They're swapping out hardware, which is why they're asking money for this to compensate the labor costs. Not saying this justifies it, but the title is misleading.
It doesn't matter. If a customer buys faulty hardware, it's the seller's responsibility to replace it with working hardware. If the brakes had a manufacturing defect, you wouldn't expect the customer to pay for the replacement.
I've been holding my breath ever since Spectre/Meltdown for a free CPU upgrade to make up for the slower performance that the mitigations cause.
It's Intel's bug, they promised a certain processor speed, shouldn't it be their responsibility to replace it since their own security oversight resulted in the hardware not working as advertised?
Did you expect the same from Intel/AMD when those bugs came out? Is it different from this situation?
We don't actually know how to build the CPU that would replace your vulnerable one.
New CPUs are largely immune to the specific attacks that were published before they were designed. But we aren't gonna get a fast CPU without sidechannels and IMO it's not possible in theory to build a branch predictor that never makes potentially exploitable mispredictions.
In a sense this doesn't change your point but I wanted to take the opportunity to point this out. "This CPU is vulnerable to attack X" just means researchers have found an exploit in practice, which we already knew in theory was there.
This wasn't the expectation before Spectre/Meltdown but now we live in a world where you need to assume a degradation in your CPU's effective performance as we learn about its vulnerabilities and need to apply software workarounds.
I am building "one mitigation to rule them all" called Address Space Isolation but this doesn't fundamentally remove that fact, it just means that when we learn about a CPU's vulns we don't have to build a new mitigation we just have to change the settings on the existing one (and it should be more efficient than the bespoke one would be).
The last desktop processor that actually promised a certain speed was probably the 68020. Everything since then has had inscrutable performance characteristics.
They promised the performance of their processor more than Hyundai promised that the Ioniq 5 was "carjacking-proof, even if the attackers have specialized tools", and this thread is about Hyundai replacing parts of cars for free because attackers can hack into cars. With specialized tools. Which of course they can.
The line between software and hardware is hard to distinguish when we talk about ASICs and FPGAs, but they still should be responsible for core functionality (i.e. locks) as they shipped insecure software.
These in fact do exist, but they have properties unsuitable for many use cases, such as taking 8-24 hours to open if you lose the key/combination or a mechanical fault occurs, and being part of a system so heavy the floor beneath them has to be constructed to support the weight. (A friend of mine was a master locksmith for many years and worked on such locks, mostly for government contracts.)
In case of a lockout often the easiest way to open them is a brute force attack using a device called an autodialer.
In my opinion, yes, yes they should. If you can’t guarantee security of your device, and you don’t want to update the software, then you’ll need to upgrade the hardware. I think it’s perfectly reasonable to have that under a warranty.
> I think it’s perfectly reasonable to have that under a warranty.
The warranty is not that long, and I think the parent comment is talking about 6+ year old iphones that are definitely out of warranty.
If those should get replaced, surely that means each person buys one iPhone in their life, and then just gets free replacements forever, leading to the initial cost of the phone having to go up a lot to account for that.
Incorrect. Forced obsolescence lets manufacturers decide where that cut off is. 6+ year iPhone, nope, not going to touch it. Sorry. However, if it’s still serviceable and by some rule less than X years old, that just had a security issue or something publicly disclosed, should do their best effort to repair their customer relationships by making it right.
It seems short-sighted to not do this as a courtesy, given the reputational hit from the Kia/Hyundai Boyz saga just a few years ago. Who wants to be a manufacturer with a reputation for making easy-to-steal cars? Who wants to (for a reasonable price) insure cars made by said manufacturer?
I have a Kia EV6, and just saying that if the same “patch” is offered for it, I won’t think twice about paying $65 for it.
I’d also not be super happy they didn’t cover it, but I saw a comment about never buying a Hyundai because of this, and not sure I’d be that upset about it.
There’s a line, for sure, but $65 wouldn’t be it, for me.
Swapping software, pentesting, testing, QA, CI/CD pipelines, image caches aren't free either. Can we then start making more money as software developers to patch CVEs? We clearly should consider holding ourselves to a lower standard. Your requests are getting 5xx errors? Pay me more to fix it, not my problem that your requests are failing.
> Pay me more to fix it, not my problem that your requests are failing.
If you are employed in a position where there is a defect in the product then you are already being paid. Imagine going to a restaurant and you get an uncooked frozen steak, and when you tell the waiter they tell you that since the cook will need to spend more time on it you now have to pay extra.
Look at the price of the car compared to other electric SUVs. This is a McDonald's type of situation, not a restaurant where you can request to cook a rare steak a bit more and not get charged extra.
Even in McDonalds if what they give you is defective they will replace it without question once you bring it to their attention.
If it turned out the door locks on the car were defective you'd expect them to be replaced under warranty. If the warranty had expired the situation would, admittedly, be a bit murkier - but you could still make a case that since the locks had always been faulty they'd be the manufacturer's responsibility.
Someone I used to work with had a car a few years ago on which the battery would mysteriously drain for no obvious reason. It turned out to be a defect in the infotainment system's firmware - and he was furious that he was expected to pay for the firmware update to fix it. (The car was long out of warranty, though.)
> if what they give you is defective they will replace it without question once you bring it to their attention
Go there and request a rare steak or idk steak with kimchi, let us know how it goes!
This is a Korean car and probably secure enough in Korea, where you usually don't lock your bike and/or house. If it is not secure if you park it on the street in SF/London/Magadan/Capetown/Kabul, are you sure they owe you a free "fix" for everything that may occur?
Hyundai has car factories in 10 countries. The car in question is made in at least 2 countries. The defect being fixed applies to cars sold by a British subsidiary in Britain to Britons with the promise that it meets British market standards. It’s not even clear to me that these cars were manufactured in Korea, if they were, they couldn’t be sold there due to the right hand drive. The cars in question were very much NOT made to be driven in Korean conditions.
If these people had bought a Korean market car in Korea and personally shipped it to the UK, yours would be a more compelling argument.
As it is, it makes no sense. If you choose to participate in a foreign market you do not get to abdicate responsibility for problems because they don’t exist in your home market.
Are you just a mean person in general that you think bringing a problem to the attention of wait staff would cause them to become malicious?
Be a nice human being and you won’t receive that treatment. If your McDonalds wait staff are generally malicious without any provocation, well vote with your feet, nobody is making you eat McDonalds, the sales numbers will correct the problem.
While as noble as that sounds, there’s only so much nice in the tank in a day. Wait staff and fast food workers are treated terribly and so you end up with folks about to snap.
There’s a lot of evidence of this happening in the USA if you just do a search. It’s uncommon, but it happens. At those prices, I’d just rather purchase the item to be made again.
You read some stuff on search and you think it's something that happens more than it really does.
In general they don't care, it's not coming out of their paychecks, they'll give you another burger, go away now.
When I worked at McDonald's we'd have the favorite burgers pre-made and they'd be left at the warming tray, so orders can be taken care of in maybe 30 seconds, but I guess nowadays that's too wasteful so the burgers are made on demand. There was a day like "Big Macs for $1" day, so we had a line of maybe 50 Big Macs queued, wrapped and ready to eat, that the foreman said "Slow it down with the Big Macs!".
I want a dumb EV. No infotainment system. Just speakers and a way to plug my device into them. Anything critical to the car should be completely air gapped and require an absolute minimum amount of software, preferably zero.
Agreed. I'd actually like to buy an EV, but so far there are no candidates which meet my minimum requirements, which are pretty much what you said + serviceable by any mechanic with aftermarket parts + using Na-ion, not Li-ion batteries. And it shouldn't be super ugly like most new cars are today (e.g. Rivian, VW ID Buzz).
