The Challenge Of Updating Cars

News stories about automotive hacking are becoming more common, and so is the concern about how to curb this problem. Security has become a new layer of system design complexity, and it’s being taken increasingly seriously in a market that until very recently largely ignored it.

That attitude is changing rapidly though, particularly with the advent of autonomous and connected vehicles. Security is paramount to avoiding lawsuits, bad press, and maintaining brand loyalty.

“It’s definitely something we’re taking very seriously,” said Ashley Micks, a model-based design engineer at Ford‘s Research and Innovation Center in Palo Alto, Calif. She said Ford is currently developing a slew of algorithms for a simulation tool chain to prevent everything from security breaches to architectural weaknesses that allow those breaches to occur.

Across the automobile supply chain, security has suddenly become a very hot topic due to incidents such as the Chrysler Jeep and Tesla Linux system hacks.

“With the advent of connected cars and the move to more of a consumer market oriented product, carmakers have had to think more about software content in vehicles and how to update that, how to keep it current, and go away from the traditional bending of sheet metal and connecting wires inside,” explained Andrew Patterson, director of automotive business development at Mentor Graphics.

The shift is due to the fact that there are more attack surfaces in cars today. “In the old days when it was just a wiring loom, there was a technology called the CAN bus, and it was relatively hard to hack into that. You actually have to plug in a diagnostic connector, and to do that you have to get into the car or under the bonnet, then link the connector to something remote. It certainly couldn’t be done wirelessly very easily. But with the advent of connected cars, DAB (digital audio broadcasting) radios, Bluetooth links, keyless locking — all of those present new attack surfaces for potential hackers.”

Fortunately, work has been happening both inside and outside the car to try and make that more secure.

Staying up to date
Still, security is somewhat at odds with the automotive business model. When consumers pay tens of thousands of dollars for a car, they want it to stay current with the latest technologies for more than a couple years. They also want to be able to patch security holes as they are identified. The only way to make that happen, short of regular visits to a dealership service department, is with over-the-air software updates or flash drives delivered to car owners.

“It sort of started in the infotainment head units where people wanted new content rather like they do in a smartphone,” Patterson said. “You want an OS update, and carmakers have now realized they need to update their head units certainly more frequently than the lifetime of the car. As a result, they are designing in features to allow both plug-in updates and OTA updates, probably on a three- to six-month type of cycle if there are new apps and updated user interfaces. In the last six months, an important use case has been security patches. As people find software flaws they want to be able to issue patches into their cars.”

He explained that the mechanisms to do that are either a USB plugged into the car, which is probably more secure and thereby the preferred method, or an OTA update.

In general, secrets are stringently guarded in the automotive industry, so it’s not surprising that OEMs like to keep their security procedures under wraps. They very rarely publish exactly how they do ECU security. But they do talk about the breadth of the problem they’re wrestling with.

“For example, in Mercedes S-class, there are approximately 86 ECUs, and there are a similar number in a top BMW, not all of them need updating all of the time,” he said. “It’s generally in the more complex ones like the infotainment head unit, the telematics control unit, instrument cluster — those ECUs are driving a lot of technology. One of the trends in vehicle networks, because 86 is a lot of ECUs and it’s a lot of connections to join them all together, is that people are looking at consolidating those onto ‘brains.’ ‘Let’s find a more capable multicore SoC and put lots of applications on a single brain.’”

He said this actually helps the OTA process because there are fewer ECUs to update, and one more complex brain ECU (also called a gateway ECU) can be targeted and updated. That could then manage internal updates for the other ECUs in the vehicle, providing a single point of entry.

To do the updates securely, carmakers are starting to borrow from traditional computer networks.

“The one that looks most popular and most widely used is asymmetric keys — you have a software patch, you encrypt it with a key that the carmaker would own, and then the owner of the car has a matching but different key, and that can only work together with the public key provided by the carmaker. Patches can then be delivered over the air, and they can only be unlocked by that particular user with their private key. You can make it even more secure by introducing digital certificates, just as you would have for a Windows or Apple system on your laptop or desktop. In the future we may even see digital certificates from patch providers and within the vehicles so that send and receive know they are talking to trusted sources.”

