Slashdot Mirror


Why Your Phone Gets OTA Updates But Your Car Doesn't

New submitter kjbullis writes with this snippet from Technology Review: "When Toyota recalled over two million cars last week because of flaws with antilock braking systems and other problems, the fix was simple — a few software updates. The implementation of that fix is far from simple. Every one of those cars has to be taken into a dealership to have the new software installed, an expensive process that can take months. Cars that haven't been fixed could, in some cases, suddenly stall and crash. There is an alternative — the same sort of remote software updates used for PCs and smart phones. Indeed, one automaker, Tesla Motors, already provides what it calls 'over-the-air updates,' which allowed it to execute a recent software fix without requiring anybody to bring in their cars. But other automakers are dragging their feet, both because they're worried about security and because they might face resistance from dealers."

41 of 305 comments

  1. Umm safety? by fsck-beta · · Score: 5, Insightful

    Because a bad update on the phone won't cause a high speed fiery wreck.

    1. Re:Umm safety? by camperdave · · Score: 4, Insightful

      Also a phone has communication capabilities built right in. A car... not so much.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:Umm safety? by tiberus · · Score: 3, Interesting

      Hmm, but, you have to weigh that risk (and okay, I'm assuming software updates won't occur while the car is moving) against the risk of not updating a vehicle. Yes it's a numbers game and there are vested interests both ways (e.g. I have a vested interest in your car getting a safety update).

    3. Re:Umm safety? by ifiwereasculptor · · Score: 5, Funny

      Of course it does. Happened to me. Since my Nexus 4 updated to KitKat, I sometimes lose 3g signal. So there I was on the highway, trying to send a text, when, again, whatsapp refuses to send my message. I get frustrated, connect the phone to my laptop, fire up ADB and, lo and behold, the car crashes. It's ridiculous. I'm going to fucking sue Google.

    4. Re:Umm safety? by thue · · Score: 2

      Obviously the update should not be applied while the car is turned on... car companies are not that stupid.

    5. Re:Umm safety? by mythosaz · · Score: 3, Insightful

      Which modern car do you think doesn't?

    6. Re:Umm safety? by plover · · Score: 2

      Just because an update came over the phone doesn't mean it will crash your car. A bad dealer update could cause the same problem.

      The main difference is the update mechanism may have a security flaw. But really, if your car can already get on line for any reason (traffic, directions, reservations, etc.) it already has a significant attack surface. This is just one more application that could let an attacker have his way with your vehicle.

      --
      John
    7. Re:Umm safety? by Immerman · · Score: 4, Insightful

      Well the hardware's cheap, and considering the minuscule data usage I'm pretty sure they could work out something with cell companies - the "phone" wouldn't even need to be on but for a few minutes a month. Wifi support would probably be even cheaper, if not quite as convenient.

      I suspect security and inertia are bigger issues - auto manufacturers have got to be aware of how atrocious their security is, but at present it needs physical access to attack - and if you've got physical access all safety bets are off anyway. I doubt any company wants their cars to be the first to be used as Anonymous assassination tools, that's the sort of publicity that could decimate their business.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    8. Re:Umm safety? by jeffmeden · · Score: 4, Interesting

      You give the car companies way too much credit.

      They don't give a shit about our safety - that's why it has to be legislated and why they ALWAYS fight safety legislation. Always.

      The updates are done at the dealership so while the software is being updated, you're walking around looking at the new models and it gives the salesperson to harass you.

      It gets you to the dealership to shop.

      When it comes to the intentions of business, cynicism is always appropriate.

      Strangely, the dealership/manufacturer model is rather adversarial, with dealerships lobbying (successfully) for control over who sells cars where, locking out the automakers from any attempt at selling directly to customers. The reason dealerships would balk at OTA software fixes is that they get a nice steady stream of revenue from the manufacturer by performing those recall updates. It's easy work: they plug the car in, double click, and collect $100 or more from the manufacturer. Who wouldn't want to run a shop that had guaranteed, easy to complete work that's always paid for on time? Time to lobby to make sure doing it any other way is illegal!

    9. Re:Umm safety? by CanHasDIY · · Score: 2

      I have a vested interest in your car getting a safety update

      This statement sums up exactly what's wrong with society today, IMO.

      Believe me, dude, that's a slope you don't want to go slipping down. Because I could respond with, "I have a vested interest in making sure my neighbors aren't cooking meth," implying that they (which implies all citizens) don't have a right to be free from unlawful search and seizure in their (our) own homes.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    10. Re:Umm safety? by geekoid · · Score: 2

      ", "I have a vested interest in making sure my neighbors aren't cooking meth," "
      You do.

      " implying that they (which implies all citizens) don't have a right to be free from unlawful search and seizure in their (our) own homes."
      it does not. It implies that under some circumstances you can take some action i.e. lawful investigation.

      I do have a right to be sure vehicles have a minimum safety standard.

      By your argument, I should be able to careen down the road at 100 miles an hour, drinking whisky and driving the wrong way.

      Hey, you don't want a law against that, it's a slippery slope that leads right to Hitler.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    11. Re:Umm safety? by geekoid · · Score: 2

      YOU send the update and store it in memory. When the car is turned off, apply the patch.
      Personally, I would also maintain a log of any period where the car is off for more than 2 hours and try to apply my patch then.

      Or if they hire actual software engineers, it would install and as pointers were released it would start pointing to the new install.*
      We do know how to do live patching of devices.

      *yes, that was a VERY simple description and only used to make a point.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    12. Re:Umm safety? by ColaMan · · Score: 2

      Let's imagine you could buy a car that was $2000 cheaper without airbags - Would people buy them?

      No need to imagine. People did. And people still do. I bought plenty of cars that didn't have airbags or abs or stability control or seatbelt pretensioners or emergency brake assist or power steering, even (the horror!).

      But nowadays, people do give serious thought to their safety, which is why even the base model crapbox has ABS and airbags. If I had a choice between a car advertised as "5 STAR crash rating" and one without that was 5 grand cheaper, the one with the 5 stars gets my money every time. If one of those features saves me in an accident - or even better, helps me to avoid one - it's worth it.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    13. Re:Umm safety? by Aaden42 · · Score: 3, Insightful

      I do have a right to be sure vehicles have a minimum safety standard.

      This seems easy to fix. Most (all?) states have some sort of annual safety inspection requirement for keeping a car on the road. Generally these safety checks include connecting to the car computer’s diagnostic port to read emissions related information to ensure the car complies with the pollution requirements that applied to its model year.

      Add as a requirement of those checks that plugging into the computer also checks software versions and compares that against a list of updates the respective manufacturer has deemed critical for continued safety. A passing safety inspection requires that the car’s systems be up to date with all critical software updates.

    14. Re:Umm safety? by ceoyoyo · · Score: 4, Informative

      Most cars today don't come with enabled cellular radios (or cellular radios at all for that matter). The luxury ones (like Tesla) do. The others, not so much. The subscriptions are expensive.

      RDS? For transmitting what song is playing on FM stations? Hooking that up to do firmware updates on a car's computer sounds like a great idea!

    15. Re:Umm safety? by AmiMoJo · · Score: 3, Interesting

      I develop data loggers that use mobile data networks and it really isn't easy to set this kind of thing up. You need special hardware like automotive grade SIMs that can withstand extreme temperatures. Getting network support isn't easy either because no one provider covers all areas, so a roaming SIM or multiple SIMs are needed. There are companies that can provide that capability but it isn't cheap, especially if someone takes a holiday abroad on a network you don't have a deal with.

      I'd be interested to know how Tesla solved all these issues. The fact that their cars are high end helps, as I'm sure it wouldn't be a viable option on cheaper cars.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:Umm safety? by klossner · · Score: 2

      Then why can I buy a Kindle with free 3G service?

      Because Amazon made a deal with Sprint so they could sell books OTA.

    17. Re:Umm safety? by NicBenjamin · · Score: 4, Interesting

      Keep in mind that this isn't an application that needs great service. Your data rates do not have to be Netflix via high-speed broadband in every County. They just have to be quicker than driving the car to a dealership and waiting for the service tech to get around to setting shit up. For example, if you simply include an ethernet jack on the dashboard you've got a much better system than the one Toyota's using.

      According to Wired:
      http://www.wired.com/autopia/2...
      The Tesla can either use its own 3G connection, or use your home WiFi.

    18. Re:Umm safety? by gl4ss · · Score: 2

      *nearly all new cars don't have a device that receives data is absurd.*

      nearly all new cars _globally_ lack such a mechanism for receiving data that could be feasibly used for OTA updates.

      sure, it would cost just 40 bucks per car to add the hardware necessary, but the cellular plan contracts etc would make it complicated for car manufacturers, so they only do it for luxury cars (which are friggin NOT "most" cars)

      --
      world was created 5 seconds before this post as it is.
    19. Re:Umm safety? by davester666 · · Score: 2

      Just turn to 720 on your AM dial, drive around until you hear a clear tone, stop, turn off your car and remove the key from the ignition, then press the volume down button for 5 seconds. You will hear a beep to indicate the update process has started, and two beeps in succession to indicate a successful update.

      If the engine starts before you hear the two beeps, get out and run away.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Call me paranoid... by Forbo · · Score: 4, Insightful

    ...but I'd rather not add any more attack vectors than absolutely essential.

    1. Re:Call me paranoid... by mrchaotica · · Score: 2, Interesting

      Or better yet, why can't the manufacturer just email everybody a flash drive containing the update which they can then stick in the car's USB port at their leisure? No phone necessary, no possibility of wireless hacking, and the owner can apply the update at a time when it's convenient for them (avoiding the possibility of a bad update stranding somebody in the middle of a road trip or something).

      Sure, the cost is probably higher than OTA updates, but it's lower than dealer updates and it maintains the manufacturers' incentive not to screw up in the first place.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    2. Re:Call me paranoid... by CanHasDIY · · Score: 4, Funny

      Or better yet, why can't the manufacturer just email everybody a flash drive

      Channeling Morbo...

      EMAIL DOES NOT WORK THAT WAY! GOODNIGHT!

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
  3. brick your car by roc97007 · · Score: 4, Insightful

    Although it doesn't happen as often these days, I do remember OTA updates bricking my phone in the past, and PCs under my care are still occasionally screwed up by "drive-by updates" in the middle of the night. For something like a car with the potential for property damage or stranding me and mine far from civilization, I'm pretty sure I don't want automatic OTA updates, even if they could arrange that the car not be moving during the time. I want to know exactly what problem the update is solving, the likelihood I will experience that problem, whether the update and backout procedures have been vetted, and the post-update test procedure. I make a living with my camera, and I don't blindly install firmware updates for it either.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:brick your car by ColaMan · · Score: 2

      , because of an unexpected register state, well, ooooooooooooooops.

      oooooooooooops indeed, that'll be at least 50 milliseconds while the system watchdog reboots into previous firmware version.

      These are not the people that do your phone updates. These are people that deal with real-time embedded systems that are safety-critical. There will be something like a hardware watchdog set that is used for the next 100 times of vehicle operation that triggers the 'fail safe' option of returning to the previous firmware.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  4. Tuesday updates by tomhath · · Score: 5, Interesting

    I'd rather not have a car manufacturer get into the mindset of assuming problems like that are cheap and easy to fix (so they can scrimp on testing)

    1. Re:Tuesday updates by Riceballsan · · Score: 2

      Not to mention the secondary cost, let's assume testing is the same on both situations, a car goes out to the manufacturer, update is applied, update botches, car software system is bricked. The dealer can pull a spare hard drive or whatever it is stored on out of the back, get the car up and running etc... Now OTA update botches, does the dealer make a house call to swap out the car's storage, or do they pay for a tow truck? When an update fails and the device is rendered unusable... getting a car to the location to be repaired is considerably more expensive than a phone.

  5. Re:Reboot at 70? by thevirtualcat · · Score: 3, Funny

    That would be if the Windows Update team designed it, yes.

    It would also idle for half an hour while the update installed.

  6. Re:I would rather not have my car get updated OTA by SJHillman · · Score: 2

    I would assume the same thing that happens when anything else loses connection during an update... it will either hold the download until it can complete or else will cancel it. I don't know of any device that patches itself while it's still downloading the update... storage is cheap enough that nothing should be doing that in this day and age... cache first, then install.
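
Added example (not part of any comment, and not any manufacturer's code): a toy C model of two mechanisms described in the thread, SJHillman's "cache first, then install" and ColaMan's watchdog-triggered return to the previous firmware during a trial period. The slot layout, function names and sizes are hypothetical, and CRC-32 stands in for the signature check a real updater would perform.

```c
/* Toy A/B firmware slots: staged install plus watchdog rollback (all names hypothetical). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE   64    /* toy slot size (assumption) */
#define TRIAL_BOOTS 100   /* trial period, the figure used in the thread */

typedef struct { uint8_t image[SLOT_SIZE]; size_t len; int valid; } slot_t;
/* active: committed slot; trial: slot on trial or -1; trials_left: healthy boots still needed */
typedef struct { slot_t slot[2]; int active, trial, trials_left; } boot_state_t;

/* Integrity check only; a production updater would verify a digital signature. */
uint32_t fw_crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Factory state: slot 0 holds the shipped image (len must fit in SLOT_SIZE). */
void boot_init(boot_state_t *s, const uint8_t *img, size_t len) {
    memset(s, 0, sizeof *s);
    memcpy(s->slot[0].image, img, len);
    s->slot[0].len = len;
    s->slot[0].valid = 1;
    s->trial = -1;
}

/* Cache first, then install: the download lands in the inactive slot and only
   becomes bootable if it is complete and matches the manifest's length and CRC.
   The running (active) slot is never written. Returns 0 on success, -1 otherwise. */
int stage_update(boot_state_t *s, const uint8_t *data, size_t received,
                 size_t declared_len, uint32_t declared_crc) {
    slot_t *spare = &s->slot[1 - s->active];
    if (s->trial != -1 || declared_len == 0 || declared_len > SLOT_SIZE ||
        received > declared_len)
        return -1;
    spare->valid = 0;                      /* not bootable while being written */
    memcpy(spare->image, data, received);
    spare->len = received;
    if (received != declared_len || fw_crc32(spare->image, received) != declared_crc)
        return -1;                         /* truncated or corrupted download */
    spare->valid = 1;
    s->trial = 1 - s->active;
    s->trials_left = TRIAL_BOOTS;
    return 0;
}

/* Bootloader decision: run the trial image if one is pending, else the committed one. */
int select_boot_slot(const boot_state_t *s) {
    if (s->trial != -1 && s->slot[s->trial].valid) return s->trial;
    return s->active;
}

/* Called once per boot; healthy == 0 means the hardware watchdog expired. */
void report_boot(boot_state_t *s, int healthy) {
    if (s->trial == -1) return;
    if (!healthy) {                        /* roll back to previous firmware */
        s->slot[s->trial].valid = 0;
        s->trial = -1;
    } else if (--s->trials_left == 0) {    /* trial period survived: commit */
        s->active = s->trial;
        s->trial = -1;
    }
}

int main(void) {
    const uint8_t v1[] = "fw-v1", v2[] = "fw-v2";   /* constructed sample images */
    boot_state_t s;
    boot_init(&s, v1, sizeof v1);
    stage_update(&s, v2, sizeof v2, sizeof v2, fw_crc32(v2, sizeof v2));
    int trial_slot = select_boot_slot(&s);
    report_boot(&s, 0);                             /* watchdog fired on first trial boot */
    printf("trial slot %d, after rollback slot %d\n", trial_slot, select_boot_slot(&s));
    return 0;
}
```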

  7. OTA creates the wrong incentives by JDG1980 · · Score: 3, Insightful

    Having OTA capability encourages vendors to push out incomplete/buggy firmware ("we can always fix it later") and to push out updates without properly testing them ("if it breaks something, we'll just fix it and re-send"). Suffice to say we definitely do not need these kind of perverse incentives on cars.

    And that's without even getting into the trouble that a malicious user could potentially cause if they managed to hack the OTA process and sent out spoofed updates to vehicles...

    1. Re:OTA creates the wrong incentives by firewrought · · Score: 2

      If you apply an update to a customer's car and that causes them to crash and burn half their face off, you can bet you'll get sued.

      Granted, but that doesn't entirely invalidate JDG1980's point... knowing that lives are on the line will make you a very paranoid coder or tester, but knowing that the code can't ever be changed (without a mountain of hassle) will make you that much more paranoid.

      [Side note: I use the term "paranoid" instead of "cautious" here because paranoid describes the mindset that drives one to examine, poke, and test their code exhaustively from multiple angles. The cautious mindset, by contrast, is the instinct to freeze up and make no changes (especially no innovative changes) altogether. I suppose they both have their place in life-critical systems, but the former is empirical and ambitious while the latter is superstitious and reluctant.]

      --
      -1, Too Many Layers Of Abstraction
  8. Rebooting by SoundGuyNoise · · Score: 3, Insightful

    When you're running late for work, you don't want to wait for your car to reboot to install a software update.

    --
    You never expect irony, do you?
    Want to be a professional wrestler? Visit www.iyfwrestling.com
    @iyfwrestling
    1. Re:Rebooting by Anti-Social Network · · Score: 2

      Exactly. The only way I'd accept that kind of thing is full hardware redundancy - a fallback computer system I can manually switch over to if the update borks or gets hung up.

      --
      Goddammit just when I get my first +5 the Beta rolls out and kills everything
  9. Re:OTA seems excessive...How about USB? by bobbied · · Score: 2

    How about firmware updates that a user can just download off the manufacturer's website, save on a USB stick, and insert it into a USB port somewhere on the dash? A little less convenient than OTA, but with lesser risks, and still a whole lot more convenient than going to the dealer's service department.

    No, I don't see *any* possible ways to hack that update path. Not one thing comes to mind.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  10. Do not want. by The Grim Reefer · · Score: 2

    There are way too many issues that this can cause for me to ever want a car that can do this. Here's a few:

    Hacking. What's to keep a system like this secure? What happens if some criminal organization for bribing owner to pay them to "unlock" your car? Or a crazy person or group from changing the firmware to lock the brakes when the car hits 50 mph? Or just some 9 year old kid from doing this for the hell of it. And any number of other possibilities.

    What happens if the process is interrupted in the middle of re-flashing? Does the car need to be towed in and the ECU replaced?

    If there's a bad update, it's a hell of a lot better for it to be discovered quickly in the first few cars that receive it. It kinda sucks if the update is bad and suddenly a million+ cars all fail at the same time.

    Perhaps I don't want the update. Granted, this doesn't happen often. But there have been cars that were recalled because they had more torque than they should have. Perhaps I want to keep this feature.

    How many times have programs or video cards been released sooner than the software or drivers were ready? Being able to push out updates makes it possible to release a car that is not really ready. I would like to think it wouldn't happen. But as soon as someone's bonus is dependent on making a deadline, it will. Actually this would become pretty common I think. It's not done now because it costs the manufacturer a lot of money. Pushing updates would be very cheap by automotive company standards.

    What's the added cost for this going to be?

    I don't drive very much as it is. How much of a drain will this type of system put on my battery?

    I don't want to have to pay to fix the update system when it breaks. A car is one of the harshest environments electronics can be in.

    There was an article on /. not too long ago about the automotive industry charging monthly fees for functionality. I don't want a system like this in my car that would allow for fees of any kind.

    I could go on. Perhaps I'm old and set in my ways. But I don't see any real benefit to this that would outweigh the potential issues.

  11. Updates always come at the wrong moment by Anonymous Coward · · Score: 5, Funny

    Oh no, I need to get to the hospital quick. "please wait while your car is being updated... installing update 1 of 35... time remaining 1 h 16"

  12. Re:Dealers aren't any safer by RyuuzakiTetsuya · · Score: 2

    That's not my primary concern. My primary concern is bricking.

    Dealer bricks my car, they already have it and can install a new ECU. I brick my car and it's a costly tow truck trip to the dealer.

    --
    Non impediti ratione cogitationus.
  13. Manufacturer Interest by Etherwalk · · Score: 2

    The *manufacturer* has a vested interest in making sure your car has a safety update--it's a bit different than just the neighbor's concern. Think about it. If you make a product that *will* kill a few hundred people over its lifetime unless you fix it, and only half of the owners will bring it in for an upgrade, wouldn't you rather be able to push the upgrade out?

    An auto-upgrade is a major safety feature. Is there a security issue? Yes. But not an unsolvable one.

    Every manufacturer will switch to auto-upgrades when the first one loses a massive tort case over failure to auto-upgrade.

    1. Re:Manufacturer Interest by Anonymous Brave Guy · · Score: 2

      If you make a product that *will* kill a few hundred people over its lifetime unless you fix it, and only half of the owners will bring it in for an upgrade, wouldn't you rather be able to push the upgrade out?

      And where does that stop? Google took a similar attitude with Chrome, except that the updates they push don't distinguish between closing security vulnerabilities, adding functionality, changing the UI around, and breaking stuff because yet again they didn't test properly and pushed out an update that regressed something important. Chrome is now the most buggy software on my computer.

      Cars are not toys. Shipping this kind of product with a bug that "*will* kill a few hundred people over its lifetime" is basically unheard of. Even if such a defect were discovered, there are well-established mechanisms for tracking all cars of a certain model and contacting all of the owners, in many cases backed by force of law. You're never going to find a bug that really is that dangerous goes unfixed in half the cars out there because the owners couldn't be bothered to take them in for the repair. It just isn't going to happen.

      An auto-upgrade is a major safety feature. Is there a security issue? Yes. But not an unsolvable one.

      Given the auto industry's laughable track record on security and privacy so far, particularly in terms of software and communications technologies, I think that is optimistic. Even if they could theoretically implement a secure mechanism, there is little reason to believe they have the skill and ability to do it in practice, and even less reason to believe they actually would.

      Every manufacturer will switch to auto-upgrades when the first one loses a massive tort case over failure to auto-upgrade.

      Sure, except for the part where there is nothing in law to require them to actually do that.

      In any case, they would all switch back again the first time a disgruntled ex-employee causes dozens of KSI accidents in one morning rush hour with the "secure" authentication codes they stole on the way out the door and a $50 MacGyvered transmitter.

      I love the dream that we'll eventually have efficient, interconnected private transport systems that overcome many of the problems we face today, and I love that technology might actually be able to do it one day, too. But that day is a long, long way into the future.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  14. Re:Security? by confused one · · Score: 2

    It's not a question of the security on the OBD2 port. In most modern cars all the computers internally are networked together; so, the center console computer can actually talk to the PCM. It's theoretically possible to have any one of the computers push an update. My suspicion is that they're not allowing OTA updates to reduce risk.

    Yes, I know anyone can buy an OBDII interface, I have one. Requiring a piece of "special" hardware to connect to the computer for updates both limits who can do it and requires physical access. Making OTA updates possible means anyone who can hack the update encryption and attach a proper digital signature (because, we all know that's impossible) can push anything they want.

  15. Re:Reboot at 70? by confused one · · Score: 2

    Many of those infotainment centers are running Microsoft Windows Embedded.