Connected vehicle technology, apart from the many benefits it offers, also makes cars vulnerable to hacking by malefactors seeking to remotely steal information, damage or hijack a vehicle, or even injure or kill its occupants.
One means of incursion is to target over-the-air (OTA) software upgrades for on-board telematics systems or the electronic control units (ECUs) for brakes, the engine, air bags and more.
The risk of such attacks will only increase, as analysts predict that by 2022, 203 million OTA-enabled cars will roll into dealerships.
OTA updates need to be secured, and open-source systems are one of the popular approaches. One such framework, Uptane, was developed by researchers at the NYU Tandon School of Engineering. It is a universal, free, and open-source framework to protect wireless software updates in vehicles. It is part of the OTA cybersecurity toolkit for a growing number of automakers and suppliers.
NYU Tandon has recently joined The Linux Foundation and Automotive Grade Linux (AGL) as an Associate Member. The NYU Tandon School of Engineering is New York University's engineering and applied sciences school.
The AGL project has over 120 members and is on track to be the leading shared software platform across the industry for in-vehicle applications including infotainment, instrument cluster, heads-up-display (HUD), telematics, autonomous driving, safety, and advanced driver assistance.
Some facts about Uptane:
- It was developed by Justin Cappos, professor of computer science and engineering at NYU Tandon, along with industry, academic and government collaborators.
- Uptane is helping to secure the OTA software updates for vehicles manufactured by one of the three major U.S. automakers, and is available to many others, including AGL members.
- It is based upon Cappos’ widely-used TUF (The Update Framework), and was developed with funding from the U.S. Department of Homeland Security.
- Uptane can prevent attacks during software updates by storing the correct encryption keys with the automaker, offline.
- It allows automakers and suppliers not only to secure major software updates to automotive infotainment and telematics units, but also to make remote, inexpensive updates to the “edge”: the dozens of in-vehicle ECUs controlling numerous functions in today’s vehicles.
- It also supports deployment of secure fixes for vulnerabilities exploited in an attack and allows automakers to completely control critical software and share that control when appropriate.
- In 2017 the Linux Foundation recognized TUF, of which Uptane is a variant, as a key security system for thwarting attacks, designating TUF to be one of the two new projects hosted by its Cloud Native Computing Foundation.
- Popular Science named Uptane one of the top 100 inventions of 2017.
- Advanced Telematic Systems, a division of leading in-car navigation company HERE Technologies, was the first European company to integrate the Uptane security framework into its OTA solutions.
- When the NYU Tandon team unveiled Uptane last year, they did so with a challenge to security experts everywhere to try to find vulnerabilities before its adoption by the automotive industry. According to Cappos, the effort led to clarifications with Uptane’s reference implementation.
- The platform’s code is posted on GitHub for anyone to see, test, or use.
Justin Cappos, the developer of Uptane, commented:
“Uptane helps Linux secure updates at places where Linux can’t run, since many ECUs, such as brake controllers, have tiny Flash memories. While we are essentially an encryption algorithm independent of Linux, we are part of Linux’ high-end expansion out to smaller devices. We are a good example of the tools Linux is encouraging. Since we are collaborating closely with AGL, it makes sense for NYU Tandon to be a member of the Linux Foundation. We think it’s the right way to move forward and we are proud to be working with AGL and Linux Foundation.”