Article from 2021 (IEEE)

Summary: The concept of software freedom inside cars has become a distant fantasy; the cars that are being manufactured nowadays disregard security and embrace unnecessary complexity

ABOUT a week ago we started this series. We looked at a consultation right here in the UK -- a misguided bit of text which characterises modifying one's own car as "tampering". Shades of "sideloading" in the context of software...

Demonising those who exercise control over a device they bought?

We then looked at what Toyota had begun doing, published Part I about the issue, and then -- several days later -- expanded in Part II and in last night's Part III. We've meanwhile, in parallel, studied just what amount of computing had crept into today's cars (gradually over the years). The data isn't entirely secret, but there are not many publications about it; more importantly, there seems to be no public debate about software freedom in that context. We wish to change that.

"The data isn't entirely secret, but there are not many publications about it; more importantly, there seems to be no public debate about software freedom in that context."Last week we wrote that in today's cars there's "not just a computer onboard but several"; a person contacted us to say "not just a computer onboard but many"...

OK, but just how many exactly? Obviously that depends on the car, but there are many overlaps across models and brands.

I am not clueless about today's cars; I did drive in the past and a decade ago I went to a car agency (that was the last time). Even in 2011 things were already starting to look grim. It was a Toyota agency.

"Most car fanatics I know consider the car a single system and ignore the many microcontrollers," an associate noted a week ago. "I have the feeling that on top of that most of the information is proprietary..."

Certainly, in my experience, the media does not inform people about the situation; I only realised how big an issue it was when supply chain woes caused price spikes and critical shortages; it was getting too hard to get all the bits to assemble new cars [1, 2].

So we decided to study a number authoritative pages about the number of processors and the nature of the tasks they perform. I already knew about the "micro" (processors) ones, which aren't exactly new and are installed at the ends/edges, but was not sure how they qualify with respect to "computer" (the components and their complexity may vary in definition).

As our associate put it, "there are many microcontrollers, I guess based on activities, and at least two full computers." There are publications[PDF] and full articles about it (not necessarily new). As our associate explained, "another site, with a comment going to a dead MIT link, suggests 50 to 70 "Electronic Control Units" in cars as of ten years ago."

That's the last time I went to a car agency. It has certainly increased a lot since then.

"That's even older" than this ("More Auto Computers Means More Complicated, Costly and Longer Repairs" according to this article from 2016), the associated noted, quoting various bits. This page says "high-end cars have as many as 100, and they’re accompanied by 60 to 100 different electronic sensors..."

And these parts are controlled by computers: "Engine control, Exhaust control, Heating/cooling, Fuel pump, Water pump, Transmission, Power steering, Brakes, Traction control, Airbags, Collison warning, Parking assist, Backup monitoring, Door and trunk locks, Power windows, Climate control, Power seats, Wipers, Charging system, Interior lighting, Brake lights, turn signals, Headlamps/daytime running lamps, Navigation, Car audio, and GPS..."

And "add side- and rear-view mirrors to that long list above," our associate noted.

"There are security/safety implications, as we covered earlier this year (in summer)..."Remember that these are all proprietary, some go decades back, but now they get connected to the Internet and more (e.g. Bluetooth connectivity with another device, which may be compromised). So some are connected less directly to the Net, e.g. their local (car) mother ship, which is in turn controlled by a bigger mother ship (vendor/government/cracker).

There are security/safety implications, as we covered earlier this year (in summer), and articles like "How a Hacker Could Hijack Your Car While You Drive" (Tom's Guide) that deal with the main question.

"It's largely ignored because, as mentioned, car fans see the vehicle as a physical object still when in reality most of it is software," our associate said. "Yes, all proprietary and restricted so as to lock out independent repair shops and mechanics. There was a lot of attention to this about 10 years ago in the various security conferences. Then a burst of information as some of the embargoes were lifted. I presume the quietness on that front means that more of the researchers are under NDAs again. Shmoocon, DefCon, and BlackHat usually have automative tracks."

We hope the conversation will be resumed and extended to the Free software world. We need to do more to highlight the dangers and tackle the problem.

"General-purpose computing is niche nowadays," our associate said, "and that niche has been shrinjing. The multinationals also appear to be aiming to eliminate it eventually. UEFI, TPM, DRM etc..."

"We hope the conversation will be resumed and extended to the Free software world. We need to do more to highlight the dangers and tackle the problem."Well, almost nobody covers these issues, so it's a vacuum we can fill in the coming weeks/months. We invite groups like the FSF (even SFC and OSI) to do the same.

More than a decade ago we still saw people saying that software was eating the world (citing famous old words), but nowadays people talk about "apps" and "clown computing" and all sorts of other nonsense. Not too long ago an article entitled "How Software Is Eating the Car" was published in IEEE Spectrum. To quote: "Predictions of lost global vehicle production caused by the ongoing semiconductor shortage continue to rise. In January, analysts forecast that 1.5 million fewer vehicles would be produced as a result of the shortage; by April that number had steadily climbed to more than 2.7 million units, and by May, to more than 4.1 million units. The semiconductor shortage has underscored not only the fragility of the automotive supply chain, but placed an intense spotlight on the auto industry’s reliance on the dozens of concealed computers embedded throughout vehicles today."

Get ready for some numbers that are more recent: "The company further predicts that each new car today has about $600 worth of semiconductors packed into it, consisting of up to 3,000 chips of all types."

"The IEEE article above speaks of "7,000 external signals", "120 ECUs" and so on. They say "Electronic Control Unit" (as euphemism for a computer)."Up to 3,000.

As our associated noted, "security has to be part of the design process, but it hasn't been, thus we end up with not just CAN but with everything integrated with it."

The IEEE article above speaks of "7,000 external signals", "120 ECUs" and so on. They say "Electronic Control Unit" (as euphemism for a computer).

In the next part we'll continue this discussion. One growing concern is, the lobbyists of car-making giants are trying to pass new laws mandating all sorts of things which eventually take "old" or "dumb" cars off the road (even if some manufacturers produce new alternatives that opt out of this whole mess). ⬆