They're swapping out hardware, which is why they're asking money for this to compensate the labor costs. Not saying this justifies it, but the title is misleading.
It doesn't matter. If a customer buys faulty hardware, it's the seller's responsibility to replace it with working hardware. If the breaks had a manufacturing defect, you wouldn't expect the customer to pay for the replacement.
I've been holding my breath ever since spectre/meltdown for a free cpu upgrade to make up for the slower performance that the mitigations cause.
It's intel's bug, they promised a certain processor speed, shouldn't it be their responsibility to replace it since their own security oversight resulted in the hardware not working as advertised?
Did you expect the same from intel/amd when those bugs came out? Is it different from this situation?
We don't actually know how to build the CPU that would replace your vulnerable one.
New CPUs are largely immune to the specific attacks that were published before they were designed. But we aren't gonna get a fast CPU without sidechannels and IMO it's not possible in theory to build a branch predictor that never makes potentially exploitable mispredictions.
In a sense this doesn't change your point but I wanted to take the opportunity to point this out. "This CPU is vulnerable to attack X" just means researchers have found an exploit in practice, which we already knew in theory was there.
This wasn't the expectation before Spectre/Meltdown but now we live in a world where you need to assume a degradation in your CPU's effective performance as we learn about its vulnerabilities and need to apply software workarounds.
I am building "one mitigation to rule them all" called Address Space Isolation but this doesn't fundamentally remove that fact, it just means that when we learn about a CPU's vulns we don't have to build a new mitigation we just have to change the settings on the existing one (and it should be more efficient than the bespoke one would be).
> IMO it's not possible in theory to build a branch predictor that never makes potentially exploitable mispredictions.
I believe the Mill hardware design would be immune by design because the hardware is in-order (relying on other trickery for its performance). Of course, it's still vaporware, but the noises made have been fairly competent.
So in some ways, yes, but in other ways, what if you didn't need a branch predictor in the CPU.
The last desktop processor that actually promised a certain speed was probably the 68020. Everything since then has had inscrutable performance characteristics.
They promised the performance of their processor more than Hyundai promised that the Ioniq 5 was "carjacking-proof, even if the attackers have specialized tools", and this thread is about hyundai replacing parts of cars for free because attackers can hack into cars. With specialized tools. Which of course they can.
The line between software and hardware is hard to distinguish when we talk about ASICs and FPGAs, but they still should be responsible for core functionality (i.e. locks) as they shipped insecure software.
These in fact do exist, but they have properties unsuitable for many use cases, such as taking 8-24 hours to open if you lose the key/combination or a mechanical fault occurs, and being part of a system so heavy the floor beneath them have to be constructed to support the weight. (A friend of mine was a master locksmith for many years and worked on such locks, mostly for government contracts.)
In case of a lockout often the easiest way to open them is a brute force attack using a device called an autodialer.
In my opinion, yes, yes they should. If you can’t guarantee security of your device, and you don’t want to update the software, then you’ll need to upgrade the hardware. I think it’s perfectly reasonable to have that under a warranty.
> I think it’s perfectly reasonable to have that under a warranty.
The warranty is not that long, and I think the parent comment is talking about 6+ year old iphones that are definitely out of warranty.
If those should get replaced, surely that means each person buys one iPhone in their life, and then just gets free replacements forever, leading to the initial cost of the phone having to go up a lot to account for that.
Incorrect. Forced obsolescence lets manufacturers decide where that cut off is. 6+ year iPhone, nope, not going to touch it. Sorry. However, if it’s still serviceable and by some rule less than X years old, that just had a security issue or something publicly disclosed, should do their best effort to repair their customer relationships by making it right.
Maybe you live in a country where car thieves hack into cars left and right. Maybe you live in a country where thieves just tow your car in the middle of the day and don't care about your locks at all. Do you expect car maker to ship you free fixes against every scenario? Security is a spectrum. Make your police better if you don't like it.
Swapping software, pentesting, testing, QA, CI/CD pipelines, image caches aren't free either. Can we then start making more money as software developers to patch CVEs? We clearly should consider holding ourselves to a lower standard. Your requests are getting 5xx errors? Pay me more to fix it, not my problem that your requests is failing.
> Pay me more to fix it, not my problem that your requests is failing.
If you are employed in a position where there is a defect in the product then you are already being paid. Imagine going to a restaurant and you get an uncooked frozen steak, and when you tell the waiter they tell you that since the cook will need to spend more time on it you now have to pay extra.
Look at the price of the car compared to other electric SUVs. This is a mcdonalds type of situation. not a restaurant where you can request to cook a rare steak a bit more and not get charged extra
Even in McDonalds if what they give you is defective they will replace it without question once you bring it to their attention.
If it turned out the door locks on the car were defective you'd expect them to be replaced under warranty. If the warranty had expired the situation would, admittedly, be a bit murkier - but you could still make a case that since the locks had always been faulty they'd be the manufacturer's responsibility.
Someone I used to work with had a car a few years ago on which the battery would mysteriously drain for no obvious reason. It turned out to be a defect in the infotainment system's firmware - and he was furious that he was expected to pay for the firmware update to fix it. (The car was long out of warranty, though.)
> if what they give you is defective they will replace it without question once you bring it to their attention
Go there and request a rare steak or idk steak with kimchi, let is know how it goes!
This is a Korean car and probably secure enough in korea where you usually don't lock your bike and/or house. If it not secure if you park it on the street in SF/London/Magadan/Capetown/Kabul are you sure they owe you a free "fix" for everything that may occur
Hyundai has car factories in 10 countries. The car in question is made in at least 2 countries. The defect being fixed applies to cars sold by a British subsidiary in Britain to Britons with the promise that it meets British market standards. It’s not even clear to me that these cars were manufactured in Korea, if they were, they couldn’t be sold there due to the right hand drive. The cars in question were very much NOT made to be driven in Korean conditions.
