Recalls still require the customer to take action. They’re much less likely to go into the shop to have it fixed than press a button on their phone and have the car fix itself overnight.
Your suggestion for not allowing safety software fixes OTA is dangerous.
Other way around. Unsupervised OTA updates are dangerous.
First: A car is a piece of safety-critical equipment. It has a skilled operator who has familiarized themselves with its operation. Any change to its operation, without the operator being aware that a change was made, puts the operator and other people at risk. If the operator takes the car into the shop for a documented recall, they know that something is being changed. An unsupervised OTA update can (and will) alter the behavior of safety-critical equipment without the operator’s knowledge.
Second: Any facility for OTA updates is an attack vector. If a car can receive OTA updates from the manufacturer, then it can receive harmful OTA updates from an attacker who has compromised the car’s update mechanism or the manufacturer. Because the car is safety-critical equipment — unlike your phone, it can kill people — it is unreasonable to expose it to these attacks.
Driving is literally the most deadly thing that most people do every day. It is unreasonable to make driving even more dangerous by allowing car manufacturers — or attackers — to change the behavior of cars without the operator being fully aware that a change is being made.
This is not a matter of “it’s my property, you need my consent” that can be whitewashed with a contract provision. This is a matter of life safety.
If a car can receive OTA updates from the manufacturer, then it can receive harmful OTA updates from an attacker who has compromised the car’s update mechanism or the manufacturer.
There’s potential for a very dystopian future where we see people assassinated, not via car bomb but via the their cars being hacked to remove braking functionality (or something similar). And then a constant game of security whack-a-mole like we see with anti-virus software. And then some brilliant entrepreneur will start selling firewalls for cars. And then it’ll be passed into law that it’s illegal to use a vehicle that doesn’t have an active firewall/anti-virus subscription.
It almost feels like the obvious path things will go down. Yay, capitalism…
I’m not totally opposed to software being used in cars (as long as it’s tested and can be trusted to the degree mechanical components are) but yeah, OTA updates just seem like a terrible idea just for a little convenience. I’d rather see updates delivered via plugging the car in (and not via the charging port - it would need to be a specific data transfer port for security reasons). Alert people when there’s an update, and even allow the car to “refuse to boot” if it detects it’s not on the latest version. But updates should absolutely be done manually and securely.
Cutting someone’s brake lines has been a means of assassination for a while. What’s new here is that it could potentially be done remotely, e.g. an attacker in Bucharest targeting a victim in Seattle on behalf of a payer in Moscow.
So yeah you could assassinate someone like that, or you could break every cars brakes at once and have thousands of simultaneous car accidents timed during some other infrastructure attack
Cutting someone’s brake lines is all or nothing and can’t be done while the vehicle is already in motion. Anyone who is not an idiot will hopefully notice as soon as they start driving that there’s something wrong with the brakes. But you could brick somebody’s car remotely and without warning while they’re taking a curve on the interstate at 80 MPH, and that’d be a lot more problematic.
In reality, few to no people outside of novels and Hollywood have actually been killed by some malefactor “cutting their brake lines.”
Wow man, I never thought about your 2nd point before. Every car like this is a kinetic weapon waiting to be activated. And I was worried about the “self driving” mode…
I don’t think anyone will disagree with you about unsupervised OTA updates.
To your first point- I agree that any update that changes the behavior of any fundamental system in a car is pretty reckless. Especially ones that increase a car’s acceleration, which Tesla historically does. I don’t know why those sorts of updates aren’t being regulated harder. OTA updates should be for mundane things like infotainment updates or, in more serious cases, to fix systems that aren’t functioning properly. It shouldn’t otherwise be used to alter how the car functions as a car, especially when these updates largely happen silently or the changes are tucked into some changelog that the owner doesn’t have to read.
However, to your second point, cars are smart now and there’s no going back. So cars do need software updates to close attack vectors.
However, to your second point, cars are smart now and there’s no going back. So cars do need software updates to close attack vectors.
He’s not saying that cars shouldn’t be updated… But that OTA updates are a problem. They’re saying that it should be a drive to the dealership to do an update. I would go a step further and make it possible to have it opt-in for car manufacturer to send out cd/usbs to update firmware.
Offline updates are generally fine and not super susceptible to general hacking. OTA on the other hand… that’s a massive risk for a reward of… slightly faster fix times?
If it’s a safety system, it might be “have the car taken to the dealership on a flatbed truck”. Also, some people don’t live near a dealership.
Like it or not, all modern cars are connected - for the maps if nothing else - and if a car is capable of an OTA update, I say do it. I don’t see how a dealership adds anything other than cost which will always discourage updates from being made at all.
And I actually think physical updates are easier - connect a laptop to the ECU, and you’re done. It’s generally only OTA updates that use code signing/etc.
all modern cars are connected - for the maps if nothing else
Carplay and Android Auto are better than any other in built infotainment shit. I do not see this as valid. Nor that does mean that firmware on the car should be writable from those systems.
I don’t see how a dealership adds anything other than cost which will always discourage updates from being made at all.
Thus why I said…
I would go a step further and make it possible to have it opt-in for car manufacturer to send out cd/usbs to update firmware.
Then any dick or harry can do it on their own.
But honestly whenever I say “dealer” I really mean any repair shop.
You do realize your entire first point is invalidated by the comment you’re replying to? I just said the customer has to press a button on their phone to initiate the update. On that same phone they can view release notes that clearly outline the recall. Additional on first use, the car will display those same release notes on the screen.
Sure, safety vs convenience is a huge factor in software development. The biggest factor to safety is unpatched software. You know, the kind that requires significant effort to update, such as needing to bring your car into the shop to apply.
Overall your doom and gloom argument against OTA safety updates is pretty weak.