Though I'm pretty sure you can't even legally make such a car anymore, at least in Europe, where certain "smart" features are required for new cars. Perhaps a manufacturer of such an EV could put all of that into one box which the user can simply pull out and discard.
Vertical digital signage products should also have their polarization filter flipped 90° so you can view them with polarized sunglasses, adding another SKU and cost.
Stockholms Länstrafik didn't figure this out so all our timetable displays are pitch black when viewed with polarized sunglasses.
I've noticed that all but iPhones exhibit this behavior at some angle too and they're apparently using "circular polarization" (expensive) which is another one of these "we do it better" things nobody knows about from Apple (or displays in general)
I work at an ewaste recycling company. Last week, I was testing a projector, and was using a USBC to DVI cable (one of the most cursed cables I've come across). I said "LOL this won't work" and plugged it into my phone. Sure enough, my phone recognized that a display was connected, and once confirmed, showed what I expected it to!
Plugging a car into a phone should work like that: just a dumb display with maybe a keyboard or touchscreen input device.
Yeah I’ve seen these posted here previously! Probably the most appealing new car to me at the moment. Hopefully they take off and we can get them outside the US
I've seen this before, and I like the design. It's cute yet functional. It would fit in well on European roads.
One thing that stands out to me is the front wheels protrude beyond the body. I don't recall ever seeing that on a consumer road vehicle before, at least one designed after the 1930s.
Yeah, I'd think open-wheel cars are not road legal in the US but I just checked. Apparently it varies by state. Adding fenders seems simple enough at least. Aging Wheels did a video about the Telo and one thing that stood out to me was that they seemed intent on scaling slowly.
We have a Volkswagen e-Up, it's basically that. Analog cluster, a very small radio screen that also displays the world's smallest reverse camera view, and a dashboard mount for your phone. It's a fantastic little car, I honestly like it more than our 400bhp Volvo XC60.
The e-Up is great, but there is still the remote control modem installed by default that lets Volkswagen « Cloud » and the app control the car remotely, and get data such as the GPS location of the car.
Except the modem doesn't work anymore because it's 3G-only and 3G networks have been switched off in a lot of places, and VW said they won't offer upgraded hardware for it.
That’s illegal in the EU, 911 eCall requires an always-on cellular connection with an attached device that records your location. Would you please think of the children?
This is a violation of UN regulation 155/156 where the vendor must provide free fixes and updates in case of safety or cybersecurity violations.
I'm mentioning this specifically because the CAN bus is involved, which is mandatory to be safety conform and has to be ASIL-C/D conform. If you cannot guarantee that, you will lose the license.
Without conformance to UN Regulation 155/156, the car manufacturer might lose its license for the underlying car platform (not only the downstreamed models), meaning refunding/damages need to be paid for all buyers of cars of that platform.
So chances are this can be fought in court, and Hyundai probably has to offer free replacement of that defective part.
If the ignition and door locks in your vehicle were mistakenly designed in such a way that they are trivially shimmed or could be operated by any key it seems absurd to suggest the customer should pay you to replace these mechanisms with ones that are properly secured. This seems roughly analogous to that situation at least to my understanding.
The story has a bad spin, yes. But it’s just as much of a controversy as if they had required people themselves to pay the cost if they found out the cars were shipped with defective brakes. It’s a product error, not wear and tear or user error; they should eat the costs, but the cybersecurity framing of it is being used to attempt to push the cost to the consumer.
> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.
The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.
This is why, back when I owned a Jeep, I never locked it. Figured if someone wanted the 85 cents in change that badly I'd rather they not take a knife to my (plastic) windows.
Right, and even un-sexy and inexpensive vehicles get targeted these days, because they can be used as tools to commit other crimes, not just a commodity to be resold or scavenged.
The thing I did not expect is that most of these criminals will gladly connect their phone to the car's entertainment system so they can play their music while they do this.
They can then brag about the number of thefts they've engaged in by the number of Kia vehicles listed in their phone's Bluetooth connection list.
The surprise is that the police don't seem to understand how to incorporate these facts into their tactics.
Knowing folks with this problem, I've been looking into some way of adding some kind of "pulling or removing the door handle without first disabling the alarm triggers the alarm" circuit... but the necessary disassembly is a pain.
The Kia Boys stuff, child labor, and ICCU failures weren't enough? The Ioniq 5 absolutely looks like a compelling car but from my POV Hyundai seems hell bent on snatching defeat from the jaws of victory.
I've had to "experience" those once for our test drive of said Ioniq 5. Well, never again. "Dubious" is the most friendly word I have for the one that is next to us.
And: the car itself is priced at least 10-15k€ too high for what it is.
I tried to buy an Ioniq 5 when Hyundai had attractive lease offers published. A dealer near me had a car that showed as qualifying and I emailed to verify that it was in-stock and qualifies for the lease offer. That started one of the most Byzantine discussions around “come on in and we’ll create a custom lease package that suits your needs best.” “I don’t need anything custom; I find the published lease offer suits my needs perfectly.” <3-4 more emails made clear they had no intention to sell that car for that lease offer.> Now we have a CPO Lexus and I couldn’t be happier.
I watched the Rich Rebuilds review of the Ioniq 5N recently and while I'm underwhelmed by Hyundai as a company I'll disagree with you and Rich about Hyundai pricing these $10-15k too high. Pretty much the only competition is the Model 3 (Performance), and by that metric Ioniq pricing is spot on. Sure the iD.4 exists but VW really flubbed the software on that. And if you're eyeing the 5N over the regular 5, it did the Pike's Peak climb faster than the Tesla (and on a single charge IIRC).
Compared to the Tesla, the Hyundai has an actual interior with physical controls, an 800V charging system, panels that actually line up, and a far bigger dealer/support network. These are things that cost money and even without those things Tesla isn't making a ton of money.
Of course I'm in California so EVs are more expensive to run than ICE cars so it's all moot.
I once ordered Kia EV6, but after a year I canceled the order. I am now glad I canceled it. Bi-yearly inspections and coolant change for 600€ are ridiculous ripoffs. ICCU failures are handled really badly in Germany. I really like the EV6 and EV3 cars, but the manufacturer isn’t that attractive anymore
My understanding is that the firmware has some sort of DRM and it’s being sold - not freely distributed. (Admittedly, the comment I saw mentioning cost pegged it at 1k, not 20k for a license.)
I don't know about the Hyundai Ioniq, but the Kia Niro has no way to permanently disable keyless entry, which would be the obvious, super easy s/w fix. You can disable it each time you lock your car by holding extra buttons on the fob for a few secs, but it's auto re-enabled next time you unlock. It's everything you need to know before you make your smart decision not to buy a Kia. Cheap(er) for a reason.
But look from their point of view. It's the most stolen car in the UK. The brand doesn't seem to be suffering much. Having terrible security just helps sales!
We are not scared of regulation in the UK. And this car has existed, in the UK, with this flaw, for over 6 years. Quite clearly nobody is interested in doing either of those things you suggest.
Plus the UK is about to reintroduce financial incentives for private EV purchase, they want to push sales, not clamp down on crap products.
I don't get why companies don't understand how offensive it is to the customer to nickel and dime them, especially after they're already a converted customer. They could easily eat the $60 cost and spin it as positive PR, Apple-style.
It's particularly bad because customers see it as a defect. No one wants to pay full price for defective equipment. The only thing that would make it worse is if this "hack" were reproducible on the flipper zero and they get themselves into another Kia Boys situation.
There are two aspects. "Charge" and "costs/who pays". When someone can start a Kia with a USB cable, the owner pays for that. Kia may have a fee for replacing something, but that doesn't factor in the calculus of "there's a reason these people are buying our product, and we assess they will continue to do so."
Note that Kia offered a maximum of $6,125/$3,375 for totaled/damaged vehicles.
