Hyundai wants Ioniq 5 customers to pay for cybersecurity patch in baffling move (neowin.net)
131 points by duxup 5 hours ago | 74 comments
birdfood 2 minutes ago [-]
I want a dumb EV. No infotainment system. Just speakers and a way to plug my device into them. Anything critical to the car should be completely air gapped and require an absolute minimum amount of software, preferably zero.
Mistletoe 26 seconds ago [-]
Check out Slate trucks. I want that too and this seems to be perfect. Has windows you roll down even. Fingers crossed it actually launches.

https://www.slate.auto/en

jjani 3 hours ago [-]
They're swapping out hardware, which is why they're asking money for this to compensate the labor costs. Not saying this justifies it, but the title is misleading.
mirzap 37 seconds ago [-]
It doesn't matter. If a customer buys faulty hardware, it's the seller's responsibility to replace it with working hardware. If the brakes had a manufacturing defect, you wouldn't expect the customer to pay for the replacement.
jader201 3 hours ago [-]
Agree the title is a bit misleading, but addressing what sounds like an exploit still feels like a patch of sorts.

But yeah, “patch” usually implies software vs. hardware.

Either way, agree with other comments that Hyundai should just eat the costs if it prevents theft due to an exploit.

Having said that, given what the car costs, the fee doesn’t seem completely unreasonable.

GlacierFox 16 minutes ago [-]
Given what the car costs, you'd think they'd do this out of courtesy.
wiradikusuma 4 hours ago [-]
I understand that development costs are not free, and there's extra hardware involved, but IMO they should take this as marketing cost.
lokar 3 hours ago [-]
Yeah, I considered an Ioniq the last time I was getting a car. Now I’ll never again consider them.
inferiorhuman 1 hours ago [-]
The Kia Boys stuff, child labor, and ICCU failures weren't enough? The Ioniq 5 absolutely looks like a compelling car but from my POV Hyundai seems hell bent on snatching defeat from the jaws of victory.
moepstar 56 minutes ago [-]
I'd add dealerships to the list.

I've had to "experience" those once for our test drive of said Ioniq 5. Well, never again. "Dubious" is the most friendly word I have for the one that is next to us.

And: the car itself is priced at least 10-15k€ too high for what it is.

inferiorhuman 27 minutes ago [-]
I watched the Rich Rebuilds review of the Ioniq 5N recently and while I'm underwhelmed by Hyundai as a company I'll disagree with you and Rich about Hyundai pricing these $10-15k too high. Pretty much the only competition is the Model 3 (Performance), and by that metric Ioniq pricing is spot on. Sure the iD.4 exists but VW really flubbed the software on that. And if you're eyeing the 5N, it did the Pike's Peak climb faster than the Tesla (and on a single charge IIRC).

Compared to the Tesla, the Hyundai has an actual interior with physical controls, an 800V charging system, panels that actually line up, and a far bigger dealer/support network. These are things that cost money and even without those things Tesla isn't making a ton of money.

Of course I'm in California so EVs are more expensive to run than ICE cars.

petronic 2 hours ago [-]
“Gameboy-like device” - are they referring to Flipper Zeros with the firmware to exploit RF rolling codes?

https://www.rtl-sdr.com/flipperzero-darkweb-firmware-bypasse...

asymmetric 26 minutes ago [-]
They’re talking about something like this https://www.thedrive.com/tech/34817/this-25000-game-boy-is-m...
technick 1 hours ago [-]
More than likely
hecturchi 1 hours ago [-]
No, they don't. You need to read the article. It says such devices cost $20k.
petronic 9 minutes ago [-]
My understanding is that the firmware has some sort of DRM and it’s being sold - not freely distributed. (Admittedly, the comment I saw mentioning cost pegged it at 1k, not 20k for a license.)
Maxion 41 minutes ago [-]
Could still be a flipper with custom firmware.
neilv 4 hours ago [-]
Maybe a better link:

https://www.theverge.com/news/757205/hyundai-ioniq-5-securit...

themafia 3 hours ago [-]
Also frustrating but for different reasons:

> in 2023 over the “Kia Boyz” attacks that allowed thieves to bypass a vehicle’s security system using a USB cable.

