South Korean automaker Hyundai and its sister company Kia have been through the ringer. when it came to a notorious security vulnerability that was exposed through the power of social media.
The infamous "Kia Boyz" sprang a wave of auto thefts from 2021 to 2023, where Hyundai and Kia vehicles were targeted due to the lack of a vital security feature called an immobilizer, rendering them easy to drive without a key.
Related: The bare minimum is working wonders for Elon Musk
In "instructional" videos that have gone viral on social media platforms like TikTok, thieves demonstrated how easy it was to steal such vehicles, as it only required 35 seconds and rudimentary tools like a flat-head screwdriver and a USB charging cable for a smartphone.
While Kia and Hyundai have introduced fixes for vehicles targeted by the Kia Boyz, thieves have evolved and a new vulnerability is affecting vehicles that are crucial to the Korean automaking duo's future in the industry.
A new breed of "Kia Boyz"
As per a report by Inside EVs, brazen auto thieves are targeting Hyundai and Kia EVs, but are cut from a different cloth from the "Kia Boyz" exposed on TikTok's For You page.
Compared to the Kia Boyz, the thieves targeting these EVs act more like enterprising cybercriminals, as their methods exploit vulnerabilities in vehicle software.
Screwdrivers and USB smartphone charging cords are replaced by a sophisticated piece of technology known as an "emulation device," an amalgamation of radio transmission gadgetry stuffed into a device with the form factor of an old-school Nintendo Game Boy or similar devices.
These "Game Boys" do not accept game cartridges of the video game Grand Theft Auto, rather it allows people to commit the crime of actual grand theft auto.
Basically, these devices are designed to emulate, or replicate the characteristics of a key. In practice, a thief would walk up to a Ioniq 5 or Kia EV6 that they seek to steal and touch the door handle.
By touching the door handle, the car actively starts to look for the owner's key to unlock the car. The thief would then activate a program that talks to the car, convincing it that the thief is holding the key to the car. By using the program, the device generates codes that would identify the device as the actual key.
Related: CDK Global expects software outage to end soon, as dealers lawyer up
When the program finds the code (which can take a matter of seconds), the device is as good as the actual key and can be used to lock, unlock and commandeer the car. Additionally, once thieves get a good distance away, they can easily pull out the car's connectivity devices, which can render any type of tracking useless.
Gone in 25 Seconds
In one video taken from a home surveillance camera, it took a duo of thieves 25 seconds to take a Hyundai Ioniq 5 from a driveway.
These devices have been around for some time and carry some pretty hefty price tags. A 2020 report from The Drive showed that a Bulgarian entity producing such devices charged the equivalent of $25,000 for a unit.
According to one reseller of the device investigated by InsideEVs, the device is capable of stealing EVs like the Hyundai Ioniq 5, the Kia EV6, the GV60 from Hyundai's luxury Genesis brand as well as gas-powered cars like the Kia Niro, Forte, and K5.
More Business of EVs:
- New study suggests EVs are supercharging an impending environmental crisis
- GM President has bold plans for an iconic sports car's EV resurrection
- Ford CEO says this iconic model will "never" be an EV
But for such an expensive device, thieves are getting their money's worth.
Robert Whiteside told British tabloid newspaper The Sun in October 2023 that thieves nicked his Hyundai Ioniq 5 from right in front of his South London home while he was away on vacation in Cyprus.
He found out that his car was being stolen from a notification from the Hyundai Bluelink app alerting him that his car was unlocked. Though he was able to remotley connect to his home surveilance system, the car had already vanished into thin air.
"Two people walk up, open the car and drive off in a matter of seconds," he said.
"We were shocked and being away from the UK had challenges reaching the police via 999 so had to resort to other channels. I then realised the thief had removed me from the Bluelink App so I had no visibility of the car’s status or location."
Related: Veteran fund manager sees world of pain coming for stocks