Managing Automotive Software Security With the Software Bill of Materials (SBOM)

The automotive industry is evolving at an incredible pace, characterized by changes in vehicle architecture, automotive software, and user experience. No longer are automobiles a mere transportation tool, but consumers are now expecting their car to function as their smart mobile device on the road, capable of not just (autonomous) driving, but also personal computing tasks from music and video streaming to in-car payment and cloud-based functionalities. Today, drivers and passengers want their interactions with the car to be personalized, synchronized, and most importantly, effortless.

A smart mobile device relies heavily on software applications. Just like smartphones and tablets, the modern vehicle operates on hundreds of software applications with millions of lines of source code, powered by up to a hundred application processors in the forms of MCUs (microcontrollers) and ECUs (electronic control units)—and in some cases, a couple of centralized CPUs. Whereas conventional vehicles are largely evaluated by their hardware, software is playing an increasingly important role in defining today’s vehicles. We are in an age where two vehicles with the exact same engine and technical specs can drive and feel entirely different depending on the underlying software.

The Role of Automotive Software

In a modern vehicle, a surprising number of features that consumers take for granted are enabled by software. To consumers, the most familiar type of automotive software is the user applications installed in the head unit (i.e., dashboard and infotainment system), which make up the human-machine interface (HMI). Yet, beneath the surface, there are hundreds of software applications embedded throughout the in-vehicle system, underpinning the smart features that are seamlessly integrated into the driving experience. For instance, software is embedded in every camera to process the captured imagery and transmit the visual information to the computing unit, enabling advanced driver-assistance systems (ADAS).

Looking deeper within the vehicle, all ECUs contain pieces of embedded software that act as communication modules, allowing them to communicate with one another throughout the CAN buses, the head unit, the telematics control unit (TCU), and externally to the telecommunications network and the clouds. These communication interfaces lay the groundwork for V2X (vehicle-to-everything) communications and vehicle-infrastructure cooperated autonomous driving (VICAD). Lastly, information collected from the in-vehicle system is likely recorded and transmitted to the OEM cloud, allowing for the vehicle security operations center (vSOC) to detect anomalies and respond to any potential cybersecurity threats. All these software-enabled features run seamlessly without the need for any manual intervention.

Who Develops Automotive Software?

Unlike hardware parts, most of the software components used in automobiles are not directly developed by OEMs or Tier 1 suppliers. Instead, they come from a diverse range of software vendors and providers, including HMI providers, middleware providers, operation systems providers, telematics providers, ADAS software providers, telecommunications providers, cloud providers, security providers, and many more. Some of these software components are installed directly on top of the infotainment system, while others are embedded within the wide array of in-vehicle systems prior to the assembly phase. Oftentimes, software vendors need to work with hardware suppliers and chipmakers during the production process to ensure cross-industry interoperability. As software becomes an integral part of production, the automotive supply chain is looking less like a vertical deliver-and-assemble process but more like a horizontal network of partnerships and co-developments.

The Components of Automotive Software

A vehicle’s software environment is much more complex than that of other computing devices like smartphones and PCs. Smartphones and PCs operate on a single OS, where all software applications are developed for the specific platform. In the vehicular software environment, however, vehicles do not run on a single OS nor a proprietary platform (even though OEMs are moving in that direction—topic for another time). This means that every software component is essentially independent, only to be stitched together by the rules set out by standardized communication protocols and interfaces.

Since automotive software components are developed by individual parties, a large portion of them contain open-source code and licenses. This isn’t surprising given that more than 70% of all the world’s software source code is open source—the most popular mobile OS Android was built on the grounds of the open-source Linux kernel, while over two-thirds of all web servers in the world run on the open-source Unix OS and its variants. Of course, these popular open-source distributions are often developed and managed by large corporations, ensuring that vulnerabilities are monitored, detected, and patched immediately. But this isn’t the case for automotive software, which comes from hundreds of vendors and developers across the world. Since open-source code is widely copied and modified during the development of applications, even developers can lose track of which components or licenses were used, or whether one component could form codependency with another. This makes it much more challenging to manage software updates and ensure that patches get to the right vehicles on time.

Fortunately, there is a promising solution that makes it easy for automotive OEMs to continuously manage their in-vehicle software throughout all stages of the software development lifecycle (SDLC)—the software bill of materials.

