Software Is Eating the Auto Industry

Roger Lanctot, writing for research firm Strategy Analytics: There are many more opportunities in cars today for things to go wrong as software takes over an ever-expanding array of functionality from the car stereo to enhanced safety systems and the vehicle powertrain. There are software bugs, updates, conflicts and, lately, cybersecurity vulnerabilities to worry about so it is perhaps no surprise that software is figuring in vehicle recalls. In the latest update of software-based recalls from CX3 Marketing, software-based recalls crept up higher again in 2016, surpassing 6M vehicles. It's a small portion of the overall total but it is growing -- especially as a proportion of the total. This expanding crisis in vehicle recalls is both good news and bad news for the automotive industry. The good news is that software recalls can often be corrected with over-the-air software updates. The bad news is that auto makers are in the very earliest stages of deploying software updating technology and, particularly in the U.S., they have yet to sort out conflicts with state-level dealer franchise laws that require warranty service work such as software updates be handled by dealers. The expanding role of software and the growing number of software-related recalls reflects an emerging battleground in the industry. The creation of software is expensive and labor intensive and also poses an ownership question. Starting approximately 10 years ago with BMW and Intel's mutual effort to bring Linux into cars on a larger scale via the GenIVI Alliance, auto makers have been seeking to segregated hardware from software in such a manner that hardware could conceivably be relegated to sourcing from contract manufacturers (like Flextronics) and software development costs could be reduced by sharing code. At the same time, car makers have sought to take ownership of the code written for their vehicles. Car enthusiasts have taken issue with the ownership question, asserting their right to modify vehicle software as they see fit. That particular struggle is yet to be resolved but has gained new life as more tinkerers experiment with home-grown self-driving car technology.

Dealers have to die out

[nospam007]

Soon. It's time. Nobody needs obnoxious vendors who didn't even read their own fucking prospectus.
What we need is some showrooms and then we buy directly at the manufacturer's site online.
After all that's what the dealers are doing, besides those brands who have thousands of unsold cars laying around they the have to pay customers thousands to take off their hands.

Re:

[JohnFen]

they can clue you in a bit

I think you misspelled "they can take you for a ride".

Re:

[Anonymous Coward]

They can stick around for those who want their 'knowledge' and 'advice', but the rest of us should be able to buy direct.

Re:

[ShanghaiBill]

Sure. I'm sure they will disappear right after real estate agents do.

Bad analogy. You can sell or buy a house without a RE agent. There are no laws preventing you from doing that. But in many states, it is illegal to sell a new car if you are not a government sanctioned dealer.

Comparing real estate agents to car dealers is like comparing making love to rape. In either case you get fucked, but the difference is consent.

Re:

[JohnFen]

Dealers are very easy to avoid, though. Just buy your cars used from real people. I've been doing that my whole life, except once when I bought one from a dealer. That one was the only lemon I got stuck with.

Re:

[tquasar]

There was a time when you could select the options you wanted. My dad ordered a truck with the engine, clutch, transmission, and suspension he wanted. Today you must buy a package that has all the crap the mfgr. adds. Crapware, I've read that term somewhere before....

Re:

[R3d M3rcury]

Not entirely true.

You can go to the dealer and order the exact car you want. The dealer will either find it (if it's been built and exists in the area) or will order it from the factory. Of course, you will have to wait.

That said, the dealer will push you to "settle" for one of the cars at the dealership. "You don't really want a stick shift, right? Tell you what, we'll offer you the automatic for the same price!" So if you want to drive a brand new car off the dealership that day, you have to settle f

Re:

[toddestan]

There's still the problems with the options packages. You can't just buy the options you want, you have to buy a package with a whole bunch of things lumped together. Nowadays they've limited the number of configurations (usually grouped into a small number of "tiers") and available colors to the point where I would be surprised if a decently large dealer didn't have a specific configuration of a popular model in their stock.

Re:

[MBGMorden]

Indeed.

It's basically a needless service that gets mandated through paperwork.

