Hyundai and Kia car thefts fall sharply after software upgrade, study finds

lemme in@lemm.ee to Technology@lemmy.world – 456 points –
Hyundai and Kia car thefts fall sharply after software upgrade, study finds
cbsnews.com

A social media trend, dubbed the "Kia Challenge," has appeared to compound the automakers' problems in recent years, with people posting videos showing how to steal Hyundai and Kia cars. At its height, the Kia Challenge was linked to at least 14 reported crashes and eight fatalities, according to figures from the National Highway Traffic Safety Administration.

About 9 million vehicles have been impacted by the rash of thefts, including Hyundai Elantras and Sonatas as well as Kia Fortes and Souls. Hyundai and Kia earlier this year agreed to pay $200 million to settle a class-action lawsuit filed by drivers who had their vehicles stolen.

Technology is helping foil car thieves making life miserable for owners of Hyundai and Kia vehicles.

Hyundai and Kia upgraded their cars' anti-theft tech in early 2023. Vehicles equipped with the enhanced software will only start if the owner's key, or an identical duplicate, is in the ignition.

The rate at which the Korean automakers' cars are stolen has fallen by more than half since the companies upgraded their anti-theft software, according to new research from the Highway Loss Data Institute (HLDI). Hyundai and Kia thefts have soared in recent years after criminals discovered that certain car models lacked engine immobilizers — technology that has long been standard in other vehicles.

94

You’ll still get a broken window and steering column because the thieves can’t tell if the car has had the update or not and will still attempt to steal it.

I have a Kia and got the software upgrade; they put a little red sticker on your windows saying the vehicle is equipped with anti-theft software.

But something tells me most thieves aren’t checking for a sticker before they smash the window…

Can confirm. Happened to a friend within the past month. Theirs wasn't even on the list of affected models.

Hyundai and Kia upgraded their cars' anti-theft tech in early 2023. Vehicles equipped with the enhanced software will only start if the owner's key, or an identical duplicate, is in the ignition.

Fucking.... What? A 2023 anti theft technology upgrade added the space age cutting edge concept of starting the car with... the key?

If my car could start without the key in the bloody ignition I'd be furious, that's what the key is for, haha. You can add extra doohickeys to enhance security, but the first line of defence is the key that starts the car.

Absolute madness.

Watch the channel 5 Kia boys episode. It was really fucking easy to steal kia's n Hyundai's. Took the guy like 30 seconds to do it. You just ripped a piece of plastic off, and jammed a USB cord into the ignition, turned it, and off u went. They encountered one of these updated ones and failed as well.

Warning, the Kia boys are fucking insufferable twats.

https://youtu.be/DJA7jDF7bLE?si=7uoD6USzsuzg0vC2

🤯 this is so fucked up Like, is this cyperpunk coming true?

No this is how every car was stolen prior to the 90s/00s. The "USB cord" is a red herring as the shape of the USB-A port just happens to match the remaining bit of the ignition cylinder once the lock has been removed, but journalists love to hype that part up as if this is some technological attack.

Yeah, u just gotta turn the thing. But the tool of choice by the current gen of thieves is USB 2.x cords because it fit perfectly and is readily available.

I was not talking about the fact of how easy it is to steal, it was more about the society described. Gave me similar feelings like when I watched the first episode of the cyberpunk anime.

always has been. we live in cyberpunk dystopia

Luckily my country is not that far into the cyberpunk transition (yet?) 😮

Keyless start is fucking awesome though, just get in the car and drive. I wouldn't even consider a car without after having one with it. Pretty much all other manufacturers have this in a safe way that doesn't make the cars easier to steal. Its not the keyless start that's the issue, its how they implemented it.

I mean, many new cars don't even have an old school key ignition at all.

A lot of smart key cars are vulnerable to relay attacks. It's not a solved security issue by any means.

Nobody is fucking doing that, though! This isn’t a “oh I will hack this person using a relay attack” attack, it’s some dumb kids breaking into cars using physical measures. They are NOT going to be using a RELAY ATTACK

They are. It’s not incredibly common, but it’s not rare.

My coworker had his car stolen from his driveway. He believes it was a relay attack.

That being said, it’s super easy to mitigate by putting your keys in a metal bin.

AFAIK they're not anymore vulnerable than central locking systems

Yes they are, because keyless listens to the car asking for authorization, so you can amplify the car signal hoping the key is not too far off, and unlock the car without any other work.

What’s more, all keyless cars still have a fob with proximity and if the fob dies, they legally have to have a way to start the car without the fob battery which is why they all have an nfc reader somewhere (usually in a cup holder) so you can put you dead fob on it and the car will start like normal.