The USB cable happened to have the right size to engage the starter mechanism. Any physical object with similar dimensions could have been used. It really undercuts how absolutely terrible the Kia security design was around that component.

Terr_ 2 hours ago [-]
In some vehicles, their "software fix" literally did nothing but move thieves from smashing a window to screwdriver'ing the driver door lock.

More work for the thieves, but hardly a fix to inspire confidence.

TylerE 2 hours ago [-]
This is why, back when I owned a Jeep, I never locked it. Figured if someone wanted the 85 cents in change that badly I'd rather they not take a knife to my (plastic) windows.
Terr_ 2 hours ago [-]
Knowing folks with this problem, I've been looking into some way of adding some kind of "pulling or removing the door handle without first disabling the alarm triggers the alarm" circuit... but the necessary disassembly is a pain.
anonym29 2 hours ago [-]
The "Kia Boyz" saga was primarily motivated by theft of the vehicle itself, not the contents of the vehicle.
Terr_ 1 hours ago [-]
Right, and even un-sexy and inexpensive vehicles get targeted these days, because they can be used as tools to commit other crimes, not just a commodity to be resold or scavenged.
akamaka 3 hours ago [-]
This seems like a clickbait title because I’ve never heard of a hardware upgrade being called a “patch”.
4ndrewl 24 minutes ago [-]
"The term "patch" came from early use in telephony and radio studios, where extra equipment kept on standby could be temporarily substituted for failed devices." - from https://en.m.wikipedia.org/wiki/Patch_cable

But yeah, the term patch just seems weird in this article. Why not just "upgrade" or "fix"?

OhMeadhbh 3 hours ago [-]
I don't think the patch is hardware. The hardware they're talking about is the "Gameboy like device" that runs the exploit.
echoangle 2 hours ago [-]
> The Verge now reports that Hyundai is offering a security patch for this issue through software and hardware upgrades to Ioniq 5 customers.

You do a hardware upgrade on the car to patch the vulnerability.

commandersaki 1 hours ago [-]
The etymology of patch harkens back to Larry Wall's UNIX patch tool for applying diffs to a source code base.
ralph84 21 minutes ago [-]
The etymology of patch predates software by hundreds of years.
gbil 2 hours ago [-]
A side question, both this and the VW power unlock payment from the other day, are targeting UK market, so is legislation (lack of it) such in the UK that allows for such practices?
whirlwin 39 minutes ago [-]
Would be interesting to see insurance companies' stand on this. Are you expected to pay for the security upgrade or not? Will it be deemed missing as "unpatched - that's your fault"?
wjnc 25 minutes ago [-]
This is a great question. Have been in insurance for 20 yrs now. Cannot fathom why f.e. insurers don’t hold manufacturers responsible for losses due to cloned car keys with inadequate protection. I do know that insurers are generally very hesitant to start legal procedures, especially those that end up in the news. Say, Volkswagen and Stellantis are formidable adversaries as well as national champions, so there is some presumption that getting your right might be difficult. And the bar as I understand it is not technical SOTA, but more something like acceptable practice, so the manufacturer could argue “hey everyone has shitty protection, so suck up the loss”. Perhaps the newest European legislation will help raise the bar / even the playing field.
technick 1 hours ago [-]
I was just looking at a new Hyundai today. Now I've got something more to consider if they aren't willing to stand behind securing their vehicles at their cost.
OhMeadhbh 3 hours ago [-]
Hunh. I know what I'm doing this weekend... Scanning Ioniq VINs to see if they're vulnerable. I bet I could train YOLO to recognize Ioniqs from a drone camera at 50 ft.
mihaaly 2 hours ago [-]
Car manufacturers seem to be determined to discourage people from buying their car.
JKCalhoun 3 hours ago [-]
Love to see a 3rd party step in with a lower-cost replacement.
OutOfHere 4 hours ago [-]
I guess this means Hyundai goes on the blacklist too.
EverydayBalloon 4 hours ago [-]
[dead]
userbinator 4 hours ago [-]
[flagged]
themafia 3 hours ago [-]
> I know the locks on my car are easily picked

They aren't actually. Which is why thieves just smash your windows. In either case the alarm is going to go off so there's no advantage to them learning a complex attack on your lock cylinder when a piece of concrete will do.

