
I see the point, but the alternative also scares me: software that never gets updated.


It could be updated using a file you download to a USB drive and then plug in to a port inside the car. That way it would require physical access to the car, and the update file could be signed to only work in your car specifically.

The only reason to do OTA updates is convenience.


Signing updates specifically would also still work with OTA delivery. Especially if the update can only be triggered from inside the car while simultaneously pressing some buttons. How the update is transferred should not matter for security.
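
The check the two comments above describe, as an added example that is not part of the original thread: the vehicle verifies that a package is authentic, built for its own VIN, and confirmed from inside the car, with the same code path whether the file arrived by USB or OTA. Assumptions: the names, the VIN and the key are constructed, HMAC-SHA256 with a per-vehicle key stands in for the asymmetric signature a production design would use, and the rollback check is an addition the thread does not mention.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real ECU would keep these in protected storage.
VEHICLE_KEY = b"constructed-per-vehicle-key"
THIS_VIN = "TESTVIN0000000001"


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the canonical JSON form of the manifest (HMAC stand-in)."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def make_update(image: bytes, vin: str, version: int, key: bytes) -> dict:
    """Vendor side: build a package bound to one VIN and one image."""
    manifest = {"vin": vin, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "tag": sign_manifest(manifest, key),
            "image": image}


def verify_update(pkg: dict, installed_version: int, buttons_held: bool) -> str:
    """Vehicle side: identical checks whether pkg came from USB or OTA."""
    manifest = pkg["manifest"]
    expected = sign_manifest(manifest, VEHICLE_KEY)
    if not hmac.compare_digest(expected, pkg["tag"]):
        return "reject: authentication failed"
    if manifest["vin"] != THIS_VIN:
        return "reject: built for another vehicle"
    if hashlib.sha256(pkg["image"]).hexdigest() != manifest["sha256"]:
        return "reject: image does not match manifest"
    if manifest["version"] <= installed_version:
        return "reject: rollback"
    if not buttons_held:
        return "reject: no in-car confirmation"
    return "install"
```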


OTA enables progress.

Assume there's a bug - a safety-critical bug. You cannot reasonably call people in house all at the same time, and continue to risk their lives as they "don't upgrade".

OTA updates also over time increase software quality, enable experimentation and slow/controlled rollout.

You are worried about short-term problems over long-term promise.


> You cannot reasonably call people in house all at the same time, and continue to risk their lives as they "don't upgrade".

That's how it worked for all the cars before Tesla, so... Yes you can.


"That's how we did it before" is the number one inhibitor in the name of progress.

Remember your Windows pre updates. Full of security holes and no way to patch, or bugs that linger and create problems that could never be fully eliminated.

Let me tell you something you didn't think of. Imagine I am doing my diligence before releasing software but didn't fully factor in all the unknowns in the process. It happens, shit breaks all the time, right? Now imagine instead of uncontrollably calling everyone in house, I start a 1% rollout, gather data, find some problems with that, investigate, and push the real fix. See the efficiency gains? I prevented the chaos of 99% of cars, and I did something data-driven.

Good luck on that without an OTA.


> It happens, shit breaks all the time, right?

When people are relying on software for their safety, no, it doesn't. Bugs in critical systems for things like planes and cars are rare because going faster kills people. Using 1% of your users as tests is fine if you're making a website but much less fine if your new code means they might die.


Real life disagrees with you. It is simple math: roll out a safety update to everyone manually and have no idea of the real-life performance, or roll out slowly and get the data.

Bringing cars in house makes no improvement over what I am proposing.


Most people wouldn't bother.


They would if it meant failing the yearly checkup, and thus making the car illegal to drive.


Anything safety critical should require a recall, and for everything else if the user isn't bothered that tells you a lot about how important updates to car software actually are.


I'd love to see statistics on how many injuries/deaths occur from recalled problems that users don't bother getting fixed.

I know I've had cars where certain defects (non-safety) were recalled, yet it took 2-3 weeks lead to get an appointment with the dealership, and several days in the shop once it was there (without a loaner vehicle). And I'm not talking full engine rebuilds either, just simple fixes. Most of the time I don't even bother anymore because it's such a hassle.


Not good thinking. See my response above.


In other words, like almost every ECU on the planet right now.

Why do my brakes need a software update? Is that not something that we as an industry can get right before shipping a car?


There's a fairly notable number of recalls that involve flashing new software to body control modules, ECMs, etc. Sometimes for dangerous problems around throttle control, etc. For example: https://repairpal.com/recall/14V583000


> In other words, like almost every ECU on the planet right now.

You're mistaken. Almost every ECU on the planet right now is flashable and they are indeed often updated as part of routine servicing, particularly on brand new models.


As others have pointed out the alternative to OTA isn’t never updating critical systems; you’re presenting a false dichotomy.


Not really. You'll have about 25% of vehicles that won't get updated, and you'll risk lives as recalls get remedied, over years.

You'll also not have any way to measure the impact of the update; chances are it is not perfect...

Data: https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13...



