Incident: Lexus and Toyota Infotainment System Failure Due to Errant Data Broadcast

Published Date: 2016-06-08

Postmortem Analysis
Timeline:
1. The software failure incident happened in 2016 [45291].
System:
1. Vehicle navigation head unit (center display) of 2014-16 Model Year Lexus vehicles and 2016 Model Year Toyota Land Cruiser [45291].
Responsible Organization:
1. The software failure incident in Lexus vehicles was caused by errant data broadcast by the traffic and weather data service provider [45291].
Impacted Organization:
1. Toyota and Lexus owners [45291].
Software Causes:
1. Errant data broadcast by the traffic and weather data service provider was not handled as expected by the microcomputer in the vehicle navigation head unit, causing the head unit to restart repeatedly and affecting various features [45291].
Non-software Causes:
1. Errant data broadcast by the traffic and weather data service provider was not handled as expected by the microcomputer in the vehicle navigation head unit [45291].
Impacts:
1. The software failure incident caused blackouts and constant reboots of the infotainment system in many Lexus vehicles, rendering it completely unusable for some users [45291].
2. Some affected vehicles experienced a flashing purple screen or never-ending boot cycle, further disrupting the functionality of the infotainment system [45291].
3. The failure led to the inoperability of the navigation system, audio features, climate control, back-up camera, and hands-free mobile phone functions in the affected vehicles [45291].
4. Owners of the impacted vehicles had to visit the dealer for a complimentary system reset to address the software issue, causing inconvenience and requiring their time for the fix [45291].
Preventions:
1. Implementing thorough testing procedures before deploying software updates to ensure compatibility and stability [45291].
2. Having a robust error-handling mechanism in place to gracefully handle unexpected data or events to prevent system crashes [45291].
3. Regularly monitoring and verifying data received from external sources to prevent the transmission of erroneous or corrupt data to the vehicle systems [45291].
Fixes:
1. A forced reset and clearing of the errant data from the system can fix the software failure incident in the affected vehicles [45291].
References:
1. Lexus' Twitter page [45291]
2. Statement from the manufacturer [45291]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization | (a) The software failure incident related to Lexus vehicles experiencing blackouts and constant reboots of the infotainment system due to errant data broadcast by the traffic and weather data service provider has happened before within the same organization. The article mentions that the issue is affecting multiple makes and models of Lexus vehicles, indicating a recurring problem within Lexus itself [45291]. (b) The software failure incident related to the errant data broadcast affecting Lexus vehicles has not been explicitly mentioned to have happened at other organizations or with their products and services in the provided article.
Phase (Design/Operation) | design | (a) The software failure incident in the article is related to the design phase. The failure was caused by errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This issue led to the head unit restarting repeatedly, affecting various features like the navigation system, audio, and climate control. The software glitch was traced back to the data broadcast, and the correction involved a forced reset and clearing of the errant data from the system [45291]. (b) The software failure incident is not related to the operation phase or misuse of the system. The article does not mention any user-related errors or misuse contributing to the software failure. Instead, the root cause was identified as an issue with the data broadcast and how it was handled by the vehicle's navigation system, indicating a design-related failure rather than an operational one [45291].
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident in the articles was caused by errant data broadcast by the traffic and weather data service provider not being handled as expected by the microcomputer in the vehicle navigation head unit [45291]. This internal issue led to the head unit restarting repeatedly, affecting various features like the navigation system, audio, and climate control, as well as rendering the back-up camera and hands-free mobile phone functions inoperative. The correction for this issue involved a forced reset and clearing of the errant data from the system, which needed to be done at the dealership [45291].
Nature (Human/Non-human) | non-human_actions | (a) The software failure incident in the articles was caused by non-human actions. Specifically, the issue was attributed to errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This led to the head unit restarting repeatedly, affecting various functionalities like the navigation system, audio, and climate control features. The correction for this incident involved a forced reset and clearing of the errant data from the system, which was implemented by the manufacturer [45291]. (b) The software failure incident did not involve contributing factors introduced by human actions. The root cause was identified as the erroneous data broadcast by the service provider, which was not anticipated by the vehicle's software, leading to the system malfunction. The manufacturer's response focused on rectifying the issue through a system reset and confirming the functionality, without mentioning any human error as a contributing factor [45291].
Dimension (Hardware/Software) | hardware | (a) The software failure incident in the articles was primarily due to hardware-related issues. The incident was caused by errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This hardware issue led to the head unit restarting repeatedly, affecting various features like the navigation system, audio, and climate control, as well as rendering the back-up camera and hands-free mobile phone functions inoperative [45291].
Objective (Malicious/Non-malicious) | non-malicious | (a) The software failure incident described in Article 45291 was non-malicious. The issue was caused by errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This led to the head unit restarting repeatedly, affecting various features like the navigation system, audio, and climate control. The incident was not a result of malicious intent but rather a technical error in handling the data, which affected the functionality of the system [45291].
Intent (Poor/Accidental Decisions) | accidental_decisions | (a) The software failure incident in the article was not due to poor decisions but rather to errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This issue caused the head unit to restart repeatedly, affecting various features of the vehicle [45291].
Capability (Incompetence/Accidental) | accidental | (a) The software failure incident in the article was not attributed to development incompetence. The issue was caused by errant data broadcast by the traffic and weather data service provider not being handled as expected by the microcomputer in the vehicle navigation head unit, leading to repeated restarts of the head unit and affecting various features like navigation, audio, and climate control [45291]. (b) The software failure incident in the article was accidental. It was mentioned that the data suspected to be the source of the error was corrected by a forced reset and clearing of the errant data from the system. The incident was not intentional but rather a result of unexpected data causing the system to malfunction [45291].
Duration | temporary | The software failure incident reported in Article 45291 was temporary. The failure was caused by errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This led to issues such as the head unit restarting repeatedly, affecting various features like the navigation system, audio, and climate control. The incident was resolved by correcting the data and performing a forced reset and clearing of the errant data from the system. Owners were advised to visit their dealer for a complimentary system reset and confirmation of the system functionality [45291].
Behaviour | crash, omission | (a) crash: The software failure incident in the article is described as causing the head unit to restart repeatedly, affecting the operation of the navigation system, audio, and climate control features. Additionally, the back-up camera and hands-free mobile phone functions become inoperative due to the issue [45291]. (b) omission: The software failure incident results in the omission of the system to perform its intended functions, such as the navigation system, audio, climate control, back-up camera, and hands-free mobile phone functions becoming inoperative [45291]. (c) timing: The software failure incident does not seem to be related to timing issues, where the system performs its intended functions either too late or too early. The focus is more on the system not functioning correctly due to the errant data broadcast issue [45291]. (d) value: The software failure incident is not specifically related to the system performing its intended functions incorrectly in terms of providing incorrect outputs or results. Instead, the issue is more about the system not functioning at all as intended [45291]. (e) byzantine: The software failure incident does not exhibit characteristics of a byzantine failure, which involves inconsistent responses and interactions. The issue described in the article is more about the system repeatedly restarting and becoming unusable due to the errant data broadcast problem [45291]. (f) other: The software failure incident in the article can be categorized as a crash, where the system loses its state and fails to perform any of its intended functions, leading to constant reboots, blackouts, and an unusable infotainment system [45291].