The previous formula:
"You take the population of vehicles in the field (A) and multiply it by the probable rate of failure (B), then multiply the result by the average cost of an out-of-court settlement (C).
A times B times C equals X. This is what it will cost if we don't initiate a recall.
If X is greater than the cost of a recall, we recall the cars and no one gets hurt.
If X is less than the cost of a recall, then we don't recall."
There is also this thing called brand loyalty. After the car manufacturer pulls a stunt like that I will think twice before I buy my next car from them.
"The term "patch" came from early use in telephony and radio studios, where extra equipment kept on standby could be temporarily substituted for failed devices." - from https://en.m.wikipedia.org/wiki/Patch_cable
But yeah, the term patch just seems weird in this article. Why not just "upgrade" or "fix"?
I'm not so sure, I thought "patch" originated from hole punching cards to program stuff. A software patch was literally a patch of tape that hides an erroneously punched hole in such a card.
I find it far more likely that patches--in terms of fixing problems with small, targeted changes--derives from the use of the term for fixing holes in cloth by sewing on another piece of cloth.
A side question, both this and the VW power unlock payment from the other day, are targeting UK market, so is legislation (lack of it) such in the UK that allows for such practices?
Stealing cars is illegal in the UK, however you do it. Just having this "gameboy-like device", in your pocket is "going equipped", and you're going to get arrested on its discovery about your person outside of your abode. No ifs, no buts.
The UK has lots of new cars (plenty of cheap financing around for lease, PCP and HP deals), and there is a low-level epidemic of thefts of vehicles that end up in shipping containers and heading out of the country within hours. [0]
Car insurance is also so high in the UK at background levels that if you end up owning a highly desirable and very easy to steal car (the Range Rover a few years ago, for example), the costs being added to price in the risk of your car ending up in a container heading to the Middle East don't seem - as a percentage - particularly high.
The fact UK has great shipping throughput to the Middle East, Africa, and so on, is both a boon economically, but also it makes great cover for all sorts of shenanigans.
Does Hyundai consider this as a patch though? I'm wondering if the dealership would present you the bill with a straight face, is that presented as a "more secure" system, or an "additional anti theft device"?
From the wording of the press release it sounds like they view it as an optional add-on specifically for UK customers who want additional security:
Recently, evolving security threats, including the use of unauthorised electronic devices to bypass vehicle locking systems have become more prevalent in the UK. This is an industry-wide issue and Hyundai is providing appropriate responses in line with industry practices.
As part of the Company’s commitment to supporting our customers, we are able to offer a subsidised software and hardware upgrade for a customer contribution of £49.
Hmmm, so recently: ̶ ̶H̶y̶u̶n̶d̶a̶i̶ ̶K̶i̶a̶ ̶V̶o̶l̶k̶s̶w̶a̶g̶e̶n̶ ̶
At this rate, I'll be back to Tesla for any future EV purchase. (Noting that Tesla second-hand prices in Europe seem to have taken a dive over the past while, presumably partly thanks to Elon's shenanigans?)
I’ve now had 2 IONIQ 5s stolen in Berlin, the last a couple months ago. Each seemingly using a keyless access hacking device. That’s enough for me to not see a Hyundai or Kia in my future anytime soon.
And I very much liked the IONIQ 5. But if I can’t keep one more than 2 years, what’s the point? I’ve lost all trust in those companies, upgrade or not.
Would be interesting to see insurance companies stand on this. Are you expected to pay for the security upgrade or not. Will it be deemed missing as "unpatched - that's your fault".
This is a great question. Have been in insurance for 20 yrs now. Cannot fathom why f.e. insurers don’t hold manufacturers responsible for losses due to cloned car keys with inadequate protection. I do know that insurers are generally very hesitant to start legal procedures, especially those that end up in the news. Say, Volkswagen and Stellantis are formidable adversaries as well as national champions, so there is some presumption that getting your right might be difficult. And the bar as I understand it is not technical SOTA, but more something like acceptable practice, so the manufacturer could argue “hey everyone has shitty protection, so suck up the loss”. Perhaps the newest European legislation will help raise the bar / even the playing field.
Given that many door locks and other portable locks are laughably bad and can be opened with sometimes simple shimming, or at most basic picking tools, that would mean insurance companies could already have sued Master locks for instance. So at least, bad security is probably not enough for it.
From there, making customer pay to fix bad security doesn't sound like a significant step.
So, can people tell me what cars with keyless entry systems aren't susceptible to these attacks?
I'm somewhat wary of any of them, but it seems like it's a feature of a lot of new cars, and I can't tell what is "safe" to buy. It was a simple signal amplification thing wasn't it?
Does anyone know if BYD cars suffer from it for example?
I was just looking at a new Hyundai today. Now I've got something more to consider if they aren't willing to stand behind securing their vehicles at their cost.
Hunh. I know what I'm doing this weekend... Scanning Ioniq VINs to see if they're vulnerable. I bet I could train YOLO to recognize Ioniqs from a drone camera at 50 ft.
The car stealing device is $20k, could someone do some math to see what kind of ROI a criminal could expect if they use it to steal cars and part them out?
They aren't actually. Which is why thieves just smash your windows. In either case the alarm is going to go off so there's no advantage to them learning a complex attack on your lock cylinder when a piece of concrete will do.
Further there often were additional ignition interlock mechanisms that required the correct key code or a key with the correct additional hardware to be present for the starter cylinder to actually engage your starter.
> didn't know Hyundai owners were so entitled.
It's called a defect. It should be a recall. We have laws that cover this. They're pretty explicit. I didn't know Hyundai CORPORATION was so entitled as to think they were not subject to them.
I agree Hyundai should fix this for free (would make up a small portion of the bad PR for having this issue in the first place), but don't forced recalls usually only apply to defects that cause safety issues?
I'm not sure this would fit the definition of a product safety defect.
It's not ease, it's efficiency: opening a locked car door is 1-2 minutes for an experienced person. Smashing the window is 2 seconds (though you also need some experience, as modern car side windows are also laminated).
As far as I'm concerned, security issues (outside of very niche situations) in a product mean that the product was defective. If you sell a defective product, you should be on the hook to correct the defect.
There’s no bright line that defines “defect” and makes this determination. What Hyundai should be considering here is whether consumers will decide that buying a car from a company that doesn’t fully own their security mistakes isn’t worth it.
I agree it's hard to draw a bright line, but I'm personally comfortable erring heavily on the side of defect for security issues.
I'd be willing to agree that certain security issues might not constitute a manufacturing or design defect. If a thought-to-be-secure encryption was cracked tomorrow, that doesn't make products using it defective at the time of manufacture.
This isn't about normal wear-and-tear but a fundamental security design flaw that allows thieves to steal these cars with a $25 device exploiting the CAN bus - more akin to GM shipping cars with a master key hidden under the floor mat than a pickable lock.
Claiming it is a "security design flaw" is absurd paranoia, the same paranoia that causes manufacturers to destroy the aftermarket and fight right-to-repair in their quest for "security".
Except even more egregious, because if your GM car had a master key under the floor mat, you could just remove it yourself and throw it down a handy storm sewer.
I think your take makes more sense in a world where you actually own the car fully and have the freedom to do what you want with it. Even if someone was able to write this patch themselves without the source code, distributing it would require owners to root their devices, which isn't legal in all jurisdictions.
You don't expect Microsoft or Adobe to issue fixes any time someone finds a remote exploit that lets attackers gain control of your system through a security issue in their software? I 100% expect this of my software vendors even for this purchase in the past. The expectations for software and hardware are certainly very different, but even for hardware we have laws that force companies to fix their hardware in some situations.
In the automotive industry, pretty much the whole point of standards like cybersecurity (ISO21434) and functional safety (ISO26262) is to let the manufacturer claim in court that they followed “modern best practices” and therefore are not liable when something goes wrong.
