your keyfob fails at that point - you can get in with the mechanical key, but now can't enable the ignition because you can't unlock it with the fob to signal the software.
(And if they make it so you can unlock and drive with an actual mechanical key in the door disabling the system, then it only takes 30-60 more seconds for someone with a Lishi pick to pop the door open and trigger the unlock themselves.)
I thought immobilisers were not only standard nowadays, but a legal requirement in some places. I don't understand why they would regress on something so simple.
The same way that every home builder in the US sells people houses with even less security than these cars. Having more security is not required by law, and people still buy them. And so, the demand is filled.
> A 2016 study in the Economic Journal finds that the immobiliser lowered the overall rate of car theft by about 40% between 1995 and 2008.
Getting it stolen renders you "not allowed to drive it" pretty effectively, and it's a lot more likely than your immobilizer malfunctioning. If you don't drive a Hyundai, Kia, or a 30 year old car, chances are your car already has one.
You would prefer your vehicle have no keys or locks at all? Let's say your house was burgled and only the keys were stolen. The vehicle would then decide (because you no longer have a key) that you are not allowed to drive it.
[+] [-] mmastrac|3 years ago|reply
"The thefts are reportedly easy to pull off because many 2015-2019 Hyundai and Kia vehicles lack electronic immobilizers that prevent thieves from simply breaking in and bypassing the ignition. The feature is standard equipment on nearly all vehicles from the same period made by other manufacturers."
And from: https://www.hotcars.com/kia-boyz-easily-steal-base-kia-hyund...
"Based on research conducted by Donut Media, we see that stealing a Hyundai or a Kia model produced between 2011 and 2021 is astonishingly simple. Folks at Donut Media started this research with a regular screwdriver and a USB cable. They start by unscrewing the steering column case and exposing the wires and the ignition cylinder. Once they pull out the ignition cylinder, they find a twist lever that fits perfectly into the slot of a USB-A cable. Once they connect their spare USB Type-A to the ignition cylinder male port, they rotate the unit in a clockwise motion to find the car starting without a proper car key. "
This is like saying that movies in the 1980s sparked a rash of car thefts because they showed people hotwiring cars all the time.
[+] [-] gwill|3 years ago|reply
[+] [-] johncessna|3 years ago|reply
It's more than that.
It's a combination of a lack of electronic immobilizer and putting the mechanical component behind a piece of plastic.
If they really want to save pennies on the immobilizer, they can move the mechanical piece further down the steering column
[+] [-] throw1230|3 years ago|reply
[+] [-] rootusrootus|3 years ago|reply
Even worse, that feature has been pretty common on mainstream vehicles since the 90s.
[+] [-] kube-system|3 years ago|reply
[+] [-] a_shovel|3 years ago|reply
[+] [-] mcguire|3 years ago|reply
https://bugtraq.securityfocus.com/archive
[+] [-] nimbius|3 years ago|reply
[+] [-] eof|3 years ago|reply
I think it is going to be a tiny sliver of cars that are allowed to get away with having a vehicle be able to be controlled like a remote control from a completely unencrypted, trivially intercepted-and-changed protocol. In the future I suspect if manufacturers want to put these features on cars, they will have to protect the communication between the different systems.
[+] [-] at-fates-hands|3 years ago|reply
More than 3,000 cars have been reported stolen in Minneapolis this year, including 432 Kias and 368 Hyundais. Officers are warning people to do what they can to protect their vehicles because this year, an average of 13 cars are stolen each day.
Prior to this spring, Hondas, Toyotas, Chevys, and Fords were the most common cars stolen in Minneapolis. But as word spread on social media this year about how easy Kias and Hyundais are to steal, they now account for more car thefts.
https://www.fox9.com/news/data-kias-and-hyundais-now-most-st...
[+] [-] kens|3 years ago|reply
[+] [-] supercanuck|3 years ago|reply
Probably did, but the scale of the problem is much larger considering TikTok's reach.
[+] [-] outworlder|3 years ago|reply
I guess that at some point Hyundai and Kia decided to save some money?
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] kkielhofner|3 years ago|reply
As is the case with most car thefts they are an absolute menace to the streets. "Drive it like it's stolen" is a very real thing[1][2].
Warning - discussion on this topic gets especially racist very quickly so as usual ignore the comments. Seriously, don't even look.
[0] - https://www.youtube.com/watch?v=fbTrLyqL_nw
[1] - https://www.youtube.com/watch?v=YdilXqQaQZU
[2] - https://www.youtube.com/watch?v=2VJhLJsBs74
[+] [-] quickthrowman|3 years ago|reply
I hope the shareholders of the Kia/Hyundai Corporation are happy about their extra penny per share (if that) in dividends from the immobilizer savings. The reputational harm from this will be long lasting.
