Archive | 2021

Trusted Verification of Over-the-Air (OTA) Secure Software Updates on COTS Embedded Systems


Abstract

Over-the-air (OTA) software updates are an important feature for remotely analyzing and upgrading any section of the currently running software on battery-operated electric vehicles and their supply equipment. Even though a secure OTA framework can verify and validate updates before installation, the integrity of the framework itself cannot be guaranteed, and a compromised framework can easily introduce system and software vulnerabilities with potentially catastrophic consequences. In this paper, we show how a popular automotive OTA secure update framework (Uptane) can be deployed entirely inside a TEE-enabled commercial off-the-shelf (COTS) embedded device to extend its security considerations and improve its resilience against both internal and external security breaches. We also present a software analysis tool that leverages SAWScript to verify our proposed solution against any functional and logical inconsistency, while validating our approach on real COTS hardware (Raspberry Pi 3B).

security and protection for said devices [5], [6]. OTA frameworks assist in remote diagnosis and, if required, upgrades for any reported security breach in compromised EVSEs and BEVs, without the expensive in-person human attendance otherwise needed to fix the issue(s). While an OTA software update framework facilitates security updates along with operational upgrades, it can also introduce unwanted security loopholes. For instance, in an autonomous BEV, nearly all driving operations (e.g., where to turn, when to brake, controlling the speed of the car, etc.) are automated, while specific manual cognitive decision-making control is left to the discretion of the driver. Thus, if a corrupt OTA update package containing functional upgrades for the car is installed, an external agent can easily piggyback on the corrupt package to install malicious programs that compromise the entire BEV, leading to catastrophic consequences. Note that even though we motivate our work with the specific examples of BEVs and EVSEs throughout the rest of the paper, our approach can easily be applied to improve the security specifications of any existing system that uses a secure OTA update framework running on a TEE-compatible COTS embedded system. OTA updates in EVSEs and BEVs, therefore, not only need to be (1) secure, to prevent unauthorized access, but must also (2) support internal software isolation, to ensure functional correctness. Protecting and encrypting the communication channel and checking the authenticity of the new software are longstanding and vital security measures for BEVs and EVSE devices. However, these security measures are inconsequential if the OTA update verification framework itself is compromised [7], [8]. Therefore, there is a need to address such a scenario and to design a framework that can detect and protect against such security breaches.

Existing approaches to protecting the OTA update verification framework include dedicated secure hardware-based solutions (e.g., trusted platform modules (TPMs), secure networking modules, secure grid, etc.) [3], [9], [10]. They all require expensive, custom-built hardware with long time-to-market or time-to-deployment cycles. A readily available and cheaper alternative is the use of a trusted execution environment (TEE) [11] on commercial off-the-shelf (COTS) embedded processors. Examples of hardware support for TEEs include ARM TrustZone [12], which is popular in embedded devices. A TEE leverages hardware security extensions to provide platform virtualization that runs an application in secure isolation from the rest of the system. A TEE can be quickly redeployed if an exploit is found, since it is implemented using platform virtualization. Hence, TEE does not require
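The introduction above states that checking the authenticity of new software is a vital OTA security measure, and that the check is worthless if the verifier itself is compromised. The Go program below is an added example, not code from the paper or from the Uptane project: it models the device-side verification that a TEE-hosted verifier would perform on a received update, using a deliberately simplified metadata format inspired by TUF/Uptane targets metadata (an assumption; the field names, the threshold rule, the constructed firmware bytes and the error values are all invented for this example). It requires a threshold of distinct trusted signers, rejects rollback to an older version, and checks the image length and SHA-256 against the signed metadata, so that a payload piggybacked onto a legitimately signed package fails the hash check. Only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// TargetMeta describes one update image. It is a simplified model inspired by
// TUF/Uptane targets metadata (an assumption here, not Uptane's real schema).
type TargetMeta struct {
	Name    string
	Version int    // monotonically increasing; used for rollback protection
	Length  int    // expected image size in bytes
	SHA256  string // hex digest of the image
}

// Signature binds a key id to an Ed25519 signature over the marshalled metadata.
type Signature struct {
	KeyID string
	Sig   []byte
}

// SignedMeta is the envelope delivered over the air together with the image.
type SignedMeta struct {
	Signed     TargetMeta
	Signatures []Signature
}

// Verifier is the device-side trust anchor: signing keys, threshold, installed version.
type Verifier struct {
	TrustedKeys      map[string]ed25519.PublicKey
	Threshold        int
	InstalledVersion int
}

var (
	ErrNotEnoughSignatures = errors.New("fewer valid signatures than threshold")
	ErrRollback            = errors.New("metadata version not newer than installed")
	ErrLengthMismatch      = errors.New("image length does not match metadata")
	ErrHashMismatch        = errors.New("image hash does not match metadata")
)

// BuildMeta records the length and SHA-256 that the metadata commits to.
func BuildMeta(name string, version int, image []byte) TargetMeta {
	sum := sha256.Sum256(image)
	return TargetMeta{Name: name, Version: version, Length: len(image), SHA256: hex.EncodeToString(sum[:])}
}

// Sign signs the metadata's JSON encoding (field order is fixed, so both sides agree).
func Sign(m TargetMeta, keyID string, priv ed25519.PrivateKey) Signature {
	msg, _ := json.Marshal(m) // cannot fail for this plain struct
	return Signature{KeyID: keyID, Sig: ed25519.Sign(priv, msg)}
}

// Verify checks, in order: enough distinct trusted keys signed the metadata,
// the metadata is newer than the installed version, and the image bytes match
// the signed length and hash. Any failure rejects the update before install.
func (v Verifier) Verify(sm SignedMeta, image []byte) error {
	msg, _ := json.Marshal(sm.Signed)
	seen := map[string]bool{} // distinct trusted keys with a valid signature
	for _, s := range sm.Signatures {
		pub, ok := v.TrustedKeys[s.KeyID]
		if ok && !seen[s.KeyID] && ed25519.Verify(pub, msg, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	if len(seen) < v.Threshold {
		return ErrNotEnoughSignatures
	}
	if sm.Signed.Version <= v.InstalledVersion {
		return ErrRollback
	}
	if len(image) != sm.Signed.Length {
		return ErrLengthMismatch
	}
	if sum := sha256.Sum256(image); hex.EncodeToString(sum[:]) != sm.Signed.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Constructed scenario: two authorised signers, threshold two, device at v1.
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed ECU firmware image, version 2")
	meta := BuildMeta("ecu.bin", 2, image)
	v := Verifier{TrustedKeys: map[string]ed25519.PublicKey{"k1": pub1, "k2": pub2}, Threshold: 2, InstalledVersion: 1}
	good := SignedMeta{Signed: meta, Signatures: []Signature{Sign(meta, "k1", priv1), Sign(meta, "k2", priv2)}}
	fmt.Println("genuine update:", v.Verify(good, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 1 // image altered after signing: same length, different hash
	fmt.Println("tampered image:", v.Verify(good, tampered))
}
```

The threshold rule is what limits the damage from a single compromised signing key, and the rollback check is what stops an attacker from replaying an old, vulnerable but validly signed image. TrustedKeys and InstalledVersion are exactly the kind of verifier state that a framework deployed inside a TEE, as the abstract proposes for Uptane, keeps out of reach of the rest of the system; if that state can be rewritten from the normal world, every check above passes for whatever the attacker chooses.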

DOI 10.14722/autosec.2021.23028
Language English
