• Software over-the-air (SOTA) 
• Firmware-over-the-air (FOTA) 
• Over-the-air service provisioning (OTASP) 
• Over-the-air provisioning (OTAP) 
• Over-the-air parameter administration (OTAPA) 

Here are some other subtopics we will cover in this article:

• • How do OTA updates work? 
  • How do connected cars get updates?
  • Why would my car need a software OTA update?
  • How to address over-the-air automotive security challenges?
  • What company makes the security technology for OTA updates?
  • Additional resources around OTA updates

How do OTA updates work? 

A device management system operated by the manufacturer issues a new software or firmware update. The update is uploaded to the cloud where it is queued, downloaded, and verified by the target device over a cellular or mobile connection. Once verified, the device typically triggers an alert that prompts the owner to approve or decline the update. After confirming approval—whether manually or automatically—the system installs the update and sends back diagnostic information to the manufacturer.

Software over-the-air updates are now quite common in the automotive market, with major vehicle manufacturers routinely rolling out SOTA upgrades for infotainment and navigation systems. SOTA can also update software controlling a vehicle’s physical components or electronic signal processing systems. In contrast to SOTA, firmware-over-the-air upgrades have only been implemented at scale by a small number of automotive manufacturers, including Tesla and NIO. This is because FOTA updates typically demand more computing power, faster mobile connections, and higher levels of security. 

Most automakers are already designing vehicle hardware to support software updates. This enables manufacturers to shift to a revenue model that is based on services—rather than a one-time sale of a car or truck. According to Gartner analysts, half of the top 10 global automakers will offer unlocks and capability upgrades via software updates by 2023. It should be noted that Tesla began monetizing OTA upgrades in 2019 when it offered Model 3 owners an acceleration boost—from 4.6s to 4.1s—for $3,000. 

How do connected cars get updates? 

Most cars with infotainment systems can receive software updates. Some automotive operating systems, such as BMW’s OS 7/8, Mercedes MBUX, and Tesla, continuously scan for OTA updates in the cloud. Once identified, the update is downloaded, verified, and run by the telematics control unit (TCU) of a connected vehicle. 

TCUs wirelessly connect cars and trucks to cloud services and other vehicles with V2X standards over a cellular network (4G/5G). The TCU also collects essential vehicle telemetry data, including geographical position, speed, vector, engine information, and connectivity strength. 

Why would my car need a software OTA update? 

OTA updates—which improve the driving experience and create safer roads—are delivered remotely and do not require a trip to a dealership or mechanic. These updates can be grouped into two primary categories: infotainment and drive control.

Infotainment updates refresh map information, upgrade audio capabilities, and optimize user interfaces, streaming services, and apps. Although infotainment updates significantly improve the in-car experience, they are not mission-critical. 

In contrast, drive control OTA updates directly affect the ability of a vehicle to operate safely and efficiently. These updates typically include system enhancements or fixes for powertrain systems, chassis systems, brakes, and advanced driver assistance systems (ADAS). Drive control OTA updates—which may also improve range and charging for electric vehicles (EVs)—are generally considered critical or required. 

Most automakers have already updated new vehicle hardware to support software updates. For example, Tesla pre-designs hardware and software to accommodate future function expansion requirements. New functions, along with full lifecycle updates, are introduced at a steady cadence via software upgrades. 

How to address over-the-air automotive security challenges? 

Unsecured automotive over-the-air updates are susceptible to multiple threats and attacks such as spoofing, tampering, repudiation, escalation of privileges, and information leakage. These threats can be mitigated by encrypting software updates; using a signed certificate containing the public key of the entity requesting the update; digitally signing updates after encryption; securing all network transactions with TLS public key authentication (signed by a trusted Certificate Authority); and (clients) performing hostname verification to ensure they are connecting a verified server. 