That's not even for the sales - it applies to the service too. Since this article talks about software: my new vehicle has one of the new info-tainment systems built it where it does bluetooth, interfaces with my phone, etc. It's pretty neat - when it works. The problem is half the time I plug in my phone and the screen just goes black. Unplug it, replug. Screen goes black again. TURN THE VEHICLE OFF, then back on, and it'll

Re:

[FooAtWFU]

I can imagine a manufacturer sending you a notice of a recall in the mail. In the same envelope, they include an explanation that you could get this update over the air with no effort in $(nearby_state), and include a business-reply-mail envelope with a form letter addressed to your state congressmen: "Dear Rep. Bork. I just went ___ miles out of my way and spent an extra ___ hour(s) getting a software update at a dealership instead of wirelessly. Please change this law."

Re:

[sjames]

Make sure to keep it current. Add releasing __ pounds of carbon into the atmosphere.

Re:

[MoarSauce123]

Most states will require a change in law for this to happen. Tesla found out the hard way not being allowed to sell directly to customers. It is one of these cases where successful lobbying put a law on the books that at first sight seems reasonable, but really is only there to protect a select group from any market changes. In all fairness, dealers are far more than sales these days. Last time I bought a car I pointed to the car on the lot that I wanted, took it for a test drive, and then agreed to purchas

Re:

[toonces33]

People like to have a fancy infotainment system (with tons of embedded software). The like to have a TFT instrument cluster instead of the old mechanical/analog ones that older cars used to have. And it isn't just that. There are tons of other tech options - each of which requires lots of software, and I haven't even gotten to the engine/transmission yet.

Re:

[Luthair]

The infotainment system doesn't need to be integrated with a million different things and really shouldn't be since it makes replacing them near impossible.

Re:

[green1]

Depends what features you want. Modern cars often have all sorts of functionality that requires various tie-ins.
For example, I find it extremely handy to be able to vent my sunroof from the app on my phone, that needs integration between infotainment and the sunroof. I also like being able to turn on and adjust the climate control remotely, so it needs a tie to the HVAC system.
Some of these other features are maybe more "gimmicky" but I can also unlock the doors and enable keyless driving remotely, these ar

Re:

[Luthair]

For example, I find it extremely handy to be able to vent my sunroof from the app on my phone, that needs integration between infotainment and the sunroof. I also like being able to turn on and adjust the climate control remotely, so it needs a tie to the HVAC system. Some of these other features are maybe more "gimmicky" but I can also unlock the doors and enable keyless driving remotely, these are kind of handy, but I could live without them.

Why are these tied to the head unit? You aren't even in the car.

The trouble is that manufacturers don't keep your head unit up to date, you're lucky if they even get the system work correctly before they abandon support.

Nothing dates a car more than its electronics, go play around with a 5-10 year old car. Heck, people are spending $500+ on some of these cars for boxes that add simple bluetooth because the head unit cannot be replaced.

Re:

[green1]

Why are these tied to the head unit? You aren't even in the car.

Apparently you missed this part:

But it's also a matter of usability, the infotainment screen is probably the largest and easiest to use screen in the car, so any setting you can control, seems like a logical place to do so, it's either that or you're stuck choosing between adding a whole extra settings screen which is only rarely used, or using very clunky steering wheel controls in conjunction with the dash display, which is rather unintuitive.

You're correct that there's a big problem with aging electronics in vehicles. The average age of a car on the road these days is 10-12 years, just imagine using a 10-12 year old cell phone on a daily basis! But that said, it isn't insurmountable. Things like Android Auto are a step in the right direction, my phone is likely to be updated, if the car can basically provide a big touchscreen, speakers, and a microphone, those things don't need to be outdated quickly. Couple that

Re:

[JohnFen]

I wish! But that appears to be a pipe dream.

I'm just hoping that self-driving cars make owning a car unnecessary before I can't find (relatively) software-free ones anymore.

Re:

[liquid_schwartz]

... not stuffing cars to the gills with software, but, you know, let the fscking things be cars?

That'd be too simple, eh.

Next you're going to suggest that phones should be primarily for making phone calls.

Re:

[Anubis IV]

Honestly, a better headline would have been "Software Is Eating *", given that software is eating anything and everything.

In some cases that's a good thing, such as dedicated phones and music players going away as we've replaced them with apps on our pocket computing devices. In other cases that's a bad thing, such as with smart TVs that abuse their newfound ability to gather personal information before becoming obsolete far short of the product's intended lifespan.

People used to joke about putting software

Safety recalls, and feature changes

[green1]

The other major issue is that manufacturers insist on tying safety and security updates to functionality changes.

