Secure and Lightweight ECU Attestations for Resilient Over-the-Air Updates in Connected Vehicles

Recent automotive standards and regulations define requirements for over-the-air (OTA) software updates as a mandatory mitigation mechanism to secure the increasingly connected vehicles against future cyberthreats in a timely manner. Targeting these requirements, we design, implement, and evaluate a novel security concept targeted at securing the in-vehicle processes participating in the OTA update process. It is designed as complementary security measure to further harden already in-place secure update distribution mechanisms and is compliant to recent automotive standards and regulations. Its security is bootstrapped from the secure interlocking of two trusted computing technologies: The Trusted Platform Module 2.0 (TPM 2.0) as overall hardware trust anchor within the vehicle and the Device Identifier Composition Engine (DICE) for securely bootstrapping the resource constrained controllers. Our concept allows the controllers to report their currently running software version to the TPM 2.0 in a secure and lightweight way. Depending on the controllers’ software state, the TPM 2.0 may authorize to transition the vehicle from an update-ready state back to the fully functional drive mode, e.g., after an OTA software update was successfully installed.