For some time, we’ve all been privy to the remote updates that our mobile devices perform periodically. Now, we’re buying cars and some car makers are highlighting ‘OTA software updates’ as one of the features of the vehicle. But what are OTA (over-the-air) updates? And are they safe?
One of the quickest ways to tell a used car’s age is to sit behind the wheel and take a look at the centre console screen. The infotainment graphics look dated, the menu nesting is illogical and the layout is poor. Up until recent years, the only way to update the software and navigation maps was to visit a dealership or download an update using a USB stick. Apple Carplay and Android Auto have seen increasing popularity, since these companies are able to remote updates via mobile phones, to which we are all more familiar.
Nevertheless, technology is a divisive topic. On the one hand there are those that swallow all the frustrations apps bring to our lives. That’s because on the flip side, in many ways such tech makes life more convenient, more fun and safer.
On the other hand, those that think cars are way too techie, screens are massively distracting and don’t want to share their personal data with every corporation under the sun. These are some extremely valid points too.
Though all of us find different features of our cars confusing, the reality is connected features are becoming more common, whether we like it or not. Like most things in life, there are benefits and there are demerits to such developments.
Why does software need updating?
Software coding is a complex task, particularly when integrating lots of different features. Making one thing work as expected can make another area of code work less well, or worse still, break it. The complexity of code means that for basic tasks, large chunks of coding language are shared. Custom code is then added in to create a particular feature.
KSVs, or ‘known security vulnerabilities’, are bugs in programmes that surface over time. If the code being copied has a KSV in the first instance, any copies need an update or the programme susceptible to attack. This is exactly what happened in the WannaCry hack, which affected many corporations including the NHS and Renault-Nissan.
Tesla, for all models including the Y, has pioneered the use of remote updates for customer features, including seasonal releases for Halloween and Christmas, where owners’ vehicles have contained special hidden messages or functions (known as easter eggs). One of the more practical examples of such functionality improvement is that of ‘Cabin Overheat’, more recently renamed to ‘Dog Mode’, which when initiated managed the climate of the cabin so beloved pets are comfortable while you pop into the shops. This was a feature rolled out after receiving customer feedback.
In addition to protecting the code that enables all the fancy features in our cars, remote updates can also assist car makers refine the driving and in-cabin experience. We’re seeing incremental improvements in the miles of electric range, increased by software tweaks and tinkering to eke out better performance. Essentially remote updates can make cars age more slowly and help maintain residual values.
Can cars be hacked?
That’s the fear driving the very cautious roll-out of remote updates in cars. Tesla brought OTA updates to the mainstream in 2012, though General Motors has been updating its Onstar system since 2009. It wasn’t until 2016 that European car brands followed suit and started enabling remote updates and that was down to the security implications.
‘White hat’ hackers ‘penetration-test’ programmes as a full-time job, or for fun; playing around with a feature or system and deliberately trying to break it. If they spot a vulnerability, they typically inform manufacturers, as part of their code of ethics—sometimes for handsome rewards, not so handsome rewards, or even a job. They don’t actually like being called hackers, preferring the term ‘security experts’.
Conversely, ‘black hat’ hackers are the nefarious ones we usually find in movies, breaking into the Pentagon, stealing secrets to blackmail people for money. (In fairness to the good guys, who’d want to be associated with that?)
You’d like to think digital teams of large corporations would immediately take action, but plenty of instances in the past evidence that they aren’t always as quick to respond as perhaps they should be, leaving our data open to unauthorised acquisition.
Right now, the number of people that have the capability of hacking a car and doing something covertly malicious is very small. Cyber attacks in general are making greater use of artificial intelligence, but conversely, security experts, such as Argus Cyber Security and Towersec Harman, are deploying similar tactics to fight back and secure their clients’ systems.
Why is updating software in cars such a challenge?
At the moment, the connectivity in our cars is limited. That is to say, companion apps help control the lights, beep the horn and unlock the doors. If a bad actor did find a way in remotely, there’s not too much they could mess with. Highly unlikely they’d be proximate enough to physical enter the vehicle (though nothing is impossible) so at most they might wipe the journey history.
The way the vehicle’s electronic system has been initially designed never anticipated that one day, it would be connected to the internet and be able to be remotely controlled. While it’s cool to be able to remotely pre-set the climate, such features carry risks and it’s the duty of the car makers to minimise these risks.
In April 2022—a decade on from Tesla’s pioneering decision—Volvo finally announced all of its new vehicles would be supported by OTA updates. Affecting 190,000 vehicles, Volvo drivers won’t just get updates to their infotainment systems, where new apps and forthcoming video streaming will arrive. There are also feature improvements to better manage energy, climate and mobile integration.
In tandem, Polestar deployed a second iteration of the Android R and marked 100 improvements in its system since launch.
What else should I know about remote updates?
OTA updates aren’t always free-of-charge. In fact, car makers are being pretty upfront about the fact they see such features as a source of revenue. As with the Tesla model, all the hardware is being integrated into the vehicles at the point of production. Whether customers choose to enable a particular feature will be customer-specific. Therefore, if the vehicle gets sold and another owner wants to enable aforementioned feature, they can do so for a fee.
As self-driving cars become more prolific, cyber security will be significantly more important, as the stakes will be higher.
What is clear is that remote updates will prove both the problem and the solution in such cases.
