Thefts of 2010-2021 Kia and Hyundai cars have been on the rise for years. In 2022, a TikTok challenge made the news rounds as it led to a much larger spike in thefts. Thefts have increased so much that some insurers, such as State Farm and Progressive, stopped accepting applications for affected Hyundai and Kia vehicles.
Background
Specific 2010-2021 Kia and Hyundai models use a mechanical key to start the car. These vehicles can be easily stolen by removing the steering wheel column and disassembling the key slot. In a throwback to the old trick of using a screwdriver, thieves can then use a USB cable to turn the ignition tumbler and start the vehicle.
Normally, this type of theft is prevented using an immobilizer, which uses a transponder to authenticate a paired key against the value programmed in the ECU. When an immobilizer is in play, even if you have a physical copy of the key, the vehicle will not start unless a paired transponder is present. Kia and Hyundai models using a mechanical key lack an immobilizer, allowing them to be forcibly started.
The Automakers’ Responses
These thefts have been occurring for years, but automakers did little to address the problem. Spurred by the TikTok challenge, the primary focus was providing free steering wheel locking devices to law enforcement officials in affected areas. To receive one, owners needed to contact local law enforcement to see if any were available. The NHTSA notes that over 26,000 steering wheel locks have been provided since November 2022 – hardly an effective measure given that there are roughly 3.8 million Hyundai and 4.5 million Kia vehicles affected by this flaw.
Now, the automakers are releasing free software updates, which will be performed at a dealer or service provider.
Hyundai’s approach adds a new “ignition kill” feature. When locking the doors with a key fob, the ignition kill and an alarm will be activated. The key fob must be used to unlock the vehicle in order to disable the ignition kill feature. However, not all vehicles can be patched – some 2011-2022 Hyundai vehicles will not work with the software update, and Hyundai will reimburse those owners for steering wheel lock purchases (and potentially for other anti-theft devices). An initial software update was released in February for a subset of affected models. A second update will be released in June to cover the remaining models. Hyundai is also providing a window sticker to show that the car has received an anti-theft upgrade to discourage damage from additional theft attempts.
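The start decisions described above, modeled as an added example (not code from Hyundai, Kia or this article's sources): a vehicle with no immobilizer, one with a transponder check, and one with the fob-armed ignition kill. HMAC-SHA256 stands in for whatever cipher a real transponder uses, and every class and method name here is hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class Transponder:
    """Chip in the key head; holds the secret paired with one ECU."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Vehicle:
    """Start logic for the three configurations the article describes."""

    def __init__(self, paired_secret: Optional[bytes] = None,
                 ignition_kill: bool = False):
        self._secret = paired_secret    # None: no immobilizer fitted
        self._has_kill = ignition_kill  # True: software update installed
        self._kill_armed = False

    def fob_lock(self) -> None:
        # Locking with the fob arms the ignition kill (and the alarm).
        self._kill_armed = self._has_kill

    def fob_unlock(self) -> None:
        # A fob unlock is what disarms it.
        self._kill_armed = False

    def _transponder_ok(self, key: Optional[Transponder]) -> bool:
        if self._secret is None:
            return True                 # no immobilizer, nothing is checked
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # fresh per start attempt
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, key.respond(challenge))

    def try_start(self, cylinder_turned: bool,
                  key: Optional[Transponder] = None) -> bool:
        """cylinder_turned is True whenever the ignition switch rotates,
        whether by a cut key or by force; the switch cannot tell which."""
        if not cylinder_turned or self._kill_armed:
            return False
        return self._transponder_ok(key)
```

The immobilizer check runs on every start attempt, while the ignition kill only blocks a start when the vehicle was last locked with the fob.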
We did not find details on Kia’s approach, or a firm schedule for releasing software updates, but we imagine it is similar. All 2022 Kia models now feature an immobilizer.
In May 2023, Hyundai and Kia settled a class-action lawsuit for $200 million, intended to compensate 9 million people for losses related to the social media theft trend. Customers whose cars were totaled are eligible for up to $6,125. Damaged vehicles and property can receive a maximum reimbursement of $3,375. Reimbursements are also available for raised insurance, car rental, towing, tickets, and other expenses.
Our Thoughts
What is most surprising to us is that such a significant issue did not result in an NHTSA safety recall. We’re not sure why we have to say this, but: you should obviously not be able to forcibly start a vehicle using a USB-A cable. How the NHTSA and automakers claim the vehicles adhere to FMVSS 114 mystifies us. The requirement states:
Each vehicle must have a starting system which, whenever the key is removed from the starting system prevents:
(a) The normal activation of the vehicle’s engine or motor; and
(b) Either steering, or forward self-mobility, of the vehicle, or both.
The test criteria are also extremely clear:
The engine cannot be started without using the key (S5.1.1a)
When the key is removed from the starting system, starting the engine or motor and either steering or self mobility is prevented. (S5.1.1b)
Regulatory failure aside, what lessons can we draw from this? Here are some that jump out at us:
- In today’s age of hyper-connectedness, you cannot rely on obscurity to protect you. Vulnerabilities in your system can spread like wildfire, especially when the payoff is high.
- Physical security requirements may matter for your system just as much as (or more than) “software security.”
- Skimping on effective security measures might save you money in the short term, but (if you last long enough in the market) you’re likely going to spend more time and money addressing the fallout.
- Regulation doesn’t matter if there’s no enforcement.
References
- Hyundai, Kia Provide Anti-Theft Software Update | NHTSA
- Hyundai Introduces Free Anti-Theft Software Upgrade, Beginning With More Than 1 Million Elantras, Sonatas and Venues – Hyundai Newsroom
- Hyundai Anti-Theft – Anti-Theft Software Upgrade
- Hyundai, Kia patch bug allowing car thefts with a USB cable
- TikTok challenge spurs rise in thefts of Kia, Hyundai cars | CNN
- Kia Boys Documentary (A Story of Teenage Car Theft) – YouTube
- How Thieves Are Stealing Hyundais and Kias With Just a USB Cable
- Safety Advocates Say Hyundai, Kia’s Anti-Theft Upgrade Doesn’t Go Far Enough – NBC Chicago
- Kia, Hyundai theft issues: State Farm, Progressive drop new policies
- Hyundai, Kia agree to $200 million settlement over US car thefts | Reuters
- Kia and Hyundai agree to $200M settlement for making cars viral theft targets | Ars Technica
Prior to this settlement, cities including Seattle, Baltimore, and Columbus, Ohio, had filed suit against Kia and Hyundai, according to NPR. Attorneys general in 17 states and the District of Columbia pressed the NHTSA last month to issue a mandatory recall of all vehicles lacking immobilizers.