If these people had bought a Korean market car in Korea and personally shipped it to the UK, yours would be a more compelling argument.
As it is, it makes no sense. If you choose to participate in a foreign market you do not get to abdicate responsibility for problems because they don’t exist in your home market.
It is one of many local menu items available exclusively in Korea. What is absurd is that you make false assertions that can be checked faster than you can write your comment.
Do you genuinely think that Hyundai does not adapt the car to the market (did they accidentally put the steering wheel on the right, and just happen to send those cars to the UK?)? Every car company HAS to do this, if only because different markets have contradictory rules. E.g. Lights that are legal in North America do not meet the standards of other countries. The car HAS to be adapted to the market.
Are you just a mean person on general that you think bringing a problem to the attention of wait staff would cause them to become malicious?
Be a nice human being and you won’t receive that treatment. If your McDonalds wait staff are generally malicious without any provocation, well vote with your feet, nobody is making you eat McDonalds, the sales numbers will correct he problem.
While as noble as that sounds, there’s only so much nice in the tank in a day. Wait staff and fast food workers are treated terribly and so you end up with folks about to snap.
There’s a lot of evidence of this happening in the USA if you just do a search. It’s uncommon, but it happens. At those prices, I’d just rather purchase the item to be made again.
You read some stuff on search and you think it somethings that happens more than it really does.
In general they don't care, it's not coming out of their paychecks, they'll give you another burger, go away now.
When I worked at McDonald's we'd have the favorite burgers pre-made and they'd be left at the warming tray, so orders can be taken care of in maybe 30 seconds, but I guess nowadays that's too wasteful so the burgers are made on demand. There was a day like "Big Macs for $1" day, so we had a line of maybe 50 Big Macs queued, wrapped and ready to eat, that the foreman said "Slow it down with the Big Macs!".
It seems short-sighted to not do this as a courtesy, given the reputational hit from the Kia/Hyundai Boyz saga just a few years ago. Who wants to be a manufacturer with a reputation for making easy-to-steal cars? Who wants to (for a reasonable price) insure cars made by said manufacturer?
I have a Kia EV6, and just saying that if the same “patch” is offered for it, I won’t think twice about paying $65 for it.
I’d also not be super happy they didn’t cover it, but I saw a comment about never buying a Hyundai because of this, and not sure I’d be that upset about it.
There’s a line, for sure, but $65 wouldn’t be it, for me.
I want a dumb EV. No infotainment system. Just speakers and a way to plug my device into them. Anything critical to the car should be completely air gapped and require an absolute minimum amount of software, preferably zero.
Agreed. I'd actually like to buy an EV, but so far there are no candidates which meet my minimum requirements, which are pretty much what you said + serviceable by any mechanic with aftermarket parts + using Na-ion, not Li-ion batteries. And it shouldn't be super ugly like most new cars are today (e.g. Rivian, VW ID Buzz).
Though I'm pretty sure you can't even legally make such a car anymore, at least in Europe, where certain "smart" features are required for new cars. Perhaps a manufacturer of such an EV could put all of that into one box which the user can simply pull out and discard.
I'm hopeful but pessimistic about Slate. There is still time for them to A.) raise prices because of "unforeseen" issues, B.) enshittify with tech or wacky pricing structures.
I'm just tired of hearing about Slate. A relatively small amount of people want a product and they use a company that hasn't shipped as validation of their imaginary market size (this company exists, so tons of people want it!)
Vertical digital signage products should also have their polarization filter flipped 90° so you can view them with polarized sunglasses, adding another SKU and cost.
Stockholms Länstrafik didn't figure this out so all our timetable displays are pitch black when viewed with polarized sunglasses.
I've noticed that all but iPhones exhibit this behavior at some angle too and they're apparently using "circular polarization" (expensive) which is another one of these "we do it better" things nobody knows about from Apple (or displays in general)
I work at an ewaste recycling company. Last week, I was testing a projector, and was using a USBC to DVI cable (one of the most cursed cables I've come across). I said "LOL this won't work" and plugged it into my phone. Sure enough, my phone recognized that a display was connected, and once confirmed, showed what I expected it to!
Plugging a car into a phone should work like that: just a dumb display with maybe a keyboard or touchscreen input device.
We have a Volkswagen e-Up, it's basically that. Analog cluster, a very small radio screen that also displays the world's smallest reverse camera view, and a dashboard mount for your phone. It's a fantastic little car, I honestly like it more than our 400bhp Volvo XC60.
The e-Up is great, but there is still the remote control modem installed by default that lets Volkswagen « Cloud » and the app control the car remotely, and get data such as the GPS location of the car.
Except the modem doesn't work anymore because it's 3G-only and 3G networks have been switched off in a lot of places, and VW said they won't offer upgraded hardware for it.
Yeah I’ve seen these posted here previously! Probably the most appealing new car to me at the moment. Hopefully they take off and we can get them outside the US
I've seen this before, and I like the design. It's cute yet functional. It would fit in well on European roads.
One thing that stands out to me is the front wheels protrude beyond the body. I don't recall ever seeing that on a consumer road vehicle before, at least one designed after the 1930s.
Yeah, I'd think open-wheel cars are not road legal in the US but I just checked. Apparently it varies by state. Adding fenders seems simple enough at least. Aging Wheels did a video about the Telo and one thing that stood out to me was that they seemed intent on scaling slowly.
