Over-the-air (OTA) programming refers to the ability to download applications, services, and configurations over a mobile or cellular network. Over-the-air (OTA) programming is used to automatically update firmware, software, and even encryption keys. Specific OTA categories include:
- Software over-the-air (SOTA)
- Firmware-over-the-air (FOTA)
- Over-the-air service provisioning (OTASP)
- Over-the-air provisioning (OTAP)
- Over-the-air parameter administration (OTAPA)
Here are some other subtopics we will cover in this article:
How do OTA updates work?
A device management system operated by the manufacturer issues a new software or firmware update. The update is uploaded to the cloud where it is queued, downloaded, and verified by the target device over a cellular or mobile connection. Once verified, the device typically triggers an alert that prompts the owner to approve or decline the update. After confirming approval—whether manually or automatically—the system installs the update and sends back diagnostic information to the manufacturer.
Software over-the-air updates are now quite common in the automotive market, with major vehicle manufacturers routinely rolling out SOTA upgrades for infotainment and navigation systems. SOTA can also update software controlling a vehicle’s physical components or electronic signal processing systems. In contrast to SOTA, firmware-over-the-air upgrades have only been implemented at scale by a small number of automotive manufacturers, including Tesla and NIO. This is because FOTA updates typically demand more computing power, faster mobile connections, and higher levels of security.
Most automakers are already designing vehicle hardware to support software updates. This enables manufacturers to shift to a revenue model that is based on services—rather than a one-time sale of a car or truck. According to Gartner analysts, half of the top 10 global automakers will offer unlocks and capability upgrades via software updates by 2023. It should be noted that Tesla began monetizing OTA upgrades in 2019 when it offered Model 3 owners an acceleration boost—from 4.6s to 4.1s—for $3,000.
How do connected cars get updates?
Most cars with infotainment systems can receive software updates. Some automotive operating systems, such as BMW’s OS 7/8, Mercedes MBUX, and Tesla, continuously scan for OTA updates in the cloud. Once identified, the update is downloaded, verified, and run by the telematics control unit (TCU) of a connected vehicle.
TCUs wirelessly connect cars and trucks to cloud services and other vehicles with V2X standards over a cellular network (4G/5G). The TCU also collects essential vehicle telemetry data, including geographical position, speed, vector, engine information, and connectivity strength.
Why would my car need a software OTA update?
OTA updates—which improve the driving experience and create safer roads—are delivered remotely and do not require a trip to a dealership or mechanic. These updates can be grouped into two primary categories: infotainment and drive control.
Infotainment updates refresh map information, upgrade audio capabilities, and optimize user interfaces, streaming services, and apps. Although infotainment updates significantly improve the in-car experience, they are not mission-critical.
In contrast, drive control OTA updates directly affect the ability of a vehicle to operate safely and efficiently. These updates typically include system enhancements or fixes for powertrain systems, chassis systems, brakes, and advanced driver assistance systems (ADAS). Drive control OTA updates—which may also improve range and charging for electric vehicles (EVs)—are generally considered critical or required.
Most automakers have already updated new vehicle hardware to support software updates. For example, Tesla pre-designs hardware and software to accommodate future function expansion requirements. New functions, along with full lifecycle updates, are introduced at a steady cadence via software upgrades.
How to address over-the-air automotive security challenges?
Unsecured automotive over-the-air updates are susceptible to multiple threats and attacks such as spoofing, tampering, repudiation, escalation of privileges, and information leakage. These threats can be mitigated by encrypting software updates; using a signed certificate containing the public key of the entity requesting the update; digitally signing updates after encryption; securing all network transactions with TLS public key authentication (signed by a trusted Certificate Authority); and (clients) performing hostname verification to ensure they are connecting a verified server.
Additional mitigation techniques include only delivering updates to authorized devices; the tamper-proof logging of all important events; the initialization of SOTA/FOTA updates with a secure boot mechanism; software update systems that are designed to “fail gracefully” in the case of a denial-of-service (DoS) attack; the utilization of anti-malware protection such as whitelists and in-memory protection; and ensuring that compliant SOTA/FOTA software update systems clear all shared resources of sensitive data and keys that were temporarily stored during software updates.
In addition to the above guidelines, the National Highway Traffic Safety Administration (NHTSA) has published official OTA update recommendations in its “Cybersecurity Best Practices for the Safety of Modern Vehicles” report. According to the NHTSA, vehicle manufacturers should:
- Maintain the integrity of OTA updates, update servers, the transmission mechanisms, and the updating process in general.
- Take into account, when designing security measures, the risks associated with compromised servers, insider threats, men-in-the-middle attacks, and protocol vulnerabilities.
What company makes the security technology for OTA updates?
Rambus automotive embedded hardware security modules (HSMs) can help manufacturers adhere to the NHTSA’s recommendations. In addition to securing SOTA/FOTA upgrades, these HSMs provide secure boot, secure debug capabilities, and work with other security functions such as MACsec, IPsec, and TLS embedded protocol engines to protect network traffic in cars. To operate properly, components such as electronic control units (ECUs) and other systems must run the manufacturer intended firmware—without tampering. A root of trust ensures firmware is valid and can be securely updated when needed.
Rambus offers embedded HSM (root of trust) variants for both ASIL-B (RT-640) and ASIL-D (RT-645) that are specifically designed for the functional safety requirements of ISO 26262, an international automotive electronics system standard. The Rambus RT-640 Embedded HSM recently received Automotive Safety Integrity Level B (ASIL-B) ISO 26262 certification. Certified ASIL-B compliance is a critical requirement for automotive manufacturers and their suppliers to ensure vehicle systems meet necessary safety levels. Integrated into an automotive SoC, the ASIL-B certified RT-640 silicon IP design provides powerful cryptographic functions, state-of-the-art safety mechanisms, and anti-tamper technologies to protect critical automotive electronics and data.
From a holistic perspective, Rambus end-to-end security solutions comprise a tightly integrated ecosystem that enables simple, rapid, and secure integration into automotive supply chains. Chips and devices can be securely provisioned at the time of manufacture with CryptoManager Provisioning and securely managed through cloud-based services over the entire lifetime of a vehicle. The cloud-based Rambus CryptoManager Device Key Management platform also enables automakers and partners to deliver Feature-as-a-Service (FaaS) by leveraging provisioned cryptographic keys and identities.
Additional Resources:
– Other blogs around Over-The-Air updates (OTA):
1. Securing connected vehicles with Rambus CryptoManager
2. Securing intelligent transportation systems
3. How not to get pwned @ automotive cyber-security
4. Securing chips for the IoT
5. Mitigating DDoS attacks with secure IoT endpoints
6. The challenge of securing smart homes
7. Hack the planet: Security concerns about the IoT
– White Paper: Navigating the Intersection of Safety and Security
– Market page: Automotive Solutions
– Products for Automotive Applications:
- RT-640 Embedded HSM ISO 26262 ASIL-B
- RT-645 Embedded HSM ISO 26262 ASIL-D
- MACsec Protocol Engines
- IPsec Protocol Engines
- MIPI CSI-2 Controller
- MIPI DSI-2 Controller
Leave a Reply