Did Hyundai Get Hacked?

Hyundai / By

To our shock, [greenluigi1] purchased a Hyundai Ioniq automobile and then completely destroyed the Linux-based head unit firmware. That is to say, he circumvented all firmware update authentication methods, reverse-engineered the firmware upgrades, and produced nefarious update files that granted him root access to his own device. He then developed his own app by deconstructing the dash’s app framework. Not just for show; by connecting to the dash’s APIs, which are accessible through header files, he was able to control doors and check the status of the car from his app. He even provided a guide on how anyone can create their own apps for the Hyundai Ionic D-Audio 2V dash, thus in the end, the dash was entirely conquered.

He guides us through the entire hacking process in this collection of articles that [greenluigi1] put together for us, and they’re a wonderful delight to read. He discusses a wide range of topics, including cracking.zip encryption, reprogramming efused MAC addresses on USB-Ethernet dongles, locating keys for encrypted firmware files, carefully installing backdoors into a Linux system, battling cryptic C++ compilation errors and flag combinations while cross-compiling the software for the head unit, creating plugins for proprietary undocumented frameworks, and many other reverse-engineering aspects that we will encounter when domesticating software

This represents a hacker’s success over yet another device in our lives that we aren’t supposed to edit, and it’s a painstakingly documented victory at that, aiding each of us in our fight against “unmodifiable” technology like this. You’ll walk away from reading these courses having learned quite a few new skills. For example, we’ve previously covered head unit hacks for Nissan and Subaru, and each time it was a spectacular ride.

In a Dec. 8, 2016, upgrade to the mobile app for its Blue Link connected car software, Hyundai added a bug.

A cyber security company said on Tuesday that software flaws in a Hyundai Motor Co. app that allows a car to be started remotely put the company’s vehicles vulnerable to theft from high-tech thieves for three months before the company rectified the fault in March. According to Tod Beardsley, research director at cyber security company Rapid7 Inc., Hyundai introduced a bug in a Dec. 8, 2016, update to the mobile app for its Blue Link connected car software that allowed auto thieves to find vulnerable vehicles, unlock them, and start them.

Hyundai acknowledged the bug’s existence and stated that it took swift action to address the issue. On Tuesday, the U.S. Department of Homeland Security released a warning regarding the vulnerability. The advisory stated that “no known public exploits expressly target these vulnerabilities.” To exploit, a high level of skill is required. Before Hyundai released the remedy to users of Android and iPhone in early March, the company and Beardsley both claimed they were unaware of any instances of car thieves taking use of the vulnerability.

According to Jim Trainor, a representative for Hyundai Motor America, “the problem did not directly affect vehicle safety.” Hyundai has no knowledge of any consumers who may have been harmed by this possible vulnerability. After a high-profile recall of Fiat Chrysler vehicles in 2015 and government warnings about the possibility of automobile hacks, the issue was discovered as the auto sector increased efforts to defend vehicles against cyber attacks.

As vehicles have become more complex and have added capabilities like smartphone apps that can locate, unlock, and start them, risks have increased recently. According to Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative, “what’s changed is not only the presence of all that hackable software, but the volume and variety of remote attack surfaces introduced to more modern vehicles.”

After two security researchers revealed that they could take remote control of a Jeep moving at high speeds, Fiat Chrysler recalled 1.4 million American vehicles in 2015. The bugs discovered in the Fiat Chrysler automobiles are more terrifying than the Blue Link bugs. According to Beardsley, a hacker would need to be close to the owner of a targeted vehicle who is using the mobile app over an unsecured WiFi connection for assaults to be successful utilizing moving automobiles.

View as

According to German media, hackers believed to have ties to the Vietnamese government have accessed the networks of two automakers, particularly Hyundai and BMW.

According to a report from Bayerischer Rundfunk and Taggesschau, hackers broke into a BMW branch’s network sometime this spring.

On affected hosts, the attackers allegedly installed the Cobalt Strike penetration testing tools, which they then allegedly utilized as a backdoor into the afflicted network.