That’s illegal in the EU, 911 eCall requires an always-on cellular connection with an attached device that records your location. Would you please think of the children?
This is a violation of UN regulation 155/156 where the vendor must provide free fixes and updates in case of safety or cybersecurity violations.
I'm mentioning this specifically because the CAN bus is involved, which is mandatory to be safety conform and has to be ASIL-C/D conform. If you cannot guarantee that, you will lose the license.
Without conformance to UN Regulation 155/156, the car manufacturer might lose its license for the underlying car platform (not only the downstreamed models), meaning refunding/damages need to be paid for all buyers of cars of that platform.
So chances are this can be fought in court, and Hyundai probably has to offer free replacement of that defective part.
The vast majority of countries have into their laws that road vehicles must adhere to UN vehicle regulations. That's how enforcement happens - by whatever regulatory authority of the country the vehicle is to be used in. Canada and the US are among the exceptions in that they have their own standards.
If the ignition and door locks in your vehicle were mistakenly designed in such a way that they are trivially shimmed or could be operated by any key it seems absurd to suggest the customer should pay you to replace these mechanisms with ones that are properly secured. This seems roughly analogous to that situation at least to my understanding.
The story has a bad spin yes. But it’s just as much of a controversy if they had require people themselves pay the cost if they found out the cars where shipped with defective breaks. It’s a product error not wear and tear or user error, they should eat the costs, but the cybersecurity framing of it is being used to attempt to push the cost to the consumer.
The Kia Boys stuff, child labor, and ICCU failures weren't enough? The Ioniq 5 absolutely looks like a compelling car but from my POV Hyundai seems hell bent on snatching defeat from the jaws of victory.
I've had to "experience" those once for our testdrive of said Ioniq 5. Well, never again. "Dubious" is the most friendly word i have for the one that is next to us.
And: the car itself is priced at least 10-15k€ too high for what it is.
I tried to buy an Ioniq 5 when Hyundai had attractive lease offers published. A dealer near me had a car that showed as qualifying and I emailed to verify that it was in-stock and qualifies for the lease offer. That started one of the most Byzantine discussions around “come on in and we’ll create a custom lease package that suits your needs best.” “I don’t need anything custom; I find the published lease offer suits my needs perfectly.” <3-4 more emails made clear they had no intention to sell that car for that lease offer.> Now we have a CPO Lexus and I couldn’t be happier.
I watched the Rich Rebuilds review of the Ioniq 5N recently and while I'm underwhelmed by Hyundai as a company I'll disagree with you and Rich about Hyundai pricing these $10-15k too high. Pretty much the only competition is the Model 3 (Performance), and by that metric Ioniq pricing is spot on. Sure the iD.4 exists but VW really flubbed the software on that. And if you're eyeing the 5N over the regular 5, it did the Pike's Peak climb faster than the Tesla (and on a single charge IIRC).
Compared to the Tesla, the Hyundai has an actual interior with physical controls, an 800V charging system, panels that actually line up, and a far bigger dealer/support network. These are things that cost money and even without those things Tesla isn't making a ton of money.
Of course I'm in California so EVs are more expensive to run than ICE cars so it's all moot.
I once ordered Kia EV6, but after a year I canceled the order. I am now glad I canceled it. Bi-yearly inspections and coolant change for 600€ are ridiculous ripoffs. ICCU failures are handled really badly in Germany. I really like the EV6 and EV3 cars, but the manufacturer isn’t that attractive anymore
Unsure what you're familiar with but California does indeed have an oil industry, although it's much smaller than other states known for oil production like Texas and Alaska.
We also have a governor fueled by Getty (oil) money. The people he's appointed to oversee the electric utilities have rubber stamped rate hikes to the point where even heat pumps barely make financial sense because natural gas is so much cheaper (well under $2.50/therm).
> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.
The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.
This is why, back when I owned a Jeep, I never locked it. Figured if someone wanted the 85 cents in change that badly I'd rather they not take a knife to my (plastic) windows.
Right, and even un-sexy and inexpensive vehicles get targeted these days, because they can be used as tools to commit other crimes, not just a commodity to be resold or scavenged.
The thing I did not expect is that most of these criminals will gladly connect their phone to the cars entertainment system so they can play their music while they do this.
They can then brag about the number of thefts they've engaged in by the number of Kia vehicles listed in their phones bluetooth connection list.
The surprise is that the police don't seem to understand how to incorporate these facts into their tactics.
Knowing folks with this problem, I've been looking into some way of adding some kind of "pulling or removing the door handle without first disabling the alarm triggers the alarm" circuit... but the necessary disassembly is a pain.
My understanding is that the firmware has some sort of DRM and it’s being sold - not freely distributed. (Admittedly, the comment I saw mentioning cost pegged it at 1k, not 20k for a license.)
I don't know about the Hyundai Ioniq, but the Kia Niro has no way to permanently disable keyless entry, which would be the obvious, super easy s/w fix. You can disable it each time you lock your car by holding extra buttons on the fob for a few secs, but it's auto re-enabled next time you unlock. It's everything you need to know before you make your smart decision not to buy a Kia. Cheap(er) for a reason.
But looks from their point of view. It's the most stolen car in the UK. The brand doesn't seem to be suffering much. Having terrible security just helps sales!
We are not scared of regulation in the UK. And this car has existed, in the UK, with this flaw, for over 6 years. Quite clearly nobody is interested in doing either of those things you suggest.
Plus the UK is about to reintroduce financial incentives for private EV purchase, they want to push sales, not clamp down on crap products.
