In-brief: Bad data sent by a third party is being blamed for a glitch that crashed the center console in some late-model Lexus and Toyota Land Cruiser vehicles, the company said.
Editor’s note: Updated to add comment from Lexus. PFR 6/8/2016
Lexus, Toyota’s luxury car brand, has informed customers that a bad software update for its Enform entertainment system software is responsible for disabling the climate control, radio, GPS, Bluetooth wireless networking and other features on a range of models, including the 2016 RX, GS, NX and ES models, among others.
“Errant data” sent by a third party that provides traffic and weather data service was “not handled as expected” by the Enform software that runs the center display on 2014-2016 model year Lexus and 2016 model year Toyota Land Cruiser vehicles, the company said in an emailed statement.
The failure has left Lexus owners and renters fuming about the loss of in-car entertainment and navigation features as rumors fly, including that the bogus update was the result of a malicious third-party application, a hack of Lexus itself, and even U.S. Navy tests of a cellular jamming technology. In a short statement online, Lexus apologized for the incident and said that it is “fully engaged and investigating this issue as a top priority.”
Lexus posted a message to its Facebook page late Tuesday apologizing for the incident but providing little detail about it.
In complaints posted to Lexus’s Facebook page, owners describe quirky behavior beginning on Tuesday. A Facebook user with the name Rod Perry described the onset of problems with the so-called “headend” unit on Tuesday for a Lexus he bought just days before. “Had the nav, radio, ac cycle on and off every few sec(onds),” Perry wrote.
According to Perry, unnamed “Lexus officials” said that the company’s “system was hacked.” However, other Facebook users claiming to be Lexus owners reported hearing different explanations from local dealerships, including a bad Enform software update that was not properly tested, problems with satellites and a buggy update for the I Heart Radio mobile application.
The problem appears to be widespread, with users from California to Massachusetts reporting problems. Contacted by The Security Ledger, a spokeswoman for Ira Lexus in Danvers, Massachusetts, said that the dealership had been dealing with problems related to navigation and air conditioning systems since Tuesday. She declined to say how many customers were affected.
Calls to Lexus by The Security Ledger seeking comment were not returned prior to publication.
Whatever the cause, vital in-vehicle services for customers were disabled, most notably the car’s air conditioning and environmental controls and its GPS navigation. Some customers complained of being stuck hundreds of miles from home without the benefit of GPS, or of being stuck in Southern California freeway traffic without air conditioning.
In an e-mail statement, Lexus Communications Specialist Laura Conrad said that errant data can cause a vehicle’s head unit to “restart repeatedly, affecting operation of the navigation system (if equipped), audio and climate control features.”
Vehicle owners who are experiencing problems need to take their vehicle to a Toyota or Lexus dealer where a “forced reset and clearing of the errant data from the system” will be performed, Conrad said.
While some users have described getting temporary relief from the outage by disconnecting the car’s battery and then reconnecting it (the vehicle equivalent of a ‘hard boot’), others said that problems returned after a few hours.
Lexus was among the first to pair its luxury vehicles with its own entertainment features and a host of smartphone-friendly mobile applications, built on the company’s proprietary Enform entertainment platform.
As more automakers embrace over-the-air software updates as a way to push out necessary fixes to vehicle owners, the prospect of unreliable and malicious updates causing real world disruptions has grown. In a March report to Congress (PDF), the U.S. Government Accountability Office (GAO) noted that modern vehicles feature many communications interfaces that are vulnerable to attack, but that measures to address those threats are likely years away, as automakers work to design more secure in-vehicle systems.
While automakers have embraced the Internet and mobile applications as a way to improve the experience for owners, they have not adapted to the role of commercial software vendors, security experts agree.
Ken Munro of the firm Pen Test Partners, which recently demonstrated security holes in a wireless access point found in some Mitsubishi vehicles, said that security issues related to software running on vehicles are often “not on (carmakers) radar.”
Craig Smith, an expert on connected vehicle security, said he sees a “split” in the automotive sector, with some car makers embracing open architectures and open source approaches to vehicle software, while others insist on closed ecosystems using proprietary software. In such cases, it can often be hard for automakers with limited security staff to fully vet security issues in their in-vehicle software, he said.