The car's low-level control is still functional as normal, it's just the user interface that crashes, disabling the main display, all readouts, and all notifications. Rebooting the UI can fix the problem (it will reset itself automatically after two minutes as well). So it's a security issue, but not as serious as the title may suggest.
Still, apparently, a bad webpage with a loop of JavaScript that hangs the web browser can lead to a complete failure of the entire user interface, even disabling the speedometer, turn signal (only the notification, visual and sound, not the actual signal), and AutoPilot status. Still a red flag and not a sign of good engineering.
"If the automobile had followed the same development as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year, killing everyone inside."
It's concerning how hesitant I am to assert today's consumers wouldn't accept such a compromise.
In the past, not even distant past, just ~15-20 years ago, I'd confidently say that would never fly without hesitation.
It's definitely not the case today. Just look at how willing people are to delegate control over their lives to Tesla's "Autopilot". Even well-educated software engineers are being killed by putting 100% confidence in this glorified cruise control.
> well-educated software engineers are being killed by putting 100% confidence in this glorified cruise control.
If you mean the person who died when his car hit the crash attenuator on the way to work at Apple in California I think you are misrepresenting the situation.
As far as I can tell from the media reports on this case he had reported to Tesla that the autosteer misbehaved at this junction yet he still used it at that place and he was exceeding the speed limit. That's not confidence, it's foolhardiness.
In addition the crash attenuator had been hit by a conventional car a week earlier and had not been repaired.
I have a Tesla S, 2015 autopilot 1, and I use the autosteer feature pretty much every time I use the car. I am also a well educated software engineer but my degree is physics and my career has been in test equipment, embedded controllers, and design software.
I am well aware of the limitations of the feature and I pay attention to the times and circumstances in which it does not behave as well as I would like it to and adjust /my own/ behaviour accordingly. I suspect that most Tesla drivers do the same.
> It's concerning how hesitant I am to assert today's consumers wouldn't accept such a compromise.
Nobody would get in a car that kills you once a year.
But it would be an amazing tool for pulling things. So they might get in a carriage behind it. And people would definitely use that tech to make unmanned truck tractors.
>Nobody would get in a car that kills you once a year.
Sure, PEOPLE wouldn't, but I'd bet that we'd have autonomous driving perfected for deliveries if every car only cost $100 and was essentially free to run.
People crash all the time texting and driving. I see people looking into their phones while the car is coasting all the time. Autopilot is at the very least a much much safer coasting mode. To say Tesla Autopilot, at least the current version of it, net-net increases the chance of crashes is pure speculation, requiring a very hard to measure second-order effect argument of it being a significant cause for distraction and intuitively untrue for anyone who actually uses it day to day.
Yeah, I enable autopilot when I need to adjust the ac/music or switch from my glasses to sunglasses, because (on the roads I normally drive on) it does a decent job staying in the lane.
Also, in traffic, I’ve been finding Autopilot/adaptive cruise control to be really great for enabling me to pay more attention to the cars around me, because I spend a lot less energy worrying about the speed of the car in front of me and following the curves of the road.
The engine behind Moore's law is that for the same given silicon area, we can pack more and more transistors. So what, one might say? Because if we can cram more and more die on a wafer (which has remained a standard 300mm diameter since 2000's) then the $/die goes down. Running a semiconductor fab is about how many wafers can be processed per unit time (also known as WS/W or wafer starts per week). I see problems with this analogy but that's fine, it's an analogy after all :)
"If the automobile had followed the same development as the computer, we would produce a billion Rolls-Royces a year, get a million miles per gallon, can transport 10000 people per car and explode once a year, killing everyone inside. Oh and it would cost $3.50 per car."
That's also true with cars for the most part. Not a lot of market for thirty year old cars unless they're very specific models (much like thirty year old computers).
The maybe not obvious point is they have two computer systems, one that manages the "edutainment", one for the drive train. The entertainment one is the one they crashed. I want the web browser updated more than any other single thing on the car. The web browser is separated from the drive train. You can reboot the non-drive train even while driving.