If a security flaw is so egregious as to warrant a patch, then the patch should be considered to be a fix of a defective product and free.
If the situation doesn't rise to that level of severity, then it follows that a patch isn't necessary.
If GM were to offer lock cylinder replacements because their original cylinders were so flawed as to warrant them, then yes the cylinder replacements should be free. The sold product was not as described.
If the original cylinders aren't so flawed as to warrant a replacement, then no cylinder replacement would be offered.
Are GM cylinder replacements being offered? If not, then your analogy isn't analogous.
>Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.
No.
Other manufacturers treat defects with recalls after analyzing the fiscal prospect of doing so, and determining whether or not state/regional laws require them to do it.
Here's one of the "not that wrong" scenes from Fight Club to better explain[0].
Well if your car had a seat belt defect and people were dying you know they absolutely would recall the car and pay for the defect.
The defect that allows the car to be stolen in seconds is absolutely a serious problem. I hope Hyundai changes course and decides to provide it for free. We have already seen reports of the trend where people were stealing Hyundai/Kia vehicles and going on joy rides driving extremely dangerously. This has led to deaths in several instances. So they have a flaw that has led to people dying. IANAL but I would say leaving this flaw unpatched may even leave them liable if anyone else were to be hurt. As a recent example of something similar is the Sig Sauer P320. They are in the middle of fighting some lawsuits over their faulty product. So it would not be a far stretch if Hyundai/Kia were held responsible for a known flaw in their product.
Anyways it is just my opinion that they should just eat the cost to provide this for free as a show of standing behind their product. Just seems like such bad PR to now make people pay.
It seems like you don't like Hyundai. What's childish is your resort to ad hominem because you disagree.
It's not free labor any more than the car was free. It's a fix of product that was defective off of the line. The necessity of the fix being evidence of the defect.
Car buyers are not automotive cybersecurity engineers, and they can never be expected to be. Caveat Emptor is a hilarious remark for this situation.
Is it a defect if it required the development of an adversarial tool / exploit which previously did not exist? If the roof leaked when it's raining it's a defect because rain existed before. But this exploit didn't exist before.
Sure, that could be a decent legal regime. The first step to enabling it would be releasing the source code and system documentation for the product they've sold, so that it's even possible for anyone else besides themselves to fix it. Until then it's a black box the company has chosen to retain responsibility for. And frankly regulators should be making sure they support the 20-40 years of useful life we generally expect from automobiles.
I'm not talking about individuals' expectations for how long they personally will use a given vehicle, but rather societal expectations for how long a given vehicle will live across all tiers of the market. The cell phone made-to-be-ewaste model shouldn't be allowed to infect capital assets costing 100x as much.
No. Humans age in a way that cars don't, so "that logic" would not attempt to apply the same curve to humans.
If you're done nitpicking, you're welcome to explain your number better. You forgot to say how to apply "4.5%". I'm sure an exponential fit has issues, but a linear fit would be much worse, and anything fancy needs more data points.
That's why I gave a range. That average stat actually seems to line up with the low end of that range, and since every car isn't scrapped at the same age it's going to be a distribution. There are not many cars from 1985 on the road today, but there sure are some. And since we're talking software which doesn't actually degrade, it shouldn't be the thing limiting the overall lifetime.
They're swapping out hardware, which is why they're asking money for this to compensate the labor costs. Not saying this justifies it, but the title is misleading.
It doesn't matter. If a customer buys faulty hardware, it's the seller's responsibility to replace it with working hardware. If the brakes had a manufacturing defect, you wouldn't expect the customer to pay for the replacement.
I've been holding my breath ever since Spectre/Meltdown for a free CPU upgrade to make up for the slower performance that the mitigations cause.
It's Intel's bug, they promised a certain processor speed, shouldn't it be their responsibility to replace it since their own security oversight resulted in the hardware not working as advertised?
Did you expect the same from Intel/AMD when those bugs came out? Is it different from this situation?
We don't actually know how to build the CPU that would replace your vulnerable one.
New CPUs are largely immune to the specific attacks that were published before they were designed. But we aren't gonna get a fast CPU without sidechannels and IMO it's not possible in theory to build a branch predictor that never makes potentially exploitable mispredictions.
In a sense this doesn't change your point but I wanted to take the opportunity to point this out. "This CPU is vulnerable to attack X" just means researchers have found an exploit in practice, which we already knew in theory was there.
This wasn't the expectation before Spectre/Meltdown but now we live in a world where you need to assume a degradation in your CPU's effective performance as we learn about its vulnerabilities and need to apply software workarounds.
I am building "one mitigation to rule them all" called Address Space Isolation but this doesn't fundamentally remove that fact, it just means that when we learn about a CPU's vulns we don't have to build a new mitigation we just have to change the settings on the existing one (and it should be more efficient than the bespoke one would be).
> they promised a certain processor speed
How have they advertised that? Was it clock frequency? Their mitigations mean it still runs at that clock frequency.
The last desktop processor that actually promised a certain speed was probably the 68020. Everything since then has had inscrutable performance characteristics.
They promised the performance of their processor more than Hyundai promised that the Ioniq 5 was "carjacking-proof, even if the attackers have specialized tools", and this thread is about Hyundai replacing parts of cars for free because attackers can hack into cars. With specialized tools. Which of course they can.
There is nothing faulty in the hardware, why should they replace it?
Following the same logic: old phones, even iPhones, can be hacked. Should manufacturers replace the hardware?
The line between software and hardware is hard to distinguish when we talk about ASICs and FPGAs, but they still should be responsible for core functionality (i.e. locks) as they shipped insecure software.
But why? Locks are working. They perfectly fulfill requirements for the lock. Open/close with a key, stay closed if tried to be opened without a key.
There is no such thing as a secure lock. Any lock could be opened without the original key. The difference is in the amount of effort.
Still baffles me that KIA sold cars which can be driven away using a screwdriver and a USB cable.
> There is no such thing as a secure lock.
These in fact do exist, but they have properties unsuitable for many use cases, such as taking 8-24 hours to open if you lose the key/combination or a mechanical fault occurs, and being part of a system so heavy the floor beneath them has to be constructed to support the weight. (A friend of mine was a master locksmith for many years and worked on such locks, mostly for government contracts.)
In case of a lockout often the easiest way to open them is a brute force attack using a device called an autodialer.
There are some locks that cannot be opened without the correct key. Abloy and BiLock are two examples.
They should open up the specs, so that the community could update the software.
In my opinion, yes, yes they should. If you can’t guarantee security of your device, and you don’t want to update the software, then you’ll need to upgrade the hardware. I think it’s perfectly reasonable to have that under a warranty.
> I think it’s perfectly reasonable to have that under a warranty.
The warranty is not that long, and I think the parent comment is talking about 6+ year old iPhones that are definitely out of warranty.
If those should get replaced, surely that means each person buys one iPhone in their life, and then just gets free replacements forever, leading to the initial cost of the phone having to go up a lot to account for that.
Incorrect. Forced obsolescence lets manufacturers decide where that cut off is. 6+ year iPhone, nope, not going to touch it. Sorry. However, if it’s still serviceable and by some rule less than X years old, that just had a security issue or something publicly disclosed, should do their best effort to repair their customer relationships by making it right.
Agree the title is a bit misleading, but addressing what sounds like an exploit still feels like a patch of sorts.
But yeah, “patch” usually implies software vs. hardware.
Either way, agree with other comments that Hyundai should just eat the costs if it prevents theft due to an exploit.
Having said that, given what the car costs, the fee doesn’t seem completely unreasonable.
Given what the car costs, you'd think they'd do this out of courtesy.
It seems short-sighted to not do this as a courtesy, given the reputational hit from the Kia/Hyundai Boyz saga just a few years ago. Who wants to be a manufacturer with a reputation for making easy-to-steal cars? Who wants to (for a reasonable price) insure cars made by said manufacturer?