Securely Manage Automotive Software With the Software Bill of Materials (SBOM)

To counter the security risks that arise alongside the growing popularity of open-source software (OSS), the software bill of materials (SBOM) has become a popular tool to manage OSS vulnerabilities across many industries. An SBOM, as its name suggests, is a machine-derived list that contains a detailed breakdown of all open-source ingredients—including code and licenses—found within a piece of software. In 2021, a US Executive Order on enhancing OSS security made SBOM mandatory for certain sensitive industries. A detailed guideline was later published by the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce.

Like many other industries, the SBOM is the most effective way for OEMs to manage automotive software. Not only does it help establish a vulnerability-free software environment in the first place, but it also allows OEMs to keep track of vulnerabilities in their OSS and licenses during the aftermarket stage and have them patched via OTA (over-the-air) updates to all impacted vehicles.

AUTOCRYPT’s newly launched AutoCrypt® Security Analyzer (SA) is an SBOM-based software analysis and management tool that accurately detects and categorizes software components, enabling OEMs to continuously manage their automotive software during all stages of the vehicle’s lifecycle.

To learn more about AutoCrypt® Security Analyzer and AUTOCRYPT’s mobility service solutions, contact

To stay informed and updated on the latest news about AUTOCRYPT and mobility tech, subscribe to AUTOCRYPT’s quarterly newsletter.

3 Stages of In-Vehicle Security: A Step-By-Step Guide to Vehicular Cybersecurity

Vehicular cybersecurity is now an inseparable component of automobiles. To establish an ecosystem where vehicles can safely connect with the outside world, UNECE’s WP.29 regulations on vehicular cybersecurity require automakers (OEMs) to manage cybersecurity risks at every stage of a vehicle’s lifecycle. This includes 1) pre-production design and development stage, where cybersecurity gets embedded into the supply chain; 2) production stage, where hardware and software components are integrated and tested for interoperability; and 3) post-production stage, where continuous monitoring and timely updates are required to keep the vehicle protected throughout its lifespan.

As a cybersecurity adviser on the International Transport Forum’s Corporate Partnership Board (CPB), AUTOCRYPT has been contributing its expertise in vehicular cybersecurity standardization and policymaking, making the company a specialist in cybersecurity integration and regulatory compliance. Developed to help OEMs integrate cybersecurity with functional safety, AUTOCRYPT’s in-vehicle security solution, AutoCrypt IVS, provides a robust end-to-end security package for all three stages of vehicle production, stretching beyond regulatory requirements.

In this article, we break down AUTOCRYPT’s in-vehicle security process to look at how a vehicle is secured at each stage.

1. Threat Assessment and Remediation Analysis (TARA)

The biggest difference between vehicular cybersecurity and IT cybersecurity is that a vehicle does not run on a host computer, nor a unified operating system. Instead, each vehicle has a unique electronic and electric (E/E) architecture made up of over a hundred electronic control units (ECU), interoperating through the Controller Area Network (CAN bus). This means that there cannot be an off-the-shelf cybersecurity software or tool that is readily installable across all vehicles; instead, in-vehicle security needs to be custom-designed for each vehicle model.

To develop a system and process for a particular vehicle, it is crucial to start by assessing the threats associated with the specific OEM and vehicle model through an engineering methodology called Threat Assessment and Remediation Analysis (TARA). TARA is widely used for the initial assessment of cybersecurity risks, based on a deep analysis of the vehicle’s architecture, followed by a prediction of potential vulnerabilities and entry points. After identifying the risks, security engineers will thoroughly select a pool of necessary countermeasures that can mitigate these specific risks.

During TARA, AUTOCRYPT begins by identifying critical assets within the target vehicle, then compiles a list of attack vectors that hackers could potentially use to access and intrude the system. After that, the level of risk and feasibility of each attack vector is analyzed, before arriving at a final list of threat priorities. These priorities are used to design and develop a security model, where detection engines and software modules get embedded in different parts of the vehicle.

2. Threat Modeling and Security Testing

After initial design and development of the in-vehicle security system, it is then time to conduct a series of tests by simulating real-life hacking scenarios to verify the efficacy of the security model. In this stage, three types of security testing are implemented: vulnerability scanning, fuzz testing, and penetration testing.

Vulnerability Scanning

Unlike threat assessment in TARA, vulnerability scanning requires the physical vehicle prototype with the adopted security model. Both software static testing and dynamic testing are performed. The former checks for errors in the development stage, including leaks and buffer overflows, whereas the latter executes the code to test for vulnerabilities in runtime environments by analyzing the behaviours of dynamic variables.

