back to article Ford's 400,000-car recall could be the tip of an auto security iceberg

Ford’s recall of more than 400,000 cars in North America to fix a software bug may be just the first of many for the motor industry as automobiles become increasingly complex, security researchers warn. As previously reported, a total of 433,000 2015 Focus, C-MAX and Escape cars are being recalled to dealerships for a software …

Page:

  1. Graham Marsden
    Facepalm

    And, as usual...

    ... security takes second place (or even lower) to marketing...

    1. Anonymous Coward
      Anonymous Coward

      Re: And, as usual...

      The whole movement of computerized control of car engines has gotten completely out of hand. There is very little need for much of it. Of course, it does cause to take our cars in for service more often and enables us to do less ourselves and I guess, ultimately, that's the point. We have lost control of own vehicles to the manufacture and whatever government agency decides to stop our car. As well as, whatever hacker decides to stop our car as I'm sure that can't be far away.

      1. Anonymous Coward
        Anonymous Coward

        Re: And, as usual...

        Because in the good old days everybody spent much less on servicing their totally reliable cars, and spent less on fuel because they were so much more efficient.

        Bollocks.

  2. Arachnoid

    So what happens

    When these faulty vehicles are beyond warrenty and the manufacturer requires either a disproportionate amount of money for a patch or even declies an upgrade path [al la Windows XP] .Are there to be thousands of vehicles just abandoned by the side of the road?

    1. Elmer Phud Silver badge

      Re: So what happens

      What happens is you get people like Quinten Willlson(sp?) appearing on telly offering insurance schemes in the guise of 'extended warranty'.

    2. James Hughes 1

      Re: So what happens

      I believe that safety issues have to be fixed even if out of warrantee. Hence you get recalls of even quite old cars.

      1. Arachnoid

        Re: So what happens

        Thats fine for a large manufacturer with a even larger budget but it would kill smaller manufacturers and as the vehicle ages [ala SAAB ] who then provides the now defunct system upgrade to a propriotory system that may be under someone eleses copyrights?

        To put a different analogy how long realisticly should Apple provide software support for the iPad One five years,ten years,fifteen years?

        1. YetAnotherLocksmith

          Re: So what happens

          "Smaller car manufacturers" is relative. All the small ones have already been crushed under the costs of testing, inspections, recalls, etc., or simply bought out.

          Going for Open Sorcery might work, but let's face it, none of it looks good from here - even the US government can't keep a secret these days, so you holding your car key (physical and/or electronic) on a server? What hope?

        2. Anonymous Coward
          Anonymous Coward

          Re: So what happens

          > To put a different analogy how long realisticly should Apple provide software support for the iPad One five years,ten years,fifteen years?

          Well they only provided it for three. It's been marooned on iOS 6 (IIRC), and has now gotten to the point where not even the browser works reliably with modern sites due to bugs in Safari, and you can't install a newer browser from the app store because none of the third-part browsers bother to support the limited API version in iOS6 ...

          Bad example ...

        3. nilfs2

          Re: So what happens

          "To put a different analogy how long realisticly should Apple provide software support for the iPad One five years,ten years,fifteen years?"

          Assuming that new cars will last that much, which is not at all the intention of most manufacturers nowadays

    3. Anonymous Coward
      Anonymous Coward

      Re: So what happens

      When these faulty vehicles are beyond warrenty and the manufacturer requires either a disproportionate amount of money for a patch or even declies an upgrade path [al la Windows XP]

      I suspect the same as what happens with old Windows PCs: they get reformatted and get a Linux derivative installed, and we end up with a whole new tech war where Debian purists only want a command line because graphics require proprietary drivers, Ubuntu sells every search for an address to someone else and eventually the Linux Mint team sorts out a display that is really nice, in various flavours. It will result in a whole new aftermarket environment (etc etc).