Yeah, definitely.
I have a Kia EV6, and just saying that if the same “patch” is offered for it, I won’t think twice about paying $65 for it.
I’d also not be super happy they didn’t cover it, but I saw a comment about never buying a Hyundai because of this, and not sure I’d be that upset about it.
There’s a line, for sure, but $65 wouldn’t be it, for me.
Starting MSRP of US$42,600? Seems like there’s some room there to cover manufacturer mistakes.
Swapping software, pentesting, testing, QA, CI/CD pipelines, image caches aren't free either. Can we then start making more money as software developers to patch CVEs? We clearly should consider holding ourselves to a lower standard. Your requests are getting 5xx errors? Pay me more to fix it, not my problem that your requests are failing.
> Pay me more to fix it, not my problem that your requests are failing.
If you are employed in a position where there is a defect in the product then you are already being paid. Imagine going to a restaurant and you get an uncooked frozen steak, and when you tell the waiter they tell you that since the cook will need to spend more time on it you now have to pay extra.
Look at the price of the car compared to other electric SUVs. This is a McDonalds type of situation, not a restaurant where you can request to cook a rare steak a bit more and not get charged extra.
Even in McDonalds if what they give you is defective they will replace it without question once you bring it to their attention.
If it turned out the door locks on the car were defective you'd expect them to be replaced under warranty. If the warranty had expired the situation would, admittedly, be a bit murkier - but you could still make a case that since the locks had always been faulty they'd be the manufacturer's responsibility.
Someone I used to work with had a car a few years ago on which the battery would mysteriously drain for no obvious reason. It turned out to be a defect in the infotainment system's firmware - and he was furious that he was expected to pay for the firmware update to fix it. (The car was long out of warranty, though.)
> if what they give you is defective they will replace it without question once you bring it to their attention
Go there and request a rare steak or idk steak with kimchi, let us know how it goes!
This is a Korean car and probably secure enough in Korea where you usually don't lock your bike and/or house. If it is not secure if you park it on the street in SF/London/Magadan/Cape Town/Kabul, are you sure they owe you a free "fix" for everything that may occur?
Hyundai has car factories in 10 countries. The car in question is made in at least 2 countries. The defect being fixed applies to cars sold by a British subsidiary in Britain to Britons with the promise that it meets British market standards. It’s not even clear to me that these cars were manufactured in Korea, if they were, they couldn’t be sold there due to the right hand drive. The cars in question were very much NOT made to be driven in Korean conditions.
If these people had bought a Korean market car in Korea and personally shipped it to the UK, yours would be a more compelling argument.
As it is, it makes no sense. If you choose to participate in a foreign market you do not get to abdicate responsibility for problems because they don’t exist in your home market.
Absurd. McDonald's chose to participate in the Korean market and I see no kimchi burgs there?
That's absurd logic as cybersecurity applies everywhere.
Also, they need to secure it in the international markets they're selling it in.
You are confusing infosec on the internet, which is global, and local crime, which is not global and VERY different per country.
> Even in McDonalds if what they give you is defective they will replace it without question once you bring it to their attention.
Tell me you have never worked fast food without telling me you have never worked fast food. You do this, they’ll spit in it.
Are you just a mean person in general that you think bringing a problem to the attention of wait staff would cause them to become malicious?
Be a nice human being and you won’t receive that treatment. If your McDonalds wait staff are generally malicious without any provocation, well vote with your feet, nobody is making you eat McDonalds, the sales numbers will correct the problem.
While as noble as that sounds, there’s only so much nice in the tank in a day. Wait staff and fast food workers are treated terribly and so you end up with folks about to snap.
There’s a lot of evidence of this happening in the USA if you just do a search. It’s uncommon, but it happens. At those prices, I’d just rather purchase the item to be made again.
But yes, be a good human.
You read some stuff on search and you think it's something that happens more than it really does.
In general they don't care, it's not coming out of their paychecks, they'll give you another burger, go away now.
When I worked at McDonald's we'd have the favorite burgers pre-made and they'd be left at the warming tray, so orders can be taken care of in maybe 30 seconds, but I guess nowadays that's too wasteful so the burgers are made on demand. There was a day like "Big Macs for $1" day, so we had a line of maybe 50 Big Macs queued, wrapped and ready to eat, that the foreman said "Slow it down with the Big Macs!".
> You do this, they’ll spit in it.
I didn't work there long, but I don't remember anyone doing that.
Why would the price/cost of hardware replacement be treated differently from the price/cost of software replacement?
I want a dumb EV. No infotainment system. Just speakers and a way to plug my device into them. Anything critical to the car should be completely air gapped and require an absolute minimum amount of software, preferably zero.
Agreed. I'd actually like to buy an EV, but so far there are no candidates which meet my minimum requirements, which are pretty much what you said + serviceable by any mechanic with aftermarket parts + using Na-ion, not Li-ion batteries. And it shouldn't be super ugly like most new cars are today (e.g. Rivian, VW ID Buzz).
Though I'm pretty sure you can't even legally make such a car anymore, at least in Europe, where certain "smart" features are required for new cars. Perhaps a manufacturer of such an EV could put all of that into one box which the user can simply pull out and discard.
Nobody will sell you one for cheaper than a whole package.
See also ‘smart’ tvs vs digital signage displays aka dumb tvs.
Slate [0] say differently...
[0] https://www.slate.auto/en
Slate has not shipped yet.
While this is partially true, digital signage displays are also designed to run 24/7, which also makes them more expensive than regular TVs.
Vertical digital signage products should also have their polarization filter flipped 90° so you can view them with polarized sunglasses, adding another SKU and cost.
Stockholms Länstrafik didn't figure this out so all our timetable displays are pitch black when viewed with polarized sunglasses.
I've noticed that all but iPhones exhibit this behavior at some angle too and they're apparently using "circular polarization" (expensive) which is another one of these "we do it better" things nobody knows about from Apple (or displays in general)
(https://claude.ai/share/e462247c-0ecd-4a07-8ec1-36a4f3c86597)
On the other hand, it would be great for sunglasses to automatically change their polarization angle to block street ads...
There will always be at least a basic screen in new cars in the US because of backup camera requirements.
Yeah, a basic screen with Android Auto + Carplay (just the video passthrough, not the OS with installable apps) would be perfect.
I work at an ewaste recycling company. Last week, I was testing a projector, and was using a USBC to DVI cable (one of the most cursed cables I've come across). I said "LOL this won't work" and plugged it into my phone. Sure enough, my phone recognized that a display was connected, and once confirmed, showed what I expected it to!
Plugging a car into a phone should work like that: just a dumb display with maybe a keyboard or touchscreen input device.
Isn't that essentially what Carplay and Android Auto are? Just over USB?
Such a car will not comply with legislation. Or are you talking about a car with all sorts of tracking systems and driver assists but no infotainment?
Anyway, that is not what the majority wants to buy. Even more, a car is not what the majority wants to buy in the USA. SUVs/trucks are desirable.
If you get the base level, expression trim of the Dacia Spring then you get an EV without an infotainment system: https://www.dacia.co.uk/hybrid-and-electric-range/spring-cit...
Check out Slate trucks. I want that too and this seems to be perfect. Has windows you roll down even. Fingers crossed it actually launches.
https://www.slate.auto/en
Yeah I’ve seen these posted here previously! Probably the most appealing new car to me at the moment. Hopefully they take off and we can get them outside the US
Have you seen Telo?
https://www.telotrucks.com/
I've seen this before, and I like the design. It's cute yet functional. It would fit in well on European roads.
One thing that stands out to me is the front wheels protrude beyond the body. I don't recall ever seeing that on a consumer road vehicle before, at least one designed after the 1930s.