According to reports, BMW had permitted the hackers to remain on its network and had tracked their every step before denying them access over the last weekend at the end of November.

The hackers behind the attack allegedly also broke into Hyundai, according to BR and TS reporters, who did not offer any other information regarding this second incursion.

After being hacked, Kia Motors America was asked for $20 million.

The Hyundai Group’s Kia Motors America division was targeted by ransomware, and US$20 million was demanded as ransom. Kia Motors America may develop Apple electric vehicles. However, Kia merely confirmed that the business had a shutdown and refuted claims that ransomware was involved.

In a post published yesterday, BleepingComputer found a text message demanded as ransom that was allegedly sent by the DoppelPaymer hacker after the Kia Auto America attack. Hyundai Motor America is the letter’s intended recipient. The hacker revealed that the data belonging to the Kia Corporation was encrypted. Within 21 days, he demanded that they pay in accordance with the link in the letter. Kia can only get the file and backup decryption key after that. The website that the link led to was DoppelPaymer’s Tor payment portal. Within three days, if they are not actively contacted, they will reveal sensitive firm information.

On its Tor payment website, DoppelPaymer claimed that the US unit of Kia Cars had been the target of extensive data theft. In the extortion message, which BleepingComputer was able to receive, the hacker demanded 404.5412 bitcoins, or around $20 million USD. The ransom will increase to 600 bitcoins if the victim doesn’t pay within the allotted period. It costs about $30 million.

How does Hyundai combat theft?

KMOV/ST. LOUIS, MO – In response to car thefts of its vehicles across the country, Hyundai released a statement on Friday. Security kits will be available in October, according to the auto supplier.

This is the claim:

The current increase in car thefts of specific Hyundai model vehicles worries Hyundai Motor America. Despite the fact that all of our vehicles meet or exceed federal motor vehicle safety standards, a concerted social media campaign has sadly targeted our vehicles. Our vehicles without engine immobilizers are a target for thieves. All automobiles created after November 1, 2021, must have immobilizers as a standard feature.

Hyundai has been collaborating with regional police agencies to provide steering wheel locks for owners of previous model year Hyundai vehicles without an immobilizer, and will keep doing so. Hyundai has also discovered a Firstech / Compustar security package that specifically targets the way that thieves enter these vehicles.

This security kit will be offered for purchase and installation at Hyundai dealerships and accredited Compustar installations across the nation beginning on October 1, 2022. Customers with inquiries can always call the Hyundai Consumer Assistance Center at 800-633-5151 until Hyundai releases more information.

Hyundai theft victims have expressed frustration with the cost of the security kit to News 4.

“What a rip-off that is. Just drove away with $14,000. Therefore, I believe that you should be able to provide me with a kit for that $14,000 “Sierra Groman, a resident of St. Louis whose automobile was taken sometime between Friday night and Saturday morning, stated.

If Hyundai and Kia didn’t fix the security problems with their vehicles, the City of St. Louis threatened to sue the manufacturers.

In St. Louis, nearly 2,000 Kia or Hyundai vehicles have either been stolen or nearly stolen. According to the police, the vehicles account for 77% of all stolen vehicles in the city.

If possible, AAA advises drivers to lock their car, park in a well-lit area with lots of foot traffic, and do so in a garage.

Can you actually hack into a car?

  • When they work properly, connected cars are fantastic. Vehicle hacks are more frequent and harmful than most people think, according to a recent Detroit Free Press report.
  • According to a research by Upstream Security, there were at least 150 automobile cybersecurity incidents in 2019, representing a rise of 94% year over year since 2016.
  • Oh, and here’s a word we detest hearing, despite the fact that we’ll probably hear it a lot more in the future: ransomware for vehicles.

Remote hacking into an unconnected car is not possible. However, if you don’t drive the most recent Tautology Motors vehicle, your car is probably vulnerable to some type of digital infiltration. In fact, if a car can connect, it can be partially or completely hacked today.

Moshe Shlisel, the CEO and co-founder of GuardKnox Cyber Technologies, a business that specializes in shielding automobiles from precisely these kinds of assaults, has that viewpoint.