Because there is a screen that displays both the current speed and things like turn by turn directions. If you somehow crash that screen, you lose both (for a minute or two)
So some genius somewhere thought having a single screen was more important than keeping basic functionality like speedo and turn signals safe from <checks notes> anything that the car's web browser might be exposed to.
I mean that sounds reasonable, it’s not like a web browser has ever been compromised before.
They make a barebones car, put a custom Linux tablet on top of it, and wire all interior controls to that tablet. The tablet is an all inclusive deal from security to dashboard display to navigation to Netflix while parking, such that it incentivizes users to adhere to that tablet ecosystem. That would be a compelling reason why.
There's one really compelling app, Tesla Waze, at https://teslawaze.azurewebsites.net/. It uses open maps, uses your car's gps location (after asking permission in the browser), and it overlaps waze, traffic, accidents, weather maps, tolls, many other things to give you a super incredible much more useful traffic map. I start it up and use it instead of the built in cool google maps based tesla navigation system.
Also, they block all video and sounds, you can't watch youtube while you are driving or even stopped. They recently added netflix when you are supercharging only.
Stardew valley is a bit of harmless fun that can be safely ignored if you don't want to play. A web browser is obviously a can of worms that opens you up to security issues...
Seriously, what is the use case? YouTube and Netflix ought to have a native app. Do I desperately want to browse HN but I don't have a phone on me? I don't understand.
It's very useful when your mobile is pay as you go and also has a much larger screen which makes referring to it while driving much safer. You can also use abetterrouteplanner to get better route planning than Tesla's own solution.
Your passenger can use it to find a place to eat while you are driving.
Not everyone, not even every Tesla owner, has an always online mobile.
> It's very useful when your mobile is pay as you go
Hmm, is this a regional thing? Prepaid mobiles here typically have 20GB to "unlimited" (note; not actually unlimited; they'll certainly throttle you if you take the piss) per month data.
> which makes referring to it while driving much safer
Eh? You shouldn't be using it while driving! Does it even work while driving?
> Not everyone, not even every Tesla owner, has an always online mobile.
They might be better spending the money they're spending on data service for their car on data services for their phone...
The fact that this one can be rebooted (by the end user, as a matter of course, and it's no big deal) without any hackery whatsoever, and the car can still be driven, makes the system look very good actually.
The joke fits better with the other computers in the car, which were not the subject of the article.
It may be a generational thing. It sounds terrible to me, but I have a car whose computer lasted 30 years before needing attention, and then it was for failing solder joints.
The very opposite actually. The computer crashes, but all car functions work perfectly, including autopilot (read the article update) and all safety features.
So you take out the computer here and it's still a perfectly safe and drive-able car.
Have you ever driven a Tesla and rebooted it while driving? Have you ever even driven a Tesla at all? Or is this just a guess based on your experience with custom ICE cars?
In the rebooting state it's probably still safer than any other car. You aren't missing any critical information that you can't see by looking out the window (the approximate speed). There is no gear shifting, no fuel, and you would have been warned well before this if your charge was low enough to cause alarm. I can really think of nothing you need on the screen that you would seriously miss as a matter of safety while it's rebooting for a few seconds, as long as you're being attentive as a driver, which you should be.
My point is that the actual risk to life and limb from this attack is very low because in the vast majority of situations you can easily and safely get off the road without instruments, and indeed that's exactly what you should do if your instruments fail. If you think that point is out of context where I wrote it, then we will have to agree to disagree.
What? I don't understand how this is relevant at all to my post. Why do you think I am calling something out of context? What do you think we disagree about? You need to explain what you think I said, because I have no idea if it's something I actually said.
Let me summarize my point of view again, very simply:
You are allied with userbinator in saying that it is not "perfectly safe and drivable", despite the quibbles about exactly how it fails that test.
Especially because you're saying "It's safe assuming you won't keep driving it." and they're saying "If you keep driving it, it's not safe.", and both of those can easily be true at the same time.