IoT System Layer

Layer | Option | Rationale
Perception | processing_unit, embedded_software | (a) sensor: The software failure incident mentioned in the article was not related to a sensor error. (b) actuator: The software failure incident was not directly related to an actuator error. (c) processing_unit: The software failure incident was related to the processing unit, specifically the microcomputer in the vehicle navigation head unit, which was not handling the data broadcast by the traffic and weather data service provider as expected. This led to the head unit restarting repeatedly, affecting various features like navigation, audio, and climate control [45291]. (d) network_communication: The failure was not directly related to network communication error. (e) embedded_software: The software failure incident was related to embedded software error in the microcomputer of the vehicle navigation head unit, which was not handling the data from the service provider correctly, leading to the system restarts and malfunctions [45291].
Communication | connectivity_level | [45291] The software failure incident reported in the article was related to the connectivity level of the cyber physical system. The issue was caused by errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This led to the head unit restarting repeatedly, affecting various features such as the navigation system, audio, and climate control. The failure impacted the network or transport layer of the system, requiring a system reset to correct the issue.
Application | TRUE | The software failure incident reported in Article 45291 was related to the application layer of the cyber physical system. The failure was caused by errant data broadcast by the traffic and weather data service provider, which was not handled as expected by the microcomputer in the vehicle navigation head unit. This led to issues such as the head unit restarting repeatedly, affecting the operation of the navigation system, audio, and climate control features. Additionally, the back-up camera and hands-free mobile phone functions became inoperative due to this software failure incident [45291].

Other Details

Category | Option | Rationale
Consequence | delay, non-human, theoretical_consequence | The consequence of the software failure incident described in the article was primarily related to inconvenience and potential safety concerns for the users of the affected vehicles. The software issue caused the infotainment system to experience blackouts, constant reboots, and other usability problems, such as the screen flashing purple or getting stuck in a boot cycle. Additionally, the backup camera and hands-free mobile phone functions became inoperative due to the software failure. As a result, affected Toyota and Lexus owners were advised to exercise caution when driving until the issue was resolved. The manufacturer, in this case, Toyota and Lexus, offered a complimentary system reset to address the software problem, but this solution required a trip to the dealer, potentially causing inconvenience to the owners in terms of time and effort [45291].
Domain | transportation | (a) The software failure incident reported in the article is related to the transportation industry. The affected systems were in modern vehicles, specifically 2014-16 Model Year Lexus vehicles and 2016 Model Year Toyota Land Cruiser, which experienced issues with the navigation system, audio, climate control features, back-up camera, and hands-free mobile phone functions [45291].