According to Shlisel, “the more connected your vehicle is and the more sophisticated the system is, the more vulnerable you are.” “Any type [vehicle] you can think of has been taken, and we have broken them in numerous areas. I have the ability to operate your steering, brakes, doors, wipers, and trunk opening and closing in addition to stopping and starting your engine.”

Report on Global Automotive Cybersecurity According to the Upstream study, there were 150 cybersecurity incidents in 2019, a 99 percent increase from the previous year, and a 94 percent increase since 2016. This trend is unlikely to change anytime soon as more communication channels, such as extensive over-the-air update capabilities, are being incorporated into new cars.

Not just Shlisel is attempting to anticipate and stop cyber attacks. The most prominent cyber events of 2020 are listed in the yearly published by Upstream Security. The latter involved hackers taking “full control of an OEM’s corporate network by reverse-engineering a vehicle’s [telematics control unit] and using the telematics connection to infiltrate the network” and “Tesla’s entire connected vehicle fleet by exploiting a vulnerability in the OEM’s server-side mechanism.” Press, Free

When were the stolen Hyundais manufactured?

Some Hyundai and Kia models can be stolen in as little as a minute, and it happens all over the nation.

Why it matters: Owners are currently forced to use a traditional steering wheel lock in order to secure their vehicles due to the widespread issue, which is thought to be caused by design defects in the cars.

  • Hyundai advises clients that they must pay for a specialist security kit if they wish to protect their vehicle.
  • Starting on October 1, Hyundai automobiles will be able to purchase the equipment—a “starter interrupt and siren” that “targets the technique of entry criminals are using”—for an undisclosed price.
  • According to Kia, a security kit is not currently available.

The ignition is made visible when a window is broken and a portion of the steering column’s cover is removed. They use a flathead screwdriver or USB plug to start the car after breaking the ignition cylinder.

  • The technique is compatible with Hyundai and Kia vehicles from 2016 to 2021 that employ steel keys rather than push-button start and a fob. According to the automakers, they are focusing on vehicles lacking engine immobilizers, which prevent a vehicle from starting without the proper smart key being present.
  • Hussein predicts that damage could cost $2,000–$3,000. He adds that it might take some time to get the car returned because some parts are on backorder as a result of the increasing demand.

The mystery: Authorities connect some of the thefts to a pattern highlighted in a popular Milwaukee-based YouTube video that features interviews with “Kia Boys” members. They show how swiftly they allegedly take the autos.

  • According to the Detroit police department, 111 Kias were taken in July and 22 in the first nine days of August. This is an increase from 23 in June and 11 or less in each of the other months of 2022.
  • 156 Kia and Hyundai thefts have been reported by Charlotte, North Carolina, police since June 20, a 346% rise from 35 instances during the same period last year.
  • Seven of the top 10 most stolen cars in Wisconsin, according to the NICB’s 2021 Hot Wheels report, were Kias or Hyundais. But according to the 2020 study, none of those cars were in the top 10 in the state.

According to court documents and legal firms, automakers are currently facing lawsuits all throughout the country, including two-plaintiff class-action litigation in Iowa, a class-action in Wisconsin, and two class-action actions focusing on Ohio theft victims.

  • Automobile owners claim that design flaws that make the vehicles simple to steal are not disclosed. Currently, despite acknowledging the issue, the firms “refuse to remedy them” or “compensate consumers,” according to the Iowa lawsuit.
  • All of Hyundai’s vehicles “meet or exceed Federal Motor Vehicle Safety Standards,” the automaker added. All of the new cars being made have immobilizers, which make them harder to steal.
  • The senior editor of VOX ATL in Atlanta asked, “Who on Earth would have believed that a dad-ride like a Kia Soul would have been targeted by teenagers?”
  • “It’s [because it’s] popular on social media and simple to do Lamborghinis are a little more difficult to steal.”

Editor’s note: This article has been updated to reflect the fact that Hyundai Motor Group, not Hyundai Motor Co., is the parent corporation of the two brands.