Additional mitigation techniques include only delivering updates to authorized devices; the tamper-proof logging of all important events; the initialization of SOTA/FOTA updates with a secure boot mechanism; software update systems that are designed to “fail gracefully” in the case of a denial-of-service (DoS) attack; the utilization of anti-malware protection such as whitelists and in-memory protection; and ensuring that compliant SOTA/FOTA software update systems clear all shared resources of sensitive data and keys that were temporarily stored during software updates. 

In addition to the above guidelines, the National Highway Traffic Safety Administration (NHTSA) has published official OTA update recommendations in its “Cybersecurity Best Practices for the Safety of Modern Vehicles” report. According to the NHTSA, vehicle manufacturers should: 

• Maintain the integrity of OTA updates, update servers, the transmission mechanisms, and the updating process in general. 
• Take into account, when designing security measures, the risks associated with compromised servers, insider threats, men-in-the-middle attacks, and protocol vulnerabilities. 

What company makes the security technology for OTA updates? 

Rambus automotive embedded hardware security modules (HSMs) can help manufacturers adhere to the NHTSA’s recommendations. In addition to securing SOTA/FOTA upgrades, these HSMs provide secure boot, secure debug capabilities, and work with other security functions such as MACsec, IPsec, and TLS embedded protocol engines to protect network traffic in cars. To operate properly, components such as electronic control units (ECUs) and other systems must run the manufacturer intended firmware—without tampering. A root of trust ensures firmware is valid and can be securely updated when needed. 

Rambus offers embedded HSM (root of trust) variants for both ASIL-B (RT-640) and ASIL-D (RT-645) that are specifically designed for the functional safety requirements of ISO 26262, an international automotive electronics system standard. The Rambus RT-640 Embedded HSM recently received Automotive Safety Integrity Level B (ASIL-B) ISO 26262 certification. Certified ASIL-B compliance is a critical requirement for automotive manufacturers and their suppliers to ensure vehicle systems meet necessary safety levels. Integrated into an automotive SoC, the ASIL-B certified RT-640 silicon IP design provides powerful cryptographic functions, state-of-the-art safety mechanisms, and anti-tamper technologies to protect critical automotive electronics and data. 

From a holistic perspective, Rambus end-to-end security solutions comprise a tightly integrated ecosystem that enables simple, rapid, and secure integration into automotive supply chains. Chips and devices can be securely provisioned at the time of manufacture with CryptoManager Provisioning and securely managed through cloud-based services over the entire lifetime of a vehicle. The cloud-based Rambus CryptoManager Device Key Management platform also enables automakers and partners to deliver Feature-as-a-Service (FaaS) by leveraging provisioned cryptographic keys and identities. 

Additional Resources:

– Other blogs around Over-The-Air updates (OTA):
1. Securing connected vehicles with Rambus CryptoManager
2. Securing intelligent transportation systems
3. How not to get pwned @ automotive cyber-security
4. Securing chips for the IoT
5. Mitigating DDoS attacks with secure IoT endpoints
6. The challenge of securing smart homes
7. Hack the planet: Security concerns about the IoT

– White Paper: Navigating the Intersection of Safety and Security 

– Market page: Automotive Solutions 

– Products for Automotive Applications: 

• RT-640 Embedded HSM ISO 26262 ASIL-B 
• RT-645 Embedded HSM ISO 26262 ASIL-D 
• MACsec Protocol Engines 
• IPsec Protocol Engines 
• MIPI CSI-2 Controller 
• MIPI DSI-2 Controller 

“Multiple vendors are responding with products meant to keep the IoT devices protected from the cyberattacks that are becoming more common,” he explained. “While IoT privacy remains a key concern for consumers and homeowners, IoT security has taken on top-of-mind priority for the many companies entering and serving the market.”

As Dorsch points out, hardware vendors have been focused on this issue for some time, often with mixed results.

“[This is] because threat levels—and perceived threat levels—vary greatly from one market to the next, and from one product to the next,” he added.

