Growing up in Michigan, I considered myself both a car and computer guy. In the sixth grade, I took my family’s Tandy 1000 computer apart to install a 300 baud modem. I vividly remember my older brother being certain the computer would no longer work after I had disassembled it to get to the motherboard. Much to his surprise, it did work and I was able to dial into a community bulletin board system (BBS) and connect to my friend’s computer so we could play chess. (Why anyone would want to do either of these things is a great mystery, but I did officially earn my Nerd Card.) On the car front, I subscribed to Car & Driver magazine and eagerly read about the newest automotive technology in each month’s issue.
Jumping forward to modern times, my father-in-law and mother-in-law each drive Hyundai Sonatas, 2015 and 2018 respectively. I should say “drove” because in October 2022, my mother-in-law’s was stolen from the parking structure of a Las Vegas casino. Then in January 2023, my father-in-law’s was stolen from their driveway! What a crazy coincidence!
You may remember that cars used to have two different keys – one for the door lock and one for the ignition. What many don’t recall is that auto companies used a fixed number of key designs. This meant that the same key worked in many cars across different manufacturers. To minimize the chance that someone would accidentally (or intentionally) use their key in someone else’s car, the automakers would randomly mix the door key with the ignition key. In this way, someone with the same door key would most likely not have the same ignition key and vice versa.
Looking back, I now see this purposeful key confusion as a rudimentary form of Multi-Factor Authentication (MFA) – the need for two credentials to gain access.
In this case, both the door and ignition keys combo to enter and start your car. However, if you broke into the car – thereby bypassing the door lock control – you only needed the ignition key to start and steal the car (or the knowhow to hotwire). This was a relatively easy vulnerability for car thieves to exploit.
To combat this problem, GM introduced their Pass Key Theft Deterrent system in the 1990 Cadillac Sedan de Ville. This technology embedded a computer chip into the ignition key and was uniquely coded to the car’s ignition system. In this way, GM modernized the MFA by requiring both the correctly coded chip and the standard key to start the car. Even if the physical key matched the lock cylinder, without the chip, the car would not start. This innovation was so effective that nearly all automakers adopted the technology into their vehicles over the next 25 years.
Perhaps you’ve already guessed which company didn’t fully adopt the technology… Hyundai!
It turns out that my in-laws were caught up in a nationwide target of Hyundais by car thieves. Hyundai wasn’t including the chip ignition technology in many of their models and car thieves found out about it. When faced with whether to steal a different model car, they picked the easier Hyundai target. The widespread impact hit the news in January 2023 when State Farm and Progressive announced they would no longer insure some models of Hyundais (or Kias) older than 2019 because of the string of thefts. Shortly thereafter, a class action lawsuit was brought against Hyundai and Kia by auto owners who had their cars stolen or insurance cancelled. (My in-laws had to pay their deductible twice, once on each car! And their insurance premiums went up!) The judge on the case recently rejected the proposed settlement of $200 million because it doesn’t provide “fair and adequate relief to vehicle owners.”
This story is a great reminder of three things happening in cybersecurity:
- After data backups, the most critical network protection is MFA. Having a more sophisticated ignition system won’t guarantee that your car won’t be stolen, but it does reduce the risk like MFA on a network (implementing MFA reduces the chances of a hacking incident between 95 and 99% (according to Google and Microsoft). Hackers target accounts that don’t use MFA in the same way that auto thieves target Hyundais, which don’t use the chip ignition technology.
- Cybersecurity experts consistently highlight the importance of keeping your hardware and operating systems patched. Just as auto thieves learned that certain Hyundais and Kias were easy marks for theft, cyber criminals learn about software vulnerabilities and target the systems that have not been patched and protected. Until those vulnerabilities are eliminated, the risk remains. Hyundai is actively working to recall and minimize their ignition system vulnerability.
- When your customers or clients learn of a breach of your system, your organization can suffer reputational damage. It’s important that your response be quick and appropriate. If Hyundai had moved quicker to aid their customers, they would have demonstrated to their clients their concern for their safety and well-being. They may have even looked like the heroes against the evil car thieves. However, because of their slow and inadequate response, they’re facing a huge financial settlement and more importantly, they’ve established their brand in the marketplace as being prone to theft. Who wants to buy a car that’s probably going to get stolen?
Cyberattacks will impact all organizations (it’s not a matter of if, but when). As a result, it’s critical that your organization (1) keeps your IT systems up to date from known vulnerabilities, (2) implements effective security measures, like MFA, and (3) utilizes an incident response plan to minimize the impact of a cyber security incident.
Dynamic Edge Can Keep Your Business Safe & Secure
Since 1999, Dynamic Edge has helped hundreds of small and mid-sized businesses maximize the return on their technology investment. Learn more about our Cybersecurity Support and request a free network assessment, so that we may help you implement cost-effective security solutions to keep your organization and its clients safe and productive. Our Help Desk features friendly, experienced engineers who answer calls live and solve more than 70% of issues on the first call.