      :)

    4. Anonymous Coward
      Anonymous Coward

      Re: So what happens

      *enter stage left, Apple*

    5. Michael Wojcik Silver badge

      Re: So what happens

      Are there to be thousands of vehicles just abandoned by the side of the road?

      That'd be cool, since this particular bug means the engine stays running. So when you need a car, you just find an abandoned, still-running one. As long as you can keep it fueled, you're good to go!

      On a more serious note, I've had mechanical ignition switches fail in cars. Had one Honda with an intermittently-failing ignition switch, which took weeks to diagnose properly. Still a better idea than software-controlled ignition.

      My Volvo has the whole transceiver-in-the-pocket hit-button-to-start gimmick. Yes, it saves me literally seconds of key-twisting. But everyone's adopting that sort of thing (at least for vehicles in the higher trim lines) because stupid buyers insist on stupid shiny, and the rest of us get stuck with it.

      1. Anonymous Coward
        Anonymous Coward

        Re: So what happens

        If you think about it, you only have keys in the first place because of thieves. If there were no thieves nobody would say "I'd really like to have the Inconvenience Package where I have to put a particular thing into a hole to get in, and then put that same thing into another hole to start the car." Buttonless-entry-button-start is paying for some technology that quietly says "Fuck you thieves" every time you use the car.

        I don't know that I'd have paid for it as an option, but I do enjoy the buttonless-entry-button-start on my cars. Not only does it save a bit of time each day, and avoid fishing keys out of a pocket (thus eliminating the chance of accidentally fishing something else out of the pocket) but I live somewhere that gets very cold*, and it's rather nice to get out of that cold sooner rather than later.

        * One winter night when I was growing up in the early eighties it got down to -22C overnight. Where I live now that's still a very cold night, but not a once-in-a-lifetime cold night, and I expect multiple overnight lows below that every year.

  3. Elmer Phud Silver badge

    It's a bit like getting a new O/S -- always leave it for a while until all the 'beta' testers have sorted it out.

    1. YetAnotherLocksmith

      Except that means you are late patching, which could really easily be fatal or lead to your car literally stealing itself - it wouldn't take much to tell a self-driving car to drive to the new owner in a foreign clime!

  4. Voland's right hand Silver badge

    That is the least of your problems

    Quality assurance needs to be excellent too; imagine a duff update going out that bricks your vehicle or, worse, causes safety issues.

    That is the "good case". Now imagine an update which screws up the update system in addition to any of those so you cannot fix it without re-flashing the control computer(s).

    1. James Hughes 1

      Re: That is the least of your problems

      Then you are back to what we have now - return car to dealer for fixing.

      1. Anonymous Coward
        Anonymous Coward

        Re: That is the least of your problems

        Unless of course, the update completely bricks the engine so that it's basically dead weight. And then it's found out at the dealer (AFTER you get them to pay for a tow truck to get your car back to the dealer) that it's bricked at the hardware level and needs to be completely replaced: sort of like the electronic equivalent of a blown transmission.

        1. annodomini2 Bronze badge

          Re: That is the least of your problems

          It happens, but it's still return to dealer, to replace the ECU rather than a software update.

  5. Yugguy

    The more of this I read

    The more I know I don't want a modern car.

    How complicated does software need to be to cut off the fuel when the key is removed?

    1. James Hughes 1

      Re: The more of this I read

      Modern cars are much more fuel efficient, have better quality interiors and more features. They are also safer and often cheaper to maintain, as they go wrong less.

      But apart from that...

      (I have an 13 year old Civic on 230k miles, plus some kit cars based on Escort Mk2 parts, so not as if I have a new car, but even I can see the advantages)

      1. This post has been deleted by its author

        1. JeffyPoooh Silver badge
          Pint

          Re: The more of this I read

          "...being chased by violent criminals along an open road..."

          No, it's in a shopping mall.

      2. Yugguy

        Re: The more of this I read

        True but none of this requires external connectivity.

        I would MUCH rather have my car NOT connected, and secure, and have to return occasionally to the dealer for updates than have any form of automated OTA updates for CORE functions.

