Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack

Gone in 60 seconds using a USB-A plug and brute force instead of a key


Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths.

The "Kia Challenge" started circulating in mid-2022 and explained that it's possible to remove the steering column covering on some Hyundai and Kia models by force, exposing a slot that fits a USB-A plug. Turning the plug activates its ignition, allowing thieves to drive away.

Videos depicting the hack went viral, leading to huge spikes in thefts of the vulnerable models around the world.

The United States National Highway Traffic Safety Administration (NHTSA) on Tuesday stated it is aware of "at least 14 reported crashes and eight fatalities" resulting from the hack.

Now both automakers have announced they'll issue software to thwart the exploit.

Hyundai's advisory states the upgrade will be performed by dealers and will require less than an hour to complete.

"The software upgrade modifies certain vehicle control modules on Hyundai vehicles equipped with standard 'turn-key-to-start' ignition systems," the car-maker explained. "As a result, locking the doors with the key fob will set the factory alarm and activate an 'ignition kill' feature so the vehicles cannot be started when subjected to the popularized theft mode."

The update will be progressively offered to owners of "almost four million vehicles" – namely the 2017–2020 Elantra, 2015–2019 Sonata and 2020–2021 Venue.

The NHTSA's announcement states that "Kia is also rolling out its FREE software updates in a phased approach. The company will begin to update vehicles later this month, with ensuing phases throughout the next several months."

Kia appears not to have announced its updates but did yesterday pledge over-the-air updates for in-car infotainment and navigation systems on some models.

Only cars that use physical keys are susceptible to the hack. Press-to-start vehicles – which rely on a radio signal from a fob to allow engine start – are immune to the attack because they lack the mechanical elements that make this exploit possible.

Literal brute force attacks on car ignitions have been possible for decades, as have other electrical means of starting vehicles without a key.

The Kia Challenge's presence on TikTok and other social media platforms, however, meant the method was widely shared. And thanks to the viral nature of social media and its central place in popular culture, it was also widely emulated. ®
