This all getting absurd
Just absurd.
Your car’s web browser may be on the road to cyber ruin
Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities. Researchers …
-
-
Friday 19th December 2025 07:36 GMT Pascal Monett
Re: This all getting absurd
Absolutely.
Why put a web browser (that doesn't get updates) in a car when everyone has a smartphone these days and all of those have web browsers that do get updates ?
I can get video screens for backseat riders so kids can play games or watch videos, but a car must remain a self-contained unit and that means no YouTube, Instagram or anything web-based.
You have your smartphone for that shit.
-
Saturday 20th December 2025 06:03 GMT Anonymous Coward
Re: This all getting absurd
> Why put a web browser (that doesn't get updates) in a car when everyone has a smartphone these days
I use mine to:
* Check the en route weather in detail (though the car navigation already shows weather)
* Read the newspaper or access documents from my cloud when parked waiting for someone / something
* Access various company applications (again, when stopped)
* Access the security cameras at home and office
I could use the phone but the car's screen is much bigger and comfortable.
It does get updates (Chrome 138 last I checked a few days ago) but of course your point is valid.
-
Saturday 20th December 2025 07:01 GMT Jou (Mxyzptlk)
Re: This all getting absurd
> It does get updates (Chrome 138 last I checked a few days ago) but of course your point is valid.
Comparing to my phone: Xiaomi Mi 9, the model with Qi, from 2019, Android 10 QKQ1.190825.002: Chrome 143.0.7499.110.
What are the details for yours? Especially the exact Android version to hint whether security updates are applied to OS level, which seem to happen on mine.
-
Saturday 20th December 2025 15:38 GMT Anonymous Coward
Re: This all getting absurd
> What are the details for yours?
The details of what? If you're referring to my phone it does not use Android. The car uses a variety of RT and non-RT custom Linux builds. You can find some of the sources, and lots of other geek -level stuff here:
-
-
-
-
-
-
Friday 19th December 2025 11:02 GMT jdiebdhidbsusbvwbsidnsoskebid
Re: Seriously...
"The correct way for cars to handle this IS to support Apple Carplay and Android Auto, so the systems don't rely on software that never gets updated"
Yes it would be. But my other half's car has Android auto that doesn't work because phone updates have left it incompatible. The car is 8 years old and has never had any software updates available.
Another one: a friend has a car that is only 3 years old and he's facing our having no more software updates, even though that model is still being sold.
-
-
Thursday 18th December 2025 20:52 GMT Refugee from Windows
Embedded insecurity
It's the Automotive Sector. It's all done to a price and a template. Of course you could update it, except only at a dealer and for a large fee.
Think of it as a large phone that doesn't get any support.
The exception would appear to "Muskmobiles" which get updates, some of which may not be quite bug free. We're all used to ignoring the built in SatNav that is well out of date and can't find anywhere built in the last 5 years.
-
Thursday 18th December 2025 21:09 GMT Mike 137
Re: Embedded insecurity
"It's the Automotive Sector
It's not just the Automotive Sector. I recently had to reconfigure someone's SOHO router (a notionally reputable brand and a "professional" model only about a year from release). The digital certificate for its web interface had expired and there seems to be no mechanism for updating it (hard coded like what Firefox did maybe?). Fortunately the web interface is only accessible from the private side, but nevertheless the browser has to be instructed to ignore the certificate, which makes it pretty pointless.
-
-
Friday 19th December 2025 12:19 GMT Hubert Cumberdale
Re: pretty pointless
"browsers make it hard to use http these days"
Quite right, too. There's no excuse for an unencrypted website these days when Let's Encrypt (et al.) make it free and almost trivial to implement. And don't tell me "but it's only a [whatever] website and it doesn't matter". Sometimes you don't know exactly what might be sensitive information until its too late. Like having Jewish heritage in 1930s Germany.
-
Sunday 21st December 2025 14:52 GMT tiggity
Re: pretty pointless
@Hubert Cumberdale
I operate a few public facing websites for various pub leagues that have zero need for https, and so use http, despite browsers whinging.
I doubt the name of a team (named after pub they are "based at" is sensitive information)
.. and aforesaid websites also have zero JavaScript (& all content is served from the sites, no pulling in content from elsewhere) - as it's not necessary for information only websites (results, fixtures, league tables etc. - zero need for JS presenting that data)
Meanwhile, lots of https sites full to the gills with dubious JS, but browsers do not make the slightest whinge
.. Browsers whinging about http is just security theatre a lot of the time.
