V1.0 | 2016-11-29

Vector Congress 2016, Stuttgart, 2016-11-29

OTA and Remote Diagnostics

Connectivity offers greater benefit to the Automotive Industry: Software update Remote diagnostics Data collection

There is a need for prompt delivery of OTA

We have identified the most important success factors: Security Reliability Reuse

A successful implementation requires significant know how in automotive and IT

At a glance Connectivity offers greater Benefit to the automotive industry

2/18 2/18

Classic AUTOSAR and others: Reprogramming monolithic blocks with UDS protocol.

Adaptive AUTOSAR and POSIX-like operating systems: Install and update software packages Consider dependencies between programs and shared libraries.

Updating connectivity and OTA: Maintain the communication and security relevant parts of the vehicle There is a risk for “brain dead” vehicles (no communication)

Software update adds value – and is a way to keep connectivity secure Connectivity offers greater benefit to the Automotive Industry

Classic

Adaptive

3/18 3/18

Compile and send regular vehicle health-reports Summarize present and stored failures, gas consumption, mileage, oil-level, … Useful information for the driver Useful information for the OEM: Get deep insight into fleet health status…

Get remote roadside assistance from central vehicle support centers Allows remote diagnostics when malfunction indicator illuminates:

Continue drive or keep waiting for the towing service? Some EE issues can even be solved immediately.

Make inspection and repair in car workshop more predictable and comfortable Actions, effort, time of visit can be planned beforehand based on vehicle health-report

and an enhanced remote diagnostics when required Spare parts will be ordered early and are already available when car comes in

Remote diagnostics adds disruptive elements to well-known applications Connectivity offers greater benefit to the Automotive Industry

4/18 4/18

Setup a campaign to analyze a certain phenomenon Select vehicles Define measurement configuration and trigger condition Transfer configuration from backend into vehicles of selected fleet Perform measurement, pre-evaluate and collect data Transfer data to the backend Perform data analytics Refine configuration if needed Close campaign

Data Collection provides new insights into vehicles in the field Connectivity offers greater benefit to the Automotive Industry

Backend

Internet

1

1

0

1

1 0

0

0

1

0

1 1

1

0 0

1 1

0 1

1 0 0 0

1 0 1 1 1

0 0

1 1

0 1

1 0 0 0

1 0 1 1 1

0 0

1 1

0 1

1 0 0 0

1 0 1 1 1

0 0

5/18 5/18

The starting signal has been given

First applications are already

available.

Some customers do expect such functions.

There is a need for prompt delivery of OTA There is a Need for prompt Delivery of OTA

http://de.freepik.com/fotos-vektoren-kostenlos/menschen „Menschen vektor durch Kjpargeter – Freepik.com entwickelt“

6/18 6/18

We have identified the most important success factors We have identified the most important success Factors

Security • Establish a secure channel that guarantees privacy and authentication.

Reliability • Make OTA functions robust and efficient.

Reuse • Take advantage of well-proven industry standards. Integrate into existing processes.

Benefits • Provide convenient functionality with additional value for the car owner

7/18 7/18

Security - A threat analysis on the OTA process We have identified the most important success factors

C C

Backend Diag gateway

Assets Flash data along the communication path:

> Over-the-air communication between backend and vehicle. > Storage devices. > In-vehicle communication.

Impacts:

> Financial loss. > Manufacturer reputation. > System malfunction. > Safety functions.

Internet PDX

Gateway Body

Chassis

ADAS Infotainment

Flash

Bootloader

Threats: > Compromising keys. > Data access or manipulation. > Man-in-the-middle. > Denial of services.

Security keys of the devices.

Connectivity

8/18 8/18

C C

Backend

Internet PDX

Assets Flash data along the communication path:

> Over-the-air communication between backend and vehicle. > Storage devices. > In-vehicle communication.

Impacts:

> Financial loss. > Manufacturer reputation. > System malfunction. > Safety functions.

Threats: > Compromising keys. > Data access or manipulation. > Man-in-the-middle. > Denial of services.

Security keys of the devices.

Diag gateway

Gateway Body

Chassis

ADAS Infotainment

Flash

Bootloader

Security - A threat analysis on the OTA process We have identified the most important success factors

Connectivity

Protect the data on storage devices from reading and writing by malicious attacker.

9/18 9/18

C C

Backend

Internet PDX

Security keys of the devices.

Assets Flash data along the communication path:

> Over-the-air communication between backend and vehicle. > Storage devices. > In-vehicle communication.

