Hyundai, Kia patch bug allowing car thefts with a USB cable

Automakers Hyundai and KIA are rolling out an emergency software update on several of their car models impacted by an easy hack that makes it possible to steal them.

"In response to increasing thefts targeting its vehicles without push-button ignitions and immobilizing anti-theft devices in the United States, Hyundai is introducing a free anti-theft software upgrade to prevent the vehicles from starting during a method of theft popularized on TikTok and other social media channels," reads Hyundai's announcement.

The car hack has been heavily promoted on TikTok as a "challenge" since July 2022, with videos showing how to remove the steering column cover to reveal a USB-A slot that can be used to hotwire the car.

The issue lies in a logic flaw that allows the "turn-key-to-start" system to bypass the immobilizer that verifies the authenticity of the code in the key's transponder to the car's ECU. This allows thieves to forcibly activate the ignition cylinder using any USB cable to start the vehicle.

The impact of the so-called "Kia Challenge" was so significant that in Los Angeles, the two brands had a steep 85% increase in thefts in 2022 compared to the previous year, while Chicago reported a nine-fold rise for the same.

The United States Department of Transportation (NHTSA) published a post yesterday explaining that the security flaw impacts approximately 3.8 million Hyundai vehicles and 4.5 million KIA cars.

The agency also stated that these hacks have resulted in at least 14 confirmed car crashes and eight fatalities.

Software upgrade underway

Since November 2022, the two car brands have been working with law enforcement agencies across the United States to provide tens of thousands of steering wheel locks. Still, a software update will now better solve the security problem.

The software upgrade will be provided free of charge for all impacted vehicles, with the rollout starting yesterday to more than 1 million 2017-2020 Elantra, 2015-2019 Sonata, and 2020-2021 Venue cars.

The second rollout phase will be completed until June 2023 and will be for the following models:

• 2018-2022 Accent
• 2011-2016 Elantra
• 2021-2022 Elantra
• 2018-2020 Elantra GT
• 2011-2014 Genesis Coupe
• 2018-2022 Kona
• 2020-2021 Palisade
• 2013-2018 Santa Fe Sport
• 2013-2022 Santa Fe
• 2019 Santa Fe XL
• 2011-2014 Sonata
• 2011-2022 Tucson
• 2012-2017, 2019-2021 Veloster

The free upgrade will be installed on Hyundai's official dealers and service network in the U.S. and will take less than an hour. Eligible car owners will be notified by the carmaker individually.

The announcement explains that the software upgrade will modify the "turn-key-to-start" logic to kill the ignition when the car owner locks the doors using the genuine key fob. After the upgrade, the ignition will only activate if the key fob is used to unlock the vehicle.

Hyundai will also supply its customers with a window sticker that makes it clear to aspiring thieves that the car's software has been upgraded to neutralize the social-media-promoted hack, discouraging any attempts.

For models with no engine immobilizers that cannot receive the fixing software upgrade, Hyundai will cover the cost of steering wheel locks for their owners.

KIA has also promised to start the rollout of its software upgrade soon but has not released any announcements with specific dates or details yet.

Hyundai, Kia patch bug allowing car thefts with a USB cable