The Case for FOTA in AV Data Security

Firmware over-the-air data transmission helps OEMs drive secure vehicle autonomy.

To help thwart the global vehicle-hacking threat, Firmware Over-the-Air (FOTA) can quickly and continuously correct weaknesses while integrating new functions and modernizing the cryptographic algorithms used to safe-guard control devices. (Image: Molex Connected Mobility Solutions)

Cars are increasingly becoming mobile living spaces. That’s why the subject of security is so important for OEMs and suppliers. When a car becomes a personal mobile device that the owner uses for communications and personalizes with apps, it becomes vulnerable to opportunities for manipulation.

Hacker attacks on connected cars have already made the headlines. In one example, a wireless connection was used to access the CAN bus that controls many network units in the vehicle. This allowed the hackers to remotely control the car and switch off the engine while it was in use. Other criminals have managed to gain control over brakes, door locks, air conditioners and windshield wipers. This is hardly surprising, since more and more vehicles have interfaces for exchanging data with the outside world.

As the trend continues to move to networked cars that communicate with other smart vehicles within the Internet of Things (IoT), it will lead to even more of these interfaces, and thus to a higher risk of hacker attacks.

Cat-and-mouse with hackers

The car industry wants to protect its customers and itself against attacks, and so is looking for ways to limit the options for hacker attacks on vehicles. One approach is to seal off all wireless interfaces. However, this is not in the interest of customers. A connection for data exchange is needed – particularly for innovative V2X infrastructure services and autonomous driving. Furthermore, with the traditional method of recalls and shop upgrades it will not be possible to reliably protect vehicles against digital attacks.

A cellular gateway acts as an intermediary between the backend and the control units to be updated. Image above shows wireless interfaces in the vehicle; below is the FOTA gateway approach. (Image: Molex Connected Mobility Solutions)

Recall campaigns incur high costs and damage the reputation of the OEM. Recalls also take too long until all vulnerable vehicles have been patched. Meantime, it’s open season for hackers. A vulnerable vehicle poses an enormous risk to the driver and their surroundings, so prolonged time frames are not acceptable. In addition, it is often possible to identify additional weaknesses in the vehicle software during this interval. This makes the update obsolete when it is installed.

An alternative can be found in the world of apps and smartphone operating systems. Regular updates and patches are commonplace. The software and firmware are updated over the air (OTA), which means via the mobile network interface. Once the update has been transferred to the device, it is automatically unpacked and installed. Similarly, for the automotive industry, Firmware Over-the-Air (FOTA) can help with supplying updates to a large number of devices in a short time. This method could be used to quickly and continuously correct weaknesses by means of patches, integrate new functions, and modernize the cryptographic algorithms used to safe-guard control devices.

Many devices can be updated using the FOTA method. A control unit equipped with a mobile network interface acts as an intermediary (cellular gateway) between the backend and the devices to be updated in the vehicle. It receives all the software packages via the OTA interface and distributes them to the target devices over CAN bus systems or high-performance communications channels such as Ethernet. As the master device, the cellular gateway unit also monitors and coordinates the entire update process.

Technical challenges of OTA

Dr. Holger Hilmer is senior staff engineer at Molex, with a current focus on security, including software OTA update of automotive control units.

FOTA poses major technical challenges. For example, it is necessary to ensure that the process can be reliably executed and does not bring any additional vulnerabilities. If FOTA could be used to load manipulated software into a unit, the consequences for data security and functional safety would be immeasurable. This means that the over-the-air interface must be cryptographically protected, for example by encryption with the TLS protocol.

The keys and certificates needed for this must be entered in the devices in a secret and tamper-proof manner, and they must be stored in a secure memory area in the devices. A dedicated hardware security module (HSM) is vital to implement secure memory and enable secure execution of cryptographic algorithms.

Protection against unauthorized installation of manipulated software could be achieved by using a secure installation process called secure flashing and a security check when the device software starts up called secure boot. Digital signatures for validation of software authenticity are used in both methods. Development interfaces such as UART, USB or JTAG must either be disabled in series-production units or protected by cryptographic methods to prevent device penetration. Attackers could use these paths to try to read out or manipulate the software or confidential data.

Adaptations needed

Along with technical aspects, organizational and development aspects must be adapted to the new circumstances. For example, end-to-end threat analyses and risk assessments are currently not standard practice, but they should be included in the requirements that manufacturers set for their suppliers. These analyses examine possible attack scenarios on all components of the chain and their impact on data security and functional safety. Based on the results, suitable protective measures can be defined. This procedure can only yield the desired result if the OEM, the supplier of the backend solution and the manufacturer of the control units work together starting with the early development phase.

The approach requires switching from a black-box development of control units to an integrated approach with regard to security. In addition, measures to achieve and maintain security must persist after the start of production. Security analyses, security testing, and elimination of security gaps by FOTA must be carried out continuously during the entire product lifetime. The upcoming ISO/SAE 21434 standard ‘Road vehicles – Cybersecurity engineering’ provides rules and guidelines for all phases of the vehicle lifecycle.

FOTA offers more than just security benefits for OEMs. In the future, expensive recalls will no longer be necessary in the event of software problems. Many of them can be resolved without active customer involvement, since patches can be sent wirelessly to the vehicle. FOTA can also play a role in establishing new business models and customer relationships, as shown by the example of Tesla. Its models equipped with the company’s Autopilot system have evolved into semi-autonomous vehicles. This opens new perspectives for OEMs.

The value of a new vehicle typically drops by 50% when it leaves the dealer’s lot. Subsequently the value continues to decline. In the future with new functions loaded into vehicles via FOTA, cars might not lose value over time, but instead retain or even increase their value.

Standardization of FOTA is essential

Molex understands the critical need to ensure that security and safety are top priority as these changes occur. Along with likeminded companies an alliance known as eSync has formed to address the need for developing and promoting the technology required for automotive OTA and in-vehicle networks. The industry-wide initiative is working to reduce the cost of software and firmware updates, recalls and improve data services for the connected car.

This commitment to address a lack of standardization by promoting a secure and open path for end-to-end OTA vehicle data transmission helps OEMs create advances needed to further drive the industry.