Slashdot Mirror


Software Is Eating the Auto Industry (strategyanalytics.com)

Roger Lanctot, writing for research firm Strategy Analytics: There are many more opportunities in cars today for things to go wrong as software takes over an ever-expanding array of functionality from the car stereo to enhanced safety systems and the vehicle powertrain. There are software bugs, updates, conflicts and, lately, cybersecurity vulnerabilities to worry about so it is perhaps no surprise that software is figuring in vehicle recalls. In the latest update of software-based recalls from CX3 Marketing, software-based recalls crept up higher again in 2016, surpassing 6M vehicles. It's a small portion of the overall total but it is growing -- especially as a proportion of the total. This expanding crisis in vehicle recalls is both good news and bad news for the automotive industry. The good news is that software recalls can often be corrected with over-the-air software updates. The bad news is that auto makers are in the very earliest stages of deploying software updating technology and, particularly in the U.S., they have yet to sort out conflicts with state-level dealer franchise laws that require warranty service work such as software updates be handled by dealers. The expanding role of software and the growing number of software-related recalls reflect an emerging battleground in the industry. The creation of software is expensive and labor intensive and also poses an ownership question. Starting approximately 10 years ago with BMW and Intel's mutual effort to bring Linux into cars on a larger scale via the GenIVI Alliance, auto makers have been seeking to segregate hardware from software in such a manner that hardware could conceivably be relegated to sourcing from contract manufacturers (like Flextronics) and software development costs could be reduced by sharing code. At the same time, car makers have sought to take ownership of the code written for their vehicles.
Car enthusiasts have taken issue with the ownership question, asserting their right to modify vehicle software as they see fit. That particular struggle is yet to be resolved but has gained new life as more tinkerers experiment with home-grown self-driving car technology.

2 of 101 comments

  1. Not good news by JohnFen · Score: 4, Interesting

    The good news is that software recalls can often be corrected with over-the-air software updates.

    Nope. No OTA updates for me. I don't trust companies to have access to my car (or computer, for that matter) any time they want. If I can't disable the communications channel, I'm not buying the car.

  2. Not easy for car manufacturers: an example by Anonymous Coward · Score: 2, Interesting

    The car I bought has a built-in touch-screen Android system as part of the entertainment system. It runs the audio, trip computer, phone address book, the (optional) navigation system, and even has an interface with the air conditioning. It's basically a built-in Android tablet with car-specific software installed that interfaces with the rest of the car. I thought "Wouldn't it be wonderful if I could install any Android program I want?" Nope. It's locked down with a whitelist program in the background that will not allow installation of anything but the vendor-approved programs, the files that control the whitelist are read-only, and developer mode is locked down with a passcode so you can't even connect to it (wireless or through USB). Part of me thinks "Oh well. I guess that means it will be harder for a black hat to hack. Good." As a design decision to prevent people from doing things that could mess with the car in undesired ways (e.g., circumventing regulations preventing use of some types of software while the car is moving, and worse), I can understand it, but on the other hand there are inevitably going to be vulnerabilities.

    Within 6 months of buying it, it was no mere hypothetical. The Android version is old: 4.2.2 (first released 2013). Plenty of known vulnerabilities. People eventually found the hidden menu and code to break into developer mode, connect via USB using adb, and used the Dirtycow Android exploit to root the system via a setuid root program that was already installed. Then came modifying the whitelist to support whatever Android program you wanted.

    It's a mixed result. On the negative side, someone with access to the car interior could definitely hack into this thing no problem and embed any software they wanted, or damage it in nasty ways. Thankfully, only physical access can enable the necessary debug mode to get started unless you are foolish enough to leave it turned on (i.e. wireless debug is locked down by default to OFF, thank god). On the plus side, thanks to the flaws I now have (free, open-source!) navigation software installed in my car that would have cost more than $1000 from the dealer because it only came with other car options I didn't want, and the software has better maps than the vendor's software anyway. Without the flaws, the lock-down attempt by the vendor would have worked.

    I think many car manufacturers are facing a steep learning curve with this stuff. You've got the inertia and legitimate safety concerns of gigantic car companies in conflict with the natural desire of tech-savvy people to use the system to its full potential, all while keeping it secure, up-to-date, and cheap (hardware + software). Good luck with that!