They're swapping out hardware, which is why they're asking money for this to compensate the labor costs. Not saying this justifies it, but the title is misleading.
jader201 · 20m ago
Agree the title is a bit misleading, but addressing what sounds like an exploit still feels like a patch of sorts.
But yeah, “patch” usually implies software vs. hardware.
Either way, agree with other comments that Hyundai should just eat the costs if it prevents theft due to an exploit.
Having said that, given what the car costs, the fee doesn’t seem completely unreasonable.
wiradikusuma · 1h ago
I understand that development costs are not free, and there's extra hardware involved, but IMO they should take this as marketing cost.
lokar · 1h ago
Yeah, I considered an ionic the last time I was getting a car. Now I’ll never again consider them.
> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.
The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.
Terr_ · 53s ago
[delayed]
akamaka · 1h ago
This seems like a clickbait title because I’ve never hear of a hardware upgrade being called a “patch”.
OhMeadhbh · 1h ago
I don't think the patch is hardware. The hardware they're talking about is the "Gameboy like device" that runs the exploit.
mihaaly · 5m ago
Car manufacturers seems to be determined to discourage people from buying their car.
JKCalhoun · 37m ago
Love to see a 3rd party step in with a lower-cost replacement.
topato · 11m ago
Jesus, when did commenters on neowin get so stupid? Thank God I'm back to the safety of HN....
Weren't they a slightly subversive tech site a decade or so ago?
OhMeadhbh · 1h ago
Hunh. I know what I'm doing this weekend... Scanning ionic VINs to see if they're vulnerable. I bet I could train YOLO to recognize ionics from a drone camera at 50 ft.
OutOfHere · 1h ago
I guess this means Hyundai goes on the blacklist too.
userbinator · 1h ago
It wouldn't be "baffling" if we stopped thinking that companies should continue doing work for free after they've already sold their products. I know the locks on my car are easily picked, but I don't expect GM to give me a free lock cylinder replacement either. Caveat emptor.
Edit: didn't know Hyundai owners were so entitled.
themafia · 1h ago
> I know the locks on my car are easily picked
They aren't actually. Which is why theives just smash your windows. In either case the alarm is going to go off so there's no advantage to them learning a complex attack on your lock cylinder when a piece of concrete will do.
Further there often were additional ignition interlock mechanisms that required the correct key code or a key with the correct additional hardware to be present for the starter cylinder to actually engage your starter.
> didn't know Hyundai owners were so entitled.
It's called a defect. It should be a recall. We have laws that cover this. They're pretty explicit. I didn't know Hyundai CORPORATION was so entitled as to think they were not subject to them.
anywhichway · 43m ago
I agree Hyundai should fix this for free (would make up a small portion of the bad PR for having this issue in the first place), but don't forced recalls usually only apply to defects that cause safety issues?
I'm not sure this would fit the definition of a product safety defect.
selkin · 58m ago
It's not ease, it's efficiency: opening a locked car door is 1-2 minutes for an experienced person. Smashing the window is 2 seconds (though you also need some experience, as modern car side windows are also laminated).
ethan_smith · 1h ago
This isn't about normal wear-and-tear but a fundamental security design flaw that allows thieves to steal these cars with a $25 device exploiting the CAN bus - more akin to GM shipping cars with a master key hidden under the floor mat than a pickable lock.
throwawayoldie · 13m ago
Except even more egregious, because if your GM car had a master key under the floor mat, you could just remove it yourself and throw it down a handy storm sewer.
terribleperson · 1h ago
As far as I'm concerned, security issues (outside of very niche situations) in a product mean that the product was defective. If you sell a defective product, you should be on the hook to correct the defect.
anywhichway · 1h ago
I think your take makes more sense in a world where you actually own the car fully and have the freedom to do what you want with it. Even if someone was able to write this patch themselves without the source code, distributing it would require owners to root their devices, which isn't legal in all jurisdictions.
You don't expect Microsoft or Adobe to issue fixes any time someone finds a remote exploit that let's attackers gain control of you system though security issue in their software? I 100% expect this of my software vendors even for this purchase in the past. The expectations for software and hardware are certainly very different, but even for hardware we have laws that force companies to fix their hardware in some situations.
mrangle · 1h ago
If security flaw is so egregious as to warrant a patch, then the patch should be considered to be a fix of a defective product and free.
If the situation doesn't rise to that level of severity, then it follows that a patch isn't necessary.
If GM were to offer lock cylinder replacements because their original cylinders were so flawed as to warrant them, then yes the cylinder replacements should be free. The sold product was not as described.
If the original cylinders aren't so flawed as to warrant a replacement, then no cylinder replacement would be offered.
Are GM cylinder replacements being offered? If not, then your analogy isn't analogous.
verdverm · 1h ago
You missed some points
1. This is only in the UK, they are not doing the same in the US
2. Recalls are the responsibility of the manufacturer. Security lapses, even if "up to standards" at the time are not a legitimate exemption (imo)
lostdog · 1h ago
It's a defect. We should fix it by making them do a recall.
mrangle · 1h ago
I didn't know Hyundai corporate defenders were so unrealistic and childish.
userbinator · 1h ago
I don't even like Hyundai.
What's "unrealistic and childish" is expecting free labour.
superb_dev · 1h ago
It's not free labor, they already got paid for it. They just fucked it up the first time.
indemnity · 1h ago
Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.
Asking customers to pay for the actually-secure retrofit is certainly a choice.
I hope the small amount of money recovered was worth it, Hyundai/Kia just disappeared from my consideration for any future vehicle.
serf · 55m ago
>Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.
No.
Other manufacturers treat defects with recalls after analyzing the fiscal prospect of doing so, and determining whether or not state/regional laws require them to do it.
