Cybersecurity Risks Of Automotive OTA

Over-the-air updates will introduce the potential for security gaps as vehicles grow increasingly software-defined.


Modern vehicles increasingly resemble supercomputers on wheels, with many electronic control units (ECUs) networked together as increasingly sophisticated software is installed and updated. Similar to smartphones, vehicle OEMs will contact vehicle owners remotely about operating system updates that add new features and/or fix software bugs and vulnerabilities.

But all of this has to be done securely, and over-the-air technology is still a relatively immature technology when it comes to safety-critical applications. Software controls a number of components inside modern vehicles, including the Advanced Driver Assistance Systems (ADAS), along with the electronic dashboard, powertrain, and infotainment systems. With OTA updates, cars could run more efficiently, stay up-to-date on technology longer, and benefit from improved EV battery performance. These updates can be sent directly from the OEMs or through vehicle dealers.

This already is happening. In 2020, Honda recalled 608,000 vehicles in the U.S. to fix software bugs that were causing instruments to show incorrect speed information, and other errors pertaining to the rear-view camera video. Software updates were performed OTA, which allowed Honda to realize cost savings by broadcasting updates simultaneously to many vehicles instead of bringing them into dealerships for the repairs.

Other updates can improve vehicle performance and safety, some of which can be done without the dealerships’ involvement, saving car owners time.

Broadly speaking, updates can be divided into two categories — critical and non-critical. Critical updates directly impact engine and powertrain performance and safety. Non-critical updates provide new features to infotainment systems, for example.

“Within the next 5 to 10 years, many vehicles will be software-defined,” said Robert Day, director of automotive partnerships for Arm’s Automotive Line of Business. “Software and firmware updates for ECUs will be easily performed with OTA. Much like updating the operating system of a mobile phone, the vehicles can do this at the shop, or parked somewhere with access to Wi-Fi. Most importantly, this can be done at the drivers’ convenience.”

According to Market Research Future, the automotive OTA updates market will grow approximately 18% from 2022 to 2030. Industry revenue is forecast to reach $14.47 billion by 2030, up from $2.89 billion in 2021. Some of the suppliers include Continental AG, Garmin Ltd., Delphi Automotive, NVIDIA, Robert Bosch GmbH, and NXP.

But OTA has its downside, as well. In October 2022, Tesla recalled more than 40,000 Model S and Model X vehicles built between 2017 and 2021 due to a software update issue, according to the NHTSA. An OTA firmware release meant to update the calibration values of the electronic power assist steering system caused a different problem. Some vehicle owners experienced the loss of power steering ability after hitting a pothole or a bump, which required another OTA update to fix.

Another challenge is simply that implementing security in any market is difficult, especially in complex systems such as automotive, where the use of third-party IP is growing. That IP can be in the form of software or hardware, and if it is poorly designed or integrated, or so complex that it can never be completely verified and debugged, then it can open a door for cyberattacks.

“Transparency in this comes down to writing down the requirements, not having them scattered throughout the 500 page documentation, and grouping them all together so that the users are very clear about the security functionality,” said Nicole Fern, senior security analyst at Riscure. “Good vendors will have that. But great vendors will also tell you where the limitations are, because every solution that claims to offer some sort of security guarantee has weaknesses. There’s a certain point at which it can’t protect you because every solution can be broken eventually. When design teams are looking at the vast landscape of all the different IP that can potentially be integrated into a product, and how they should make a decision as to which one to integrate, it’s important to look for vendors who are transparent about the strengths, but also what conditions the IP can no longer provide those guarantees in.”

OTA trends
The auto industry is slowly catching up on OTA, but not all OEMs are equally tech savvy. There are some practical challenges involved, and much like installing a piece of software on a laptop, it does not always go smoothly. What happens if a piece of software installed via OTA does not work? Some experts suggest doing a partial installation first. Others advise having a backup solution, as well. The degree of technical expertise varies among vehicle owners, increasing the complexity of OTA updates. Software over-the-air (SOTA) is a little bit more straightforward. Adding firmware updates becomes more challenging for some OEMs.

Some OEMs are taking the lead, while others are adopting a wait-and-see attitude. According to Electrek, OEM OTA capabilities are “all over the map.”

For example, GM took the lead in OTA as early as 2009 with the OnStar infotainment platform. By 2019 GM’s vehicle intelligent platform could send OTA updates to ECUs and to the infotainment systems of most models. Mercedes-Benz OTA primarily focuses on infotainment and navigation. BMW initiated OTA in 2018. It provides OTA updates to most models, but compared with other automakers, it is still behind, experts say. Audi offers OTA on navigation updates only.

Some OEMs are trying to accelerate their OTA expertise by forming partnerships. For example, BYD, the first Chinese car manufacturer to offer an OTA solution in 2018, formed a partnership with Aurora Mobile Ltd. in 2021 to provide additional OTA capabilities. Hyundai attempted to catch up by forming a partnership with NVIDIA. So far, Hyundai’s OTA update capability is limited to only infotainment and maps.

OTA support for engine performance has been free of charge to vehicle owners, but charging for OTA infotainment updates has been discussed, as these updates add new features and convenience. If this model works, it will bring additional revenue to OEMs.

How OTA works
Automotive OTA is a process by which OEMs can broadcast software over Wi-Fi or cellular (4G/5G/LTE) networks to the target vehicles. The intent is to update vehicle software and firmware as well as installing useful configuration information. There are five general categories: software over-the-air (SOTA), firmware-over-the-air (FOTA), over-the-air provisioning (OTAP), over-the-air service provisioning (OTASP), and over-the-air parameter administration (OTAPA).

SOTA is by far the most common OTA offering. FOTA is more challenging because it requires higher computing performance and connection speeds. Tesla is one of the automakers providing FOTA. The other types of OTA are used mostly for software and system configuration purposes.

Typically, a remote server sends OTA content to the vehicle’s telematic control unit (TCU). Then the information is passed along to various processors, ultimately resulting in the updated information being stored in a memory device such as a SIM card.

Fig. 1: OTA can simultaneously broadcast updated software to multiple vehicles. Source: Rambus

Is OTA secure?
Any wireless network can be a cyberattack target, and design vulnerabilities can provide a way for hackers to gain access to the networks. Inside autonomous vehicles, there are multiple sophisticated mini networks connecting multiple electronic control units, including the telematic control unit (TCU), which is a gateway to the outside world.

A TCU is capable of connecting 4G/5G, LTE, Wi-Fi, and other short-range wireless connections. The various TCU components include network and GPS chips, e-SIM, MCU, memories (to store driving and vehicle data), and interfaces such as CAN, Ethernet, and USB. Any of these components can be a target. Once the TCU is compromised, the rest of the networks and systems are exposed.

As vehicles have both noncritical systems such as those for infotainment, and critical systems such as those controlling ECUs, an attack on an infotainment system may cause inconvenience, while a successful attack on ECUs can be fatal.

Autonomous vehicles (AVs) rely on many sensors, including radar, lidar, and cameras to navigate. When a sensor is attacked, it may have serious consequences. For instance, one scenario demonstrated that an attack can skew the camera sensors’ view. An AV was given an instruction to auto park. However, the AV lined up behind another car and turned off the engine, unaware that the other “parked” car was waiting to enter a parking garage. In other scenarios, the consequences can be more serious.

“OTA is very software-intensive,” said David Fritz, vice president of hybrid and virtual systems at Siemens Digital Industries Software. “If hackers are successful in infecting the software, they can do a system reset and take control of the vehicle. It is much more secure to implement hardware security, such as using secured chips, or to incorporate security IP in the design. Take the case of the telematic control unit, which comprises both software and hardware. If the TCU gateway is infected, the whole system will be compromised. The two fronts in security need to be deployed. The contents of OTA need to be secured by the OEMs before they are broadcast, and at the receiving end, the vehicles need to be secured, as well.”

User requirements from the application trickle through the design chain and need to be considered carefully at the chip-level.

“Safety and security aspects are closely linked and maintaining coherency of system configurations during OTA updates is critical to make sure no sub-systems are ‘left behind’ in a potentially non-coordinated, potentially unsafe and non-secure state,” noted Frank Schirrmeister, vice president of solutions and business development at Arteris IP. “Dealing with security and safety aspects of data will require consideration all the way from the system-level software through the PCB, the 3D-IC interconnect, and the networks on chips (NoCs) at the chip-level. Monitoring and assessing the integrity of data at all of these levels is critical, and it will be interesting to see whether and how the regulatory environment – like UN R155 and UN R156 – for OTA updates will influence the direction and requirements at the chip and system-level.”

It is important to understand that OTA faces a growing list of attacks, including spoofing, unauthorized access, tampering, repudiation, man-in-the-middle, privilege escalation, and distributed denial of service (DDoS). Another concern is information leakage that allows bad actors to inject malware and viruses. And because OTA is relatively new and the cyberattacks have not been in full force yet, the automotive industry is in a vulnerable situation.

A strong defense
Defense systems for OTA should cover the source, the destination, and everything in between, leaving no room for hackers to attack. Because OTA designs involve software, firmware, hardware, and systems, developers need to be well versed in each and secure each of these components independently.

“It is critical to safeguard the security of OTA,” said Bart Stevens, senior director of product marketing for security at Rambus. “Some practices developers should pay attention to include encrypting software updates, using a signed certificate containing the public key of the entity requesting the update, digitally signing updates after encryption, securing all network transactions with TLS public key authentication (signed by a trusted certificate authority), and (clients) performing hostname verification to ensure they are connecting to a verified server.”

Additionally, it helps to deliver updates only to authorized devices, do tamper-proof logging of all important events, and initialize SOTA/FOTA updates with a secure boot mechanism. Software update systems also need to be designed to “fail gracefully” in the case of denial-of-service (DoS) attacks, utilize anti-malware protection such as whitelists and in-memory protection, and ensure that compliant SOTA/FOTA software update systems clear all shared resources of sensitive data and keys that were temporarily stored during software updates.
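
The tamper-proof logging practice listed above, sketched as an added example (not code from the article or from any vendor it quotes): an HMAC hash chain over OTA events, using only the Python standard library. The event fields, vehicle ID, and key are constructed for illustration, and where the key and the saved head MAC are stored is an assumption.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32               # value chained into the first entry
DEMO_KEY = b"constructed-demo-key"   # constructed; a real key lives in protected storage

def _mac(key, prev, event):
    # Canonical JSON so an event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()

class OtaEventLog:
    """Append-only log; each entry's MAC also covers the previous MAC."""
    def __init__(self, key):
        self._key = key
        self.entries = []    # (event, mac_hex) pairs, oldest first
        self.head = GENESIS  # MAC of the newest entry

    def append(self, event):
        self.head = _mac(self._key, self.head, event)
        self.entries.append((dict(event), self.head.hex()))

def verify_log(key, entries, expected_head):
    """Return -1 if intact, else the index where the chain first breaks.

    expected_head is the newest MAC, assumed to be kept where someone
    who can edit the log cannot rewrite it; without it, entries dropped
    from the tail would go unnoticed.
    """
    prev = GENESIS
    for i, (event, mac_hex) in enumerate(entries):
        mac = _mac(key, prev, event)
        if not hmac.compare_digest(mac.hex(), mac_hex):
            return i
        prev = mac
    return -1 if hmac.compare_digest(prev, expected_head) else len(entries)

def demo_log():
    """Constructed sample: three events for one made-up vehicle ID."""
    log = OtaEventLog(DEMO_KEY)
    for name in ("update_offered", "signature_verified", "install_complete"):
        log.append({"vehicle": "DEMO-0001", "event": name, "version": "2.4.1"})
    return log
```

Because every MAC depends on the one before it, editing, removing, or reordering an entry breaks verification from that point on, and comparing against the separately stored head catches a log that was cut short.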

And that’s just for starters. “OTA management at the end point will continue to have more hardware involvement with ever growing adoptions of hardware roots of trust,” said Jason Oberg, CTO at Cycuity. “The hardware root of trust is often responsible for decrypting and authenticating the update to ensure it cannot be stolen or modified, and that it’s from a trusted source. A systematic process that can help prevent design weaknesses in hardware roots of trust will help increase the assurance in OTA at the endpoint. Techniques that systematically deploy analysis of things like MITRE Common Weakness Enumeration (CWE) we have found to be particularly effective in building such a process.”

To increase automotive safety including cybersecurity regulations for OTA, the World Forum for the Harmonization of Vehicle Regulations published the first international standard UNECE WP.29 Automotive Cybersecurity Regulation in 2020. UNECE stands for United Nations Economic Commission for Europe. The WP.29 provided the process for technology manufacturers to follow to achieve cybersecurity for automotive. Among other things, WP.29 required OEMs to be able to detect threats and vulnerabilities, and prevent cyberattacks.

Separately, the eSync Alliance, a non-profit trade association, is driving a multi-company cooperation to create a standard specification for OTA pipelines, including security. The five founding members were Alps Alpine, Excelfore, Hella, Molex and ZF, with 15 other members made up of tier-1 suppliers, automakers, cybersecurity firms, and semiconductor companies. The organization has created an eSync software platform to provide a secure data pipeline to devices within a vehicle. Along with the v2.0 specification, which included information on cybersecurity (Sect. 9) and WP.29 compliance (Sect. 9.1), a certification program is also provided.

Rambus’ Stevens also recommends following the National Highway Traffic Safety Administration’s updated recommendations to maintain the integrity of OTA updates, server updates, the transmission mechanisms, and the updating process in general. “Being aware of the security risks of insider threats, man-in-the-middle attacks, and protocol vulnerabilities will go a long way.”

OTA is still in its infancy. It has many benefits, including cost saving for OEMs. As suggested by Arm’s Day, many vehicles will be software-defined within the next 5 to 10 years. OTA will be an important tool for software and firmware updates. Most of these leading OEMs, including GM, Mercedes-Benz, BMW, and many others are developing OTA capabilities.

“Like any other wireless technologies, OTA is exposed to the same cyber risks,” said Ron DiGiuseppe, senior automotive IP segment manager at Synopsys. “By addressing the cyber vulnerabilities, the OTA benefits outweigh the risks. There will be major cost savings for the OEMs and the vehicle owners by reducing the frequency of dealer visits. Additionally, OTA potentially can create a new business model for OEMs by offering additional features, say for the infotainment systems. Also, OTA can update software vulnerability much faster.”

While OTA faces many challenges, including incomplete testing, potential cyberattacks, adding full features to the offerings, and more, it is still a technology of the future, with more OEMs expected to participate.