[+] [-] yamtaddle|3 years ago|reply
[+] [-] unknown|3 years ago|reply
[deleted]
[+] [-] farmaway|3 years ago|reply
[deleted]
[+] [-] SHAKEDECADE|3 years ago|reply
Narrator: A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Business woman on plane: Are there a lot of these kinds of accidents?
Narrator: You wouldn't believe.
Business woman on plane: Which car company do you work for?
Narrator: A major one.
[+] [-] Johnny555|3 years ago|reply
[+] [-] ortusdux|3 years ago|reply
State Farm reportedly excludes 14 Hyundai and Kia models from new policies
https://www.autoblog.com/2023/02/09/hyundai-kia-models-state...
Seattle City Attorney Files Lawsuit Against Kia and Hyundai to Abate Public Safety Hazard Created by Exponential Rise in Theft of Their Vehicles
https://news.seattle.gov/2023/01/25/seattle-city-attorney-fi...
[+] [-] gwill|3 years ago|reply
one thing that irritates me about this is the keyword "forced". This issue started in 2020, with numbers going up to nearly 20 cars stolen per day. Seems like a very slow and labored response to such a terrible problem with their cars.
[+] [-] kube-system|3 years ago|reply
[+] [-] farmaway|3 years ago|reply
https://www.youtube.com/watch?v=fbTrLyqL_nw
Over 10,000 cars were stolen in Milwaukee in 2021. That's one stolen auto for every 60 Milwaukee residents, young and old.
South Korea's full of vulnerable Kia and Hyundai vehicles, yet doesn't have this problem of teenage serial car thieves. American social dysfunction is a big part of the equation that results in the numbers above.
[+] [-] dusted|3 years ago|reply
I'd pay a premium for a car with no digital electronics in the critical path (meaning I can repeair everything with a bag of diodes, resistors and capacitors)
[+] [-] shortcake27|3 years ago|reply
But people are stealing the Kia’s. In bulk. That’s the issue discussed in the article. This contradicts your own reasoning about what people would want to steal.
I’d rather spend $100 on the extremely rare occasion I lose or break a key than own a car that’s trivial to steal. Each to their own though.
[+] [-] xxpor|3 years ago|reply
That's probably a bigger issue.
[+] [-] AshamedCaptain|3 years ago|reply
[+] [-] olliej|3 years ago|reply
The “usb cable” for the attack is not anything technical, it’s purely because a usb plug is approximately the same size as the socket used to house the ignition switch/key. You could also just use a screwdriver, knife, etc
[+] [-] p0pcult|3 years ago|reply
We were contemplating going down to one car anyway, because of permanent work from home policies.
I couldn't have been happier.
Oh, and fuck you Kia, your car was a piece of shit.
[+] [-] kotaKat|3 years ago|reply
Wonder what happens when your keyfob fails at that point - you can get in with the mechanical key, but now can't enable the ignition because you can't unlock it with the fob to signal the software.
(And if they make it so you can unlock and drive with an actual mechanical key in the door disabling the system, then it only takes 30-60 more seconds for someone with a Lishi pick to pop the door open and trigger the unlock themselves.)
[+] [-] IronWolve|3 years ago|reply
[+] [-] askvictor|3 years ago|reply
[+] [-] garduque|3 years ago|reply
[+] [-] CottonMcKnight|3 years ago|reply
Almost literally Steven Wright's joke: "I couldn't fix your brakes so I made your horn louder."
[+] [-] can16358p|3 years ago|reply
[+] [-] mrtweetyhack|3 years ago|reply
[deleted]
[+] [-] apnew|3 years ago|reply
[deleted]
[+] [-] kube-system|3 years ago|reply
[+] [-] dharmab|3 years ago|reply
[+] [-] sleepybrett|3 years ago|reply
[+] [-] brianwawok|3 years ago|reply
It’s mostly just egg on their face and a reason to not buy their car in the future.
[+] [-] cute_boi|3 years ago|reply
[+] [-] ars|3 years ago|reply
Tell me something - would you buy a Kia or Hyundai after reading this?
You don't need a law, you need journalism.
[+] [-] Lammy|3 years ago|reply
[deleted]
[+] [-] ceejayoz|3 years ago|reply
> A 2016 study in the Economic Journal finds that the immobiliser lowered the overall rate of car theft by about 40% between 1995 and 2008.
Getting it stolen renders you "not allowed to drive it" pretty effectively, and it's a lot more likely than your immobilizer malfunctioning. If you don't drive a Hyundai, Kia, or a 30 year old car, chances are your car already has one.
[+] [-] op00to|3 years ago|reply
[+] [-] httpz|3 years ago|reply