And, as usual...
... security takes second place (or even lower) to marketing...
Ford’s recall of more than 400,000 cars in North America to fix a software bug may be just the first of many for the motor industry as automobiles become increasingly complex, security researchers warn. As previously reported, a total of 433,000 2015 Focus, C-MAX and Escape cars are being recalled to dealerships for a software …
The whole movement of computerized control of car engines has gotten completely out of hand. There is very little need for much of it. Of course, it does cause us to take our cars in for service more often and enables us to do less ourselves and I guess, ultimately, that's the point. We have lost control of our own vehicles to the manufacturer and whatever government agency decides to stop our car. As well as whatever hacker decides to stop our car, as I'm sure that can't be far away.
That's fine for a large manufacturer with an even larger budget, but it would kill smaller manufacturers, and as the vehicle ages [à la SAAB] who then provides the now-defunct system upgrade to a proprietary system that may be under someone else's copyright?
To use a different analogy, how long realistically should Apple provide software support for the iPad One: five years, ten years, fifteen years?
"Smaller car manufacturers" is relative. All the small ones have already been crushed under the costs of testing, inspections, recalls, etc., or simply bought out.
Going for Open Sorcery might work, but let's face it, none of it looks good from here - even the US government can't keep a secret these days, so you holding your car key (physical and/or electronic) on a server? What hope?
> To use a different analogy, how long realistically should Apple provide software support for the iPad One: five years, ten years, fifteen years?
Well they only provided it for three. It's been marooned on iOS 6 (IIRC), and has now gotten to the point where not even the browser works reliably with modern sites due to bugs in Safari, and you can't install a newer browser from the app store because none of the third-party browsers bother to support the limited API version in iOS 6 ...
Bad example ...
When these faulty vehicles are beyond warranty and the manufacturer requires either a disproportionate amount of money for a patch or even declines an upgrade path [à la Windows XP]
I suspect the same as what happens with old Windows PCs: they get reformatted and get a Linux derivative installed, and we end up with a whole new tech war where Debian purists only want a command line because graphics require proprietary drivers, Ubuntu sells every search for an address to someone else and eventually the Linux Mint team sorts out a display that is really nice, in various flavours. It will result in a whole new aftermarket environment (etc etc).
:)
Are there to be thousands of vehicles just abandoned by the side of the road?
That'd be cool, since this particular bug means the engine stays running. So when you need a car, you just find an abandoned, still-running one. As long as you can keep it fueled, you're good to go!
On a more serious note, I've had mechanical ignition switches fail in cars. Had one Honda with an intermittently-failing ignition switch, which took weeks to diagnose properly. Still a better idea than software-controlled ignition.
My Volvo has the whole transceiver-in-the-pocket hit-button-to-start gimmick. Yes, it saves me literally seconds of key-twisting. But everyone's adopting that sort of thing (at least for vehicles in the higher trim lines) because stupid buyers insist on stupid shiny, and the rest of us get stuck with it.
If you think about it, you only have keys in the first place because of thieves. If there were no thieves nobody would say "I'd really like to have the Inconvenience Package where I have to put a particular thing into a hole to get in, and then put that same thing into another hole to start the car." Buttonless-entry-button-start is paying for some technology that quietly says "Fuck you thieves" every time you use the car.
I don't know that I'd have paid for it as an option, but I do enjoy the buttonless-entry-button-start on my cars. Not only does it save a bit of time each day, and avoid fishing keys out of a pocket (thus eliminating the chance of accidentally fishing something else out of the pocket) but I live somewhere that gets very cold*, and it's rather nice to get out of that cold sooner rather than later.
* One winter night when I was growing up in the early eighties it got down to -22C overnight. Where I live now that's still a very cold night, but not a once-in-a-lifetime cold night, and I expect multiple overnight lows below that every year.
Quality assurance needs to be excellent too; imagine a duff update going out that bricks your vehicle or, worse, causes safety issues.
That is the "good case". Now imagine an update which screws up the update system in addition to any of those so you cannot fix it without re-flashing the control computer(s).
Unless of course, the update completely bricks the engine so that it's basically dead weight. And then it's found out at the dealer (AFTER you get them to pay for a tow truck to get your car back to the dealer) that it's bricked at the hardware level and needs to be completely replaced: sort of like the electronic equivalent of a blown transmission.
Modern cars are much more fuel efficient, have better quality interiors and more features. They are also safer and often cheaper to maintain, as they go wrong less.
But apart from that...
(I have a 13-year-old Civic on 230k miles, plus some kit cars based on Escort Mk2 parts, so it's not as if I have a new car, but even I can see the advantages)
True but none of this requires external connectivity.
I would MUCH rather have my car NOT connected, and secure, and have to return occasionally to the dealer for updates than have any form of automated OTA updates for CORE functions.
I can see a point to having ancillary things like builtin satnavs updated wirelessly, but core functionality? HELL NO.
I would MUCH rather have my car NOT connected, and secure,
Wrong logic. This means that a major issue with the car is not fixed until you understand about it and take it to the dealer.
An example is BMW taking the thoroughly and fully cretinous decision of allowing key programming via OBD2 while the alarm is in active state. So anyone with a tool which costs $30 can steal a car which costs 60k. So let's imagine a hypothetical situation similar to a zero day exploit where you are driving a car which is vulnerable somewhere out in the sticks in the deepest darkest Eastern Europe/Latin America/South East Asia (scratch the ones that do not fit). Do you want the next villager down the road to appropriate your car (or your car to crash, stop just because it feels like it, etc) or are you happy to have the firmware uploaded?
What I am not happy with though is the car doing it by _ITSELF_.
This is what is massively opened for abuse including tracking users, updating at the wrong time, etc. What I would want is the car to ask my phone nicely via an app on my phone if I agree that a particular action is appropriate at this particular moment. Ditto for firmware updates, recall alerts, servicing - everything.
The problem is that the car manufacturers will never ever agree to that. They are obsessed with the car doing everything and never ever relinquishing the control. An example of this obsession is the next EU safety reg which, instead of mandating car pairing and car-initiated emergency calls in case of a crash, has gone for sticking a GSM SIM (with all the opportunities for abuse coming with this) into the car itself.
I don't think computers have ANY place in a car apart from engine management where constant microsecond changes are needed. In your example I would say the car should not have so much IT in it that is vulnerable.
I don't want to go back to days of contact breaker points but I also don't see the need for massive computerisation either.
But I realise I have no hope of ever stopping it.
@yugguy
You realise this is a tech site?
Do you want traction control, end, abs brakes, tyre deflation warnings, air bags, parking sensors, remote central locking, electric windows and mirrors, auto on lights, engine immobiliser (anti theft) windscreen wipers, turn indicators to name but a few.
They have been on many "dumb" cars but require an amount of IT/CPU/software to work. You may not want them but they have saved countless lives, are mandated by law and the buying public want them too.
@chris
My 1972 Land Rover doesn't have any microelectronics (hell, it barely has electrics) but somehow it manages to have turn indicators and windscreen wipers. Happy to live without the other nice-to-haves - if they're not there they don't go wrong. :)
Not sure what "end" is a typo for.
You miss the point.
Firstly, a lot of those can be done with non-computerised electro-mechanical systems.
Secondly, even if fully computerised and with internal networking (e.g. Vauxhall CAN bus), everything you mention can be done with CLOSED systems. NONE of them require external connectivity. I very much want my car to be a closed system.
Thirdly, systems such as air bags, abs, traction control should NEVER require the equivalent of hotfixes or patches.
I am not against computerisation per se. I LOVE the fact that ECUs mean I can pay a couple of hundred quid and get a 30 or 40% power increase for my diesel turbo car.
I recall a friend showing me the points from a Nissan in the days just before electronic ignition. The car had been used around the clock to within limits a driving school car would have. After going around the clock a fair bit he took it in for its service and the mechanic found the points worn down to the bone.
He had not noticed any problem with the engine as the car was firing perfectly.
He had thought the car was running with electronic ignition and was surprised to find he needed to replace them. Cut to an adjacent Talbot whose computer problems required it rot away in a yard waiting for parts. I have never been in any hurry to get the latest greatest.
I can still remember the thin skin of platinum that was all that was left of the Nissan's points. I was duly, truly amazed.
You'd be truly amazed how easy it is to run an engine. Remember that back in the early days of cars, there were no carburettors or anything that sophisticated - all they did was blow air over the surface of a puddle of fuel, and hope evaporation picked up enough. And it worked.
As for points, old cars used whole lot more juice on the spark than they ideally needed. The result was spark plugs and points wearing away as the zaps vaporised small bits of metal each time. Spark plugs were a 5000-mile/6-month service item on my old Montego. These days spark plugs are a 10-year-service item, and that's more because they simply don't know how long they'll keep running so they take a guess.
If you want fuel economy *and* performance *and* the car to run at altitude, that's where it gets tricky.
@voland
They know if they ask customers if they want to update they'll get 99.9999% of customers being confused & complaining about being asked and a silent few who won't bother to update anyway.
Do you get a say when the websites you visit patch their systems? Would you care?
@chris 17
It is not just the update. The update is the least of the issues with car-centric instead of user-centric connectivity. By the way, even Joe Average user is so trained on updates nowadays that he/she will actually usually press yes. Phones finally made sure of that.
The update being the least of the issues.
Scenario 1. The EU idiocy for emergency calling in accidents driven by car manufacturers which are scared sh*tless of losing control - worthless. Emergency services get a message and so what? Do they know the number of occupants? Do they know their identities? Allergies? Blood groups? Organ groups? F** no. Useful? I doubt it.
Scenario 2. Car requests from each and every phone in the car it can pair with to send an emergency message in a crash. Let's suppose that the driver has an anaphylaxis-level allergy (I do) and the passenger who has had one blood transfusion too many in the past cannot take blood which does not match in secondary or even tertiary (M, K, etc) groups (example - my mom). That _WILL_ be useful if transmitted as well. World of difference between the usability of either for emergency services.
So what do we get? The first one - because the car manufacturers marketing would rather let people die instead of making anything related to the car not car-centric.
"Modern cars are much more fuel efficient, have better quality interiors and more features. They are also safer and often cheaper to maintain, as they go wrong less."
Whilst I know what you're getting at, remember the main reason modern cars go wrong less is because of advances in materials science and mechanical engineering. However, whilst my 13-year-old Ford Mondeo is still going strong with 250k miles and the mechanic anticipates it being able to reach at least 300k, there are doubts about the life left in the 'fancy' stuff, i.e. the electronics, sensors and associated stuff. Because for the last two years my main costs have been replacing various parts of the 'fancy' stuff, which are rather expensive.
Comparing this car with my new Ford, my impression is that whilst the new car may also mechanically be capable of doing at least 300k, the additional electronics most probably mean that it will never achieve a similar length of service because electronics will age quicker than the mechanical parts...
The question is, why doesn't the key actually cut off the engine physically(/electrically)? This is not a function that software should over-ride. It certainly isn't a function that should provide a "hint" to a computer that the fleshy part might like the engine to stop.
"...why doesn't the key actually cut off the engine physically(/electrically)?
Because then you can't have remote start."
Maybe you're joking, maybe you're not.
Two independent momentary switches, one for "Press to Start" and another one for "Press to Stop", is trivial to do. A contact in parallel with the "Start" one can be operated remotely without having to remove the local "Stop" facility.
It doesn't need a "body control module" aka computer to talk to an engine control module aka computer. It may need an extra relay, depending on what's already there. Relays are nice simple trustworthy things, but there is an actual cost to fitting them, whereas the software for remote start costs nothing to add, so software's better for that kind of thing, right?
It's classed as a safety feature, basically, if you're travelling above a certain speed (usually 10kph, all these systems work in metric).
Killing the ignition would (eventually) kill all the other systems in the vehicle (ABS, EPS, stability control etc).
So they treat it as an invalid key off and it won't die until you stop.
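The behaviour described in the post above (a key-off while moving above the speed gate is treated as invalid and only honoured once the vehicle has slowed down) can be written as a small state machine. The following is an added illustration, not code from Ford or from anyone in this thread: the 10 km/h gate is taken from the post's "usually 10kph", and the IgnitionController class, the run_trace helper and the event trace format are assumptions. The safety-relevant point it shows is that a key-off the controller cannot honour immediately must be latched and completed later, and cancelled only by an explicit key-on, so that the driver's intent is never silently dropped while the vehicle is still rolling.

```python
from dataclasses import dataclass, field

# Assumed gate speed, taken from the post's "usually 10kph"; real vehicles differ.
SPEED_GATE_KPH = 10.0


@dataclass
class IgnitionController:
    """Models how a key-off request is handled while the vehicle is moving."""
    engine_running: bool = False
    shutdown_pending: bool = False   # latched key-off that could not be honoured yet
    log: list = field(default_factory=list)

    def key_on(self) -> None:
        """Key turned back on (or Start pressed): cancels any deferred stop."""
        self.engine_running = True
        self.shutdown_pending = False
        self.log.append("engine running")

    def key_off(self, speed_kph: float) -> bool:
        """Key-off request. Returns True if the engine is stopped right now."""
        if not self.engine_running:
            return True
        if speed_kph > SPEED_GATE_KPH:
            # Above the gate an immediate stop would also take ABS/EPS/stability
            # control with it, so the request is treated as invalid for now,
            # but it is latched rather than forgotten.
            self.shutdown_pending = True
            self.log.append(f"key-off at {speed_kph:.0f} km/h deferred")
            return False
        self.engine_running = False
        self.shutdown_pending = False
        self.log.append("engine stopped")
        return True

    def speed_update(self, speed_kph: float) -> bool:
        """Periodic speed sample; completes a latched stop once slow enough.
        Returns True if the engine is stopped after this sample."""
        if self.shutdown_pending and speed_kph <= SPEED_GATE_KPH:
            return self.key_off(speed_kph)
        return not self.engine_running


def run_trace(events: list) -> IgnitionController:
    """Replay a constructed event trace made of ("on",), ("off", speed)
    and ("speed", speed) tuples, and return the controller's final state."""
    ctrl = IgnitionController()
    for event in events:
        kind = event[0]
        if kind == "on":
            ctrl.key_on()
        elif kind == "off":
            ctrl.key_off(event[1])
        elif kind == "speed":
            ctrl.speed_update(event[1])
        else:
            raise ValueError(f"unknown event {event!r}")
    return ctrl


if __name__ == "__main__":
    # Constructed trace: key turned off at 50 km/h, then the car coasts to a halt.
    trace = [("on",), ("off", 50.0), ("speed", 30.0), ("speed", 8.0)]
    result = run_trace(trace)
    print("\n".join(result.log))
    print("engine running:", result.engine_running)
```

Running the constructed trace logs the deferred key-off at 50 km/h and then "engine stopped" once the speed sample falls to 8 km/h; a trace that turns the key back on before the car has slowed leaves the engine running with no stop pending, which is the only way the latch is meant to be cleared.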
"underlines the increasing need for over-the-air (OTA) software updates"
No it doesn't. Quite the opposite in fact. It underlines the need to make sure things actually work properly before releasing to the public, and then ensuring no-one can screw with it in any way to change that. Over-the-air updates would guarantee far more faulty products being released (see the gaming industry for a perfect example), while simultaneously meaning that previously working products will constantly be broken via either incompetent updates or malicious activity.
The problem with YOUR idea being that "getting it right the first time" is a pipe dream, especially with time AND budget constraints.
Cheap, Quick, Correct — Pick any TWO.
And it's been like this even BEFORE computers entered cars. Manufacturers basically pray they're not forced to do a recall.
The second you use software to control systems with potentially fatal consequences, you MUST apply safety-critical software design and testing techniques. Which means literally getting it right first time, and for the projected lifetime of the system.
Any 'patches' should only be delivered after running the amended code through the complete suite of regression tests, combined with unit tests for the newly introduced code.
Relying on an OTA 'patch Tuesday' system for a ton of metal travelling at high speed on public roads scares the crap out of me.
Planes still fall out of the sky due to unseen flaws. Granted, we need to get as close as reasonable, but then diminishing returns kicks in and we're still far from perfect (and will never get close--we ARE human).
As for scaring you, which scares you more? A car with software that can be borked over the air, or a car with a borked system that has never been to the dealer to be fixed? Seems like Pick Your Poison to me. OTA is probably the only reliable way to make sure such cars get their bugs fixed (and there WILL be bugs), yet it's inherently insecure.
"Using that logic, you'd be quite happy to update fly-by-wire software in aircraft using an OTA patch system."
Don't think about updating systems in-transit, but the occasional need to update things toot-sweet as soon as they're back down. That's why the US FAA has Airworthiness Directives. At least with airplanes, when these things get issued, they get done or bad things happen. You can't say the same thing about cars, most of which are owned by individuals who may be hard to reach.
@Chris 17
Depends who is releasing it. Just because an OTA patch has been released doesn't mean it actually does what it is intended to do - you need only look at some of Microsoft's critical Windows updates that were released several times before they actually got a version that worked...
What we've seen with software over the decades is that by making it quicker and easier to code and likewise release said code, the quality of code has gone down, whilst the size has dramatically increased.
By having an "air-gap" between your car's systems and the Internet, you automatically make the distribution of updates more difficult and time consuming. This in itself provides (some) motivation to improve the quality of updates, particularly if the manufacturers are reimbursing the dealers for the time and parts consumed in doing the recall update, as it is not in their interest to require a second or third recall...
No, no, stop resisting the remote updates, silly! We need to know where you are to keep you patched for your own good, and not to forget that of your children. In fact, to allow better service on these update stations we should provide them at fixed intervals along all roads so that we can collect and send data at all times of day and night.
Remember nothing bad can come of it and the companies together with government just want to see you safe.
Whatever happened to keep it simple...
I prefer a key to start my car to be fair not a fancy i sit in car it starts etc
On the plus side, at least they can still charge you half the cost of the car for you to upgrade your Maps/POI/Safety cameras on the car eh!!
Well, fuel efficiency standards, for one thing. About the only way we've found to make a super-efficient internal-combustion engine is to micromanage it with computers. The simpler you get (think Wankel rotary engines and why they're hardly paragons of fuel efficiency), the less efficient you get because simple can't account for real-world factors.
Security wise, we are moving towards two factor for computer systems, yet we are moving away from it for cars.
Cars had great two factor for years - aftermarket alarm and a physical car key, or immo and key, etc.
I have four factor on my van - two different physical keys as well as two electronic. (Yes, I would add face recognition or something if there were a decent way.) Yet it still won't stop someone determined enough.
A friend of mine gave a talk at BSides London called "How I steal cars" - it's all very technical and expensive, but nearly anything with wheels we locksmiths can walk up to and take away now. And the newer stuff is easier! Manufacturers who literally refuse to believe we can clone it means they won't patch, & just a radio signal - no physical key - so it can be very fast.
The key doesn't engage the starter or turn the engine off as per older conventional vehicles; it sends a command to the ECU to run a program which then performs these tasks, ergo any corruption of the program and it just fails to do as commanded.
I think we need to enable the three laws of robotics on all future production.....
It'll be just a matter of time before we have a Patch Tuesday for Cars. Or Recall Tuesday, perhaps.
When the self-driving cars have taken over, we'll just notice that the roads are rather empty, because all the vehicles have taken themselves off to the workshops. And your car-ordering app will just sit there showing a spinning wheel for a few hours.
>When the self-driving cars have taken over, we'll just notice that the roads are rather empty, because all the vehicles have taken themselves off to the workshops.
No, they'll be stopped all over the place because they've "blue screened" whilst applying the latest critical OTA update...
Engine management, ignition, locks and windows should not be on an exposed software-updatable controller.
Fine, entertainment, sat-nav and other clever stuff can, and probably should be updated regularly.
Car manufacturers forget they are not IT experts (hence quite nasty software in the first place). Keep the core stuff in a module that can be updated with a dealer service where it belongs, effectively air gapped from the glossy guff that can take you to the nearest pizza shack.
Why do we need cars that need:
- A computer system to turn the ignition off when a barrel and key works with no less benefit.
- Attaching to a laptop to bring wipers to the middle so you can change the blades, as the blades hide under the bonnet when you turn them/the car off.
annnnnnnnnnd i could go on forever lol.
Computers and electronics are great, but do we really need one to do simple mundane tasks which REALLY don't need making super complicated?! It's all about robbing the customer blind:
'You need to connect your car to my gizmo, mate, to find out why your car is in limp mode. It'll give me an error code which I can look up to tell me. Oh, btw, it costs £60 to do that; just to tell you what's wrong.'
Nice money earner!
I think the computerised engine starting we have now is to do with stop/start modes on efficient engines, so that it can stop at traffic lights etc and start the instant you press the throttle pedal.
I think when the engine stops it has the pistons in a precise position to help the restart.
We have enough to moan about with cars that need bumpers removing to change lights.
You are of course free to buy an older car without all the computery gubbins. No-one is stopping you.
These things may appear to be pointless excesses, but there's a solid reason behind each choice. As the extra complexity is generally more expensive, and manufacturers want to be able to sell their cars, they don't just add this stuff on a whim.
Just because you don't see the benefit doesn't mean there isn't one.
A computer system to turn the ignition off when a barrel and key works with no less benefit.
The intention is to improve security.
Simple barrel and key is open to hotwiring, it's just a switch that in some cases can carry a very high current - so is also a potential fire hazard if there's a wiring fault.
The electronic barrel has a transponder that reads a code from your key. That code is passed to the car's security module which decides if that key is allowed to start the car. That is why keys have to be coded to cars. Accessory positions 1 and 2 may still be simple switches, or they may also be enabled by the security module.
Secondary benefits are automated start/stop, and remote start.
Attaching to a laptop to bring wipers to the middle so you can change the blades, as the blades hide under the bonnet when you turn them/the car off.
Design aesthetics and aerodynamics are probable reasons here. Manufacturers seeking that fractional improvement in drag reduction will conceal the wipers as this helps smooth airflow over the car.
As for being hidden under the bonnet, just open the bonnet when the blades need changing. This is normal practice on modern cars. I've never seen one that needs something plugged into the diagnostic port to change the wiper blades.
computers and electronics are great, but do we really need one to do simple mundane tasks which REALLY don't need making super complicated?! It's all about robbing the customer blind
I'd say it's more feeling the need to add automated and "intelligent" features as an attempt to differentiate in a competitive market, with a nod to making things more complicated than the average owner can handle so will maybe return to the dealer.
EU directives mean that servicing and repairs can be carried out at any VAT registered garage without affecting the manufacturer warranty, so you are free to take your car to just about any garage you want.
You need to connect your car to my gizmo, mate, to find out why your car is in limp mode. It'll give me an error code which I can look up to tell me. Oh, btw, it costs £60 to do that; just to tell you what's wrong.
Sure, dealers like to scam you by charging half hour or hour labour just to plug in a computer that gives the result in 30 seconds. Known scam that is easily avoided.
You can buy yourself a £20 code reader and look up the fault yourself, then research the problem yourself and decide if you can fix it.
And you are still free to take your car anywhere to get repaired. Doesn't have to be the dealer. And dealers are often franchises so even if you do go to a dealer, the manufacturer doesn't see a penny of that. Dealer buys cars from manufacturer, parts sometimes from the manufacturer. That's the end of the relationship. Manufacturer does not benefit from service and repair jobs.
What's the alternative? Cars that tell you nothing about the problem so you pay out for hours and hours of diagnostic labour charge just to find the fault, then you still have to pay for the fix as well?
Going into limp mode is usually better than the car simply dying on you and refusing to start. You can at least get home or to a garage instead of being stuck at the roadside.
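The transponder and security-module description earlier in this reply (the barrel reads a code from the key and the security module decides whether that key may start the car), together with the locksmith's remark further up the thread that many such keys can be cloned, can be illustrated with a short model. This is an added example, not code from this thread or from any manufacturer: the key table is constructed, the static_authorise and challenge_authorise functions are assumptions, and the challenge-response variant (HMAC-SHA256 over a fresh random challenge) is a generalisation beyond what the post describes. It is there to show, from the defender's side, why a code that is simply read out and compared is only as strong as a copy of it, whereas a response bound to a one-time challenge cannot be reused.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two keys coded to this car. Not a real vehicle database,
# and the secrets are illustrative byte strings only.
CODED_KEYS = {
    "key-1": b"constructed-secret-for-key-1",
    "key-2": b"constructed-secret-for-key-2",
}


# --- Scheme 1: static code, as the post describes it ---
def static_authorise(key_id: str, presented_code: bytes) -> bool:
    """Security module compares the code read from the transponder with the
    code it has stored for that key. Whatever the barrel reads IS the secret."""
    stored = CODED_KEYS.get(key_id)
    return stored is not None and hmac.compare_digest(stored, presented_code)


# --- Scheme 2: challenge-response (assumed generalisation, not from the post) ---
def make_challenge() -> bytes:
    """Fresh random challenge issued by the security module on every start attempt."""
    return secrets.token_bytes(16)


def transponder_respond(key_secret: bytes, challenge: bytes) -> bytes:
    """What a coded key computes; the secret itself never crosses the air gap."""
    return hmac.new(key_secret, challenge, hashlib.sha256).digest()


def challenge_authorise(key_id: str, challenge: bytes, response: bytes) -> bool:
    """Security module recomputes the expected response for this challenge."""
    stored = CODED_KEYS.get(key_id)
    if stored is None:
        return False
    expected = transponder_respond(stored, challenge)
    return hmac.compare_digest(expected, response)


def replay_survives(scheme: str) -> bool:
    """Record one legitimate exchange, then present exactly the same bytes at a
    later start attempt. Returns True if the security module accepts the copy."""
    if scheme == "static":
        captured_code = CODED_KEYS["key-1"]          # the code as the barrel read it
        return static_authorise("key-1", captured_code)
    if scheme == "challenge":
        first_challenge = make_challenge()
        captured_response = transponder_respond(CODED_KEYS["key-1"], first_challenge)
        later_challenge = make_challenge()           # module never repeats a challenge
        return challenge_authorise("key-1", later_challenge, captured_response)
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    for scheme in ("static", "challenge"):
        print(f"{scheme:10s} copy of an earlier exchange accepted: {replay_survives(scheme)}")
```

With the constructed keys, the static scheme accepts the copied code every time, and the challenge-response scheme rejects the copied response because the challenge it answers is never issued twice. A genuine key still starts the car under either scheme, which is the property the security module exists to provide.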
On the other hand, proper application of DO-178, MISRA, etc practices *might* (just might) have stopped Toyota paying billion dollar penalties (and might have saved a few lives) due to bad system+software design and implementation. See the rash of "uncommanded acceleration" incidents a few years back, which Toyota tried to sweep under the carpet before it finally came to court with expert witnesses etc.
Yes I acknowledge that DO-178 is more about processes (and thus paperwork) than it is about good engineering practice; I'm open to suggestions that might work better.
http://www.eetimes.com/document.asp?doc_id=1319903 Oct 2013: Toyota: single bit flip that killed
http://www.eetimes.com/document.asp?doc_id=1321734 Apr 2014: Toyota underestimated risks
http://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf Sep 2014. Prof Koopman was an expert witness at the Toyota trial. "Must read" material.
My 2008 GMC Canyon still receives ECM & BCM updates every year or so. Updated fuel tables, power curves, etc. Always have to do a GM Update before using a tuner like HPtuner to get things right. Truck is fly_by_wire but no OnStar, electric locks/windows etc. 2.9l 4 banger only averaged 20.3mpg we purchased new, I've de-GMmed to the point of 27.6mpg average city/highway now with 173k miles on her - she's faster than factory.
The above is also why I'm restoring a 1958 GMC Stepside pickup with three on the tree, it will run under circumstances unfriendly to electronics AND your average American car thief won't know how to row a stick.
... has been around for a while now; buttons to start / stop engines.. no need to physically insert an ignition key etc.
The whole concept of needing to or indeed being able to remove a key to stop the engine running is already reasonably foreign to drivers of many current vehicles.
About 6 years ago I had a thermostat housing changed for an updated part.
After this the engine management alert light came on after the car warmed up.
It took 3 visits back to the main dealer and them to get on to the manufacturer support before they realised that they needed to update the software so the tolerances matched the updated part.
Holding programmers accountable for bad code is what is required. If OTA updates are used as a bandaid to fix bad code, it just makes it easier for thieves to break into vehicles and depraved people to take control of the vehicle's electronics. With autonomous vehicles on the horizon, now is the time to put an end to dangerous, deadly and unacceptably poor programming code and its implementation.
Holding programmers accountable for bad code is what is required.
Respectfully disagree. Furthermore I respectfully suggest you know nothing about development processes or the differences between unit, regression and product testing.
now is the time to put an end to dangerous, deadly and unacceptably poor programming code and its implementation
You really don't have a clue do you. This is almost never the case in safety critical systems. A failure to understand the process leaves you blaming the wrong people.
Applying a proper, rigorous and thorough testing program is the solution. Ensuring that any issues flagged up are taken seriously rather than swept under the carpet because another iteration of the development cycle costs another couple of million.
Making the programmers accountable is not the answer. Programmers should never be responsible for product testing and QA, for the simple reason they are programmers not testers. They know the code they have written and subconsciously avoid doing stupid or unexpected things with it. This has the natural effect of missing bugs.
Programmers do perform unit and regression tests on their code. But these can only be expected to perform within the scope of specifications the programmers have been given.
Bugs don't just arise from programming mistakes, and the ones that do are quickly weeded out in the unit and regression testing phases. In critical applications bugs tend to occur due to poorly specified requirements or operating conditions outside of anticipated ranges. This is not a failure of the programmers. This is a failure of specification, of understanding the original problem.
And these aren't actually bugs, these are failures to properly define the problem at the outset. It is the responsibility of requirements analysers and product specification engineers and their management to ensure all aspects are adequately specified before coding starts.
It is the responsibility of programmers to adhere to the specifications they are given, and of development managers to ensure this happens.
It is the responsibility of product testing to ensure that firstly the product meets the original specifications, and secondly to ensure that it doesn't royally fuck up when pushed beyond the original specifications.
Depending on the severity of problems found at this time, it is up to project stakeholders to decide what further action is needed. They will make a risk assessment and can choose to iterate the specification, programming and testing cycle again, or release the product as is.
None of this is the responsibility of the programmers.
Ultimately responsibility falls on the upper management layers of the company as a whole for failing to ensure they have delivered a safe, secure and working product. They are the ones whose job is supposed to be to make sure, really sure, that everything has been done correctly.
Tell all that to the guy who did the forensics in Bookout v. Toyota - several really basic systems design and programming errors. But we're not just blaming coders here, nor just the auto industry - there have recently been some quite spectacular aeronautical software design snafus.
The bottom line is that the whole software development process still fails to meet the standards expected of all other branches of engineering. And falling back on 'testing' is not an appropriate solution. We don't build bridges without doing the math and then just test them by running trucks across (we used to: there's a famous 19th century verse about Crystal Palace, London that goes "... the sappers and miners who marched and who ran ... To test the girders to Plaxton's plan..." but we've advanced beyond that by now).
So the reality is that software engineering is not yet a mature enough discipline to apply with confidence to safety-critical systems. With luck and persistence it may become so, but presently it's too damned dangerous to trust your life to software.
"there have recently been some quite spectacular aeronautical software design snafus."
Pointers welcome.
"software engineering is not yet a mature enough discipline to apply with confidence to safety-critical systems. "
Arguably it was better in some ways two or three decades ago when this stuff was all new and everyone was happy with certain basic engineering principles like "keep it simple".
Since then, Ada has taken over, and everything about Ada is the opposite of simple, though as a language to document a design, it may once have had some advantages.
Also in some outfits I'm familiar with, there has been a move (perhaps understandably) to automatic code generation from models (model->Ada). It has been seriously suggested by some of these people that testing of the code compiled for a desktop PC or datacentre server, rather than testing of the code compiled with the toolchain for the target, will be adequate. It ought to be unbelievable. Sadly it isn't.
What could possibly go
"Ultimately responsibility falls on the upper management layers of the company as a whole for failing to ensure they have delivered a safe, secure and working product. They are the ones whose job is supposed to be to make sure, really sure, that everything has been done correctly."
I think you'll find the management are more interested in product that ships on time and on budget. Where does correctness come in?
Go read some of the Toyota "uncommanded acceleration" coverage, if you haven't done so already (it's not been covered much except in certain specialist circles e.g. Electronics Engineering Times as lead player, and a few specialist safety blogs and similar).
Toyota doing things on the cheap cost people's lives, and ultimately cost Toyota billions of dollars. But getting it out of the door on time and on budget was more important to the managers at the time.
Sadly Toyota won't be the only company working this way. Just one of the first to get caught out and pay the price.
Even ignoring the possibility of hackers cracking or otherwise obtaining the private key used to secure the updates, this is a terrible idea if it is just applied willy-nilly without the driver having a say or, worse yet, even knowing. How many times has a borked update been distributed over the years by every IT vendor out there? The supposedly "identical" environments actually aren't, or don't account for different settings, etc.
I don't want my car bricked and needing a tow out of my garage sometime because it received an update overnight, and especially don't want it if the updates are silent so I don't even know that was the cause - because you can be damn sure automakers will not want to give us this information willingly, to avoid the inevitable lawsuits that result from people getting in work or legal trouble because they missed an appointment due to their car not working!
It needs to be a requirement for any update that 1) drivers are notified when a car has received an OTA update, 2) we must be told exactly what it is fixing (can't just say "bug fixes and performance improvements" like too many release notes say these days), and 3) I get to choose when to apply it, though it should be forced after a certain time (maybe a couple of weeks, so you don't have to get it in the middle of a cross-country family trip if you would rather wait until you're home).
Yesterday I spent two hours trying to get a Windows 8.1 update to install and reboot correctly on a laptop, leaving me with absolutely no access to the device. Eventually it ended up doing a self repair, not something you want your car doing whilst waiting to go to work.
Let me make a bit of a parallel here.
Once upon a time, there was this thing called a console. It had no Internet connection, it had a defined hardware list and games were made for it and sold on the open market. No recall was possible, the game had to work from the shelf. There was no patching.
During those heady days, console gamers made much fun of PC gamers, with their constant updates and struggling framerates and constant need of upgrades.
Then the console got a hard disk and an Internet connection. Where is the console today? Waiting for updates, struggling for framerates, and no game works as advertised on day 1.
Meanwhile, PC gamers have better equipment and actually fewer issues these days because they are not beholden to the proprietary portals imposed on consoles, nor do they risk DDOS of their only provider because if one game server doesn't work, there are other games to play. On a console, whatever the game, there is in practice only one server.
Please do not repeat this mistake with cars.
"Once upon a time, there was this thing called a console. It had no Internet connection, it had a defined hardware list and games were made for it and sold on the open market. No recall was possible, the game had to work from the shelf. There was no patching."
And yet, because we're human, mistakes were still made. Take the original Sonic Adventure for the Dreamcast (one of the last consoles where it was safe to assume no updating was possible). You'd have thought in a game like this they'd have tested speed-ghosting (going so fast you beat the collision detection and go through something). What about the Superman game for the Nintendo 64?
Times like this, I'm kinda reminded of The Gong Show. The basic rule was not to put on a bad act...but people still put on bad acts (some intentionally, many not).
Can you just plop the hood open and cover the air intake, or will it suck your hand in? Is there a hard kill switch somewhere? Or should I just start yanking the circuit breakers?
No, seriously, my dad got himself a Fusion with that remote start.
I'm assuming you mean when parked, not whilst driving...
Pull one of many fuses for the fuel pump, fuel injection, engine management, or ignition systems. Any of these will stop the motor.
Do not cover the air intake. You won't lose a hand but you will get a poor air/fuel mix in the cylinders that could lead to all sorts of expensive damage, for instance to your catalyst. They don't like fuel contamination.
Patricia Herdman's book, When Cars Decide to Kill, highlighted many of these points. She points out that we have NO software safety laws and that it's time we put into place a proper software safety architectural framework for car software that INCLUDES the basic protective measures such as: no software update is permitted until the driver/owner of the vehicle OK's it...and ways to capture faulty software that triggers a crash.
In the Bookout v Toyota legal case in the US, the actual software flaws were identified in the Toyota Camry software inspected by Michael Barr and his team.
It's time for software safety laws. Herdman's website on the subject, GlitchWatch.com, is a must-read.
"we have NO software safety laws"
At least for vehicles that is not true (any more). Since 2011, vehicles have to be developed according to the ISO 26262 standard, which is a legal requirement, making it effectively a worldwide software safety law for the automotive industry.
"In the Bookout v Toyota legal case in the US"
Thank you.
A few minutes ago (or in a few hours time, after moderation) I just posted some links to EE Times coverage of the Toyota case (excellent overview) and a link to a presentation from Prof Koopman at CMU (expert witness at the trial). Both should be mandatory reading.
Hadn't come across GlitchWatch, will go look.
Thanks for the reference to the Bookout case.
I wrote a couple of notes on that very subject before I saw yours, with some commentary and some links to EE Times reports of the Toyota court case and to a presentation from an expert witness on the case.
Something in them seems to have been unacceptable so they're not here.
Maybe the links will get through this time. They are well worth following up.
http://www.eetimes.com/document.asp?doc_id=1319903 Oct 2013: Toyota: single bit flip that killed
http://www.eetimes.com/document.asp?doc_id=1321734 Apr 2014: Toyota underestimated risks
http://users.ece.cmu.edu/~koopman/pubs/koopman14_toyota_ua_slides.pdf Sep 2014. Prof Koopman was an expert witness at the Toyota trial. "Must read" material.
That's the last thing I need on a vehicle--a formerly running car now not starting because it got a buggy update while parked. Or worse, "Preparing to update your vehicle--please wait." Or even worse, a truly buggy update causing the car to start, drain its battery, or possibly catch fire while parked in my garage. (true, this is unlikely, but certainly not impossible)
One of the good things about having to take your car to a dealer for an update (there aren't many) is that it forces the manufacturer to do a lot more debugging when it takes time to distribute an update. If cars are always connected in some future time, I think the frequency of updates will go up, but the quality will go down. More exposure of a car's core systems to the Internet would also open the doors wider for malicious hackers to exploit them.
If this all comes to pass, perhaps I'll be installing Cyanogen on my vehicle when it's out of warranty :)
Acura has a big problem with this and they refuse to admit it's a problem that should be fixed. Basically, they say that break-ins are a fact of owning a car as they have been there for years. They refuse to fix the potential of a hack by providing a Keyfob Proximity Automatic Door Unlock disable function, yet they admit it can happen. I called them three times on this issue and now they are not returning my call. I will never buy an Acura again nor should anyone else.
I think it's about time OBD III or something akin to it be rolled out, and included in this standard is a complete separation of any environmental or entertainment controls, away from, and totally disconnected from drive train, steering, brakes, door locks, etc. Totally separate gapped systems. That way you can still continue to upgrade the driver(user) experience, without having any inlet for attack other than physical interconnect with special hardware. Would even keep dealers happy since that would bring new proprietary equipment they'll only have at first.
Or, in a perfect world, it'd be an open standard that companies would develop tech for, and take input from technicians and mechanics, increasing job opportunities, and advancing technology overall.
This actually does NOT point to the need for OTA updates. Most car companies at present do a pretty good job of quality assurance for the car software (and calibration tables that go with that to actually make it work with your particular engine) before it's shipped. Having OTA updates may in fact not add much value in this respect. Cases like Ford's should really not be that widespread.
On the other hand, having the car "online" to get the OTA updates to begin with presents an enormous security risk. I see a secondary risk from this of companies deciding it's alright to ship computer-controlled systems that have not been debugged yet, "secure" in the knowledge they can just OTA it.