The Lexus brand posted an oblique apology on Facebook and Twitter late Tuesday. But, like many big companies that can't get their cyber-act together, it provided few details to furious customers.
The scant information, of course, had some people convinced it was the work of the government, jamming communications and sabotaging luxury car owners in dark deeds for the NSA. It didn't help that Toyota spokesperson Cindy Knight told Bloomberg that satellite communications to Lexus GPS systems "had been disrupted." One outlet even suggested it was a cyberattack on Lexus itself. (CrowdStrike: It was Russia!)
Others were sure it was hackers in balaclavas getting ready for their cameos on CNN at that conference in Las Vegas. Or, some sort of hideous tentacle porn malware, which would surely take over their cars and strangle and violate them with their seat belts like a terrible cyberpunk Cthulu come to life.
No one knew what to do. On Twitter, some Lexus owners said that disconnecting the battery for a minute forced a system reboot, and that seemed to work.
Lexus said little more than it was "fully engaged and investigating this issue as a top priority." Hey, at least they didn't say it was a "sophisticated" attack.
According to reports, drivers affected spanned from California to Massachusetts. Among other things, these customers "complained of being stuck hundreds of miles from home without the benefit of GPS, or of being stuck in Southern California freeway traffic without air conditioning."
The afternoon statement by Lexus on Twitter was light on details. But Lexus Communications Specialist Laura Conrad told Security Ledger that customers need to bring their cars to a Toyota or Lexus dealership so the service department could do a "forced reset and clearing of the errant data from the system." Basically, the equivalent of turning it off and on again.
This doesn't bode well for what could happen with driverless cars. Who do you call when it's jamming an intersection, endlessly rebooting? Or things like Tesla's Autopilot, which drives the car for you. At least if that particular luxury car drove itself into a fire hydrant because an update gave your car the automotive equivalent of Heartbleed, you could give Elon Musk a hard time about it on Twitter.
The good news? This week's borked Lexus update wasn't critical to immediate vehicle safety because it was for the specific systems related to climate, GPS, and entertainment. But Tesla is one automaker who has moved to software updates that control the whole vehicle, which introduces a whole host of concerns.
Lexus emailed a statement to Security Ledger which reported:
"Errant data" sent by a third party that provides traffic and weather data service was "not handled as expected" by the Enform software that runs the center display on 2014-2016 model year Lexus and 2016 model year Toyota Land Cruiser vehicles, the company said in an emailed statement.
So thanks to something sketchy with a third party in Enform's app suite, which includes everything from Yelp to Facebook and I Heart Radio, one update crashed the entire center console for all drivers who paid for the privilege of Enform.
In addition to the constant resets, drivers also lost roadside assistance, emergency assistance, stolen vehicle location and Enform's vehicle and service alerts "delivered on demand." Its mobile app lets you lock and unlock doors, and start the car, so we can suppose those "features" may have been "down" too.
Great, so now we have to worry about buggy, unvetted third party updates in our cars. Next they're going to tell us to carry a paperclip in case our car stalls. That is, until someone realizes that cars are now going to have to come equipped with CTRL-ALT-DELETE buttons.
And won't that be fun.