-
Tuesday 23rd December 2025 23:18 GMT Hubert Cumberdale
Re: pretty pointless
I'll say it again, as you clearly didn't read my post:
"And don't tell me "but it's only a [whatever] website and it doesn't matter". Sometimes you don't know exactly what might be sensitive information until its too late."
This is purely about the real and present danger of eavesdropping in transit, not some vague notion of "website security". And JS is an entirely different problem (hint: use NoScript).
-
-
-
-
Thursday 18th December 2025 21:45 GMT Altrux
Re: Embedded insecurity
My satnav (2023 VW group car, fully updated, Aug 2025 maps) still has points of interest that ceased to exist 30 years ago. There was an old petrol station towards the city centre that was redeveloped into apartments in the 90s, but it's still on the map. And a pharmacy that closed at least 12 years ago. Curious where they get their data from!
-
Friday 19th December 2025 03:02 GMT Eric 9001
Re: Embedded insecurity
Probably from an ancient map that wasn't under a proprietary license or contract.
I'd rule out openstreetmap, as well you need to comply with the free license and street numbers are often missing (this is usually the fault of government bodies not making their street number records available for free usage, not even for a price, as openstreetmap does import all the street numbers when those are provided).
-
-
Saturday 20th December 2025 05:31 GMT Anonymous Coward
Re: Embedded insecurity
> Which provider do VW group use for their satellite navigation map data (which tends to be horribly out of date)?
Here (not here, "here" is the actual name of the company) or Tom Tom (they still exist). And yes, both their databases leave to be desired with driving a car, never mind a pump ladder (Google doesn't help here either, as it will try its best to route you around the accident you're trying to get to, but that's a different story)
-
-
-
Thursday 18th December 2025 22:24 GMT Ribfeast
Coming from an engineering company, the amount of paperwork and nightmare to change the "software part" for the baseline is a a huge body of work. Has to go past the test team etc too, months of work. Go through EULAs, ensure no clauses can catch us out. I can see why they don't like to change it after it's implemented.
-
Thursday 18th December 2025 23:20 GMT alain williams
the amount of paperwork and nightmare to change the "software part" for the baseline is a a huge body of work.
Maybe if they firewalled off the infotainment from the automotive parts so that the sat-nav & kids' amusements cannot interfere with the parts that drive the car it would be a lot easier. This would also make the car more difficult for reprobates to crack into - a double win.
-
Monday 22nd December 2025 10:57 GMT The Organ Grinder's Monkey
"Maybe if they firewalled off the infotainment from the automotive parts so that the sat-nav & kids' amusements cannot interfere with the parts that drive the car..."
I havei direct experience of this, albeit 20+ years ago on a, then, several years old Saab 9.3 convertible, so it's from the early days of canbus.
Detailed in a recent comment (which I would link directly to, but I'm ashamed to admit that I don't know how to, so reproduced below. Apologies if this contravenes comments etiquette.
"Further to my gentle rant above about automotive canbus (it's in domestic boilers now, too, apparently) I remember a Saab 9.3 which had had a lot of the customer's money spent on it trying to cure a combo of spurious ABS captions & random stalling. The original dealers had just done what they always do, & thrown a lot of (the customer's) money at it by randomly changing most of the control units in the car, & then pronounced the fault incurable.
We weren't a dealership, but a non-franchised specialist, & kept a yard-ful of wrecked cars that we could borrow parts from to trial-&-error test theories on such problem cars without having to charge the customer 3 or 4 figure sums each time for new components.
Long story short, it was the 6-disc CD changer in the boot that was the cause of both faults. We never really worked out how or why, but replacing it completely resolved all it's problems. Later chats with someone at Saab who had detailed knowledge of the canbus tech suggested that there were several tiers to the canbus implementation in the car, & that there was a hierarchy to the devices on the network. Evidently the CD changer had been given greater status than it needed & when it faulted it provoked a panic response from the central controller rather than being ignored & simply logging a code. Note that the CD changer worked perfectly throughout, whatever the fault it had was, it wasn't a functional one."
.
-
-
-
Friday 19th December 2025 04:51 GMT An_Old_Dog
Re: Car's web browser?
The flashing of your car's digital clock's colon (as in: "12:00", "12 00", "12:00", "12 00", etc.) varies slightly so as to send you subliminal International Morse-coded messages.
You should remove the digital clock in your car and replace it with a reliable analog clock incorporating a wind-up mechanism.
-
Friday 19th December 2025 06:46 GMT Neil Barnes
Re: Car's web browser?
I find it curious that my 30-year old Fiat's clock - a simple module provided with permanent power and a dim signal when the lights are on - keeps excellent time. Every other car I've owned in the last fifteen years, though, or so has something going on that makes the clock lose a couple of minutes a month.