Fuzz Testing

Fuzz testing, or fuzzing, is a type of automated software testing technique that feeds a large pool of randomly generated invalid and unexpected inputs into the program as an attempt to make it crash or break it through. If a vulnerability a found, a fuzzer can be used to pinpoint the potential causes. Fuzzing is a quick and useful way to identify unexpected coding errors, highly effective at mitigating most automated hacking techniques.

Penetration Testing

Penetration testing is the most advanced and sophisticated test of the three. It requires security analysts and red team hackers to manually search and exploit vulnerabilities using complex hacking techniques such as password cracking and injection, then try to manipulate and exfiltrate data from the vehicle. AUTOCRYPT’s red team, led by experienced resident white hat hacker Dr. Jonghyuk Song, performs penetration testing to vehicle components and security software prior to final implementation, ensuring that no vehicle leaves the factory in a vulnerable state.

After completion of threat modeling and security testing, all errors and vulnerabilities will be corrected and reviewed. Finally, the vehicle will be ready to enter the market.

vehicular cybersecurity diagram
Figure 1. Three Stages of In-Vehicle Security

3. Threat Mitigation

As the vehicle gets passed down to the consumer, the role of cybersecurity does not end here. In fact, this is only the beginning of a long journey of continuous monitoring, prevention, and incident response. At this stage, the security engineering of AutoCrypt IVS works at its best to protect the ECUs by running both an intrusion detection system (IDS) and intrusion protection system (IPS) to block hacking attempts, encrypting all messages to prevent data tampering, and controlling access to all storages to ensure privacy and financial safety. It also monitors the central gateway for any abnormal behaviour throughout the vehicle’s CAN bus and between the vehicle to the external network. Such data is then collected in real-time by the OEM and reported to AutoCrypt vSOC (Vehicle Security Operations Center) for analysis.

Vehicle Security Operations Center

Similar to the SOC in IT security, vSOC brings enterprise threat intelligence to the mobility environment by monitoring the activities and conditions of all active vehicles using live data collected and shared from the OEM’s cloud. AutoCrypt vSOC provides an easy-to-navigate graphical user interface, allowing the OEM to track and analyze threats by region and prioritize updates and patches.

Vehicular Cybersecurity Made Easy With AUTOCRYPT

Most OEMs do not have the time and capacity to assess, deploy, and manage all three stages of vehicular cybersecurity in-house. Over the past decade, AUTOCRYPT has been filling this gap not only by offering AutoCrypt IVS as a product, but also by designing and developing a complete in-vehicle security solution that OEMs can rely on in the long-run.

To learn more about AUTOCRYPT’s end-to-end solutions, contact

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

Top 6 Cybersecurity Challenges Unique to the Automotive Industry

Cybersecurity is one of the most complex and dynamic fields in the data-driven world, involving a constant battle between hackers and defenders. As internet connectivity reaches every corner of our lives, cybersecurity is now an essential component for automobiles. Yet, many are surprised to find out that cybersecurity in the automotive industry is entirely different from what we are used to encountering in the IT industry, and this means that there are challenges in terms of preparation and prevention. This article takes a closer look at how automotive cybersecurity differs from traditional IT security, with cybersecurity challenges unforeseen in the automotive industry.

1. Massive Scale and Density

As vehicles become increasingly digitalized and connected, many like to draw comparisons between cars and computers, referring to automobiles as “computers on wheels”. However, comparing a car to a computer is not quite fair because a car is, in fact, made up of hundreds of individual computers, which by industry terms are called electronic control units (ECU). The scale of the IT infrastructure in a vehicle resembles that of a small enterprise network, with all the computers, servers, and networking devices densely packed into this metal box. Now imagine having to manage cybersecurity risks for tens of millions of these densely packed “enterprise networks”; a single world-class OEM has between 20 to 100 million active vehicles on the road, a scale never seen in a single corporate IT environment.

Despite this seemingly impossible task, OEMs make cybersecurity scalable by incorporating it into the design and manufacturing stage. Since all vehicles of the same model contain an entirely identical IT infrastructure, they are able to pre-establish cybersecurity measures and embed them into the vehicle parts during the manufacturing stage. This brings us to the next point: type approval.

