UK.gov expects auto auto software updates won't involve users

The British government expects that most future software updates to driverless cars will be pushed into the vehicles over-the-air without any user involvement. The rather surprising expectation was outlined in a letter from transport minister Baroness Sugg to peers in the House of Lords who are currently debating the Automated …

  1. steelpillow Silver badge
    Stop

    bricklaying

    If a car suffers mechanical breakdown it gets bricked, but if a safety modification becomes available the driver has to bring the car in at their convenience. It is not a case of rushing to the nearest service centre regardless.

    If a driver suffers a health incident, say a migraine or a heart tremor, they have to take the decision whether to continue the journey. It is not a case of calling an ambulance regardless.

    Insured parties do not dicker over these things.

    Why should software be different?

    Road-related icon ------->

    1. AMBxx Silver badge
      Go

      Re: bricklaying

      Most cars (all?) have either red or amber warning lights to notify the driver of problems. If it's red, you stop immediately. If amber, you follow some form of guidance. Would be easy enough for the software updates to have a warning light. Easy enough to prove a car has been notified of a critical update, just need to light an amber light to tell the driver to update next time they stop. Perhaps a graded system of how long they are allowed to drive until the light turns red.

      Another road-related icon --------->

    2. Dave 15

      Re: bricklaying

      One of the issues is the reliability of a recall... does even the DVLA know 100% who to contact on the BMW recall... I doubt it.

    3. Dodgy Geezer Silver badge

      Re: bricklaying

      ...If a car suffers mechanical breakdown it gets bricked, but if a safety modification becomes available the driver has to bring the car in at their convenience. It is not a case of rushing to the nearest service centre regardless.

      If a driver suffers a health incident, say a migraine or a heart tremor, they have to take the decision whether to continue the journey. It is not a case of calling an ambulance regardless....

      That is the case NOW. But the inexorable trend over the last 30 years or so has been to introduce a voluntary requirement, then follow it up with compulsion.

      Expect to find it illegal for people outside a specified BMI to drive a car at some point in the next 20 years...

  2. }{amis}{
    Windows

    Oh this will be fun....

    So just as you're burning off an HGV on the M5 the car connects to a nearby cell tower and does a Microsoft and bluescreens at 70mph.

    The only evidence left over is wrapped around the axles of the said truck so the car company walks away.

    Given that the car companies can't even write a basic smartphone app for their cars without leaving gaping software holes I don't think I'm overstating the situation.

    1. AMBxx Silver badge

      Re: Oh this will be fun....

      Worse than that, they can't even write the security software properly. Look at the problems with keyless entry.

    2. MrXavia

      Re: Oh this will be fun....

      I suggest an amendment that states that updates must only apply while the car is not in use and must not prevent the car from being used during the update and in the event of an update causing the car to be unusable the manufacturer must be liable for costs incurred.

      Can you imagine parking in a car park but overstaying because your car is updating the software, or you are about to leave home to catch a train/plane and you have to wait for the update to finish so you miss it?

    3. N2
      Trollface

      Re: Oh this will be fun....

      Like BMW ...

  3. ArrZarr Silver badge
    Meh

    Harder than the trolley problem

    As title - on one hand, there is the risk of bricking a car as soon as the car gets the update. On the other hand, you would expect that a car manufacturer would test software on all the cars it supports, given how this is a much smaller group than the number of hardware configurations for computers and servers running a certain OS that we all know and love/hate (delete as appropriate)

    Personally, I'm in favour of automatic updates with the proviso that each model of car will be supported for some massive stretch of time, starting at 30 years or so (preferably 100 years).

    As soon as relatively new cars start hitting EoL à la Samsung phones, then we have problems.

    1. bigtimehustler

      Re: Harder than the trolley problem

      You mean like a mobile phone software update? Where there is precisely one hardware configuration to test against, they do tests then release and have to stop the rollout due to unexpected issues. Happens all the time, why would you think a car any different? When in fact cars do have customisations, both manufacturer installed and otherwise.

      1. ArrZarr Silver badge

        Re: Harder than the trolley problem

        There is one hardware configuration to test against, but there are so many models in the range.

        Frankly, I should hope that the mission critical package was air gapped from the non-mission critical stuff and was standardised so that the car manufacturer only had one package to test against.

        As I said in my previous post, I'm fine with over the air updates as long as a minimum support time for the car is mandated and is counted in decades rather than years.

  4. DailyLlama

    It just needs to give you some warning before the update is installed - say 2 weeks.

    "An update is available for your car, and has been downloaded. If you do not manually install it, it will be automatically installed in 14 days' time".

    That way you can wait and see if the update bricks anyone else's car, and if they have to rush out a fix, and the update gets installed regardless.

    1. Anonymous Coward

      'It just needs to give you some warning'

      Agree, but the problem will be pushy marketers tagging on bloat to these updates, that absolutely must be consumed now. Think hyper-personalization from the likes of Adobe Experience Cloud:

      https://www.bloomberg.com/news/articles/2018-02-20/the-car-of-the-future-will-sell-your-data

    2. Dave 15

      you mean just like windows 10

      Only mine keeps failing (it's a huge update and the disk isn't free enough despite having nothing but the OS on it). It also decides to tell you all about the security patch it wants to make, with a small button to allow you to cancel it; however the small button doesn't always work, the update can happen and the machine needs a power cycle restart. In fact I would say windows 10 is one hugely nasty virus.

      Frankly I do NOT want my car to auto update on its own. IF I am happy with my car then I will decide if and when it is updated, I will probably take it to the dealer and I will let them do it then if there is a problem they can contact the manufacturer and continue to provide me with a loaner while they sort the mess. After all self driving cars will need maintenance stops even if they do end up electric (then they will need new batteries every 2 years as the fitted ones die)

      1. Boothy

        Re: you mean just like windows 10

        @Dave15

        For large Win 10 updates, you typically need a lot of free space on the boot drive (10GiB+), as it's basically doing a fresh install of Windows with the larger updates, and it keeps a copy of your old Windows dir (now called 'Windows.old' ) on your boot drive afterwards. This old Windows dir is quite often 10GiB+ in size.

        This was to get round the old issue of the Windows dir just getting bigger and bigger over time, full of old cruft you no longer needed. This 'should' also get rid of the old need to reinstall Windows every couple of years or so (in theory anyway!). Still doesn't stop places like AppData getting bigger and bigger though!

        Unfortunately this basically means your boot disk needs to have at least enough space for two full copies of Win 10, your old and new version, as it retains the old version for 10 days so that it can roll back if needed (it should be deleted automatically after the 10 days is up).

        In my experience so far, you basically seem to need around 15GiB free on the Windows boot disk, otherwise the larger yearly updates are likely to fail. But the size is very dependent on your current Windows dir size.

        (Would have been nicer if MS gave the option to use a separate drive for the Windows.old backup).

        1. David 132 Silver badge
          Boffin

          Re: you mean just like windows 10

          @Boothy (Would have been nicer if MS gave the option to use a separate drive for the Windows.old backup).

          Wandering off the topic of this thread, and really just thinking aloud... I wonder if you could manually create a C:\Windows.old folder and mount another (empty) NTFS partition into it - thereby tricking Windows Update? i.e. instead of assigning a drive letter to drive D:, just mount it into c:\windows.old?

          1. Ken Hagan Gold badge

            Re: you mean just like windows 10

            @David 132: Mounting a drive on C:\windows.old would work if the upgrade process copies the old installation over to windows.old. It would fail if the upgrade expects to be able just to move it over. I expect MS do the latter, since it is more efficient in the normal case.

      2. Amused Bystander

        Re: you mean just like windows 10

        I agree with the sentiment about not allowing auto updates, but using this for another bash at Microsoft is going a little off-topic.

        A BMW 7 series, I believe, has a number of Windows licenses running, while Audi is using some old version of Android, others use Apple, and I wouldn't trust any of them to Auto-update.

        I've written to Chris Grayling and my MP, Mr Gove; they pointed me at a "public consultation" in 2015 (which I had never heard of): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/401565/pathway-driverless-cars-main.pdf

        The upshot is the Gov is happy for manufacturers to roll out autonomous cars without any extra permit or license. And they can be autonomous, but the "driver" has to remain in control at all times (not sitting in the passenger seat). A wonderful compromise.

        Coincidentally 2015 was when we first discovered the car manufacturers were cheating about emission standards. I'm sure they all learned their lessons and can be trusted with our lives.

        A controversial idea - stop Bitching here and write to your MPs

    3. Doctor_Wibble
      Coffee/keyboard

      > It just needs to give you some warning before the update is installed - say 2 weeks.

      It's a good idea but ultimately relies on someone else doing some particular thing and if everyone follows the same advice then nobody does the 'beta testing' and everyone still bricks their cars, all at the same time, just two weeks later.

  5. vtcodger Silver badge

    Bricking is not the worst thing that can happen

    Having a dead car is supremely annoying, but unless you are trying to outrun a wildfire or are racing to a hospital it's not that big a deal. But imagine if 1,726,314 recently updated 2021,2022 and 2022 Toyota Fussbudgets all decide to turn left simultaneously at local noon without regard to where they are or how fast they are going.

    I really don't think software QA is capable of guaranteeing the quality of software that would be needed to make automated vehicle software updates a routine procedure.

    1. coconuthead

      Re: Bricking is not the worst thing that can happen

      It may not be a big deal in the UK, but for sure if your car were bricked in an isolated area of Australia it could kill you, just by dying from the heat and dehydration. I suspect the same might be true in parts of Scandinavia, but from the cold.

      Now consider the scenario of all identical models on some outback road being bricked due to the same bad update. A very large proportion of vehicles in outback Australia are a few models of 4WD. Suddenly the failsafe of someone coming along and getting you to safety (before the water you did have in the car runs out) has also failed.

      1. Dave 15

        Re: Bricking is not the worst thing that can happen

        Then it's their fault... they should have bought an old Landy Defender and ignored all the fancy crap

      2. Anonymous Coward

        Re: Bricking is not the worst thing that can happen

        Toyota Landcruiser all the way or Isuzu Trooper - older the better.

    2. Anonymous Coward

      Re: Bricking is not the worst thing that can happen

      If we aren't able to trust the developers to test the software they release for auto-update to avoid this kind of nightmare, how can we be trusting that the original release they did is any better? A ticking timebomb like this is just as capable of hiding in the day-zero software install as it is in any over-the-air update.

      We hear a lot about updates which are disastrous, but on the whole, OTA updating has the capability to remove high MTBF issues from the installed base before they reach anything like their potential number of negative actual incidents. If we choose not to trust car companies to build software reliable enough to manage multiple tons of moving metal in the presence of our families and others, this is a logical decision and we continue to drive dumb cars. If we are going to allow the software to run at all we should put all possible tools in the hands of the people we are relying on to make the software safe, including OTA updating, telemetry, A-B testing and control of the timing of installation of updates being in the hands of the QA and SysOps staff of the manufacturer, not in the hands of the vehicle owner.

      1. Ken Hagan Gold badge

        Re: Bricking is not the worst thing that can happen

        "If we aren't able to trust the developers to test the software they release for auto-update to avoid this kind of nightmare, how can we be trusting that the original release they did is any better?"

        We can't, but after a period of time without catastrophes we gain confidence in the original release. Each new release needs its own probation period. That's why you don't want to be actually driving the damn thing either during or immediately after an update.

  6. Anonymous Coward

    Over the air you say?

    So, who is going to pay for that data download? What do you mean, 'me'? BTW, you're not going to use that connection to upload everything the vehicle has stored about me, y'know for research purposes?

    1. TechDrone
      Big Brother

      Re: Over the air you say?

      Wanna bet there won't be a legally mandated snoop feature added?

      Road pricing

      Congestion charges

      How many passengers you carry

      Where you shop, drink, hang out, play

      Where your friends / accomplices live or meet

      Everything you say

      Of course cyclists will then have to be banned as dangerous subversives trying to escape the love and care of big brother.

      1. Tikimon
        Mushroom

        Re: Over the air you say?

        "Wanna bet there won't be a legally mandated snoop feature added?"

        Ya beat me to it! I'll go further. This is the beginning of a government-accessible backdoor to automobiles. Expect real-time tracking, monitoring of the occupants and conversation via camera and microphone, and remote-shutdown. If the cops decide they want you, the car might actually lock the doors and drive itself to a police station. Automatic non-user-controllable updates and legally mandated "most recent version" will make sure you have the most recent spyware and cannot disable any of it.

        Every bit of that prediction is based on current and recent practice by governments and the companies that won't stand up to them. Believe me, I'd rather be wrong.

      2. Anonymous Coward
        Unhappy

        Re: Over the air you say?

        > Wanna bet there won't be a legally mandated snoop feature added?

        "Your car is now over three years old: additional start-up safety checks will now be performed before commencement of your journey. For your entertainment during this short wait, please watch this film demonstrating our latest vehicles. The safety checks will only commence once you have fastened your seat belt and closed the doors. If you release your grip on the steering wheel, the checks will start over. Thank-you for your compliance."

  7. John Smith 19 Gold badge
    Coat

    Badly thought out and likely to go TITSUP big time.

    That's about all I want to say about this stupid plan.

    Note how the UK government always puts the needs of a corporation over the safety needs of the actual owner.

    1. Ken Hagan Gold badge

      Re: Badly thought out and likely to go TITSUP big time.

      This isn't a conspiracy. This is simply what happens when you ask legislators to design an upgrade mechanism. They know nothing about software, nothing about risk management and most of them know bog-all about how it might play out in court after someone had died.

      It is entirely wrong to be writing legislation about this and to be doing it now.

      1. Dodgy Geezer Silver badge

        Re: Badly thought out and likely to go TITSUP big time.

        ....and most of them know bog-all about how it might play out in court after someone had died...

        But a lot of them are lawyers, and so have a considerable interest in setting up situations that might require their services...

  8. Anonymous Coward

    Data...

    The data could include all of your contacts from your phone, GPS data showing where you live, work, friends, kids school etc., browsing habits, driving habits. After a crash, while being repaired, inspected or transported the car is out of your control so how do you ensure the data is secure? How do you ensure your data is not being copied when it goes for a service?

    The car's software may be licensed to me when I buy the car but the data is all mine and if I choose to delete it - at any time - it should not be a criminal offence, same as my smartphone, camera, laptop etc.

  9. John Mangan

    Surely this is further motivation

    for car ownership to come to an effective, if not mandated, end.

    The manufacturers keep ownership of the cars and are responsible for updates, servicing, etc. Nobody (except for 'enthusiasts') owns their own cars but just order one up when they need one and pay by the minute/hour/day.

  10. Anonymous Coward

    Romance for IoT/Smart won't even be a one-night-stand

    "In practice, we are expecting that the overwhelming majority of software updates will be automatically installed over-the-air without the owner needing to do anything,"

    Most in my circle refuse to buy anything with a Smart sticker. Why? Before patching was an option, there was far more critical testing done at the factory. Now with patching: 'let's ship early, to hell with it'. Fuck that, it's a quality-sacrificing scam... Let people choose. We're all power users on here. For those who want the option, let's have a website listing critical patches with details on what they do. Then leave it up to the driver to decide. Why? Because most of those patches will also be filled with sneaky marketing crap and other spyware/bloatware. Have a read here:

    https://www.bloomberg.com/news/articles/2018-02-20/the-car-of-the-future-will-sell-your-data

    1. Anonymous Coward

      patches will also be filled with sneaky marketing crap + spyware/bloatware. Have a read here:

      https://www.theregister.co.uk/2018/02/14/connected_vehicles_data_and_privacy/

      https://www.bloomberg.com/news/articles/2018-02-20/crunching-car-data-for-cash-an-israeli-startup-takes-on-google

  11. Dave 15

    oh please

    We have autoupdating software in a number of fields. The update process in vehicles is normally ... download the new one. Try it, if it doesn't work we helpfully kept the old one and revert to that.

    Of course there are still theoretical ways it can brick but they are really pretty theoretical.

    The biggest danger is that the keys that sign and ensure the download came from the correct source get compromised in the future and then anyone can do it and then the risk is higher. I think my main concern with all of this is just the software quality in the first place - a driver is judging an immense collection of things and our experience so far of very large and complex software doing things like analysing street scenes, radar images and so forth in order to try and use some form of algorithm to determine safe speed, direction and changes that can actually be made is pretty poor, coupled with the question of just how well these self driving cars will cope when the wheels hit the diesel and it won't stop, or the brakes suffer a mechanical failure etc etc. Not that these days many drivers can cope with a trivial dose of snow either.
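Dave 15's sketch of the usual vehicle update process (download the new image, try it, and if it fails revert to the old one that was kept) and his worry about the signing keys are worth seeing as code. The Go program below is an added example written for this page, not any manufacturer's implementation and not code from the poster: a two-slot (A/B) updater that refuses an image whose Ed25519 signature does not verify against the factory public key, refuses an image that is not newer than firmware already proven good, and falls back to the previous slot when a trial boot fails its self-test. The image layout, the `selfTest` callback, the field names and all version numbers are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is a firmware image as delivered over the air (layout invented for this
// example): the signature covers version || SHA-256(payload), so the version
// field cannot be edited without breaking the signature.
type Image struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// Updater is the vehicle side: two slots, the active index, the factory public
// key and a monotonic anti-rollback floor.
type Updater struct {
	Slots      [2]Image
	Active     int
	PubKey     ed25519.PublicKey
	MinVersion uint32
}

var ErrBadSignature = errors.New("signature does not verify against the factory key")
var ErrRollback = errors.New("image is not newer than firmware already proven good")

// NewKeyPair makes the factory signing key; only the public half goes into cars.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedDigest binds the version number to the payload hash.
func signedDigest(version uint32, payload []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	sum := sha256.Sum256(append(v[:], payload...))
	return sum[:]
}

// Sign is the factory side: it produces a release image.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload, Signature: ed25519.Sign(priv, signedDigest(version, payload))}
}

// NewUpdater models a car that left the factory running firmware initial.
func NewUpdater(pub ed25519.PublicKey, initial Image) *Updater {
	return &Updater{Slots: [2]Image{initial}, PubKey: pub, MinVersion: initial.Version}
}

// Running reports the firmware version in the active slot.
func (u *Updater) Running() uint32 { return u.Slots[u.Active].Version }

// Stage verifies a downloaded image and writes it into the inactive slot only;
// the active slot is never written, so a bad download cannot brick the car.
func (u *Updater) Stage(img Image) error {
	if !ed25519.Verify(u.PubKey, signedDigest(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= u.MinVersion {
		return ErrRollback
	}
	u.Slots[1-u.Active] = img
	return nil
}

// TryBoot switches to the staged slot; selfTest stands in for the checks the new
// firmware must pass. On failure it reverts to the previous slot (Dave 15's "we
// helpfully kept the old one"); the rollback floor rises only after success.
func (u *Updater) TryBoot(selfTest func(payload []byte) bool) (running uint32, reverted bool) {
	candidate := 1 - u.Active
	if u.Slots[candidate].Payload == nil {
		return u.Running(), false // nothing staged: keep running what we have
	}
	u.Active = candidate
	if selfTest(u.Slots[candidate].Payload) {
		u.MinVersion = u.Slots[candidate].Version
		return u.Running(), false
	}
	u.Active, u.Slots[candidate] = 1-candidate, Image{} // back to the old slot, discard the bad image
	return u.Running(), true
}

func main() {
	pub, priv := NewKeyPair()
	car := NewUpdater(pub, Sign(priv, 1, []byte("firmware v1 (constructed)")))
	_ = car.Stage(Sign(priv, 2, []byte("firmware v2, broken (constructed)")))
	v, reverted := car.TryBoot(func([]byte) bool { return false }) // self-test fails
	fmt.Printf("after broken v2: running v%d, reverted=%v\n", v, reverted)
	_ = car.Stage(Sign(priv, 2, []byte("firmware v2, fixed (constructed)")))
	v, reverted = car.TryBoot(func([]byte) bool { return true })
	fmt.Printf("after fixed v2: running v%d, reverted=%v\n", v, reverted)
	fmt.Println("re-stage v1:", car.Stage(Sign(priv, 1, []byte("firmware v1 (constructed)"))))
}
```

Two design points matter here. The anti-rollback floor (`MinVersion`) is raised only after the new image has booted and passed its self-test, so a failed update never locks the car out of the version it just reverted to. And the scheme does nothing about the key compromise Dave 15 mentions: the car trusts anything that verifies against the factory public key, so the whole arrangement rests on the private key never leaving the signing service.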

  12. Anonymous Coward

    "In practice, we are expecting that the overwhelming majority of software updates will be automatically installed over-the-air without the owner needing to do anything," Sugg wrote ..

    I had a hire car, in the US, that had an OTA update. As I was driving, it initially warned me of it and delayed till I got to the home location. It then asked if it was OK to update. After a brief update, all was done and car continued. I'm assuming that if it had failed, I could have rolled back.

    Being at the home location made all the difference - if it had bricked - I wouldn't have been stranded on some random location or road and would have had access to contact my local garage.

    Why the UK peers can't grasp a use case similar to this isn't surprising - half of them don't even understand technology or the Internet.

  13. sebt27
    Thumb Down

    Fragile

    Doesn't this amount to openly admitting that the software for driverless cars is going to be developed on the fine, industry-standard methodology of

    "Just get it released, we can fix any problems with a mandatory update"

    ?

    following the <i>gloriously successful</i> track record of this revolutionary new method elsewhere in software development?

    "safety critical update."

    Don't be silly. ALL updates are safety-critical. Because safety'n'security is the new way to get people to Obey. It's like saying "in the name of God". You <b>must</b> install this update

    <s>so that we can slurp more of your data</s>

    <s>to disable the cigarette lighter in line with legislation</s>

    for the safety'n'security of you and other road users.

  14. Christoph

    The problem with the various above suggestions of delayed update is security patches.

    There are already instances of security holes being attacked very shortly after the patch is released, by people who have reverse-engineered the patch to find the hole.

    If you delay updating for several days to avoid any chance of bricking the car, you might find that it's been hacked. Which for a car might have very nasty consequences - the people doing the hacking are unlikely to do extensive safety testing!

    1. Ken Hagan Gold badge

      Security holes? If my car depends on an internet connection, it isn't going to be safe. If it doesn't, I can just switch off the connection. There ... secured.

      In fact, that (hypothetical, but essential) switch is the most plausible mechanism for delaying an update.

  15. Red Bren
    Black Helicopters

    OTA Obsolescence

    Gazing into my crystal ball...

    My three year old car that I've just finished paying the finance on installs an OTA update without my knowledge or permission. Suddenly, the frequency of needing a recharge goes up and the flux capacitor is more sluggish. Every commercial break on the radio now starts with an advert for the latest model of my car.

    My neighbour bought the same car at around the same time, but he's on a 5 year finance deal. His car is still performing as well as it did when it hovered off the forecourt. The only adverts he hears on the radio are for help claiming mis-sold car finance...

    Now where did I put my tinfoil hat?

    1. SImon Hobson Bronze badge

      Re: OTA Obsolescence

      Not only that, but as mentioned above there is the EoL issue - how long does the manufacturer provide updates for. Not hard to see cars hitting EoL for software updates and the options being to scrap them or pay ever increasing contract prices for ongoing support. Think MS and Windoze XP extended support.

      Add in the way that (for example) John Deere in the USA has used their DMCA laws to prevent third parties from repairing tractors and you can see the scope for shenanigans.

  16. thames
    Stop

    It doesn't take much imagination to see how this could go horribly wrong.

    Now waiting for a nation state to infiltrate the over the air update system and deliver a patch which bricks every vehicle in the country simultaneously, causing transport, the economy, and society in general to collapse with no practical means of recovery.

    Meanwhile the government will defend their plans on the grounds that they just make policy and law, but it's someone else's role to be held responsible for the consequences of it when the government's plans invariably go wrong.

  17. Anonymous Coward

    And this is before anyone starts talking about the software getting infected with a virus.

    A car is just another IOT device.

  18. annodomini2
    FAIL

    Irrational...

    Forced updates are irrational for all the above reasons:

    1. Crash/bluescreen.

    2. Incomplete/Incompatible updates.

    As they want to prevent potentially dangerous software from being active on the road, which is a valid request.

    Require that particular operation/feature to not be available until the update is applied, rather than forcing the update.
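Several posts in this thread describe the same install policy from different angles: AMBxx's amber-then-red warning light, MrXavia's rule that an update must never apply while the car is in use, DailyLlama's 14-day grace period before automatic installation, and annodomini2's point just above that the safer lever is to withhold the affected feature rather than force the update. The Go program below is an added example written for this page, not code from any manufacturer or from the posters; it combines those proposals into one decision function so the interactions between them can be checked. The `Vehicle` fields, the 14-day figure, the indicator names and the timestamps are assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// GracePeriod is how long an available update may wait before it is installed
// without the owner's say-so. Fourteen days is DailyLlama's figure; it is an
// assumption of this example, not any manufacturer's policy.
const GracePeriod = 14 * 24 * time.Hour

// Indicator follows AMBxx's dashboard-light idea: amber means "update at the
// next stop", red means the grace period has run out.
type Indicator string

const (
	Off   Indicator = "off"
	Amber Indicator = "amber"
	Red   Indicator = "red"
)

// Vehicle is what the on-board update agent can observe (field names invented).
type Vehicle struct {
	InUse         bool      // a journey is in progress
	UpdatePending bool      // a verified image is downloaded and waiting
	AvailableAt   time.Time // when that image was downloaded
	OwnerApproved bool      // the owner pressed "install now"
}

// Decision is what the agent may do right now.
type Decision struct {
	Install       bool      // start installing
	AutomatedMode bool      // the automated driving function may be engaged
	Light         Indicator // dashboard indicator to show
	Reason        string
}

// Decide combines the thread's proposals into one policy:
//   - never install while the car is in use (MrXavia);
//   - at a stop, install once the owner approves or the grace period ends (DailyLlama);
//   - until then show amber; once overdue show red and withhold only the
//     automated function, not the whole car (annodomini2).
func Decide(v Vehicle, now time.Time) Decision {
	if !v.UpdatePending {
		return Decision{AutomatedMode: true, Light: Off, Reason: "software up to date"}
	}
	overdue := !now.Before(v.AvailableAt.Add(GracePeriod))
	switch {
	case v.InUse && overdue:
		return Decision{Light: Red, Reason: "overdue: automated mode withheld until the update is installed"}
	case v.InUse:
		return Decision{AutomatedMode: true, Light: Amber, Reason: "deferred: vehicle in use"}
	case v.OwnerApproved:
		return Decision{Install: true, Light: Amber, Reason: "installing: owner approved"}
	case overdue:
		return Decision{Install: true, Light: Red, Reason: "installing: grace period expired"}
	default:
		return Decision{AutomatedMode: true, Light: Amber, Reason: "waiting for owner approval or end of grace period"}
	}
}

// TimeLeft reports how much of the grace period remains (zero once overdue).
func TimeLeft(v Vehicle, now time.Time) time.Duration {
	if left := v.AvailableAt.Add(GracePeriod).Sub(now); left > 0 {
		return left
	}
	return 0
}

func main() {
	downloaded := time.Date(2018, 3, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	v := Vehicle{UpdatePending: true, AvailableAt: downloaded}
	steps := []struct {
		label string
		inUse bool
		after time.Duration
	}{
		{"driving, day 1", true, 24 * time.Hour},
		{"parked, day 1", false, 25 * time.Hour},
		{"driving, day 15", true, 15 * 24 * time.Hour},
		{"parked, day 15", false, 15*24*time.Hour + time.Hour},
	}
	for _, s := range steps {
		v.InUse = s.inUse
		now := downloaded.Add(s.after)
		d := Decide(v, now)
		fmt.Printf("%-16s install=%-5v auto=%-5v light=%-5s left=%-6v %s\n",
			s.label, d.Install, d.AutomatedMode, d.Light, TimeLeft(v, now), d.Reason)
	}
}
```

The ordering of the `switch` cases is the point: "in use" is tested before anything else, so even an overdue update is never applied mid-journey, and the cost of ignoring the amber light is loss of the automated function, not a car that installs software at 70mph. Doctor_Wibble's objection still stands, though: a fixed grace period only helps if someone else installs first, so the deadline needs to be staggered across the fleet rather than identical for every car.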

  19. Anonymous Coward

    Don't for a minute think that workshop visits will be a thing of the past with autonomous (and/or) electric vehicles. There will still be a requirement for regular visits; brakes, tyres, wiper blades etc. will still require replacement, and new challenges will arise in cooling systems - vital for the electric motors to function - and reduction gearboxes / final drive systems. On top of this, some manufacturers are already using switched packet networks as a replacement for CANBus due to the data density. JLR have deployed DOIP ('Pathfinder') across many models; it's in its infancy, but it's common for a 'service' to include up to 90 minutes of software updates to the vehicle systems. The downside is that it currently takes about 15 mins to establish a diagnostic session - not great if all you need to do is top up the DEF tank!

    It's also worth stating that many premium brand vehicles exceed design life by a significant margin, second, third and fourth owners will ensure that a lot of 'dumb' cars will be on the roads for many years yet - or until legislation or trouble in the middle east makes them extinct

  20. Anonymous Coward
    Joke

    Legality not l'égalité

    > illegal to use an auto auto in auto mode "unless the application software relating to the vehicle's automated function is up to date"

    "But Officer, it was up-to-date when I started my journey..."
