If you’ve been following along with our WP.29 series, then you are already familiar with the WP.29 Regulation Structure and WP.29 Requirements & OTA Considerations. If not, we advise you to take a moment to get up to speed. For this fourth installment, we will be focusing on Uptane, the open source cybersecurity framework for OTA software updates, which is leveraged in Sibros' solutions and by many other companies that seek to protect remote software updates for a wide variety of devices and machines.
Uptane was developed with the automotive industry in mind and is capable of safeguarding OTA (over-the-air) software updates from the highest degree of manipulation and hacking. In the event of a security breach, its multiple access levels function to prevent a system-wide failure.
To shed more light on how Uptane meets key WP.29 cybersecurity management system requirements, we brought in Justin Cappos, NYU Professor and a founding member of Uptane.
WP.29 requirements state that a process must be in place to keep updates secure and prevent manipulation before rollout.
Uptane satisfies this requirement with what is referred to as a “separation of trust.” This means even if a hacker manages to get past a firewall, they will not have access to the entire system. “The image repository inside of Uptane does not contain a key that is trusted to sign updates,” says Cappos. Instead, the system must be entered from multiple points to have full access to the stored updates.
This differs from other existing solutions, where compromising a single key gives a hacker access to the entire server and its images. To prevent software manipulation, Uptane takes its security processes a step further with threshold signing. “It’s not just a single key from a single vendor or person that needs to be compromised.” Any modifications to stored software require multiple sign-in points and approval signatures.
For update delivery processes, WP.29 requires a compromise-resistant system that blocks malicious attempts to deliver updates that are unapproved or tampered with.
“This is really core to what Uptane does,” states Cappos. “Updates do not only get authorized by a company that is running the update infrastructure.” Additional signatures of approval are required before an update can be delivered, from parties such as suppliers, manufacturers, directors, and even third-party vendors. For hackers to succeed, they must simultaneously break into multiple security levels to initiate the approval systems; otherwise, the update will fail to send.
Not having a multilevel cybersecurity system in place leaves OEMs and OTA (over-the-air) software solutions vulnerable to malicious attacks.
“There have been literally dozens of situations where attackers have broken into all sorts of different parts of systems like this and tampered with updates.” According to Cappos, nation-state actors are one of the main problems faced by the automotive industry. These are people who want to cause harm on a wide scale. “We’ve seen countries go after each other and cause all sorts of damage, and when you have something like automotive hacking, it’s such a huge risk.”
Breaking into a server that holds a single online key is not that difficult. Therefore, Uptane focuses on multilevel security and pre-emptive thinking. It includes a second repository, which divides responsibility for verification. This director repository uses online keys to initiate updates. It works in conjunction with the image repository, which uses offline keys to sign its metadata, so that a compromise of the online director keys alone cannot push an image the image repository never signed.
The next WP.29 requirement demands that software update authenticity and integrity remain protected.
“We use cutting edge cryptographic algorithms, which have been very heavily reviewed and are used pervasively across everything,” Cappos confirms. These are the same types of algorithms used to protect bank transactions and other sensitive data. Uptane utilizes a strong combination and configuration of these to guard specifically against software update attacks.
Uptane’s compromise-resilient structure is based on a project called TUF (The Update Framework). It functions under the assumption that attackers will eventually find a flaw through which they can compromise part of the system. Uptane leaves room for human error by incorporating multiple layers of security. If one wall falls, there is another behind it to prevent any single attack from leading to a complete system failure.
Under WP.29 regulations, software version numbers must remain unchangeable except by authorized parties and only during a relevant software update.
“That requirement is easy for Uptane because, from an update standpoint, that means only using Uptane,” Cappos explains. Uptane is designed to work on its own; coupling it with any other type of software update management system compromises the integrity of the solution, leaving it open to vulnerabilities.
Uptane requires all software version updates to be signed by multiple authorized parties. This involves the use of both offline and online keys, the most sensitive of which are kept offline. If a specific key becomes compromised, Uptane has implicit and explicit mechanisms in place for easy revocation and replacement. For consistency and verification compliance, Uptane retains a record of all original signatures.
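The client-side checks described above (threshold signatures, the director and image repositories having to agree on the same image, and metadata version numbers that cannot go backwards), as an added illustrative example that is not part of this article or of the Uptane project's own code. It assumes a constructed HMAC stand-in for real asymmetric signatures, and the key ids, secrets and metadata are made up.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a public-key signature: an HMAC under a per-signer
# secret. Real Uptane metadata is signed with asymmetric keys (e.g. Ed25519);
# the threshold and cross-repository logic below is the same either way.
def sign(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()
def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
def make_metadata(signed, signers):
    payload = canonical(signed)
    return {"signed": signed, "signatures": {kid: sign(sec, payload) for kid, sec in signers}}

def valid_signature_count(meta, trusted):
    """Count distinct trusted key ids whose signature over the metadata verifies."""
    payload = canonical(meta["signed"])
    return sum(1 for kid, sig in meta["signatures"].items()
               if kid in trusted and hmac.compare_digest(sign(trusted[kid], payload), sig))

def verify_update(director, image, roots, last_director_version):
    """Client-side check: enough valid signatures on each repository's metadata
    (online director keys, offline image keys), no rollback of the director
    metadata version, and both repositories naming the same hash and length."""
    for name, meta in (("director", director), ("image", image)):
        keys, threshold = roots[name]
        if valid_signature_count(meta, keys) < threshold:
            return f"reject: {name} metadata below signature threshold"
    if director["signed"]["version"] < last_director_version:
        return "reject: director metadata version rolled back"
    for target, want in director["signed"]["targets"].items():
        have = image["signed"]["targets"].get(target)
        if have is None or have["hash"] != want["hash"] or have["length"] != want["length"]:
            return f"reject: repositories disagree on {target}"
    return "accept"

# Constructed sample: three offline image-repository keys (threshold 2), one online director key.
IMAGE_KEYS = {"img-a": b"secret-a", "img-b": b"secret-b", "img-c": b"secret-c"}
DIRECTOR_KEYS = {"dir-1": b"secret-d"}
ROOTS = {"director": (DIRECTOR_KEYS, 1), "image": (IMAGE_KEYS, 2)}
FW = {"hash": hashlib.sha256(b"constructed firmware image").hexdigest(), "length": 26}
def good_image():
    return make_metadata({"version": 7, "targets": {"ecu-fw.bin": FW}}, [("img-a", b"secret-a"), ("img-b", b"secret-b")])
def good_director():
    return make_metadata({"version": 42, "targets": {"ecu-fw.bin": FW}}, [("dir-1", b"secret-d")])
def tampered_director():
    """Director whose single online key points at an image the image repository never signed."""
    evil = {"hash": hashlib.sha256(b"attacker firmware").hexdigest(), "length": 17}
    return make_metadata({"version": 43, "targets": {"ecu-fw.bin": evil}}, [("dir-1", b"secret-d")])
```

Running `verify_update(tampered_director(), good_image(), ROOTS, 40)` shows the separation of trust in action: the director's online key alone verifies, but the update is rejected because the offline-signed image metadata never vouched for that hash.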
International Importance of Uptane & Sibros Solutions
When it comes to the international impact of WP.29 and other cybersecurity regulations, Cappos is optimistic: “I think that as a result of these, we’re likely to see better security as more automakers and vendors continue to adopt these requirements and move to systems like Uptane.”
No one wants to buy a car that can be hacked, and a lot of automakers don’t have the proper precautions in place to ensure driver safety. Common sense requirements, like GDPR, have already transformed privacy rights for people around the world in a positive way. WP.29 is the next natural step in ensuring a brighter and safer future for connected vehicles.
One area in which Cappos would like to see additional accountability is software security farther up the supply chain. It is one thing to provide a tool, but unless OEMs commit to following verification procedures and channels, that tool remains vulnerable to attacks.
This is why Sibros solutions include a safe rollout approach. Sibros trains its customers on best practices before fleetwide rollouts, including bench testing, company engineering, and vehicle testing. At Sibros, we advise OEMs how to create different vehicle groups with the appropriate approval authorities in place and how to identify issues in the lab before releasing updates.
To learn more about the Sibros Deep Connectivity Platform and how to prepare your company for the upcoming 2024 WP.29 compliance deadline, contact us to set up a demonstration.