1 more...

All keyless start kias and hyundais are/were immune to the Kia boys trick

So what was the exploit then? They could get in to the car without the key?

No engine immobilizer was the ultimate issue. And from what I understand, it was just an issue with models sold in the US, so all this misery was caused by a manufacturer’s cost saving measure.

ETA: To clarify, the cause was a manufacturer’s cost saving measure enabled by the US regulations’ lack of a requirement for engine immobilizers.

Yeah, by breaking the window. Then they rip out the ignition cylinder and turn the electrical switch just like on old cars. They didn't put any kind of electronics into the key to prevent this from happening. Most keys from about 1999+ have an NFC type "chip" in them that prevents the car from starting without a key that is programmed to the car.

Aah, so it actually has absolutely nothing to do with keyless access and driving like most seem to complain about.

Still, it would be cool if they didn't charge hundreds of dollars for a replacement key that costs them a couple bucks.

Til someone uses flipper to clone your key n jack your shit

That’s..not how rolling codes and tight timing requirements work. There are almost zero keyless entry car models that can be unlocked, let alone started, with hardware at the sophistication level of a flipper.

Yeah I did a little homework after I made the comment n realized I was wrong. Didn't get a chance to go back n remove or fix it.

I mainly pushed back because the Flipper Zero is an amazing toy to teach novices young and old about the basics of radios, computing, and cryptography. But they are facing backlash around the world from uneducated, reactionary, “think of the children” mouth breathers and you shouldn’t give those chucklefucks any more ammo in their misinformation belt.

You’re an insane person if you think KIA BOIZ are using a fucking flipper and not opportunistically attacking parked cars hahahaha

That's no different than if you had central locking and a douche nearby (but significantly further away than keyless access and start) to intercept it as you lock/unlock it. Risk of this actually happening to you is so slim, it's not an issue in real life.

1 more...

They were vulnerable because they didn't use chipped keys therefore people could break the ignition cylinder off and rotate the actual switch behind it to start the car. Cars with immobilizers still wouldn't start even if you removed the lock cylinder because the sensor didn't detect the chip. This is basically how most all cars worked prior to the 90s/00s which is where the trope of "using a screwdriver to steal a car" came from.

I'm really curious how they were able to add this in using software alone since you'd need some sort of sensor to detect the key along with keys that have a chip embedded in them.

😄so, my dacia spring can be stolen like that as well? It has one key without even a battery 🤣 (I think) Luckily I live in peaceful Switzerland, so I don’t even have to lock the car overnight..

Edit: it locks the steering wheel if not started, maybe that would be enough?

You might have an immobilizer as no battery is needed in the key, it's just a little chip embedded inside.

As far as the steering wheel lock, I think it can be defeated as well as those were used at least as far back as the 1970s and cars were still stolen then too. I believe people just hammered a screwdriver into the ignition to be able to bypass it.

You should Google your model of car to see if it has an immobilizer.

I see 😁👌🏻 good to know

Yep. No one would have stolen my SAAB anyway, since it was a stick shift, but if someone had tried, they'd have gotten a nasty surprise. On the '80s models the stick shift had a half inch steel pin that locked the gear shift of the car in reverse if a sensor in the ignition didn't sense the key, and tell it to disengage. You could hotwire the car just fine, but I would almost pay to see how you explain to the cops why you're driving down the road in reverse.

I don't know this to be a fact, but we own a Kia targeted by this whole 'challenge' business, and my understanding is that this issue is primarily because remote start was a factory installed feature for most of the generation and the "software update" that enhances security prevents remote starters from working.

I had my Sonata stolen last year. The problem is that, by default, there was neither a key checker nor a steering immobilizer built into the vehicles. These are industry standard features for every car manufacturer... Except Kia and Hyundai. These are required features in every car sold in every Western nation... Except the United States. To have excluded this literal 90s tech from their vehicles when they're so common that no one would ever stop to think about whether their car has them constitutes a serious lie by omission on the part of Kia and Hyundai, in my opinion. If I knew that all you had to do was rip off the ignition and shove something onto a peg to screw off with the car, I would have told the dealer to stick it up his butt.

For those wondering: I had comprehensive insurance, so I was paid the full value of the vehicle after it was totaled. I bought a Toyota Camry with the money and it's a great car. I am never buying Kia or Hyundai cars again and I recommend everyone else avoid them from here on out. Like, if this is what they're willing to do to save $30 per assembled vehicle, what else might be lurking in their newer vehicles that we won't know about until it's too late?

Nope, they just went so fucking cheap that they didn’t even bother verifying the presence of a key to start the car. It’s got nothing to do with technological hacking, it’s just the same basic hot wiring that was pervasive before the invention of computers.