Recalls still require the customer to take action. They’re much less likely to go into the shop to have it fixed than press a button on their phone and have the car fix itself overnight.
Your suggestion for not allowing safety software fixes OTA is dangerous.
Other way around. Unsupervised OTA updates are dangerous.
First: A car is a piece of safety-critical equipment. It has a skilled operator who has familiarized themselves with its operation. Any change to its operation, without the operator being aware that a change was made, puts the operator and other people at risk. If the operator takes the car into the shop for a documented recall, they know that something is being changed. An unsupervised OTA update can (and will) alter the behavior of safety-critical equipment without the operator’s knowledge.
Second: Any facility for OTA updates is an attack vector. If a car can receive OTA updates from the manufacturer, then it can receive harmful OTA updates from an attacker who has compromised the car’s update mechanism or the manufacturer. Because the car is safety-critical equipment — unlike your phone, it can kill people — it is unreasonable to expose it to these attacks.
Driving is literally the most deadly thing that most people do every day. It is unreasonable to make driving even more dangerous by allowing car manufacturers — or attackers — to change the behavior of cars without the operator being fully aware that a change is being made.
This is not a matter of “it’s my property, you need my consent” that can be whitewashed with a contract provision. This is a matter of life safety.
There’s potential for a very dystopian future where we see people assassinated, not via car bomb but via the their cars being hacked to remove braking functionality (or something similar). And then a constant game of security whack-a-mole like we see with anti-virus software. And then some brilliant entrepreneur will start selling firewalls for cars. And then it’ll be passed into law that it’s illegal to use a vehicle that doesn’t have an active firewall/anti-virus subscription.
It almost feels like the obvious path things will go down. Yay, capitalism…
I’m not totally opposed to software being used in cars (as long as it’s tested and can be trusted to the degree mechanical components are) but yeah, OTA updates just seem like a terrible idea just for a little convenience. I’d rather see updates delivered via plugging the car in (and not via the charging port - it would need to be a specific data transfer port for security reasons). Alert people when there’s an update, and even allow the car to “refuse to boot” if it detects it’s not on the latest version. But updates should absolutely be done manually and securely.
Cutting someone’s brake lines has been a means of assassination for a while. What’s new here is that it could potentially be done remotely, e.g. an attacker in Bucharest targeting a victim in Seattle on behalf of a payer in Moscow.
Remotely at scale.
So yeah you could assassinate someone like that, or you could break every cars brakes at once and have thousands of simultaneous car accidents timed during some other infrastructure attack
This reminds me of the movie “Leave the world behind” from last year.
And at any time.
Cutting someone’s brake lines is all or nothing and can’t be done while the vehicle is already in motion. Anyone who is not an idiot will hopefully notice as soon as they start driving that there’s something wrong with the brakes. But you could brick somebody’s car remotely and without warning while they’re taking a curve on the interstate at 80 MPH, and that’d be a lot more problematic.
In reality, few to no people outside of novels and Hollywood have actually been killed by some malefactor “cutting their brake lines.”
deleted by creator
Um, what city do you live in? Can I live there please? Not many skilled drivers around here.
Wow man, I never thought about your 2nd point before. Every car like this is a kinetic weapon waiting to be activated. And I was worried about the “self driving” mode…
I don’t think anyone will disagree with you about unsupervised OTA updates.
To your first point- I agree that any update that changes the behavior of any fundamental system in a car is pretty reckless. Especially ones that increase a car’s acceleration, which Tesla historically does. I don’t know why those sorts of updates aren’t being regulated harder. OTA updates should be for mundane things like infotainment updates or, in more serious cases, to fix systems that aren’t functioning properly. It shouldn’t otherwise be used to alter how the car functions as a car, especially when these updates largely happen silently or the changes are tucked into some changelog that the owner doesn’t have to read.
However, to your second point, cars are smart now and there’s no going back. So cars do need software updates to close attack vectors.
He’s not saying that cars shouldn’t be updated… But that OTA updates are a problem. They’re saying that it should be a drive to the dealership to do an update. I would go a step further and make it possible to have it opt-in for car manufacturer to send out cd/usbs to update firmware.
Offline updates are generally fine and not super susceptible to general hacking. OTA on the other hand… that’s a massive risk for a reward of… slightly faster fix times?
If it’s a safety system, it might be “have the car taken to the dealership on a flatbed truck”. Also, some people don’t live near a dealership.
Like it or not, all modern cars are connected - for the maps if nothing else - and if a car is capable of an OTA update, I say do it. I don’t see how a dealership adds anything other than cost which will always discourage updates from being made at all.
And I actually think physical updates are easier - connect a laptop to the ECU, and you’re done. It’s generally only OTA updates that use code signing/etc.
Carplay and Android Auto are better than any other in built infotainment shit. I do not see this as valid. Nor that does mean that firmware on the car should be writable from those systems.
Thus why I said…
Then any dick or harry can do it on their own.
But honestly whenever I say “dealer” I really mean any repair shop.
You do realize your entire first point is invalidated by the comment you’re replying to? I just said the customer has to press a button on their phone to initiate the update. On that same phone they can view release notes that clearly outline the recall. Additional on first use, the car will display those same release notes on the screen.
Sure, safety vs convenience is a huge factor in software development. The biggest factor to safety is unpatched software. You know, the kind that requires significant effort to update, such as needing to bring your car into the shop to apply.
Overall your doom and gloom argument against OTA safety updates is pretty weak.
Oh good, hackers can’t bypass button presses. I was worried for a bit, appreciate you helping us out.
Mr hackerman couldn’t get to the car because it crashed first due to a software bug the customer did not have time to take his car to the shop to fix.
The real world is quite different than the idealistic one.