Also be aware that homologation means there is no one-sized-fits-all, canonical vehicle for all markets but many variations for different markets with variations in security and safety features. Some markets get proper security measures while others get screwed.
I don't get why companies don't understand how offensive it is to the customer to nickel and dime them, especially after they're already a converted customer. They could easily eat the $60 cost and spin it as positive PR, Apple-style.
It's particularly bad because customers see it as a defect. No one wants to pay full price for defective equipment. The only thing that would make it worse is if this "hack" were reproducible on the flipper zero and they get themselves into another Kia Boys situation.
There are two aspects. "Charge" and "costs/who pays". When someone can start a Kia with a USB cable, the owner pays for that. Kia may have a fee for replacing something, but that doesn't factor in the calculus of "there's a reason these people are buying our product, and we assess they will continue to do so."
Note that Kia offered a maximum of $6,125/$3,375 for totaled/damaged vehicles.
The previous formula:
"You take the population of vehicles in the field (A) and multiple it by the probable rate of failure (B), then multiply the result by the average cost of an out-of-court settlement (C).
A times B times C equals X. This is what it will cost if we don't initiate a recall.
If X is greater than the cost of a recall, we recall the cars and no one gets hurt.
If X is less than the cost of a recall, then we don't recall."
There is also this thing called brand loyalty. After the car manufacturer pulls a stunt like that I will think twice before I buy my next car from them.
"The term "patch" came from early use in telephony and radio studios, where extra equipment kept on standby could be temporarily substituted for failed devices." - from https://en.m.wikipedia.org/wiki/Patch_cable
But yeah, the term patch just seems weird in this article. Why not just "upgrade" or "fix"?
I'm not so sure, I thought "patch" originated from hole punching cards to program stuff. A software patch was literally a patch of tape that hides an errorneously punched hole in such a card.
I find it far more likely that patches--in terms of fixing problems with small, targeted changes--derives from the use of the term for fixing holes in cloth by sewing on another piece of cloth.
A side question, both this and the VW power unlock payment from the other day, are targeting UK market, so is legislation (lack of it) such in the UK that allows for such practices?
Stealing cars is illegal in the UK, however you do it. Just having this "gameboy-like device", in your pocket is "going equipped", and you're going to get arrested on its discovery about your person outside of your abode. No ifs, no buts.
The UK has lots of new cars (plenty of cheap financing around for lease, PCP and HP deals), and there is a low-level epidemic of thefts of vehicles that end up in shipping containers and heading out of the country within hours. [0]
Car insurance is also so high in the UK at background levels that if you end up owning a highly desirable and very easy to steal car (the Range Rover a few years ago, for example), the costs being added to price in the risk of your car ending up in a container heading to the Middle East don't seem - as a percentage - particularly high.
The fact UK has great shipping throughput to the Middle East, Africa, and so on, is both a boon economically, but also it makes great cover for all sorts of shenanigans.
Does Hyundai consider this as a patch though? I'm wondering if the dealership would present you the bill with a straight face, is that presented as a "more secure" system, or an "additional anti theft device"?
From the wording of the press release it sounds like they view it as an optional add-on specifically for UK customers who want additional security:
Recently, evolving security threats, including the use of unauthorised electronic devices to bypass vehicle locking systems have become more prevalent in the UK. This is an industry-wide issue and Hyundai is providing appropriate responses in line with industry practices.
As part of the Company’s commitment to supporting our customers, we are able to offer a subsidised software and hardware upgrade for a customer contribution of £49.
Hmmm, so recently: ̶ ̶H̶y̶u̶n̶d̶a̶i̶ ̶K̶i̶a̶ ̶V̶o̶l̶k̶s̶w̶a̶g̶e̶n̶ ̶
At this rate, I'll be back to Tesla for any future EV purchase. (Noting that Tesla second-hand prices in Europe seem to have taken a dive over the past while, presumably partly thanks to Elon's shenanighans?)
I’ve now had 2 IONIQ 5s stolen in Berlin, the last a couple months ago. Each seemingly using a keyless access hacking device. That’s enough for me to not see a Hyundai or Kia in my future anytime soon.
And I very much liked the IONIQ 5. But if I can’t keep one more than 2 years, what’s the point? I’ve lost all trust in those companies, upgrade or not.
Would be interesting to see insurance companies stand on this. Are you expected to pay for the security upgrade or not. Will it be deemed missing as "unpatched - that's your fault".
This is a great question. Have been in insurance for 20 yrs now. Cannot phantom why f.e. insurers don’t hold manufacturers responsible for losses due to cloned car keys with inadequate protection. I do know that insurers are generally very hesitant to start legal procedures, especially those that end up in the news. Say, Volkswagen and Stellantis are formidable adversaries as well as national champions, so there is some presumption that getting your right might be difficult. And the bar as I understand it is not technical SOTA, but more something like acceptable practice, so the manufacturer could argue “hey everyone has shitty protection, so suck up the loss”. Perhaps the newest European legislation will help raise the bar / even the playing field.
Given that many door locks and other portable locks are laughably bad and can be opened with sometimes simple shimmering, or at most basic picking tools, that would mean insurance companies could already have sued Master locks for instance. So at least, bad security is probably not enough for it.
From there, making customer pay to fix bad security doesn't sound like a significant step.
I was just looking at a new Hyundai today. Now I've got something more to consider if they aren't willing to stand behind securing their vehicles at their cost.
So, can people tell me what cars with keyless entry systems aren't susceptible to these attacks?
I'm somewhat wary of any of them, but it seems like it's a feature of a lot of new cars, and I can't tell what is "safe" to buy. It was a simple signal amplification thing wasn't it?
