Secure and Lightweight ECU Attestations for Resilient Over-the-Air Updates in Connected Vehicles
Recent automotive standards and regulations define requirements for over-the-air (OTA) software updates as a mandatory mitigation mechanism to secure the increasingly connected vehicles against future cyberthreats in a timely manner. Targeting these requirements, we design, prototypically implement, and evaluate a novel security concept aimed at securing the in-vehicle processes participating in the OTA update process. It is designed as a complementary security measure to further harden already in-place secure update distribution mechanisms and is compliant with recent automotive standards and regulations. Its security is bootstrapped from the secure interlocking of two trusted computing technologies: the Trusted Platform Module 2.0 (TPM 2.0) as the overall hardware trust anchor within the vehicle and the Device Identifier Composition Engine (DICE) for securely bootstrapping the resource-constrained controllers. Our concept allows the controllers to report their currently running software version to the TPM 2.0 in a secure and lightweight way. Depending on the controllers' software state, the TPM 2.0 may authorize the transition of the vehicle from an update-ready state back to the fully-functional drive mode, e.g., after an OTA software update was successfully installed.
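As an added illustration (not code from the paper, which does not specify its message formats), the following Python sketch models the binding the abstract relies on: a DICE-style Compound Device Identifier derived from the firmware actually running, used to authenticate the controller's version report, and a verifier standing in for the TPM 2.0 policy that releases drive mode only when every controller reports approved software. The UDS values, firmware images and the symmetric HMAC report scheme are constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed sample data (placeholders, not values from the paper): the
# per-controller Unique Device Secret provisioned at manufacturing, and the
# firmware digests approved for the fully-functional drive mode.
UDS = {"brake_ecu": b"uds-brake-0001", "engine_ecu": b"uds-engine-0001"}
APPROVED = {
    "brake_ecu": {sha256(b"brake-fw-v2.1")},
    "engine_ecu": {sha256(b"engine-fw-v3.0")},
}


def derive_cdi(uds: bytes, fw_digest: bytes) -> bytes:
    """DICE Compound Device Identifier: CDI = HMAC(UDS, H(firmware)).
    Any change to the firmware changes the CDI, and the UDS itself is
    never exposed to the firmware layer."""
    return hmac.new(uds, fw_digest, hashlib.sha256).digest()


def ecu_report(name: str, firmware: bytes, claimed: Optional[bytes] = None) -> dict:
    """Controller side: report the firmware digest, authenticated with a key
    derived from the CDI of the code actually running. `claimed` lets a test
    model a tampered controller that lies about its digest."""
    actual = sha256(firmware)
    key = derive_cdi(UDS[name], actual)          # bound to the real image
    digest = actual if claimed is None else claimed
    tag = hmac.new(key, name.encode() + digest, hashlib.sha256).digest()
    return {"ecu": name, "digest": digest, "tag": tag}


def verify_report(report: dict) -> bool:
    """Verifier side (stand-in for the TPM 2.0 policy): recompute the key
    from the provisioned UDS and the *claimed* digest. A controller running
    different code holds a different CDI, so its tag will not verify."""
    name, digest = report["ecu"], report["digest"]
    if name not in UDS or digest not in APPROVED.get(name, set()):
        return False
    expected = hmac.new(derive_cdi(UDS[name], digest),
                        name.encode() + digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, report["tag"])


def authorize_drive_mode(reports: list) -> bool:
    """Leave the update-ready state only if every known controller delivered
    a valid report of approved software."""
    verified = {r["ecu"] for r in reports if verify_report(r)}
    return verified == set(APPROVED)
```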