Over-The-Air Connectivity Allows Automotive Firmware Updates, but Creates Security Challenges
Picture yourself driving a car. It’s a new model that you just bought, and so far you love it. You’re on your freeway commute, the stereo is playing your favorite music, air conditioning is just right. Suddenly, the stereo shuts off. That’s odd, you think. Did you hit a button? Then the air conditioning stops, and the vents start blasting full heat. What is going on here? As you investigate, the brakes suddenly come on, full force. The car behind honks wildly, only just swerving to avoid a rear-ending. Terrified, you make your best effort to pull over. Despite your vain attempts to figure it out, nothing explains your car’s outright rebellion. For an automaker, it’s a public relations disaster.
Everyone’s worst nightmare: someone externally taking over your car while you’re in it!
An Avoidable Problem
This nerve-wracking situation might seem far-fetched, but a group of computer hackers showed it was entirely possible. As documented by Wired Magazine, nearly all of the key systems of a late-model Jeep Cherokee could be controlled remotely. A vulnerability in the SUV’s “UConnect” system, shared amongst Fiat Chrysler Automobiles’ entire lineup, enabled an internet-based attack via the system’s built-in cell connection. Since nearly all features of the Cherokee are electronically controlled, it turned a two-ton vehicle into a glorified RC toy. Once they learned of the hacking experiment, Fiat Chrysler was forced to recall 1.4 million similarly equipped cars at great expense. However, the fracas could have been easily resolved using over-the-air updates.
If only it were that easy
A Solution: Over-the-air Updates
Thanks to the accelerating pace at which vehicle systems are being computerized, updating and securing control firmware is a new responsibility for automotive manufacturers. Over-the-air connectivity means crucial patches, especially those closing security holes, can be silently pushed to thousands of cars without user intervention. That said, it’s important to realize that an over-the-air solution is a double-edged sword: if not implemented properly, it can expose vehicle hardware systems to attack. It’s absolutely critical to ensure not only that the update system itself is secure, but also that the design approach used is inherently resilient.
Best practices for over-the-air updates are still evolving, but can be readily summed up: keep things separated. The more layers, obfuscation, and sandboxes added to key vehicle systems, the better. In practice, this means target assets such as Engine Control Units and the Controller Area Network need to be firewalled from infotainment and telephony hardware and updated separately. While the cost-saving benefits of a consolidated design approach are attractive, a stratified approach is much more resilient. Designers of embedded hardware should also consider using more off-the-shelf solutions, especially those that run on industry-standard operating systems. Not only will this rein in development costs, but it also avoids the risk that an in-house approach gives too little attention to potential security holes. Finally, for absolute security, consider leaving the most critical systems out of the over-the-air update program. Master ECUs and airbag controllers, for instance, can be updated during dealer visits and through technical service bulletins.
Getting OTA updates to be completely secure is still a work in progress
Security without Compromise: The Over-the-Air Manager
That last point might seem like a cop-out, but it doesn’t need to be. It is possible to keep all vehicle systems updated securely, but it demands a little rethinking and a novel approach. Using an independent over-the-air manager, a lightweight computer in charge of updates, assures maximum security. This unit, which firewalls critical systems from the actual communication equipment, acts as a “passport control” for incoming firmware updates. Using either built-in encryption/decryption or a cryptographic checker, the over-the-air manager verifies the update file to ensure authenticity. If the firmware has been tampered with or is fake, the over-the-air manager rejects the file. When implemented along with communication security, such as TLS, this system is theoretically bulletproof. Critical hardware controls remain isolated and firmware updates can be distributed without worry.
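The “passport control” check described above, as an added example that is not from the article or from any vendor's product. The package layout, ECU id, key and function names are assumptions made for illustration, and HMAC-SHA256 with a shared key stands in for the asymmetric signature check a production update system would normally use.

```python
import hashlib
import hmac
import struct

# Constructed package layout (an assumption, not a real OTA format):
#   magic "OTA1" | target ECU id (u16) | version (u32) | payload length (u32)
#   | payload | 32-byte HMAC-SHA256 tag over header + payload
HEADER = struct.Struct(">4sHII")
TAG_LEN = hashlib.sha256().digest_size


def build_package(key, ecu_id, version, payload):
    """Backend side: serialize an update and append its authentication tag."""
    body = HEADER.pack(b"OTA1", ecu_id, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def gate_update(key, allowed_ecus, package):
    """OTA-manager side: return (ecu_id, version, payload) or raise ValueError.

    Nothing is forwarded to an ECU unless the tag verifies over the exact
    bytes received and the target is a unit this manager may update.
    """
    if len(package) < HEADER.size + TAG_LEN:
        raise ValueError("package too short")
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Authenticate before parsing any field; compare in constant time.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    magic, ecu_id, version, length = HEADER.unpack_from(body)
    if magic != b"OTA1" or length != len(body) - HEADER.size:
        raise ValueError("malformed header")
    if ecu_id not in allowed_ecus:
        raise ValueError("target ECU not updatable over the air")
    return ecu_id, version, body[HEADER.size:]


# Constructed sample values.
KEY = bytes(range(32))
ALLOWED = {0x0101}  # hypothetical infotainment unit id
GOOD = build_package(KEY, 0x0101, 7, b"\x90" * 64)
TAMPERED = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]
```

The allow-list is where the separation argued for earlier shows up: a correctly authenticated package addressed to a unit outside the over-the-air program is still refused.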
Automakers are gradually coming to grips with the new responsibilities that modern car systems create and the role security plays. At first glance, it may seem like a secure, robust solution is resigning developers to greater cost and overhead. However, that needn’t be the case. Through the use of a modern security-aware development tool, like Altium TASKING, high levels of resiliency won’t be a headache. TASKING provides an integrated development environment for embedded systems and is designed with the unique needs of automotive applications in mind. MISRA C and CERT C compliant, TASKING allows rapid development for stratified hardware units without sacrificing reliability or security. It cost-effectively enables over-the-air updates with targeted firmware development and a long list of supported hardware solutions. Most importantly, TASKING makes it easier and simpler to create fast-compiling, low-impact code that is highly resilient to vulnerabilities and attacks. Talk to Altium today to learn more about TASKING and what it can do for your particular automotive application.