Why Your Phone Gets OTA Updates But Your Car Doesn't
New submitter kjbullis writes with this snippet from Technology Review: "When Toyota recalled over two million cars last week because of flaws with antilock braking systems and other problems, the fix was simple — a few software updates. The implementation of that fix is far from simple. Every one of those cars has to be taken into a dealership to have the new software installed, an expensive process that can take months. Cars that haven't been fixed could, in some cases, suddenly stall and crash. There is an alternative — the same sort of remote software updates used for PCs and smart phones. Indeed, one automaker, Tesla Motors, already provides what it calls 'over-the-air updates,' which allowed it to execute a recent software fix without requiring anybody to bring in their cars. But other automakers are dragging their feet, both because they're worried about security and because they might face resistance from dealers."
Because a bad update on the phone won't cause a high speed fiery wreck.
...but I'd rather not add any more attack vectors than absolutely essential.
What happens when it loses connection or gets hacked? I'd rather not have everything in my life constantly connected. Cars have too many computers now that have things go wrong.
Please wait while Windows restarts your......KER-BAM!
Scruting the inscrutable for over 50 years.
Although it doesn't happen as often these days, I do remember OTA updates bricking my phone in the past, and PCs under my care are still occasionally screwed up by "drive-by updates" in the middle of the night. For something like a car with the potential for property damage or stranding me and mine far from civilization, I'm pretty sure I don't want automatic OTA updates, even if they could arrange that the car not be moving during the time. I want to know exactly what problem the update is solving, the likelihood I will experience that problem, whether the update and backout procedures have been vetted, and the post-update test procedure. I make a living with my camera, and I don't blindly install firmware updates for it either.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I'd rather not have a car manufacturer get into the mindset of assuming problems like that are cheap and easy to fix (so they can scrimp on testing).
How about firmware updates that a user can just download off the manufacturer's website, save on a USB stick, and insert it into a USB port somewhere on the dash?
A little less convenient than OTA, but with lesser risks, and still a whole lot more convenient than going to the dealer's service department.
Consider that updates are done via firmware that is downloaded and stored on computers at local dealerships (They aren't downloading the updates for every single car they update).
How difficult would it be for any moderately skilled hacker to compromise those machines to side load along with the updates?
So the idea that the dealer is somehow safer is purely insane.
I would assume part of the reason that this works for Tesla is that the cars most likely don't hard shut down when they're charging over night. This allows updates to be applied when the car is entirely idle.
No person is going to want to start their car and have it say, "Please wait while we install important updates to your car. Approximate time required will be 30 minutes."
Imagine having to tell your boss you were late because of your car applying necessary updates.
- because your phone comes with built-in wireless networking but your car doesn't?
- because your phone isn't a 4,000-pound hunk of metal and glass frequently moving at a hundred feet per second in public?
Just a couple thoughts...
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Beyond the possible risks to safety, I think it has a lot to do with the price and importance of a car relative to a phone. Cars also must undergo much more strict testing, and are likely to have fewer computer errors that could be easily fixed by flashing a new firmware. (many cars could probably benefit from one or two "updates," though, especially considering how computerized they have become)
Basically, a phone manufacturer and provider is taking less of a financial risk with a faulty or interrupted firmware update. If hundreds or thousands of cars get temporarily bricked, that is extremely bad publicity due to the inconvenience and could cost quite a bit for the company to fix, factoring in towing and service for tons of customers in addition to the possibility of requiring expensive and/or difficult to install replacement parts.
Also cell phones are known to sometimes be troublesome, so it's not like the temporary loss of use of your cellphone makes you unable to go to work or do other daily activities. (there will be a landline phone wherever you are, other than perhaps in your home)
I have a Toyota; its traction control and all associated assists are acting crazy under certain circumstances (Check Engine light on due to stupid sensor in exhaust pipe + wet road) but I wasn't notified of any recall.
Could this be just for cars that are still under warranty?
If that's the case, from where can I download the updated firmware and how do I install it?
install it ourselves usb...
everybody knows that baby has new clothes http://www.youtube.com/watch?v=xEwtUf2sGX4
Dealerships in most populated areas have no reason to exist in the 21st century.
Almost every Android manufacturer except Samsung: What are those?
Seriously the average number of OTA updates is slightly under 1 because while a few phones get 2 or 3 there are many that never get any.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
If automobile manufacturers made as few different models of their products as Apple makes of their products, then I might trust that the update process could be reasonably tested and verified.
However, with all the different models and packages and trim lines - combined with different revision levels of different parts from 3rd party manufacturers - that automobile manufacturers produce, I don't think verifying that it's possible to verify that an update that can't be verified and documented by trained people is going to do anything but cause problems from dead cars in garages (or wilderness camps) to dead people when something bad happens at highway speeds.
In short, modern cars are not just one large, lethal embedded system - but a NETWORK of embedded systems controlling a potentially lethal device. A system with an expected useful life of several decades.
The business of embedded systems is barely up to the job of designing for systems with a useful life of several years in a hostile, networked environment. Automotive systems are networks of systems from different vendors, any of which might go out of business at any time - all of which jealously guard their designs as proprietary.
Last fall, I bought a Ford C-Max Energi (plugin hybrid.) It turned out that it had problems charging from a Level 2 (220V) charger that didn't manifest until after I'd been charging for a few weeks - which I didn't do until I installed a Level 2 charger after Xmas. This was a problem documented in the online forums for the car but I never received notice of it.
There are continuing problems with My Ford Touch - although (according to the online forums) it's better than it was a year ago (before an update this past summer.) My Ford Touch interacts with the charging system, the engine, etc. It seems to do so in a passive way - but the whole design of the internal communication network in automobiles (CAN) is based on implicit trust that one system won't send false messages to another system. (And various researchers have already exploited this.)
Having OTA capability encourages vendors to push out incomplete/buggy firmware ("we can always fix it later") and to push out updates without properly testing them ("if it breaks something, we'll just fix it and re-send"). Suffice to say we definitely do not need this kind of perverse incentive on cars.
And that's without even getting into the trouble that a malicious user could potentially cause if they managed to hack the OTA process and sent out spoofed updates to vehicles...
When you're running late for work, you don't want to wait for your car to reboot to install a software update.
You never expect irony, do you?
Tech Support: Hello, this is tech support, how may I help you?
Customer: Yes, I'm trying to install this update on my car and it's not working.
Tech Support: Have you tried turning it off and on again?
Why does it seem that everything bad about the automobile industry eventually leads back to the dealers..
Bricked phone: A pain in the ass.
Bricked car: A major pain in the ass.
Car that suddenly decides to brake (or not to) for no reason: A deadly accident waiting to happen.
Besides, it took the dealership several hours to get my car's systems to accept a (official) retrofitted parking sensor kit. Automotive engineers don't seem to value ease of use in their non-user-facing software features.
Warranty work via recalls is always free to the consumer, even if your car is out of its warranty period. The only thing they could "pad" would be the bill to the company itself. Which would state "X warranty service" and then the head office would pay for the labor. Since you know, that's how it actually works.
Om, nomnomnom...
Actually, manufacturers PAY dealers for warranty work. So the dealers make bucks for recalls. Maybe not as much as when they catch a live one that lets them do all the "routine service" stuff too, but they make money on recalls.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
But other automakers are dragging their feet, both because they're worried about security and because they might face resistance from dealers.
Given that the level of security on OBD2 ports has been utter crap for about two decades now, I doubt the automakers' major concern is security. Even with well-publicized stories about car hacking, auto companies seem to persist in the belief that it will never be a major, widespread threat. It's probably dealer pushback that has them concerned - having a car dealership is a license to steal, and I imagine dealers are very resistant to any change that threatens their ability to charge $500 for 15 minutes' worth of work.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
You have to remember Dealers pay to play and they have contracts with auto makers on what kinds of service they'll perform under warranty and that the manufacturers will always support their interests. It's expensive when an auto maker has to change things in the field but it's a revenue stream for dealerships who charge all of the labor hours + service fees right back to the manufacturers but it's symbiotic and they both milk the customer either coming or going.
Remember when Chrysler and GM went bankrupt and all those dealers were screaming because their dealerships were terminated due to Chapter 11 reorganization? It was a cost saving measure for GM and Chrysler disguised as the argument that fewer dealers meant less competition within their own lines of vehicles.
Bringing the car into the dealership means much more than just fixing a software glitch, it also means the ability to upsell you on their expensive bullshit that you can get from Midas or an independent for far less. Not to mention while you're waiting you can see the new models that are out, you know the ones that don't have all the problems your current vehicle has. That means it's ultimately in their best interests to keep you coming to them when you need your headlight grease changed. Think that's unrealistic? Manufacturers are putting more and more components into cars that independent service people can't repair just to keep the symbiotic relationship going.
Tesla can't do that because they don't have dealers so pushing changes makes sense for them but now I'll suspect that some hacker network in Eastern Europe will be trying to figure this out so Teslas can be used as WMDs.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
If it's OTA and my car gets bricked, is the manufacturer going to send a tow truck to my house and take it to be repaired? This would be a major unplanned inconvenience for me.
If I have to take it into the dealership anyhow, and it gets bricked, it's already there and in capable hands of being fixed. If I time the update with other maintenance like oil changes, then it's all done at the same time.
The Tesla model could work perfectly well, just like I've never had my home router brick when doing upgrades, but if my router did brick, I'm not stuck somewhere.
There are way too many issues that this can cause for me to ever want a car that can do this. Here's a few:
Hacking. What's to keep a system like this secure? What happens if some criminal organization from bribing owners to pay them to "unlock" your car? Or a crazy person or group from changing the firmware to lock the brakes when the car hits 50 mph? Or just some 9 year old kid from doing this for the hell of it. And any number of other possibilities.
What happens if the process is interrupted in the middle of re-flashing? Does the car need to be towed in and the ECU replaced?
If there's a bad update, it's a hell of a lot better for it to be discovered quickly in the first few cars that receive it. It kinda sucks if the update is bad and suddenly a million+ cars all fail at the same time.
Perhaps I don't want the update. Granted, this doesn't happen often. But there have been cars that were recalled because they had more torque than they should have. Perhaps I want to keep this feature.
How many times have programs or video cards been released sooner than the software or drivers were ready? Being able to push out updates makes it possible to release a car that is not really ready. I would like to think it wouldn't happen. But as soon as someone's bonus is dependent on making a deadline, it will. Actually this would become pretty common I think. It's not done now because it costs the manufacturer a lot of money. Pushing updates would be very cheap by automotive company standards.
What's the added cost for this going to be?
I don't drive very much as it is. How much of a drain will this type of system put on my battery?
I don't want to have to pay to fix the update system when it breaks. A car is one of the harshest environments electronics can be in.
There was an article on /. not too long ago about the automotive industry charging monthly fees for functionality. I don't want a system like this in my car that would allow for fees of any kind.
I could go on. Perhaps I'm old and set in my ways. But I don't see any real benefit to this that would outweigh the potential issues.
Oh no, I need to get to the hospital quick. "please wait while your car is being updated... installing update 1 of 35... time remaining 1 h 16"
The software update to reduce the time that a Prius switched from regenerative braking to friction braking--because ABS was needed--happened in 2010, not recently. Updates do not take "months." The currently available software update to the motor-generator/powertrain system was announced last week; it is to protect some power transistors when accelerating during highway speeds. I just had that update installed, along with three other maintenance items, this morning in just two hours.
Car dealerships don't make big money on new car sales, it all comes from used sales and repairs.
Making updates a dealer-only item is a bone the manufacturers throw to the dealers. Once the soon-to-be victim gets into the dealer's clutches there's a great chance for the dealership to either upsell or outright bilk the car owner out of significant cash.
A lot of people don't trust their car manufacturer to be in charge of firmware pushes. That makes perfect sense. Maybe the best approach would be utilizing special software on existing smartphone platforms. This solves many issues at once. Car owners don't have to worry about their car "phoning home" or the dealer pushing "fixes" without their knowledge, while simultaneously giving the car owner, and the dealer the advantages of a remote software update. If you want it, you can install the dealer's smart app, and hook your phone up to your car for an update.
There are, of course, new issues. You need to properly sign and validate your updates, to make sure they are delivered to the cars uncorrupted, in the correct format, and that no one else can use the functionality to hack the car.
The *manufacturer* has a vested interest in making sure your car has a safety update--it's a bit different than just the neighbor's concern. Think about it. If you make a product that *will* kill a few hundred people over its lifetime unless you fix it, and only half of the owners will bring it in for an upgrade, wouldn't you rather be able to push the upgrade out?
An auto-upgrade is a major safety feature. Is there a security issue? Yes. But not an unsolvable one.
Every manufacturer will switch to auto-upgrades when the first one loses a massive tort case over failure to auto-upgrade.
Currently they just don't fix problems in cars software unless there is a recall.
There haven't been any patches for the security holes associated with the electrical impulses causing doors to unlock (a patch requiring the door controller to get a cryptographic hello should do the trick), nor the issue allowing one to remotely take control of a car, never mind the assorted annoyances that a software patch could fix.
If they were actually able to remotely patch a car there would be more questions about why they aren't making the patches, and they would rather not the focus be on them being cheap.
When a mechanic makes a change to my car, that mechanic is quite legally responsible for the change. That includes some amount of testing. When automatic updates occur, the user has always been responsible for testing it.
There's a big huge enormous line between money/business/phone/convenience/toy and car/safety/life/injury/toy.
In any event, in any device, in any change, some human needs to be responsible for it. When it comes to my car, that someone can't just be me. When it comes to my sister, it can't be her. It's that simple.
Remember when mobile phones were the size of a suitcase?
There are already a number of manufacturers that allow updates to the on board computer using a USB drive. Ford allows you to update the My Touch system via an SD card. The onboard computer can also connect to the internet via a cell phone or satellite connection to retrieve data. Since the computers are all networked together in the car via CANBus, it is certainly conceivable that the PCM or ABS controller could be updated indirectly via a push from the "entertainment center" computer. They just have to enable it.
Now, having said that, there's probably a very good reason they are not allowing the PCM, ABS controller, etc. to be updated that way: security. By requiring updates using the OBDII connector it requires "special hardware" (which I do own) and limits the potential for damage.
Some 6 months after I bought it HTC decided to not produce any more updates - the bullshit excuse was that what I had was optimal. The reality was that they considered it end of life and so could not be bothered -- they got the money from the sale, so why bother? Well: it will cost them since I won't buy another HTC.
In cars you do not want easily accessible remote updates, at least from the main ECU/ECM (the in car infotainment gadgets/garbage doesn't matter).
Modern ECU/ECM's control the smallest details on how engine components operate (fuel delivery/mixtures, ignition timing, etc.)... so you screw something up here, and you will end up with anywhere from a misfiring engine to a more catastrophic event (pre-ignition/detonation) that will "brick" your engine permanently.
Likewise, they also control many of the braking/safety systems, and more and more cars are being outfitted with fake "traction control" systems which are nothing more than modulation of brakes to various wheels.
Not to mention that a failed update can "brick" the ECM/ECU itself, which in turn will make the vehicle completely inoperable (though I'm sure the government/police would love this ability). Replacement ECM/ECU's are very expensive, and generally require you also replace/reprogram all the keys associated with modern vehicles. Flashing of ECM/ECU's is also generally done in controlled conditions, since there is no guarantee the vehicle has enough battery charge etc.
All of these would result in a manufacturer being sued into oblivion... a bad update would probably bankrupt a company immediately. No... remote updates are a terrible idea. Most manufacturers take the stance you only get an update if you have an existing condition that needs to be addressed... and that is the safest route to go. Adding new undefined/potentially untested behaviors to large numbers of vehicles on the road is extremely dangerous...
My father-in-law has a very nice Lexus he bought 3 years ago that has a built-in GPS. Unfortunately his GPS has gotten out of date, so he took it to the dealership to ask about getting it updated with new maps. The dealership wanted $800, half of that was labor. Turns out there is NO WAY to update the GPS in his car. They have to open up the dash board and replace the stupid computer. They're not smart enough to have a mechanism to update a built-in GPS - you think they'd do something as logical as OTA updates? Hah!
This space for rent...
Tesla builds luxury cars for rich people. Putting in a cellular radio and paying the subscription fee to keep it active is trivial compared to the margin on the car.
But cars do get updates, just not OTA.
When you take it in for service, it will often get an ECU update as part of the service. Just ask anyone who has ever chipped their car, only to have their ECU modifications erased after visiting the dealer.
. . . I mean, what if Boeing finds a problem with the avionics firmware in their 777? Just send out a broadcast radio patch, and you're good to go on all planes. What could possibly go wrong?
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
A device talking to — and accepting instructions to modify itself from — something foreign over the air is likely to get hacked eventually. With phones that may not be bad enough to warrant the inconvenience of mandating wired updates. Cars are a different story...
In Soviet Washington the swamp drains you.
Careful, there have been hardware watchdogs that have *caused* problems instead of preventing them. Failsafe failure can be a big problem.
The word you are looking for is "Money"
It's linux you have to watch out for - they'll patch the kernel and just keep on going, though it's a reasonable chance most of it will work. And if it doesn't they'll tell you to write your own fscking update. Microsoft would require that you stop the car entirely for the simplest of changes, and you'll have to turn it off - possibly multiple times - just to get the damned thing running on the new software.
Apple won't worry about patches much - after three years they won't support software updates for your "legacy hardware" anymore, and will expect that in that time you should have bought a new car anyway.
Is it just my observation, or are there way too many stupid people in the world?
"...because they might face resistance from dealers." Nope.
"because dealers want their cut for providing warranty repairs."
Fixed that for you.
I think it should be obvious there should be some safe mode mechanism. If something is really messed up it can boot into safe mode.
Let it look for and authenticate a file. Update the device only when the conditions are met.
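One way to build the "sign and validate, then update only when the conditions are met" flow the comments above describe, as an added example in Go (not code from any automaker or from this thread): the manifest fields, the `ABS-ECU` target name, the 50 percent battery threshold, and the A/B-slot fallback are all assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is the only thing the signature covers; the field set is an assumption.
type Manifest struct {
	Target      string `json:"target"`  // controller the image is built for
	Version     int    `json:"version"` // strictly increasing; enforces no downgrade
	ImageSHA256 string `json:"sha256"`  // binds the signed manifest to the image bytes
}
type Bundle struct{ ManifestJSON, Signature, Image []byte } // what the car receives (OTA or USB)

// VehicleState is the minimal controller state for an A/B-slot update.
type VehicleState struct {
	Target                              string
	Version, PendingVersion, ActiveSlot int // PendingVersion 0 means nothing staged
	Slots                               [2][]byte
	SpeedKPH, BatteryPct                float64
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongTarget  = errors.New("manifest is for another controller")
	ErrRollback     = errors.New("version not newer than installed")
	ErrBadImage     = errors.New("image digest does not match manifest")
	ErrNotReady     = errors.New("vehicle moving or battery low; deferred")
)

// NewManufacturerKey: the public half is what a real controller would carry in ROM.
func NewManufacturerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// SignBundle is the manufacturer side: hash the image, sign the manifest.
func SignBundle(priv ed25519.PrivateKey, target string, version int, image []byte) Bundle {
	sum := sha256.Sum256(image)
	mj, _ := json.Marshal(Manifest{Target: target, Version: version, ImageSHA256: hex.EncodeToString(sum[:])})
	return Bundle{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}
}

// StageUpdate writes the image to the inactive slot only when every check passes.
func StageUpdate(pub ed25519.PublicKey, b Bundle, s VehicleState) (VehicleState, error) {
	if !ed25519.Verify(pub, b.ManifestJSON, b.Signature) {
		return s, ErrBadSignature // reject before parsing untrusted bytes
	}
	var m Manifest
	if err := json.Unmarshal(b.ManifestJSON, &m); err != nil {
		return s, err
	}
	if m.Target != s.Target {
		return s, ErrWrongTarget
	}
	if m.Version <= s.Version {
		return s, ErrRollback
	}
	if sum := sha256.Sum256(b.Image); hex.EncodeToString(sum[:]) != m.ImageSHA256 {
		return s, ErrBadImage
	}
	if s.SpeedKPH != 0 || s.BatteryPct < 50 { // thresholds are assumptions
		return s, ErrNotReady
	}
	s.Slots[1-s.ActiveSlot] = b.Image // the running image is never touched here
	s.PendingVersion = m.Version
	return s, nil
}

// Boot gives a staged image one try; if it is not healthy the old slot keeps running.
func Boot(s VehicleState, healthy bool) VehicleState {
	if s.PendingVersion != 0 && healthy {
		s.ActiveSlot, s.Version = 1-s.ActiveSlot, s.PendingVersion
	} else if s.PendingVersion != 0 {
		s.Slots[1-s.ActiveSlot] = nil // discard the bad image
	}
	s.PendingVersion = 0
	return s
}
```

A forged signature, a wrong-target image, a downgrade, a tampered image, or a moving car all leave the vehicle untouched, and an image that fails its first boot is discarded rather than bricking the controller.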
As it is, it's bad enough that cars are overengineered. Adding computer software between me and critical functionality (like acceleration and braking), and then adding the ability for someone to update it over the cellnet whenever, is unacceptable. If I ever do buy a modern car, the first things to go are any radio transceivers.
Or that is what a recent article in Motor Trend said. (Not a lot of reading material at the barber shop.) OTA needs additional, unused memory for the diff file that it creates and the auto manufacturers are so close with the penny that it is not there. It also said, as I recall, that the average car had over 100 processors that would need updating.
Having a secure update process with extensive verification and testing, say a dealer, would seem to be required for safety. OTA might be okay for the car's phone, but little else.
Great, every Wednesday morning I'm late for work because my car won't start.
It's bad enough that modern software is released riddled with bugs, flaws and missing features that were supposed to be there
It is bad enough that games on consoles, and even the consoles themselves
It's bad enough that even mobile phones, routers and other hardware get released without proper QA and yes, riddled with bugs, flaws and missing features, because companies feel it's okay to release a half-baked PoS thinking "We can fix it post-launch!"
Yes it is expensive to recall a car to fix a software problem, but you know what? We aren't paying for that, the car manufacturer is and frankly, I'm fine with that.
If they didn't do proper QA, then they get penalized for it with the expensive recall. This is incentive for them to get it right first time.
As soon as they can do OTA updates, this incentive is whittled down that much more and the whole Never Buy Version 1 wisdom that we have in the computing world will end up in cars as well.
Hell, at least Toyota are doing the recall; Some manufacturers like Ford and Peugeot refused to even acknowledge there were dangerous flaws in their ECU code until accident and death rates forced them to.
I can see why people think OTA is a good idea generally, but I can see so many downsides; Corrupted OTA updates, hacked and hijacked OTA updates, people disabling the car cell connection or the cell connection failing so the car never gets the OTA, but because it's OTA no recall warning or notification is sent to the owner and they drive around blissfully unaware with their 0.1beta ECU that was released because of critical release dates.
We take cars for granted nowadays, but we should all pause to remember that it is A High Speed Murderous Deathtrap. You can easily kill hundreds of people with a car. It should have more rigorous safety and certification standards than a fucking mobile phone!
The dealers don't like it? It can only be a good thing. Fuck those guys.
Never underestimate the power of stupid people in large groups.
I would have the owner of the car get a phone message to go get in the car and activate the bluetooth connection and then punch in some code. Once this is done the phone would provide the car with any updates. This would prevent any script kiddies, thieves, police or FBI from doing any damage to the vehicle because only the owner with the authorized bluetooth would be able to do the updates. I know the police and FBI would prefer to have total access but this is a HUGE privacy issue and they MUST have a court order and show cause BEFORE they get access. Fishing expeditions are NOT allowed!
I'm a sysadmin with a background in security.
I don't want over the air firmware updates for my car. Scratch that, I don't want to drive a car with OTA updates. Actually, I don't want to be ANYWHERE near any car with OTA updates.
I update complex software for a living. Trust me, you don't want your car, any car to do that.
The very LAST thing I want is my car to get automatic software updates. It's bad enough that my computers and devices want to do this so badly, not to mention the insanity of ordinary software doing it. At least in all those cases, I can (and do) easily stop them.
USB Stuxnet