13 April 2017
Secure Over-the-Air (OTA) software updates will be key to delivering the future promise of connected and autonomous cars, throughout the vehicle lifecycle. Arthur Taylor, CTO of Advanced Telematic Systems GmbH, is one of the world’s leading experts in secure automotive OTA technology. We caught up with him to find out more.
What are the key issues when it comes to ensuring the security of an OTA update solution?
When we consider the security of OTA solutions, we tend to think of three main aspects - a sound architectural design, a high-quality implementation of that design, and operational security in deployment. From an architectural point of view, the best OTA solutions have peer-reviewed security architectures; OTA solutions that depend solely on in-house security expertise are not able to take maximum advantage of the work going on in the community and in publicly funded security research into the topic of automotive cybersecurity.
In terms of implementation, we believe that transparency is key here. Implementations should at the very least be audited (both source code and production deployment) by independent third parties on a regular basis, and the source code should in the best case be available for review by the customer themselves. The use of well-maintained open source components can be key here, increasing the likelihood that the code has been reviewed in depth by multiple people, and giving the customer ultimate transparency of implementation.
When it comes to security in deployment, a rigorous approach to identity and access management, for software and update metadata signing, for device and user authentication, and for operational staff administering the systems, is critical. Finally, a robust process for disclosure and resolution of reported security issues in the OTA solution should be in place - this should be a core element of the security posture of any credible OTA solution vendor.
What is Uptane and why is it important?
Uptane is a research project carried out in 2016 by NYU, UMich and SwRI in the United States, funded by the US Department of Homeland Security. It builds on existing research into secure software update systems (derived from the Tor Browser project), and extends an existing security framework (TUF) to address automotive threat models and use cases.
This work is important because it shines a bright light on what have previously been hidden processes inside OEMs and OTA vendors. The automotive industry has traditionally been very good at addressing safety issues in software systems, and there is extensive legislation and best-practice guidance on the topic of safety, but it has been slow to define and adopt standards in security.
Some manufacturers treat their security architectures as confidential trade secrets, in the hope that hiding the system architecture from attackers will protect the deployed systems from attack, but there is ample evidence from automotive security breaches in recent years (as well as from the long history of information security) that this approach is flawed. By creating an open, peer-reviewed architecture for OTA that is already being adopted as a de facto standard in OTA security in the industry, Uptane has given manufacturers and regulators a tool that they can start to use to encourage better security practices for OTA within the industry.
You are firmly of the view that an open-source approach to security of SOTA platforms is the best way to protect connected vehicles. Why is that?
I certainly believe that open source systems offer adopters more confidence of their security than their proprietary equivalents. It is a well-established principle in the design of secure systems that one should assume that your adversary will immediately gain full familiarity with them. One way to ensure that a system is not depending on security by obscurity is to publish the implementation for the world to review.
Aside from that, collaboration between software vendors and manufacturers to develop core, non-differentiating technologies in the open makes much more economic sense than tens of companies independently and secretly developing the same technology to solve a problem that doesn't intrinsically help car manufacturers to differentiate their products. That said, I do not believe that the deployment of SOTA, in and of itself, is enough to fully protect connected vehicles. Vehicles must include multiple independent security mechanisms - trusted hardware platforms, secure boot and secure software platforms, cryptographic key management, secure communications channels, runtime cybersecurity protections - and manufacturers must have a comprehensive approach to security throughout their entire organisation and the organisations of their suppliers.
A robust and secure SOTA platform can only help mitigate the impact of vulnerabilities in connected vehicle systems – it cannot prevent them existing in the first place, and it does not guarantee that a manufacturer is organisationally ready to respond to the challenges of modern automotive cybersecurity.
Author: Ian Dickie
7 October 2016
Ah Paris! The world’s auto industry CEOs (with a few notable exceptions) converged on the city of light last week for the press days of the biennial Mondial de l'Automobile. There was all the usual glamour and razzmatazz of course. But did they drop any clues about how their plans for driverless cars are shaping up, and when we can expect to see product in the showrooms?
Here are a few of the more interesting things we heard in and around the Porte de Versailles this year.
Audi has joined Volvo in declaring that the OEM must take full responsibility for any collisions or even fatalities caused by the Level 3 autonomous driving technology that will debut in next year’s all-new A8 limousine.
Board Member for Sales and Marketing Dr. Dietmar Voggenreiter said the company’s first “hands-off, eyes-off” L3 autonomous production car – the 2017 A8 – will be “almost infallible”.
“Next year we will open up the world of autonomous driving in a real way, with the new A8,” he said. “If you take over responsibility and allow the drivers to take their hands off, then you are responsible. This is the legal situation, it’s not big news. If we take the wheel and the driver is allowed to sit there and write emails, then we are responsible.”