Nevertheless, the U.S. Department of Homeland Security recently outlined six principles for securing the Internet of Things, including incorporating security at the design phase.

As Asaf Ashkenazi, senior director of product management in Rambus’ Security Division notes, building hardware that incorporates hardened security features would see devices protected throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning.

“This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and its cloud service,” he told Semiconductor Engineering.

As Ashkenazi tells Rambus Press, the DHS also recommends that device manufacturers promote security updates and vulnerability management. To be sure, even when security is included at the very beginning of the design process, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates and vulnerability management strategies.

“From our perspective, life-cycle management, which includes over-the-air (OTA) updates and vulnerability management, is essential to maintaining the continued security of IoT devices,” he stated. “Life-cycle management should be implemented utilizing a secure hardware root- of-trust to ensure secure updates of firmware and cryptographic keys.”

In addition, says Ashkenazi, a hardware root- of-trust with a unique cryptographic identifier allows each IoT device to be uniquely and cryptographically verified to determine if it is authorized to connect to a specific cloud service.

“Spoofed or unauthorized devices are easily identified by the service and denied access. This secure connectivity paradigm also helps mitigate the effectiveness (and damage) of DDoS attacks against the IoT service itself, while ensuring the integrity and protection of collected data,” he added. “Preventing malicious actors from manipulating the flow of information to and from network-connected devices is the cornerstone of establishing a secure IoT network.”

Unsurprisingly, malware targeting IoT has matured considerably, with the number of attacks focusing on IoT devices multiplying in recent years. According to Symantec, lackluster security makes IoT devices a soft and appealing target for attackers.

This is because embedded devices rarely receive any notable firmware updates and are typically only replaced upon reaching the end of their respective lifecycles, which may be considerable. Moreover, victims may be unaware that their connected devices are compromised. Indeed, a recent Network World report confirmed that an IoT security camera can be infected with malware merely 98 seconds after going online.

As more and more “things” connect to the Internet, the danger of nefarious attackers exploiting unsecured devices looms ever larger. It is therefore important for the industry to be cognizant of the very real threat posed by vulnerable IoT devices. Once infected with malware, IoT devices are often hijacked and instructed to join botnets that execute distributed denial-of-service (DDoS) attacks against Internet services.

In addition, vulnerable IoT devices introduce risks that include malicious actors manipulating the flow of information to and from network-connected devices or tampering with devices themselves, which can lead to the theft of sensitive data and loss of consumer privacy, interruption of business operations and potential disruptions to critical infrastructure. Nonetheless, IoT security has traditionally been treated as a tertiary afterthought rather than a primary design parameter.

From our perspective, life-cycle management, which includes over-the-air (OTA) updates and vulnerability management, is essential to maintaining the continued security of IoT devices. Life-cycle management should be implemented utilizing a secure hardware root-of-trust to ensure secure updates of firmware and cryptographic keys. A hardware root-of-trust with a unique cryptographic identifier also allows each IoT device to be uniquely and cryptographically verified to determine if it is authorized to connect to a specific cloud service. Spoofed or unauthorized devices are easily identified by the service and denied access.

This secure connectivity paradigm helps mitigate the effectiveness (and damage) of DDoS attacks against the IoT service itself, while ensuring the integrity and protection of collected data. Preventing malicious actors from manipulating the flow of information to and from network-connected devices is the cornerstone of establishing a secure IoT network.

Interested in learning more about mitigating DDoS attacks with secure IoT endpoints? You can check out our white paper on the subject here and our article archive on the subject here.

“For many [CIOs], this will be the first time they’ll have to actively manage such embedded devices across their networks. Indeed, for some it will be the first time the walls of their datacenter have extended beyond the web portals used for customer services and other customer-facing engagement,” Dastoor explained.

“The army of IoT devices needs a strict regime of security applied to them. Protecting from attempts to attack the current firmware, eavesdrop on the data being sent, or creating a man-in-the-middle attack to change data being sent are all potential threats.”

