13 April 2017
Secure Over-the-Air (OTA) software updates will be key to delivering the future promise of connected and autonomous cars, throughout the vehicle lifecycle. Arthur Taylor, CTO of Advanced Telematic Systems GmbH, is one of the world’s leading experts in secure automotive OTA technology. We caught up with him to find out more.
What are the key issues when it comes to ensuring the security of an OTA update solution?
When we consider the security of OTA solutions, we tend to think of three main aspects - a sound architectural design, a high-quality implementation of that design, and operational security in deployment. From an architectural point of view, the best OTA solutions have peer-reviewed security architectures; OTA solutions that depend solely on in-house security expertise are not able to take maximum advantage of the work going on in the community and in publicly funded security research into the topic of automotive cybersecurity.
In terms of implementation, we believe that transparency is key here. Implementations should at the very least be audited (both source code and production deployment) by independent third-parties on a regular basis, and the source code should in the best case be available for review by the customer themselves. The use of well-maintained open source components can be key here, increasing the likelihood that the code has been reviewed in depth by multiple people, and giving the customer ultimate transparency of implementation.
When it comes to security in deployment, a rigorous approach to identity and access management, for software and update metadata signing, for device and user authentication, and for operational staff administering the systems, is critical. Finally, robust process for disclosure and resolution of reported security issues in the OTA solution should be in place - this should be a core element of the security posture of any credible OTA solution vendor.
What is Uptane and why is it important?
Uptane is a research project carried out in 2016 by NYU, UMich and SWrI in the United States, funded by the US Department of Homeland Security. It builds on existing research into secure software update systems (derived from the Tor Browser project), and extends an existing security framework (TUF) to address automotive threat models and use cases.
This work is important because it shines a bright light on what have previously been hidden processes inside OEMs and OTA vendors. The automotive industry has traditionally been very good at addressing safety issues in software systems, and there is extensive legislation and best-practise guidance on the topic of safety, but it has been slow to define and adopt standards in security.
Some manufacturers treat their security architectures as confidential trade secrets, in the hope that hiding the system architecture from attackers will protect the deployed systems from attack, but there is ample evidence from automotive security breaches in recent years (as well as from the long history of information security) that this approach is flawed. By creating an open, peer reviewed architecture for OTA that is already being adopted as a de facto standard in OTA security in the industry, Uptane has given manufacturers and regulators a tool that they can start to use to encourage better security practises for OTA within the industry.
You are firmly of the view that an open-source approach to security of SOTA platforms is the best way to protect connected vehicles. Why is that?
I certainly believe that open source systems offer adopters more confidence of their security than their proprietary equivalents. It is a well established principle the design of secure systems, that one should assume that your adversary will immediately gain full familiarity with them. One way to ensure that a system is not depending on security by obscurity is to publish the implementation for the world to review.
Aside from that, collaboration between software vendors and manufacturers to develop core, non-differentiating technologies in the open makes much more economic sense than tens of companies independently and secretly developing the same technology to solve a problem that doesn't intrinsically help car manufacturers to differentiate their products. That said, I do not believe that the deployment of SOTA, in and of itself, is enough to fully protect connected vehicles. Vehicles must include multiple independent security mechanisms - trusted hardware platforms, secure boot and secure software platforms, cryptographic key management, secure communications channels, runtime cybersecurity protections - and manufacturers must have a comprehensive approach to security throughout their entire organisation and the organisations of their suppliers.
A robust and secure SOTA platform can only help mitigate the impact of vulnerabilities in connected vehicle systems – it cannot prevent them existing in the first place, and it does not guarantee that a manufacturer is organisationally ready to respond to the challenges of modern automotive cybersecurity.
Author: Ian Dickie