Here's one of the "not that wrong" scenes from Fight Club to better explain[0].
Many would argue that this "free labour" you speak of is labour that Hyundai should have put into their product before releasing it.
14 · 37m ago
Well if your car had a seat belt defect and people were dying you know they absolutely would recall the car and pay for the defect.
The defect that allows the car to be stolen in seconds is absolutely a serious problem. I hope Hyundai changes course and decides to provide it for free. We have already seen reports of the trend where people were stealing Hyundai/Kia vehicles and going on joy rides driving extremely dangerously. This has lead to deaths in several instances. So they have a flaw that has lead to people dying. IANAL but I would say leaving this flaw unpatched may even leave them liable if anyone else were to be hurt. As a recent example of something similar is the Sig Sauer P320. They are in the middle of fighting some lawsuits over their faulty product. So it would not be a far stretch if Hyundai/Kia were held responsible for a know flaw in their product.
Anyways it is just my opinion that they should just eat the cost to provide this for free as a show of standing behind their product. Just seems like such bad PR to now make people pay.
throwaway173738 · 12m ago
I think the deaths might qualify the cars as an attractive nuisance at this point. Although The Club is only about $50.
mrangle · 1h ago
It seems like you don't like Hyundai. What's childish is your resort to ad hominem because you disagree.
It's not free labor anymore than the car was free. It's a fix of product that was defective off of the line. The necessity of the fix being evidence of the defect.
Car buyers are not automotive cybersecurity engineers, and they can never be expected to be. Caveat Emptor is a hilarious remark for this situation.
mindslight · 1h ago
Sure, that could be a decent legal regime. The first step to enabling it would be releasing the source code and system documentation for the product they've sold, so that it's possible for anyone else besides themselves to fix it. Until then it's a black box the company has chosen to retain responsibility for. And frankly regulators should be making sure they support the 20-40 years of useful life we generally expect from automobiles.
thfuran · 1h ago
I think you significantly overestimate people’s expectations for automobiles.
mindslight · 18m ago
I'm not talking about individuals' expectations for how long they personally will use a given vehicle, but rather societal expectations for how long a given vehicle will live across all tiers of the market. The cell phone made-to-be-ewaste model shouldn't be allowed to infect capital assets costing 100x as much.
But yeah, “patch” usually implies software vs. hardware.
Either way, agree with other comments that Hyundai should just eat the costs if it prevents theft due to an exploit.
Having said that, given what the car costs, the fee doesn’t seem completely unreasonable.
https://www.theverge.com/news/757205/hyundai-ioniq-5-securit...
> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.
The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.
Weren't they a slightly subversive tech site a decade or so ago?
Edit: didn't know Hyundai owners were so entitled.
They aren't actually. Which is why theives just smash your windows. In either case the alarm is going to go off so there's no advantage to them learning a complex attack on your lock cylinder when a piece of concrete will do.
Further there often were additional ignition interlock mechanisms that required the correct key code or a key with the correct additional hardware to be present for the starter cylinder to actually engage your starter.
> didn't know Hyundai owners were so entitled.
It's called a defect. It should be a recall. We have laws that cover this. They're pretty explicit. I didn't know Hyundai CORPORATION was so entitled as to think they were not subject to them.
I'm not sure this would fit the definition of a product safety defect.
You don't expect Microsoft or Adobe to issue fixes any time someone finds a remote exploit that let's attackers gain control of you system though security issue in their software? I 100% expect this of my software vendors even for this purchase in the past. The expectations for software and hardware are certainly very different, but even for hardware we have laws that force companies to fix their hardware in some situations.
If the situation doesn't rise to that level of severity, then it follows that a patch isn't necessary.
If GM were to offer lock cylinder replacements because their original cylinders were so flawed as to warrant them, then yes the cylinder replacements should be free. The sold product was not as described.
If the original cylinders aren't so flawed as to warrant a replacement, then no cylinder replacement would be offered.
Are GM cylinder replacements being offered? If not, then your analogy isn't analogous.
1. This is only in the UK, they are not doing the same in the US
2. Recalls are the responsibility of the manufacturer. Security lapses, even if "up to standards" at the time are not a legitimate exemption (imo)
What's "unrealistic and childish" is expecting free labour.
Asking customers to pay for the actually-secure retrofit is certainly a choice.
I hope the small amount of money recovered was worth it, Hyundai/Kia just disappeared from my consideration for any future vehicle.
No.
Other manufacturers treat defects with recalls after analyzing the fiscal prospect of doing so, and determining whether or not state/regional laws require them to do it.
Here's one of the "not that wrong" scenes from Fight Club to better explain[0].
[0]: https://www.youtube.com/watch?v=SiB8GVMNJkE
The defect that allows the car to be stolen in seconds is absolutely a serious problem. I hope Hyundai changes course and decides to provide it for free. We have already seen reports of the trend where people were stealing Hyundai/Kia vehicles and going on joy rides driving extremely dangerously. This has lead to deaths in several instances. So they have a flaw that has lead to people dying. IANAL but I would say leaving this flaw unpatched may even leave them liable if anyone else were to be hurt. As a recent example of something similar is the Sig Sauer P320. They are in the middle of fighting some lawsuits over their faulty product. So it would not be a far stretch if Hyundai/Kia were held responsible for a know flaw in their product.
Anyways it is just my opinion that they should just eat the cost to provide this for free as a show of standing behind their product. Just seems like such bad PR to now make people pay.
It's not free labor anymore than the car was free. It's a fix of product that was defective off of the line. The necessity of the fix being evidence of the defect.
Car buyers are not automotive cybersecurity engineers, and they can never be expected to be. Caveat Emptor is a hilarious remark for this situation.