A universal, open source framework to protect wireless software updates in vehicles is now in development.
A consortium of researchers issued a challenge to security experts everywhere to try to find vulnerabilities before it is adopted by the automotive industry.
The new solution, called Uptane, evolves the widely used TUF (The Update Framework) to secure software updates. Uptane is a collaboration of NYU Tandon, the University of Michigan Transport Research Institute, and the Southwest Research Institute, and is supported by contracts from the U.S. Department of Homeland Security, Science and Technology Directorate.
Modern cars contain dozens of computers – called ECUs (Electronic Control Units) – that control everything from safety equipment (airbags, brakes, engine, and transmission, and more) to entertainment systems. The increasing complexity of modern cars accompanies an increasing likelihood of flaws in the software.
To offset this issue, vehicle makers are equipping ECUs with a secure Software Over-The-Air (SOTA) update capability, allowing the software to be changed without visiting a service depot, resulting in fewer recalls and greater customer satisfaction. However, hackers can target these software update mechanisms to install malicious software, viruses, or even ransomware, the results of which could be catastrophic.
In 2013, a single attack, spread by software updates and configuration management systems in South Korea, cost banks and media companies an estimated $750 million.
Uptane moves beyond TUF in order to address the unique problems posed by automotive software. For example, it allows automakers to completely control critical software but to share control when appropriate – for example, when law enforcement needs to tune a vehicle for off-road conditions. It also helps automakers to quickly deploy secure fixes for a vulnerability exploited in an attack or to remotely (and inexpensively) update a car’s electronics.