Vehicles are becoming increasingly "intelligent," as seen in the development of advanced driver assistance systems (ADAS) and the introduction of autonomous driving, among other advancements.
Such intelligent vehicles are controlled by software, and a huge volume of software is being installed in them. That software needs to be updated promptly and safely.
For this purpose, Hitachi, Ltd., Hitachi Automotive Systems, Ltd. and Clarion Co., Ltd. have developed the "OTA (Over the Air) Software Update Technology" to update software in vehicles remotely and efficiently.
TERAOKA Hidetoshi
Senior Researcher
IDEGUCHI Kota
Senior Researcher
(Publication: April 27, 2017)
TERAOKA: It is a technology for updating software remotely through Over the Air (OTA) transmission. When it is applied to vehicles, the software update data is sent to vehicles from a data center called the "OTA Center." The data passes through the telecommunication equipment and the gateway inside the vehicle to the electronic control units (ECUs), which control the vehicle. The ECUs then update their software.
Conventionally, to update the software of an ECU in your vehicle, you had to contact your dealer or repair shop, bring the vehicle in and have the software updated. With the OTA Software Update Technology, the software update data is delivered to vehicles wirelessly, and vehicle users can update the software at home or anywhere else without having to go to their dealers or repair shops.
Figure 1: How OTA changes the way to update software
TERAOKA: In-vehicle software has become increasingly massive over recent years. This is due to such factors as the development of ADAS, represented by automatic braking, and the introduction of autonomous driving technologies. In this situation, maintaining and improving the quality of such software has become a big issue. However, users would find it inconvenient if they had to bring their vehicles to dealers each time the software needed to be updated to maintain and improve its quality. On the other hand, if they do not want to go to the trouble of bringing their vehicles to the dealers and the software is not updated, that may put the vehicle in danger. How can we improve such a situation? That was one of the triggers for this development.
IDEGUCHI: When vehicles are connected to networks, specific vehicles can be identified and accessed even from a remote location. This means a higher risk of cyberattacks. If vehicles are cyberattacked and made to operate abnormally, human lives are at stake. In 2015, the news that some vehicles produced by a certain automobile manufacturer had been hacked became a topic of discussion. I hear that, to address the issue, the manufacturer delivered media containing the software update data to each user. In the face of such a risk, automobile software must be updated as quickly as possible to keep vehicles secure. In this regard, updating software via OTA transmission is an extremely important technique.
TERAOKA: That's correct. Let's take a smartphone, for example. You buy a smartphone and, after some time, you notice that certain functions have been added to it that allow you to do something new. As for vehicles, the manufacturers' business has been to produce vehicles and sell them to users, and that was the end of the story. This has been the case to date. However, going forward they may want to add new functions after they have sold the vehicles. Such a new business model will enhance the added value of vehicles, and for this goal the OTA Software Update Technology can be utilized.
TERAOKA: There are largely three characteristics that are particular to vehicles. The first is the more stringent requirements for reliability. Vehicles may not be drivable if the software is not updated properly. Once they stop running, you cannot fix them easily. So reliability, including safety and security measures, is extremely important.
IDEGUCHI: The second is the very large number of ECUs incorporated in a vehicle. In a single vehicle there are several tens to around 100 ECUs that are subject to software updates. Each of these ECUs has different characteristics. For example, the ECU for engine control does not have much memory capacity, while the ECU for autonomous driving requires a lot of memory capacity as it incorporates many logic ICs. We need to take such differences in characteristics into account.
TERAOKA: The third is the difference in how the products are used. In the case of a smartphone, it is usually turned on around the clock and is available for communication at any time. In contrast, some people may drive their vehicles only on holidays. Some vehicles may be parked in underground parking lots where communication is not possible. If it takes a long time to update the software while the engine is off, the battery may go dead. Therefore, we have to shorten the time for updating software as much as possible to respond to a variety of usage situations.
IDEGUCHI: With regard to security, which matters for the reliability of vehicles, we listed all possible threats to security in the entire scheme from the OTA Center to the ECUs. Attackers may target anything they can, in any way they can, to cause harm. For example, they may tamper with communication data, or use fake servers to transmit wrong data to vehicles. In light of this situation, we worked to identify the important points and to what degree we have to protect them to ensure safety.
TERAOKA: In doing so, we used a method developed by Hitachi researchers to analyze automotive security. The method has become one of the standard methods in Japan used as a guideline. As such, we utilized what Hitachi has fostered to date, combining its know-how in applying security technologies to information systems and its knowledge in developing in-vehicle systems. By doing so, we determined what security measures should be taken for OTA software updates.
