Modern cars and security updates

System

This discussion was created from comments split from: Random EV thoughts......

SuperBowserWorld

What kind of guarantees do manufacturers give for software updates for their cars ?

Security updates ...

Do you have to get a new car in X years time because it's no longer secure software wise or can not function because it's running an unsupported version of the OS ?

Will insurance cover these cars ?

Can a car be hacked ... E.g. user can't get access, incorrect information displayed, or even worse ?

slave1

It’s never happened in the world of EVs, the nearest we’be come is Tesla moving the original Roadster (an extremely low volume EV) to unsupported legacy and shortly after they reversed their stance somewhat to “will support as best as”. There are now independents that have taken over from Tesla for the Roadster.

liamog

https://www.boards.ie/discussion/comment/119568973#Comment_119568973

That's probably a post for the general motors forum. There is nothing particularly unique about EVs having software on them, I remember updating a Fiat Grande Punto with a firmware file on a USB stick

SuperBowserWorld

Just asked as it was something that popped into my head, based on shite situation for same for mobiles, smart TV, ...

Yeah, it's not specific to EVs, but that's where most of the software action is happening for consumer vehicles.

I would hope the software can be disconnected from the Internet and continue to function safely for many years.

I would hate to think you'd have to buy a new car because of software reasons or that manufactures would be nefarious to build in planned obsolescence this way .

liamog

https://www.boards.ie/discussion/comment/119571892#Comment_119571892

Software has been in cars for the last 20 years, the drivetrain doesn't really make a difference. Automotive software for control of safety critical systems doesn't require an internet connection to operate. Software is just as prevalent in the latest VW Golf as it is the ID.3.

SuperBowserWorld

Ok.

I'm not talking about an Internet collection to drive the car ... but one to update the software in the car or any kind of internet connection for music, games, communication, navigation ...

I would hope this vector is isolated from the drivetrain and there is no way a rogue party can affect the control of the car or even prevent access to the car.

This does fly in the face of fully automated driverless cars. At some point the car will be fully automated and fully internet connected or perhaps not, if security can't be guaranteed. But I'm sure there is a solution to this. And also I need to read up on this ...

markpb

I think the risk here is the cars internet connection. As soon as manufacturer started connecting the CANBus to the internet, the risks elevated. It might be worth watching some of the videos by ASRG: https://youtube.com/c/AutomotiveSecurityResearchGroup

zg3409

https://www.boards.ie/discussion/comment/119572602#Comment_119572602

The risk is real and will happen. The safety systems are not fully isolated from the internet connection in modern cars. The sim cards are physically soldered on and even if you don't pay your annual fee to use the internet it's likely the manufacturer will continue to pay the sum fee as it's tiny in bulk. They could also cancel SIM and re-enable sim to perform essential updates.

The ability to remotely update ALL software on all safety systems opens the possibility of a mistake or deliberate insider problem or external hacker with bad intentions including governments such as russian meddling. Many manufacturers are using a Hodge podge of different parts and a mess of software thrown together including infotainment systems with the ability to talk to other systems.

There has been a good few proof of concept attacks against Tesla and other makes where someone messes with their own car, to show it's possible.

In terms of obsolescence manufacturers may be required to support old cars, particularly if it is a safety concern and it can be fixed at low cost by a remote update. I can imagine bugs in infotainment systems where it might not support modern phones for Android auto or Bluetooth calling incompatibility along with phone app options such as programming charging times and remote heating etc. I can imagine in the future these will not work with newer phones as there will be some slight incompatibility.

There is also risks of software or remote unlocking hacks where people can steal cars, particularly older models with known flaws. Tesla's and Hyundai's and Leafs have been stolen in Ireland without the car keys, and in some cases the manufacturers have not made a change to stop this. They can drag a car on to a tow truck, but they have found easier ways.

KCross

https://www.boards.ie/discussion/comment/119569834#Comment_119569834

https://www.boards.ie/discussion/comment/119589072#Comment_119589072

It has happened already.

The Leaf had a security breach a few years back. It has app support and you had the ability to check various functions and stop/start charging and stop/start the heating. A great feature ahead of its time, but Nissan cut the security corner and put no authentication in front of it, so all you needed was the cars VIN number (which you can read off the windscreen) and you could send it a signal from anywhere in the world and invoke those functions.

Those functions are somewhat benign but you could, for instance, keep sending the car the signal to heat the cabin and cause the battery to go dead leaving the owner stranded. You could write an attack to simply step through all the Leaf VINs and attack every one.

Once Nissan were told they shut the service down and addressed it, but clearly it can and will happen again. And it doesn't have to be through cutting corners either, it can be simply a case of a vulnerability being discovered long after the software is released and you are then at the mercy of that manufacturers software lifecycle to be able to address it.

Its a valid concern, for sure.