In recent years, vehicles have evolved from offering simple audio playback to offering seamless and unparalleled experience in comfort and entertainment. The growth in cellular connectivity coupled with the continual reducing cost of associated hardware has resulted in a sophisticated feature-rich vehicle, also referred by some as an “iPhone on wheels”. The vehicle of today contains miles of cables, tens to hundreds of ECUs (Electronic Control Units) and multiple networks (LIN/CAN/MOST/FlexRay/Ethernet) catering to different features and functions. These vehicles are now capable of connecting to the Internet and thus unlocking a plethora of opportunities and challenges.
Connectivity opens up an exciting avenue for automotive manufacturers (“OEMs”) by empowering them with the ability to offer Over The Air (OTA) updates from their cloud servers to the numerous connected components within a vehicle. OTA updates are essential to keep a vehicle up to date with the latest security patches and to quickly remediate a software issue or a security vulnerability. It is being used by OEMs as a cost effective tool for recalls that can be reduced or even eliminated with remote software updates.
Software OTA is projected to grow at a CAGR of 18.2% from 2017 potentially reaching US$3.89 billion by 2022 [Source: RNR Market Research, 2017]. Software OTA updates are going to play a critical role for the OEMs and consumers when dealing with safety, cybersecurity and vehicle malfunction issues.
The idea of having a deeply networked vehicle, wherein the components can seamlessly communicate with each other, and with the vehicle open to the Internet is indeed alarming. If a fraudulent user gains access to the Cloud system responsible for SOTA/FOTA (Software OTA/Firmware OTA) update, they could potentially inflict harm to the vehicle and its occupants. If a bad actor can successfully stage a Man In The Middle attack, they can send fraudulent software to a vehicle resulting in undesired software updates which can severely compromise a vehicle’s security posture.
It is therefore imperative that maximum care is taken when dealing with OTA updates. It is not just the cloud that offers these software updates that needs to be protected, but end to end transmission, communication, reception and the update process must be secured in a manner that thwarts and discourages tampering and also is smart enough to take appropriate corrective actions when an anomalous behavior is observed.
An end to end secure OTA update ensures that the desired outcome is achieved without compromising or risking the vehicle’s or its occupants’ safety. Some critical things to consider are:
-
Establishing the security chain of trust: A security chain of trust ensures that software only from trusted source(s) are in use and can validate the trust starting from the end entity all the way up to the root certificate.
-
Cloud application and infrastructure: Care must be taken to ensure the integrity and secure the cloud infrastructure that stores and delivers the software.
-
Denial of service prevention: A critical update to address a software issue or a security vulnerability may be unavailable to be pushed out to vehicles if an adversary can successfully launch a DoS attack.
-
Safeguard against Data Breach and Data Leak: Theft of software/firmware or diagnostics data may lead to interference with vehicles by bad actors and is clearly a privacy risk.
-
OTA Authentication: The SOTA update application and the cloud server should mutually authenticate each other to ensure that the software is not made available to an unknown source and that the server is not dealing with a stolen identity.
-
Software signing: Software and firmware binaries should be digitally signed so that its integrity can be verified by the requestor (vehicle).
-
Key management: Utmost care must be taken to protect private keys so that they are not compromised.
-
Logs and audit of critical events: Every critical communication, transaction, errors and anomalous behavior should be logged.
-
Secure boot: secure boot is a must to establish the chain of trust and to ensure that only trusted applications are invoked.
-
Payload verification: The signature of the payload (update software in this case) should be be verified to establish the fact that the payload is coming from a trusted source.
-
Software Failure handling and OTA rollback: For update failures, the OTA update client must ensure that the ECU is reverted to its last working condition with the most recent software version that is known to work.
Excelfore’s approach to Over The Air updates, while offering the ability to update every updatable component in the vehicle using minimum bandwidth coupled with faster updates using its patented adaptive delta technology, ensures that a layered security infrastructure is in place to ensure safe and secure transmission and application of software updates.
Leave a Comment