For example, on my Tesla it was determined that if you connect your car to a rogue wifi AP and open the web browser an attacker can gain root access on the car. To solve that issue though I'd have to agree to Tesla nerfing autopilot and making the whole UI exponentially worse. I've chosen instead not to connect the car to random access points or use the web browser on unknown sites.

On an old fash

Re: Safety recalls, and feature changes

[WindBourne]

Bear in mind that it was not just surfing, but the worm was actually on the wifi. How many wifis do u hook up to, other than ur home? We only use our home and I setup so as we are not broadcasting out on out street.

Re:

[green1]

The exploit required using the browser, not just connecting to wifi. It appears it was really a browser exploit, but making you connect to a compromised wifi was the only way to guarantee you'd go to the page with the correct payload, as you could be redirected.

The problem with saying you only use your own wifi though is that all tesla cars automatically connect to the service wifi, and you can't turn that off. It's easy for an attacker to spoof that ap and know you'll connect whether you like it or not.

Re:

[WindBourne]

nope.
It actually required that you were connected to a cracked wifi, and then used the browser to go ANYWHERE. You did not have to hit a certain page. It is NOT a direct browser exploit like we see in MS Exploders. The fact is, that the browser had an opening it should not have.
The hack requires the car to be connected to a malicious WiFi hotspot and is only triggered when the car's web browser is used. [thehackernews.com]
And no, tesla does NOT automatically hook up to service AP. The tech has to hook them up. In addi

Re:

[green1]

You specifically state that you have to visit a web page, which is exactly what I stated. That proves that this is a browser exploit, otherwise you wouldn't have to open the browser. The point about a malicious WiFi access point, is simply a way to make sure your browser visits the page that they want you to visit when you open it. Otherwise they would have no way of forcing you to go to the malicious page. But with a malicious access point they can force any page load to go to the specific malicious page t

Re:

[WindBourne]

First off, I worked on USA PATRIOT act. Even now, I am trying to get CONgress to go after the REAL back-doors for how Russia is getting in, as opposed to the little garbage that they currently pursue. I suspect that I know a bit more about security then you do.

Secondly, I said you can go to ANY web page. The exploit is NOT from HTML or other resource parsing. It is through a different mechanism. The fact of having the browser open and having seen ANY SITE, is all that is needed. This was NOT a typical a

Re:

[green1]

As you obviously have zero grasp on how software or networking work, nor any experience with either computer security in general, or Tesla's systems in particular, I see no reason to continue this conversation.

To summarize: tesla vehicles always connect to the service wifi automatically without user intervention. If you connect to a compromised ap and visit any webpage, the compromised ap can redirect you to a malicious site and the malicious site can then use a browser exploit to give the attacker root acc

the VW Diesel-Cheat issue is why something FAA lik

[Joe_Dragon]

the VW Diesel-Cheat issue is why something FAA like is needed. Even more so with auto drive cars.

limiting liability will not stop an 3rd party vic

[Joe_Dragon]

limiting liability will not stop an 3rd party victim from suing or getting out of an criminal case (say an very bad crash that kills a lot of people)

Regulation Exists.

[0100010001010011]

Look up ISO 26262 & ASPICE and other things related to 'functional safety'.

Not everything in the vehicle is, or needs to be, compliant but your powertrain and anything with life and safety is. This isn't fly by the night programmers coding a Radio GUI.

This stuff goes all the way down to the hardware level. With dual core CPUs running in lock step, dual memory banks and ECC memory. If there's a mismatch anywhere along the line an error is thrown.

http://www.nxp.com/products/pr... [nxp.com]

https://www.renesas.com/en [renesas.com]

Re:

[mikael]

Your vehicle crosses the equator in autonomous mode and does a U turn the minute latitude changes sign. Then you are stuck in a car doing loops until manual mode is reactivated.

Not good news

[JohnFen]

The good news is that software recalls can often be corrected with over-the-air software updates.

Nope. No OTA updates for me. I don't trust companies to have access to my car (or computer, for that matter) any time they want. If I can't disable the communications channel, I'm not buying the car.

Re:

[JohnFen]

Probably not. That's fine, though, because I really dislike buying new cars. My concern is when these things trickle down into the used car market.

Re:

[Anne Thwacks]

My concern is when these things trickle down into the used car market.

They probably won't. 59 seconds after the warranty expires, they will be dead as dodos.

And security bug fixes will stop after the third one - just like phones.

