What Are Over-the-Air (OTA) Car Updates and Why Are They Important to Security?

Just like how IT software and operating systems receive regular updates from their vendors, vehicles receive software updates from their manufacturers. Software updates are an integral part of the overall user experience as they contain important feature enhancements and crucial security patches. Traditionally, software updates are performed in person at service centers. But as cars become increasingly connected today, OEMs are trying a new approach by sending and installing software updates over the air (the Internet) to the cars directly—the same way that smartphones and computers receive updates. Such software updates are called Over-the-Air (OTA) Car Updates.

The Software-Oriented Car: Skyrocketing Software Compliants and Recalls

Many car owners tend to believe that software only exists in a car’s infotainment system and thus downplay the importance of software maintenance. This might have been the case a few decades ago, but a modern vehicle today contains many more software components than it seems. With more than a hundred electronic control units (ECU) equipped in an average car, almost every function is either controlled or monitored by software. For instance, ECUs are built into the powertrain to run features like advanced driver-assistance systems (ADAS) and to monitor turning angles and road conditions to allow for on-demand all-wheel drive and traction control.

Having more software means more software issues. In the mid-2010s, OEMs saw a drastic increase in the number of emergency recalls with regards to software flaws and errors, with the percentage of software-related recalls reaching 46% in 2016. Timely recall is especially important for software parts that are crucial to safety. For example, Mercedes-Benz USA recalled 41,838 of its SUVs in the North American market in early 2021 due to a software error in its Electronic Stability Program, a feature that applies a twisting force to one of the car’s front wheels so that the car pulls itself towards the turning direction during sharp turns to maintain stability and comfort. Clearly, a malfunction in this feature could lead to an unexpected twisting force and potentially cause crashes.

The Growing Importance of OTA Car Updates

Even without major flaws or errors, both hardware and software components need to be maintained and updated regularly during a car’s lifespan. Normally, car owners visit the service center at least once a year to get their scheduled hardware maintenance and software updates. However, as software features become increasingly sophisticated, more frequent updates are required. Having to install software updates at service centers is not only inconvenient for the owners, but also highly costly for the OEMs due to the tremendous labour needed. Additionally, many car owners neglect software updates altogether and put themselves in the danger of outdated software that is not just slow and inefficient, but also prone to cyberattacks.

OTA car updates solve all the above problems by eliminating the need for software-related recalls and make software updates easy and seamless. OEMs simply send the updates and patches over the internet so that the cars can download and install them on their own.

OTA car updates are commonly applied to two major types of systems within a vehicle: drive control and infotainment. Updates in drive control systems include feature upgrades and security patches related to the ADAS, powertrain, and chassis. Updates in the infotainment system include map updates and application enhancements. Even though the infotainment system does not directly affect driving, it is still a crucial component that must be updated and secured as it contains sensitive personal data.

Another important role of OTA updates is that they keep vehicles from depreciating. Since modern vehicles are essentially computers on wheels, they depreciate much faster than conventional vehicles. Without regular updates, software-enabled features can deteriorate and become slow and unusable after a few years. OTA updates prevent this from happening and keep the onboard experience new and fresh.

How Do OTA Updates Work?

To enable OTA updates, cars must be equipped with a telematics control unit (TCU), which is a piece of hardware that contains a mobile communication interface (e.g., LTE, 5G) and a memory to store driving and vehicle data. The TCU must also be able to recover data in case if an update needs to be removed. Whenever an update is available, the OEM delivers the software package to its vehicles from a cloud-based server.

The first OEM to successfully perform OTA updates was Tesla. Other manufacturers like GM and Ford quickly followed. Being able to deliver OTA updates is especially crucial for electric vehicle manufacturers because it allows them to introduce their vehicles to the market as early as possible to gain an early advantage, while working on quality assurance and improvements after they are sold.

How Secure Are OTA Updates?

We now know that OTA updates are essential to keeping vehicle software up-to-date and secure, but the next question to consider is—are OTA updates secure? Giving vehicles wireless internet connectivity has a lot of benefits, but also creates a new world of opportunities for hackers. Attackers could attempt to corrupt the software update kits with malware and enter the vehicle system to steal personal data or even take physical control.

To prevent this risk, not only must OEMs make sure that their vehicle connections are secured, but more and more regulatory bodies are mandating vehicular cybersecurity. Recent releases of the WP.29 regulation now require cybersecurity type approval for all new connected vehicles.

To fill in this gap, AutoCrypt IVS provides an in-vehicle security solution that protects the vehicle’s internal systems from cyber threats, enabling secure communication between the vehicle’s onboard units and the cloud. With AutoCrypt IVS, both OEMs and car owners can rest assured that their OTA updates are original and protected. Apart from blocking malicious traffic from entering the vehicle, it constantly monitors communications within the vehicle for any abnormal activities.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

Data Privacy on the Road: How to Keep Car Data Safe

Since 2007, policymakers, regulators, NGOs, and businesses from all over the world have gathered on January 28 – Data Privacy Day – to raise awareness on data privacy and to promote the latest practices and technologies used to safeguard privacy in this digital world.