        I can see a point to having ancillary things like builtin satnavs updated wirelessly, but core functionality? HELL NO.

        1. Voland's right hand Silver badge

          Re: The more of this I read

          I would MUCH rather have my car NOT connected, and secure,

          Wrong logic. This means that a major issue with the car is not fixed until you understand about it and take it to the dealer.

          An example is BMW taking the thoroughly and fully cretinous decision of allowing key programming via EBD2 while the alarm is in active state. So anyone with a tool which costs 30$ can steal a car which costs 60k. So let's imagine a hypothetical situation similar to a zero day exploit where you are driving a car which is vulnerable somewhere out in the sticks in the deepest darkest Eastern Europe/Latin America/South East Asia (scratch the ones that do not fit). Do you want the next villager down the road to appropriate your car (or your car to crash, stop just because it feels like it, etc) or you are happy to have the firmware uploaded?

          What I am not happy with though is the car doing it by _ITSELF_.

          This is what is massively opened for abuse including tracking users, updating at the wrong time, etc. What I would want is the car to ask my phone nicely via an app on my phone if I agree that a particular action is appropriate at this particular moment. Ditto for firmware updates, recall alerts, servicing - everything.

          The problem is that the car manufacturers will never ever agree to that. They are obsessed with the car doing everything and never ever relinquishing the control. An example of this obsession is the next Eu safety reg which instead of mandating car pairing and car initiated emergency calls in case of a crash has gone for sticking a GSM SIM (with all the opportunities for abuse coming with this) into the car itself.

          1. Yugguy

            Re: The more of this I read

            I don't think computers have ANY place in a car apart from engine management where constant microsecond changes are needed. In your example I would say the car should not have so much IT in it that is vulnerable.

            I don't want to go back to days of contact breaker points but I also don't see the need for massive computerisation either.

            But I realise I have no hope of ever stopping it.

            1. chris 17

              Re: The more of this I read

              @yugguy

              You realise this is a tech site?

              Do you want traction control, end, abs brakes, tyre deflation warnings, air bags, parking sensors, remote central locking, electric windows and mirrors, auto on lights, engine immobiliser (anti theft) windscreen wipers, turn indicators to name but a few.

              They have been on many "dumb" cars but require an amount of IT/CPU/software to work. You may not want them but they have saved countless lives, are mandated by law and the buying public want them too.

              1. Mudslinger

                Re: The more of this I read

                @chris

                My 1972 LandRover doesn't have any microelectronics (hell, it barely has electrics) but somehow it manages to have turn indicators and windscreen wipers. Happy to live without the other nice to haves - if they're not there they don't go wrong. :)

                Not sure what "end" is a typo for.

              2. Yugguy

                Re: The more of this I read

                You miss the point.

                Firstly, a lot of those can be done with none-computerised electro-mechanical systems.

                Secondly, even if fully computerised and with internal networking (e.g. Vauxhall canbus), everything you mention can be done with CLOSED systems. NONE of them require external connectivity. I very much want my car to be a closed system.

                Thirdly, systems such as air bags, abs, traction control should NEVER require the equivalent of hotfixes or patches.

                I am not against computerisation per se. I LOVE the fact that ECUs mean I can pay a couple of hundred quid and get a 30 or 40% power increase for my diesel turbo car.

            2. I. Aproveofitspendingonspecificprojects

              Re: The more of this I read

              I recall a friend showing me the points from a Nissan in the days just before electronic ignition. The car had been used around the clock to within limits a driving school car would have. After going around the clock a fair bit he took it in for its service and the mechanic found the points worn down to the bone.

              He had not noticed any problem with the engine as the car was firing perfectly.

              He had thought the car was running with electronic ignition and was surprised to find he needed to replace them. Cut to an adjacent Talbot whose computer problems required it rot away in a yard waiting for parts. I have never been in any hurry to get the latest greatest.