Re:

[jbmartin6]

Exactly, now your car can crap out and you'll have no idea. If it craps out while leaving the dealer's lot after an update at least you have a pretty good idea what happened. We've seen so many times reliable software with few to no bugs is beyond human ability. Why would you allow on the fly updates to something as critical as your car? Oh yeah, because the same rule means they will screw it up in the first place. Nuts.

Re:

[Jeremi]

Why would you allow on the fly updates to something as critical as your car?

Well, you wouldn't -- you'd download the update automatically, perhaps, but you'd get the user's explicit permission before applying the update. That way the user can decide when or if applying the update is worthwhile (e.g. do it after an important trip, rather than before).

Pretty much the same way it is done with cell phones and MacOS/X OS updates, no?

Re:

[danomac]

Didn't we just have an article on here about an OTA (or network) update disabling TVs? I really wouldn't want that happening to cars...

Just wait until some hacker sends an OTA update to disable vehicles... then maybe shit will hit the fan?

Really stupid decision.

Re:

[Mr. Shotgun]

Didn't we just have an article on here about an OTA (or network) update disabling TVs? I really wouldn't want that happening to cars...

Two [slashdot.org] articles [slashdot.org] actually. At least in the smart lock case there was still the manual option of a normal key, the tv users were screwed. Hopefully these car manufacturers are taking notes and designing their system that if the update fails the car still retains it's "car" functionality, like starting and driving. You're point about a hacker sending code to break a vehicle is a valid [wired.com] one, but imagine being some dude working a 9-5 who can't get into work for a couple weeks because the manufacturer bricked his c

Re: Not good news

[WindBourne]

Chill out. For example, on Tesla, u can kill ota of both WiFi and 3/4g. I'm sure others will follow suit soon enough.

Hungry software...

[__aaclcg7560]

Yesterday it was JavaScripting eating the Internet [slashdot.org], today it's software eating the auto industry. That's just the software. The hardware must be starving.

Re:

[dmomo]

Seriously, i came here to say just this. Is the eating analogy devouring slashdot?

Re:

[__aaclcg7560]

Hungry hungry creimer is eating out slashdot trolls.

I try to avoid eating empty calories whenever possible.

Re:

[K. S. Kyosuke]

The headline actually said that "Javascript [was] eating the world". Since Javascript is (a subset of) software and the auto industry is a subset of the world, this new headline contains no new information since the old one already subsumes it.

Re:

[zifn4b]

The headline actually said that "Javascript [was] eating the world". Since Javascript is (a subset of) software and the auto industry is a subset of the world, this new headline contains no new information since the old one already subsumes it.

So basically nothing new on Slashdot for the past 20 years then? :)

Re:

[Hognoxious]

You're a hoot at parties, aren't you?

That's a hypothetical question.

Re:

[K. S. Kyosuke]

Considering that I don't attend parties, yes, I've never been to a party yet where I wasn't a hoot. So you're correct.

Shhh .. don't mention the manufacturing industry

[OzPeter]

They probably don't realize that that manufacturing has been running on software since the 60's and when they do we'll get the FUD headline of "ZOMG!!! Software is eating the manufacturing industry!!!!!"

And then it will be "ZOMG!!! Software is eating the shipping industry!!!"

Followed by "ZOMG!!! Software is eating the mining industry!!!"

And then "ZOMG!!! Software is eating the power generation industry!!!"

etc. etc. etc.

Re:

[freeze128]

MTV is fat.

software updates be handled by dealers is profit

[Joe_Dragon]

software updates be handled by dealers is way a way to make big profit. and stopping updates after 2-3 years can make for new car sales.

Just think of an $50-$100 labor change for that or even mark up parts like an HDD X2-X3 bestbuy rental prices.

Not just the car industry...

[QuietLagoon]

... nearly any and every industry. Look what happened to Samsung. Or those people with the "security" cameras that phoned home, or pacemakers, or... or... or...

OTA update? DO NOT WANT

[davidwr]

I do NOT want the ability to do any "hands off" update of a killer robot, er, I mean automobile.

If the good guys can do it, so can the bad guys.

Make me come in for service or send someone out to me, just as you would for faulty hardware.