Yeah, I'd think open-wheel cars are not road legal in the US but I just checked. Apparently it varies by state. Adding fenders seems simple enough at least. Aging Wheels did a video about the Telo and one thing that stood out to me was that they seemed intent on scaling slowly.
This thing has no autonomy
Good? Less to go wrong.
We have a Volkswagen e-Up, it's basically that. Analog cluster, a very small radio screen that also displays the world's smallest reverse camera view, and a dashboard mount for your phone. It's a fantastic little car, I honestly like it more than our 400bhp Volvo XC60.
The e-Up is great, but there is still the remote control modem installed by default that lets Volkswagen « Cloud » and the app control the car remotely, and get data such as the GPS location of the car.
As eCall is now mandatory you can't build a car without a cellular modem anymore.
* in the EU. https://en.wikipedia.org/wiki/ECall
Except the modem doesn't work anymore because it's 3G-only and 3G networks have been switched off in a lot of places, and VW said they won't offer upgraded hardware for it.
That’s illegal in the EU, 911 eCall requires an always-on cellular connection with an attached device that records your location. Would you please think of the children?
https://configurator.microlino-car.com/en/edition-microlino?...
This is a violation of UN regulation 155/156 where the vendor must provide free fixes and updates in case of safety or cybersecurity violations.
I'm mentioning this specifically because the CAN bus is involved, which is mandatory to be safety conform and has to be ASIL-C/D conform. If you cannot guarantee that, you will lose the license.
Without conformance to UN Regulation 155/156, the car manufacturer might lose its license for the underlying car platform (not only the downstreamed models), meaning refunding/damages need to be paid for all buyers of cars of that platform.
So chances are this can be fought in court, and Hyundai probably has to offer free replacement of that defective part.
The UN has regulations? Who does it have authority over? Who enforces its regulations?
If the ignition and door locks in your vehicle were mistakenly designed in such a way that they are trivially shimmed or could be operated by any key it seems absurd to suggest the customer should pay you to replace these mechanisms with ones that are properly secured. This seems roughly analogous to that situation at least to my understanding.
The story has a bad spin, yes. But it would be just as much of a controversy if they had required people to pay the cost themselves when they found out the cars were shipped with defective brakes. It’s a product error, not wear and tear or user error; they should eat the costs, but the cybersecurity framing of it is being used to attempt to push the cost to the consumer.
This is precisely the point I intended to make with my comment. Perhaps my phrasing was unclear.
I think the GP is just agreeing.
Maybe a better link:
https://www.theverge.com/news/757205/hyundai-ioniq-5-securit...
Also frustrating but for different reasons:
> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.
The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.
In some vehicles, their "software fix" literally did nothing but move thieves from smashing a window to screwdriver'ing the driver door lock.
More work for the thieves, but hardly a fix to inspire confidence.
This is why, back when I owned a Jeep, I never locked it. Figured if someone wanted the 85 cents in change that badly I'd rather they not take a knife to my (plastic) windows.
The "Kia Boyz" saga was primarily motivated by theft of the vehicle itself, not the contents of the vehicle.
Right, and even un-sexy and inexpensive vehicles get targeted these days, because they can be used as tools to commit other crimes, not just a commodity to be resold or scavenged.
The thing I did not expect is that most of these criminals will gladly connect their phone to the car's entertainment system so they can play their music while they do this.
They can then brag about the number of thefts they've engaged in by the number of Kia vehicles listed in their phone's Bluetooth connection list.
The surprise is that the police don't seem to understand how to incorporate these facts into their tactics.
A stolen car being a tool is why it is a commodity to be resold.
Knowing folks with this problem, I've been looking into some way of adding some kind of "pulling or removing the door handle without first disabling the alarm triggers the alarm" circuit... but the necessary disassembly is a pain.
I understand that development costs are not free, and there's extra hardware involved, but IMO they should take this as marketing cost.
Not even a marketing cost, a delayed engineering cost to fix a fault in the product.
Yeah, I considered an Ioniq the last time I was getting a car. Now I’ll never again consider them.
The Kia Boys stuff, child labor, and ICCU failures weren't enough? The Ioniq 5 absolutely looks like a compelling car but from my POV Hyundai seems hell bent on snatching defeat from the jaws of victory.
I'd add dealerships to the list.
I've had to "experience" those once for our test drive of said Ioniq 5. Well, never again. "Dubious" is the most friendly word I have for the one that is next to us.
And: the car itself is priced at least 10-15k€ too high for what it is.
I tried to buy an Ioniq 5 when Hyundai had attractive lease offers published. A dealer near me had a car that showed as qualifying and I emailed to verify that it was in-stock and qualifies for the lease offer. That started one of the most Byzantine discussions around “come on in and we’ll create a custom lease package that suits your needs best.” “I don’t need anything custom; I find the published lease offer suits my needs perfectly.” <3-4 more emails made clear they had no intention to sell that car for that lease offer.> Now we have a CPO Lexus and I couldn’t be happier.
I watched the Rich Rebuilds review of the Ioniq 5N recently and while I'm underwhelmed by Hyundai as a company I'll disagree with you and Rich about Hyundai pricing these $10-15k too high. Pretty much the only competition is the Model 3 (Performance), and by that metric Ioniq pricing is spot on. Sure the ID.4 exists but VW really flubbed the software on that. And if you're eyeing the 5N over the regular 5, it did the Pikes Peak climb faster than the Tesla (and on a single charge IIRC).
Compared to the Tesla, the Hyundai has an actual interior with physical controls, an 800V charging system, panels that actually line up, and a far bigger dealer/support network. These are things that cost money and even without those things Tesla isn't making a ton of money.
Of course I'm in California so EVs are more expensive to run than ICE cars so it's all moot.
I once ordered a Kia EV6, but after a year I canceled the order. I am now glad I canceled it. Bi-yearly inspections and coolant change for 600€ are ridiculous ripoffs. ICCU failures are handled really badly in Germany. I really like the EV6 and EV3 cars, but the manufacturer isn’t that attractive anymore.
That's easy to say when you aren't the one footing the bill.
It is easy to say as a customer that already paid money in return for a working/safe/functional car.
It’s easy to say as a customer with alternatives.
“Gameboy-like device” - are they referring to Flipper Zeros with the firmware to exploit RF rolling codes?
https://www.rtl-sdr.com/flipperzero-darkweb-firmware-bypasse...
They’re talking about something like this https://www.thedrive.com/tech/34817/this-25000-game-boy-is-m...
No, some dedicated hardware device, about five years old, that looks like a Game Boy.
The flipper firmware is only about six months old, and it is still not as convenient and distributed.
The actual firmware exploit is the same idea.
Wow, that really is Gameboy-like! This time the reporters weren't wrong.
More than likely
No, they don't. You need to read the article. It says such devices cost $20k.
My understanding is that the firmware has some sort of DRM and it’s being sold - not freely distributed. (Admittedly, the comment I saw mentioning cost pegged it at 1k, not 20k for a license.)
Could still be a flipper with custom firmware.
I don't know about the Hyundai Ioniq, but the Kia Niro has no way to permanently disable keyless entry, which would be the obvious, super easy s/w fix. You can disable it each time you lock your car by holding extra buttons on the fob for a few secs, but it's auto re-enabled next time you unlock. It's everything you need to know before you make your smart decision not to buy a Kia. Cheap(er) for a reason.
But look at it from their point of view. It's the most stolen car in the UK. The brand doesn't seem to be suffering much. Having terrible security just helps sales!
> Having terrible security just helps sales!
Until it’s banned by regulators or made uninsurable…
We are not scared of regulation in the UK. And this car has existed, in the UK, with this flaw, for over 6 years. Quite clearly nobody is interested in doing either of those things you suggest.