Does anyone know if BYD cars suffer from it for example?
Hunh. I know what I'm doing this weekend... Scanning ionic VINs to see if they're vulnerable. I bet I could train YOLO to recognize ionics from a drone camera at 50 ft.
The car stealing device is $20k, could someone do some math to see what kind of ROI a criminal could expect if they use it to steal cars and part them out?
They aren't actually. Which is why theives just smash your windows. In either case the alarm is going to go off so there's no advantage to them learning a complex attack on your lock cylinder when a piece of concrete will do.
Further there often were additional ignition interlock mechanisms that required the correct key code or a key with the correct additional hardware to be present for the starter cylinder to actually engage your starter.
> didn't know Hyundai owners were so entitled.
It's called a defect. It should be a recall. We have laws that cover this. They're pretty explicit. I didn't know Hyundai CORPORATION was so entitled as to think they were not subject to them.
I agree Hyundai should fix this for free (would make up a small portion of the bad PR for having this issue in the first place), but don't forced recalls usually only apply to defects that cause safety issues?
I'm not sure this would fit the definition of a product safety defect.
It's not ease, it's efficiency: opening a locked car door is 1-2 minutes for an experienced person. Smashing the window is 2 seconds (though you also need some experience, as modern car side windows are also laminated).
As far as I'm concerned, security issues (outside of very niche situations) in a product mean that the product was defective. If you sell a defective product, you should be on the hook to correct the defect.
There’s no bright line that defines “defect” and makes this determination. What Hyundai should be considering here is whether consumers will decide that buying a car from a company that doesn’t fully own their security mistakes isn’t worth it.
I agree it's hard to draw a bright line, but I'm personally comfortable erring heavily on the side of defect for security issues.
I'd be willing to agree that certain security issues might not constitute a manufacturing or design defect. If a thought-to-be-secure encryption was cracked tomorrow, that doesn't make products using it defective at the time of manufacture.
This isn't about normal wear-and-tear but a fundamental security design flaw that allows thieves to steal these cars with a $25 device exploiting the CAN bus - more akin to GM shipping cars with a master key hidden under the floor mat than a pickable lock.
Claiming it is a "security design flaw" is absurd paranoia, the same paranoia that causes manufacturers to destroy the aftermarket and fight right-to-repair in their quest for "security".
Except even more egregious, because if your GM car had a master key under the floor mat, you could just remove it yourself and throw it down a handy storm sewer.
I think your take makes more sense in a world where you actually own the car fully and have the freedom to do what you want with it. Even if someone was able to write this patch themselves without the source code, distributing it would require owners to root their devices, which isn't legal in all jurisdictions.
You don't expect Microsoft or Adobe to issue fixes any time someone finds a remote exploit that let's attackers gain control of you system though security issue in their software? I 100% expect this of my software vendors even for this purchase in the past. The expectations for software and hardware are certainly very different, but even for hardware we have laws that force companies to fix their hardware in some situations.
In the automotive industry, pretty much the whole point of standards like cybersecurity (ISO21434) and functional safety (ISO26262) is to let the manufacturer claim in court that they followed “modern best practices” and therefore are not liable when something goes wrong.
If security flaw is so egregious as to warrant a patch, then the patch should be considered to be a fix of a defective product and free.
If the situation doesn't rise to that level of severity, then it follows that a patch isn't necessary.
If GM were to offer lock cylinder replacements because their original cylinders were so flawed as to warrant them, then yes the cylinder replacements should be free. The sold product was not as described.
If the original cylinders aren't so flawed as to warrant a replacement, then no cylinder replacement would be offered.
Are GM cylinder replacements being offered? If not, then your analogy isn't analogous.
>Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.
No.
Other manufacturers treat defects with recalls after analyzing the fiscal prospect of doing so, and determining whether or not state/regional laws require them to do it.
Here's one of the "not that wrong" scenes from Fight Club to better explain[0].
Well if your car had a seat belt defect and people were dying you know they absolutely would recall the car and pay for the defect.
The defect that allows the car to be stolen in seconds is absolutely a serious problem. I hope Hyundai changes course and decides to provide it for free. We have already seen reports of the trend where people were stealing Hyundai/Kia vehicles and going on joy rides driving extremely dangerously. This has lead to deaths in several instances. So they have a flaw that has lead to people dying. IANAL but I would say leaving this flaw unpatched may even leave them liable if anyone else were to be hurt. As a recent example of something similar is the Sig Sauer P320. They are in the middle of fighting some lawsuits over their faulty product. So it would not be a far stretch if Hyundai/Kia were held responsible for a know flaw in their product.
Anyways it is just my opinion that they should just eat the cost to provide this for free as a show of standing behind their product. Just seems like such bad PR to now make people pay.
It seems like you don't like Hyundai. What's childish is your resort to ad hominem because you disagree.
It's not free labor anymore than the car was free. It's a fix of product that was defective off of the line. The necessity of the fix being evidence of the defect.
Car buyers are not automotive cybersecurity engineers, and they can never be expected to be. Caveat Emptor is a hilarious remark for this situation.
Is it a defect if it required the development of an adversarial tool / exploit which previously did not exist? If the roof leaked when it's raining it's a defect because rain existed before. But this exploit didn't exist before.
Sure, that could be a decent legal regime. The first step to enabling it would be releasing the source code and system documentation for the product they've sold, so that it's even possible for anyone else besides themselves to fix it. Until then it's a black box the company has chosen to retain responsibility for. And frankly regulators should be making sure they support the 20-40 years of useful life we generally expect from automobiles.