Or you could stay on the road and the reboot will finish in a few seconds. Meantime you have full control of everything as normal through the wheel and pedals, just no screen. It's like driving any other car where those dials are so small you can't read them and they might as well not exist, except that it's back to normal in seconds.
I mean, practically speaking, if the instrumentation in my car fails I'm getting off the road ASAP without checking HN to see how long I have to wait for everything to come back. My point is that the risk is low.
Or have a car whose physical gauges are not crashing, so you always know what speed you're in. I'm pretty sure cars in Europe always need to be able to show what speed you're going in, otherwise you won't be able to control your speed.
"the approximate speed" is not good enough. I challenge you to go on the highway without looking at the speedometer for 30 minutes and guess what speed you're driving in. I don't think a lot of people know what the speed would be, unless they regularly train it.
Where are people getting a few seconds from? The video seems to display the crashed MCU for well over a minute. 30 minutes is unreasonable, but it does seem like the safest thing to do is pull over.
Once the hacker has crashed the MCU of the software (an old version you can't get any more) then it's up to the hacker how long they let it sit there in a crashed state. They could leave it there for hours or days, if they wanted to. I mean the car is in Park.
So, it doesn't make any sense that you are talking about the time starting from when the crash was induced by the hacker, to the time when the reboot finished. You must be talking about what all the above comments were talking about, which is the time to do a reboot.
Well, it was probably a hard reboot. Which can only be done while stopped and with foot holding the brake down. And which takes longer than a soft reboot. So how long was it, exactly, since you claim it was well over a minute?
I checked the video to see what you could possibly be talking about.
The reboot starts at 2:09. The UI comes back at 2:24, which is being conservative... we could easily call it 2:23. 15 seconds. For a hard reboot. Again, soft reboots are even faster.
So, yeah. Saying it took a minute or more is a wild exaggeration. Fifteen seconds.
During these 15 seconds you are missing out on the ability to see your speed, which was shown continuously in the largest font at the closest part of the screen right up until the moment of the reboot. (Except in this case the car was in Park, so it's super odd that anyone would worry about driving safety here). And you miss out on the ability to open the trunk, the frunk, and the charge port. And the ability to look at maps. And possibly voice commands. I don't see any safety issue here. If this bothers people, they can just refrain from rebooting their MCU while driving. And if they really do get hacked, just look at the screen, note the speed, and reboot. Soft reboot should be fine, and can be done while moving or not, it's up to the driver, free choice. Don't like rebooting while driving? Fine, pull over. You don't need to though. Fifteen seconds. Tops. Of not having your screen. Soft reboot probably more like ten seconds.
This is how people form mistaken opinions about Teslas. Lack of personal experience, ignorance, presupposition of facts that do not exist, gullible acceptance of anything you read or hear, and exaggeration of perceived problems to a bizarre level.
I was referring to this video where the car is driving 60mph down the highway, and the MCU stays crashed for over a minute: https://www.youtube.com/embed/UkhwRUaSCA4
> Well, it was probably a hard reboot. Which can only be done while stopped and with foot holding the brake down.
If this is true, then it seems like it is impossible to (hard) reboot the MCU while driving? So they definitely should pull over.
> This is how people form mistaken opinions about Teslas. Lack of personal experience, ignorance, presupposition of facts that do not exist, gullible acceptance of anything you read or hear, and exaggeration of perceived problems to a bizarre level.
You seem to be letting your Tesla fanboy/girlism blind you. I'm not "forming an opinion" about Tesla over this event, simply arguing that should this happen to you the safest and best thing to do is pull over. I would do the same thing in a normal (non-Tesla) car should the speedometer or other important part of the dash fail in those.
Soft reboot should work. I think leaving it crashed for 60 seconds was up to the discretion of the user. He never tried soft rebooting. Of course not, since it was a demo of the hack. But soft reboot would be my go-to thing here and I would also at the same time start looking for safe places to pull over just in case the soft reboot didn't fix it.
But yeah this is an annoying hack if it hits an average driver. I'd say whether it's dangerous or not depends on how the driver responds. Just as you say, if any important part of the dash fails, the actions to take are largely the same as for a regular car, except I'm adding that there is that additional option of the soft reboot, in the meantime, which may fix it completely before a pullover can even happen.