Further there often were additional ignition interlock mechanisms that required the correct key code or a key with the correct additional hardware to be present for the starter cylinder to actually engage your starter.

> didn't know Hyundai owners were so entitled.

It's called a defect. It should be a recall. We have laws that cover this. They're pretty explicit. I didn't know Hyundai CORPORATION was so entitled as to think they were not subject to them.

anywhichway 3 hours ago [-]
I agree Hyundai should fix this for free (would make up a small portion of the bad PR for having this issue in the first place), but don't forced recalls usually only apply to defects that cause safety issues?

I'm not sure this would fit the definition of a product safety defect.

selkin 3 hours ago [-]
It's not ease, it's efficiency: opening a locked car door is 1-2 minutes for an experienced person. Smashing the window is 2 seconds (though you also need some experience, as modern car side windows are also laminated).
terribleperson 3 hours ago [-]
As far as I'm concerned, security issues (outside of very niche situations) in a product mean that the product was defective. If you sell a defective product, you should be on the hook to correct the defect.
hamburglar 16 minutes ago [-]
There’s no bright line that defines “defect” and makes this determination. What Hyundai should be considering here is whether consumers will decide that buying a car from a company that doesn’t fully own their security mistakes isn’t worth it.
ethan_smith 3 hours ago [-]
This isn't about normal wear-and-tear but a fundamental security design flaw that allows thieves to steal these cars with a $25 device exploiting the CAN bus - more akin to GM shipping cars with a master key hidden under the floor mat than a pickable lock.
throwawayoldie 2 hours ago [-]
Except even more egregious, because if your GM car had a master key under the floor mat, you could just remove it yourself and throw it down a handy storm sewer.
anywhichway 3 hours ago [-]
I think your take makes more sense in a world where you actually own the car fully and have the freedom to do what you want with it. Even if someone was able to write this patch themselves without the source code, distributing it would require owners to root their devices, which isn't legal in all jurisdictions.

You don't expect Microsoft or Adobe to issue fixes any time someone finds a remote exploit that lets attackers gain control of your system through a security issue in their software? I 100% expect this of my software vendors even for this purchase in the past. The expectations for software and hardware are certainly very different, but even for hardware we have laws that force companies to fix their hardware in some situations.

mrangle 3 hours ago [-]
If a security flaw is so egregious as to warrant a patch, then the patch should be considered to be a fix of a defective product and free.

If the situation doesn't rise to that level of severity, then it follows that a patch isn't necessary.

If GM were to offer lock cylinder replacements because their original cylinders were so flawed as to warrant them, then yes the cylinder replacements should be free. The sold product was not as described.

If the original cylinders aren't so flawed as to warrant a replacement, then no cylinder replacement would be offered.

Are GM cylinder replacements being offered? If not, then your analogy isn't analogous.

verdverm 3 hours ago [-]
You missed some points

1. This is only in the UK, they are not doing the same in the US

2. Recalls are the responsibility of the manufacturer. Security lapses, even if "up to standards" at the time are not a legitimate exemption (imo)

zmb_ 2 hours ago [-]
In the automotive industry, pretty much the whole point of standards like cybersecurity (ISO21434) and functional safety (ISO26262) is to let the manufacturer claim in court that they followed “modern best practices” and therefore are not liable when something goes wrong.
lostdog 4 hours ago [-]
It's a defect. We should fix it by making them do a recall.
mrangle 4 hours ago [-]
I didn't know Hyundai corporate defenders were so unrealistic and childish.
userbinator 3 hours ago [-]
I don't even like Hyundai.

What's "unrealistic and childish" is expecting free labour.

superb_dev 3 hours ago [-]
It's not free labor, they already got paid for it. They just fucked it up the first time.
jcdentonn 2 hours ago [-]
Nope. It requires new hardware installed.
whatevaa 1 hours ago [-]
Hardware which should have been there in the first place.

They will also be charging elevated dealership prices for that labor.

brewdad 2 hours ago [-]
I don't expect free labor. I expect the service workers to get paid by Hyundai
indemnity 3 hours ago [-]
Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.

Asking customers to pay for the actually-secure retrofit is certainly a choice.