-
Saturday 20th December 2025 18:45 GMT Yet Another Anonymous coward
Re: Car's web browser?
My 18 year old car has a digital clock that loses 5min/month and SWMBO insists on keeping it 5min fast so she's not late ..... erm ok
Her much newer fancier car has clocks that links to all the carplay rubbish and so is set to absolute perfect time - I can't find anyway to make it 5min fast
-
-
-
Sunday 21st December 2025 07:28 GMT The Oncoming Scorn
Re: Car's web browser?
I have a aftermarket Android Head Unit (2021).
Up until the point I had a insurance safety test done on it this year, time & date were always correct.
Now in the morning:
Time & Date will be correct - Then roll back the date to 2005.
Time & Date will be correct, but time will be fast.
Time will be fast & Date will be 2005.
No combination of using manual setup, network time, GPS time (Its a couple of simple touch screen taps while at traffic lights) or using my phone as a hotspot for network time, which worked after a few minutes but now seems to have stopped.
-
Sunday 21st December 2025 11:23 GMT Jou (Mxyzptlk)
Re: Car's web browser?
I would have loved to say GPS rollover, but the last one was in 2019. ntp rollover will happen in ~10 years. If you car chooses atomic-clock signal (Europa 77 kHz, other parts of the word different) it might be a rollover or something similar there. All together with an unfixed bug in the underlying OS. The latter is most likely, since a quick search shows that old androids tend to have such issues. Some report reset to 2003, 1980, year 2000. Not yet a report 2005 - well, that night increase in the next days, you cannot be the only one here. You may just be patient number one.
I recommend reading TheRegister, news like that will likely pop up there soon.
-
-
-
Thursday 18th December 2025 22:58 GMT cyberdemon
Re: Just Say No
I could not agree more.
I will never buy an "iPad on wheels". The tendency to omit the dashboard instrument cluster and physical controls for heating/etc and put it all on a giant touchscreen, I find obnoxious.
All the more so if it transpires that these controls and more could be hijacked via a vulnerable embedded web browser on the same screen.
-
Friday 19th December 2025 11:13 GMT jdiebdhidbsusbvwbsidnsoskebid
Re: Just Say No
I'm surprised we haven't seen news stories of people having accidents due to navigating touch screen UIs whilst driving.
I did see an accident once where the driver failed to go round a corner and just drifted in a straight line off into the hedge. They said they were try to adjust the aircon at the time. Even if that wasn't a touchscreen it shows that driver distraction is a thing, and touchscreen UIs make it worse.
-
Tuesday 23rd December 2025 03:14 GMT Anonymous Coward
Re: Just Say No
> touchscreen UIs make it worse.
Badly designed ones do, IMO. With well designed ones, your hands stay on the wheel essentially all the time.
> driver distraction is a thing
Very much so. Which is why robotic driving looks set to be a game changer. It doesn't have to be perfect but anything that reduces the *massive* casualty rates (roughly 1.19 *million* people a year¹; over a thousand in the UK alone) will be a massive improvement.
It is one of those things that just don't get talked about but it's by far the most dangerous thing the vast majority of people will ever do in their life… and most do it every day, week in week out.
¹ https://www.who.int/news-room/fact-sheets/detail/road-traffic-injuries/
-
-
Friday 19th December 2025 10:21 GMT nematoad
Re: I must be getting old ...
I do not even use the one in my mobile 'phone.
What is this mobile 'phone thing you are talking about?
Seriously, what is the compunction to get everything hooked up to a system known to be dangerous and a privacy nightmare?
I do not have a mobile 'phone and my car is old enough to have been built before all this IOT nonsense and I have no desire to "upgrade".
-
-
This post has been deleted by its author
-
-
Friday 19th December 2025 10:18 GMT steelpillow
Not just cars
What about all those ancient boxes still running legacy OS and legacy browsers, but still perfectly functional for what they do?
Regressions are baked into the HTML5 specification for browsers, but not for the bloody servers. More and more web sites these days are so full of smartass "living standard" novelties that they barf when they meet an older browser and refuse to dump their load.
So the poor non-upgradeable browser soon passes its use-by date anyway. There is no app or browser support for that stupid social network that all your "mates" are using, you can't even login to your PayPal account directly any more. Users soon learn to avoid the more enshittified sites.
Meanwhile, all that malware increasingly barfs on the old browsers too, or the underlying OS, so patching is not quite so vital either.
So, which is worse, running with the latest enshittification, or losing half the Internet? Enjoy the choice. :-(
-
Friday 19th December 2025 10:54 GMT Roland6
What a surprise, not.