Now, if you need to update a non-critical system such as the infotainment or air conditioning system that's fine, as long as there is no way for those systems to make changes to the critical systems. Yes, I know this isn't risk-free - a bad guy could make the radio go on fu

Re:

[Rick Schumann]

You are not alone, far from it.
Since it's highly unlikely that they'll have (or would tell you of) a way to turn that off completely: If you have some background in electronics, you should be able to poke around and find the relevant antenna(s) that would be receiving the updates. Disconnect the antenna and connect it to a dummy load instead (most likely 50 ohm). Problem solved.

Re:

[JohnFen]

There are also websites that are compiling a list of where the antennas are in various makes and models and tell you how to disconnect them. With pictures.

Re:

[Rick Schumann]

Heh. Great minds do think alike. :-)

Re:

[Rick Schumann]

If you have the URLs, post them. My pickup is very much non-wirelessly connected, but I'd be interested regardless.

Re:

[JohnFen]

I don't. The last time I dug into this was a year ago, purely out of intellectual curiosity. Sorry!

Not easy for car manufacturers: an example

[Anonymous Coward]

The car I bought has a built-in touch-screen Android system as part of the entertainment system. It runs the audio, trip computer, phone address book, the (optional) navigation system, and even has an interface with the air conditioning. It's basically a built-in Android tablet with car-specific software installed that interfaces with the rest of the car. I thought "Wouldn't it be wonderful if I could install any Android program I want?" Nope. It's locked down with a whitelist program in the background

the new tool of assasination.

[fish_in_the_c]

over the air updates of your anti lock break control system.

Over the air update of auto software is only slightly less stupid then over the air updated of avionics software.

Or if you prefer, fast and cheap software updates supporting cool new software for vehicles are much more important something as small and insignificant as human life.

Re:

[bws111]

how exactly do you 'assasinate' someone with an anti-lock brake system?

Re:

[Jeremi]

how exactly do you 'assasinate' someone with an anti-lock brake system?

Ideally by remapping the accelerator pedal to the brakes, and the brake pedal to the throttle. (Note that Toyota may claim prior art regarding this technique)

Whats with the "eating" titles?

[gweihir]

Apart from being stupid, they seem to be nonsense as well...

Re:

[avandesande]

Betteridge's Law of Hungry Headlines?

Re:

[gweihir]

Hehehehe, probably.

Car software is terrible

[ElizabethGreene]

I travel for work, and rent a lot of brand-spanking-new cars.

Car software is shit. It doesn't matter what brand of car, it's shit.

I get in the car, factory reset the radio, reboot the car, connect Bluetooth, sync contacts, and go. Most recently I did this in a Buick Endeavor. Enabling Android Auto locked up the car entertainment system and I had to reboot the car. Apple car play worked, but bluetooth phone calls only worked 25% of the time when the phone rang while Pandora was open.

That's not an isolated incident. I've locked up the infotainment system on a dozen other rentals. That's extremely frustrating. The best was a Ford Focus that wouldn't reset with a power-off/power-on reset. The system didn't recover until I left it off for an hour.

It's not just new cars, either. I own a Chevy Equinox that won't Bluetooth pair with an iPhone 6. At least it doesn't lock up.

Re:

[JohnFen]

Yes, this has been my experience. I haven't seen even one of those in-car computer systems that was actually worth a damn.

Even the map software universally sucks. So much so that I always end up using my phone for that anyway.

Re: Car software is terrible

[WindBourne]

Try a Tesla. It just works.

Re:

[DNS-and-BIND]

"I had to reboot the car." This is the first time I have ever seen this phrase written. We're in a new era.

Re:

[R3d M3rcury]

They keep using unsafe languages like C, C++ or Java instead of time-tested safe ones for critical environments (ADA).

Or Rust. Don't forget Rust.

Re:

[JohnFen]

The reason for the state of software isn't the languages. It's the economics.

Re:

[Kormoran]

Economics. The name of the game. With PC/servers you can get past away telling your customers to reboot, patch, upgrade or just doing nothing, if the complaints aren't really loud. With cars you cannot.

Your fault (liability? I'm not familiar with legalese) in a car crash/hijack DOES cost you. A LOT. And car makers simply can't afford to recall every single car any time they need to patch a bug. I talked about EAL levels for a reason: with EAL 5 or higher, you can get an insurance for software bugs. With 4 o

Here is the result

[lwmv]

of auto industry being eaten by software: you can't repair your own car, or you violate the DMCA. Farmers Demand Right To Fix Their Own Dang Tractors [slashdot.org] Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware [slashdot.org]