Tesla is the only major automaker that offers over the air (OTA) updates of both software and firmware. This allows Tesla to add new features like new voice commands, driver profiles or blind spot warnings that weren’t available when the car was purchased. It also allows them to fix bugs that were either causing the car to not function as intended or to discourage potential hackers by patching vulnerabilities soon after they are discovered.
Adding new features opens potential new revenue streams by allowing consumers to upgrade their vehicle after purchase, perhaps even renting features for limited times and the security patching can save the automakers money by eliminating costly recalls. So, it seems like a no-brainer for the car maker. Why aren’t they all doing it?
Third-party dealerships in the US make a significant portion of their profit from servicing the vehicles they sell. OTA updates could significantly reduce the number of service visits, which in turn lowers profitability for the dealership. Tesla does not sell their cars via independent dealers, so they don’t meet the resistance that the other car makers face in threatening a dealer’s revenue stream.
During an OTA update the following must happen:
- The automaker must create an update - typically only the changed code to minimize the size of the update
- A wireless communication channel must be established
- The current software/firmware version installed on the vehicle must be determined
- The update must be downloaded to the vehicle while connected and powered
- The download must be verified that is not corrupted and authorized to be installed
- After verification, the update must be installed (flashed) on the proper processor while the vehicle is powered
- The update must be verified that it has been installed correctly
Obviously, a car maker cannot interrupt the function of a critical system during an update, so car makers will require the car to be parked before any update occurs. If an installation is done incorrectly, the OTA system will need to be able to identify the malfunction and reapply the update or restore the processor to its previous state.
OTA updates are both a boon and a bane for security professionals. While they allow manufacturers to quickly and cheaply patch vulnerabilities before they can be exploited they can also provide a wireless entry point to safety and other critical systems that open up the possibility of a fleet-wide cyber-attack. If the OTA system in not fully secure, end-to-end, the result could be catastrophic. Imagine an automotive CEO receiving a message that his/her entire fleet has been infected via OTA with ransomware and that the cars can only be unlocked with an immediate Bitcoin payment of $50M.
How long must a car maker support a vehicle with bug fixes and security updates? Connected cars are relatively new, so the automotive industry hasn’t yet been forced to make the decision of patching a security vulnerability on a 15-year-old car. Do you think you can get a security update for a first-generation iPhone? Of course not; because mobile phone manufacturers understand that consumers upgrade their phones after two or three years. The average age of a car on a US road is 11.4 years, so there would be an expectation of more than a dozen years of support. How do liability and insurance rules impact a car maker if they formally stop supporting security OTA updates for an old car and a cyber-attack occurs? What if the existing hardware can’t support the update?
Finally, there is the looming quantum computing threat on OTA updates. For those who aren’t familiar with quantum computers, they are a developing technology that will bring many benefits to chemistry, meteorology, astronomy, material sciences, etc. Unfortunately, they will also break all popular public key encryption used today. The timing for quantum computers to break encryption is not known exactly, but their availability within the lifetime of a car being built today is highly likely. Public key encryption and digital signatures are the most secure way to implement OTA updates today, but I believe that all of them use algorithms that are vulnerable to quantum computers. There are quantum-resistant algorithms available today, but only one, NTRU, has been standardized and is up to the OTA challenge.
The article was written by Gene Carter, VP of Products. Gene has spent the past 20 years in embedded and automotive product management roles. He holds an MBA from the University of Southern California’s Marshall School of Business and a BSc in Electrical Engineering from Tufts University.