Automobiles using Hardware Root of Trust to Securely Provide Software updates Over The Air
My car performed an over the air (OTA) update of the infotainment system last week.
It was really cool! It was performed when I got home and parked the car. I didn't have to waste time, sitting in traffic, going to the car dealer. There was nothing to plug in or wirelessly connect to. It just updated itself.
This infotainment system is essentially like having a tablet or smart phone permanently mounted in your car. In fact, it runs on a mobile operating system. It has a powerful processor, GPU, and all the connectivity that I'd ever (if ever is in the next two years) want; such as cellular, WiFi, Bluetooth and GPS.
Each item above has some sort of software, firmware or driver that can be updated over the air, whether it is for security, bug fixes and/or for feature improvements.
So, this is all great! However, what happens if the firmware update is bad?
OTA, from a security stand point can be used as an attack vector. Updating via OTA requires different thinking from a security and design stand point. This starts at the hardware level with Root of Trust (RoT).
The physical hardware should incorporate a Trusted Platform Module or TPM. A TPM is a tiny chip that is used as a hardware Root of Trust. The TPM basically starts the chain of trusted things. The TPM performs this task using a method that can detect if something is or is not the way it's supposed to be. For example, if performing a cold boot (starts when no power is connected), the TPM checks the boot firmware by measuring it. If the measurement is off, it does not allow it to start or execute. If correct, it allows the boot firmware to execute, until the the next measured item.
In my vehicle, a TPM is used to secure external communication, which is integrated into the infotainment system. It can be used to ensure a secure connection from my car to the correct servers and verify system integrity before an update is allowed to proceed.
While a car has mission critical systems, do not think RoT is overkill for a simple IoT device. If your device will use OTA as its method of obtaining an update, consider designing it with hardware RoT in mind. If you want to know how AMI firmware can help you with securing your device, from boot up to firmware update, please contact us and let us show you how.