Software-defined vehicles need secure OTA automotive updates
February 11, 2021
Field Application Engineer GuardKnox US
The world is seeing a major transition, a paradigm shift in the way cars are designed and driven. 21st century vehicles are defined by their software. They are no longer driven from the showroom as unique, isolated mechanical entities whose only customized upgrades were applied during delivery preparation.
Software can be updated on the go, and we have only started to tap the potential of customizable functions and features. Drivers will be able to customize their driving experience to such a degree that a car will simply need a profile upload to apply personal settings. This can only become a reality if automakers are able to provide repairs, safety improvements and enhancements whenever and wherever necessary through secure automotive over-the-air (OTA) updates.
Drivers will be able to download and update different pieces of software to change their car's functionality, and with it their driving experience, based on the season, the weather or the type of trip planned. A vehicle configuration fixed straight off the production line no longer scales, even if it offers smooth handling, leather seats and digital radio. Today's drivers are used to having everything available at their fingertips at all hours of the day, and they will only get this with a software-defined car.
Smartphone-ized Vehicles are Instantly Customizable
Drivers are looking for a connected, immersive experience for the hours they spend driving their cars. Whether it be during their daily commute, an annual road trip or over snow covered mountains, drivers will come to expect their vehicle to be always connected, updated and personalized with their favorite apps, features and configurations.
This is only the tip of the iceberg: software innovations are turning drivers into subscribers of services and apps. These new services and apps will be downloadable and updatable over the air (OTA) as vehicles reach even higher levels of connectivity. Major improvements in vehicle communications, connectivity, security and overall computing power are on the way, making this a reality.
Connected Vehicles Are Vulnerable Vehicles
While an always connected vehicle benefits both consumer and industry by providing a world of opportunity for customization and enhanced driver experience, it also creates a vulnerability to malicious cyber attacks that can cause loss of control, collisions, and even severe injury or loss of life. Driver and passenger safety is paramount in the automotive industry and cybersecurity of automotive OTA updates is equally critical.
Right now, ISO is preparing a committee for ISO 24089, which will define minimum requirements for secure automotive OTA updates.
The Industry is Responding to the Cybersecurity Threat
A joint working group between the International Organization for Standardization (ISO) and the Society of Automotive Engineers (SAE) created a comprehensive and robust worldwide standard for automotive cybersecurity, ISO/SAE 21434. It addresses the entire vehicle lifecycle from concept to decommissioning and also lays out requirements and activities at the organizational level.
The United Nations Economic Commission for Europe’s (UNECE) Sustainable Transport Division’s World Forum for Harmonization of Vehicle Regulations (WP.29) has developed a regulatory framework for technological innovations to make vehicles safer and more environmentally sound.
The cybersecurity and software update proposals adopted by WP.29 require automakers to implement measures to:
- Manage vehicle cybersecurity risks
- Secure vehicles by design to mitigate risks along the supply chain
- Detect and respond to security incidents across the vehicle fleet
- Provide safe, secure software updates that do not compromise vehicle safety
Passenger cars, vans, trucks, buses and other light vehicles are subject to the regulation, which entered into force in January 2021 in 58 countries, including the EU, UK, Japan and South Korea, and applies to any country selling into these markets.
Providing Safe and Secure Software Updates
Providing safe and secure software updates can be boiled down to 5 steps, starting with the system designers who translate the design into executable code, through the release and distribution processes, all the way to the targeted electronic control unit (ECU) in the receiving vehicle, reached through an over-the-air (OTA) connection rather than by bringing the vehicle into a service center.
The software release must traverse the internet and pass through many, sometimes unknown, hands. Along that path there are many potential attackers who might attempt to manipulate the software distribution process and alter the software release binaries for their own real-world gain.
Figure: Stakeholders in the OTA security process
In-Field OTA Updates
The modern vehicle is a complex network of computers on wheels with huge processing power, tremendous data storage and numerous communication channels. To meet the ISO/SAE 21434 and UNECE WP.29 requirement to "Detect and respond to security incidents across the vehicle fleet", the authenticity and security of every OTA update issued in response to an identified potential or actual security incident is paramount.
The goal of the application security architecture is to build out a system design with appropriate and sufficient security controls, so that the system offers suitably high assurance in the face of the adversaries described above.
To comply with the regulations, OEMs will need to implement in-field OTA software updates along with a solid, deterministic security system built on a robust digital signature, coupled with the best authenticity assurance possible. In addition, signed metadata that gives stakeholders the ability to identify and control compatibility, lifespan and dependencies will help provide a safe and secure vehicle.
A full software distribution process covers both the pathway the software release binaries follow through the network and the digital signature that must be applied to them. The release engineer invokes the release authority by signing the software release binary with the signing key held in the secured offline key repository. Controlling access to the system that actually uploads new software release binaries is less critical, because the digital signature is created outside of that system.
Figure: End-to-end digital signature over the software release binary as well as its metadata
Combining Confidentiality and Authenticity Cryptography
The system designer will need to consider whether the authenticity checks should sit inside or outside of the encryption. Generally speaking, for logistical reasons, the encrypted binary will need to be signed, meaning the digital signature is "outside" the encryption. If the encrypted binary is not signed, systems in the middle of the transmission chain cannot verify the contents of the software release binary with a digital signature without first decrypting it, which is both extremely impractical and would weaken the confidentiality system to the point of potential uselessness. Therefore, the signatures used for the software distribution system must be applied to the encrypted binary.
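The encrypt-then-sign layout described above, together with the signed compatibility metadata and offline release key from the previous section, as an added Go example that is not GuardKnox code: the `Release` layout, the `ECU-…` target names and the choice of AES-256-GCM for the ECU-only encryption and Ed25519 for the release-authority signature are assumptions, since the page names no specific algorithms.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)
// Release (a constructed layout) is what traverses the network: the metadata stays in
// the clear so every hop can check compatibility, but it is covered by the signature.
type Release struct {
	TargetECU, Version string // signed metadata
	Nonce, Ciphertext  []byte // AES-256-GCM; the key is known only to the target ECU
	Signature          []byte `json:"-"` // Ed25519 over the JSON of all other fields
}
func signedBytes(r *Release) []byte {
	b, _ := json.Marshal(r) // Signature is excluded from the JSON by its tag
	return b
}
func aead(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size is 16: cannot fail
	return gcm
}
// BuildRelease encrypts for the ECU first, then signs ciphertext plus metadata with the offline release key.
func BuildRelease(signKey ed25519.PrivateKey, ecuKey *[32]byte, target, version string, binary []byte) (*Release, error) {
	gcm := aead(ecuKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r := &Release{TargetECU: target, Version: version, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, binary, nil)}
	r.Signature = ed25519.Sign(signKey, signedBytes(r))
	return r, nil
}
// VerifyRelease is what any hop in the chain runs: authenticity without the ECU key.
func VerifyRelease(pub ed25519.PublicKey, r *Release) bool {
	return ed25519.Verify(pub, signedBytes(r), r.Signature)
}
// InstallOnECU checks the signature and the target ECU before decrypting anything.
func InstallOnECU(pub ed25519.PublicKey, ecuKey *[32]byte, ecuName string, r *Release) ([]byte, error) {
	if !VerifyRelease(pub, r) {
		return nil, errors.New("signature check failed")
	}
	if r.TargetECU != ecuName {
		return nil, errors.New("release is for a different ECU")
	}
	return aead(ecuKey).Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

Because the signature covers the metadata as well as the ciphertext, a hop that only holds the public key rejects a release whose version or target was altered in transit, and the ECU never decrypts anything it has not first authenticated.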
Industry Impact of Automotive OTA Updates
This greatly affects the entire vehicle ecosystem: manufacturers, suppliers, insurance companies, fleet operators, telematics providers, mobile network operators and more. As vehicle functionality and customization increase, security becomes even more important in a software-defined environment. Vehicle drivers and owners need the confidence to trust that these modern complex networks of computers on wheels are sufficiently protected.
A comprehensive solution for protecting OTA updates for vehicles is strongly supported by the shift towards hardware and software modularity that is under way as auto manufacturers move to a zonal E/E architecture. The new architecture moves the vehicle electronics towards a high-speed Ethernet backbone with multi-functional computers that replace single-function ECUs, and a software-driven Service-Oriented Architecture (SOA). Automotive SOA enables app-store-like purchase and in-field reconfiguration of software, so that paid post-delivery upgrades can be delivered through over-the-air updates.
The protection and safety of the vehicle rely on the adoption of robust cybersecurity processes.