Harnessing the future of mobility over the air
Over-the-air (OTA) software updates will be mandatory in future connected cars, and vehicles will depend on them increasingly. Cloud-based OTA updates allow automotive manufacturers to fix issues efficiently, roll out campaigns across fleets and minimize the number of recalls. IHS Automotive has estimated that in 2015 over-the-air software updates could have saved the industry $2.7 billion, and the cost-saving potential is projected to rise to $35 billion by 2022. As well as being an effective cloud-based solution, OTA technology opens new revenue opportunities for automotive businesses, such as rolling out new features and customization options for drivers. Superior technology, a holistic security approach, and a foundation built on open source and open standards set OTA Plus apart as an over-the-air provider for the mobility industry.
Why OTA Plus?
Finding a flexible partner in OTA Plus
ATS has developed a full-stack client/server OTA solution that is scalable, secure, and quick to deploy. OTA Plus is open source and based on open standards, so ATS partners are not hindered by vendor lock-in, but rather get maximum flexibility from the product. Developed in Germany by the brightest minds in the automotive technology field, OTA Plus employs a container-as-a-service (CaaS) model, allowing for scalability and easy integration, as well as faster deployment and reduced downtime. ATS designs automotive-specific OTA solutions with the most advanced technology on the market, and works in cooperation with a network of respected partners, including GENIVI, UPTANE, and Fraunhofer AISEC. ATS’s technical aptitude and leadership in the field have led to it being the first cloud-only service provider accepted into the German Association of the Automotive Industry. OTA Plus partners receive advanced bespoke solutions for software updates and beyond, with expert consultation from an international team of developers based in Berlin, Germany.
OTA Plus in action
Offering cost and risk reduction over the air
Architecture & deployment
Making deployment easier with a modular approach
The microservice architecture of OTA Plus, developed in Scala using Reactive software engineering principles, makes it easy to integrate, with well-defined and secure boundaries between services. OTA Plus is packaged and ready to deploy on Container-as-a-Service platforms like Mesos or Kubernetes, or can be delivered as a complete platform. Because it compiles to JVM8 bytecode, it can also deploy directly on existing enterprise Java 8 infrastructure. The flexibility of the architecture also allows for compatibility and integration with various clients; ATS's reference client implementation is a high-quality, dependency-free Rust application with mathematically provable memory safety, but client integrations can be done for any platform or architecture.
OTA Plus key components
• Contains all the logic for sending updates to vehicles and creating/monitoring update campaigns.
• Maintains an inventory of the software packages and hardware components installed, as well as other characteristics of vehicles in the fleet. Implements a filter language to create targeted updates based on vehicle characteristics.
• Provides a graphical administration interface for all OTA functions, as well as a dashboard for drilling down into the data OTA Plus generates about the fleet.
• OTA Plus delta creation and management is implemented as an independent microservice, so that source code can undergo a security audit and then be subsequently deployed inside a client's data center. This enables us to have a zero-knowledge architecture with respect to signing keys, or even with respect to the contents of the packages themselves. Supports full system image deltas, binary deltas, and source deltas.
• Vehicles and administrators need to be authenticated, and authorized for access to varying classes of resources or updates based on rules defined by administrators. OTA Plus Authentication and Authorization leverages ATS's expertise and existing infrastructure in this area to provide a complete A&A system for OTA Plus. Integration with external identity providers is supported out of the box, as well as support for various authentication factors from vehicles, including X.509 and OAuth 2.
• OTA Plus CDN is a global, secure, redundant, and high-availability CDN for OTA powered by Amazon CloudFront.
• An optional component of the OTA Plus Client, File Upload gives total visibility into systems in the field. It allows the collection of rich data from vehicles on a broad basis for big data analysis, or the surgical selection of individual files on individual vehicles for highly specific troubleshooting.
Scaling and adapting for a range of licensing needs
What is Auth Plus?
Managing authentication and personalizing the driving experience
Auth Plus is a lightweight, highly secure access management and personalization system. The product has been designed especially for the automotive industry as a one-stop solution for managing partners, services, data requirements, vehicles, in-vehicle devices, and end users. Auth Plus centrally manages the authentication of vehicles, devices, and users, controlling their access to connected services and customizing their in-vehicle experience. Auth Plus is easy to integrate with existing systems, thanks to a base built on open standards. Since Auth Plus centralizes authorization management and personalization, manufacturers only need one tool to control and change access to specific services on partner devices, or to grant new permissions to existing devices. While providing the highest degree of flexibility, Auth Plus does not compromise on security or on the effective management of authentication and authorization credentials. Furthermore, Auth Plus presents a uniform authentication API to devices, making the development of client applications faster.
How does Auth Plus work?
Customizing bespoke in-vehicle experiences
On entry to the vehicle, the head unit authenticates the driver (and passengers) against Auth Plus using one or more pluggable authentication factors (voiceprint, car-key token, Bluetooth link keys, or facial recognition, for example), and then receives short-lived service access credentials issued by the Auth Plus servers. Once the user is properly authenticated, the system can load a customized and highly personalized HMI and Application Layer, providing an improved user experience and reducing complexity. To activate the driver’s profile settings and premium services, the head unit uses the temporary credentials to make requests to the service API(s). The service API(s) validate the access credentials with the Auth Plus server before returning the response. The vehicle is now personalized according to the driver’s profile, and access to specific services is granted. ATS can design service APIs for companies based on a broad range of in-car data requirements, covering navigation, media streaming, preferred driver settings and much more.
Auth Plus in action
ATS partners can tap into new revenue streams by using Auth Plus for personalization and authorization in vehicles. ATS works in cooperation with businesses to build bespoke solutions that can be configured via a centralized, web-based and user-friendly partner management system (Admin GUI). Using this model, a manufacturer can conveniently configure the service scopes and authorization of access levels for the various partners, devices, and users. An effective tool for controlling secure authentication and authorization credentials, the partner management system offers businesses flexibility through service APIs, such as premium data subscriptions or unlocking additional features. In a car-sharing context, for example, Auth Plus provides opportunities for advanced customization and authorization, which can all be managed centrally via the partner management system. From unlocking real-time traffic updates or activating music streaming services, to charting driver use patterns, Auth Plus adds another dimension for manufacturers and drivers.
Architecture & deployment
Flexible, agile deployment
Auth Plus deploys in a company's own data center or in the cloud. End user devices communicate with Auth Plus to validate credentials and receive secure access tokens, which they send to the service provider’s servers. The service providers communicate with Auth Plus to validate the secure tokens and the level of access they represent, and send appropriate content back to the end user.
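The three-party flow described in "How does Auth Plus work?" and in the deployment paragraph above (head unit obtains a short-lived credential after factor authentication, presents it to a service API, and the service API validates it with the issuing server), as an added Go example. This is not ATS's code and does not use the real Auth Plus API: the token format (an HMAC-signed JSON claim set with an expiry), the `Factor` function type, the user id `driver-42` and the scope names are all assumptions constructed for the example. The property worth noticing is that service providers never hold the token key; they can only find out what a token is worth by asking the issuer, which is the validation step the page describes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Factor verifies a claimed identity with one pluggable factor (car-key token,
// voiceprint, Bluetooth link key, ...); the implementations are assumed.
type Factor func(user string) bool

// Claims is the content of a short-lived access token (a constructed format).
type Claims struct{ User string; Scopes []string; Expires time.Time }

// AuthServer stands in for the Auth Plus server; only it holds the token key,
// so service providers validate tokens by asking it rather than locally.
type AuthServer struct {
	key    []byte
	grants map[string][]string // user -> service scopes an administrator granted
	now    func() time.Time
	ttl    time.Duration
}

func NewAuthServer(grants map[string][]string, now func() time.Time, ttl time.Duration) *AuthServer {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &AuthServer{key: key, grants: grants, now: now, ttl: ttl}
}

func (a *AuthServer) mac(payload []byte) []byte {
	m := hmac.New(sha256.New, a.key)
	m.Write(payload)
	return m.Sum(nil)
}

// Authenticate is what the head unit calls on entry: every presented factor
// must accept the claimed user, and the issued token expires after ttl.
func (a *AuthServer) Authenticate(user string, factors ...Factor) (string, error) {
	if len(factors) == 0 {
		return "", errors.New("no authentication factor presented")
	}
	for _, f := range factors {
		if !f(user) {
			return "", fmt.Errorf("authentication factor rejected %q", user)
		}
	}
	payload, _ := json.Marshal(Claims{User: user, Scopes: a.grants[user], Expires: a.now().Add(a.ttl)}) // cannot fail for these field types
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(a.mac(payload)), nil
}

// Introspect is what a service API calls to validate a token it received:
// MAC first (constant-time compare), then expiry; only then are claims trusted.
func (a *AuthServer) Introspect(token string) (c Claims, err error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(a.mac(payload), sig) {
		return c, errors.New("token signature invalid")
	}
	if err = json.Unmarshal(payload, &c); err == nil && !a.now().Before(c.Expires) {
		err = errors.New("token expired")
	}
	return c, err
}

// ServiceAPI is a partner service (music streaming, traffic data, ...); it never
// holds the key and only knows the scope it requires and which server to ask.
type ServiceAPI struct{ Name, Scope string; Auth *AuthServer }

func (s *ServiceAPI) Handle(token string) (string, error) {
	c, err := s.Auth.Introspect(token)
	if err != nil {
		return "", fmt.Errorf("%s: %w", s.Name, err)
	}
	for _, sc := range c.Scopes {
		if sc == s.Scope {
			return fmt.Sprintf("%s: personalized content for %s", s.Name, c.User), nil
		}
	}
	return "", fmt.Errorf("%s: scope %q not granted to %s", s.Name, s.Scope, c.User)
}

func main() {
	auth := NewAuthServer(map[string][]string{"driver-42": {"music", "traffic"}}, time.Now, 10*time.Minute)
	token, _ := auth.Authenticate("driver-42", func(u string) bool { return u == "driver-42" }) // constructed car-key factor
	fmt.Println((&ServiceAPI{"music-streaming", "music", auth}).Handle(token))
}
```

The `Introspect` call is the only way a service learns a token's claims, so revoking a user's scope at the issuer takes effect for every partner service at once, which is the centralized-management property the page attributes to Auth Plus. Note that `Introspect` checks the MAC before parsing the payload, so untrusted input is never decoded as JSON until it has been authenticated.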
Deploying quickly and securely
Auth Plus is built for the unique needs of connected cars. It supports an unlimited variety of authentication factors with a factor interface based on the FIDO®* standard, and it does it all with a fast, efficient, and scalable architecture that can be deployed in your own data center for maximum security. Unlike other solutions, Auth Plus gives full control over system management, data streams, partners, and customer relationships.
*FIDO is a registered trade mark of the FIDO Alliance. See https://fidoalliance.org/.
Standardizing security for stronger products
There are very few topics in automotive security receiving more attention right now than over-the-air software updates. The ability to deliver updates to ECUs and infotainment systems in a fast, cost-efficient way is both a vital business need and a thorny security problem: a software over-the-air (SOTA) platform is, by definition, a remote code execution platform, and thus a very inviting attack surface. In the marketplace today, there are a number of competing, closed-source SOTA products. The details of their security architecture are not public, and so there has been little progress or standardization in this critical product space. With our efforts on OTA Plus and within standards organizations, ATS is working to improve that situation. SOTA can be understood as consisting of two phases: first, the delivery of the software from the cloud server to the vehicle’s entry point, and second, the installation and verification of the software on the vehicle.
Mitigating risks by building open standards
ATS is committed to open standards, and works with UPTANE, a Department of Homeland Security-funded joint research initiative between NYU, the Southwest Research Institute, and the University of Michigan that is working to develop best practices for automotive software update security. UPTANE includes researchers from The Update Framework (TUF) and builds on that effort. The aim is to mitigate all common attacks on software updaters, especially with regard to ensuring update package authenticity. Mitigations include transport security, binary encryption and signing, and an architecture resilient to the possibility of key compromise. The main concern of the security architecture is to ensure that a vehicle receives firmware updates, and that those updates are authentic and verifiable. ATS uses public key infrastructure (PKI) to:
• Authenticate the vehicle to the OTA Plus Server
• Authenticate the OTA Plus Server to the vehicle
• Verify the integrity and validity of the update
• Ensure the confidentiality of the update files.
Layering transport security with encryption, signing, and role delegation provides defense in depth, securing the system against attacks from sophisticated adversaries.
Binary encryption and signing
Supporting multitrust signatures for update safety
OTA Plus implements a sophisticated and resilient hierarchical PKI-based system to verify that an update is safe to install. Keys are revocable at multiple levels in case of compromise, and the most crucial keys are always stored offline. Additionally, since the keys are scoped to individual suppliers or ECUs, the impact of any one key compromise is limited. As well as anticipating the possibility of key compromise, and permitting fine-grained, multilevel delegation of signing authority, ATS also supports multitrust signatures. Signing authority that is limited to a specific ECU or software package can be delegated to the supplier or OEM responsible, and the multitrust signature provides a convenient, efficient, and secure way to implement a review and acceptance system. The chart shows an overview of the system. Supplier A is a vendor of real-time mapping and POI data, and needs to push frequent updates. A is only permitted to sign packages destined for the mapping application on the IVI system. Supplier BC, on the other hand, supplies firmware for an anti-lock brake system (B) and a fuel injector (C). It has an offline key signed by the root project key, and is uniquely permitted to provide updates to those ECUs. (It is assigned a terminating delegation authority for those ECUs.)
Independent metadata signing
Protecting with independent metadata signing
Protecting against malicious updates is necessary, but not sufficient, for SOTA security. Because the most urgent updates are to packages that have security vulnerabilities, a version-freezing or rollback attack can be just as devastating as installing a malicious package. Independent signing of metadata protects against these attacks, and provides a number of other benefits for future expansion, including protection against mirror poisoning and dependency injection. The chart shows the OTA Plus metadata signing system: a root authority keeps track of all valid metadata files for a package, and verifies that an install candidate is providing the correct metadata.
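The two mechanisms described above, scoped signing delegation with a multitrust threshold (from "Supporting multitrust signatures for update safety") and independently signed, versioned, expiring metadata (this section), combined in one client-side verifier as an added Go example. This is not OTA Plus, TUF or Uptane code, and the real metadata format is not on this page: the key ids, the target paths, the `ecu/abs/*` and `ivi/maps/*` scope patterns, the threshold values, the `canonical` serialization and the sample image bytes are all constructed for the example. The scenario mirrors the page's chart: a mapping supplier may sign only for the IVI mapping target, while ABS firmware needs both the supplier's key and an OEM review key before a client accepts it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"path"
	"time"
)

// Signer is one key holder (supplier, OEM reviewer, root). Keys are generated
// in-process here; the design above keeps the most important ones offline.
type Signer struct{ ID string; Pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewSigner(id string) *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{ID: id, Pub: pub, priv: priv}
}

// Delegation is what the root authorized: a target-path scope (one ECU or package, as a
// constructed glob such as "ecu/abs/*") and how many listed keys must sign (the threshold).
type Delegation struct{ Pattern string; Keys map[string]ed25519.PublicKey; Threshold int }

// TargetMeta is signed independently of the image it describes; Version and Expires
// are what make rollback and freeze attacks detectable.
type TargetMeta struct{ Path, SHA256 string; Length int64; Version int; Expires time.Time }

// MetaFor binds an image's hash and length into a metadata entry.
func MetaFor(p string, image []byte, version int, expires time.Time) TargetMeta {
	sum := sha256.Sum256(image)
	return TargetMeta{Path: p, SHA256: hex.EncodeToString(sum[:]), Length: int64(len(image)), Version: version, Expires: expires}
}

// canonical is the signed byte string (a constructed serialization, not the real
// format); every field is covered, so none can be altered after signing.
func (m TargetMeta) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%d|%d", m.Path, m.SHA256, m.Length, m.Version, m.Expires.Unix()))
}

type Signature struct{ KeyID string; Sig []byte }
type SignedTarget struct{ Meta TargetMeta; Sigs []Signature }

func (s *Signer) Sign(st *SignedTarget) {
	st.Sigs = append(st.Sigs, Signature{KeyID: s.ID, Sig: ed25519.Sign(s.priv, st.Meta.canonical())})
}

// Verifier is the client state: trusted delegations plus the last accepted version per path.
type Verifier struct{ Delegations []Delegation; Installed map[string]int; Now func() time.Time }

// Verify checks freshness, version monotonicity, delegation scope, signature threshold,
// and finally that the image matches the signed hash and length.
func (v *Verifier) Verify(st SignedTarget, image []byte) error {
	m := st.Meta
	if !v.Now().Before(m.Expires) {
		return errors.New("metadata expired (possible freeze attack)")
	}
	if prev, ok := v.Installed[m.Path]; ok && m.Version <= prev {
		return fmt.Errorf("rollback: version %d is not newer than installed %d", m.Version, prev)
	}
	var del *Delegation
	for i := range v.Delegations { // first matching scope wins (a terminating delegation)
		if ok, _ := path.Match(v.Delegations[i].Pattern, m.Path); ok {
			del = &v.Delegations[i]
			break
		}
	}
	if del == nil {
		return fmt.Errorf("no delegation covers %q", m.Path)
	}
	msg, valid := m.canonical(), map[string]bool{}
	for _, sig := range st.Sigs { // keys outside this delegation never count
		if pub, ok := del.Keys[sig.KeyID]; ok && ed25519.Verify(pub, msg, sig.Sig) {
			valid[sig.KeyID] = true
		}
	}
	if len(valid) < del.Threshold {
		return fmt.Errorf("threshold not met: %d of %d required signatures", len(valid), del.Threshold)
	}
	if sum := sha256.Sum256(image); hex.EncodeToString(sum[:]) != m.SHA256 || int64(len(image)) != m.Length {
		return errors.New("image does not match signed metadata")
	}
	v.Installed[m.Path] = m.Version
	return nil
}

func main() {
	b, now, fw := NewSigner("supplier-bc"), time.Now(), []byte("constructed ABS firmware image")
	v := &Verifier{[]Delegation{{"ecu/abs/*", map[string]ed25519.PublicKey{b.ID: b.Pub}, 2}}, map[string]int{}, func() time.Time { return now }}
	st := SignedTarget{Meta: MetaFor("ecu/abs/firmware.bin", fw, 1, now.Add(time.Hour))}
	b.Sign(&st)
	fmt.Println(v.Verify(st, fw)) // threshold not met: the OEM reviewer has not countersigned
}
```

The order of the checks matters: expiry and version are tested before any signature is verified, so an attacker who replays old but correctly signed metadata is rejected without the client ever trusting its contents, and a compromised supplier key can still not install anything outside the paths its delegation covers.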
Status and future roadmap
OTA Plus already includes implementations of the techniques outlined here, but ATS is also actively engaged with research groups like UPTANE and with standards organizations like AGL and GENIVI to promote the adoption of these best practices as official industry standards, which would improve security across the whole automotive software ecosystem. ATS is pleased to be able to provide the core of OTA Plus as an open source reference implementation of these standards, either for direct deployment by manufacturers or for other solution providers to use as a model.