Hyundai charges customers to fix security flaws despite laws requiring free manufacturer responsibility
Automotive giant defies international regulations whilst other industries provide security patches at no cost
Hyundai is charging British customers £49 to fix cybersecurity vulnerabilities that allow thieves to steal their £42,600 electric vehicles. The decision represents an audacious test of legal boundaries—international law explicitly requires manufacturers to provide such security fixes free of charge.
The vulnerabilities affect Hyundai's Ioniq 5, along with the related Kia EV6 and Genesis GV60. Criminals exploit these flaws using £15,000 handheld devices resembling old Game Boy consoles, which can circumvent the cars' wireless locking systems within seconds. No hot-wiring required.
Rather than treating this as a product defect requiring immediate free repair, Hyundai has rebranded the security fix as an "optional upgrade" available for a "customer contribution." The euphemistic language cannot disguise what amounts to charging victims to repair a manufacturer's design failure.
The decision has ignited fury among customers who reasonably assumed that buying a modern electric vehicle included functional security systems. More significantly, it directly contravenes binding international cybersecurity regulations that came into force specifically to prevent manufacturers from shirking such responsibilities.
The law Hyundai is ignoring
Since July 2022, United Nations Economic Commission for Europe (UNECE) Regulation 155 has mandated that vehicle manufacturers maintain comprehensive cybersecurity throughout their products' entire lifecycles. The regulation leaves no ambiguity about responsibility: manufacturers must prove "that effective cybersecurity methods and processes were used" and maintain "measures to detect and prevent cyber-attacks."
This isn't voluntary guidance—it's legally binding across 54 countries including Britain, the European Union, Japan, and South Korea. Vehicles failing to comply cannot be sold, and existing models can be withdrawn from markets.
The regulation emerged from stark necessity. Modern cars contain 150 electronic control units running 100 million lines of software code—four times more than fighter jets. As connectivity increases, so do attack vectors. The UN recognised that without clear manufacturer obligations, consumers would bear the costs of corporate cybersecurity failures.
Under the regulation, Hyundai must demonstrate ongoing capability to identify risks, implement mitigations, and respond to threats. The requirement explicitly covers "post-production" monitoring and incident response across vehicle fleets. There is no provision for charging customers to fulfil these legal obligations.
How everyone else does business
Step outside the automotive sector and Hyundai's approach becomes even more extraordinary. Microsoft doesn't charge Windows users to download critical security patches. Apple provides iOS security updates freely, often installing them automatically. Google maintains Android security without subscription fees.
This universal practice reflects a fundamental industry understanding: security vulnerabilities are product defects, not revenue opportunities. When researchers discover that a smartphone's encryption can be bypassed, manufacturers race to provide free fixes. The alternative—charging customers to maintain basic security—would be commercial suicide.
The US Cybersecurity and Infrastructure Security Agency actively encourages automatic security updates, explicitly assuming vendors will provide them without charge. Australia's voluntary Internet of Things code requires manufacturers to provide security updates throughout device lifecycles, with no mention of customer payments.
The precedent spans decades and billions of devices. Security represents a shared responsibility: manufacturers design secure systems and provide ongoing support; users implement updates promptly. Introducing payment barriers breaks this social contract and creates dangerous security gaps across entire user populations.
Industry coordination or isolated greed?
Hyundai's decision gains disturbing context alongside Volkswagen's recent move to charge customers for software features already installed in their vehicles. Both decisions suggest coordinated industry testing of consumer tolerance for post-purchase charges rather than isolated corporate misjudgements.
The financial incentives are substantial. McKinsey projects automotive cybersecurity spending will reach £7.6 billion by 2030, driven by increasingly complex connected vehicle systems. For an industry simultaneously investing billions in electric vehicle transitions and autonomous driving development, shifting cybersecurity costs to consumers represents an appealing escape route.
The £49 charge may seem trivial against the Ioniq 5's purchase price, but it establishes a precedent with far-reaching implications. If manufacturers can successfully monetise cybersecurity compliance, today's modest security patch fee becomes tomorrow's expensive software update or hardware replacement charge.
Hyundai's language reveals the strategy. Describing the fix as "subsidised" implies the company is doing customers a favour rather than fulfilling legal obligations. Emphasising "evolving security threats" suggests that new vulnerabilities justify new charges—a direct contradiction of regulations requiring manufacturers to build adaptable security systems.
When laws lack teeth
Hyundai's gamble exposes a critical weakness in international cybersecurity enforcement. While UNECE Regulation 155 clearly mandates manufacturer responsibility, practical oversight mechanisms remain underdeveloped.
The regulation focuses primarily on pre-market approval, requiring manufacturers to demonstrate cybersecurity capabilities before obtaining vehicle type approval. Post-market monitoring appears limited, creating space for manufacturers to reinterpret their ongoing obligations.
This enforcement gap creates immediate consumer protection failures. Vehicle owners unable to afford the £49 charge remain vulnerable to theft, establishing a two-tier security system where cybersecurity depends on customers' willingness to pay additional fees. Such outcomes directly contradict the regulation's intent to ensure comprehensive vehicle protection.
Insurance complications multiply the problem. With automotive cybersecurity incidents having cost the industry £17.6 billion in 2024, insurers increasingly require proof of current security updates. Customers who cannot afford manufacturer charges may find themselves unable to obtain coverage, compounding the financial burden of corporate security failures.
The connected car crossroads
Hyundai's cybersecurity charge represents more than corporate opportunism—it signals a fundamental choice about responsibility in the connected vehicle age. As cars become rolling computers, cybersecurity evolves from occasional concern to constant necessity.
The automotive industry can follow technology sector precedents, treating security as a fundamental product requirement warranting ongoing manufacturer investment. Alternatively, it can attempt to establish cybersecurity as a revenue stream, with customers bearing perpetual costs for maintaining security in products they have already purchased.
International regulations point decisively toward manufacturer responsibility, but their effectiveness depends on enforcement action that regulators have yet to demonstrate. Without meaningful consequences, Hyundai's £49 experiment may inspire widespread industry adoption rather than regulatory correction.
The stakes extend beyond individual vehicle owners to the entire connected mobility ecosystem. If manufacturers can successfully redefine cybersecurity as a customer responsibility, the precedent will influence autonomous vehicles, smart city infrastructure, and every connected device that touches transportation networks.
Hyundai has thrown down a gauntlet. The regulatory response will determine whether cybersecurity remains a shared social responsibility or becomes another consumer burden in an increasingly expensive connected world.