In 2013, Tesla Motors had a problem with battery fires in the company’s Model S electric car. In January 2014, nearly 30,000 of Tesla’s Model S vehicles were recalled by the National Highway Traffic Safety Administration due to the possibility of overheating charger plugs causing fires.
Engineers at Tesla Motors took care of both problems without the need for any of the cars to visit a dealership. The cars were sent a software update using cellular networks. In a MIT Technology Review column, Kevin Bullis writes, “Expect over-the-air updates to become more common, although companies will need to work to make sure they can be done securely.”
SEE: Car Tech 101: Everything you need to know about OTA updates (CNET video)
Introducing software updates OTA for vehicles
Traditional automotive companies, seeing the advantages of remote software updates, are now sending over-the-air updates to the mini computers called electronic control units (ECUs) used to control vehicle subsystems, if the vehicle has cellular capability. To accomplish this, vehicle manufacturers are equipping the ECUs with software updates over-the-air (SOTA) capability.
SOTA and similar systems make vehicles easier to remotely access. Charlie Miller and Chris Valasek in their paper Remote Exploitation of an Unaltered Passenger Vehicle (PDF) and Andy Greenberg’s WIRED article have confirmed that hackers can remotely exploit and control a vehicle.
“Immediately my accelerator stopped working (Miller and Valasek remotely disengaged the transmission),” writes Greenberg. “As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.”
It’s a pretty safe bet this capability is not lost on bad-guy hackers who will eventually figure out how to manipulate these software-update mechanisms to install malicious software, viruses, or even ransomware, causing all sorts of mayhem. “Although widespread attacks are still difficult and expensive, they lie within the capabilities of nation-state cyber warriors, and it is time to begin securing the infrastructure, particularly as automotive electronics increase,” states Professor Justin Cappos of NYU’s Tandon School of Engineering in this press release.
As to mayhem, let’s use ransomware as an example. The malware has significant implications when it prevents users from accessing data on their computers. Imagine what it means if cybercriminals figure out how to hold cars ransom, requesting a monetary payment to return control of the car to the owner.
Uptane might be the answer
Cappos and a team of researchers are so concerned about the ease with which hackers can access vital vehicle systems they developed a new automotive software update system called Uptane. In their paper Uptane: Securing Software Updates for Automobiles (PDF), the researchers write that existing update methods fall short because they do not:
- solve problems unique to the automotive industry (multiple, distinct computers or ECUs)
- address security attacks that can cause a vehicle to fail or become unsafe.
Next, the paper’s authors suggest that Uptane is the first software-update framework for automobiles that addresses a comprehensive and broad threat model. “Our work enhances the security of previous update systems by adding and validating new types of signed metadata to improve resilience to attacks,” explains the authors. “Since different automobile manufacturers and tier-1 suppliers have their own development and deployment infrastructure, Uptane does not prescribe a rigid, one-size-fits-all solution. Instead, we provide a flexible framework that enables different parties to configure the provided security benefits to their needs and environment.”
Martin Rowe in his EETimes commentary suggests the key advantage of Uptane is the moving of the director role to the server, as opposed to the more traditional client locations. “The design overview (Uptane) explains how the director identifies updates in its database and uses a vehicle’s VIN to verify the vehicle to receive the update because each ECU has a unique serial number,” explains Rowe. “Once all are verified, download and installation instructions are invoked, and updates can begin.”
The NYU Tandon press release notes that Uptane is an open-source project, and the research team wants security experts everywhere to help find flaws in Uptane’s code. “It’s possible that we missed something,” says Cappos to EETimes Rowe. “We want smart people to try to break the code. Evaluations by hundreds, and perhaps thousands, of experts can find many flaws.”
The Uptane research is led by principal investigators Cappos at NYU Tandon, Sam Lauzon at the University of Michigan Transportation Research Institute, and Cameron Mott at the Southwest Research Institute. The Uptane design and software are available on GitHub.