To simplify life for their customers, says Dastoor, IoT device manufacturers will deploy an over-the-air approach to updating firmware and configuration data – in an attempt to keep truck-rolls to an absolute minimum. However, the Wind River VP warns this approach could “open up” other attack routes unless carefully reviewed.

Dastoor also points out that protecting access to IoT data is an equally complex task, as are the issues of information ownership and infrastructure.

“The need to establish domains of trust and how to actively control them are paramount,” he emphasized.

According to Dastoor, the Internet of Things is becoming an agent of change – making “transformative affects” throughout the enterprise.

“Like all change, it needs to be carefully planned and reviewed for the anticipated benefits to be realized,” he added.

Perhaps not surprisingly, hacker turned security consultant Kevin Mitnick recently told an IoT security symposium that he doesn’t know of “any system” considered impenetrable.

“In our experience, when we are hired by clients to attack their systems, our success rate is 100%,” he confirmed.

More specifically, says Mitnick, the IoT is plagued by many of the same issues corporate computer networks face, including lack of encryption, authentication weaknesses and password resets.

“Those same vulnerabilities exist in the IoT,” he added. “If I want to get information from a device, all I have to do is go out and buy one and then extract the firmware.”

Kendra De Berti, a marketing manager at Rambus, recommends manufacturers of IoT devices and platforms adopt a hardware-based security strategy – beginning at the SoC level itself.

“A hardware-centric approach will help ensure SoCs powering the IoT remain secure during the manufacturing process. In addition, embedding the appropriate security IP core into an IoT device or platform will go a long way in helping companies design systems that remain secure throughout their respective lifecycles,” she concluded.

Jill Ingrassia, the Managing Director of Government Relations and Traffic Safety Advocacy at AAA, told conference attendees the auto industry has managed to significantly reduce the amount of vehicle crashes in recent years. However, more progress must be made, as thousands of people a year still lose their lives in traffic accidents.

According to Ingrassia, connected vehicle technology can help reduce accidents. As the AAA exec noted, multiple intelligent transportations systems – already deployed in the field – have continued to evolve over the years. The next stage of ITS is expected to include advanced systems, such as lane departure and forward collision warnings, braking and parking assistance systems, as well as adaptive headlights. All will be designed to help counteract human error and tendencies.

Perhaps not surprisingly, Ingrassia acknowledged that the industry faces a myriad of challenges in designing and deploying fully autonomous vehicles. Indeed, automakers have entered a transitional stage between semi-autonomous and fully autonomous capabilities. This evolution, says Ingrassia, presents its own set of concerns.

According to Joe Gullo, the senior director for Rambus Ecosystem strategy and development, security is one primary concern the industry must immediately address for intelligent transportation systems. To be sure, modern vehicles are essentially a network of networks – packed with a range of embedded communication methods and capabilities.

“Of course there is broad consensus that vehicle cyber security ranks as a top priority for the automotive industry,” Gullo told Rambus Press during an interview on the sidelines of CES 2016. “Unfortunately, there are still no clearly defined vehicle security specifications. This is not a problem that will be going away soon. In fact, it will only get worse as more and more connected vehicle systems are manufactured and installed in the next generation of semi-autonomous cars and trucks.”

Potential vulnerabilities include altering over the air (OTA) firmware updates, unsecure vehicle-to-vehicle communication, the unauthorized collection of driver or passenger information, seizing control of critical systems such as brakes or accelerators, intercepting vehicle data and tampering with third-party dongles.

As Gullo emphasizes, adopting a hardware-first approach to security and implementing the necessary functionality on the SoC level is a key element of protecting intelligent transportation systems – both now and in a fully autonomous future.

“To avoid potentially dangerous scenarios, vehicles should be equipped with robust DPA countermeasures to protect against side-channel attacks,” Gullo added. “In addition, the automotive industry needs to shield vehicle peripherals and components against tampering, as well as provide secure OTA updates for various systems.”