Updating applications and firmware is essential for the development of new features and even more to fix security bugs. However, if a malicious third party manages to alter the content during transport, it could alter the functioning of the system and/or applications. The security of the updates is therefore a critical point to evaluate in order to guarantee the integrity, the confidentiality and the legitimacy of the transmitted data.

Attack Vectors

Updates Over The Air (OTA) are one of the most common points where an attacker will penetrate. An OTA update mechanism is one of the highest threats in the system. If an attacker is able to install his own application or firmware on the system, he can get the same level of access that the original application or firmware had. From that point, the intruder can get unfettered access to the rest of the system, which might include making modifications, downloading other pieces of software, and stealing assets.

Man In The Middle (MITM)

The man-in-the-middle attack is the most classic example of an attack, where an adversary inserts himself between two communicating entities and grabs whatever is being communicated. In the case of OTA attacks, the connection in the network may be intercepted:

There are many ways to mount a MITM attack. For example, proxy tools like Burp Proxy can be used to intercept web traffic as a man-in-the-middle. Under the guise of being a testing tool, the proxy server is often used in attack scenarios. It runs on a variety of platforms.

As another example, false base station attacks are known to be fairly easy to set-up. The problem is apparently fairly prevalent in countries like China and in the UK. These fake base stations are sometimes just eavesdropping on the communication, but others have the potential to do serious harm.

Defenses against MITM attacks include encrypted and signed data pipes. Furthermore, architects and developers are also recommended to encrypt and sign the payloads that are being passed over these pipes, to defend against perusal of the data.

Man At The End (MATE)

The man-at-the-end attack is when an intruder analyzes the end-point of the communication when software is accessing the data communication. This is a more severe attack type where the attacker can:

Acronyms and Abbreviations

The following table lists the terms utilized within this part of the document.

Acronyms or Abbreviations Description
FOTA Firmware Over The Air
MATE Man At The End
MITM Man In The Middle
OTA Over The Air
SOTA Software Over The Air
TUF The Update Framework

Firmware Over The Air

The firmware update is critical since its alteration back to compromise the entire system. It is therefore necessary to take appropriate protective measures.

AGL includes the meta-updater Yocto layer that enables OTA software updates via Uptane, an automotive-specific extension to The Update Framework. Uptane and TUF are open standards that define a secure protocol for delivering and verifying updates even when the servers and network--internet and car-internal--aren't fully trusted.

meta-updater includes the application aktualizr, developed Advanced Telematic Systems (now part of HERE Technologies) that enables OTA for an ECU. aktualizr combined with Uptane is suitable for updating the firmware, software, and other packages on even functionally critical ECUs. aktualizr can be enabled with the free, open souce backend ota-community-edition.

This FOTA update mechanism can be enabled through the agl-sota feature.


To build an AGL image that uses aktualizr, the following can be used.

source meta-agl/scripts/aglsetup.sh -m <machine> agl-sota <other-features...>

During the build, meta-updater will use credentials downloaded from ota-community-edition to sign metadata verifying the build as authentic. These signatures are part of the Uptane framework and are used to verify FOTA updates.

Atomic Upgrades with Rollbacks

aktualizr's primary method of updating firmware is to use libostree with binary diffs. The binary diffs use the least amout of bandwidth, and by it's nature libostree stores current and previous firmware versions on disk or in flash memory to allow for rollbacks.

libostree is a content addressable object store much like git. Versions are specified via SHA2-256. These hashes are signed in the Uptane metadata and are robust against cryptographic compromise.

Software Over The Air

Software updates in connected vehicles are a very useful feature, which can deliver significant benefits. If not implemented with security in mind, software updates can incur serious vulnerabilities. Any software update system must ensure that not only are the software updates to devices done in a secure way, but also that the repositories and servers hosting these updates are adequately protected. As the process of updating software migrates from a Dealership update model towards an OTA update model, securing these processes becomes a high priority.

SOTA is made possible by AppFw (See Platform part). It will be possible to manage in a simple way the packets (i.g. Android like).

Domain Improvement
Update-SOTA-1 Part to complete.