2. Regulations Requiring Cybersecurity Type Approval

In the IT industry, computer and device manufacturers are not directly responsible for the cybersecurity of their products. It is up to the users, mostly enterprises, to implement cybersecurity tools to protect their network and data. As a result, IT cybersecurity regulations tend to be enforced on enterprise users, not manufacturers. For instance, data privacy laws such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) mandate enterprises to have reasonable security measures to protect the customer data they possess. It is only recently that governments have started to require more transparent reporting from hardware manufacturers due to the latest surge of supply chain attacks.

In contrast, in the automotive industry, since cybersecurity must be deployed during the manufacturing stage, OEMs are directly held accountable for failures in cybersecurity implementation. UNECE’s WP.29 working party was the first to establish a set of regulations that require vehicular cybersecurity type approval, meaning that all vehicles must be assessed and qualified prior to being put on sale. The following diagram illustrates a stage-by-stage comparison of when cybersecurity is implemented between the automotive and the IT industry.

blog image
Cybersecurity Implementation: Automotive Industry vs. IT Industry

3. System Complexity

Besides having greater scale and density, the internal system of a vehicle—referred to as the E/E (electrical and electronic) architecture—is much more complex than that of a computer. With more than 30,000 hardware components moderated by over 100 ECUs, a single vehicle operates on over 100 million lines of code. What makes things more complex is that the in-vehicle system is largely distributed without a universal operating system; as each ECU serves a unique purpose, every one of them is crucial to a car’s functionality. For instance, some ECUs are paired with sensors and actuators. Some are paired with the powertrain. The ECU that provides wireless connectivity is called the telematics control unit (TCU)—or on-board unit (OBU)—overseeing communications between the vehicle and the outside world.

Given that the ECUs are highly sophisticated minicomputers, they are often manufactured by different third-party suppliers that specialize in their own field of expertise. This means that to implement cybersecurity throughout the vehicle, OEMs need to work with both cybersecurity providers and ECU manufacturers to ensure that all needs are aligned and all components interoperable. An example of such multi-party collaboration is demonstrated when AUTOCRYPT partnered with ECU manufacturer NXP Semiconductors to embed its AutoCrypt V2X software development kit (SDK) into NXP’s OBUs. The secured chipsets are then able to be delivered to OEMs for assembly.

As vehicles become more and more sophisticated, the industry is now looking for ways to group the ECUs by their domains of service and slowly work towards a more centralized vehicle system that is easier to assemble and manage, transforming the multi-tier supply chain into a more horizontal supply line.

4. Long Lifespan

Having covered the differences in the manufacturing process, it is now time to look at how car consumers differ from electronics consumers. With increasingly efficient engines, advanced mechanics, and precise quality control systems, vehicles now last longer than ever. As a result, more and more consumers are keeping their cars for longer, with the average age of vehicles on US roads reaching a record 12.1 years in 2020. This is three times the average age of computers in the US.

This might be good news to the consumers. Yet, long-lasting cars pose a new challenge to OEMs as they need to spend more effort into managing software updates for each car model to ensure that they are free of security vulnerabilities. More active vehicles on the road also put more strain on the Vehicle Security Operation Center (vSOC), which needs to constantly monitor all vehicle systems in real-time.

5. Scattered Locations

Speaking of vehicle monitoring, we need to talk about the unique challenges that the vSOC faces as compared to the SOC of an enterprise network. The computers and servers in a company do not move, hence it is easy for the cybersecurity team to monitor suspicious activities at all times and respond to threats immediately. On the other hand, vehicles move around constantly across cities and even countries. Oftentimes, they will enter zones without internet connectivity, making it difficult for the vSOC to detect and respond to threats due to delays in data transfer.

6. Damage Severity and Recovery

Lastly, in case a cyberattack happens, an enterprise will most likely lose sensitive data and experience operation disruptions. However, a successful cyberattack against a vehicle system not only puts data at risk, but the personal safety of the passengers and all those others on the road. Patching vulnerabilities is also more complex in the automotive industry because the OEM needs to work with different Tier 1 suppliers and cybersecurity providers to ensure smooth updates.

How AUTOCRYPT Overcomes Automotive Cybersecurity Challenges

What sets AUTOCRYPT apart from other automotive cybersecurity providers is its capability to offer a complete set of end-to-end solutions that help OEMs overcome all aspects of cybersecurity challenges throughout the vehicle. From securing in-vehicle systems and V2X communications, to EV charging and fleet management, AUTOCRYPT eliminates the complexity of searching for a different provider for each problem, making it a completely personalized experience for each client.

