[nivla]

Wouldn't that be worse security wise? Say if there is an exploit in the wild. The customer upgrades it to the latest version. Now all the bad guy has to do is to mess around with the firmware enough to trick the system into downgrading to the exploitable version.

[michaelchisari]

If you have enough access to tamper with the firmware, you don't need a more exploitable version.

[nivla]

A car that has an app, a car that can be remotely updated, and a car that has all communication running through the same BUS, may be susceptible to remote break in without requiring any sort of physical access. Now the firmware may require signature verification to be patched, however in this case all we need is to corrupt the existing firmware or atleast make it seem like we had access to it in order to trigger an auto-downgrade.

Regardless, even under your logic an auto-downgrade without a user's input is completely unwarranted for.