That won’t completely stop car hacking, though. “The challenge with security is that you’re dealing with an uncontrolled and evolving environment—hackers gain more knowledge by the day, and also their tools get more sophisticated over time,” said Timo Van Roermund, security architect at NXP. “It is therefore hard, if not impossible, to predict what kind of attacks you will have to deal with, say, 10 years from now. This implies that systems and their security architectures must be maintained (i.e. updated) throughout their entire the lifetime. This holds especially for connected devices, because they are potentially vulnerable to large-scale remote attacks. As such, a move towards OTA updates cannot be avoided for connected cars.”

In theory, an OTA update mechanism can be very useful. It allows manufacturers to regularly update the vehicle’s software, thereby making it resistant against the latest kinds of attacks and allowing vulnerabilities to be patched soon after they are found. But such update mechanisms must be completely secure. Otherwise, an attacker could use the same mechanism to install malicious code.

“OTA software updates are of critical importance to car manufacturers because they allow the car manufacturer to avoid costly recalls, and also give the potential to add new features to vehicles that have already been purchased,” said Alexander Tan, product line manager in the automotive solutions group at Marvell. “But at the same time, the update process is a target for anyone that is targeting to do harm or take control of a vehicle. Current systems are all proprietary in terms of safety, and they vary in level of protection. The number of recent issues for carmakers in keeping their systems secure shows that this is an area that still needs significant development and new technologies.”

Van Roermund stressed that, at a minimum, software updates need to be checked before they are applied, at least for origin and integrity of the software updates. “Fortunately, there is no need to reinvent the wheel,” he said. “Secure OTA updates are already used, with success, in the PC and the smartphone world. So the security tools and mechanisms (such as strong M2M authentication and code/data signing) are well known. As long as manufacturers leverage the knowledge, mechanisms and tools that are readily available, over-the-air updates can be very secure.”

Disruptions to the design flow
Still, most existing designs and architectures do not provide the level of security required for safe over-the-air software updates, Tan contends. “New systems have a requirement for authentication, and also possibly for encryption, depending on the nature of the information being sent in the update. In particular, encryption is recommended for any vehicle data that may be used to determine what updates are needed. These security requirements don’t directly determine the requirements of the data transport in the vehicle, but they will impact the domain architecture and the gateway requirements. Some systems in use today provide security by putting strict limits on what can be accessed over the telematics connection. This limits the effectiveness of the updates, and there are cases when manufacturers were not able to provide needed updates even with a telematics system in place.”

Not surprisingly, next-generation systems will use more robust authentication and encryption methods that preserve this flexibility. At this point, there are multiple technologies and methods being proposed, but there is still significant work required before a reliable solution is developed, Tan noted.

But even if the technology is available, implementing it isn’t so easy. The need for secure OTA updates is causing disruptions in the design process, said Adam Sherer, product management group director for automotive safety in the Systems Verification Group at Cadence. “Engineering teams need to define checkers to ensure that the software updates are from verified sources, are only provided through verified interfaces, and that the updates themselves are legitimate. This requires both additional design and verification, as well as careful adherence to requirements to ensure proper implementation.”

In effect, security must become a fundamental part of the entire lifecycle of a vehicle, Roermund said. “It needs to become an integral part of the design process, as opposed to an afterthought. Furthermore, the security architecture requires regular maintenance. One cannot design and sell a vehicle, and then forget about it. Instead, the software needs to be actively maintained afterwards.”

This will impose an extra challenge—maintaining a separate software stack for each car model over its entire lifetime, which will require a lot of extra effort.

“Manufacturers will probably need to find ways to streamline processes in order to reduce the effort required for that, such as using a platform approach with well-defined software modules to allow larger reuse of software modules across different vehicle models,” Van Roermund said.