by jlokier 253 days ago
> - You're basically at risk of your Jeep going limp (power loss, unable to safely make it to the shoulder) and being stranded on the highway, even as I write this.

This seems extraordinary.

I was going to ask: Are you really saying they kill the vehicle's power system, effectively the engine, while the vehicle is being driven on the highway?

But no need to ask, the article says yes, that's what is reported:

> Instead, the failure appears to occur while driving—a far more serious problem. For some, this happened close to home and at low speed, but others claim to have experienced a powertrain failure at highway speeds.

Wow.


Ya, that is shockingly scary. It makes me think we need some new standards about software updates to vehicles in general (or perhaps these already exist but were missed for some reason?). I can totally imagine that software used to be this ancillary selling point that didn't need such tight regulation, but as it becomes core infrastructure for the vehicle this is less of an IoT toy, and deserves stricter standards.
How about: you get to say whether you want to update and when and manufacturers are required to very explicitly list all of the changes in an update? That would seem to be an acceptable minimum.
I don't think that Jeep would have sent out a message saying that one of the changes would brick your machine.

It seems that the ability to trivially roll back any update would be a better choice, at least for this. (But I'm sure there are downstream effects I haven't thought about if that were implemented.)

How do you roll back a fatal car accident caused by the faulty update?

Giving users control over when the update runs allows them to be in a safe and secure setting when that update happens. Allowing them time gives them and Jeep the ability to slow-roll the update so they can halt it if initial feedback is negative.

I say this as a Mac user who does not allow auto updates for MacOS. I wait a week or so until the chatter validates it as non-breaking. They pushed an OS update several years ago that broke a few things I rely on. So I don’t trust them now, but these things just happen on OS’s with third party software. I expect it. But, I also don’t want to be forced to deal with the headaches immediately. I’d rather let the third parties run updates and advise how to deal, before I have to dive into fixing things. With car firmware, there’s really no excuse for this except poor engineering / processes.

> Giving users control over when the update runs allows them to be in a safe and secure setting when that update happens

FTFA:

> The buggy update doesn't appear to brick the car immediately. Instead, the failure appears to occur while driving — a far more serious problem

And from the GP upthread:

> There is no way to tell if you received the bad update.

> There is no way to tell if you received the 'fix' either.

Good points, I did miss those. However, if I had this vehicle and I was reading this article today - and had the ability I'm asking for - I would just keep my current version running until they figure this mess out. It's the advantage of letting other people run the updates first, you get to hear about issues before you experience them.
> user who does not allow auto updates for MacOS.

Many security compliance regimes require auto-updates to be on. It's thought of as a lesser evil, because many (most) users never update their OS/browsers, which is worse.

Well, it could be solved on two fronts: you could issue the update and let users know that the update needs to be installed and will be automatically installed if not done within a specific timeframe.

If there are security related updates where the risk is severe then they may auto update.

The point is it’s up to the device owner to make their own risk calculation instead of the benevolent manufacturer.

> Giving users control over when the update runs allows them to be in a safe and secure setting when that update happens. Allowing them time gives them and Jeep the ability to slow-roll the update so they can halt it if initial feedback is negative.

This does not fix any QA process that is broken. And frankly you should not need to update any control unit firmware after it is sold. The fact that they're even doing this is broken.

Unless your Mac is somehow attached to 5000 pounds of metal going 65 on the highway, the same standards should probably not apply.

> going 65 on the highway

Oh you sweet summer child

> The fact that they're even doing this is broken.

The NASA space probes are constantly uploaded with new software that has greatly increased the scope of their mission.

On the other hand, if you know your old software is buggy and could cause a fatal accident, you release a software update, but for some unknown reason the user keeps declining the software update. What would you do?
In that case you issue a recall, which is the correct way of dealing with potentially fatal manufacturing defects.
> On the other hand, if you know your old software is buggy and could cause a fatal accident, you release a software update

No. You test it. And release it if and when it is fully tested (you know, V-cycle). But we are Agile now and testing is expensive.

It's not perfect but seems reasonably easy to implement and would certainly help. If the user needs to approve each update and can see what the changes are most updates will either be skipped or delayed long enough that catastrophic bugs will only hit the small subset of cars that update immediately.

I would bet most updates, especially from a company this bumbling, will be more along the lines of increasing telemetry or pointless UI changes than releasing actually useful features and bug fixes.

You might not accept an update with a bunch of changes that didn’t sound relevant to you.

I certainly wouldn’t accept one while I was still driving the car!

The update didn’t happen while people were driving. Rather, the bug took time to occur, well after the update had been applied.
It has become convenient for manufacturers to treat software/firmware differently from hardware, and we should fight that. If you buy a car, phone, or a TV, you buy an appliance, not "hardware stored at your place with software/firmware controlled by us".

OTA software updates should be a convenience, not a requirement, never be automatic, and be otherwise treated just like a visit to a car repair shop.

Similarly, no manufacturer should be able to tell you "oh, but it's a software problem" if your thing doesn't work as expected (I had Apple tell me this, for example).

Exactly. It has become accepted that manufacturers can sell us complicated systems before they're "done" and software is the excuse. It should not be acceptable, and if done well we could see incentives against this behavior causing manufacturers to sell radically simpler, safer, and more maintainable systems.

In this case, it appears somehow that an infotainment system update impacted the drivetrain. In my fully "fly by wire" computerized vehicle from 1999 (M-B E300), even if it somehow could receive OTA updates, these systems are physically separate. The ABS system is a different module from the transmission controller, which is different from the engine controller. They all communicate over CAN, but the only way one could crash another is if somehow it responds poorly to incorrect CAN messages. And even if these computers crash, the mechanical components they control will probably keep working more or less. What has happened in the intervening quarter century that made it possible for this failure to happen?

