From recall remedy to feature enhancement, auto manufacturers and Tier 1 suppliers have been investigating the possibilities of over-the-air (OTA) vehicle software updates as a way to reduce maintenance costs and improve functionality. But while automakers such as Tesla, General Motors, and Audi are moving quickly to improve vehicle connectivity and, in some cases, already deploying OTA software updates to automotive subsystems beyond the infotainment system, safety and security concerns are still being fleshed out before the automotive industry can utilize this technology on the road to vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) implementations.
In the age of connectivity it seems we can't connect anything fast enough. Watches, appliances, door locks, and light bulbs are all recent inductees into the world of the Internet enabled, helping feed our obsession for information and convenience in almost every way imaginable. In recent years, the ubiquitous connectivity movement has entered automobiles as well, with car manufacturers releasing models with the option for built-in Wi-Fi and 4G LTE services as early as this year.
But beyond the ability to offer revenue-generating services and additional features through in-vehicle infotainment (IVI) consoles and head units, the long-term prospects for the connected car perhaps yield something more significant in the form of over-the-air (OTA) software updates capable of remedying software issues in other automotive subsystems. For example, while Ford, General Motors, Cadillac, and Fiat all experienced recalls related to embedded software bugs in 2014, OTA pioneer Tesla avoided a potential recall related to defective adapter plugs by issuing a remote software update, and also used the center console as a gateway to upgrade the transmission systems of Model S sedans with a creep option – as seamlessly as Apple or Samsung update your smartphone. In an industry where billions of dollars are at stake with every recall and consumer satisfaction can mean the difference between profit and loss, OTA is quickly becoming a necessity rather than a luxury, and the automotive ecosystem is mobilizing now to make the technology refine the technology for next-generation vehicles, says Andreas Dharmawan, Senior Director, Solutions and Services, Electric Cloud, Inc. ().
"The modern car has over 300 million lines of code (MLOC), and this is going to grow even more once self-piloted cars become common on the road," Dharmawan says. "With 300 MLOC, you have to deliver patches because there are so many components and subcomponents that make up a system, many of which are actually being made by supply chain partners. So, because of the complexity, it's bound to have interoperability issues, integration issues, and even bugs inside the modules. Because of this, the need to update or deliver patches increases as the size of the code grows in the car.
"If it becomes frequent that your in-car software needs to be updated, you cannot ask the service engineers to constantly be trained and service cars going into the dealer for software updates," he continues. "That will create bottlenecks in car dealerships across the country. And also, it's going to be very costly, because there is no money in updating software. There is money when you have to fix the transmission, the exhaust system, and the brakes because these are hardware parts that you can sell. So, car manufacturers do not want cars to come back to the dealer for software updates because of economic reasons, and because of convenience."
"OTA capabilities have the potential to make the development process easier," says Marques McCammon, Senior Director, Automotive Solutions, Wind River (). "Tier 1s have hundreds of systems to develop in the last cycle of car production. Often, software is the last thing that gets updated before a car is released. In the development process, imagine having hundreds of vehicles in a fleet test and the team is faced with several software revision cycles. This could be a versioning nightmare, especially as OEMs are under pressure to increasingly compress their development time. If you have ability to perform OTA updates and avoid time-consuming individual car updates, this is a huge cost and time advantage.
"One specific use case is around software-related recalls; there have been a number of safety campaigns and recalls around vehicle software in recent years," he says. "At some OEMs the costs of managing warranty and recalls can reach into the billions of dollars. These events can impact literally millions of vehicles at a time, and several global markets. By conventional means the cost per vehicle to implement these recalls can be in the hundreds of dollars per vehicle and that says nothing about the factor of time.