I hope the small amount of money recovered was worth it, Hyundai/Kia just disappeared from my consideration for any future vehicle.

serf 3 hours ago [-]
> Other manufacturers treat defects in their products by doing a recall and wearing the costs of their mistake.

No.

Other manufacturers treat defects with recalls after analyzing the fiscal prospect of doing so, and determining whether or not state/regional laws require them to do it.

Here's one of the "not that wrong" scenes from Fight Club to better explain[0].

[0]: https://www.youtube.com/watch?v=SiB8GVMNJkE

lukan 33 minutes ago [-]
Do you have any other sources than a Hollywood movie made for entertainment?
nulld3v 3 hours ago [-]
Many would argue that this "free labour" you speak of is labour that Hyundai should have put into their product before releasing it.
mrangle 3 hours ago [-]
It seems like you don't like Hyundai. What's childish is your resort to ad hominem because you disagree.

It's not free labor any more than the car was free. It's a fix of a product that was defective off of the line. The necessity of the fix being evidence of the defect.

Car buyers are not automotive cybersecurity engineers, and they can never be expected to be. Caveat Emptor is a hilarious remark for this situation.

lmz 1 hours ago [-]
Is it a defect if it required the development of an adversarial tool / exploit which previously did not exist? If the roof leaked when it's raining it's a defect because rain existed before. But this exploit didn't exist before.
14 3 hours ago [-]
Well if your car had a seat belt defect and people were dying you know they absolutely would recall the car and pay for the defect.

The defect that allows the car to be stolen in seconds is absolutely a serious problem. I hope Hyundai changes course and decides to provide it for free. We have already seen reports of the trend where people were stealing Hyundai/Kia vehicles and going on joy rides driving extremely dangerously. This has led to deaths in several instances. So they have a flaw that has led to people dying. IANAL but I would say leaving this flaw unpatched may even leave them liable if anyone else were to be hurt. As a recent example of something similar is the Sig Sauer P320. They are in the middle of fighting some lawsuits over their faulty product. So it would not be a far stretch if Hyundai/Kia were held responsible for a known flaw in their product.

Anyways it is just my opinion that they should just eat the cost to provide this for free as a show of standing behind their product. Just seems like such bad PR to now make people pay.

throwaway173738 2 hours ago [-]
I think the deaths might qualify the cars as an attractive nuisance at this point. Although The Club is only about $50.
mindslight 4 hours ago [-]
Sure, that could be a decent legal regime. The first step to enabling it would be releasing the source code and system documentation for the product they've sold, so that it's even possible for anyone else besides themselves to fix it. Until then it's a black box the company has chosen to retain responsibility for. And frankly regulators should be making sure they support the 20-40 years of useful life we generally expect from automobiles.
thfuran 4 hours ago [-]
I think you significantly overestimate people’s expectations for automobiles.
mindslight 2 hours ago [-]
I'm not talking about individuals' expectations for how long they personally will use a given vehicle, but rather societal expectations for how long a given vehicle will live across all tiers of the market. The cell phone made-to-be-ewaste model shouldn't be allowed to infect capital assets costing 100x as much.
thfuran 1 hours ago [-]
Yes, and the scrappage rate is about 4.5%. A 40 year old car is not the norm.
Dylan16807 1 hours ago [-]
At 4.5% loss per year, you'd still have 16% of cars running at 40 years. That's pretty normal.
thfuran 43 minutes ago [-]
By that logic, shouldn’t about 25% of US persons be 150, given the annual death rate of 9.28 per thousand?
mindslight 1 hours ago [-]
That's why I gave a range. That average stat actually seems to line up with the low end of that range, and since every car isn't scrapped at the same age it's going to be a distribution. There are not many cars from 1985 on the road today, but there sure are some. And since we're talking software which doesn't actually degrade, it shouldn't be the thing limiting the overall lifetime.
exe34 56 minutes ago [-]
so if I sell you a bridge that's not fit for purpose, I wouldn't have to fix it for you at my cost? nice! I've got a bridge to sell to you...
topato 2 hours ago [-]
Jesus, when did commenters on neowin get so stupid? Thank God I'm back to the safety of HN....

Weren't they a slightly subversive tech site a decade or so ago?

dyauspitr 31 minutes ago [-]
What’s wrong with the comments?