Plus the UK is about to reintroduce financial incentives for private EV purchase, they want to push sales, not clamp down on crap products.
My 2021 Ioniq 5 does not have keyless entry at all. You need to press the button to open the door.
I don't get why companies don't understand how offensive it is to the customer to nickel and dime them, especially after they're already a converted customer. They could easily eat the $60 cost and spin it as positive PR, Apple-style.
It's particularly bad because customers see it as a defect. No one wants to pay full price for defective equipment. The only thing that would make it worse is if this "hack" were reproducible on the Flipper Zero and they get themselves into another Kia Boys situation.
There are two aspects. "Charge" and "costs/who pays". When someone can start a Kia with a USB cable, the owner pays for that. Kia may have a fee for replacing something, but that doesn't factor in the calculus of "there's a reason these people are buying our product, and we assess they will continue to do so."
Note that Kia offered a maximum of $6,125/$3,375 for totaled/damaged vehicles.
The previous formula:
"You take the population of vehicles in the field (A) and multiply it by the probable rate of failure (B), then multiply the result by the average cost of an out-of-court settlement (C). A times B times C equals X. This is what it will cost if we don't initiate a recall. If X is greater than the cost of a recall, we recall the cars and no one gets hurt. If X is less than the cost of a recall, then we don't recall."
There is also this thing called brand loyalty. After the car manufacturer pulls a stunt like that I will think twice before I buy my next car from them.
Nobody buys a Kia because of brand loyalty, they do it because that's what they can afford.
Citation for the final paragraph quote "the previous formula" goes to Fight Club.
This seems like a clickbait title because I’ve never heard of a hardware upgrade being called a “patch”.
"The term "patch" came from early use in telephony and radio studios, where extra equipment kept on standby could be temporarily substituted for failed devices." - from https://en.m.wikipedia.org/wiki/Patch_cable
But yeah, the term patch just seems weird in this article. Why not just "upgrade" or "fix"?
I'm not so sure, I thought "patch" originated from hole punching cards to program stuff. A software patch was literally a patch of tape that hides an erroneously punched hole in such a card.
The term patch-cable seems to be way younger.
https://www.merriam-webster.com/dictionary/patchboard
patchboard
: a switchboard in which circuits are interconnected by patch cords
First Known Use
1934, in the meaning defined above
I find it far more likely that patches--in terms of fixing problems with small, targeted changes--derives from the use of the term for fixing holes in cloth by sewing on another piece of cloth.
Everything is about patching up clothes or other things. I was just commenting on the “patch-cable seems to be way younger” remark.
Hence patch cable.
"Service"?
I don't think the patch is hardware. The hardware they're talking about is the "Gameboy like device" that runs the exploit.
> The Verge now reports that Hyundai is offering a security patch for this issue through software and hardware upgrades to Ioniq 5 customers.
You do a hardware upgrade on the car to patch the vulnerability.
The etymology of patch harkens back to Larry Wall's UNIX patch tool for applying diffs to a source code base.
The etymology of patch predates software by hundreds of years.
https://www.etymonline.com/word/patch
> "piece of cloth used to mend another material," late 14th century.
> Electronics sense of "to connect temporarily" is attested from 1923 on the notion of tying together various pieces of apparatus to form a circuit.
A side question, both this and the VW power unlock payment from the other day, are targeting UK market, so is legislation (lack of it) such in the UK that allows for such practices?
Stealing cars is illegal in the UK, however you do it. Just having this "gameboy-like device" in your pocket is "going equipped", and you're going to get arrested on its discovery about your person outside of your abode. No ifs, no buts.
The UK has lots of new cars (plenty of cheap financing around for lease, PCP and HP deals), and there is a low-level epidemic of thefts of vehicles that end up in shipping containers and heading out of the country within hours. [0]
Car insurance is also so high in the UK at background levels that if you end up owning a highly desirable and very easy to steal car (the Range Rover a few years ago, for example), the costs being added to price in the risk of your car ending up in a container heading to the Middle East don't seem - as a percentage - particularly high.
The fact UK has great shipping throughput to the Middle East, Africa, and so on, is both a boon economically, but also it makes great cover for all sorts of shenanigans.
[0] https://www.containerlift.co.uk/cracking-the-code-uk-police-...
Does Hyundai consider this as a patch though? I'm wondering if the dealership would present you the bill with a straight face, is that presented as a "more secure" system, or an "additional anti theft device"?
From the wording of the press release it sounds like they view it as an optional add-on specifically for UK customers who want additional security:
> Recently, evolving security threats, including the use of unauthorised electronic devices to bypass vehicle locking systems have become more prevalent in the UK. This is an industry-wide issue and Hyundai is providing appropriate responses in line with industry practices.
> As part of the Company’s commitment to supporting our customers, we are able to offer a subsidised software and hardware upgrade for a customer contribution of £49.
Hmmm, so recently: ̶ ̶H̶y̶u̶n̶d̶a̶i̶ ̶K̶i̶a̶ ̶V̶o̶l̶k̶s̶w̶a̶g̶e̶n̶ ̶
At this rate, I'll be back to Tesla for any future EV purchase. (Noting that Tesla second-hand prices in Europe seem to have taken a dive over the past while, presumably partly thanks to Elon's shenanigans?)
Rather because some people parked their Teslas on public roads and later found them vandalized.
We’re not a very smart species.
I’ve now had 2 IONIQ 5s stolen in Berlin, the last a couple months ago. Each seemingly using a keyless access hacking device. That’s enough for me to not see a Hyundai or Kia in my future anytime soon. And I very much liked the IONIQ 5. But if I can’t keep one more than 2 years, what’s the point? I’ve lost all trust in those companies, upgrade or not.
Would be interesting to see insurance companies' stand on this. Are you expected to pay for the security upgrade or not? Will it be deemed missing as "unpatched - that's your fault"?
This is a great question. Have been in insurance for 20 yrs now. Cannot fathom why f.e. insurers don’t hold manufacturers responsible for losses due to cloned car keys with inadequate protection. I do know that insurers are generally very hesitant to start legal procedures, especially those that end up in the news. Say, Volkswagen and Stellantis are formidable adversaries as well as national champions, so there is some presumption that getting your right might be difficult. And the bar as I understand it is not technical SOTA, but more something like acceptable practice, so the manufacturer could argue “hey everyone has shitty protection, so suck up the loss”. Perhaps the newest European legislation will help raise the bar / even the playing field.
Given that many door locks and other portable locks are laughably bad and can be opened with sometimes simple shimming, or at most basic picking tools, that would mean insurance companies could already have sued Master locks for instance. So at least, bad security is probably not enough for it.
From there, making customers pay to fix bad security doesn't sound like a significant step.
So, can people tell me what cars with keyless entry systems aren't susceptible to these attacks?
I'm somewhat wary of any of them, but it seems like it's a feature of a lot of new cars, and I can't tell what is "safe" to buy. It was a simple signal amplification thing wasn't it?
Does anyone know if BYD cars suffer from it for example?
I was just looking at a new Hyundai today. Now I've got something more to consider if they aren't willing to stand behind securing their vehicles at their cost.
Hunh. I know what I'm doing this weekend... Scanning IONIQ VINs to see if they're vulnerable. I bet I could train YOLO to recognize IONIQs from a drone camera at 50 ft.
Love to see a 3rd party step in with a lower-cost replacement.
Car manufacturers seem to be determined to discourage people from buying their car.
I guess this means Hyundai goes on the blacklist too.
The car stealing device is $20k, could someone do some math to see what kind of ROI a criminal could expect if they use it to steal cars and part them out?
> I know the locks on my car are easily picked
They aren't actually. Which is why thieves just smash your windows. In either case the alarm is going to go off so there's no advantage to them learning a complex attack on your lock cylinder when a piece of concrete will do.
