Abstract
Modern cars host numerous special-purpose computing and connectivity devices facilitating the correct functioning of various in-vehicle systems. These devices host complex software systems with over 100 million lines of code, requiring regular and timely updates for functional and security improvements. Addressing the shortcomings of the legacy update system, the over-the-air (OTA) software update system has emerged as an efficient, cost-effective, and convenient solution for delivering updates to automobiles remotely. While OTA offers several benefits, it introduces new security challenges requiring immediate attention, as attackers can abuse these update systems to undermine vehicle security and safety. There are numerous studies investigating various aspects of automotive cybersecurity; however, security testing of automotive OTA has not been covered adequately, with most of the prior work primarily focusing on proposing improved techniques for securing automotive OTA updates. In order to ensure these update systems are effectively secure, a thorough security assessment needs to be performed. To the best of our knowledge, there is currently no study that proposes or employs a systematic security testing approach for evaluating the security of automotive OTA update systems. This study closes this gap by presenting an in-depth security evaluation of the Uptane framework, employing a structured threat analysis approach to construct attack trees and applying a model-based security testing approach to generate effective security test cases. We implement a software tool that generates the security test cases by analysing the structure of the attack trees and ultimately executes those test cases against the target system. We carry out several experimental attacks on the Uptane reference implementation.
While many of the experimental results showed that the reference implementation is secure against different threats and cyberattacks, some findings suggest that the implementation is vulnerable to denial-of-service and eavesdropping attacks.
Original language | English |
---|---|
Article number | 100468 |
Number of pages | 22 |
Journal | Vehicular Communications |
Volume | 35 |
Early online date | 18 Mar 2022 |
DOIs | |
Publication status | Published - Jun 2022 |
Bibliographical note
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Keywords
- Automotive OTA
- Automotive cybersecurity
- Automotive over-the-air
- Model-based security testing
- Threat modeling
- Uptane
ASJC Scopus subject areas
- Automotive Engineering
- Electrical and Electronic Engineering