I'm not talking about individuals' expectations for how long they personally will use a given vehicle, but rather societal expectations for how long a given vehicle will live across all tiers of the market. The cell phone made-to-be-ewaste model shouldn't be allowed to infect capital assets costing 100x as much.
No. Humans age in a way that cars don't, so "that logic" would not attempt to apply the same curve to humans.
If you're done nitpicking, you're welcome to explain your number better. You forgot to say how to apply "4.5%". I'm sure an exponential fit has issues, but a linear fit would be much worse, and anything fancy needs more data points.
That's why I gave a range. That average stat actually seems to line up with the low end of that range, and since every car isn't scrapped at the same age it's going to be a distribution. There are not many cars from 1985 on the road today, but there sure are some. And since we're talking software which doesn't actually degrade, it shouldn't be the thing limiting the overall lifetime.
It's intel's bug, they promised a certain processor speed, shouldn't it be their responsibility to replace it since their own security oversight resulted in the hardware not working as advertised?
Did you expect the same from intel/amd when those bugs came out? Is it different from this situation?
New CPUs are largely immune to the specific attacks that were published before they were designed. But we aren't gonna get a fast CPU without sidechannels and IMO it's not possible in theory to build a branch predictor that never makes potentially exploitable mispredictions.
In a sense this doesn't change your point but I wanted to take the opportunity to point this out. "This CPU is vulnerable to attack X" just means researchers have found an exploit in practice, which we already knew in theory was there.
This wasn't the expectation before Spectre/Meltdown but now we live in a world where you need to assume a degradation in your CPU's effective performance as we learn about its vulnerabilities and need to apply software workarounds.
I am building "one mitigation to rule them all" called Address Space Isolation but this doesn't fundamentally remove that fact, it just means that when we learn about a CPU's vulns we don't have to build a new mitigation we just have to change the settings on the existing one (and it should be more efficient than the bespoke one would be).
I believe the Mill hardware design would be immune by design because the hardware is in-order (relying on other trickery for its performance). Of course, it's still vaporware, but the noises made have been fairly competent.
So in some ways, yes, but in other ways, what if you didn't need a branch predictor in the CPU.
https://millcomputing.com/blog/wp-content/uploads/2018/01/Sp...
https://www.youtube.com/watch?v=8E4qs2irmpc
Well yes you can dodge this problem by not having a branch predictor but note the way I formulated my claim ;)
How have they advertised that? Was it clock frequency? Their mitigations mean it still runs at that clock frequency.
Following the same logic: old phones, even iphones can be hacked. Should manufacturers replace the hardware?
There is no such thing as secure lock. Any lock could be open without original key. The difference is in the amount of effort.
Still baffles me that KIA sold cars which can be driven away using screwdriver and USB cable.
These in fact do exist, but they have properties unsuitable for many use cases, such as taking 8-24 hours to open if you lose the key/combination or a mechanical fault occurs, and being part of a system so heavy the floor beneath them have to be constructed to support the weight. (A friend of mine was a master locksmith for many years and worked on such locks, mostly for government contracts.)
In case of a lockout often the easiest way to open them is a brute force attack using a device called an autodialer.
The warranty is not that long, and I think the parent comment is talking about 6+ year old iphones that are definitely out of warranty.
If those should get replaced, surely that means each person buys one iPhone in their life, and then just gets free replacements forever, leading to the initial cost of the phone having to go up a lot to account for that.
Maybe you live in a country where car thieves hack into cars left and right. Maybe you live in a country where thieves just tow your car in the middle of the day and don't care about your locks at all. Do you expect car maker to ship you free fixes against every scenario? Security is a spectrum. Make your police better if you don't like it.
/controversial opinion
If you are employed in a position where there is a defect in the product then you are already being paid. Imagine going to a restaurant and you get an uncooked frozen steak, and when you tell the waiter they tell you that since the cook will need to spend more time on it you now have to pay extra.
If it turned out the door locks on the car were defective you'd expect them to be replaced under warranty. If the warranty had expired the situation would, admittedly, be a bit murkier - but you could still make a case that since the locks had always been faulty they'd be the manufacturer's responsibility.
Someone I used to work with had a car a few years ago on which the battery would mysteriously drain for no obvious reason. It turned out to be a defect in the infotainment system's firmware - and he was furious that he was expected to pay for the firmware update to fix it. (The car was long out of warranty, though.)
Go there and request a rare steak or idk steak with kimchi, let is know how it goes!
This is a Korean car and probably secure enough in korea where you usually don't lock your bike and/or house. If it not secure if you park it on the street in SF/London/Magadan/Capetown/Kabul are you sure they owe you a free "fix" for everything that may occur
If these people had bought a Korean market car in Korea and personally shipped it to the UK, yours would be a more compelling argument.
As it is, it makes no sense. If you choose to participate in a foreign market you do not get to abdicate responsibility for problems because they don’t exist in your home market.
McDonald’s, famously, adapts their menu to the location. Here’s a bulgogi burger they only sell in Korea: https://www.mcdonalds.co.kr/eng/menu/detail.do
Here’s another menu item exclusive to Korea https://www.mcdonalds.co.kr/eng/menu/detail.do
It is one of many local menu items available exclusively in Korea. What is absurd is that you make false assertions that can be checked faster than you can write your comment.
Do you genuinely think that Hyundai does not adapt the car to the market (did they accidentally put the steering wheel on the right, and just happen to send those cars to the UK?)? Every car company HAS to do this, if only because different markets have contradictory rules. E.g. Lights that are legal in North America do not meet the standards of other countries. The car HAS to be adapted to the market.
Also, they need to secure it the international markets they're selling it in.
