Good luck saying 'Sorry I'm late, I had to update my car's firmware'

The IETF has noticed how badly Internet of Things firmware is managed, and wants it fixed. Whether it's the Mirai botnet's attack on Dyn, smart sex toys with dumb vulns, or easily hackable home routers, the problem is often that firmware fixes are needed but too often aren't installed. The Software Updates for Internet of …

  1. Anonymous Coward
    Anonymous Coward

    OTA Updates for Cars

    This is one of the things that Tesla owners crow loudly about.

    They will carry on until... it gets hacked and thousands of Teslas are borked and turned into useless lumps of metal and plastic.

    So far the update mechanism hasn't been hacked but surely it is only a matter of time. Then... all hell will be let loose.

    I refer to IoT as Idiots or Twats. At the moment there are just so many holes in the stuff that you have to be an idiot to buy it in the first place and then a total twat to install it in your home where it can possibly spy on you 24/7 and you don't have a clue as to what it is doing.

    In time, we may be able to test the security of these devices for ourselves but until then... I'm staying well away (As in miles) from this shit and NOT buying a Tesla.

    1. Phil O'Sophical Silver badge

      Re: OTA Updates for Cars

      Why single out Tesla? Just because it uses electricity to power the engine doesn't make it any more or less vulnerable to a control system hack than an ICE car. The hacks which have been carried out so far have been on things like Jeeps, not Teslas. Every car with onboard electronics and OTA (which these days means most new cars) is vulnerable.

      1. AMBxx Silver badge
        Boffin

        Re: OTA Updates for Cars

        I don't think hacking is the first thing to worry about. It's far more likely that the cars are broken by a bad update.

        1. parperback parper

          Re: OTA Updates for Cars

          And if these guidelines are followed, the borking update will be promptly installed and you won't be able to roll it back.

        2. ma1010 Silver badge
          Stop

          Re: OTA Updates for Cars

          @AMBxx

          ...making sure failed updates are reversible but successful ones are not.

          THIS: It's far more likely that the cars are broken by a bad update.

          Exactly. What if you get a "Windows X" type update (you can't control it) that borks your car? But the update went through, so it must be "successful," right? Except for the minor detail that your car won't run now.

          It all depends on how one defines "successful," I guess. Owners always need the ability to back out of a bad firmware update, whether or not it succeeded in installing itself.

          1. englishr
            Joke

            Re: OTA Updates for Cars

            "Exactly. What if you get a "Windows X" type update (you can't control it) that borks your car?"

            Presumably function can be restored by careful editing of /etc/X11/xorg.conf ?
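The disagreement above between "the borking update will be promptly installed and you won't be able to roll it back" and "owners always need the ability to back out of a bad firmware update" comes down to how a device defines a successful update. The following is an added illustration, not code from the article, the IETF draft or any car maker: a small Go model of an A/B slot bootloader in which "success" means the new image booted and passed its own health check, not merely that it was written to flash. The slot layout, the three-attempt limit and the Install/Boot/Revert API are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Slot models one of two firmware partitions (A/B layout).
type Slot struct {
	Version   uint32
	Valid     bool // image is present and passed verification at install
	Confirmed bool // image has booted and passed its self-test at least once
}

// Device holds the A/B state a bootloader keeps in non-volatile storage.
type Device struct {
	Slots        [2]Slot
	Active       int // slot that is known-good and boots by default
	Pending      int // slot awaiting its first successful boot, or -1
	BootTries    int // failed boot attempts of the pending slot so far
	MaxBootTries int
}

func NewDevice(initial uint32) *Device {
	d := &Device{Pending: -1, MaxBootTries: 3}
	d.Slots[0] = Slot{Version: initial, Valid: true, Confirmed: true}
	return d
}

// Install writes a new image into the inactive slot. The active slot is
// never overwritten, so the last known-good image survives a bad update.
func (d *Device) Install(version uint32) error {
	if d.Pending != -1 {
		return errors.New("an update is already pending; boot or revert first")
	}
	if version <= d.Slots[d.Active].Version {
		return errors.New("refusing downgrade below the active image version")
	}
	target := 1 - d.Active
	d.Slots[target] = Slot{Version: version, Valid: true}
	d.Pending = target
	d.BootTries = 0
	return nil
}

// Boot picks a slot, runs the image's self-test (healthy) and returns the
// version that ended up running. A pending image only becomes the active
// one once it proves healthy; after MaxBootTries failures the bootloader
// poisons it and falls back to the previous slot without owner action.
func (d *Device) Boot(healthy func(version uint32) bool) uint32 {
	if d.Pending == -1 {
		return d.Slots[d.Active].Version
	}
	p := &d.Slots[d.Pending]
	if healthy(p.Version) {
		p.Confirmed = true
		d.Active = d.Pending
		d.Pending = -1
		d.BootTries = 0
		return p.Version
	}
	d.BootTries++
	if d.BootTries >= d.MaxBootTries {
		p.Valid = false // never retry an image that failed three times
		d.Pending = -1
	}
	return d.Slots[d.Active].Version // fall back to the known-good slot
}

// Revert lets the owner back out of an already-confirmed update by
// switching to the other slot, provided it still holds a confirmed image.
func (d *Device) Revert() error {
	other := 1 - d.Active
	if !d.Slots[other].Valid || !d.Slots[other].Confirmed {
		return errors.New("no confirmed previous image to revert to")
	}
	d.Active = other
	return nil
}

func main() {
	d := NewDevice(10)
	_ = d.Install(11)
	broken := func(v uint32) bool { return v != 11 } // v11 never passes its self-test
	for i := 0; i < 4; i++ {
		fmt.Println("booted version", d.Boot(broken))
	}
	fmt.Println("pending slot after automatic fallback:", d.Pending)
}
```

The point of the model is that "successful" is decided by the health check, not by the installer: an image that installs cleanly but fails to boot is backed out automatically, and an image that booted fine but the owner dislikes can still be backed out through Revert because the old slot was never overwritten.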

      2. boltar

        Re: OTA Updates for Cars

        "Why single out Tesla? Just because it uses electricty to power the engine doesn't make it any more or less vulnerable to a control system hack than an ICE car. "

        If the engine runs away on an ICE car you can switch off the ignition (unless it's a runaway diesel), put it into neutral and coast to the side of the road even if the brakes have been disabled and get out. Good luck doing that in an electric car where the motors are directly connected to the wheels and there is no ignition system - just a button telling the computer to wake/sleep.

        Also if the hacker finds a way to bypass the battery overcurrent controls then he could remotely cause a fire. Possibly while driving you along at 150mph having disabled the brakes and doing some remote steering - I imagine the power steering in a Tesla is a lot more powerful and harder to manually steer against than in a normal car due to the autodrive function, so while some 200lb male might not have a problem fighting it, a 100lb woman may well do.

        1. Anonymous Coward
          Anonymous Coward

          Re: OTA Updates for Cars

          Unless things have changed in the last couple of years, European construction regulations require direct mechanical linkage for steering and brakes (which have to be cross-linked, so a failure doesn't take out all the brakes on one side, but rather those in opposing corners).

          1. boltar

            Re: OTA Updates for Cars

            " direct mechanical linkage for steering and brakes (which have to be cross-linked, so a failure doesn't take out all the brakes on one side"

            Brakes can be disabled simply by mucking about with the ABS system. I suggest you and the 8 clueless pillocks who modded me down google it (clue - ABS has to be able to lift the pads off the disc no matter what the pressure on the brake pedal). And yes, the steering has to have a mechanical linkage. But try turning the wheel on a car with power steering when the ignition is off.

            1. IsJustabloke
              Facepalm

              Re: OTA Updates for Cars

              @boltar

              I have a car without power steering and stationary you're absolutely correct they are a bugger to turn but any kind of motion and they become manageable.

              My more modern car suffered a power steering failure and guess what happened? That's right, I successfully steered the car all the way home and then all the way to a garage. While we're on the subject, I've also suffered an ABS failure. Do you think that ...

              A) my brakes stopped working

              or

              B) my brakes continued to work but with more effort

              There's only a single "clueless pillock" in this thread and I wasn't even one of the 8 that down voted you!

              Blimey, what a Friday afternoon car that was :D

              1. boltar

                Re: OTA Updates for Cars

                " but any kind of motion and they become manageable."

                For various definitions of manageable depending on whether it's electric or hydraulic and how much the car weighs. I had a Volvo that needed a serious heave to move the wheel when the pump was off regardless of speed and on the road at any significant speed would have been uncontrollable.

                "I've also suffered an ABS failure do you think that ..."

                Do try and keep up, we're not talking about ABS failures, we're talking about deliberately hacking the ABS so it lifts the pads and doesn't drop them again or simply doesn't switch off which is almost as effective.

                Don't believe me?

                https://www.youtube.com/watch?v=IvFVYEWh1xs

                "There's only a single "clueless pillock" in this thread and I wasn't even one of the 8 that down voted you!"

                Says the man who couldn't even be bothered to google the facts first. FFS, this is a technical forum, at least attempt to get a fecking clue.

                Oh, and FWIW , safe failed ABS doesn't mean you need more effort to operate the brakes. Do you even know how ABS works and what it does?

              2. Gene Cash Silver badge

                Re: OTA Updates for Cars

                > I've also suffered an ABS failure do you think that ...

                > A) my brakes stopped working

                > or

                > B) my brakes continued to work but with more effort

                You're confusing ABS with power brakes. They are not even remotely the same.

                I've suffered an ABS failure that manifested as the car completely removing ALL braking between 27-24mph (no matter how hard you stood on the brakes) then locking all 4 wheels when the speed dropped below 24mph (no matter how softly the pedal was applied)

                So yes, I'll take option A.

                That was a whole lot of fun. Fortunately I was able to pull the relay powering the ABS to disable it and get home and then to a shop. It turned out to be a bent wheel sensor bracket.

        2. Anonymous Coward
          Anonymous Coward

          Re: OTA Updates for Cars

          Lots of "I imagine" going on in this thread. Perhaps, given this is a tech publication, we could try sticking to some "facts"?

          1. Teiwaz Silver badge
            Devil

            Re: OTA Updates for Cars

            Lots of "I imagine" going on in this thread. Perhaps, given this is a tech publication, we could try sticking to some "facts"?

            If you are going to wait for facts, you're going to be either running to catch up to your runaway future self-driving car or running away as it tries to mow you down.

            'I imagine' helps visualise possible future problems, so hopefully you arrange to catch them before they happen, or merely not be there to take the blame as a convenient patsy.

            1. Anonymous Coward
              Anonymous Coward

              Re: OTA Updates for Cars

              @Teiwaz / @Mark 85 / @Roland6 - yes, all reasonable points regarding the wider need for imagination. In this particular case I was having a dig at people who were "imagining" (i.e. making things up) about actual vehicles that exist.

          2. Mark 85 Silver badge

            Re: OTA Updates for Cars

            Lots of "I imagine" going on in this thread. Perhaps, given this is a tech publication, we could try sticking to some "facts"?

            Err... yes. What do you expect? El Reg is for computer geeks not car geeks so speculation and thoughts are along those lines. We, in this field, tend to look a lot at "I imagine" and "what if" because it's part of what we do. There is more to a car than the control computer and there's where those nebulous statements come in. Personally, I've tossed my share of wrenches and had the greasy hands to show for it but with these rolling computers we have today they go to the shop.

          3. Roland6 Silver badge

            Re: OTA Updates for Cars

            Lots of "I imagine" going on in this thread.

            How do you think Software Devs write software? Requirements specifications only take you so far...

        3. DasWezel
          Facepalm

          Re: OTA Updates for Cars

          Here speaks someone whose knowledge comes almost entirely from drama shows on the TV.

          - How do you "just turn off the ignition" in your ICE car when the ignition switch is just a trigger to a computer?

          - How do you "just put it in neutral" when a lot of ICE autobox gear selectors are nothing more than a fancy switch?

          As for battery overcurrent controls, I think you're underestimating a little invention from the far off days of 1864: the fuse.

          If you think your ICE car is truly "off" when you remove the key, you're about 40 years out of date.

          1. Anonymous Coward
            Anonymous Coward

            Re: OTA Updates for Cars

            Key??

          2. boltar

            Re: OTA Updates for Cars

            "How do you "just turn off the ignition" in your ICE car when the ignition switch is just a trigger to a computer?"

            Not in my 2008 car, it's a physical wired connection.

            " How do you "just put it in neutral" when a lot of ICE autobox gear selectors are nothing more than a fancy switch?"

            You've never heard of manual gearboxes I take it? And the auto box is generally a fairly dumb self contained remotely unhackable unit except in up market cars.

            "As for battery overcurrent controls, I think you're underestimating a little invention from the far off days of 1864: the fuse."

            Apparently you don't understand how lithium batteries charge. Never mind, next...

            "If you think your ICE car is truly "off" when you remove the key, you're about 40 years out of date."

            The engine ECU is physically switched off in most cars - the only thing left on is the security system. And if you're dumb enough to have bought a car with a key fob instead of a key then more fool you. You'll probably have it nicked soon anyway thanks to spoofing.

        4. James O'Shea

          Re: OTA Updates for Cars

          "If the engine runs away on an ICE car you can switch off the ignition (unless its a runaway diesel) , put it into neutral and coast to the side of the road even if the brakes have been disabled and get out ."

          Ah... nope. See, for example, <https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/>

          "I imagine the power steering in a tesla is a lot more powerful and harder to manually steer against than in a normal car due to the autodrive function so while some 200lb male might not have a problem fighting it a 100lb woman may well do."

          Read the article above. It is entirely possible to lock the 'user' completely out of everything _now_. Steering, brakes, engine start/stop, transmission, the lot. Down to controlling the radio. Doing it to a Tesla instead of a Chrysler would not be significantly harder or easier. And, yes, this problem affected Chryslers and Dodges as well as Jeeps, they used the same electronics packages. Chrysler has allegedly fixed this particular loophole. Given that they're Chrysler, and have been proven to be grossly incompetent over _decades_, I'm sure that there's more stuff hiding in their code just waiting to be exploited. Ford and GM are better than Chrysler, but that's not hard. And Toyota is just begging to be hacked. I own a Toyota; their arrogance is breathtaking.

          1. nijam

            Re: OTA Updates for Cars

            > Down to controlling the radio.

            Indeed. Out of interest, why is the radio even on the CANBUS?

        5. annodomini2

          Re: OTA Updates for Cars

          I imagine the power steering in a tesla is a lot more powerful and harder to manually steer against than in a normal car due to the autodrive function so while some 200lb male might not have a problem fighting it a 100lb woman may well do.

          Nope, 90% of cars less than 10yo are EPS (Electric Power Steering), vs Hydraulic or Electrically Powered Hydraulic Steering.

          IF an EPS system is determined to go a specific direction or position it will go there, no human is strong enough to resist, if you try it will most likely break your arms before it moves!

          To give you an idea, an early prototype of a 1st generation EPS was tested for a major automaker, there was a bug in the firmware which caused it to go full left (this is during development and not my code btw), it proceeded to go full left and when it hit the rack end stop, generated sufficient torque to rip the EPS unit out of the bulkhead and continued to spin until it snapped its power cables.

          Autodrive has nothing to do with the power of the system, but the reliability, with self drive basically this thing cannot fail. It needs a sequence of backup modes in the event of failures (there are of course limits).

      3. macjules Silver badge

        Re: OTA Updates for Cars

        Why single out Tesla?

        As a (former) Tesla owner I experienced at least 2 updates that left the car unusable until the next update had been applied, and those are the ones I know of. In each case Tesla were aware of what had happened and the fix was applied almost immediately. But still...

  2. Voland's right hand Silver badge

    and when you turn the key to “off”, the electronics also goes dark.

    This will definitely stop being the case for a plug-in hybrid or electric vehicle. It will also define a clear idle state (while charging). A lot of the connectivity issues also go away - you can even talk low bitrate over the charging cable.

    1. jmch Silver badge

      "when you turn the key to “off”"

      More and more cars no longer have a key to turn to 'off', just keyless ignition (hopefully) secured by encrypted key on the remote fob. In fact there's probably no high-end car sold in the last 3-5 years or mid-level car in the last 1-2 years that still has a physical ignition except as backup when the remote fails.

      So there is no physical switch and SOME electronics have to be always-on

      1. tiggity Silver badge

        When you buy low end cars you don't have that issue ;-)

        I like physical keys that turn ignition on / off (and lock / unlock doors)

  3. malle-herbert Silver badge
    Facepalm

    "firmware fixes are needed but too often aren't installed."

    Or not available....

    How else do you get consumers to buy the new and latest shiny-shiny toys ?

    1. AMBxx Silver badge

      Re: "firmware fixes are needed but too often aren't installed."

      Anybody reading this know how long Tesla have promised updates for?

      1. Geoff Campbell
        FAIL

        Re: "firmware fixes are needed but too often aren't installed."

        My 2014 Tesla receives updates regularly.

        GJC

  4. A Non e-mouse Silver badge

    A friend was late for a meeting. He was accepting the Tesla software update - thinking it would be something that would take only a few minutes. I think he said it took half an hour.

    1. Phil O'Sophical Silver badge

      Surely anyone who's opened their Windows laptop in an airport for a quick email check while waiting at the gate is familiar with that problem!

      1. Lee D Silver badge

        Strangely, I like my computers to not do anything unless requested.

        It seems some people lost that idea some years ago and tolerate anything now.

        Hell, even my phone can't update an app without asking first.

        Sorry, Microsoft / Samsung / whoever. It's my device. You'll do what I say. By all means inform me, but I can also say "shut up" to those notifications permanently if you abuse them.

        The auto-update-with-no-choice-about-it is really only a product of the last few years. I will literally hack my operating system to stop you doing that to me, having witnessed any number of updates-gone-drastically-wrong, and inconvenient timings for updates.

        Within weeks of Windows 10 upgrades going out to Windows 7/8 users, I had one person who trashed their entire system including all documents (we have no idea how), and one who was forced to upgrade a fresh machine and then explorer crashed out constantly (which meant Windows was unusable in any mode and we had to recover files). That's not counting all the Windows Updates that just blue-screen, take out features (one IT guy I know has a PC on Windows 10 that every Windows 10 update removes his Ethernet drivers and nobody knows why, but to say that's slightly annoying is an understatement), or are later revoked for discovered problems.

        You have to be an idiot to blindly upgrade everything the second it pops up. Hell, the software often doesn't even give you a chance to make a proper backup with its "Update Later" kind of non-option. If MS etc. were taking responsibility for my data, that would then be their problem. While they don't, they don't get to dictate when I update.

        1. muddysteve

          I can see the problem with cars being the insurance companies. "You drove your car without accepting an important update? Sorry, we cannot cover you in those circumstances."

          1. Anonymous Coward
            Anonymous Coward

            That provision actually was in the draft bill for self-driving cars ...

          2. Anonymous Coward
            Anonymous Coward

            And the reverse is...

            so Mr Orlowski... You were driving and an over the air update caused your car to crash?

            Pull the other one. Oh, and by the way we aren't covering the damage to your car or the other 10 that you damaged before you ended up in the ditch.

            OTA Updates are a lovely way for the insurance companies to get out of any liability.

            1. Paul Hovnanian Silver badge
              Facepalm

              Re: And the reverse is...

              "You were driving and an over the air update caused your car to crash?"

              I hope they aren't that stupid. Even Microsoft waits for you to log off/shut down before borking your system.

              1. nijam

                Re: And the reverse is...

                > Even Microsoft waits for you to log off/shut down before borking your system.

                No, they install the bork first, *then* tell you to "restart to bork your system" (may not be the exact wording of the message, not sure).

        2. Phil O'Sophical Silver badge

          Strangely, I like my computers to not do anything unless requested.

          Me too, but it isn't my computer.

          You have to be an idiot to blindly upgrade everything the second it pops up.

          Couldn't agree more, but try telling that to the company IT people who provide the laptop & software image. Even when I change the registry entries to block updates, the next connection to the corporate network resets them. I've given up, I manage my own systems as they should be managed, and the company can do what it wants on the ones it owns.

          1. Yet Another Anonymous coward Silver badge

            Strangely, I like my computers to not do anything unless requested.

            So you would be happy with a botnet of millions of home devices crashing infrastructure until a million owners all conduct their own failure mode analysis and initiate their CAPA policy framework before deciding to update their hacked device?

            1. Roland6 Silver badge

              >So you would be happy with a botnet of millions of home devices crashing infrastructure

              The trouble is that any half decent malware from the last decade either disabled some updates or changed things so that updates fail; hence I regularly come across systems where Windows Update is running automatically in the background - but the user is totally unaware that no updates have been successfully applied for several months. People tend to only discover their machine has been hacked when either an AV update (assuming this hasn't also been compromised) enables the scanner to detect the malware or the malware moves up a step and their system becomes unusable.

              So whilst I'm not happy with a botnet of home devices, I can't see any simple and 99.999% reliable way of remotely and automatically updating hacked devices, with a 99.999% degree of confidence that the updated device will boot and be fully restored to normal operation.

        3. ma1010 Silver badge
          Linux

          Have an upvote!

          @Lee D

          I wish I could give you 100+. What you say is totally true.

          On the PC front, that's one reason I moved to Linux, painful though the transition was for me. Having made that transition, though, I will never go back to Windows and that "forced update" nonsense. My Linux system never updates except when I tell it to, and only installs the updates I tell it to install. I can skip or defer any update I wish to.

          Whatever happened to the concept that if you OWN something, YOU should control it? It's my personal computer, not Satya's. My car belongs to me, not Honda. And so on.

          There should be a law that ANY updates, firmware, software, whatever, should not install without the owner's permission (take THAT, Satya!) and can be easily rolled back in the event they cause more problems than they cure, which happens all too often.

          Never happen, of course. On either side of the Pond, we've got the best governments big corporate money can buy.

          1. richardcox13

            Re: Have an upvote!

            > Whatever happened to the concept that if you OWN something, YOU should control it?

            It failed for the 99% of the population who failed to control and maintain it... and gave us the bots for the bot nets.

      2. Anonymous Coward
        Anonymous Coward

        Yet another reason, after security, reliability, performance, and privacy, to overwrite Windows with Linux on any new laptop.

    2. Anonymous Coward
      Anonymous Coward

      I am doubtful of this anecdote. The update screen quite clearly tells you how long it will take and you have to accept the dialog window to continue. They usually say a time > 1hr but often complete a bit quicker. You can also schedule it for any time you like (defaults to 2am or something like that) so there was no need to try and cram it in before a trip either.

      1. Colin Miller

        I am doubtful of this anecdote. The update screen quite clearly tells you how long it will take and you have to accept the dialog window to continue. They usually say a time > 1hr but often complete a bit quicker. You can also schedule it for any time you like (defaults to 2am or something like that) so there was no need to try and cram it in before a trip either.

        It would be useful if the car reminded you of an update when you turn the ignition off. A fair number of folks could well forget between being told at the start of their drive, and arriving at their destination.

        1. Anonymous Coward
          Anonymous Coward

          It does remind you. There is a very obvious yellow clock icon at the top of the screen when there is an update waiting to be installed.

          1. Roland6 Silver badge

            >There is a very obvious yellow clock icon at the top of the screen when there is an update waiting to be installed.

            Yes Windows can be quite persistent and obvious that updates are waiting, as can iOS and the iStore. However, it is surprising just how many people can ignore such visual prompts for a surprisingly long period of time.

            It is because of this that I believe in the regular (although not too frequent) servicing/housekeeping action, i.e. a planned outage, so that outstanding issues can be addressed. Not ideal, but it gets the job done, hence why car manufacturers recommend at least annual service intervals and the government demands an annual MOT inspection.

    3. Jonathan Ellis

      Accepting an update takes about 8 seconds. Sitting there for no reason waiting for it to install however could well take hours... but hey, if people like to make up excuses about not going to meetings that's up to them.

  5. Anonymous Coward
    Anonymous Coward

    Wife's Skoda needs an update

    Garage says, we can't do it, you have to download it yourself - will need an SD card.

    Download for relevant model not in download site. Cr*p.

    Toyota not much better - you just have to pay through the nose.

    Software seems to dodge the UK requirements for 10 years of spare parts availability.

    I strongly suspect that the problems will not be hacking related as suggested above, simply obsolescence. All these cars with built-in Apple friendly modes are only an Apple change away from being entirely useless.

    I want to buy a car, not an additional subscription to your cr*p maps, a tat app that reminds me when you want to advertise insurance.

    Cars should "Just work"...grrr

    1. AMBxx Silver badge

      Re: Wife's Skoda needs an update

      I guess the resale value of my 3 year old Land Rover Defender just went up again.

      1. BebopWeBop Silver badge

        Re: Wife's Skoda needs an update

        But the purchaser will need to be able to drive it away I presume (sore experience from my otherwise dependable - when it drives, Landrover)

        1. AMBxx Silver badge
          Happy

          Re: Wife's Skoda needs an update

          Yes, rub it in!

          Coat always carried for potential breakdowns..

      2. Roland6 Silver badge

        Re: Wife's Skoda needs an update

        >I guess the resale value of my 3 year old Land Rover Defender just went up again.

        Not interested unless it is ex-military spec - where the floor panels could be lifted giving full access to the drive train...

  6. Roger Greenwood

    Should be easy to find the time for car updates

    The updates can run whilst you check the windows, lights, oil, water, tyres etc before each journey. We all do that surely?

    1. AMBxx Silver badge
      Facepalm

      Re: Should be easy to find the time for car updates

      I think you'll find that all those checks are dependent upon the software being updated.

    2. Roland6 Silver badge

      Re: Should be easy to find the time for car updates

      >The updates can run whilst you check the windows..

      No, 'checks' are checks. Having checked the fuel level, oil level, water levels, tyre pressures etc. I then decide which if any need any further action before or during my journey.

      Thus thankyou for informing me that a software update is available, I will (if I remember) set it to run when I know the car is not going to be needed for a while, such as at the end of my journey or when I return home after work.

    3. Paul Hovnanian Silver badge
      Joke

      Re: Should be easy to find the time for car updates

      "whilst you check the windows"

      Right. They are updating as well.

  7. Anonymous South African Coward Silver badge

    All righty then.

    Now get the Great Unwashed to update their 2-year old (if not older) IoT tat, and see where that will get you.

    Better to brick all those old IoT tat for good and get them to get new IoT stuff that can be updated on a regular basis.

    But that ain't gonna happen, the old stuff will remain, spewing out junk until it dies and get replaced by another cheap knockoff.

  8. Chris Hills

    A new cause for concern

    One thing that worries me, is that when a company is sold, or goes bankrupt and the assets are flogged off, a malicious third party could acquire the private keys and use it to distribute malware. For example, the British company Wileyfox that makes phones has gone into administration. If I were to acquire the company, I could silently push out malware that dialed premium rate phone numbers. With vehicles the potential is far worse. You could send a firmware that causes the vehicles to identify its competitors' management and try to run them over. Yes this is far fetched right now, but I fear less far fetched in the future.

    1. Anonymous Coward
      Anonymous Coward

      Re: A new cause for concern

      Ooooh, I like the way you're thinking...

    2. Nick Kew Silver badge

      Re: A new cause for concern

      Not sure that's entirely new: rather it's a new face on a well-known issue. We've seen it online where a domain changes hands from someone trusted (and linked from respected sources) to someone evil. Not a private key, but a level of trust that might count for just as much.

      The more interesting question is, who is thinking about it? You can mitigate: for example, IoT company's insurers to hold keys and revocation certificates in escrow, but who will make that a code of practice?

      1. Anonymous Coward
        Anonymous Coward

        Re: A new cause for concern

        "IoT company's insurers to hold keys and revocation certificates in escrow"

        Oh, what lovely opportunities for another point of attack to get keys and revocation certs to use for ransomware, DOS, etc., quite possibly for a whole assortment of different companies.

      2. Mark 85 Silver badge

        Re: A new cause for concern

        The more interesting question is, who is thinking about it? You can mitigate: for example, IoT company's insurers to hold keys and revocation certificates in escrow, but who will make that a code of practice?

        Sorry... If I buy your company, I'm buying and controlling everything including keys, certificates, etc. Once you have the check/cash, you're out of the picture. That's the way it works...

    3. Anonymous Coward
      Anonymous Coward

      Re: A new cause for concern

      Who needs to wait until the company is sold? Just bribe the right person now.

  9. Steve Graham

    Let's get physical

    How about making the upgrade come as a little ROM chip? The dealership can either send it out, or pop it into your device for you (I'm thinking cars, mainly) for a modest fee.

    If you can get 64Gb or more in a micro-SD card for a few pounds, a tiny ROM in that kind of form factor could be very cheap.

    1. Nick Kew Silver badge

      Re: Let's get physical

      Very cheap, yes. But surely subject to the same security concerns as a software update: an imposter could brew up a ROM containing malware, at a cost that's a drop in the ocean compared to a home or car system. Security again boils down to a cryptographic chain of trust.

      How do SIM cards authenticate? That looks like a framework for pushing out a handshake. Having a SIM card manage security of signed updates, whether of hardware or software, should surely be feasible.

    2. Anonymous Coward
      Anonymous Coward

      Re: Let's get physical

      "How about making the upgrade come as a little ROM chip? The dealership can either send it out, or pop it into your device for you"

      The physical problems here are substantial.

      Cars are exposed to major physical challenges - condensation, salt spray, various fluids (oil, coolant), extreme temperatures (-50 to +45 degrees (-58F to 113F)), EMI, large changes in atmospheric pressure, corrosives, vibration, and impact.

      These are excellent reasons for choosing a specifically hardened and sealed repository for any critical software.

  10. hammarbtyp Silver badge

    To be honest neither RFC really adds any detail to the issue.

    The biggest issue with IoT security is provisioning of the security information. You could use a shared secret, but then there is a danger of that leaking out and making your system insecure. You could use a PKI infrastructure. However, how are certificates safely distributed and revoked, assuming that you have 100's of devices which are for the most part not human accessible?

    Even delivering web pages securely from an IoT device is a challenge since most web browsers rely on domain names to authenticate the server, which does not scale when you have 1000's of IoT devices.

    1. Paul Hovnanian Silver badge

      "most web browsers rely on domain names to authenticate the server"

      While this may be true, it's not the right way to do things. DNS can only be trusted as far as the ISP or free WiFi hotspot you are connecting through. Secure DNS can fix this. But then you are right back to having saved a certificate signature locally against which you must check. Might as well just download a signed update package through whatever transport method is available and verify that.

  11. Starace Silver badge
    Flame

    Seems a bit half arsed

    Looking at what they've produced so far doesn't build huge confidence.

    Their scribblings are what you'd expect of a bunch of application engineers. The problems they're trying to cover (fast startup, strong update security on microcontrollers) have already been addressed elsewhere, but they need to actually talk to the people who specialise in this stuff, not just rely on their in-house crew.

    That's what the automotive OEMs have finally started to do and you'd hope other people would start to learn the same lessons. But given the number of shipping products that are barely more than the original platform development kit with a little bit of app hacked on top I don't hold out huge hope for the bulk of IoT gizmos.

    One little issue though - on these platforms you can have secure updates or you can have fast updates. There just isn't the grunt available for both.

  12. Hans 1 Silver badge

    "The draft also has a handy checklist of the challenges in automating the update process: for example, making sure failed updates are reversible but successful ones are not."

    Hm, can it read the user's mind? How else could it detect that the update succeeded? You update the firmware and all of a sudden your automatic transmission plays funny when you enable both Wifi and Bluetooth with the aircon at lowest with fans at half speed or some other silly combination ... listen, our smartphones / tablets are fine for the car, we do not want your untested, obsolete at delivery, script-toddler code that has more vulns than a sex toy, thanks!

    1. Anonymous Coward
      Anonymous Coward

      Well said

      I second that

  13. /dev/null

    "making sure failed updates are reversible but successful ones are not"

    But what if your successful update has successfully updated your firmware to a version that doesn't work as well as the previous one and you want to revert?

    1. Paul Hovnanian Silver badge

      Re: "making sure failed updates are reversible but successful ones are not"

      "to a version that doesn't work as well"

      That Volkswagen diesel emissions fix? I liked the way my car ran before it came out. I'm going back.

      Hmmm.
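The "failed updates are reversible but successful ones are not" line that Hans 1 and /dev/null are arguing over is usually implemented with two firmware slots, a trial-boot counter and a committed minimum version. The Go model below is an added illustration written for this thread, not code from the IETF draft or from any vendor: `Stage`, `Boot`, `Confirm` and the `trialBoots` constant are hypothetical names. It shows the mechanics behind both complaints: an image that never confirms itself is rolled back automatically by the bootloader, while an image that does confirm raises the floor so that the older version (however much better it ran) is refused afterwards. How the application decides that it is healthy before calling `Confirm` is exactly the part the device cannot read from the user's mind.

```go
package main

import (
	"errors"
	"fmt"
)

// Slot is one of two firmware banks. The device boots from Active and
// writes a staged update into the other one, so the old image survives.
type Slot int

const (
	SlotA Slot = iota
	SlotB
)

// Device models the persistent state a bootloader consults on every reset.
// All names here are constructed for the illustration.
type Device struct {
	Active    Slot
	Version   [2]uint32 // firmware version stored in each slot
	Pending   bool      // a new image is booting on trial, not yet confirmed
	BootsLeft int       // trial boots remaining before automatic rollback
	Committed uint32    // lowest version the device will ever stage again
}

var ErrOldVersion = errors.New("image older than committed version")

// trialBoots is how many resets a new image gets to call Confirm.
const trialBoots = 3

func (d *Device) inactive() Slot { return 1 - d.Active }

// Stage takes an image whose signature has already been verified (see the
// signing example elsewhere in this thread), writes it into the inactive slot
// and arms the trial counter. Anything at or below the committed version is
// refused: this is the "successful ones are not reversible" rule.
func (d *Device) Stage(version uint32) error {
	if version <= d.Committed {
		return ErrOldVersion
	}
	d.Version[d.inactive()] = version
	d.Active = d.inactive()
	d.Pending = true
	d.BootsLeft = trialBoots
	return nil
}

// Boot is what the bootloader does on reset. A pending image that has used
// up its trial boots without confirming is abandoned and the previous slot
// becomes active again: this is the "failed updates are reversible" rule.
func (d *Device) Boot() {
	if !d.Pending {
		return
	}
	if d.BootsLeft == 0 {
		d.Active = d.inactive() // previous image is still intact there
		d.Pending = false
		return
	}
	d.BootsLeft--
}

// Confirm is called by the running application once its own health checks
// pass. From this point the previous version can no longer be staged.
func (d *Device) Confirm() {
	if !d.Pending {
		return
	}
	d.Pending = false
	d.Committed = d.Version[d.Active]
}

// RunningVersion reports which image the device is currently executing.
func (d *Device) RunningVersion() uint32 { return d.Version[d.Active] }

func main() {
	// Constructed scenario: v1 is installed and committed in slot A.
	d := &Device{Active: SlotA, Version: [2]uint32{1, 0}, Committed: 1}

	// A v2 image that keeps crashing before it can confirm itself.
	_ = d.Stage(2)
	for i := 0; i < trialBoots+1; i++ {
		d.Boot()
	}
	fmt.Println("after failed trial, running v", d.RunningVersion()) // 1

	// A v2 image that boots and confirms, then an attempt to go back to v1.
	_ = d.Stage(2)
	d.Boot()
	d.Confirm()
	fmt.Println("after confirm, running v", d.RunningVersion()) // 2
	fmt.Println("stage v1 again:", d.Stage(1))                  // ErrOldVersion
}
```

The trial counter lives in storage the bootloader controls, not in the new image, which is what keeps a broken update from disabling its own rollback.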

  14. ThatOne Silver badge
    Facepalm

    In theory there is no difference between theory and practice

    In practice, ideally you'll get 2 years of more or less useless updates signed by a private key left on an unsecured AWS bucket, updates which will replace any existing bugs with new, fresh ones.

    Then nothing. (If you're lucky the last update won't put your device into a "slow and useless" mode to help you decide buying the newest model.)

    But more realistically, you'll just pay for those updates through a higher price, but won't ever get any (unless a problem gets lots of media coverage and causes bad press). A dollar you spend is a dollar you don't get to keep, does it really need explaining?...

  15. David Roberts Silver badge

    As if millions of voices cried out

    Help me Obi-Wan Kenobi, I need to know if you have a firmware update for me.

    Either polling out from each device in each home or (heaven forbid) each device listening for an incoming call through the firewall.

    Should ramp up the traffic a little. Could also open an opportunity to DDoS the update server. Small request and then big download.

  16. Anonymous Coward
    Anonymous Coward

    OTA updates shouldn't

    Anyone serious about security and privacy will make sure any cellular radios in a new car are disabled before accepting delivery... and not by software. If there's no fuse, a wire cutter should do the trick.

    1. doublelayer Silver badge

      Re: OTA updates shouldn't

      And that won't break the car. Definitely. There is no way the lazy people who are so intent on automatic updates won't have checked for connectivity. I'd also like to block things like this from the internet--I don't see a reason for them to need it, but I would also like to buy a car that isn't super old. Maybe I want automatic driving; it sounds convenient. Even if I don't, the allure of a car that I can disassemble well doesn't appeal so much to me as it seems to for other comment writers. Maybe if I wasn't young and had actually worked on a car before, but I haven't and I just want to get to work. I can only hope that I will be able to find one that doesn't have IOT integration as the only selling feature.

  17. Anonymous Coward
    Anonymous Coward

    Big Trust Issues with 'Lets update the Car'

    If a shop doesn't offer anything but IoT, I walk out. Why? See below... Here's what I predict will happen with Car updates at first and/or eventually:

    #1. Security & Safety: Unsafe or 'less safe' / riskier updates will get pushed to drivers of cheap budget cars first VERSUS executives driving top-tier models. No laws to stop this, right? That's what Win-10 home users are right now, guinea-pigs for corporate customers!

    #2. Privacy: Suits will sneak-in Riders / Earmarks containing unfriendly slurpy T&C as part of security updates. Microsoft showed just how low a large company is willing to go with Win-10 upgrade Malware. So why not?

    #3. Laziness / Rush-to-Market factor: Most IoT isn't ready for primetime. But firms ship anyway with a 'we'll fix it in post' attitude. Whereas products that aren't internet connected tend to work out of the box. Because they have to, don't they! What this means is: Time! Yours / mine etc. It's too easy for internet-of-shit firms to think, we'll just push this onto the customer. It's their problem to ensure updates went ok. If not, it's their problem to troubleshoot it etc. Honestly, who needs that hassle! My windows car is now 'blue-screening' but I'm already late for work. Who wants that bs in their life!

  18. edris90

    new does not mean better

    It's too bad we can't design a simple mechanical based vehicle that can't be hacked because there is no computer in it at all. Simple, elegant, resilient. Unfortunately that wisdom has been lost to history apparently.

    1. muddysteve

      Re: new does not mean better

      That would be nice. Unfortunately, vehicles without all the computer gubbins will not meet current legislation, especially around emissions.

  19. whitepines Silver badge
    Devil

    So...how long until we have ME-style signed and locked bootloaders on IoT stuff (so you can't replace the firmware with an open alternative), of course with the same click-through agreement that allows the company to violate your privacy and wallet over and over and over again with zero consequences?

    I can't wait!

  20. Christian Berger Silver badge

    Any system which can push individual updates to individual users is highly problematic...

    ... as it can be abused into sending a selected few special malevolent malware.

    This is why proper update mechanisms don't bother with that and just have a signed file available on a webserver, which makes it much harder to push individual updates.
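Three posts in this thread converge on the same point: Nick Kew's reply about the ROM chip (security "boils down to a cryptographic chain of trust" whatever the medium), Paul Hovnanian's "download a signed update package through whatever transport method is available and verify that", and Christian Berger's signed file on a plain webserver. What makes the transport irrelevant is that the device trusts only a public key baked in at manufacture, never the channel. The Go program below is an added example for this thread, not code from the draft, from any vendor, or from the commenters: it uses the standard library's Ed25519 to sign a small manifest (version plus image hash) on the vendor side and verify it on the device side, with a hypothetical `SignManifest`/`VerifyUpdate` pair and a constructed image. The same check rejects a tampered image, a forged version number, a manifest signed with someone else's key, and a replayed older release, which is the anti-rollback half of the story.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed statement that binds a firmware image to a version.
// The device only needs the vendor's public key to check it, so it does not
// matter whether the bytes arrived over HTTPS, plain HTTP, or on a ROM chip.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match manifest")
	ErrRollback     = errors.New("manifest version not newer than installed")
)

// manifestBytes is the exact byte string that gets signed: version || hash.
// Fixing the encoding matters; signing a loosely defined structure invites
// two parsers to disagree about what was signed.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignManifest runs on the vendor's build system, which is the only place the
// private key should exist. (Hypothetical name for this illustration.)
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{
		Version:   version,
		ImageHash: h,
		Signature: ed25519.Sign(priv, manifestBytes(version, h)),
	}
}

// VerifyUpdate runs on the device before anything is written to flash.
// The signature is checked first so that no unsigned field (not even the
// version number) influences a decision. (Hypothetical name.)
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed keys and image; a real device has the public key in ROM.
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image v2")
	m := SignManifest(priv, 2, image)

	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, m, image))

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, tampered))

	forged := m
	forged.Version = 3 // bump the version without the private key
	fmt.Println("forged version:", VerifyUpdate(pub, 1, forged, image))

	fmt.Println("replayed on a v2 device:", VerifyUpdate(pub, 2, m, image))
}
```

Because the manifest is a standalone signed object, the vendor can publish it and the image as two static files, exactly the "signed file on a webserver" setup, and every device verifies the same bytes; there is no per-device path on the server that could hand one customer something different.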

  21. Samizdata
    FAIL

    Forget the IOT gear...

    Forget the IoT gear, I would just be happy if I could get my tablet updates. And that's a proper computing platform with an already in place updating mechanism.

  22. Anonymous Coward
    Anonymous Coward

    Funny, some sad soul went through the whole thread, two pages of it, and conscientiously downvoted each and every post...

    Our lack of dutiful gullibility apparently angered someone...


Biting the hand that feeds IT © 1998–2019