A gateway acts as an intermediary between the back end and the control units to be updated.

Cars are increasingly becoming mobile living spaces, making security an important consideration for original equipment manufacturers (OEMs) and suppliers. When used for communication and personalized with apps, cars become vulnerable. Hackers have remotely controlled cars; switched off engines while in use; and gained control of brakes, door locks, air conditioners, and windshield wipers. More vehicles have interfaces for exchanging data with the outside world, enabling these attacks, and adding connectivity to communicate with other smart vehicles in the Internet of Things (IoT) world will lead to even more interfaces, and a higher risk of hacker attacks.

Security measures

To limit openings for hacker attacks on vehicles, one approach is to seal off all wireless interfaces. This is not in customers’ interest, since a connection for data exchange is needed – particularly for innovative car-to-car or car-to-infrastructure services and autonomous driving. Recalls and shop upgrades are also not effective methods for protecting vehicles against digital attacks – they incur high costs, damage the manufacturer’s reputation, and take too long as all vulnerable vehicles must be patched. Additional weaknesses in vehicle software are often identified during the recall interval, making the update obsolete when it is installed.

An alternative can be found in apps and smartphone operating systems. Regular updates and patches are commonplace, and software and firmware are updated over the air via the mobile network interface. Once the update has been transferred to the device, it is automatically unpacked and installed.

A similar method exists in the automotive industry. Firmware-over-the-air (FOTA) can supply updates to many devices in a short time, quickly and continuously correct weaknesses using patches, integrate new functions, and modernize the cryptographic algorithms used to safeguard control devices. A control unit, equipped with a mobile network interface, acts as an intermediary between the back end and the devices to be updated in the vehicle. It receives all the software packages via the FOTA interface and distributes them to the target devices over controller area network (CAN) bus systems or high-performance communications channels such as Ethernet. As the master device, the electronic control unit (ECU) also monitors and coordinates the entire update process.

Technical challenges

FOTA should be reliable in updating devices while not creating additional vulnerabilities. If FOTA could be used to load manipulated software into a unit, the consequences for data security and functional safety could be substantial. The over-the-air interface must be cryptographically protected, and the keys and certificates needed for this should be entered in a secret, tamper-proof manner and stored in a secure memory area. A dedicated hardware security module (HSM) is important to implement secure memory and enable secure execution of cryptographic algorithms.

A secure installation process (secure flashing) and a security check (secure boot) when the device software starts up can protect against unauthorized installation of manipulated software. Digital signatures for validation of software authenticity are used in both methods. Development interfaces such as universal asynchronous receiver-transmitter (UART), USB, or joint test action group (JTAG) should either be disabled in series-production units or protected by cryptographic methods to prevent device penetration. Attackers could use these paths to try to read out or manipulate the software or confidential data.

Wireless interfaces in the car

Development adaptations

Along with technical aspects, organization and development must adapt to the new circumstances. For example, end-to-end risk analyses, currently not standard practice, should be requirements for suppliers. These analyses examine possible attack scenarios on all components of the chain and their impact on data security and functional safety. This procedure can only yield the desired result if the OEM, the supplier of the back-end solution, and the manufacturer of the control units work together, starting with the early development phase. This requires switching from black-box development of control units to an integrated security approach. In addition, measures to achieve and maintain security must persist after the start of production. Security analysis and security testing, and elimination of security gaps by FOTA, should be carried out during the entire product lifetime.

FOTA benefits

In the future, expensive recalls will no longer be necessary in the event of software problems. Many can be resolved without active customer involvement, since patches can be sent wirelessly to the vehicle. FOTA can also help establish new business models and customer relationships, opening new perspectives for OEMs. The value of a new car usually drops by 50% when it leaves the dealer's lot, and this value continues to decline. However, with new functions loaded into vehicles through FOTA, cars might not lose value over time, but instead retain or even increase in value.


About the author: Dr. Holger Hilmer is a senior staff engineer for advanced engineering at Molex.