Securing Automotive Over-The-Air (SOTA) Updates

New guidelines help make sure secure updates really are secure.


Modern vehicles are essentially a network of networks – equipped with a range of embedded communication methods and capabilities. Consequently, there is broad industry consensus that vehicle cyber security should rank as a top priority for the automotive sector. In this context, automotive OEMs have begun to provide secure over-the-air (SOTA) updates for various systems.

Recently, the non-profit automotive research consortium known as FASTR published a comprehensive document that provides a detailed framework for secure OTA (SOTA) vehicle updates. Co-authored by Rambus security researchers, the guidelines are intended to assist automotive manufacturers and others involved in evaluating platforms for secure updates by describing threat models, providing recommended cryptographic algorithms and outlining a step-by-step checklist for evaluating SOTA systems.

More specifically, the guidelines identify a number of potential threats and attack vectors targeting OTA updates, grouped along the familiar STRIDE categories: spoofing, tampering, repudiation, escalation of privileges, information leakage and denial of service (DoS).

The FASTR document also offers a detailed list of SOTA threat mitigation guidelines, such as: encrypting software updates; using a signed certificate containing the public key of the entity requesting the update (that is, the OEM or supplier that originates and authorizes the update); digitally signing updates after encryption with that entity's private key, so that a receiving device verifies authenticity before it decrypts anything; securing all network transactions with TLS using public key authentication, with certificates signed by a trusted Certificate Authority; and having clients perform hostname verification to ensure they are connecting to the correct server.
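As an added example, not code from the FASTR document or from Rambus, the following Go program shows the encrypt-then-sign packaging the guidelines describe and the matching device-side check: the publisher encrypts the firmware image with a content key, signs the ciphertext with its private key, and the device verifies the signature against the publisher's pinned public key before it decrypts. The `Publisher`, `Device` and `UpdatePackage` types, the choice of AES-256-GCM and Ed25519, and the firmware sample are assumptions made for illustration; FASTR does not prescribe a package format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed container for this example. The signature
// covers the ciphertext, never the plaintext, so a device can establish
// authenticity before the decryptor sees a single byte.
type UpdatePackage struct {
	Nonce      []byte // AES-GCM nonce, unique per package
	Ciphertext []byte // encrypted firmware image with the GCM tag appended
	Signature  []byte // Ed25519 signature over Nonce || Ciphertext
}

// Publisher is the entity issuing the update (OEM or supplier).
type Publisher struct {
	signingKey ed25519.PrivateKey
	contentKey []byte // AES-256 key provisioned to authorized devices
}

// Device is the vehicle-side client. It pins the publisher's public key and
// holds the content key it was provisioned with.
type Device struct {
	publisherPub ed25519.PublicKey
	contentKey   []byte
}

// NewPublisher generates fresh keys and returns a publisher together with a
// device provisioned to accept its updates (provisioning itself is out of
// scope here; assumed to happen over a trusted channel).
func NewPublisher() (*Publisher, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, nil, err
	}
	return &Publisher{priv, contentKey}, &Device{pub, contentKey}, nil
}

// signedBytes returns the exact byte string the signature covers.
func signedBytes(nonce, ciphertext []byte) []byte {
	msg := make([]byte, 0, len(nonce)+len(ciphertext))
	msg = append(msg, nonce...)
	return append(msg, ciphertext...)
}

// Package encrypts the firmware image and then signs the ciphertext
// (encrypt-then-sign, as the guidelines describe).
func (p *Publisher) Package(firmware []byte) (*UpdatePackage, error) {
	block, err := aes.NewCipher(p.contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, firmware, nil)
	sig := ed25519.Sign(p.signingKey, signedBytes(nonce, ct))
	return &UpdatePackage{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Verify checks the signature first and only then decrypts. A tampered or
// mis-signed package is rejected before any decryption takes place.
func (d *Device) Verify(pkg *UpdatePackage) ([]byte, error) {
	if !ed25519.Verify(d.publisherPub, signedBytes(pkg.Nonce, pkg.Ciphertext), pkg.Signature) {
		return nil, errors.New("update rejected: signature verification failed")
	}
	block, err := aes.NewCipher(d.contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	firmware, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("update rejected: decryption failed: %w", err)
	}
	return firmware, nil
}

func main() {
	publisher, device, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample image; a real package would carry an ECU binary.
	firmware := []byte("ECU firmware image v2.1 (constructed sample)")
	pkg, err := publisher.Package(firmware)
	if err != nil {
		panic(err)
	}
	if _, err := device.Verify(pkg); err == nil {
		fmt.Println("genuine package accepted")
	}
	// Flip one bit of the ciphertext in transit: the signature check fails.
	pkg.Ciphertext[0] ^= 0x01
	_, err = device.Verify(pkg)
	fmt.Println("tampered package:", err)
}
```

The transport is deliberately left out of the block: the TLS requirement in the guidelines is met on the Go side by a `tls.Config` with `ServerName` set to the expected host and `InsecureSkipVerify` left at its default of false, which makes the client verify the server certificate against the configured CA pool and check the hostname. The package-level signature is what protects the update if that transport is ever terminated by something other than the genuine update server.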

Additional FASTR SOTA guidelines include: delivering software updates only to authorized devices; tamper-proof logging of all important events; anchoring the SOTA update process in a secure boot mechanism; designing the update system to "fail gracefully" under a DoS attack; using anti-malware protections such as whitelists and in-memory protection; and ensuring that compliant SOTA update systems clear all shared resources of sensitive data and keys that were temporarily stored during the update.
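The tamper-proof logging item above is the one most often implemented weakly (a plain text file an attacker with filesystem access can edit). As an added example, not code from the FASTR document or from Rambus, the following Go program keeps a hash-chained, HMAC-tagged event log: every entry's tag commits to the previous entry's tag, so editing, reordering or removing any entry invalidates every tag that follows it. The `AuditLog` and `Entry` types, the event names and the key are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Entry is one audited SOTA event. The format is constructed for this example.
type Entry struct {
	Seq    uint64
	Event  string // e.g. "UPDATE_RECEIVED", "SIGNATURE_OK", "INSTALL_FAILED"
	Detail string
	Tag    [32]byte // HMAC-SHA256 over (Seq, Event, Detail, previous Tag)
}

// AuditLog is an append-only, hash-chained log. The HMAC key is assumed to be
// held where the application cannot read it back (a secure element or HSM);
// here it is a plain byte slice so the example runs stand-alone.
type AuditLog struct {
	key     []byte
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog {
	return &AuditLog{key: key}
}

// tag computes the chain tag for an entry given the previous entry's tag.
func (l *AuditLog) tag(seq uint64, event, detail string, prev [32]byte) [32]byte {
	mac := hmac.New(sha256.New, l.key)
	var seqBuf [8]byte
	binary.BigEndian.PutUint64(seqBuf[:], seq)
	mac.Write(seqBuf[:])
	// Length-prefix each string so "ab"+"c" and "a"+"bc" cannot collide.
	for _, s := range []string{event, detail} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		mac.Write(n[:])
		mac.Write([]byte(s))
	}
	mac.Write(prev[:])
	var out [32]byte
	copy(out[:], mac.Sum(nil))
	return out
}

// Append records an event, chaining it to the previous entry.
func (l *AuditLog) Append(event, detail string) Entry {
	var prev [32]byte // all zeros for the first (genesis) entry
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Tag
	}
	seq := uint64(len(l.entries))
	e := Entry{Seq: seq, Event: event, Detail: detail, Tag: l.tag(seq, event, detail, prev)}
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain from the start and reports the first entry whose
// sequence number or tag does not match.
func (l *AuditLog) Verify() error {
	var prev [32]byte
	for i, e := range l.entries {
		if e.Seq != uint64(i) {
			return fmt.Errorf("entry %d: sequence gap (got seq %d)", i, e.Seq)
		}
		want := l.tag(e.Seq, e.Event, e.Detail, prev)
		if !hmac.Equal(want[:], e.Tag[:]) {
			return fmt.Errorf("entry %d: tag mismatch, log modified at or before here", i)
		}
		prev = e.Tag
	}
	return nil
}

// Entries exposes the log for inspection.
func (l *AuditLog) Entries() []Entry { return l.entries }

func main() {
	al := NewAuditLog([]byte("constructed-demo-key-do-not-reuse"))
	al.Append("UPDATE_RECEIVED", "pkg=ecu-fw-2.1")
	al.Append("SIGNATURE_OK", "pkg=ecu-fw-2.1")
	al.Append("INSTALL_FAILED", "pkg=ecu-fw-2.1 reason=power-loss")
	fmt.Println("fresh log:", al.Verify())
	// An attacker rewrites history to hide the failed install.
	al.entries[2].Event = "INSTALL_OK"
	al.entries[2].Detail = "pkg=ecu-fw-2.1"
	fmt.Println("edited log:", al.Verify())
}
```

One limit worth knowing: a chain like this detects edits, reordering and deletions in the middle, but not truncation of the tail, because removing the newest entries leaves a still-consistent prefix. Reporting the latest tag to the backend (or writing it to a monotonic counter in a secure element) at each update step is what closes that gap.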

In conclusion, the modern automotive ecosystem demands a robust, dynamic approach to maintaining the security, safety and integrity of intelligently connected vehicles on the road. Verifying software components before they run, and recording that verification in a forensically sound manner, is central to this effort. The FASTR guidelines described above offer a comprehensive, objective resource to help OEMs analyze SOTA systems and make sound design choices. Given the expected scope and impact of OTA updates, we strongly recommend the use of these guidelines across the automotive value chain.



1 comment

Apoorva says:

The link to non-profit automotive consortium does not seem relevant.