“When you’re driving on a freeway in a normal urban situation at speeds of up to 65km/h, you’ll be able to take your hands off and the car will do the braking, the accelerating, the changing lanes, and you can really read a book or whatever you want to do.
“You can’t step away from the seat, but if the car detects a situation, like you’re coming into a construction zone, then it will ask you to take over again, but it will give you a 15 to 20-second warning of that.”
However, the German luxury car maker is so confident of its computer-controlled ‘Audi Intelligence’ driving tech that Dr. Voggenreiter said it may skip higher-speed Level 4 autonomy and go straight to Level 5, in which drivers will be able to take to the back seat and read, email or even sleep.
“In the long run, for sure, we will see Level 5, cars with no steering wheels and no pedals. This will come and we are working on this technology now. It’s not easy to predict whether it will be 2020, 2035 or 2040, but from a technology point of view, it will be possible.”
Having been a self-declared autonomous vehicle sceptic as recently as 2014, Toyota President & CEO Akio Toyoda made a few revealing announcements at this year’s Mondial.
First off, he told reporters that Toyota is taking a safety-first view, concentrating hard on issues like how to keep occupants safe and how to manage the hand-off from car to driver and back. He told us that more testing will be needed before the company’s autonomous vehicles reach customers. 14.2 billion kilometers, or 8.8 billion miles to be precise. Toyoda also stressed that autonomy will be a big help to those with disabilities, the elderly, and others who wouldn't normally drive a car today.
The other interesting thing Toyoda did was to refer to the car driving itself as “chauffeur mode”. And, true-to-form for a notoriously keen driver and motorsport fanatic, he emphasised that Toyota is committed to keeping some semblance of excitement and pleasure alive in motoring, going as far as to ask, “if a car is not fun to drive, what's the point?” This is an attribute to look out for when the company's autonomous-capable cars start coming to market (as soon as those 14.2 billion KM are out the way).
Ultra-precise mapping is one of the key enablers of fully autonomous driving.
General Motors told us that (in common with Nissan and VW) they are experimenting with a plan to pull video data captured by their customers’ vehicles using camera-based sensor systems from Israeli firm Mobileye. Could this potentially give the automaker an edge over the likes of Google in the acquisition of precision-mapping data?
Daimler has set up a new division to push digital technologies, enabling services like ride-hailing and autonomous driving.
Speaking at the company’s press conference, Chief Executive Dieter Zetsche said: "connectivity, autonomous driving, sharing and electric drive systems - each of these four trends has the potential to turn our industry on its head. Yet the real revolution lies in intelligently linking the four trends."
Daimler is calling its new division CASE, as in Connected, Autonomous, car Sharing and Electric.
“To guarantee the logical fusion of all four future trends, we are bringing together the respective activities. We see the car transforming from a product into the ultimate platform”
Arguably the most aggressive of the mainstream OEMs when it comes to deployment of automated features, the Renault-Nissan alliance plans to launch at least 10 driverless cars by 2020.
However, it seems the company is taking a pragmatic approach to real-world conditions in different global markets. CEO Carlos Ghosn told reporters autonomous cars will first hit the streets of nations where drivers are “disciplined” and “respect the rules.” In a (not so thinly) veiled stab at the “flexible” approaches to mapping and driving rules being taken in countries like Brazil and India, Mr. Ghosn said autonomous vehicles would remain off the menu there for now.
“You need to have a mapping which is precise and reliable...You need to have also driving rules which are being respected, because autonomous cars respect the rules,” Ghosn said. “You know very well that in some cities in Brazil, this is a joke, you live in Brazil, I live in Brazil, at night cars don’t stop at the red light. Nobody stops.” Ghosn’s concerns about the adequacy of infrastructure, driver training and enforcement extended to other megacities including Mumbai.
He said he believed self-driving cars would come first “to very disciplined driving countries” like Japan, the United States, France or Germany.
“And then little by little we’re going to apply the technology for countries where things are a little bit more flexible.”
On the eve of the show, Volkswagen bosses shared their view that stage-five autonomous cars are unlikely to happen for a number of years yet.
VW’s electric ID concept car, set to launch in 2020, certainly had a steering wheel - albeit one where, if you hold the badge in the center for 10 seconds, it retracts into the dashboard and control is handed to a bank of laser scanners, ultrasonic sensors, radar sensors, and cameras.
“We are talking about autonomous driving in the future, with the end state of level-five autonomous driving, which might be happening in some years to come,” said sales and marketing chief Jürgen Stackmann.
“That’s a vision. That’s a dream that the car will do whatever it wants to do in any environment. But we all know there are several stages to get that far.”
He added that, while stage-five autonomous driving is “a nice vision”, lesser levels of automation, such as self-parking, will be helpful to customers and are achievable in the near future.
“You will have manual-driven cars for sure, as the standard option. But the architecture will be qualified for the highest levels of automation. That means looking into the steering system… it will be done in a way that all these kinds of automation are possible. Obviously, we think that the car will be highly automated, but in the first case, people want to have the driving controls available. So yes, physically connected from the first day.”
