They're swapping out hardware, which is why they're asking money for this to compensate the labor costs. Not saying this justifies it, but the title is misleading.
It doesn't matter. If a customer buys faulty hardware, it's the seller's responsibility to replace it with working hardware. If the brakes had a manufacturing defect, you wouldn't expect the customer to pay for the replacement.
Swapping software, pentesting, testing, QA, CI/CD pipelines, image caches aren't free either. Can we then start making more money as software developers to patch CVEs? We clearly should consider holding ourselves to a lower standard. Your requests are getting 5xx errors? Pay me more to fix it, not my problem that your requests are failing.
I want a dumb EV. No infotainment system. Just speakers and a way to plug my device into them. Anything critical to the car should be completely air gapped and require an absolute minimum amount of software, preferably zero.
Agreed. I'd actually like to buy an EV, but so far there are no candidates which meet my minimum requirements, which are pretty much what you said + serviceable by any mechanic with aftermarket parts + using Na-ion, not Li-ion batteries. And it shouldn't be super ugly like most new cars are today (e.g. Rivian, VW ID Buzz).
Though I'm pretty sure you can't even legally make such a car anymore, at least in Europe, where certain "smart" features are required for new cars. Perhaps a manufacturer of such an EV could put all of that into one box which the user can simply pull out and discard.
We have a Volkswagen e-Up, it's basically that. Analog cluster, a very small radio screen that also displays the world's smallest reverse camera view, and a dashboard mount for your phone. It's a fantastic little car, I honestly like it more than our 400bhp Volvo XC60.
That’s illegal in the EU, 911 eCall requires an always-on cellular connection with an attached device that records your location. Would you please think of the children?
This is a violation of UN regulation 155/156 where the vendor must provide free fixes and updates in case of safety or cybersecurity violations.
I'm mentioning this specifically because the CAN bus is involved, which is mandatory to be safety conform and has to be ASIL-C/D conform. If you cannot guarantee that, you will lose the license.
Without conformance to UN Regulation 155/156, the car manufacturer might lose its license for the underlying car platform (not only the downstreamed models), meaning refunding/damages need to be paid for all buyers of cars of that platform.
So chances are this can be fought in court, and Hyundai probably has to offer free replacement of that defective part.
If the ignition and door locks in your vehicle were mistakenly designed in such a way that they are trivially shimmed or could be operated by any key it seems absurd to suggest the customer should pay you to replace these mechanisms with ones that are properly secured. This seems roughly analogous to that situation at least to my understanding.
The story has a bad spin, yes. But it’s just as much of a controversy if they had required people themselves to pay the cost if they found out the cars were shipped with defective brakes. It’s a product error, not wear and tear or user error; they should eat the costs, but the cybersecurity framing of it is being used to attempt to push the cost to the consumer.
> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.
The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.
I don't know about the Hyundai Ioniq, but the Kia Niro has no way to permanently disable keyless entry, which would be the obvious, super easy s/w fix. You can disable it each time you lock your car by holding extra buttons on the fob for a few secs, but it's auto re-enabled next time you unlock. It's everything you need to know before you make your smart decision not to buy a Kia. Cheap(er) for a reason.
But look at it from their point of view. It's the most stolen car in the UK. The brand doesn't seem to be suffering much. Having terrible security just helps sales!
Also be aware that homologation means there is no one-size-fits-all, canonical vehicle for all markets but many variations for different markets with variations in security and safety features. Some markets get proper security measures while others get screwed.
"The term "patch" came from early use in telephony and radio studios, where extra equipment kept on standby could be temporarily substituted for failed devices." - from https://en.m.wikipedia.org/wiki/Patch_cable
But yeah, the term patch just seems weird in this article. Why not just "upgrade" or "fix"?
I don't get why companies don't understand how offensive it is to the customer to nickel and dime them, especially after they're already a converted customer. They could easily eat the $60 cost and spin it as positive PR, Apple-style.
It's particularly bad because customers see it as a defect. No one wants to pay full price for defective equipment. The only thing that would make it worse is if this "hack" were reproducible on the flipper zero and they get themselves into another Kia Boys situation.
There are two aspects. "Charge" and "costs/who pays". When someone can start a Kia with a USB cable, the owner pays for that. Kia may have a fee for replacing something, but that doesn't factor in the calculus of "there's a reason these people are buying our product, and we assess they will continue to do so."
Note that Kia offered a maximum of $6,125/$3,375 for totaled/damaged vehicles.
The previous formula:
"You take the population of vehicles in the field (A) and multiply it by the probable rate of failure (B), then multiply the result by the average cost of an out-of-court settlement (C).
A times B times C equals X. This is what it will cost if we don't initiate a recall.
If X is greater than the cost of a recall, we recall the cars and no one gets hurt.
If X is less than the cost of a recall, then we don't recall."
A side question: both this and the VW power unlock payment from the other day are targeting the UK market, so is legislation (lack of it) such in the UK that it allows for such practices?
Does Hyundai consider this as a patch though? I'm wondering if the dealership would present you the bill with a straight face, is that presented as a "more secure" system, or an "additional anti theft device"?
From the wording of the press release it sounds like they view it as an optional add-on specifically for UK customers who want additional security:
> Recently, evolving security threats, including the use of unauthorised electronic devices to bypass vehicle locking systems have become more prevalent in the UK. This is an industry-wide issue and Hyundai is providing appropriate responses in line with industry practices.
> As part of the Company’s commitment to supporting our customers, we are able to offer a subsidised software and hardware upgrade for a customer contribution of £49.
I’ve now had 2 IONIQ 5s stolen in Berlin, the last a couple months ago. Each seemingly using a keyless access hacking device. That’s enough for me to not see a Hyundai or Kia in my future anytime soon.