> Similarly, no manufacturer should be able to tell you "oh, but it's a software problem" if your thing doesn't work as expected

Well, they should if they provided you with the hardware and you got the software from someone else. But that's the other problem: They prevent you from doing that, and then if their software is crap or they decide to turn off the servers, what do you do?

Watch for some carmaker to try to say that the car only had a 10 year warranty and then brick them by turning off some servers after they're over 10 years old, or just go out of business with the same result. It's a travesty that people even put up with that for electronics.

Release notes won't help a user figure out whether the update is going to brick their car the day after they install the update.

The solution here is that the manufacturer needs to test their damn update before any of their customers get them.

> How about: you get to say whether you want to update and when and manufacturers are required to very explicitly list all of the changes in an update?

Huh? What a stoopid idea. Who would protect your security? Who will protect the children? /s

There is no need to invent new regulations. We already have criminal liability, endangerment from gross negligence, and manslaughter!

I do not see reason, why CEOs of big companies should be exempt from this!

If a bus driver makes a mistake, or someone drives drunk... they get punished. This is the same thing!

> There is no need to invent new regulations.

The current regulations are written for a time where cars didn't have rolling computers in them. And even then, the regulations don't account for Tesla-style linked systems. So I say we do need new regulations.

Haven't cars been substantially computer controlled for decades? Electronic fuel injection has been common since at least the '90s.
Yes but it's fairly recent that cars are receiving software updates on their own. Usually if there was an update, it would be from a recall that would necessitate going to a dealer to apply the changes, not something that is auto-downloaded and applied without the owner's awareness.
And even then, the car is at a dealer and not your garage or some random shop. So it can potentially make the OEM liable if the update goes sideways.
Yes and we have the NHTSA (unless it's already been neutered by the chaos) who can accumulate statistics and issue recalls.
NHTSA's power is simultaneously very broad and narrow. They're empowered to investigate potential safety issues after the fact, but this may not be a safety issue in the very pedantic sense often used. NHTSA can proactively set standards, but the standards they've set (FMVSS) largely ignore modern electronics. So on and so forth.
NHTSA has been involved in recalls of OTAs that involve safety issues in the past, sometimes for things more minor than this, as long as it is something that affects safety equipment. e.g. stereo recalls because the backup camera took too long to display when shifted into reverse.
I'd venture a guess: you've never seen "Fight Club" :)
> It makes me think we need some new standards about software

No way. Testing is expensive. /s

Relevant: "Hackers Remotely Kill A Jeep On the Highway With Me In It" (2015)

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-hig...

>> - You're basically at risk of your Jeep going limp

This has happened to me twice with a Nissan Leaf. I paid money to get a read out from the computer system, and there were no timestamps on the screens of data.

Modern cars "computers on wheels" are dreadful.

Is it possible to disconnect the power from the radios used for "over the air" nonsense? Then at least they would be stable.

In the Leaf, you can disconnect the TCU from the CAN gateway controller located behind the infotainment system to disable its remote connections.

It will throw a perpetual "check engine" light and disable the hands-free microphone, but OVMS users have made a "dummy TCU" that gets around that annoyance.

I have the opposite problem. The specific infotainment system update I need requires a $200 visit to a dealership with a specific model of a USB 2.0 SanDisk Flash Drive (NI-52727-1). Not available OTA despite the Leaf's OTA capabilities.

In my country that car would then fail inspection immediately. Of course you could reattach before the check up, but then there is no excuse for just shutting it off.

Buying a modern car seems to come with too many strings attached these days.

> Is it possible to disconnect the power from the radios used for "over the air" nonsense? Then at least they would be stable.

I've read online that for some cars, you have to dig deep inside to disconnect the cellular antenna.

I'm a little more lucky. On my car, you can pop out the SIM card from a slot in the ceiling, behind the rear-view mirror.

This assumes you haven't given your car access to your home WiFi. (Some people do this so they don't have to pay for a data plan for their car, and it kinda sorta "syncs" when you get home.)

From a GPS software update... [1] "This is a telematics box module update" Telematics is primarily GPS and on-board diagnostics for location, speed, and fuel usage.

A GPS update kills your entire powertrain. Appears to also engage parking for some users, super dangerous. Catbones, "Almost died on the thruway today ... with an 18-wheeler behind me. ... Jeep died, locked its hand brake and jolted so hard my face almost ended up in the steering wheel at 70mph." [1]

[1] Wrangler 4xe forum, JeepCares and Catbones accounts: https://www.4xeforums.com/threads/wrangler-4xe-ota-update-10...

Personal bet: Jeep accidentally enabled the remote kill switch for repossessing automobiles. [2] Possibly the "impaired driver" kill switch. [3]

[2] Stateline, Late Payment Kill Switch: https://stateline.org/2018/11/27/late-payment-a-kill-switch-...

[3] Trackhawk, Federal Kill Switch Law: https://trackhawkgps.com/blog/kill-switch-law

Incredible that Jeep did not think to have updates only go out to cars which are stationary with engine off.
They did.

> The buggy update doesn't appear to brick the car immediately. Instead, the failure appears to occur while driving—a far more serious problem.

Top post in this thread says:

> My 4xe died in my driveway on Saturday after the update.

It seems it bricks while not driving as well.

It’s a possibility that the engine was running and the transmission was in the R or D position when it happened. The OP can clarify.
You know, if Stellantis and other manufacturers can't behave responsibly, OTA updates will be illegal. They really should get their act together.