As the world enters the IoT (Internet of Things) age, concerns on data privacy are no longer limited to traditional IT environments. Connected devices like CCTV cameras, AI speakers, and now even cars, all collect and stores data from our daily activities.

As cars become increasingly digitalized and connected, ensuring data privacy becomes a new challenge for the automotive industry. Cars today are computers on wheels. Just as a computer stores data inputted by its user, a car collects data generated from the drivers’ behaviours. A typical car today generates exceedingly large amounts of data from cameras and sensors, electronic control units (ECU), and in-vehicle infotainment systems.

Data from Electronic Control Units

There is no need to explain how cameras, sensors, or infotainment systems generate data, as they work just like any other digital devices. Instead, we will discuss how electronic control units (ECU) generate and store data.

ECUs are embedded minicomputers in a vehicle that control its electrical systems, which then determine the vehicle’s movement. A modern car today contains around 80 of these units. Some of the ECUs include the engine control module (ECM), powertrain control module (PCM), and transmission control module (TCM). These units serve as the car’s computer. In most vehicles, each ECU operates separately on its own. However, some manufacturers such as Tesla are looking for a new approach to combine all ECUs into a central computer.

How do ECUs generate data? Let us look at the engine control module (ECM) as an example. A mixture of air and fuel is needed for an engine to operate. Too much air and fuel will overpower the engine, while too little of this mixture will not be enough to power the car. The ratio of air and fuel is also important. Too much air would make the car slow, while too much fuel would be pollutive.

Traditionally, an analog metering device was used to measure and determine the injection mechanically. However, tighter environmental regulations and rising oil prices meant that relying on analog means was no longer sufficient to reach to high fuel efficiency needed today. This had led to the digitalization of cars. Today, instead of using analog measures, the ECM uses optimization equations stored in its chips to calculate the optimized amount and ratio needed and injects the perfect mixture into the engine.

Since the ECUs are computers that send signals to control the car, these signals can be tracked and stored in the form of data and later used for a variety of purposes, from vehicle maintenance, driving experience optimization, as well as fleet management.

Then, what are some of the types of data generated by cars?

Types of Car Data and Their Uses

1) Driving behaviour
The cameras, radars, and lidar sensors equipped around the vehicles contain information on the vehicle’s speed, acceleration, braking, and steering. Such big data can be collected and used to enhance the driving assistance systems and improve responsiveness in emergency situations. These can also be used by taxi and rental companies to manage their fleet, making sure that drivers operate the vehicles safely. Lastly, insurance companies can use them to calculate highly accurate insurance premiums to better serve its customers.

2) Vehicle condition
The ECUs can provide critical data on a vehicle’s health condition. Information on tire pressure, wheel alignment, engine status, as well as other measures can be used to indicate the vehicle’s health, so that maintenance and repairs can be done immediately, eliminating any underlying safety hazards. Such information can also be collected by OEMs to improve their vehicles’ quality and performance.

3) In-vehicle services
Other data generated from in-vehicle infotainment systems may not be directly related to driving, but do contain sensitive personal information such as contacts, calls, and messages. Data on the usage pattern of mobility services, such as frequently visited locations, parking lots, gas stations, are also collected so that third-party service providers can use them to offer more personalized services and seek for new business models, such as smart parking and pay-as-you-go services.

How Are Car Data Shared with Outside Entities?

Many OEMs would ask consent for the car owner to share the data generated by the cameras, sensors, and ECUs to enable better driving experiences for the future. For example, the BMW Group collects telematics data generated from BMW and Mini vehicles (only under consent), and stores them in its data center to further expands its services.

Cars can also connect to the Internet directly. Many cars today are equipped with a SIM card slot, allowing the owner to subscribe to cellular internet service for in-vehicle infotainment. This allows the vehicle to receive live updates for its navigation system, allows the passengers to stream music with the car, as well as using it as a Wi-Fi hotspot to power other mobile devices on board.

Lastly, car data are a crucial asset for autonomous driving. V2X (vehicle-to-everything) systems not only shares the vehicle’s location, speed, and direction with other vehicles on the road, C-V2X technology will soon allow the onboard units (OBU) to communicate directly with the cellular network. This would lead to an explosion of transportation and mobility data.

How to Keep Car Data Safe?

Due to the sensitivity of car data, safeguarding data privacy comes as a prerequisite for connected cars. This means that drivers can rest assured knowing that their cars are much better at protecting their data than their computers at home. To protect car data from unauthorized access, authentication and encryption technologies are used to ensure that the sender and receiver of car data are properly authenticated, and that the data stored in the servers are safely encrypted. These security technologies are usually embedded in the ECUs and other onboard units such as the infotainment system to not only ensure data privacy, but also to make sure that these data are not altered or manipulated to cause physical harm.

AutoCrypt V2X and AutoCrypt PnC are software-based security solutions that are built into the chipsets during the manufacturing stage, protecting data privacy in the age of connected mobility. Working with chipmakers around the world, AUTOCRYPT is a major mobility security supplier for some of the world’s largest OEMs.

To keep informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.