Further there often were additional ignition interlock mechanisms that required the correct key code or a key with the correct additional hardware to be present for the starter cylinder to actually engage your starter.
> didn't know Hyundai owners were so entitled.
It's called a defect. It should be a recall. We have laws that cover this. They're pretty explicit. I didn't know Hyundai CORPORATION was so entitled as to think they were not subject to them.
I agree Hyundai should fix this for free (would make up a small portion of the bad PR for having this issue in the first place), but don't forced recalls usually only apply to defects that cause safety issues?
I'm not sure this would fit the definition of a product safety defect.
It's not ease, it's efficiency: opening a locked car door is 1-2 minutes for an experienced person. Smashing the window is 2 seconds (though you also need some experience, as modern car side windows are also laminated).
As far as I'm concerned, security issues (outside of very niche situations) in a product mean that the product was defective. If you sell a defective product, you should be on the hook to correct the defect.
There’s no bright line that defines “defect” and makes this determination. What Hyundai should be considering here is whether consumers will decide that buying a car from a company that doesn’t fully own their security mistakes isn’t worth it.
I agree it's hard to draw a bright line, but I'm personally comfortable erring heavily on the side of defect for security issues.
I'd be willing to agree that certain security issues might not constitute a manufacturing or design defect. If a thought-to-be-secure encryption was cracked tomorrow, that doesn't make products using it defective at the time of manufacture.
This isn't about normal wear-and-tear but a fundamental security design flaw that allows thieves to steal these cars with a $25 device exploiting the CAN bus - more akin to GM shipping cars with a master key hidden under the floor mat than a pickable lock.
The article claims it's a $20k device.
Claiming it is a "security design flaw" is absurd paranoia, the same paranoia that causes manufacturers to destroy the aftermarket and fight right-to-repair in their quest for "security".
Except even more egregious, because if your GM car had a master key under the floor mat, you could just remove it yourself and throw it down a handy storm sewer.
I think your take makes more sense in a world where you actually own the car fully and have the freedom to do what you want with it. Even if someone was able to write this patch themselves without the source code, distributing it would require owners to root their devices, which isn't legal in all jurisdictions.
You don't expect Microsoft or Adobe to issue fixes any time someone finds a remote exploit that lets attackers gain control of your system through a security issue in their software? I 100% expect this of my software vendors even for this purchase in the past. The expectations for software and hardware are certainly very different, but even for hardware we have laws that force companies to fix their hardware in some situations.
You missed some points
1. This is only in the UK, they are not doing the same in the US
2. Recalls are the responsibility of the manufacturer. Security lapses, even if "up to standards" at the time are not a legitimate exemption (imo)
In the automotive industry, pretty much the whole point of standards like cybersecurity (ISO21434) and functional safety (ISO26262) is to let the manufacturer claim in court that they followed “modern best practices” and therefore are not liable when something goes wrong.
It's a defect. We should fix it by making them do a recall.
If a security flaw is so egregious as to warrant a patch, then the patch should be considered to be a fix of a defective product and free.
If the situation doesn't rise to that level of severity, then it follows that a patch isn't necessary.
If GM were to offer lock cylinder replacements because their original cylinders were so flawed as to warrant them, then yes the cylinder replacements should be free. The sold product was not as described.
If the original cylinders aren't so flawed as to warrant a replacement, then no cylinder replacement would be offered.
Are GM cylinder replacements being offered? If not, then your analogy isn't analogous.
I didn't know Hyundai corporate defenders were so unrealistic and childish.
I don't even like Hyundai.
What's "unrealistic and childish" is expecting free labour.
It's not free labor, they already got paid for it. They just fucked it up the first time.
Nope. It requires new hardware installed.
Hardware which should have been there in the first place.
They will also be charging elevated dealership prices for that labor.
I don't expect free labor. I expect the service workers to get paid by Hyundai
Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.
Asking customers to pay for the actually-secure retrofit is certainly a choice.
I hope the small amount of money recovered was worth it, Hyundai/Kia just disappeared from my consideration for any future vehicle.
>Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.
No.
Other manufacturers treat defects with recalls after analyzing the fiscal prospect of doing so, and determining whether or not state/regional laws require them to do it.
Here's one of the "not that wrong" scenes from Fight Club to better explain[0].
[0]: https://www.youtube.com/watch?v=SiB8GVMNJkE
Do you have any other sources than a Hollywood movie made for entertainment?
Many would argue that this "free labour" you speak of is labour that Hyundai should have put into their product before releasing it.
Well if your car had a seat belt defect and people were dying you know they absolutely would recall the car and pay for the defect.
The defect that allows the car to be stolen in seconds is absolutely a serious problem. I hope Hyundai changes course and decides to provide it for free. We have already seen reports of the trend where people were stealing Hyundai/Kia vehicles and going on joy rides driving extremely dangerously. This has led to deaths in several instances. So they have a flaw that has led to people dying. IANAL but I would say leaving this flaw unpatched may even leave them liable if anyone else were to be hurt. A recent example of something similar is the Sig Sauer P320. They are in the middle of fighting some lawsuits over their faulty product. So it would not be a far stretch if Hyundai/Kia were held responsible for a known flaw in their product.
Anyways it is just my opinion that they should just eat the cost to provide this for free as a show of standing behind their product. Just seems like such bad PR to now make people pay.
I think the deaths might qualify the cars as an attractive nuisance at this point. Although The Club is only about $50.
It seems like you don't like Hyundai. What's childish is your resort to ad hominem because you disagree.
It's not free labor any more than the car was free. It's a fix of product that was defective off of the line. The necessity of the fix being evidence of the defect.
Car buyers are not automotive cybersecurity engineers, and they can never be expected to be. Caveat Emptor is a hilarious remark for this situation.
Is it a defect if it required the development of an adversarial tool / exploit which previously did not exist? If the roof leaked when it's raining it's a defect because rain existed before. But this exploit didn't exist before.
Sure, that could be a decent legal regime. The first step to enabling it would be releasing the source code and system documentation for the product they've sold, so that it's even possible for anyone else besides themselves to fix it. Until then it's a black box the company has chosen to retain responsibility for. And frankly regulators should be making sure they support the 20-40 years of useful life we generally expect from automobiles.
I think you significantly overestimate people’s expectations for automobiles.
I'm not talking about individuals' expectations for how long they personally will use a given vehicle, but rather societal expectations for how long a given vehicle will live across all tiers of the market. The cell phone made-to-be-ewaste model shouldn't be allowed to infect capital assets costing 100x as much.
Yes, and the scrappage rate is about 4.5%. A 40 year old car is not the norm.
At 4.5% loss per year, you'd still have 16% of cars running at 40 years. That's pretty normal.
By that logic, shouldn’t about 25% of US persons be 150, given the annual death rate of 9.28 per thousand?
No. Humans age in a way that cars don't, so "that logic" would not attempt to apply the same curve to humans.
If you're done nitpicking, you're welcome to explain your number better. You forgot to say how to apply "4.5%". I'm sure an exponential fit has issues, but a linear fit would be much worse, and anything fancy needs more data points.
That's why I gave a range. That average stat actually seems to line up with the low end of that range, and since every car isn't scrapped at the same age it's going to be a distribution. There are not many cars from 1985 on the road today, but there sure are some. And since we're talking software which doesn't actually degrade, it shouldn't be the thing limiting the overall lifetime.
So if I sell you a bridge that's not fit for purpose, I wouldn't have to fix it for you at my cost? Nice! I've got a bridge to sell to you...
Caveat Emptor
Jesus, when did commenters on neowin get so stupid? Thank God I'm back to the safety of HN....
Weren't they a slightly subversive tech site a decade or so ago?
What’s wrong with the comments?
Perhaps the guy suggesting that you: "cut off your balls"