To learn more about AUTOCRYPT’s end-to-end solutions, contact

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

What Are Over-the-Air (OTA) Car Updates and Why Are They Important to Security?

Just like how IT software and operating systems receive regular updates from their vendors, vehicles receive software updates from their manufacturers. Software updates are an integral part of the overall user experience as they contain important feature enhancements and crucial security patches. Traditionally, software updates are performed in person at service centers. But as cars become increasingly connected today, OEMs are trying a new approach by sending and installing software updates over the air (the Internet) to the cars directly—the same way that smartphones and computers receive updates. Such software updates are called Over-the-Air (OTA) Car Updates.

The Software-Oriented Car: Skyrocketing Software Compliants and Recalls

Many car owners tend to believe that software only exists in a car’s infotainment system and thus downplay the importance of software maintenance. This might have been the case a few decades ago, but a modern vehicle today contains many more software components than it seems. With more than a hundred electronic control units (ECU) equipped in an average car, almost every function is either controlled or monitored by software. For instance, ECUs are built into the powertrain to run features like advanced driver-assistance systems (ADAS) and to monitor turning angles and road conditions to allow for on-demand all-wheel drive and traction control.

Having more software means more software issues. In the mid-2010s, OEMs saw a drastic increase in the number of emergency recalls with regards to software flaws and errors, with the percentage of software-related recalls reaching 46% in 2016. Timely recall is especially important for software parts that are crucial to safety. For example, Mercedes-Benz USA recalled 41,838 of its SUVs in the North American market in early 2021 due to a software error in its Electronic Stability Program, a feature that applies a twisting force to one of the car’s front wheels so that the car pulls itself towards the turning direction during sharp turns to maintain stability and comfort. Clearly, a malfunction in this feature could lead to an unexpected twisting force and potentially cause crashes.

The Growing Importance of OTA Car Updates

Even without major flaws or errors, both hardware and software components need to be maintained and updated regularly during a car’s lifespan. Normally, car owners visit the service center at least once a year to get their scheduled hardware maintenance and software updates. However, as software features become increasingly sophisticated, more frequent updates are required. Having to install software updates at service centers is not only inconvenient for the owners, but also highly costly for the OEMs due to the tremendous labour needed. Additionally, many car owners neglect software updates altogether and put themselves in the danger of outdated software that is not just slow and inefficient, but also prone to cyberattacks.

OTA car updates solve all the above problems by eliminating the need for software-related recalls and make software updates easy and seamless. OEMs simply send the updates and patches over the internet so that the cars can download and install them on their own.

OTA car updates are commonly applied to two major types of systems within a vehicle: drive control and infotainment. Updates in drive control systems include feature upgrades and security patches related to the ADAS, powertrain, and chassis. Updates in the infotainment system include map updates and application enhancements. Even though the infotainment system does not directly affect driving, it is still a crucial component that must be updated and secured as it contains sensitive personal data.

Another important role of OTA updates is that they keep vehicles from depreciating. Since modern vehicles are essentially computers on wheels, they depreciate much faster than conventional vehicles. Without regular updates, software-enabled features can deteriorate and become slow and unusable after a few years. OTA updates prevent this from happening and keep the onboard experience new and fresh.

How Do OTA Updates Work?

To enable OTA updates, cars must be equipped with a telematics control unit (TCU), which is a piece of hardware that contains a mobile communication interface (e.g., LTE, 5G) and a memory to store driving and vehicle data. The TCU must also be able to recover data in case if an update needs to be removed. Whenever an update is available, the OEM delivers the software package to its vehicles from a cloud-based server.

The first OEM to successfully perform OTA updates was Tesla. Other manufacturers like GM and Ford quickly followed. Being able to deliver OTA updates is especially crucial for electric vehicle manufacturers because it allows them to introduce their vehicles to the market as early as possible to gain an early advantage, while working on quality assurance and improvements after they are sold.

How Secure Are OTA Updates?

We now know that OTA updates are essential to keeping vehicle software up-to-date and secure, but the next question to consider is—are OTA updates secure? Giving vehicles wireless internet connectivity has a lot of benefits, but also creates a new world of opportunities for hackers. Attackers could attempt to corrupt the software update kits with malware and enter the vehicle system to steal personal data or even take physical control.

