Hyundai and Kia to patch a flaw that allows the theft of the cars with a USB cable

Hyundai and Kia car makers are releasing an emergency software update to fix a flaw that can allow stealing a car with a USB cable.

Carmakers Hyundai and KIA are rolling out an emergency update for the software shipped with several car models. The update addresses a bug that can be exploited by thieves to steal the impacted vehicles.

The anti-theft software upgrade rolled out by the company aims at preventing the vehicles from starting during a method of theft that was shared on TikTok and other social media channels.

“In response to increasing thefts targeting its vehicles without push-button ignitions and immobilizing anti-theft devices in the United States, Hyundai is introducing a free anti-theft software upgrade to prevent the vehicles from starting during a method of theft popularized on TikTok and other social media channels.” reads the announcement published by Hyundai.

The videos shared on TikTok, known as “Kia Challenge,” show how to remove the steering column cover to access a USB-A slot that can be used to connect to the car. The access to the slot can allow attackers to exploit the flaw to bypass the immobilizer that validates the code in the key’s transponder to the car’s ECU.

The software update will be released as a service campaign for a total of almost 4 million vehicles beginning on February 14. The carmaker will first upgrade the software shipped with more than 1 million model year 2017-2020 Elantra, 2015-2019 Sonata and 2020-2021 Venue vehicles. The upgrade will be performed by Hyundai dealers, and the carmaker ensures that the process will take less than one hour to be completed.

The carmakers will reimburse the purchase of steering wheel locks, to the owners of some 2011-2022 model-year vehicles without engine immobilizers that cannot install the software upgrade.

While the Kia Challenge was becoming viral, law enforcement observed a surge in the theft of the impacted car models in the US. In Los Angeles, the thefts of these vehicles increased by 85% in 2022 compared to the previous year.

In September 2022, a national class action lawsuit was filed in federal court in Orange County, California, against the carmakers for this flaw. The lawsuit blames Kia and Hyundais for building vehicles without engine immobilizers allowing cars to be hot-wired and stolen. The complaint states that, unlike any other carmakers, Kia and Hyundai did not use this protection system over the last 20 years

“Hyundai is committed to ensuring the quality and integrity of our products through continuous improvement and is pleased to provide affected customers with an additional theft deterrent through this software upgrade,” said Randy Parker, CEO, Hyundai Motor America. “We have prioritized the upgrade’s availability for owners and lessees of our highest selling vehicles and those most targeted by thieves in order for dealers to service them first.”

According to the United States Department of Transportation approximately 3.8 million Hyundai vehicles and 4.5 million KIA vehicles are impacted by this flaw.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)