OTA Archives - Rambus

What is OTA in automotive? Over the air updates explained.
https://www.rambus.com/blogs/ota-updates-explained/
Fri, 13 May 2022 14:30:41 +0000

Over-the-air (OTA) programming refers to the ability to download applications, services, and configurations over a mobile or cellular network. It is used to automatically update firmware, software, and even encryption keys. Specific OTA categories include: 

  • Software over-the-air (SOTA) 
  • Firmware-over-the-air (FOTA) 
  • Over-the-air service provisioning (OTASP) 
  • Over-the-air provisioning (OTAP) 
  • Over-the-air parameter administration (OTAPA) 

How do OTA updates work? 

A device management system operated by the manufacturer issues a new software or firmware update. The update is uploaded to the cloud where it is queued, downloaded, and verified by the target device over a cellular or mobile connection. Once verified, the device typically triggers an alert that prompts the owner to approve or decline the update. After confirming approval—whether manually or automatically—the system installs the update and sends back diagnostic information to the manufacturer.

Software over-the-air updates are now quite common in the automotive market, with major vehicle manufacturers routinely rolling out SOTA upgrades for infotainment and navigation systems. SOTA can also update software controlling a vehicle’s physical components or electronic signal processing systems. In contrast to SOTA, firmware-over-the-air upgrades have only been implemented at scale by a small number of automotive manufacturers, including Tesla and NIO. This is because FOTA updates typically demand more computing power, faster mobile connections, and higher levels of security. 

Most automakers are already designing vehicle hardware to support software updates. This enables manufacturers to shift to a revenue model that is based on services—rather than a one-time sale of a car or truck. According to Gartner analysts, half of the top 10 global automakers will offer unlocks and capability upgrades via software updates by 2023. It should be noted that Tesla began monetizing OTA upgrades in 2019 when it offered Model 3 owners an acceleration boost—from 4.6s to 4.1s—for $3,000. 

How do connected cars get updates? 

Most cars with infotainment systems can receive software updates. Some automotive operating systems, such as BMW’s OS 7/8, Mercedes MBUX, and Tesla, continuously scan for OTA updates in the cloud. Once identified, the update is downloaded, verified, and run by the telematics control unit (TCU) of a connected vehicle. 

TCUs wirelessly connect cars and trucks to cloud services and other vehicles with V2X standards over a cellular network (4G/5G). The TCU also collects essential vehicle telemetry data, including geographical position, speed, vector, engine information, and connectivity strength. 

Why would my car need a software OTA update? 

OTA updates—which improve the driving experience and create safer roads—are delivered remotely and do not require a trip to a dealership or mechanic. These updates can be grouped into two primary categories: infotainment and drive control.

Infotainment updates refresh map information, upgrade audio capabilities, and optimize user interfaces, streaming services, and apps. Although infotainment updates significantly improve the in-car experience, they are not mission-critical. 

In contrast, drive control OTA updates directly affect the ability of a vehicle to operate safely and efficiently. These updates typically include system enhancements or fixes for powertrain systems, chassis systems, brakes, and advanced driver assistance systems (ADAS). Drive control OTA updates—which may also improve range and charging for electric vehicles (EVs)—are generally considered critical or required. 

Most automakers have already updated new vehicle hardware to support software updates. For example, Tesla pre-designs hardware and software to accommodate future function expansion requirements. New functions, along with full lifecycle updates, are introduced at a steady cadence via software upgrades. 

How to address over-the-air automotive security challenges? 

Unsecured automotive over-the-air updates are susceptible to multiple threats and attacks such as spoofing, tampering, repudiation, escalation of privileges, and information leakage. These threats can be mitigated by encrypting software updates; using a signed certificate containing the public key of the entity requesting the update; digitally signing updates after encryption; securing all network transactions with TLS public key authentication (signed by a trusted Certificate Authority); and having clients perform hostname verification to ensure they are connecting to a verified server. 

Additional mitigation techniques include only delivering updates to authorized devices; the tamper-proof logging of all important events; the initialization of SOTA/FOTA updates with a secure boot mechanism; software update systems that are designed to “fail gracefully” in the case of a denial-of-service (DoS) attack; the utilization of anti-malware protection such as whitelists and in-memory protection; and ensuring that compliant SOTA/FOTA software update systems clear all shared resources of sensitive data and keys that were temporarily stored during software updates. 

 

In addition to the above guidelines, the National Highway Traffic Safety Administration (NHTSA) has published official OTA update recommendations in its “Cybersecurity Best Practices for the Safety of Modern Vehicles” report. According to the NHTSA, vehicle manufacturers should: 

  • Maintain the integrity of OTA updates, update servers, the transmission mechanisms, and the updating process in general. 
  • Take into account, when designing security measures, the risks associated with compromised servers, insider threats, men-in-the-middle attacks, and protocol vulnerabilities. 

What company makes the security technology for OTA updates? 

Rambus automotive embedded hardware security modules (HSMs) can help manufacturers adhere to the NHTSA’s recommendations. In addition to securing SOTA/FOTA upgrades, these HSMs provide secure boot and secure debug capabilities, and work with other security functions such as MACsec, IPsec, and TLS embedded protocol engines to protect network traffic in cars. To operate properly, components such as electronic control units (ECUs) and other systems must run the manufacturer-intended firmware, without tampering. A root of trust ensures firmware is valid and can be securely updated when needed. 

Rambus offers embedded HSM (root of trust) variants for both ASIL-B (RT-640) and ASIL-D (RT-645) that are specifically designed for the functional safety requirements of ISO 26262, an international automotive electronics system standard. The Rambus RT-640 Embedded HSM recently received Automotive Safety Integrity Level B (ASIL-B) ISO 26262 certification. Certified ASIL-B compliance is a critical requirement for automotive manufacturers and their suppliers to ensure vehicle systems meet necessary safety levels. Integrated into an automotive SoC, the ASIL-B certified RT-640 silicon IP design provides powerful cryptographic functions, state-of-the-art safety mechanisms, and anti-tamper technologies to protect critical automotive electronics and data. 

From a holistic perspective, Rambus end-to-end security solutions comprise a tightly integrated ecosystem that enables simple, rapid, and secure integration into automotive supply chains. Chips and devices can be securely provisioned at the time of manufacture with CryptoManager Provisioning and securely managed through cloud-based services over the entire lifetime of a vehicle. The cloud-based Rambus CryptoManager Device Key Management platform also enables automakers and partners to deliver Feature-as-a-Service (FaaS) by leveraging provisioned cryptographic keys and identities. 

Minimizing IoT DDoS attacks: Rambus Showcases IoT Security Demo with Qualcomm Technologies at CES 2017
https://www.rambus.com/blogs/minimizing-iot-ddos-attacks-rambus-showcases-iot-security-demo-with-qualcomm-technologies-at-ces-2017-2/
Mon, 09 Jan 2017 17:12:34 +0000

Last week, Rambus showcased its IoT security service and technology in the Qualcomm Technologies booth (#10948) exclusively at CES® 2017 in Las Vegas. The service and technology offerings by Rambus are designed to take advantage of security-focused features in Qualcomm Technologies’ chipsets to facilitate protected IoT communication and lifecycle management.

This demonstration showcased Rambus and Qualcomm Technologies’ efforts on a unique use case highlighting a smart city application. The demo featured both companies’ technologies, illustrating how their combined solutions can provide a more robust and secure IoT end point compared to similar offerings without such solutions. The Qualcomm® Snapdragon™ 820 processor and the QCA4010 Wi-Fi chip were connected to an IoT cloud service using a protected link while Rambus’ CryptoManager security platform was utilized to illustrate how IoT devices can be safeguarded to significantly reduce service vulnerability to Distributed Denial of Service (DDoS) attacks.

With Qualcomm Technologies’ historic success in embedded hardware processors and Rambus’ success in security-oriented technology, the demo further showcased how the combined elements help develop next-generation IoT security features for smart city applications. The CES demo highlighted Rambus’ superior security-focused features, which include mutual authentication and encrypted communication embedded into select processors from Qualcomm Technologies. These unique features protect IoT devices from being used by hackers in malicious botnets and prevent the IoT cloud service from being attacked by cloned devices.

As more and more “things” connect to the Internet, the danger of nefarious attackers exploiting unsecured devices looms ever larger. Indeed, DDoS flooding attacks – which seek to disrupt legitimate access to online services – have been deemed “one of the biggest concerns” for cyber security professionals.

Protecting Internet infrastructure companies and services from DDoS attacks can be quite challenging, as it is often difficult to shield the IP layer from a concerted cyber offensive. However, it is important to note that the impact of DDoS attacks can be significantly mitigated by safeguarding vulnerable IoT endpoints. Put simply, protected IoT endpoints act as a critical bulwark against nefarious botnets that exploit and recruit hundreds of thousands of defenseless “zombie” devices.

For instance, an attacker cannot add a device to a botnet without establishing an unauthorized communication channel. Allowing only legitimate, verified cloud services to communicate with IoT devices will help prevent the creation of such rogue channels. This paradigm, facilitated by a hardware root-of-trust, ensures that each IoT device is uniquely and cryptographically verified to determine if it is authorized to connect to a specific service. Infected and hijacked devices that are not authenticated are denied access to the service – reducing the overall effectiveness (and damage) of a DDoS attack on a provider and other services.

It should be noted that an embedded hardware root-of-trust can also be used to help minimize vulnerabilities discovered in IoT products after deployment by providing a secure device management framework to push over-the-air (OTA) patches and firmware updates.

Qualcomm and Snapdragon are trademarks of Qualcomm Incorporated, registered in the United States and other countries.

Qualcomm Snapdragon and QCA4010 are products of Qualcomm Technologies, Inc.

Mitigating DDoS attacks with secure IoT endpoints
https://www.rambus.com/blogs/mitigating-ddos-attacks-with-secure-iot-endpoints-3/
Thu, 05 Jan 2017 17:55:41 +0000

The IoT is expected to comprise 20.8 billion devices by 2020, with Gartner estimating that 5.5 million new “things” went online daily during 2016. Nevertheless, as Forrester analysts emphasize, robust IoT security remains mired in the “creation phase” along with nascent interoperability standards.

Unsurprisingly, malware targeting IoT has matured considerably, with the number of attacks focusing on IoT devices multiplying in recent years. According to Symantec, lackluster security makes IoT devices a soft and appealing target for attackers.

This is because embedded devices rarely receive any notable firmware updates and are typically only replaced upon reaching the end of their respective lifecycles, which may be considerable. Moreover, victims may be unaware that their connected devices are compromised. Indeed, a recent Network World report confirmed that an IoT security camera can be infected with malware merely 98 seconds after going online.

As more and more “things” connect to the Internet, the danger of nefarious attackers exploiting unsecured devices looms ever larger. It is therefore important for the industry to be cognizant of the very real threat posed by vulnerable IoT devices. Once infected with malware, IoT devices are often hijacked and instructed to join botnets that execute distributed denial-of-service (DDoS) attacks against Internet services.

In addition, vulnerable IoT devices introduce risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations and potential disruptions to critical infrastructure. Nonetheless, IoT security has traditionally been treated as a tertiary afterthought rather than a primary design parameter.

From our perspective, life-cycle management, which includes over-the-air (OTA) updates and vulnerability management, is essential to maintaining the continued security of IoT devices. Life-cycle management should be implemented utilizing a secure hardware root-of-trust to ensure secure updates of firmware and cryptographic keys. A hardware root-of-trust with a unique cryptographic identifier also allows each IoT device to be uniquely and cryptographically verified to determine if it is authorized to connect to a specific cloud service. Spoofed or unauthorized devices are easily identified by the service and denied access.

This secure connectivity paradigm helps mitigate the effectiveness (and damage) of DDoS attacks against the IoT service itself, while ensuring the integrity and protection of collected data. Preventing malicious actors from manipulating the flow of information to and from network-connected devices is the cornerstone of establishing a secure IoT network.

Security is “often overlooked” for the IoT
https://www.rambus.com/blogs/security-is-often-overlooked-for-the-iot-2/
Wed, 14 Sep 2016 16:18:34 +0000

The Online Trust Alliance (OTA) has determined that the overwhelming majority of Internet of Things (IoT) vulnerabilities publicly reported over the last year could have been easily avoided.

According to Craig Spiezle, Executive Director and President of the Online Trust Alliance, security and privacy are often overlooked in the rush to bring connected devices to market.

“If businesses do not make a systemic change we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry on a whole due to their security and privacy shortcomings,” he stated.

The most glaring IoT security failures analyzed by the OTA included the omission or lack of rigorous security testing throughout the development process; the lack of a discoverable process or capability to responsibly report observed vulnerabilities; insecure or no network pairing control options; a lack of testing for common code exploits; and limited transport security and encrypted storage for user IDs and passwords. Last, but certainly not least, the OTA found that a number of IoT devices lacked a sustainable and supportable plan to address vulnerabilities through the product lifecycle, including a dearth of software and firmware update capabilities, along with insecure and untested security patches and updates.

“Security starts from product development through launch and beyond but during our observations we found that an alarming number of IoT devices failed to anticipate the need of ongoing product support,” said Spiezle. “Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike.”

As we’ve previously discussed on Rambus Press, the current security paradigm associated with the mobile and PC world is undeniably flawed. Indeed, serious or even critical vulnerabilities disclosed on an almost daily basis are patched with hurriedly coded software and firmware updates. While a ‘good enough’ approach may have been tolerated for smartphones and tablets, the industry cannot afford to relegate security to a tertiary concern for an IoT that may very well ultimately affect every aspect of our daily lives. A new paradigm, designed from the ground up to provide secure foundations for connected devices, is clearly long overdue. Devices should be secured throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning.

According to Steven Woo, VP of Systems and Solutions at Rambus, the semiconductor industry is slowly beginning to realize IoT security is a critical goal that needs to be treated as a first-class design parameter. Nevertheless, software is often selected as the security medium of choice because it is relatively simple to deploy and layer on top of existing systems.

“It’s certainly no secret that software-based security can be hacked. However, a silicon-based hardware root-of-trust offers a range of robust security options for IoT devices. Enabled by Moore’s Law, integration of a silicon root-of-trust into IoT silicon makes a lot of sense. As more and more devices are brought online, the importance of heightened security will only increase. Providing hardware-based security via a root-of-trust is going to be very important going forward,” he added.

Rambus and Movimento secure OTA updates for connected vehicles
https://www.rambus.com/blogs/rambus-and-movimento-secure-ota-updates-for-connected-vehicles-2/
Tue, 07 Jun 2016 16:23:42 +0000

Rambus and Movimento have teamed up to deliver secure and personalized OTA updates for connected vehicles.

As Dr. Simon Blake-Wilson, VP of Products and Marketing at Rambus Cryptography Research points out, numerous OTA solutions designed to deliver functional updates and security patches use the very same software encryption key for multiple vehicles. Essentially, this increases the vulnerability vector of an update.

In contrast, updates provided by Movimento and Rambus are delivered via one-time, single-use keys that are unique to each vehicle – effectively minimizing vulnerabilities and maximizing security. More specifically, Movimento’s OTA technology uses CryptoManager to enable in-field provisioning of encrypted keys generated for a specific vehicle, thereby facilitating secure communication between cars and the Cloud.
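
The per-vehicle, single-use key idea described above, together with the "only authorized devices" and authenticate-the-update mitigations listed in the first article, sketched as an added example; it is not Rambus or Movimento code. HMAC-SHA256 stands in for a digital signature so the block needs only the Python standard library, and the VINs, keys, counter scheme and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


def hkdf_sha256(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256 and the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def update_key(device_key: bytes, vin: str, counter: int) -> bytes:
    """Single-use key: bound to one vehicle and one update counter (assumed scheme)."""
    info = b"ota-update|" + vin.encode() + b"|" + counter.to_bytes(8, "big")
    return hkdf_sha256(device_key, info)


def signed_bytes(header: dict, ciphertext: bytes) -> bytes:
    """Canonical header, length-prefixed so header and payload cannot be shifted."""
    h = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return len(h).to_bytes(4, "big") + h + ciphertext


def build_package(device_key: bytes, vin: str, counter: int,
                  version: str, ciphertext: bytes) -> dict:
    """Backend side: authenticate the already-encrypted payload for one vehicle."""
    header = {"vin": vin, "counter": counter, "version": version}
    key = update_key(device_key, vin, counter)
    tag = hmac.new(key, signed_bytes(header, ciphertext), hashlib.sha256).hexdigest()
    return {"header": header, "ciphertext": ciphertext, "tag": tag}


class Vehicle:
    def __init__(self, vin: str, device_key: bytes):
        self.vin = vin
        self._device_key = device_key  # in practice held by a hardware root of trust
        self.last_counter = 0          # highest counter already consumed
        self.installed = []

    def accept(self, package: dict) -> str:
        """Return 'installed' or a rejection reason; bad input never raises."""
        try:
            header = package["header"]
            ciphertext = package["ciphertext"]
            tag = bytes.fromhex(package["tag"])
            vin, counter, version = header["vin"], header["counter"], header["version"]
            if not (isinstance(vin, str) and isinstance(counter, int)
                    and isinstance(ciphertext, bytes) and 0 < counter < 2 ** 64):
                raise TypeError("bad field type")
            message = signed_bytes(header, ciphertext)
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed package"
        if vin != self.vin:
            return "rejected: not addressed to this vehicle"
        if counter <= self.last_counter:
            return "rejected: key already used (replay)"
        expected = hmac.new(update_key(self._device_key, vin, counter),
                            message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: authentication failed"
        # Only now would the payload be decrypted and flashed.
        self.last_counter = counter
        self.installed.append(version)
        return "installed"


def demo() -> dict:
    # Constructed sample data: VINs, keys and payload are made up for this example.
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    car_a, car_b = Vehicle("VIN-A-0001", key_a), Vehicle("VIN-B-0002", key_b)
    payload = b"<encrypted firmware image bytes>"
    pkg = build_package(key_a, "VIN-A-0001", 1, "2.4.1", payload)
    readdressed = {**pkg, "header": {**pkg["header"], "vin": "VIN-B-0002"}}
    tampered = {**pkg, "ciphertext": payload + b"\x00",
                "header": {**pkg["header"], "counter": 2}}
    return {
        "intended vehicle": car_a.accept(pkg),
        "replayed to same vehicle": car_a.accept(pkg),
        "sent to another vehicle": car_b.accept(pkg),
        "re-addressed to another vehicle": car_b.accept(readdressed),
        "tampered payload": car_a.accept(tampered),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because every key is derived for one vehicle and one counter, a package built for one car fails authentication everywhere else and cannot be replayed to the car that already consumed it.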

“CryptoManager offers an integrated security platform with flexible implementation, comprising a hardware root-of-trust and secure firmware,” Blake-Wilson explained. “When combined with Movimento’s OTA technology, CryptoManager enables the next level of integrated chip-to-Cloud-to-car security. Simply put, CryptoManager is an embedded hardware solution that minimizes the attack surface of the vehicle by providing end point security,” Blake-Wilson concluded.

Movimento CTO Mahbubul Alam expressed similar sentiments.

“As cars continue to increase in complexity and connectivity, often depending on more than 100 million lines of code to function, car makers and consumers alike are demanding simple and secure methods to download, authenticate and install vehicle updates,” said Alam. “By partnering with Rambus and integrating the CryptoManager security platform with Movimento’s OTA solutions, we are able to further our strategy of building a best-in-class ecosystem of integrated solutions to enable the software defined car and data analytics.”

Interested in learning more? Movimento and Rambus are slated to demonstrate their joint security solution at TU-Automotive (Detroit) in booth C67.

CryptoManager: Between ASICs and FPGAs
https://www.rambus.com/blogs/cryptomanager-between-asics-and-fpgas/
Thu, 10 Mar 2016 16:19:21 +0000

Manufacturers typically configure application-specific integrated circuits (ASICs) for targeted use cases. In contrast, a field-programmable gate array – or FPGA – is an integrated circuit with custom logic that is configured by a customer or designer after manufacturing of the underlying FPGA microchip. Although FPGAs offer a number of advantages – including low, non-recurring engineering costs and rapid time-to-market – they also carry a higher unit cost than their ASIC counterparts.

“In-field feature configuration capabilities are clearly an attractive proposition for many in the semiconductor industry. Unfortunately, companies are often forced to forego programmable logic devices (PLDs) due to a significant price differential,” Simon Blake-Wilson, VP of products and marketing for Rambus’ Cryptography Research Division, explained.

“Using CryptoManager, ASIC and ASSP SoCs can be fabbed with highly secure configurable features and/or services within a single chip design – such as in-field provisioning of sensitive data and feature controls – that are typically associated with higher-cost FPGAs. Simply put, these CryptoManager-based SoCs are positioned at the same price as conventional ASICs/ASSPs

SoCs that can be securely configured downstream, says Blake-Wilson, represent the next step in the evolution of silicon and have the potential to redefine the current semiconductor paradigm by unlocking the true — or full — value of chips and extend device lifecycles. Chipmakers already implement limited feature configuration using e-fuses, but such an approach is limited to configuration during chip manufacturing. CryptoManager extends feature configuration throughout the supply chain and into the field.

“This is especially true for higher-end systems, such as those found in semi-autonomous vehicles and at the heart of mobile devices. For example, a recall on some level is currently likely if hackers manage to crack a critical security algorithm in a new electric car,” Blake-Wilson told Rambus Press.

“Such a scenario could be avoided with CryptoManager-based SoCs that drivers manually or automatically update via a cloud-based mobile app. Since CryptoManager-based SoCs are equipped with a hardware root-of-trust, the OTA firmware update would be secure and effective on par with smartcard technologies. There would simply be no need to involve a mechanic, physically rip out systems or conduct a worldwide recall.”

CryptoManager SoCs, says Blake-Wilson, also benefit owners of mobile and IoT devices such as smartphones, tablets and wearables.

“We are essentially asking the end-user: ‘What would you like to do with your chip today?’ By democratizing hardware with an intuitive Features as a Service (FaaS) secure provisioning layer, we are eschewing a one-size fits all approach and allowing consumers to exert greater control over their devices,” he explained. “This effectively means an end to blanket firmware updates. We can offer a more targeted and optimized approach. Want to quickly update your mobile payment capabilities and leave everything else alone? Well, now you can. Want to disable 4G to avoid excessive roaming charges while abroad but find the default software interface confusing? The CryptoManager UI will allow you to do this on a hardware level – so you know 4G is actually switched off.”

According to Blake-Wilson, CryptoManager-enabled SoC devices that can be securely reconfigured for specific tasks will also play a major part in building the Internet of Things (IoT). Indeed, as Jim Turley of EE Journal recently reported, developers currently using 8-bit MCUs will soon upgrade to 32-bit units, spurring sales of microcontrollers with licensed processors inside.

“Architects of future smart cities will inevitably design infrastructure equipped with chips in places that are difficult to reach, such as subterranean water pipes, air conditioning ducts and even under roadways,” said Blake-Wilson. “The 32-bit MCUs Turley refers to will need to be ‘future-proofed’ to avoid frequent maintenance, security upgrades and physical upgrades. Using CryptoManager, system architects can significantly extend the lifetime of numerous systems by securely reconfiguring CryptoManager SoC chips – multiple times – to execute new tasks.”

Securing intelligent transportation systems
https://www.rambus.com/blogs/security-securing-intelligent-transportation-systems/
Thu, 07 Jan 2016 15:34:04 +0000

Earlier this week, Team Lightbulb hosted its annual Broadband Conference at CES 2016. A number of topics were discussed at various panels throughout the day, including the steady evolution of intelligent transportation systems (ITS).

Jill Ingrassia, the Managing Director of Government Relations and Traffic Safety Advocacy at AAA, told conference attendees the auto industry has managed to significantly reduce the number of vehicle crashes in recent years. However, more progress must be made, as thousands of people a year still lose their lives in traffic accidents.

According to Ingrassia, connected vehicle technology can help reduce accidents. As the AAA exec noted, multiple intelligent transportation systems – already deployed in the field – have continued to evolve over the years. The next stage of ITS is expected to include advanced systems, such as lane departure and forward collision warnings, braking and parking assistance systems, as well as adaptive headlights. All will be designed to help counteract human error and tendencies.

Perhaps not surprisingly, Ingrassia acknowledged that the industry faces a myriad of challenges in designing and deploying fully autonomous vehicles. Indeed, automakers have entered a transitional stage between semi-autonomous and fully autonomous capabilities. This evolution, says Ingrassia, presents its own set of concerns.

According to Joe Gullo, the senior director for Rambus Ecosystem strategy and development, security is one primary concern the industry must immediately address for intelligent transportation systems. To be sure, modern vehicles are essentially a network of networks – packed with a range of embedded communication methods and capabilities.

“Of course there is broad consensus that vehicle cyber security ranks as a top priority for the automotive industry,” Gullo told Rambus Press during an interview on the sidelines of CES 2016. “Unfortunately, there are still no clearly defined vehicle security specifications. This is not a problem that will be going away soon. In fact, it will only get worse as more and more connected vehicle systems are manufactured and installed in the next generation of semi-autonomous cars and trucks.”

Potential vulnerabilities include altering over the air (OTA) firmware updates, unsecure vehicle-to-vehicle communication, the unauthorized collection of driver or passenger information, seizing control of critical systems such as brakes or accelerators, intercepting vehicle data and tampering with third-party dongles.

As Gullo emphasizes, adopting a hardware-first approach to security and implementing the necessary functionality on the SoC level is a key element of protecting intelligent transportation systems – both now and in a fully autonomous future.

“To avoid potentially dangerous scenarios, vehicles should be equipped with robust DPA countermeasures to protect against side-channel attacks,” Gullo added. “In addition, the automotive industry needs to shield vehicle peripherals and components against tampering, as well as provide secure OTA updates for various systems.”

Bolstering mobile security for the IoE
https://www.rambus.com/blogs/security-bolstering-mobile-security-for-the-ioe/
Thu, 09 Jul 2015 16:33:52 +0000

Writing for Semiconductor Engineering, Ernest Worthman notes that approximately six billion people rely on a variety of mobile devices to shop, bank, interface with social media and monitor their health.

“Unless you are on the inside track and know better, one would think that all that data is secure. Reality is somewhat different,” Worthman explains. “A mobile society has tremendous benefits, but those benefits come with a price. The advantages are obvious, but the price can be very steep if security isn’t a primary consideration.”

Steve Woo, a VP and distinguished inventor at Rambus, tells Semiconductor Engineering the most important thing one can do to protect mobile devices such as smartphones and tablets in the age of the IoE is to secure the silicon itself.

“If a degree of security can be integrated at the chip level, then issues with over-the-air (OTA) programming can be minimized, if not eliminated,” he says. “It is the most robust way to secure things.”

Indeed, as Patrick Nielsen, senior security researcher at Kaspersky Labs confirms, OTA is one of the weakest security vectors.

“By far the biggest problem that mobile security has is [OTA] update delivery,” says Nielsen.

Exacerbating the problem is the way in which the developer model has evolved.

“The developer ecosystem has moved to a model where anyone can become a developer and develop active content that lands on hundreds of millions of devices,” notes Intel Security CTO Steve Grobman. “On some of the platforms there are high levels of ‘latency’ between the detection of a vulnerability and a patch being applied.”

Looking beyond traditional mobile devices, Simon Blake-Wilson, a VP at Rambus’ Cryptography Research Division, says the rapidly evolving IoE can be viewed as “mobile on steroids.” And although manufacturers may consider deploying dedicated security chips for mobile phones and tablets, this approach might not be appropriate for low-cost devices such as sensors.

According to Blake-Wilson, IoE trends are likely to favor the integration of security into general-purpose (GP) chips for many lower-end devices – instead of deploying unsecured GP chips paired with a dedicated cryptography processor.

“However this goes, key security will still be the number one action item for mobile devices,” adds CEO of PFP Cybersecurity Steven Chen. “[This is] because there will still be a lot of hackers trying to compromise security keys on mobile devices, from reverse engineering to side-channel attacks.”

Clearly, a collaborative effort by all interested players needs to be implemented if the IoE is to be secured.

“Everybody brings something to the table. The security platform will be much more effective if players realize that security is a component that is best handled by certain components, at certain layers and by the experts that do it best,” concludes Worthman.