To prevent this risk, not only must OEMs make sure that their vehicle connections are secured, but more and more regulatory bodies are mandating vehicular cybersecurity. Recent releases of the WP.29 regulation now require cybersecurity type approval for all new connected vehicles.

To fill in this gap, AutoCrypt IVS provides an in-vehicle security solution that protects the vehicle’s internal systems from cyber threats, enabling secure communication between the vehicle’s onboard units and the cloud. With AutoCrypt IVS, both OEMs and car owners can rest assured that their OTA updates are original and protected. Apart from blocking malicious traffic from entering the vehicle, it constantly monitors communications within the vehicle for any abnormal activities.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

Camera, Radar and LiDAR: A Comparison of the Three Types of Sensors and Their Limitations

Autonomous driving is enabled by two sets of technologies: V2X and ADAS. V2X (vehicle-to-everything) utilizes wireless communication technology to facilitate real-time interactions between the vehicle and its surrounding objects and infrastructure. On the other hand, ADAS (advanced driver-assistance systems) make use of built-in sensors to detect and calculate the surrounding environment. Both technologies complement each other to ensure a safe and seamless autonomous driving experience. We have so far explained how V2X technology works and the different wireless communication standards involved, see: DSRC vs. C-V2X: A Detailed Comparison of the 2 Types of V2X Technologies. In this article, we will focus on the technologies behind ADAS and take a deep dive into the three types of commonly used sensors: camera, radar, and LiDAR.


First introduced in the form of a backup camera by Toyota in 1991, camera is the oldest type of sensor used in vehicles. It is also the most intuitive sensor since it works just like our eyes do. After decades of usage for backup assistance, car cameras had undergone significant improvements in the 2010s as they were applied for lane keep and lane centering assists. Today, camera has become the most essential component of the ADAS and can be found in every vehicle.

Advantages of Camera:

Vision-like sensory. Just like our vision, cameras can easily distinguish shapes, colours, and quickly identify the type of object based on such information. Hence, cameras can produce an autonomous driving experience that is very similar to the one produced by a human driver.

Recognizing 2D information. Since camera is based on imagery, it is the only sensor with the capability of detecting 2D shapes and colours, making it crucial to reading lanes and pavement markings. With higher resolutions, even fading lines and shapes can be read very accurately. Infrared lighting is also equipped with most modern cameras, making it just as easy to navigate at night.

Low cost. Camera is relatively cheaper compared to other types of sensors. This made it possible for OEMs to introduce better autonomous driving features to mid-range and even lower-end vehicles.

Disadvantages of Camera:

Poor vision under extreme weather events. Its similarity to the human eye also makes it a major disadvantage under severe weather conditions like snowstorms, sandstorms, or other conditions leading to low visibility. Therefore, the camera is only as good as the human eye. Nevertheless, most people do not expect their car to see better than their eyes and would not fully rely on their car under such extreme conditions. In fact, Tesla had decided to abandon radar and use camera only for its Autopilot system, starting with its newly produced Model 3 and Model Y vehicles. Named Tesla Vision, the system is expected to decrease the frequency of system glitches because of the reduction of confusing signals from radar.


Radar (radio detection and ranging) was first invented prior to World War II and has been widely used since then to precisely track the position, speed, and direction of aircraft and ships. It was first brought into cars by Mercedes-Benz in 1999 to support its adaptive speed feature. Radar technology can be broken down into a transmitter and a receiver. The transmitter blasts radio waves in a targeted direction. These radio waves then get reflected when they reach any significant object. The receiver picks up these reflected waves and analyzes them to identify the location, speed, and direction of the object.

Advantages of Radar:

Unaffected by weather conditions. The greatest advantage of radar is that the transmission of radio waves is not affected by visibility, lighting, and noise. Therefore, radar performance is consistent across all environmental conditions.

Default sensor for emergency braking. The radar system has been used as the default sensor for emergency braking due to its ability to detect and forecast moving objects coming into the vehicle’s path.

Disadvantages of Radar:

Low-definition modeling. The radio waves are highly accurate at detecting objects. Yet, compared to the camera, radar is relatively weak at modeling a perfectly precise shape of the object. As a result, the system might not be able to identify exactly what the object is. For instance, unlike the camera, the radar system normally cannot distinguish bicycles from motorcycles, even though it has no problem determining their speeds.