If they are not aware of soft reboot, they should just drive safely and pull over to call service to ask what to do. If they don't do this, it's just like anyone in any car driving with something non-functional; the responsibility falls on the driver.
>I'm not "forming an opinion" about Tesla
OK, fair enough. If not for you, it can stand as a general comment about the nature of comments often seen in discussions about Tesla.
>otherwise you won't be able to control your speed.
Unless you’re seriously impaired or driving the car for the first time, it really shouldn’t be very difficult to control your speed without a speedometer.
You might get a ticket or two, but if the lack of a speedometer puts you in dangerous situations you shouldn’t be driving in the first place.
Why not safe? There is absolutely nothing safety-critical on that display. I probably reboot the entertainment system while driving once a month or so. It’s no big deal.
The situation is just stupid - when I first posted my comment, I said the car would still be functional and that issue is not that serious, I immediately received a reply that basically criticizes me for being a pro-Tesla apologist (now deleted, apparently an honest misread), and now I have comments saying I'm anti-Tesla. But the fact is, I'm neither, I was simply expressing a specific criticism that it's not a good design that the dashboard is not separated from the rest of the entertainment system, and I said nothing about how good or bad Tesla is, as a car overall, or whether Tesla, Inc. is a good company.
> There are numerous problems with other cars and it doesn't receive any coverage
It's simply a result of much more attention and scrutiny of Tesla on HN because it's a popular car/company in the Silicon Valley.
I almost wish there had been another car with a digital cockpit that faced the same issue. Because I can imagine the glee that (some) Tesla owners would have.
Like they did when there was a Jeep remote vulnerability. "Haha. Way to do OTA totally wrong!".
It reboots in under a minute so you can make adjustments then. Meanwhile you keep driving or can pull over or whatever. It's not like it happens all the time; once every month or so I push both toggle buttons and reboot it while I'm driving.
Isn't having the wipers freeze for more than 5-10 seconds in heavy rain a big safety issue?
Agreed that the chances of the freeze happening while there is heavy rain are rather slim, but nobody should be relying on their luck in this way.
Is it? Do you think you wouldn't be able to drive safely without a speedometer? (BTW, I am specifically talking about safety, not about whether you get a speeding ticket.) I am not really sure that someone who needs a speedo to stay safe should be on the road...
The Tesla dashboard should be predominantly a real time system. (It appears not to be.)
Different features of the dashboard should be implemented as different services, ideally on different processors or different virtual processors. They should have fixed time sliced allocation. Limit the impact of one process interacting with another.
The different processes should all send and receive visual/touch IO to a master display server. The master display server should be a hard real time system.
I think we all know this is really how it should be done, it's just comical that Tesla says NO! and does it their own unsafe way.
They don't treat the dashboard as safety critical, despite that being where all essential warnings show up, in addition to the speedometer. You can easily lose access to all those while driving. I have multiple times witnessed the dashboard reboot for a few minutes while driving.
I think the long term outcome is that Tesla mostly gets away with this, other car manufacturers attempt to copy their system with extremely poor results, dangerous failures result, and regulations are created.
> I think the long term outcome is that Tesla mostly gets away with this, other car manufacturers attempt to copy their system with extremely poor results, dangerous failures result, and regulations are created.
I am not generally in favour of regulating software development, for the simple reason that I don't think as an industry we really understand how to do that effectively yet and consequently I think we'd get regulations written by high profile fools rather than careful engineers.
However, I am getting deeply concerned about casual programming standards and the inevitable bugs that follow now applying not just to random games and other stuff that doesn't really matter but also to real physical devices with real physical implications when things go wrong.
Creating the regulations after the fact won't help much if the next remote hack, instead of just stranding one aware volunteer in a still dangerous situation in the middle of a fast-moving road, is instead something like accelerating all cars of a certain model that are within range to their maximum speed by deceiving the cruise control.
