Many recent hacks targeting connected cars have created a huge buzz, posing a challenge to the security of the system. Typically, a wireless connection is used to gain access to the CAN bus, which interconnects a large number of control units within the vehicle. This allows remote control of the brakes, accelerator, door locks, air conditioning system, wipers and other functions.
These kinds of hacking attacks on cars have been in the headlines lately. This is not particularly surprising, since more and more vehicles are themselves equipped with interfaces for exchanging data with the outside world.
The vehicle has become a mobile living space; the car is evolving into a mobile device. Especially among younger customers, there is a growing demand for comfort functions to stay connected at all times, or to share vehicle data such as fuel consumption or power output through applications for subsequent evaluation.
As a result, the connected car has become a reality. The topic concerns not only customers and manufacturers but also security researchers and IT experts and, at worst, criminal hackers. For years, security experts have noted that personal computers are no longer the only targets of digital attacks; a large portion of malware is now tailored to mobile devices. It would be premature to assume that this development will leave the connected car untouched.
So far, criminal hacking of vehicles and vehicle systems has been a rare exception. However, it is now obvious to OEMs that the security of the connected car is paramount. When the car becomes a personal mobile device that owners use to communicate, and possibly personalize through apps, it also becomes a target for manipulation by potential attackers.
Over-the-air software updates for security
But how can the auto industry protect itself and its customers from digital attacks? For some players in the automotive industry, doing without the air interface altogether has long been the preferred philosophy, but that is not in the customer's interest. Data connections are also indispensable for innovative V2V and V2I services, which will be developed further and are closely related to autonomous driving. Hence there is no way to avoid the use of Bluetooth, WLAN or cellular communications in vehicles entirely.
On the other hand, the traditional remedies, a recall or remedial work at a garage, cannot protect vehicles from digital attacks in a timely manner. Recall campaigns are also costly and damage the reputation of the automaker.
The race against car hackers clearly cannot be won this way: patching all affected vehicles through the workshop takes months, and in the meantime attackers continue their activities. Leaving a known hazard open for such a period is unacceptable, since a manipulated vehicle poses a significant risk to the driver and to everyone around it. In addition, further weaknesses in the vehicle are often discovered during such a period, so the patch is already out of date by the time it is installed.
So let us look at the world of mobile devices for a way to replace repair recalls: suppliers of apps and smartphone operating systems constantly supply end devices with the latest versions of their products. Sometimes a small patch closes a weakness; in other cases a new version with new features is released.
Such updates to software and firmware are delivered "over the air" (OTA), that is, over the air interface. Once transferred to the device, they are installed automatically.
Firmware over-the-air (FOTA) addresses the challenge of bringing a large number of devices to the latest software state promptly: patches can be delivered quickly and continuously to close weak points, new functions can be integrated, and up-to-date cryptographic algorithms can be rolled out to keep the control unit secure.
To update a large number of control units via FOTA, the gateway approach is used. A control unit with a mobile wireless interface acts as an intermediary between the back end and the control units to be updated: it receives all software packages over the air interface and distributes them to each target device via the CAN bus or a higher-performance channel such as Ethernet. The gateway ECU also controls and coordinates the entire update process; if an error occurs, for example, it must initiate the rollback mechanism.
Beyond closing the security gap through FOTA, many other technical measures are of course required on the device side, such as authentication (password protection) on all ECU interfaces. This applies in particular to wireless access via cellular communication, Bluetooth and wireless LAN.
In addition, development and configuration processes need to be adapted to the new environment. For example, an end-to-end risk analysis is not yet standard practice, but by now it should be a mandatory part of the manufacturer's requirements to suppliers. In such an analysis, possible attack scenarios against every part of the chain are examined in detail, including their impact on security and ultimately on functional safety. Adequate safeguards can then be derived from the results. Only if the OEM, the supplier of the back-end solution and the manufacturer of the control unit cooperate from an early stage of development can this approach succeed.
This means ensuring security holistically rather than treating the control unit as a black box during development. Furthermore, security measures must not stop being provided and maintained once production has started: security analysis, security-oriented testing and FOTA-delivered remediation of security vulnerabilities must continue throughout the life of the product.
For example, organizational measures related to secure development and production processes include controls over access to confidential data such as keys and certificates, as well as development specifications for security-related components. Such data and documents must be stored in encrypted form on protected servers, with authenticated access restricted to a very small number of people.
Special attention must also be paid to security-oriented testing. Penetration testing in particular makes it possible to pinpoint security vulnerabilities: using the methods and tools of real attackers, testers deliberately try to break into the system. The results show the current level of security and tell developers which countermeasures are needed to close critical weak points.
Looking at the FOTA process chain and the functional units involved already reveals the complexity and the high technical requirements.
Security has the highest priority here. There must be assurance that the FOTA process itself cannot be turned into an additional attack vector. If FOTA were misused to introduce manipulated software into a device, the repercussions for security, and eventually for functional safety, could be immeasurable.
Cryptographic protection of the air interface is a prerequisite for a secure FOTA mechanism. The usual practice is to establish a secure connection by means of TLS. The keys and certificates required for this must be provisioned into the device confidentially and protected from manipulation, and then kept in protected storage on the device. Dedicated hardware security modules (HSMs) provide this secure storage and the secure execution of cryptographic operations. Note that TLS protects only the link between the back end and the gateway; the software packages themselves must be authenticated end to end, since they travel on to the target ECUs over vehicle buses that TLS does not cover.
A secure installation process (secure flash) and security-oriented checks when starting the device software (trusted boot) prevent manipulated software from being installed or executed. In both mechanisms, the authenticity of the software is verified by means of digital signatures.
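As an added illustration of the secure-flash and trusted-boot checks just described (example code written for this page, not code from the original article or from any OEM, supplier or product it mentions), the following Python models a signed update manifest and an ECU that verifies it both before installing an image and on every boot. The ECU name "BCM", the manifest fields, the sample images and the key are constructed assumptions. An HMAC with a key assumed to live in the ECU's HSM stands in for the digital signature a real scheme uses, where the signing key stays in the back end and the ECU holds only the public key.

```python
import hashlib
import hmac
import json

# Assumption for this example: a symmetric key held inside the ECU's HSM. It
# stands in for the signature scheme of a real secure-flash process, in which
# the ECU stores only a public key and the signing key stays in the back end.
# The value is constructed sample data.
HSM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
TAG_LEN = 32

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, "sha256").digest()

def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Back-end side: canonical JSON followed by its authentication tag. The
    manifest binds ECU id, version and image digest together, so authenticating
    the manifest authenticates the image."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return payload + _tag(payload, key)

def verify_manifest(blob: bytes, key: bytes):
    """ECU side: the manifest dict, or None if the tag does not verify."""
    if len(blob) <= TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(_tag(payload, key), tag):
        return None
    return json.loads(payload)

class Ecu:
    """One control unit: an application slot plus the manifest that authorised it."""
    def __init__(self, ecu_id: str, image: bytes, manifest_blob: bytes):
        self.ecu_id = ecu_id
        self.flash = image
        self.manifest_blob = manifest_blob

    def secure_flash(self, image: bytes, manifest_blob: bytes, key: bytes = HSM_KEY) -> bool:
        """Install only if the manifest authenticates, names this ECU, is newer
        than what is installed and matches the received image byte for byte."""
        new = verify_manifest(manifest_blob, key)
        if new is None or new.get("ecu") != self.ecu_id:
            return False
        current = verify_manifest(self.manifest_blob, key)
        if current is not None and new["version"] <= current["version"]:
            return False  # refuse downgrades to old, possibly vulnerable, images
        if sha256(image) != new["sha256"]:
            return False  # image tampered with, or not the one the manifest covers
        self.flash, self.manifest_blob = image, manifest_blob
        return True

    def trusted_boot(self, key: bytes = HSM_KEY) -> bool:
        """Bootloader check on every start: re-verify the stored manifest and the
        image digest rather than trusting a flag set at install time. On failure
        the ECU stays in the bootloader and waits for a valid update."""
        m = verify_manifest(self.manifest_blob, key)
        return (m is not None and m.get("ecu") == self.ecu_id
                and sha256(self.flash) == m["sha256"])

# Constructed sample images and manifests for an ECU called "BCM" (assumed name).
IMAGE_V1 = b"constructed BCM application image v1 " * 16
IMAGE_V2 = b"constructed BCM application image v2 " * 16
MANIFEST_V1 = sign_manifest({"ecu": "BCM", "version": 1, "sha256": sha256(IMAGE_V1)}, HSM_KEY)
MANIFEST_V2 = sign_manifest({"ecu": "BCM", "version": 2, "sha256": sha256(IMAGE_V2)}, HSM_KEY)

def demo() -> dict:
    """Run the flows described in the text; every entry should be True."""
    ecu = Ecu("BCM", IMAGE_V1, MANIFEST_V1)
    results = {"boot_v1": ecu.trusted_boot()}
    results["install_v2"] = ecu.secure_flash(IMAGE_V2, MANIFEST_V2)
    results["downgrade_refused"] = not ecu.secure_flash(IMAGE_V1, MANIFEST_V1)
    forged = sign_manifest({"ecu": "BCM", "version": 9, "sha256": sha256(b"evil")}, b"attacker key")
    results["forged_refused"] = not ecu.secure_flash(b"evil", forged)
    ecu.flash = ecu.flash[:-1] + bytes([ecu.flash[-1] ^ 0x01])  # one flipped bit in flash
    results["tampered_boot_refused"] = not ecu.trusted_boot()
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Three design points carry over to a real implementation regardless of the signature scheme: the manifest, not the bare image, is the authenticated object; the version comparison is what stops an attacker from replaying an old, signed but vulnerable image; and trusted boot repeats the full check on every start instead of trusting state left behind by the installer.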
Development interfaces such as UART, USB or JTAG must also be disabled on series-production units, or protected by cryptographic authentication, to prevent intrusion into the device. Otherwise attackers may use these channels to read out or manipulate software and confidential data.
Besides being executed securely, the FOTA process should also be fast and efficient. On the one hand, the mobile data volume and the corresponding costs should be kept to a minimum; on the other, the inconvenience to the owner should be as small as possible.
Efficiency is achieved through incremental updates: only the differences from the installed software are transferred and installed, at the level of binary blocks or files. The delta algorithm used and the partitioning of the software into static and changeable data areas have a significant impact on the package size.
The FOTA process must be extremely robust and fault-tolerant so that incompatible, crashing or inconsistent software that would break functionality is never installed. Errors must therefore be detected through integrity checks and by monitoring the communication channel, and every error must trigger an appropriate response, for example re-establishing an error-free state by rolling back the operation.
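The gateway orchestration described earlier (packages received from the back end and distributed to each target ECU over the vehicle bus, with rollback on error), the incremental update and the integrity checks of the last two paragraphs, in one added Python example written for this page (not the original article's code, nor any OEM's or supplier's implementation). The block size, the frame size, the delta format, the class and function names and the sample images are all constructed assumptions. A production delta algorithm (bsdiff and similar) also finds data that has moved; this block-aligned version only recognises blocks unchanged in place, which is enough to show why keeping static and changeable areas apart shrinks the package.

```python
import hashlib
import struct
import zlib

BLOCK = 64  # delta block size (assumption for this example)
MTU = 64    # payload bytes per bus frame (assumption, CAN FD sized)

def make_delta(old: bytes, new: bytes) -> bytes:
    """Block-aligned delta: 'C' off len for a block unchanged in place (static
    area, nothing transferred), 'I' len data for a changed block."""
    out = bytearray()
    for off in range(0, len(new), BLOCK):
        chunk = new[off:off + BLOCK]
        if old[off:off + BLOCK] == chunk:
            out += b"C" + struct.pack(">II", off, len(chunk))
        else:
            out += b"I" + struct.pack(">I", len(chunk)) + chunk
    return bytes(out)

def apply_delta(old: bytes, delta: bytes) -> bytes:
    """Rebuild the new image from the installed one plus the delta."""
    out, i = bytearray(), 0
    while i < len(delta):
        tag = delta[i:i + 1]
        if tag == b"C":
            off, n = struct.unpack(">II", delta[i + 1:i + 9])
            out += old[off:off + n]
            i += 9
        elif tag == b"I":
            (n,) = struct.unpack(">I", delta[i + 1:i + 5])
            out += delta[i + 5:i + 5 + n]
            i += 5 + n
        else:
            raise ValueError("corrupt delta")
    return bytes(out)

def to_frames(package: bytes) -> list:
    """Gateway side: sequence number plus CRC-32 per frame, so the receiver
    can supervise the bus for corruption and lost frames."""
    return [(seq, zlib.crc32(package[i:i + MTU]), package[i:i + MTU])
            for seq, i in enumerate(range(0, len(package), MTU))]

def reassemble(frames):
    """Target side: the package, or None on a CRC error or a sequence gap."""
    buf = bytearray()
    for expected, (seq, crc, payload) in enumerate(frames):
        if seq != expected or zlib.crc32(payload) != crc:
            return None
        buf += payload
    return bytes(buf)

class TargetEcu:
    """A/B slots: the candidate is built in the inactive slot and becomes active
    only after its digest matches the manifest; the old image stays intact so a
    failed post-install self-test can switch straight back to it."""
    def __init__(self, image: bytes):
        self.slots, self.active, self.previous = [image, b""], 0, None

    def install(self, frames, expected_sha256: str) -> str:
        delta = reassemble(frames)
        if delta is None:
            return "transfer error: active slot untouched"
        candidate = apply_delta(self.slots[self.active], delta)
        if hashlib.sha256(candidate).hexdigest() != expected_sha256:
            return "digest mismatch: candidate discarded, active slot untouched"
        self.slots[1 - self.active] = candidate
        self.previous, self.active = self.active, 1 - self.active
        return "committed"

    def self_test(self, passed: bool) -> str:
        """Post-install check; on failure roll back to the previous slot."""
        if passed or self.previous is None:
            return "kept"
        self.active, self.previous = self.previous, None
        return "rolled back"

    def image(self) -> bytes:
        return self.slots[self.active]

# Constructed sample: a 1 KiB image in which a single 64-byte block changes.
OLD = bytes(range(256)) * 4
NEW = OLD[:128] + bytes([0xA5]) * 64 + OLD[192:]
NEW_SHA256 = hashlib.sha256(NEW).hexdigest()

def demo() -> dict:
    """Run a corrupted transfer, a good one, and a failed self-test."""
    delta, ecu = make_delta(OLD, NEW), TargetEcu(OLD)
    frames = to_frames(delta)
    corrupted = list(frames)
    seq, crc, payload = corrupted[1]
    corrupted[1] = (seq, crc, payload[:-1] + bytes([payload[-1] ^ 0x01]))
    return {
        "delta_bytes": len(delta), "full_image_bytes": len(NEW),
        "corrupted_frame": ecu.install(corrupted, NEW_SHA256),
        "good_transfer": ecu.install(frames, NEW_SHA256),
        "image_matches": ecu.image() == NEW,
        "failed_self_test": ecu.self_test(passed=False),
        "back_on_old_image": ecu.image() == OLD,
    }
```

Note what the code never does: it never writes into the active slot. The candidate is assembled in the inactive slot, checked against the digest from the signed manifest, and only then switched to; a failed post-install self-test simply switches back. Keeping the rollback path that trivial is what makes it trustworthy when the bus drops frames or a delta was built against the wrong base image.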
Telematics control unit as FOTA gateway
From a technical point of view, any control unit equipped with mobile radio communication can act as the FOTA gateway. Telematics control units (TCUs), however, are better suited to the task than other devices. The head unit in many vehicles, for example, is also well connected and has ample storage and processing power. But most head units carry a large number of wireless interfaces.
Depending on requirements, the head unit connects to external devices via Bluetooth, WiFi or NFC, and further interfaces keep being demanded. This openness to the outside world makes effective protection from manipulation difficult.
There is also the fact that the head unit is mounted directly in the dashboard, which argues against defining it as the central FOTA gateway: an attacker can easily gain physical access to it there.
The TCU, by contrast, sits deeper inside the vehicle and is hard to reach from the cabin. All in all, it has fewer interfaces, and these can be deactivated when needed.
Moreover, the TCU already provides many other security-critical functions, such as remote activation of anti-theft systems. Because of these functions, security measures such as encryption and validation of the communication with the back end are built into the TCU as a matter of course. The TCU has thus become an established and mature part of the vehicle's security topology, widely adopted by manufacturers.
Since vehicle security requires a holistic solution, this maturity is an advantage. Back end, air interface, gateway, vehicle buses and the individual control units are all links in one chain; if the weakest link is attacked successfully, the security of every other unit falls with it.
Projects that place the TCU at the core of the FOTA architecture therefore benefit, from a security perspective, not only from the maturity of the TCU components but also from the comparatively rich experience that suppliers and OEMs have already gained in designing security processes for it.
Further added value in FOTA
Security concerns are not the only reason why building FOTA through the TCU holds great potential for OEMs.
Recalls are expensive and, because of the cost and effort involved, unpopular with customers. When a weak spot is found in a vehicle, a recall is no longer the inevitable consequence, at least for software-related issues. Many issues can be resolved without any action on the customer's side: as long as patches can be delivered wirelessly to the vehicle, remedying many of its weak points no longer requires physical contact.
Moreover, FOTA can strongly support new business models and customer relationships. The American automaker Tesla is a good example of this.
The company offers its (partially) self-driving feature as an update that customers can buy for about $2,000. In this way, many Tesla vehicles have evolved into (partially) self-driving cars after purchase.
For OEMs, this business setup opens up a whole new perspective. A common scenario today is that the value of a new car drops sharply as soon as it leaves the dealership, and continues to decrease over time. In the future, as new features are introduced over time, the vehicle need not lose value in the same way but may retain or even gain value.
By now, FOTA is no longer an empty promise. The importance of this update procedure goes beyond providing the basic prerequisite for a secure connected car: on this basis, OEMs can keep adding value to the vehicle, secure customer loyalty and maintain an active customer relationship long after the sale.