              I can still remember the thin skin of platinum that was all that was left of the Nissan's points. I was duly, truly amazed.

              1. Graham Bartlett

                Re: The more of this I read @IAproveofitspendingonspecificprojects

                You'd be truly amazed how easy it is to run an engine. Remember that back in the early days of cars, there were no carburettors or anything that sophisticated - all they did was blow air over the surface of a puddle of fuel, and hope evaporation picked up enough. And it worked.

                As for points, old cars used whole lot more juice on the spark than they ideally needed. The result was spark plugs and points wearing away as the zaps vaporised small bits of metal each time. Spark plugs were a 5000-mile/6-month service item on my old Montego. These days spark plugs are a 10-year-service item, and that's more because they simply don't know how long they'll keep running so they take a guess.

                If you want fuel economy *and* performance *and* the car to run at altitude, that's where it gets tricky.

          2. chris 17

            Re: The more of this I read

            @voland

            They know if they ask customers if they want to update they'll get 99.9999% of customers being confused & complaining about being asked and a silent few who won't bother to update anyway.

            Do you get a say when the websites you visit patch their systems? Would you care?

            1. Voland's right hand Silver badge

              Re: The more of this I read

              @chris 17

              It is not just the update. The update is the least of the issues with car-centric instead of user-centric connectivity. By the way, even joe average user is so trained on updates nowdays that he/she will actually usually press yes. Phones finally made sure of that.

              The update being the least of the issues.

              Scenario 1. The Eu idiocy for emergency calling in accidents driven by car manufacturers which are scared sh*tless from losing control - worthless. Emergency services get a message and so what? Do they know the number of occupants? Do they know their identities? Allergies? Blood groups? Organ groups? F** no. Useful? I doubt it.

              Scenario 2. Car requests from each and every phone in the car it can pair with to send an emergency message in a crash. Let's suppose that the driver has an anaphilaxis level allergy (I do) and the passenger who has had one blood transfusion too many in the past cannot take blood which does not match in secondary or even tertiary (M, K, etc) groups (example - my mom). That _WILL_ be useful if transmitted as well. World of difference between the usability of either for emergency services.

              So what do we get? The first one - because the car manufacturers marketing would rather let people die instead of making anything related to the car not car-centric.

      3. Roland6 Silver badge

        Re: The more of this I read @James Hughes 1

        "Modern cars are much more fuel efficient, have better quality interiors and more features. They are also safer and often cheaper to maintain, as they go wrong less."

        Whilst I know what you're getting at, remember the main reason modern cars go wrong less is because of advances in materials science and mechanical engineering. However, whilst my 13 year old Ford Mondeo is still going strong with 250k miles and the mechanic anticipates it being able to reach at least 300k, there are doubts about the life left in the 'fancy' stuff ie. the electronics, sensors and associated stuff. Because for the last two years my main costs have been replacing various parts of the 'fancy' stuff which are rather expensive.

        Comparing this car with my new Ford, my impression is that whilst the new car may also mechanically be capable of doing at least 300k, the additional electronics most probably mean that it will never achieve a similar length of service because electronics will age quicker than the mechanical parts...

      4. Intractable Potsherd

        Re: The more of this I read @ James Hughes 1

        "... they go wrong less."

        At least while they are new. Just wait until the electronic components start to die.

    2. Blane Bramble
      Terminator

      Re: The more of this I read

      The question is, why doesn't the key actually cut off the engine physically(/electrically)? This is not a function that software should over-ride. It certainly isn't a function that should provide a "hint" to a computer that the fleshy part might like the engine to stop.

      1. Yugguy

        Re: The more of this I read

        EXACTLY.

      2. Anonymous Coward
        Anonymous Coward

        Re: The more of this I read

        "...why doesn't the key actually cut off the engine physically(/electrically)? "

        Because then you can't have remote start.

        1. Anonymous Coward
          Anonymous Coward

          Re: The more of this I read

          "Because then you can't have remote start."

          errrr ... I do not think the two are mutually exclusive in any electrical sense.