Be a nice human being and you won’t receive that treatment. If your McDonalds wait staff are generally malicious without any provocation, well vote with your feet, nobody is making you eat McDonalds, the sales numbers will correct he problem.
There’s a lot of evidence of this happening in the USA if you just do a search. It’s uncommon, but it happens. At those prices, I’d just rather purchase the item to be made again.
But yes, be a good human.
In general they don't care, it's not coming out of their paychecks, they'll give you another burger, go away now.
When I worked at McDonald's we'd have the favorite burgers pre-made and they'd be left at the warming tray, so orders can be taken care of in maybe 30 seconds, but I guess nowadays that's too wasteful so the burgers are made on demand. There was a day like "Big Macs for $1" day, so we had a line of maybe 50 Big Macs queued, wrapped and ready to eat, that the foreman said "Slow it down with the Big Macs!".
I didn't work there long, but I don't remember anyone doing that.
But yeah, “patch” usually implies software vs. hardware.
Either way, agree with other comments that Hyundai should just eat the costs if it prevents theft due to an exploit.
Having said that, given what the car costs, the fee doesn’t seem completely unreasonable.
I have a Kia EV6, and just saying that if the same “patch” is offered for it, I won’t think twice about paying $65 for it.
I’d also not be super happy they didn’t cover it, but I saw a comment about never buying a Hyundai because of this, and not sure I’d be that upset about it.
There’s a line, for sure, but $65 wouldn’t be it, for me.
Though I'm pretty sure you can't even legally make such a car anymore, at least in Europe, where certain "smart" features are required for new cars. Perhaps a manufacturer of such an EV could put all of that into one box which the user can simply pull out and discard.
See also ‘smart’ tvs vs digital signage displays aka dumb tvs.
[0] https://www.slate.auto/en
I'm just tired of hearing about Slate. A relatively small amount of people want a product and they use a company that hasn't shipped as validation of their imaginary market size (this company exists, so tons of people want it!)
I hope they're successful.
Stockholms Länstrafik didn't figure this out so all our timetable displays are pitch black when viewed with polarized sunglasses.
I've noticed that all but iPhones exhibit this behavior at some angle too and they're apparently using "circular polarization" (expensive) which is another one of these "we do it better" things nobody knows about from Apple (or displays in general)
(https://claude.ai/share/e462247c-0ecd-4a07-8ec1-36a4f3c86597)
Plugging a car into a phone should work like that: just a dumb display with maybe a keyboard or touchscreen input device.
Anyway, that is not what majority want to buy. Even more, a car is not what majority want to buy in the USA. SUV/trucks are desirable.
https://www.slate.auto/en
https://www.telotrucks.com/
One thing that stands out to me is the front wheels protrude beyond the body. I don't recall ever seeing that on a consumer road vehicle before, at least one designed after the 1930s.
I'm mentioning this specifically because the CAN bus is involved, which is mandatory to be safety conform and has to be ASIL-C/D conform. If you cannot guarantee that, you will lose the license.
Without conformance to UN Regulation 155/156, the car manufacturer might lose its license for the underlying car platform (not only the downstreamed models), meaning refunding/damages need to be paid for all buyers of cars of that platform.
So chances are this can be fought in court, and Hyundai probably has to offer free replacement of that defective part.
I've had to "experience" those once for our testdrive of said Ioniq 5. Well, never again. "Dubious" is the most friendly word i have for the one that is next to us.
And: the car itself is priced at least 10-15k€ too high for what it is.
Compared to the Tesla, the Hyundai has an actual interior with physical controls, an 800V charging system, panels that actually line up, and a far bigger dealer/support network. These are things that cost money and even without those things Tesla isn't making a ton of money.
Of course I'm in California so EVs are more expensive to run than ICE cars so it's all moot.
We also have a governor fueled by Getty (oil) money. The people he's appointed to oversee the electric utilities have rubber stamped rate hikes to the point where even heat pumps barely make financial sense because natural gas is so much cheaper (well under $2.50/therm).
https://www.pge.com/content/dam/pge/docs/account/rate-plans/...
https://www.theverge.com/news/757205/hyundai-ioniq-5-securit...
> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.
The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.
More work for the thieves, but hardly a fix to inspire confidence.
They can then brag about the number of thefts they've engaged in by the number of Kia vehicles listed in their phones bluetooth connection list.
The surprise is that the police don't seem to understand how to incorporate these facts into their tactics.
https://www.rtl-sdr.com/flipperzero-darkweb-firmware-bypasse...
The flipper firmware is only about six months old, and it is still not as convenient and distributed.
The actual firmware exploit is the same idea.
But looks from their point of view. It's the most stolen car in the UK. The brand doesn't seem to be suffering much. Having terrible security just helps sales!
Until it’s banned by regulators or made uninsurable…
Plus the UK is about to reintroduce financial incentives for private EV purchase, they want to push sales, not clamp down on crap products.
It's particularly bad because customers see it as a defect. No one wants to pay full price for defective equipment. The only thing that would make it worse is if this "hack" were reproducible on the flipper zero and they get themselves into another Kia Boys situation.
Note that Kia offered a maximum of $6,125/$3,375 for totaled/damaged vehicles.
The previous formula:
"You take the population of vehicles in the field (A) and multiple it by the probable rate of failure (B), then multiply the result by the average cost of an out-of-court settlement (C). A times B times C equals X. This is what it will cost if we don't initiate a recall. If X is greater than the cost of a recall, we recall the cars and no one gets hurt. If X is less than the cost of a recall, then we don't recall."
But yeah, the term patch just seems weird in this article. Why not just "upgrade" or "fix"?