LiDAR (light detection and ranging) adopted its name the same way as radar did. Despite its underlying mechanism being similar to radar, LiDAR utilizes laser lights instead of radio waves. Invisible laser lights are fired to the vehicle’s surroundings. The computer then uses the reflection time paired with the speed of light to calculate the distance of the reflector.

Advantages of LiDAR:

High-definition 3D modeling. LiDAR can be seen as a more advanced version of radar. It has a detection range of as far as 100 meters away with a calculation error of less than two centimeters. Hence it is capable of measuring thousands of points at any moment, allowing it to model up a very precise 3D depiction of the surrounding environment.

Unaffected by weather conditions. Same as radar, LiDAR’s efficacy is not affected by the environmental condition.

Disadvantages of LiDAR:

Highly sophisticated. In order to provide an accurate 3D model of the environment, LiDAR calculates hundreds of thousands of points every second and transforms them into actions. This means that LiDAR requires a significant amount of computing power compared to camera and radar. It also makes LiDAR prone to system malfunctions and software glitches.

High cost. As expected, due to the sophistication of the software and the computing resources needed, the price to implement a set of LiDAR sensors is the highest among the three.

Are Sensors Reliable?

All three types of sensors have their pros and cons. Therefore, most OEMs use a mix of at least two of the three to complement each other and outweigh their weaknesses. As sensor technologies become more mature, more and more vehicles are expected to reach autonomous driving levels 3 to 4 in the next five years.

Yet, no matter how advanced and sophisticated sensor technologies become, they are nothing more than computers; and connected computers are always at risk of cyberattacks. Therefore, just as we trust these sensors to take over our wheels, cybersecurity measures must be in place to ensure they do not get tampered with by malicious actors. The automotive cybersecurity regulation outlined by WP.29 ensures that all OEMs build their vehicles with secure cybersecurity systems in place, so that we can all trust the sensors to do their job.

AutoCrypt IVS is an in-vehicle security solution chosen by some of the top ten OEMs in the world for vehicular cybersecurity type approval. Not only does IVS block malicious threats from outside the vehicle, but it also monitors communications within the vehicle, and responds to abnormal and malicious activity in real-time.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

The Changing Automotive E/E Architecture and What it Means for the Supply Chain

Computer on Wheels: The Software-Oriented Car

The E/E architecture of the car is changing dramatically. As the common saying “computer on wheels” suggests, automotive technologies are now divided into two streams: the “wheels” and the “computer”. The “wheels” represent the hardware, the good old engines and hydraulics that keep the car rolling, while the “computer” represents the software programs that give instructions to the hardware on what to do. Cars are literally becoming computers, where software programs utilize hardware resources to deliver results.

This is not to say that hardware is no longer important. Of course, the core of the vehicle still lies in its hardware, which serves as an ultimate indicator of its performance. However, as OEMs continue to introduce software-enabled features from adaptive cruising to hands-free voice command, the average car buyer is caring less and less about horsepower and torque, but more about tech features and carbon footprint. As a result, most of the innovations and breakthroughs in the automotive industry today occur on the software end, guided by four major industry trends: connectivity, electrification, automation, and mobility-as-a-service (MaaS).

Likewise, the more consumers demand these features, the more OEMs must focus on improving them. This cycle has not only brought significant changes to the car manufacturing process but has forced the OEMs and Tier 1 suppliers to redefine their roles and responsibilities, leading to a ripple effect down the entire supply chain.

In this article, we will look at some major changes and trends with regard to vehicle architecture.

Centralization of the E/E Architecture

Up until recently, Tier 1 suppliers have been responsible for both hardware and software. They supply OEMs with complete vehicular parts integrated by the necessary software, while software firms mostly acted as Tier 2 suppliers who served their technologies to the Tier 1 suppliers. This architecture worked because when electronic systems were first brought into cars, they were simple programs that served as add-ons to the existing hardware. Each of these systems were built into an electronic control unit (ECU), which would then get integrated into the hardware. Individual ECUs have very low computing power such that every ECU is designed to control only one part of the hardware. Take the remote key fob for example: the ECU that manages the door lock system receives the signal, then instructs the door on what to do.

However, as more and more sophisticated add-on features were built into the car, the traditional architecture has become very costly and inefficient. Drivers today expect their smart keys to not only control the door lock system, but also allow them to remotely switch on the car, adjust the climate, and even give the car instructions for self-parking. This means that the smart key features alone require up to a dozen of ECUs each in charge of a single function.