We need more grumpy engineers, and we need very public warnings from credible groups of them about the dangers here, so the people buying these vehicles know what they're really getting, and so the politicians and corporate executives and investors know that if they don't act then there will be nowhere to hide if the big disaster happens on their watch.
My interpretation is that they do not consider the infotainment display or associated processor to be safety-critical. All of the safety-critical stuff is in one or more separate processors that stay running if the dash computer crashes.
I can see that perspective as long as the processors are segregated and the display doesn’t display any info necessary to mitigate a hazard.
The problem with a lot of software on embedded systems is that it’s easy to go down the rabbit hole and be one or two degrees away from declaring it critical. If everything is critical then nothing is.
What (user) invisible said. year.week or year.week.patch if there has been a patch. And there's a build number after that. We're on 4fbcc4b942a8, probably the prefix of a git hash I'm guessing. But then there's kind of a marketing version number as well, for which we are currently on v10.0 or v10. something:
I don't believe that autopilot stopped functioning. In my experience autopilot functions fine even if the MCU crashes or reboots. And there's clearly an autopilot disengagement chime after the MCU freezes, probably caused by him manually disengaging autopilot.
> Important Note: I stated in the video that this disables the autopilot functionality, but that is incorrect. This will only disable the notification to place pressure on the wheel. If you keep pressure on the wheel, AP will continue to function.
Thanks, makes sense. Almost all autopilot functionality is preserved during MCU problems. The attention warning indicator (pressure on steering wheel needed) being one notable exception, but that's pretty benign.
Not only is autopilot functionality preserved, but there is a separate speaker for alerts (like the "take over immediately" sound) as well for if the display MCU crashes.
Some vehicle systems use a VNC compatible client for this. Essentially put the "web parts" into their own system entirely, even physically, and then project the results into a window on the "safe part" UI. If something bad happens the VNC server might crash and client lose connection, but that's the limit of the danger.
I know around the time Carplay became popular several auto manufacturers were pushing this idea as a Carplay/Android Auto alternative implementation: glorified VNC. But I guess the data wasn't "rich" enough for some parties.
There is a separate computer system. On the S the separate computer system for the drive train has its own screen (in front of the driver). On the 3 they use one display. You can separately reboot the non-drivetrain one.
I've had the FSD computer (HW3) freeze in my X once. The autopilot/TACC, gps location and even the wipers, which are controlled by this even if you're not using auto-wipers (deep rain), stopped working. I had to stop and power off the car for a few minutes to make it work again.
Everything else was fine though so I think they have isolated the driving itself quite well.
I've also had the MCU crash 2-3 times but the two finger salute always fixes it.
My car is 8 months old so these events are quite rare.
I drive an old car that is missing a nice, modern infotainment system, so my experience is out of date, but several crashes in 8 months seems pretty frequent? My expectation is that it would not happen at all.
I have a car which doesn't require any computer to drive, and the instruments definitely don't malfunction anywhere that frequently --- and when they do, it's not all of them at once. I think the only things that I've had to replace in over a decade were an indicator bulb and a speedometer drive gear.
8 months between failures definitely sounds unacceptable to me.
You don't need to go full luddite on this. I have a 10yo Prius, which obviously for the hybrid system has a pretty complicated computer system. I've only had to have a few software updates which were done when servicing. The infotainment system is garbage compared to modern cars - it has Bluetooth though, so it does what I need it to do - but the drive system works as well as it did when I bought it.
The only issue I've had is when the 12v battery needed replacing and it was -20c outside, half of the dash (the trip computer, efficiency and seatbelt display) wasn't working.
I'm not exactly sure what new features they could add with just a software change.
>My expectation is that it would not happen at all.
I had a 2011 Nissan, and if you went somewhere the nav system didn't recognize (like a new highway) the nav interface would freeze and reboot. Was annoying.
People can have older style infotainment systems with fewer to virtually no bugs and significantly less performance or they can have what are essentially computers with much better performance and significantly more bugs.
The trend has been towards better performance at the cost of normalizing bugs, but at some point maybe we will normalize poor performance to minimize bugs.
Better performance in the same way a laptop performs better than a microwave, or a mechanical device.