"For example, if there are software issues after the car is sold, the ability to use OTA to update software or fix issues is more convenient, more efficient, and less costly than to physically bring cars into service shops," McCammon continues. "With a robust and dependable OTA strategy, OEMs can update the automotive systems in near real-time over the lifetime of the vehicle from development through production. Additionally, as the useful life of vehicles continues to grow, there is further opportunity to increase the value of the deployed vehicle base by continuously freshening the product experience. This may open new revenue streams to the industry that were not practical before."
sECUring safety-critical systems
The term "connected car" typically refers to using some means of wireless communication to provide vehicles with Internet access, but rarely is it interpreted as an expansion of connectivity between the various subsystems of the vehicle itself. While IVI systems and telematics control units (TCUs) are quickly becoming the de facto methods of connecting the car in general, intra-vehicle networks linking the electronic control units (ECUs) of internal systems are required in order to enable updates such as those implemented on Tesla's Model S. However, vicariously connecting safety-critical vehicle subsystems to the Internet also presents significant security challenges for automotive engineers, as cars are essentially transformed into clients in a vast IT ecosystem. This has resulted in a rethink of automotive security to protect both private information as well as non-IVI systems that could present safety risks if compromised, McCammon says.
"Besides IVI, we see a huge opportunity for OTA updates on more critical vehicle systems," he says. "Many vehicle functions today are electronically actuated where they were once all mechanical. Steering, accelerator function, and braking are all systems that have moved, or are moving to electrical actuation where they were once exclusively mechanical. As these functions are critical to vehicle operation it is essential that they operate with the latest and most complete software. In these cases the ability to affect OTA updates may have real impact on a vehicle's ability to protect the life of its occupants.
"More automotive systems are increasingly integrating and relying on software, and quite frankly any point where the data in or function of the car can be accessed remotely is a potential point of risk," McCammon continues. "There are several places along the data connection that must be secured or follow appropriate protocol, not only from the embedded device, but also the website where the software was launched and even to the data center. There is work currently being done in the industry to investigate the need for automotive-only data centers. Companies are looking at different modes of isolation to ensure the discrete pass of communication from device and over the air."
"The fact that the connected car is a complex system containing software, hardware, and communication capabilities exposes it to various threats. For instance, the software may be compromised by hacker attacks or the wireless communication may be the target of interceptions. In addition to the single component's weak point, many leaks can exist between the interfaces of the different elements. "The car security architecture must be considered more with connectivity and security risks in mind. This is where machine-to-machine (M2M) technology and mobile network operators can be of significant value, especially M2M Connectivity with a car having its own M2M SIM card that can be limited to trusted parties." – Andrew Morawski, Head of M2M, Americas, Vodafone
"The vehicle is becoming more connected within itself, or networked, if you will," says Grant Courville, Director, Product Management, Automotive and General Embedded, QNX Software Systems (). "Within vehicles what we're seeing is an ECU, which could be the infotainment system or it could be the telematics system, that will be used as your wireless gateway to connect to the cloud. That device will connect to the cloud through a wireless connection, and then there's the interconnectivity within the vehicle where you'll perhaps see the infotainment system as your gateway for OTA software updates. Then what you're looking to do is provide software updates to the various other ECUs within the vehicle that are capable of receiving them.
"So from a security perspective, there's security of the connectivity itself, whether that's through SSL or TLS or some of the other security mechanisms you'll have for the connectivity. There's the authentication – am I talking to the server I should be talking to and is that server talking to the device it believes it's talking to? Then there's the payload itself – am I receiving the payload I should be receiving, has it been tampered with? And then there's the installation of that payload," Courville continues while explaining the company's OS for Automotive Safety (Figure 1). "From an embedded perspective, in terms of being able to provide a software update you have to go through all of those scenarios. Let's assume that the software payload was delivered securely, properly, and now I have an image sitting there. Depending on what you're updating, you have to worry about physical space – do I have the space on my solid-state storage (SSD) to install it? When I'm installing it, are any of my active or passive systems disabled, or can I do this software update while I'm driving? And, if so, are there any systems that become disabled as a result?"