1 more...

My car was never affected in the first place and I'm still getting fucked by my insurance saying it's a "theft risk" charging out the ass

Insurance companies like to claim they've done all the math and research but they're just lazy asses looking for any reason to raise rates.

Tell me about it, my rate over tripled.

Edit: and yes I did try and fight it

I’d guess a result of the dumber criminals not knowing what specific models are vulnerable. This fiasco tainted the entire brand.

Sue Kia for the difference in small claims.

And when you spend all your money on hookers and blow you can just shout out loud “I DECLARE…BANKRUPTCY!” and then all your debts are automatically erased.

Here's my simple solution: drive a super old car. My car:

  • isn't worth stealing
  • is immune to popular TikTok attacks because the tech is too old
  • drives just fine

There are some downsides, but at least I don't have to deal with this nonsense.

Here's my simple solution: be unable to operate a car.

Simpler solution: Drive stick

I miss my stick. My starter went out, so I push started it for a few months until I had the time and money to get it fixed. With an automatic, I'm just screwed...

I once got into my car and was surprised how the seat was farther back then when I left it. I glanced around and it was clear someone had jimmied the passenger door open.

I'm fairly confident, although I have nothing to back this up, that when they realized it was a stick, they decided not to try and steal it.

I went from an 07 Escape to a 2023 RAV4. The thing just won’t shut the fuck up. Mike any kinda of parking the detection beeps. Console software is annoying.

Miss my relatively dumb car.

The legal requirement that cars just beep within zero seconds if you start them without a buckled seatbelt is just actively harmful to safety. It trains you to despise and ignore all safety alarms. https://en.wikipedia.org/wiki/Alarm_fatigue

But that’s not actually a thing. I start both of my newer vehicles before I’m buckled. No beeping until I actually put it in drive.

It rarely happens because I always buckle

Oh thank fuck they finally fixed that. Or maybe it’s a California thing?

My wifes genesis is the same. Beeps if you do something beeps if you don't beep beep beep beep. All the telemetry bullshit and bad ui combined with cheap hardware and latency. It sucks ..

Bonus: If it's old enough and you get into a collision, your car will be fine and just tear through the other one like a hot knife through butter.

That is painfully untrue. Check out this video of an old Bel Air vs an 09 Malibu. Both cars get fucked up, but only one of those drivers has any chance of walking away from the accident, and it's sure as fuck not the one in the classic. https://youtube.com/watch?v=fPF4fBGNK0U&si=zJ7tDE4RrMWlaCOt

Despite the fixes, theft claims for the affected Hyundai and Kia models continue to exceed industry norms, including for vehicles equipped with the upgraded software, according to HLDI. One reason could be that the software-based immobilizer only activates if the driver remembers to lock the vehicle with a fob, while many people are in the habit of using the switch on the door handle.

If ever there were a problem that is ripe for fixing with the first version of the software upgrade, not a future one, this was it.

I just had to purchase a vehicle. My insurance company basically asked me not to buy a KIA or Hyundai and warned that the premiums for those makes were super high.

It's funny that even though theft rates have plummeted since the mass software upgrade, premiums have stayed high. They have savant-level mathematicians (actuaries) evaluating risk and even with compelling data showing otherwise, they choose to keep labeling these cars high risk and continue to charge exorbitant premiums.

The whole “insurance price is determined by geniuses” thing is just bullshit. They benefit greatly from perpetuating the myth but never really demonstrate competence. Their calculations are very non-specific. For example determining risk by ZIP code in places where one side of the tracks/street/infrastructure built with structural discrimination in mind is just not granular enough. Another example would be that some model of vehicle came with optional emergency braking, but taking the option doesn’t change insurance calculations at all, but having the feature as standard for all models reduces the price for those models.

“Insurance actuaries are sevants” is just an extension of the lie that “free” markets are 100% efficient and always correct.

Well I mean actuaries are like savants. Years ago in uni my calc III college prof was one. Amazingly sharp dude. Do I think insurance companies over-generalize their risk assessments? Yupp. Do insurance companies likely ignore their actuaries and set premiums to make outrageous profit? Probably.

Disclosure: I hate insurance companies. Also that professor was super weird

Well, the cars do not get stolen, but the windows sure as hell get smashed to check if it works. This costs money as well.

Same. I was looking at cars and told my insurance, who then said, "If you get a KIA, you never have to worry about losing your car keys, since you can search online on how easy it is to break in."

That throwaway joke threw me into the rabbit hole of the Kia challenge. Definitely a shit show.