People were fine with mechanical speedometers, but manufacturers moved to microprocessors because of cost/features, and seem to be moving towards mainstream computers for the same reason.
People don't need these features. A mechanical speedo would suffice, but they seem to want them.
Along the same lines, people would be fine if the only car available were some kind of utilitarian hatch or station wagon, but people want cars with different attributes and manufacturers offer and optimize for those attributes.
Having in car entertainment can help to make longer refueling stops more pleasant, which arguably helps with adoption. But it's not a requirement. Tesla could have skipped it and lived with however many different sales, in the same way including it led to different sales.
It still works as a "normal car" when the computers are crashed so it matches your expectations in that respect. The MCU and FSD computers are independent of the driving systems.
The first time I got in that situation I was confused. They should really teach you the "two finger salute" (I'm stealing that btw) when you pick up your car.
Not really, I've "lost" wipers before in regular cars due to shitty conditions and poor quality wipers. This is especially prevalent here in Norway when they salt the crap out of the roads in winter making a saline slush that sticks to everything. That's much more dangerous.. Or running out of wiper fluid!
If I really needed them in the X I could just pull over and let the FSD reboot itself and they work again. It also did not happen while driving, it was like that from the start of the drive so it was quite easy to identify. But I chose to go on to see how the car would behave without the FSD as an experiment.
I've often wondered if Tesla 'bit off more than it can chew' by focusing on software, autopilot, and other things outside of the strict 'electric car' concept. Cool UIs and self-driving cars really have nothing to do with reducing emissions from fossil fuels.
Personally, I would be more willing to buy a Tesla if it didn't have all of these software integrations and was simply a mechanical car with an electric engine.
A lot of what makes Tesla models more practical electric cars comes from the software. The UI whines at you when you charge the battery too much, which extends cell life. The navigation system prevents you from forgetting to charge along the route, mitigating range anxiety. The artificial throttle is also calibrated to improve efficiency.
Yes I think you know this but you made it sound pretty scary. For anyone reading, the car drives as normal, can still smoke pretty much any... let's not mention brands here, but suffice it to say, there's nothing to prove, and everything continues to work just fine. The UI comes back in a few seconds.
Well, it is pretty scary. The UI crashing and you not knowing how to restart it is a big deal.
It's not even like a traditional car where you can "restart" the electronics by turning it off and on again. It's a very specific sequence detailed in the manual...which most people aren't going to memorize.
It sounds like you haven't had experience with doing a soft reboot.
And yet, apparently you have, from your parent of parent comment... bizarre.
You make it sound like some elaborate easter egg that's hard to remember and is only buried deep in the manual as a crazy special detailed long sequence of steps.
It's neither some very mysterious sequence, nor hard to memorize, nor hard to learn about. And you don't even need to know it.
As you well know it's just holding down two buttons which are right on the steering wheel basically where your thumbs are already resting as you drive. So why are you spreading FUD?
You don't even need to take your eyes off the road. Not even for one second. The buttons are right there where you can feel them.
And no, it's not something you could or would ever do accidentally unless you were trying odd stuff just to see what would happen. And if you did, it would be no big deal, and the car would continue driving just fine, and the UI would come back by itself after a few seconds. But again, this wouldn't happen.
>It's a very specific sequence detailed in the manual...
That is overly dramatic. Like, to the point where you should win an award. And the manual is not the only source for this "vErY sPeCiFiC sEqUEncE."
It's one step: hold the two buttons for a few seconds. As you said yourself.
In the unlikely event that A) a person driving the car doesn't know about this, B) they are running software that most cars don't have any more, C) they are using their web browser while driving, and D) they loaded a strange site that contained a hack, then they could just pull over and call for advice from service.
Service would tell them to press the buttons for a few seconds, and they could be on their way in under a minute including the time for the phone call.
Well the scary for a newbie part I can agree with! So that one slight criticism didn’t lead to that essay.
It was the other stuff: “very specific sequence detailed in the manual” which got me, because the wording is so amped up and over dramatized. I mean I almost mentioned “JFC” myself before you did, but explained it instead. You can’t please everyone though.