IDEGUCHI: In conclusion, we placed the essential security functions on the vehicle gateway, which bridges external networks and in-vehicle networks, in order to protect vehicles from attacks via a variety of external channels. The idea was to first protect security on an end-to-end basis between the OTA Center and the gateway and, based on this arrangement, provide multi-layered protection to enhance vehicle security. We set our policy by identifying which functions are needed where. In actually incorporating such functions, we designed them in a specific manner by taking into account the differences in the computation performance of ECUs, etc., as I mentioned with regard to the second characteristic.
TERAOKA: As for the third aspect, shortening the time for updating software, we have employed a technology called differential update. For rewriting software, the technology sends only the differences between the new updated program and the currently installed program, instead of sending the updated program as a whole. The technology is used for mobile phones as well, but we have developed our differential update technology so that it is tailored to the characteristics of ECUs, such as their limited memory capacity.
Figure 2: Threats to security for OTA Center to ECU and countermeasures
IDEGUCHI: We focused on ensuring security on an end-to-end basis, from the OTA Center to vehicles. We should never compromise on the security that governs safety.
TERAOKA: Hitachi has developed the entire system for the OTA Software Update Technology, from the OTA Center to the ECUs incorporated in vehicles. Technological development was conducted after clarifying what functions are needed for the respective parts and how the interfaces between the parts should be. Therefore, we can create what is optimal for each part. Since Hitachi has developed the entire system, we can take this approach.
IDEGUCHI: For telecommunications, we designed the system using lightweight cryptography and a lightweight cryptographic protocol, as the performance of the microcomputers used in in-vehicle systems is relatively low in general. Furthermore, we used a scheme that should reduce the load on the OTA Center, as millions of vehicles are connected to it.
TERAOKA: Of course, the OTA system can be built even if some parts are products of other companies. We work to use standard technologies and standard protocols as much as possible, so that we are able to check functions together with the respective vehicle manufacturers with only small customizations.
IDEGUCHI: We presented the OTA Software Update Technology at exhibitions for customers in 2015 and 2016, and it was well received. There were opinions that the technology integrates OTA and security and that it is good for Hitachi to take such initiatives.
TERAOKA: In 2015, we were still hearing opinions wondering about legal regulations and whether or not such a technology could be realized at all. In 2016, however, we saw changes in the mindset of people at vehicle manufacturers and in the questions they asked us. They now assumed that OTA software updates would be necessary, saying that they would have to do it and had better do it, and asking what they must do specifically to realize the technology. I felt the amount of expectation they had for Hitachi's OTA Software Update Technology.
TERAOKA: I have been involved in this project since its launch. As it covered the total system from the OTA Center to the vehicle ECUs, we made technical developments in coordination with many business divisions and affiliated companies, including the business divisions in charge of the center system, the business divisions producing ECUs and the business divisions that create communication modules. In this coordination, we in the laboratory had to see the entire system and, as the hub, provide support for what was hard for individual divisions to cover. In doing so, I myself visited various sections and frequently held discussions. Personally, I had never experienced such a way of working, and it made an impression on me.
At the exhibitions mentioned before, we demonstrated the system in its totality by connecting what the respective divisions and affiliated companies had created. The entire system was constructed nicely and operated well. The customers saw tangible things that actually operated, and gave us good feedback. This was particularly pleasing for me.
IDEGUCHI: For one, the technology must ensure security throughout the lifecycle of vehicles. A vehicle is designed, manufactured at a plant, driven for 10 to 20 years, and is finally scrapped or resold to be used in its second cycle. Security must be controlled over such a long span of time. If security is broken at any one point, it will pose a great danger. Therefore, it is important to manage the encryption keys and other security data used for communications throughout the lifecycle of a vehicle.
Moreover, if a vehicle is actually cyberattacked, countermeasures against the attack must be taken as quickly as possible. Technologies to do so are also needed. Hitachi already has such technologies and know-how in the information systems for public services and the financial industry. I would like to customize such technologies and know-how for automotive application, and develop the new technologies needed for that customization.
IDEGUCHI: As I already said, vehicles were actually hacked and it made the news. As such, security and OTA are hot topics indeed. Looking back, I had often been involved in what is classified as basic research. But now, in an era of significant change, I feel I am engaged in technologies related to such change. What I research will be practically applied in the very next step. That's what I really feel.
TERAOKA: In order to realize practical application of the OTA Software Update Technology, I hope to continue discussions with the respective divisions and affiliated companies as well as people from vehicle manufacturers, so that we can make the entire system even better.