And I very much liked the IONIQ 5. But if I can’t keep one more than 2 years, what’s the point? I’ve lost all trust in those companies, upgrade or not.
Hmmm, so recently: ̶ ̶H̶y̶u̶n̶d̶a̶i̶ ̶K̶i̶a̶ ̶V̶o̶l̶k̶s̶w̶a̶g̶e̶n̶ ̶
At this rate, I'll be back to Tesla for any future EV purchase. (Noting that Tesla second-hand prices in Europe seem to have taken a dive over the past while, presumably partly thanks to Elon's shenanigans?)
Would be interesting to see insurance companies' stand on this. Are you expected to pay for the security upgrade or not? Will it be deemed missing as "unpatched - that's your fault"?
This is a great question. Have been in insurance for 20 yrs now. Cannot fathom why, e.g., insurers don’t hold manufacturers responsible for losses due to cloned car keys with inadequate protection. I do know that insurers are generally very hesitant to start legal procedures, especially those that end up in the news. Say, Volkswagen and Stellantis are formidable adversaries as well as national champions, so there is some presumption that getting your right might be difficult. And the bar as I understand it is not technical SOTA, but more something like acceptable practice, so the manufacturer could argue “hey everyone has shitty protection, so suck up the loss”. Perhaps the newest European legislation will help raise the bar / even the playing field.
Given that many door locks and other portable locks are laughably bad and can be opened with sometimes simple shimming, or at most basic picking tools, that would mean insurance companies could already have sued Master locks for instance. So at least, bad security is probably not enough for it.
From there, making customers pay to fix bad security doesn't sound like a significant step.
I was just looking at a new Hyundai today. Now I've got something more to consider if they aren't willing to stand behind securing their vehicles at their cost.
So, can people tell me what cars with keyless entry systems aren't susceptible to these attacks?
I'm somewhat wary of any of them, but it seems like it's a feature of a lot of new cars, and I can't tell what is "safe" to buy. It was a simple signal amplification thing wasn't it?
Does anyone know if BYD cars suffer from it for example?
Hunh. I know what I'm doing this weekend... Scanning Ioniq VINs to see if they're vulnerable. I bet I could train YOLO to recognize Ioniqs from a drone camera at 50 ft.
[+] [-] jjani|7 months ago|reply
[+] [-] mirzap|7 months ago|reply
[+] [-] jader201|7 months ago|reply
But yeah, “patch” usually implies software vs. hardware.
Either way, agree with other comments that Hyundai should just eat the costs if it prevents theft due to an exploit.
Having said that, given what the car costs, the fee doesn’t seem completely unreasonable.
[+] [-] agilob|7 months ago|reply
[+] [-] unknown|7 months ago|reply
[deleted]
[+] [-] sorokod|7 months ago|reply
[+] [-] birdfood|7 months ago|reply
[+] [-] uyzstvqs|7 months ago|reply
[+] [-] gambiting|7 months ago|reply
[+] [-] Mistletoe|7 months ago|reply
https://www.slate.auto/en
[+] [-] aembleton|7 months ago|reply
[+] [-] baq|7 months ago|reply
See also ‘smart’ tvs vs digital signage displays aka dumb tvs.
[+] [-] crooked-v|7 months ago|reply
[+] [-] ponector|7 months ago|reply
Anyway, that is not what the majority wants to buy. Even more, a car is not what the majority wants to buy in the USA. SUV/trucks are desirable.
[+] [-] inferiorhuman|7 months ago|reply
[+] [-] owenversteeg|7 months ago|reply
[+] [-] cookiengineer|7 months ago|reply
[+] [-] solardev|7 months ago|reply
[+] [-] king_geedorah|7 months ago|reply
[+] [-] florbnit|7 months ago|reply
[+] [-] neilv|7 months ago|reply
https://www.theverge.com/news/757205/hyundai-ioniq-5-securit...
[+] [-] themafia|7 months ago|reply
[+] [-] wiradikusuma|7 months ago|reply
[+] [-] petronic|7 months ago|reply
https://www.rtl-sdr.com/flipperzero-darkweb-firmware-bypasse...
[+] [-] asymmetric|7 months ago|reply
[+] [-] Shorel|7 months ago|reply
The flipper firmware is only about six months old, and it is still not as convenient and distributed.
The actual firmware exploit is the same idea.
[+] [-] technick|7 months ago|reply
[+] [-] nsteel|7 months ago|reply
[+] [-] sokoloff|7 months ago|reply
Until it’s banned by regulators or made uninsurable…
[+] [-] burnt-resistor|7 months ago|reply
[+] [-] hgomersall|7 months ago|reply
[+] [-] akamaka|7 months ago|reply
[+] [-] 4ndrewl|7 months ago|reply
[+] [-] OhMeadhbh|7 months ago|reply
[+] [-] poemxo|7 months ago|reply
[+] [-] Hilift|7 months ago|reply
[+] [-] bufferoverflow|7 months ago|reply
[deleted]
[+] [-] gbil|7 months ago|reply
[+] [-] charles_f|7 months ago|reply
[+] [-] delusional|7 months ago|reply
[+] [-] mihaaly|7 months ago|reply
[+] [-] blixtra|7 months ago|reply
[+] [-] mft_|7 months ago|reply
[+] [-] OutOfHere|7 months ago|reply
[+] [-] whirlwin|7 months ago|reply
[+] [-] wjnc|7 months ago|reply
[+] [-] makeitdouble|7 months ago|reply
[+] [-] technick|7 months ago|reply
[+] [-] mijoharas|7 months ago|reply
[+] [-] OhMeadhbh|7 months ago|reply