We already had this lack of updates with car’s inbuilt Sat-Nav, why would other features be any different? Particularly, what we know about updates, or the lack of updates for smart TV, mobile phones,, “home” security cameras, doorbells annd other IOT devices.
Although there is a valid reason to include a web browser: Draytek for example include a browser in their router, it is used to view help pages and access the firmware download/update website. Although you could use it to access other websites, its performance is a good deterrent to doing so.
Aside: expect in a year or so to start hearing similar lack of updates and support for the AI capabilities now being baked into TVs etc.
-
Friday 19th December 2025 13:09 GMT Bebu sa Ware
Watching an old TV series†…
there was a scene where it was raining and the chap couldn't crank his car over so his Scots housekeeper came out an turned over the engine almost instantly.
(Set around 1924.)
Set me thinking that the modern car stealing toe rag would not stand a chance against these old vehicles. ;) Although the modern bright young things mightn't either, I suppose.
Still — demonstrates how little of the modern jiggery·pokery a functional motor vehicle actually needs.
† The Mind of J G Reeder Thames 1969-71 S01 E07 The Troupe
-
Monday 22nd December 2025 10:41 GMT The Organ Grinder's Monkey
Re: Watching an old TV series†…
Upvote for anything JG Reeder.
"the modern bright young things mightn't either, I suppose"
not least because, aiui, vast swathes of the "young people" demographic aren't bothering to learn to drive at all, so would be fooled by any age of motor car. (My observations of the way they drive their e-scooters suggests that the roads are a safer place for their absence?)
-
-
Friday 19th December 2025 15:44 GMT Legb
Embedded web browsers are by nature tied in at a point in time.
Why cars need browsers is beyond me, the same with in-car routers/wifi and so forth. The data rates are criminal as the network provider with their embedded SIM card holds the user to ransom.
With unlimited tariffs and network sharing built into the 5G phone in my shirt pocket why would I bother?
What does need to be addressed are car manufacturers who decide that they will ship tens of thousands of pounds worth of product, a car, but can’t be arsed performing any proper software updates.
I have a Honda hybrid on a 24 plate, as a closed loop traction and ABS motion control system this this looses traction at junctions, worse in the wet. Eco mode does less than sport mode to rectify the problem, I guess snow mode might do something :s
Add in the automatic main beam, that thinks a road sign is an oncoming vehicle, so dips, then eventually wakes up… no option to disable this excuse of a system except when you get in the car each time. It goes one stage further in annoyance and while in ‘automatic main beam mode’ the blue main beam lamp on the dashboard is permanently illuminated! Regardless of whether main beam is on or not…
Rather than worrying about web browsers being old, someone needs to ensure manufacturers are keeping ALL of their firmware updated and readily available to motorists to be able to update without trudging off to the stealership for some grease monkey to try and update it.
Critical options need to be brought to the fore and be easily enabled or disabled, not leaving drivers fighting poorly written and conceived code written by someone with the mentality on a par with 1970s VHS video recorder program recording or lack there of!
-
Tuesday 23rd December 2025 03:26 GMT Anonymous Coward
> What does need to be addressed are car manufacturers who decide that they will ship tens of thousands of pounds worth of product, a car, but can’t be arsed performing any proper software updates.
Tesla roll out updates every 4 to 6 weeks, with patches in between. This is a similar cadence to that of Chinese manufacturers (in China, they update less frequently in Europe) with the exception of Xpeng which, I'm told, push updates every 1-2 weeks.
-
-
Tuesday 23rd December 2025 16:04 GMT Anonymous Coward
Are you a child? Serious question, not being judgmental. If you are: because of the inverse relationship between cost and defects. A hypothetically perfect work of any kind would be infinitely expensive. Or, as is commonly put: perfect is the enemy of good enough.
Also, requirements are not static; they evolve with time. When new features can be implemented at relatively low incremental cost via an OTA update it's a win-win for both customer and manufacturer.
-
-
-
-
Saturday 20th December 2025 20:26 GMT martinusher
Perhaps they just need a subset of browser functionality
The problem is that its just cheaper for manufacturers to fork lift an entire computer subsystem into their device than to invest in the effort needed to build a system tailored to their requirements. The everyday web browser is optimized for the needs of ecommerce (if you think about it....) where the 'enhanced user experience' typically means optimized use of screen space for advertising, delivery of messages by popups of various sorts (including multimedia), relatively secure cart and payment systems and a mechanism for tracking user behavior, none of which is needed by a car. Since much of the malware is targeted at ecommerce stripping this out would produce a slick browser that's relatively bulletproof.
The snag is that we'd all one one for the home for day to day use with the regular browser being used for when we actually want to go shopping.