I think it’s interesting how Tesla has addressed all the different UX challenges of the car. Fascinating really. I know UX people and they have my utmost respect because they often solve problems like this one in such effective ways.
So how does the rollout for Tesla updates work? Are there specific updates that are marked mandatory before you can drive the car? Wondering how these disclosures are avoided from being exploited when not all of the cars have the patch.
Hey, it's the guy from the video. I worked with Tesla on this and we waited until a sufficient amount of vehicles had the patch before releasing it out. But if someone acting maliciously just releases it out without co-ordination with Tesla, that's a different ballgame. I would imagine they would roll it out ASAP.
Cars get eligibility for updates depending on when they were purchased, what hardware they have (including incremental revs that happen with newer versions of a model), what features they have that relate to the update, whether they have purchased the (future) full self driving add on, whether they are in the Early Access Program, and whether the customer has complained to service about a related issue that the update covers... those are the ones I know about.
On top of this (or maybe under it) they have a layer with rollout tiers for Tesla owned cars, cars of employees who opt in for early updates, and customer cars. Probably more than just this. And then with all that they roll it out over time, so we're not all getting the update the same hour, but generally it starts with a trickle the first week and then becomes a flood of users getting a given update over the course of the following week or two.
If you're not on WiFi you might get the "Update Available" notice in the UI first, and then when you get to WiFi it downloads it. But it doesn't wait, if you don't see that notice and it has WiFi, it just downloads it.
Also Tesla says that if conditions warrant, it will download the update even when there is no WiFi. But I think it waits a while to try to opportunistically get on WiFi if it can, to reduce load on the LTE network it uses. If your car never connects to WiFi (which is up to you to do) then it will download, if it can, over LTE if the update is high enough priority.
There are probably silent updates as well as another commenter indicated. Don't know about those but it makes sense.
Note that (a) you’d have to load a specific web page to make this happen; (b) you’re usually not surfing the web while you’re driving, but maybe a passenger would ... (c) this crash just makes the screen hang until the watchdog resets it (apparently 2 minutes) or the driver forces a reset by holding down the two steering wheel buttons.
Rebooting the infotainment screen while driving is no big deal. The car drives just fine without it, and so do I.
They’re not mandatory to drive. Tesla does silent over the air updates with important fixes since the car has data capabilities. Larger updates happen over WiFi.
Every Tesla comes with always-on cellular connection which their cars use to log onto mothership.tesla.com or authenticate your phone through it to allow you to drive.
Save for small numbers of cars explicitly ordered off-menu with that feature removed, or ones that have been hiding under a rock for six months, they keep the VIN, the connection, and rotating SSH keys to log into any instances of cars of their current models that have ever been delivered, and it's not like there are a trillion Teslas on the road.
There's no mandatory updates that I've seen. You get an alert that there's an update, and it shows up every time you put the car in Park. It prompts you to update now or schedule a time.
You usually have to be in range of wifi to download updates, afaik.
This is the turning point, where I go from a technology lover to a nutcase who wraps everything in aluminum foil. At the minimum, anything that can browse the web but isn't a standard computer needs to be wrapped up.
Shrug, it's really no big deal. I have a Tesla Model 3 and never visited a website, nor plan to.
It's a car, has games, maps, music, nav, etc. Can't think of a reason to visit a website. Sure you dig in and use the screen to type in a URL, pretty painful. There's no RSS Feed, news of the day, etc to tempt you into web viewing.
I once managed to get my Tesla to slow down dangerously while on autopilot by having a friend hold a copy of a fake speed limit sign by the side of the road.
I'd like to name this act "Tesla swatting".
Next task: can I make the Tesla following me slow down or speed up by attaching a fake speed sign to the back of my car?
Still, apparently, a bad webpage with a loop of JavaScript that hangs the web browser can lead to a complete failure of the entire user interface, even disabling the speedometer, turn signal (only the notification, visual and sound, not the actual signal), and AutoPilot status. Still a red flag and not a sign of good engineering.