Ford Motor Co.
Interestingly, Ford decided to skip this year’s Paris auto show. Rumour has it that the blue oval plans its own, private auto show in Cologne in November this year where further updates on its autonomous ambitions will be given.
We already know that Ford intends to start selling driverless cars to the public by about 2025. Ford’s focus (no pun intended) is on lowering costs sufficiently to make AVs affordable to the mass market. In August Ford revealed plans to roll out autonomous taxis - with no steering wheel, gas or brake pedals - and to expand into the mobility business by providing bikes and shuttle services in major cities. CEO Mark Fields said that after starting with sales of robot taxis to ride-hailing services by 2021, “around mid-decade we’ll make vehicles available for people to purchase for themselves.”
“We believe this next decade is really going to be defined by the automation of the automobile. We’re dedicated to putting autonomous vehicles on the road for millions of people, not just those who can afford luxury cars.”
“We don’t expect to see fully autonomous vehicles for personal use for several years after they are first introduced”
In a philosophy shared by Alphabet's Google, Ford does not intend to concentrate on incremental autonomous systems that would occasionally require drivers to take the wheel, committing instead to a full self-driving car.
"We abandoned the stepping-stone approach," Fields said, saying there are too many risks involved in the safe "hand-over" of driving responsibility between car and driver.
Raj Nair, Ford’s Chief Technical Officer added that the company had decided to make the leap to full autonomy “because we have not found a technology that can ensure driver engagement when not in control”.
Fiat Chrysler Automobiles
Fiat Chrysler CEO Sergio Marchionne canceled his appearance at the Paris show this year and the company made few statements regarding its plans for automated vehicle offerings.
FCA’s partnership to build self-driving vans with Alphabet (Google) is seen by many analysts as de facto outsourcing, given the Italian automaker’s weak finances, limiting its ability to invest in its own software expertise.
Author: Ian Dickie
27 February 2015
Clark Gable was a big fan of iconic British sports car maker, Aston Martin. Legend has it that he once visited the factory in Newport Pagnell to see the latest model being built. Following a tour of the workshops and an agreeable lunch, the Hollywood legend turned to David Brown, the then entrepreneurial owner, and said “I’d like to own one of these new Astons. But as a famous movie star, I’ll bring valuable publicity to your company, so I’d only like to pay cost price.”
“That’s awfully decent of you Mr. Gable” replied Brown. “Most of our customers pay around £2,000 less than that.”
I’m reminded of this story because Volkswagen Group has just sold the 450th and final Bugatti Veyron, marking the end of one of the most exclusive supercars ever built. The last Veyron (imaginatively named La Finale) will be on display next week at the Geneva auto show before heading off to its new owner somewhere in the Gulf.
In all 450 Veyrons were sold for an average price of about EUR 2.3m each. Sounds good? Analysts Sanford Bernstein estimate that VW lost a jaw-dropping EUR 4.6m on every Veyron sold, putting David Brown’s negative margins in the shade and making the mighty Bugatti one of the biggest financial failures in the history of car-making.
Assuming the analysts are right, the group would need to sell more than 5,000 Polos to recover the cost of selling one Veyron. VW, which shifted 10.14m cars last year, can easily afford this kind of vanity project. Even losses of EUR 200m per year amount to less than rival OEMs spend on Formula 1.
And like F1, the theory is that prestige projects such as the Veyron showcase the technological excellence of the parent company. But is anyone really buying a Golf on the strength of the fact that a tiny, elite sub-set of the VW group is able to make a car which is capable of 253mph and convey its owner to the opera in comfort and style? I’m not convinced.
Mazda famously used the now iconic MX5 roadster as a “halo car” to raise the sporty credentials of its otherwise ordinary family models. But the MX5 is a perfectly attainable proposition for most Mazda customers. It could easily be a second car, or retirement treat. It’s a common sight on the roads, helping to lend the marque a more youthful, fun image. And whether it actually raises the status of Mazda’s saloon car range or not, the MX5 has always made a healthy contribution to the bottom line. It makes sense. I’m not so sure the same can be said for Dr. Piech’s masterpiece, brilliant though it is.
Personally, I think I love and hate the idea of the Veyron in equal measure. I admire the undeniable feats of technical excellence and refusal to compromise on the part of the engineers who created it. At the same time though, I can’t help but find it vulgar, excessive and a little pointless. 10 radiators? 8mpg urban? EUR 28,000 for a set of 4 tyres that have to be changed every 2,500 KM?
VW is already working on a successor to the Veyron. No doubt it will be even more spectacular than its predecessor. Doubtless the well-heeled of Moscow and Dubai can’t wait to find out what it will look like. I’m more interested to know if VW will find a way to make it pay for itself.
Author: Ian Dickie