Over-The-Air (OTA) Updating for AI Self-Driving Cars


By Dr. Lance Eliot, the AI Trends Insider

Windows updates.

You are probably like me in that when you see that it’s time to install Windows updates to your PC it is a moment of internal angst and overall distress.

I am betting this flashes through your mind:

  • Should you go ahead and let the updates be installed, or would you be safer to avoid accepting the updates?
  • What is going to be installed and do you really want or need whatever changes that Microsoft thinks you should have?
  • Will it possibly change features into becoming something incomprehensible and that you’ll then have to begrudgingly learn anew how to use?
  • How long will it take for the updates to get installed and will you need to walk away from your PC and go make a pot of coffee or play a game of cards until it eventually and painstakingly is completed?
  • Suppose you start the install and want to stop it – can you do so midstream or will it toast your PC?

Speaking of which, you likely wonder too what the odds are that even if the install completes, whether it might “brick” your system (an expression meaning cause your PC to become unusable like a brick).

Now, in spite of the above downsides of the updating process, it admittedly is handy that you can do updates nowadays via the Internet and not have to get a CD or DVD that you’d need to insert into your PC and run the installs from there. Furthermore, it’s kind of handy that your system can automatically do the updates without you necessarily needing to enter any elaborate commands or have to remember on your own when to do an update. Instead, the system alerts you when updates are needed and does all the heavy lifting of installing the updates.

What does this have to do with AI self-driving cars, you might be asking?

At the Cybernetic Self-Driving Car Institute, we are working on the Over-The-Air (OTA) capabilities for updating the AI of self-driving cars.

You might already be aware that Tesla is known for having an over-the-air capability. Similar in some respects to the aforementioned Windows updates for a PC, a Tesla can receive updates that are pumped down into the car remotely. In other words, there is no need to take your car into a dealership and have them physically connect to your Tesla to provide software updates. Instead, you can do the updates wherever you happen to have an online connection available.

Cool.

Indeed, one of the touted advantages for self-driving cars involves this OTA capability. For the software that runs your self-driving car, you can get all sorts of updates as needed, whenever needed, wherever needed. This means too that your self-driving car can nearly “instantly” get any of the newest features that the auto maker wants to provide to you. It all seems great and glorious.

To a degree, it is a boon for those that will be owning and using AI self-driving cars. But, as with most things in life, there are also some downsides and aspects to be considered in this expected glory.

Some predictions are that by the year 2022, there will be potentially 160 million vehicles that will have some form of OTA. Now, this does not mean they will all be self-driving cars. Nor are these even going to necessarily be true self-driving cars for those that are self-driving cars – note that there are levels of self-driving cars, with Level 5 being the highest and considered a true self-driving car, one that is driven by the AI in the same manner that a human could drive the car and thus no human driver is needed.

The OTA capability is handy even for non-self-driving cars, since any kind of software or data used within your car can be readily updated via OTA. Therefore, please don’t think that OTA is solely for self-driving cars. It’s not. Your car might have a cruise control capability that is marginally a self-driving version, performed by software stored in processors on-board your conventional car, and updates to that software, presumably to improve the cruise control, could readily be undertaken via an OTA capability of your conventional car.

Most of the auto makers realize that having an OTA capability is handy for any conventional car, and especially so for self-driving cars, and so it is gradually going to become a standard feature on all cars. The OTA capability consists of having some kind of communications device on-board the car that connects to other components of the car, so that after receiving updates across the communications line, the car can update the internal components accordingly.

Notice this means that the car needs to be designed for this purpose. If the components of the car weren’t designed to be able to get updates, it does little good to have a communications device to get updates. Likewise, if the components of the car were designed to be updated, but if there isn’t a communications device to receive updates then it’s all for naught. Even if you have the right kinds of internal components and the right kind of communication device, you are obviously dependent on the ability to actually communicate via the communications device.

Currently, when you do a Windows update to your PC, you’ve maybe had the experience of Windows opting to do an update of many megabytes while you were on a low-speed WiFi. I’m betting that it took seemingly forever to get the updates downloaded to your PC. This is the same potential problem for OTA on a car. If the communications device is connecting via WiFi, and if your WiFi network is slow, it could take a long time to get the updates downloaded to your car.

I mention this aspect because the earlier idealized notion of OTA allowing for updates at any time, and at any place, becomes a bit more murky because you need to be in a place where you have a sufficient communications connection to actually get the updates downloaded. If your self-driving car is parked in your garage at home, does your WiFi extend to and include your garage area? Is it a strong connection or a weak connection? Suppose your self-driving car is elsewhere and driving around, will there be any WiFi connection you could use? As you can see, it might be problematic to find a good spot and a solid connection for getting the OTA updates.

Let’s take a closer look at how Tesla handles their OTA for their Model S, which is handy as an exemplar. I am not picking on Tesla, nor nitpicking Tesla, and am merely using this as an example for purposes of illustrative discussion.

From the Tesla Manual

According to the Model S owner’s manual:

“Model S updates its software wirelessly, providing new features throughout your term of ownership.”

Notice that they’ve said that the updates are performed wirelessly, which is via their OTA, and they also interestingly state that you can get the updates through your term of ownership. This would seem to suggest that if you transfer ownership of the car to someone else, you no longer are able to get the updates, which I suppose one could say is comparable to if Microsoft allowed you licensed updates for your Windows operating system and did so as long as you were the owner of it.

Suggestion: Be aware of what your OTA licensing rights are when you buy your AI self-driving car.

Next, here’s more of what the Model S owner’s manual says:

“Tesla recommends that you install software updates as soon as they are available.”

This suggests that you should right away make sure to OTA the updates. Of course, as mentioned earlier, you might not be able to do so due to not being in a time or place conducive to do the updates.

We’ll hope and suppose that by-and-large you’ll be safe driving your self-driving car even if you have not yet done the updates, but admittedly it’s one thing to be unsure about having your Windows PC at home updated or not, versus driving around in an AI self-driving car that maybe needs updates that involve life-or-death changes and you’ve not yet been able to make the updates.

This is one of the downsides generally about the OTA. If it provides something essential to the safety and well-being of the AI self-driving car and its human occupants, having potential delays in using the OTA to make the updates could have some very serious consequences.

Here’s some more from the Model S owner’s manual:

“The first time you enter Model S after an update is made available, a scheduling window displays on the touchscreen. The scheduling window displays again at the end of your first driving session.”

One aspect about the OTA is how you as the owner or occupant in an AI self-driving car will even be aware that an update is needed. With a Windows PC, you usually nowadays get a message that pops up on your Windows screen. With an AI self-driving car, the question arises as to how you are to be best notified. In the case of the Model S, the manual says that a scheduling window will display on your touchscreen.

Here’s a question for you. If owners of AI self-driving cars are going to be using their self-driving cars for ride sharing purposes, and suppose a human occupant is in the car, will we be expecting that human occupant to go ahead and take care of doing an OTA update? I wouldn’t think that we’d be anticipating that to happen. Presumably, it’s something the car owner should be taking care of. But, suppose the car owner never even uses the self-driving car themselves, and always rents it out to others. Maybe the owner won’t even be aware that an OTA is needed. I am suggesting that ultimately the OTA’s on AI self-driving cars will probably need to be setup to alert humans via additional means, such as maybe the owner gets an alert on their smartphone that one of their self-driving cars needs an OTA update.

It is envisioned too that AI self-driving cars are going to be engaging human occupants in a verbal dialogue. When you get into a self-driving car, it will talk with you, asking about your desired destination, etc. It would seem likely that the self-driving car would also then possibly engage in a verbal discussion about the need for an OTA. Of course, this must be done sensibly, since if for example a child gets into the self-driving car because the car is going to give the child a lift to school, and if the child says yes go ahead and do the OTA update, we might want instead that an adult would be making such a decision.

Here’s more from the owner’s manual:

“Note: Some software updates can take up to three hours to complete.”

Now, this statement seems a bit curious. One must wonder how an estimate of the amount of time to do an update was determined. It says “up to three hours” which seems like a gutsy statement. If it said that it could take up to three or more hours, that seems to cover circumstances wherein the WiFi is really slow and the update is really big. But the suggestion that it would never take more than three hours, which is implied, seems somewhat unknowable beforehand. Even if they opt to chop the updates into bite sized pieces to try and keep under the three hours, it still seems like a gutsy statement.

Anyway, this points out that if you were thinking that your OTA updates for your self-driving car would happen instantly, you can now see that in this case you should be thinking of perhaps several hours to do the updates. Once we have even greater complexity in AI self-driving cars, it could stretch to even much longer periods of time to do the updates.

Here’s more from the owner’s manual:

“Model S must be in Park while the new software is being installed.”

When you do Windows updates on your PC, you often can’t do anything else on the PC and must wait until the updates are done. It is likely that most AI self-driving cars are going to be designed such that you can only do updates when the self-driving car is not in motion and is otherwise fully stopped and at rest. This could be frustrating though: suppose you start the OTA for your self-driving car and then suddenly have an emergency that requires you to use your self-driving car? It’s not like your PC that you can just wait for it to finish.

Here’s more from the manual:

“To ensure the fastest and most reliable delivery of software updates, leave the Wi-Fi turned on and connected whenever possible.”

At first glance, it might seem sensible to want to leave your Wi-Fi turned on all the time so that your software updates can occur whenever possible. But, this raises other issues such as suppose you are paying for the Wi-Fi and you suddenly rack-up a large charge because your self-driving car opted to use the connection but you weren’t aware it was doing so. Another concern would be security in that if you leave your Wi-Fi on all the time, it might connect to something nefarious that then digs into the innards of your self-driving car.

Here’s another item from the manual:

“If the Model S is charging when the software update begins, charging stops. Charging resumes automatically when the software update is complete.”

Let’s suppose you park your self-driving car in your garage and it’s an electric car, so you plug it into your at-home charger. Meanwhile, you also approve to do the OTA updates. In this design, suppose your updates take three hours, and as you can see your car charging will be stopped. You might come out to use your self-driving car just after three hours, and there’s not as much charge in it as you assumed. Now, I realize you are supposed to be aware that your self-driving car won’t be charging during updates, but it would be an easy item to have forgotten about or not even realized was the case.

Here’s this from the manual:

“If you are driving Model S at the scheduled update time, the update is canceled and you need to reschedule it. You can then either: • Schedule the update by setting the time you want the update to begin. Then touch Set For This Time. Once scheduled, the yellow clock icon changes to a white clock icon. You can reschedule the update any time before it begins. OR • Touch Install Now to immediately start the update process.”

This aspect is all about the scheduling of your OTA updates. It’s one of those aspects that a human could mess-up on. Suppose you thought you’d be parked at work for the morning and so you scheduled the update to occur. But, while at work, you suddenly realize you need urgently to drive over to the school because your child got hurt on the playground. You jump into your self-driving car, the update cancels automatically. You completely forget that you were doing the update. And, whatever amount was undertaken might not count and you’ll need to start it over again.

Here’s this:

“Note: Over time, the touchscreen may display a software update window informing you to SET FOR THIS TIME or INSTALL NOW. This software update window will persist until you complete the installation of the software update.”

Have you ever been to someone’s house and their clocks are blinking because they had a power outage and they never reset the clocks? This could kind of happen with your AI self-driving car, in that suppose you interrupted an OTA update and didn’t finish it. You might thereafter just ignore the indication to do the software update. With your Windows PC updates, maybe you’d be missing out on some nifty new feature in Word or PowerPoint, but with an AI self-driving car suppose it’s a software update that fixes a bug in the braking system that causes it to not engage properly.

Here’s this:

“You must install all software updates as soon as they are available and any harm relating to the failure to install a software update will not be covered by the vehicle’s warranty. Failure or refusal to install such updates may result in the inaccessibility of certain vehicle features (including incompatibility with digital media devices) or in Tesla being unable to diagnose and service your vehicle.”

If you forget to make your OTA updates, or you decide not to do them, what’s the penalty? Well, the auto maker can say that if you don’t do the OTA updates you aren’t covered by the warranty. This has some teeth, but maybe not that much for some people. The auto maker can say that some features might not work as intended or have other issues. Will this be sufficient to compel people to run their OTA updates? Maybe not.

The point being that for AI self-driving cars, the aspect of OTA’s being kind of optional and having soft penalties might not be enough to ensure the safety of humans. How many people for example today ignore recalls and don’t get the needed recall aspects undertaken? A lot. This is indicative that we might need to have more forceful ways of ensuring that OTA updates occur.

For example, some say that maybe an AI self-driving car should not even be willing to get underway if an OTA is pending that has a high priority safety element in it. But, it’s not such an easy thing to impose. Suppose someone is near death and needs to get to the hospital, and the AI self-driving car without the OTA update could get them there, which is more important at that moment, implementing the OTA update or allowing the human to use the self-driving car for that specific need at that moment?

We also need to consider the risks to other humans besides the owner. Suppose an AI self-driving car is being used by an owner for ridesharing purposes. The owner ignores the needed OTA updates. The self-driving car gets into an accident, let’s suppose due to not having the OTA updates. The self-driving car injures the occupants and hits two pedestrians. As you can see, it’s not just the owner that maybe carries risks, but anyone else that comes into contact with the AI self-driving car is also potentially at risk if the OTA updates are not undertaken.

Here’s this:

“Note: If software updates are not installed, some vehicle features may become inaccessible and digital media devices may become incompatible. Reverting to a previous software version is not possible. If the touchscreen displays a message indicating that a software update was not successfully completed, contact Tesla.”

This points out that you cannot revert to an earlier version of the system. Have you ever done some Windows updates and it made things worse, so you opted to back-out the changes? Sometimes you can revert, sometimes not. From a design perspective, the question will be whether the AI self-driving car makers are going to make it feasible to do a revert or not. They can do so, but it often takes a lot more trickery in the software and system to allow for a revert. The logic of most developers is that why would anyone want to revert? The person or thing clearly needs the OTA updates, otherwise we would not have provided them, they would assert.

Of course, we know that sometimes the OTA updates might not work, or might have adverse unintended consequences. Maybe an update fixes a problem with the use of the camera, but meanwhile messes up aspects of using the radar of the self-driving car. You cannot assume that just because the OTA updates have presumably been tested beforehand that they will always be perfect.

Here’s this:

“When a software update is complete, learn about the new features by reading the release notes. To display release notes about your current software version at any time touch the Tesla “T” at the top center of the touchscreen, then touch Release Notes. Tesla strongly recommends reading all release notes. They may contain important safety information or operating instructions regarding your Model S.”

After you’ve done a Windows update on your home PC, how often do you read the release notes to find out what changes were made? I’d bet that most people rarely if ever read the release notes. For an AI self-driving car, the changes made might have some very important aspects of a life-and-death manner. It would seem crucial to know what those changes are.

Should the auto maker force you to read the release notes?

Well, this is problematic since who is even supposed to be reading the release notes – the owner, the human occupants, or who? And, if there’s no means to revert, you might say it makes no difference to the human anyway. Plus, the AI is presumably going to be taking care of the driving and so whatever it does is what it’s going to do. That’s not true though for the levels below a Level 5, in that at Levels 4 and lower there is still a human driver involved and responsible for the self-driving car. As such, there might be crucial changes in the behavior of the AI about the driving of the car that the human driver might not be aware of, and at a vital moment of decision making such as an imminent car crash, the human might not know that the self-driving car is going to be doing something for which it expects the human to suddenly take over.

Some say that the AI of the self-driving car should be good enough to make sure that it informs the human drivers as to what the release notes have to say. In other words, rather than asking a human to read the release notes, the AI should engage in a dialogue with the human driver and explain what the OTA updates were for. The AI should then interactively discuss this with the human driver, rather than just passively displaying the release notes.

Computer Security for Self-Driving Cars

Now that we’ve covered many of the essentials about the OTA updates, let’s focus for a moment on something that raises concerns quite a bit about the OTA updates, namely the computer security of the self-driving car.

You could be letting a Trojan horse piece of malware straight into the inner workings of your self-driving car by allowing an OTA update to occur. I realize you’ll say that the auto maker should have made sure that their update doesn’t have any malware in it, but I assure you this is going to be a continual cat-and-mouse game. Unlike a Windows update on your PC, the consequences of malware getting into your self-driving car could be quite life threatening.

There’s also the Man-In-The-Middle (MITM) attacks, whereby you think that you are agreeing to do an OTA update from the auto maker, and yet someone has jumped onto your Wi-Fi and they are in-between you and the auto maker. They then secretly feed something untoward into your AI self-driving car. The auto maker might be blissfully unaware that it has happened.

Some say that the systems of the AI self-driving car should be subdivided so that no one OTA update can harm them all at once. This is a potential approach, but it also makes things more complex overall. Having numerous subsystems, each of which has its own gated wall, can be handy to try and prevent an overarching attack. It presents other issues of speed of communication between the components and their needed seamless interplay.

There are needed protocols about the OTA updates, involving security precautions, encryption, and so on. Most of the auto makers and tech firms that are developing AI self-driving cars are each reinventing the wheel about how to do their OTA updates. Some are calling for the industry to establish standards for this. Also, some believe that disclosures about the OTA capabilities need to be made known to prospective buyers, right away while even considering buying a self-driving car, and not wait until after the self-driving car has been sold. There are activists saying the government should make mandates on this, while those in the industry would often say that it’s best left to the industry to determine.
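As an added illustration (not from the original column, and not Tesla’s or any auto maker’s actual protocol), here is a sketch in Go of the vehicle-side checks that keep a man-in-the-middle on the Wi-Fi from substituting an update: verify the manifest’s signature against a public key pinned in the car, refuse versions that are not newer than what is installed, and compare the downloaded payload against the signed digest. The manifest fields, the component name and the key are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the field names are assumptions.
type Manifest struct {
	Component string `json:"component"`
	Version   uint64 `json:"version"`
	SHA256    []byte `json:"sha256"` // digest of the update payload
}

var (
	ErrSignature = errors.New("manifest signature invalid")
	ErrRollback  = errors.New("version not newer than installed")
	ErrDigest    = errors.New("payload digest mismatch")
)

// VerifyUpdate runs the checks in the order that matters: nothing in the
// manifest is trusted (or even parsed) until its signature verifies against
// the public key pinned in the vehicle.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte, installed uint64) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, ErrSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	// A validly signed but old manifest is still rejected, so a captured
	// earlier update cannot be replayed to reinstall known-buggy software.
	if m.Version <= installed {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], m.SHA256) {
		return nil, ErrDigest
	}
	return &m, nil
}

// Demo builds a constructed key, manifest and payload, then returns the
// verdict for four deliveries: genuine, payload swapped in transit,
// manifest edited in transit, and replay of the installed version.
func Demo() [4]error {
	// Constructed test key; a real signing key never leaves the auto maker.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)

	payload := []byte("constructed firmware image v42")
	digest := sha256.Sum256(payload)
	manifest, _ := json.Marshal(Manifest{Component: "brake-ctl", Version: 42, SHA256: digest[:]})
	sig := ed25519.Sign(priv, manifest)

	var out [4]error
	_, out[0] = VerifyUpdate(pub, manifest, sig, payload, 41)
	_, out[1] = VerifyUpdate(pub, manifest, sig, []byte("substituted image"), 41)
	edited := bytes.Replace(manifest, []byte(`"version":42`), []byte(`"version":99`), 1)
	_, out[2] = VerifyUpdate(pub, edited, sig, payload, 41)
	_, out[3] = VerifyUpdate(pub, manifest, sig, payload, 42)
	return out
}

func main() {
	labels := []string{"genuine", "payload swapped", "manifest edited", "replayed version"}
	for i, err := range Demo() {
		fmt.Printf("%-17s -> %v\n", labels[i], err)
	}
}
```

Encrypting the connection alone does not provide these guarantees; the signature check is what ties the installed bytes to the auto maker regardless of which network delivered them.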

We also need to consider the fleet-wide impacts of OTA updates. The beauty of OTA updates is that an auto maker can send out to a million of their already-sold AI self-driving cars that those cars all need to get an urgent update. Remember that for Hurricane Irma, Tesla sent out an update to Teslas in Florida that their batteries could go a bit further and unlocked extra battery capacity. This was to help drivers there that were trying to get away before the hurricane hit.

Sidenote: Some were confused at the time and thought that Tesla magically increased battery capacity, but the reality is that Tesla had via software previously capped the allowed use of capacity on some models because the buyer didn’t pay enough to get the larger battery capacity, even though the battery capacity was there in the car all along. All this did was to increase the threshold cap. The battery was still the same battery. No magic involved.

That’s an example of the beauty side of OTA’s, but there’s the ugliness too in that if the update is accidentally a computer virus, you’ve now made it really easy for that computer virus to spread into a million cars, all at once. That’s a rather tempting target for any hacker or terrorist. It would delight some hackers to think that they could suddenly change a million AI self-driving cars to start blinking their headlights on-and-off to the tune of their favorite song. That’s a rather benign change, and just imagine what kind of nefarious changes could be done. An entire “fleet” of AI self-driving cars could overnight become crazed monster cars that go mad and run over people and run off the road.

Generally, few are right now thinking much about this, because the percentage of cars on the roads today with OTA is relatively tiny, and the amount of the control of the car in terms of software is relatively small. Once we have AI self-driving cars that involve a large amount of software and data on-board the car itself, we’ll begin to realize the impacts that OTA can have on those cars. And, once those kinds of AI self-driving cars become prevalent, we’ll begin to realize the vastness of the impacts. Until then, it’s not the kind of eye catching issue that will garner much attention.

Elon Musk has suggested that a “kill switch” be built into AI self-driving cars and would allow a human to use it to cut the link to any OTA connection and allow the human to regain control of the car. It’s not yet clear how this might work. If the self-driving car is a Level 5, it presumably won’t have any controls for the human to drive the car, and thus even if yes they hit the kill switch, the car then presumably becomes a multi-ton useful paperweight. You might say that well at least let some of the AI be active so that you can tell the self-driving car to drive you home. This is problematic because suppose you’ve already loaded the virus and now the AI opts to ignore your instructions and drives the car off a pier.

How would this kill switch function such that it completely disables the car from working at all? Would it be software based or hardware based? Would anyone be able to use it? Suppose a child is in the AI self-driving car and just for fun hits the kill switch? If you hit the kill switch while the car is in motion, what happens? Does the car instantly come to a halt, but maybe doing so puts you into greater jeopardy? And so on.

Besides the intentional attacks on a self-driving car by outsiders, we also need to consider the unintentional aspects. Suppose the auto maker provides an OTA update that bricks your self-driving car. Let’s suppose it passes the security of the OTA and so legitimately comes into the innards of the self-driving car. I know that the auto makers often don’t want to bring up this possibility, but it is a true possibility. We could also even have third-parties that offer ways to jack your self-driving car, and they provide OTA updates that you can subvert the auto maker and have directly go into your self-driving car. I am sure that if someone tells you they can make your self-driving car go faster and take turns tightly, there will be some owners of AI self-driving cars that will be willing to go off-market to get those updates.

Currently, everyone is pretty much going to assume that the OTA stuff works and works properly. Sadly, if there’s not sufficient attention beforehand, we’ll potentially find the self-driving car industry getting into trouble down-the-road, and all of a sudden there will be the public and regulators up-in-arms as to how this came to be. Let’s hope we don’t get to that.

This column is originally posted on AI Trends.