To support even more complex features like the adaptive driving assistance system (ADAS), which requires the cooperation of many cameras and sensors, a typical car today can contain up to a hundred ECUs. Clearly, this scattered vehicle architecture is becoming increasingly expensive and unsustainable because there is simply not enough space in a car to accommodate hundreds of ECUs and wires.

This has led to a major change in the electrical and electronic (E/E) architecture of the car. Instead of having an entirely distributed model, with every ECU serving a particular function, the industry is moving towards a centralized E/E architecture. OEMs are starting to group all ECUs by their domains of service in a process called domain consolidation. For instance, all ECUs and sensors with regards to the powertrain are grouped into one domain, while all these with respect to the infotainment system are grouped into another domain. The entire domain is then controlled by the domain controller, which consolidates all the functions within that domain to ensure optimized system performance. Lastly, a gateway collects all information from the domain controllers and communicates such information with external parties when necessary.

This centralized E/E architecture is expected to significantly reduce the number of wires and increase the overall computing power of the vehicle. Expected to become the predominant vehicle architecture by the mid-2020s, this new model will help OEMs reduce manufacturing costs and free up room for more software features to further enhance the capabilities of autonomous vehicles, contributing to a seamless driving experience.

Segregation of Hardware and Software

The increased complexity of software-enabled features has led to another change: the separation of hardware and software in the car manufacturing process. As the E/E architecture becomes centralized, it is no longer efficient to build hardware parts with individual software programs attached. Manufacturers now need to build more complete software programs that oversee a whole domain of functions. As a result, it becomes more efficient to segregate the manufacturing process of hardware and software components.

Therefore, instead of having a single piece of software added onto every hardware element, both the hardware and the software are treated as core components in the architecture. Additionally, with the increased sophistication of software technologies, software components need to be developed on specialized and segregated platforms from the hardware.

Soon after, the industry may reach a point where a few software programs take control of all the functions of the hardware, just like how a single operating system controls all the hardware of a computer.

What it Means for the Supply Chain

For many decades, the automotive supply chain operated like a tier system. The OEMs were at the top of the pyramid, after which Tier 1 suppliers like Magna, Bosch, and Continental supplied completed parts to the OEMs. Raw materials were provided by Tier 2 suppliers. With a sudden surge in software needs throughout the past two decades, software firms joined the supply chain at Tier 2. These firms provided middleware and software development kits for every hardware component and sold them to the Tier 1 suppliers so that they could integrate them into the hardware. Many of the Tier 1 suppliers also set up their own software divisions or acquired software firms to enhance their power.

Today, most Tier 1 suppliers are responsible for integrating software functions into hardware parts, after which the finalized parts are sold to the OEMs. In other words, Tier 1 suppliers oversee the software integration process, while OEMs have the power of determining which parts to use.

However, the current model is facing another disruption. As the E/E architecture gradually becomes centralized, software programs are clearly becoming more crucial to the car. At the same time, the segregation of hardware and software means that more specialized software providers will emerge in the market. The role of the OEMs will be to consolidate the software platforms into their vehicle hardware. Currently, most software components are non-differentiated, meaning that they could be installed across different vehicles. As the centralization process continues, a significant portion of software will be differentiated, which means that they would need to be programmed specifically for individual car models. As such, it is crucial for OEMs to work closely with the software suppliers because once a software platform is fixed, the entire system would need to be built on that platform. Once a software platform is locked up, it becomes very expensive for the OEM to switch to other alternatives.

Clearly, these changes will likely disrupt the tier system and flatten the automotive supply chain so that suppliers of hardware, software, and semiconductors, along with OEMs, play equally important roles. Instead of having one supplier working on top of the other, horizontal collaboration is more important than ever. Eventually, the automotive market could look very similar to the PC and smartphone markets, where hardware manufacturers consolidate components provided by semiconductor firms and software companies.

AUTOCRYPT and Its Role in the Automotive Supply Chain

An automotive cybersecurity vendor, AUTOCRYPT is taking a crucial role in the software end of the vehicle manufacturing process. As an end-to-end solution provider that covers every dimension of security from in-vehicle and V2X, to EV charging and fleet management, AUTOCRYPT is actively working with OEMs and infrastructure developers to build a strong foundation for connected mobility by offering a complete cybersecurity ecosystem.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.