Leveraging Over-The-Air Software Updates to Secure Connected Vehicles

With 146 million connected vehicles projected to take to the streets by 2030, automotive security is more important than ever.

(Image credit: NHTSA)
(Image credit: NHTSA)
John TuttleJohn Tuttle

With 146 million connected vehicles projected to take to the streets by 2030, automotive security is more important than ever. And as connected vehicles evolve and become more technologically advanced—requiring hundreds of millions of lines of software code to operate and power advanced features—the number of potential security threats will grow as well.

Fortunately, the automotive industry recognizes that consumer trust in vehicle and passenger safety and security is a shared interest and is collectively doubling down to ensure connected vehicles are well protected from cybersecurity attacks. New vehicle electrical architectures, multi-layer security approaches, real-time vehicle data collection, and most importantly the ability to quickly and reliably deliver over-the-air (OTA) software updates will be crucial to making this a reality for production vehicles starting with the 2020 model year.

Connected vehicles, if properly designed, are unique in that automakers can continually monitor vehicle status, detect security vulnerabilities as they arise, and quickly deliver appropriate counter-measures to mitigate security threats leveraging OTA software and firmware update technology. To fully leverage OTA updates in the automotive cybersecurity battle there’s several areas that must be carefully considered and provisioned for connected vehicles:


It’s critical that software code transferred between the vehicle and the cloud is exactly what was intended by the automaker, not altered versions introduced by unauthorized entities. For example, an entity with malicious intent may try to create new commands within existing software code that puts the vehicle at risk. Integrity ensures what the automaker intended to send to the vehicle is what was actually sent using industry-standard, digital signatures.


After an automaker has confirmed the integrity of the vehicle’s intended codebase, authenticity protects the vehicle from the installation of unauthorized software. Only software that has been digitally signed by the automaker and verified against the manufacturer’s trust roots should be allowed to be installed in the vehicle.


Intellectual property (IP) is the bloodline of any company’s value creation because it enables product differentiation versus the competition — and competition in the automotive industry is particularly fierce. Confidentiality protects software code IP from being accessed and stolen by unauthorized entities with encryption using industry-standard, high-strength cryptography.


Availability guarantees the transmission of software from the vehicle to the cloud occurs as planned in an efficient, reliable, and highly-scaled manner. This includes the provisioning of highly available supporting infrastructure, real-time anomaly detection and reporting, continuous back-end network traffic monitoring to identify suspicious activity, and active defense of the end-to-end vehicle to cloud network perimeter.

Effective cybersecurity measures are critical for the increasingly connected transportation industry, and secure OTA is central to enabling a robust defense-in-depth approach to vehicle security. Working together, automakers and suppliers are designing and deploying highly-secure vehicle systems and components to ensure consumer peace of mind when it comes to addressing cybersecurity threats and maximizing the potential of future advancements in advanced driver assistance systems (ADAS), vehicle-to-everything (V2X) solutions, and the eventual realization of fully autonomous driving.

John Tuttle is Vice President of Engineering at Airbiquity

More in Cybersecurity