        2. Anonymous Coward
          Anonymous Coward

          Re: The more of this I read

          ""...why doesn't the key actually cut off the engine physically(/electrically)? "

          Because then you can't have remote start."

          Maybe you're joking, maybe you're not.

          Two independent momentary switches, one for "Press to Start" and another one for "Press to Stop", is trivial to do. A contact in parellel with the "Start" one can be operated remotely without having to remove the local "Stop" facility.

          It doesn't need a "body control module" aka computer to talk to an engine control module aka computer, It may need an extra relay, depending on what's already there. Relays are nice simple trustworthy things, but there is an actual cost to fitting them, whereas the software for remote start costs nothing to add, so software's better for that kind of thing, right?

        3. Intractable Potsherd

          Re: The more of this I read

          "Because then you can't have remote start."

          And the problem is ....?

      3. annodomini2 Bronze badge

        Re: The more of this I read

        It's classed as a safety feature, basically, if you're travelling above a certain speed (usually 10kph, all these systems work in metric).

        Killing the ignition, would (eventually) kill all the other systems in the vehicle (ABS, EPS, Stability control etc).

        So they treat it as an invalid key off and it won't die until you stop.

  6. Ben Bonsall

    “Cars which are capable of receiving instructions via the internet (such as software updates) are potentially more at risk of being hacked or meddled with than those which don’t,” warned Cluley

    Potentially??!!

  7. Cuddles Silver badge

    Ugh.

    "underlines the increasing need for over-the-air (OTA) software updates"

    No it doesn't. Quite the opposite in fact. It underlines the need to make sure things actually work properly before releasing to the public, and then ensuring no-one can screw with it in any way to change that. Over-the-air updates would guarantee far more faulty products being released (see the gaming industry for a perfect example). while simultaneously meaning that previously working products will constantly be broken via either incompetent updates or malicious activity.

    1. Charles 9 Silver badge

      Re: Ugh.

      The problem with YOUR idea being that "getting it right the first time" is a pipe dream, especially with time AND budget constraints.

      Cheap, Quick, Correct — Pick any TWO.

      And it's been like this even BEFORE computers entered cars. Manufacturers basically pray they're not forced to do a recall.

      1. Anonymous Coward
        Anonymous Coward

        "Getting it right first time"

        The second you use software to control systems with potentially fatal consequences, you MUST apply safety-critical software design and testing techniques. Which means literally getting it right first time, and for the projected lifetime of the system.

        Any 'patches' should only be delivered after running the amended code through the complete suite of regression tests, combined with unit tests for the newly introduced code.

        Relying on an OTA 'patch Tuesday' system for a ton of metal travelling at high speed on public roads scares the crap out of me.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Getting it right first time"

          Planes still fall out of the sky due to unseen flaws. Granted, we need to get as close as reasonable, but then diminishing returns kicks in and we're still far from perfect (and will never get close--we ARE human).

          As for scaring you, which scares you more? A car with software that can be borked over the air, or a car with a borked system that has never been to the dealer to be fixed? Seems like Pick Your Poison to me. OTA is probably the only reliable way to make sure such cars get their bugs fixed (and there WILL be bugs), yet it's inherently insecure.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Getting it right first time"

            Using that logic, you'd be quite happy to update fly-by-wire software in aircraft using an OTA patch system.

            Hey, we could use passengers' smartphones to communicate with the update server and do the patching over Bluetooth whilst in flight.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Getting it right first time"

              "Using that logic, you'd be quite happy to update fly-by-wire software in aircraft using an OTA patch system."

              Don't think about updating systems in-transit, but the occasional need to update things toot-sweet as soon as they're back down. That's why the US FAA has Airworthiness Directives. At least with airplanes, when these things get issued, they get done or bad things happen. You can't say the same thing about cars, most of which are owned by individuals who may be hard to reach.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019