Impacts:

> Financial loss. > Manufacturer reputation. > System malfunction. > Safety functions.

Flash

Bootloader

Threats: > Compromising keys. > Data access or manipulation. > Man-in-the-middle. > Denial of services.

Diag gateway

Gateway Body

Chassis

ADAS Infotainment

Security - A threat analysis on the OTA process We have identified the most important success factors

Separating the connectivity module in the architecture provides less attack surface. Even if hacked, there is no direct access to vehicle buses.

Connectivity

10/18 10/18

Security - A threat analysis on the OTA process We have identified the most important success factors

Diag gateway

Assets Flash data along the communication path:

> Over-the-air communication between backend and vehicle. > Storage devices. > In-vehicle communication.

Impacts:

> Financial loss. > Manufacturer reputation. > System malfunction. > Safety functions.

PDX

Gateway Body

Chassis

ADAS Infotainment

Flash

Bootloader

Threats: > Compromising keys. > Data access or manipulation. > Man-in-the-middle. > Denial of services.

Security keys of the devices.

C C

Over-the-air communication uses PKI and certificate handling. The connectivity device handles and stores the key material.

Internet

Backend Connectivity

11/18 11/18

C C

Backend Diag gateway

Internet Connectivity

Assets Flash data along the communication path:

> Over-the-air communication between backend and vehicle. > Storage devices. > In-vehicle communication.

Impacts:

> Financial loss. > Manufacturer reputation. > System malfunction. > Safety functions.

Threats: > Compromising keys. > Data access or manipulation. > Man-in-the-middle. > Denial of services.

Security keys of the devices.

Security - A threat analysis on the OTA process We have identified the most important success factors

PDX

Gateway Body

Chassis

ADAS Infotainment

Flash

Bootloader

End-to-end protection with digital signatures. Additionally, data can be encrypted and

decrypted inside the bootloader.

12/18 12/18

Reliability - Software update with redundant data storage We have identified the most important success factors

Keep current and new version in the ECU: Software download is performed into

the secondary memory section.

In case of a failure, all ECUs will keep on executing the current version.

Keep current and new version at central location:

In case of a failure, the update can be rolled back.

ECU

UDS- Flash

Bootloader

Application V1.0

Application V2.0

Programming Ready for execution

Connectivity

DataV2.0

Diag gateway

Connectivity ECU

DataV1.0

DataV2.0

UDS- Flash

Bootloader

Application V2.0

Programming Diag gateway

13/18 13/18

There are many existing “protocols”.

The best choice depends on the use case: Synchronous or asynchronous, client/server or peer-to-peer, streaming or event triggered.

Which one is the best for given use-cases in the automotive industry?

Reuse: Take advantage of existing protocols - what do we need? We have identified the most important success factors

TCP/TLS UDP

SOME/IP … HTTP(S) M

QTT

BEE

P

SM

TP

(S)F

TP

…

Data

collection

Software

Update

Remote

Diagnostics Ap

p A

Ap

p B

Ap

p C

OMA-DM SOAP

DoIP

{REST}

SOAP

OBD UDS

14/18 14/18

Where to cut between vehicle and backend – on communication or on a more abstract level?

Keep and manage data containers required for interpretation in the backend or the car? Or break down containers…?

Reuse: Onboard - Offboard Responsibilities We have identified the most important success factors

D-PDU-API

MVCI-Server

Autosar

proprietary Tester

Application

ODX*/ PDX*

Abstraction Layer Bac

kend

Ve

hicl

e

JOBs

* Typically proprietary binary runtime format on the abstraction layer of the standard.

1

2

3

15/18 15/18

A successful implementation requires significant know how in automotive and IT A successful implementation requires significant know how in automotive and IT

A sustainable solution integrates in-vehicle and backend/server software seamlessly. 16/18 16/18

Connectivity offers greater benefit to the Automotive Industry: Software update Remote diagnostics Data collection

There is a need for prompt delivery of OTA

We have identified the most important success factors: Security Reliability Reuse

A successful implementation requires significant know how in automotive and IT

Vector is familiar with Automotive and IT.

Summary Connectivity offers greater Benefit to the automotive industry

17/18 17/18

© 2016. Vector Informatik GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.0 | 2016-11-29

For more information about Vector and our products please visit www.vector.com

Author: Volker Ebner, Armin Happel, Christoph Rätz Vector Germany