Assuring Vehicle Update Integrity Using Asymmetric Public Key Infrastructure (PKI) and Public Key Cryptography (PKC) 11-02-02-0013

Over the past forty years, the Electronic Control Unit (ECU) technology has grown in both sophistication and volume in the automotive sector, and modern vehicles may comprise hundreds of ECUs. ECUs typically communicate via a bus-based network architecture to collectively support a broad range of safety-critical capabilities, such as obstacle avoidance, lane management, and adaptive cruise control. However, this technology evolution has also brought about risks: if ECU firmware is compromised, then vehicle safety may be compromised. Recent experiments and demonstrations have shown that ECU firmware is not only poorly protected but also that compromised firmware may pose safety risks to occupants and bystanders. While there have been no known instances of ECU firmware tampering on consumer vehicles outside of controlled academic or security research, and other work has been done to separate and compartmentalize ECUs, the security risks of unprotected ECU firmware must be addressed, especially as additional ECUs are developed to enable Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2X), and automated driving functionalities. To this end, we propose an asymmetric key-based infrastructure for signing and validating ECU firmware leveraging the existing federation in the vehicle component manufacturing space that exists between major automotive manufacturers and their major suppliers (“Tier-1 Suppliers”). Verification of firmware integrity occurs at ECU boot as well as during firmware updates. We developed a software implementation to demonstrate the feasibility of the approach and its resistance to certain types of attacks. Lastly, we performed an analysis of the scheme’s possible attack surface, demonstrating how our proposal can enhance the current state of the art in ECU firmware integrity.