How to Best Protect Automotive Over-the-Air (OTA) Updates

These are exciting times for car manufacturers. At-home services are increasing, with car manufacturers enabling over-the-air (OTA) updates that can upgrade a vehicle with new features, or even fix faulty vehicle software remotely. The data speaks for itself. According to a comprehensive research report by Market Research Future (MRFR), the market is projected to be worth $14.47 billion by 2030, registering a CAGR of 18.72% during the forecast period (2022 – 2030), up from $2.89 billion in 2021.

Seemingly, the OTA service is a win-win for both consumers and manufacturers. Consumers can save a lot of time and money, not to mention the bother of going to service stations. Manufacturers can cut expenses by handling software glitches remotely.


Automotive OTA Updates Are Susceptible to Vulnerabilities

But is it as good as it sounds? Have you ever had your computer stop working or your phone start malfunctioning after an upgrade? Imagine that happening while driving on a major highway at 90 miles per hour. What if the same malfunctioning updates were introduced to thousands of vehicles at a time? The cases described above highlight automobile malfunctions due to software glitches or bugs.

But what about intentional cyberattacks? During 2021, we saw numerous cyberattacks and an increase in vulnerabilities hitting the automotive sector. Ransomware threat actors seem to be paying special attention. The threat of connected vehicles being compromised by hackers is growing, even more so when software or firmware updates are involved, and especially during OTA updates.


New Regulations Are Emerging to Help Protect Automotive OTA Updates

According to the UNECE, cars contain up to 150 electronic control units and approximately 100 million lines of software code, four times more than a fighter jet. This is projected to rise to 300 million lines of code by 2030. Once, hacking a car was a difficult task, requiring advanced knowledge of the vehicle’s internals. But hackers are getting better, and automotive security concerns are growing. Not only is it possible for hackers to gain remote control access to an automobile’s steering, acceleration, and brake control, but they can also mine a connected car for personal information about the owner or driver.

For this reason, and due to growing threats, new regulations are emerging to manage vehicle cyber risks and to provide safe and secure over-the-air updates to on-board vehicle software. These regulations, such as R155 and R156, establish performance and audit requirements for cybersecurity and software update management for new passenger vehicles. WP.29 incorporates technological innovations into its regulatory framework to make vehicles safer and to provide safe, secure software updates that do not compromise vehicle safety. The cybersecurity regulations specifically describe three lifecycle phases: development, production, and post-production, which include monitoring, detecting, and responding to cyberattacks.


Ensure Automotive Security Compliance with Cybellum

In recent months, more and more customers who receive at-home services are becoming aware of the security issue, in no small part due to high-profile hacks that have made the news. They are starting to question their service providers about their security practices and how they can guarantee safe remote updates. Cybellum is supporting OEMs and Tier-1 automobile manufacturers around the globe to safeguard their customers from vulnerable software and cyberattacks. Learn more about automotive regulations and compliance with UNECE WP.29 and ISO/SAE 21434 in the eBook entitled:

The Blueprint of a Vulnerability Management Program