The term patch-cable seems to be way younger.
patchboard
: a switchboard in which circuits are interconnected by patch cords
First Known Use
1934, in the meaning defined above
You do a hardware upgrade on the car to patch the vulnerability.
> "piece of cloth used to mend another material," late 14th century.
> Electronics sense of "to connect temporarily" is attested from 1923 on the notion of tying together various pieces of apparatus to form a circuit.
The UK has lots of new cars (plenty of cheap financing around for lease, PCP and HP deals), and there is a low-level epidemic of thefts of vehicles that end up in shipping containers and heading out of the country within hours. [0]
Car insurance is also so high in the UK at background levels that if you end up owning a highly desirable and very easy to steal car (the Range Rover a few years ago, for example), the costs being added to price in the risk of your car ending up in a container heading to the Middle East don't seem - as a percentage - particularly high.
The fact UK has great shipping throughput to the Middle East, Africa, and so on, is both a boon economically, but also it makes great cover for all sorts of shenanigans.
[0] https://www.containerlift.co.uk/cracking-the-code-uk-police-...
Recently, evolving security threats, including the use of unauthorised electronic devices to bypass vehicle locking systems have become more prevalent in the UK. This is an industry-wide issue and Hyundai is providing appropriate responses in line with industry practices.
As part of the Company’s commitment to supporting our customers, we are able to offer a subsidised software and hardware upgrade for a customer contribution of £49.
At this rate, I'll be back to Tesla for any future EV purchase. (Noting that Tesla second-hand prices in Europe seem to have taken a dive over the past while, presumably partly thanks to Elon's shenanighans?)
From there, making customer pay to fix bad security doesn't sound like a significant step.
I'm somewhat wary of any of them, but it seems like it's a feature of a lot of new cars, and I can't tell what is "safe" to buy. It was a simple signal amplification thing wasn't it?
Does anyone know if BYD cars suffer from it for example?
They aren't actually. Which is why theives just smash your windows. In either case the alarm is going to go off so there's no advantage to them learning a complex attack on your lock cylinder when a piece of concrete will do.
Further there often were additional ignition interlock mechanisms that required the correct key code or a key with the correct additional hardware to be present for the starter cylinder to actually engage your starter.
> didn't know Hyundai owners were so entitled.
It's called a defect. It should be a recall. We have laws that cover this. They're pretty explicit. I didn't know Hyundai CORPORATION was so entitled as to think they were not subject to them.
I'm not sure this would fit the definition of a product safety defect.
Look up LockPickingLawyer on YouTube. Less than a minute with the right tool.
I'd be willing to agree that certain security issues might not constitute a manufacturing or design defect. If a thought-to-be-secure encryption was cracked tomorrow, that doesn't make products using it defective at the time of manufacture.
Claiming it is a "security design flaw" is absurd paranoia, the same paranoia that causes manufacturers to destroy the aftermarket and fight right-to-repair in their quest for "security".
You don't expect Microsoft or Adobe to issue fixes any time someone finds a remote exploit that let's attackers gain control of you system though security issue in their software? I 100% expect this of my software vendors even for this purchase in the past. The expectations for software and hardware are certainly very different, but even for hardware we have laws that force companies to fix their hardware in some situations.
1. This is only in the UK, they are not doing the same in the US
2. Recalls are the responsibility of the manufacturer. Security lapses, even if "up to standards" at the time are not a legitimate exemption (imo)
If the situation doesn't rise to that level of severity, then it follows that a patch isn't necessary.
If GM were to offer lock cylinder replacements because their original cylinders were so flawed as to warrant them, then yes the cylinder replacements should be free. The sold product was not as described.
If the original cylinders aren't so flawed as to warrant a replacement, then no cylinder replacement would be offered.
Are GM cylinder replacements being offered? If not, then your analogy isn't analogous.
What's "unrealistic and childish" is expecting free labour.
They will also be charging elevated dealership prices for thag labor.
Asking customers to pay for the actually-secure retrofit is certainly a choice.
I hope the small amount of money recovered was worth it, Hyundai/Kia just disappeared from my consideration for any future vehicle.
No.
Other manufacturers treat defects with recalls after analyzing the fiscal prospect of doing so, and determining whether or not state/regional laws require them to do it.
Here's one of the "not that wrong" scenes from Fight Club to better explain[0].
[0]: https://www.youtube.com/watch?v=SiB8GVMNJkE
The defect that allows the car to be stolen in seconds is absolutely a serious problem. I hope Hyundai changes course and decides to provide it for free. We have already seen reports of the trend where people were stealing Hyundai/Kia vehicles and going on joy rides driving extremely dangerously. This has lead to deaths in several instances. So they have a flaw that has lead to people dying. IANAL but I would say leaving this flaw unpatched may even leave them liable if anyone else were to be hurt. As a recent example of something similar is the Sig Sauer P320. They are in the middle of fighting some lawsuits over their faulty product. So it would not be a far stretch if Hyundai/Kia were held responsible for a know flaw in their product.
Anyways it is just my opinion that they should just eat the cost to provide this for free as a show of standing behind their product. Just seems like such bad PR to now make people pay.
It's not free labor anymore than the car was free. It's a fix of product that was defective off of the line. The necessity of the fix being evidence of the defect.
Car buyers are not automotive cybersecurity engineers, and they can never be expected to be. Caveat Emptor is a hilarious remark for this situation.
If you're done nitpicking, you're welcome to explain your number better. You forgot to say how to apply "4.5%". I'm sure an exponential fit has issues, but a linear fit would be much worse, and anything fancy needs more data points.
Weren't they a slightly subversive tech site a decade or so ago?