"The main fear is that the update package comes from a non-authorized back end, or a hacker, and it convinces the car that the IP address of the hacker's server is the IP address that the car should use in order to perform the software update, and an unwanted firmware will go to the car," says Yoram Berholtz, Business Line Director, Automotive, Red Bend Software (www.redbend.com). "Our solution has several mechanisms to address that (Figure 2). First is the standard security functionality that exists in the OMA-DM protocol. Second, we're partnering with leading security companies like ESCRYPT and Cisco to provide a client-server security architecture, which means that in the back end there is also a key management system so that every package we are sending to the car must first go through this key management system in order to get a signature and possibly be encrypted. Then in the ECU in the car there is a security client that analyzes if this key is correct and performs encryption. By doing so we are guaranteed that the update channel is secure."
Additional automotive update challenges
Beyond the IT-style security concerns being introduced into connected cars, OTA updates must also contend with other challenges inherent to autos, for example, the reality that vehicles will inevitably travel to or through areas with insufficient cellular coverage or the possibility of a catastrophic power failure. In addition, as vehicles age there is the chance that massive updates may be required that potentially harm hardware systems, Dharmawan says.
"In the worst case, there is a scenario that I can potentially see in the future that there is so much that needs to be updated that if the upgrade fails it may damage some of the components," says Dharmawan. "In the off chance that this happens, there should be a backup software that allows the car to operate at some minimum capacity so the car is still drivable but your radio doesn't work, for example. This type of practice has been implemented in the airline industry, as well as in the aerospace and defense industry.
"So, if for some reason your new firmware is unable to install, there's always a failsafe strategy, which is basically that the system will fall back to the original firmware from when the car comes out of the factory, and then it cannot be erased because it's part of the protected memory space," Dharmawan says. "That's a backup so you can actually fall back into that mode. These types of best practices in developing high-availability, reliable software and disaster recovery processes have been around for a long time, but this discipline needs to be applied in the automotive industry."
"What happens if power goes out?" asks Courville. "I need to be able to roll back and roll back safely. Vehicles are so interconnected today that if all of a sudden you had an inoperable infotainment system, I guarantee that it would not only be the infotainment system that had been affected. Chances are you'd see other ECUs or systems within the vehicle that could have been affected to the point where potentially your vehicle could be rendered non operational. So you start to have discussions about essentially having an image you can always fall back on, and having a secure way but also a very reliable way to make those software updates. (Editor's note: See Sidebar 1)
"There are some things that are very intuitive," Courville continues. "If I can update software incrementally instead of one big blob of software, that's obviously a lot safer, and depending on what's disabled in the vehicle, that's also much more convenient for the user."
"The solution should be designed with assumptions that connectivity will be lost, and power will be lost as well," Says Walter Buga, CEO, Arynga (www.arynga.com). "Arynga's CarSync is designed to accommodate that. It includes queuing capabilities for data delivery to vehicles, so if connection is lost the data stays in the queue, without the loss of data. The update process in vehicles includes multiple steps and recovery procedures in case of power or other failures, and the idea is the same – we will resume for a ‘lost' point and
OTA to V2X
Over-the-air update technology is key to realizing a truly connected car and paves the way for more advanced automotive architectures, including autonomous vehicles that will rely heavily on vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications to navigate tomorrow's roads. With pilot V2X implementations already underway (see www.densodynamics.com), industry and government are now innovating to accelerate the future of transportation.
"Now that vehicles are very fast becoming connected, all of a sudden it opens a window of possibilities," Courville says. "It opens the door to having more connected vehicles, convenient vehicles, safety comes into play, and V2V/V2I – or more generically V2X – and obviously those require vehicle connectivity, either to infrastructure or other vehicles. So there are a number of initiatives under way there.
"I was at a conference in July that had to do with vehicle connectivity, and a heavy focus on V2X, and it was everything from cellular modules to the frequency spectrum that's going to be allocated to V2X technology," he continues. "So there's a lot of discussion about that, but then a lot of discussion also about best practices. For all of this to come together there's a need for private industry as well as government as regulatory bodies to all work together and we're really starting to see that. You're starting to see trials out there and pilots. That's exactly what needs to happen."