I'm not buying this PR garbage. KIA and Hyundai thefts fall as cars lacking basic security hardware were stolen and wrecked until there are no more to steal and wreck.

Thank you for re-adding late 20th century tech to your 21st century cars. /s

A lot of cars in my neighborhood have been using a club to lock the steering wheel. Reminds me of the 80s-90s.

Those do absolutely nothing to stop someone from stealing a car as they attach to your steering wheel made of foam and plastic which takes seconds to cut through. They've only come back in to popularity due to grifters willing to sell people a false sense of security.

To be fair, they add another minute or two to the time it takes to steal the car.

I also feel these bars make your car harder to steal than the other car on the same block. If everyone is using them, you're car is again only as hard to steal as that other car on the block. This could make it a target again.

However, that update or a third party solution is going to do a whole lot more.

That's how bike security works! Make your bike look a little more annoying to steal than the next guy.

Yes, same idea. Though, I thought we were way past this when it comes to modern cars.

I wasn't going to get a new car any time soon. And my next car was going to be a Kia Soul. But I went with another brand. The Kia/Hyundai brand is hot right now. Crackheads and thieves aren't trying to figure out if your car is affected, you still end up with an inoperpable car. Maybe in a few years it will die down.

Does this update cover the new issue where the keyless cars can be broken into?

https://insideevs.com/news/724328/hyundai-kia-ioniq-5-gameboy/

That applies to every manufacturer, and no, there isn't really a fix.

It's also not really happening in any meaningful numbers, at least yet...

"Hyundai and Kia aren't alone in this high-tech fight. The same resellers offer console-like devices that can brute force key combinations for modern Infiniti, Lexus, Mercedes-Benz, Mitsubishi, Nissan, Subaru and Toyota vehicles, among other makes not sold in the U.S."

Didn't even see that part in the article that's concerning. Maybe not all manufacturers but a lot of them need to step their security up then.

There really isn't a way to realistically shield against relay attacks. Most people say "just go back go physical keys", but those are even less secure.

Phone-as-key and keycard systems are vulnerable in the same way.

My 2013 Forte wasn't eligible for the upgrade :(

If it wasn't eligible for the FIX (this is NOT an upgrade, you are entitled to them fixing this shit if it does effect you)maybe it wasn't the right ignition system? My 2013 Elantra needed it and it seemed to be on the older end of cars who had the vulnerability.

You would all lough to your grave if you would see how shit is the immo system in these cars are. To add a new key to a car you have to read immo data of the car and than decode it to get a password to make the key. In these cars you just sit in the car, make the car go into add key mode and than just touch the key to antena, and thats it, no passwords no immo data reading.

Your “make the car go into add key mode” statement is doing a ton of heavy lifting here, cryptographically speaking.

No its not, you just send a comand, there are no crypto, passwords, pins, secret comands or special tool. Thats why i sayed its shit and you would lough to your grave. As i see you may know something about cars, get a new hyundai, connect a simple passtrough and inject “ 41 64 64 6B 65 79 “ than touch NOT A KEY, but an empty chip without even an antena. And than come back and tell me your results, how a comand does a lot of heavy lifting.

Well they don’t call it a CAN’T bus! Lmao I can’t even imagine how stupid the executives that signed off on this trash are.

1 more...
1 more...
1 more...

Has biometric been considered for cars? I mean it’s used for phones and computers, why no cars. Maybe in addition to a key/fob. If it senses the fox and your biometrics (either finger or face or both even) it will start the car. If the car doesn’t recognize your biometrics, then you need to enter the key in the vehicle to start it. If it recognizes you can start it.

We've already solved this issue without biometrics. The manufacturers just cheaped out on actually implementing it in the affected models.

Given that car manufacturers cannot stop themselves from sending fuckloads of data about drivers, I do not want them to have any biometric scanners whatsoever.

I have never had a phone that has successfully unlocked the first time using biometrics. I wouldn't say it is a solved problem or a solution. There are also implications with law enforcement when using biometrics. They can't force you to unlock something with a password, but they can forcefully unlock something with your fingerprint.

The older fingerprint readers that were on the back or below the screen worked perfectly and near-instantly (I've used several Nexus, Pixel and Moto phones).

At least some of the newer in-screen readers are slow and unreliable. I've heard that the ultrasonic ones are better.

The 5th Amendment is a nonissue here. If they have a warrant for your phone and you don't give up the password it is hard to get in. If they have a warrant for your car and you don't open it for them they will just smash a window. I doubt our cars are bothering to encrypt any of the ridiculous amounts of telemetry they collect.

Ironically, I think Hyundai is the only company currently doing biometrics. They have a face unlock and fingerprint start on the GV60 in some markets iirc.