--- /dev/null
+---
+title: Update (Over The Air)
+---
+
+Updating applications and firmware is essential for the development of new
+features and even more to fix security bugs. However, if a malicious third party
+manages to alter the content during transport, it could alter the functioning of
+the system and/or applications. The security of the updates is therefore a
+critical point to evaluate in order to guarantee the integrity, the
+confidentiality and the legitimacy of the transmitted data.
+
+## Attack Vectors
+
+Updates Over The Air are one of the most common points where an attacker will
+penetrate. An OTA update mechanism is one of the highest threats in the system.
+If an attacker is able to install his own application or firmware on the system,
+he can get the same level of access that the original application or firmware
+had. From that point, the intruder can get unfettered access to the rest of the
+system, which might include making modifications, downloading other pieces of
+software, and stealing assets.
+
+### Man In The Middle (MITM)
+
+The man-in-the-middle attack is the most classic example of an attack, where an
+adversary inserts himself between two communicating entities and grabs whatever
+is being communicated. In the case of OTA attacks, the connection in the network
+may be intercepted:
+
+* On the internet, before the cloud back-end.
+* At the base station, 3G,4G,5G connection to the internet.
+* At the receiving antenna, connection to the car.
+* Between the receiving antenna and the gateway router (if present), connection
+ within the car.
+* Between the gateway router and the target component (IVI, In-Vehicle
+ Infotainment unit).
+
+There are many ways to mount a MITM attack. For example, proxy tools like Burp
+Proxy can be used to intercept web traffic as a man-in-the-middle. Under the
+guise of being a testing tool, the proxy server is often used in attack
+scenarios. It runs on a variety of platforms.
+
+As another example, false base station attacks are known to be fairly easy to
+set-up. The problem is apparently fairly prevalent in countries like China and
+in the UK. These fake base stations are sometimes just eavesdropping on the
+communication, but others have the potential to do serious harm.
+
+Defenses against MITM attacks include encrypted and signed data pipes.
+Furthermore, architects and developers are also recommended to encrypt and sign
+the payloads that are being passed over these pipes, to defend against perusal
+of the data.
+
+### Man At The End (MATE)
+
+The man-at-the-end attack is when an intruder analyzes the end-point of the
+communication when software is accessing the data communication. This is a more
+severe attack type where the attacker can:
+
+* Steal keys.
+ * For example, a simple debugging session in running software could reveal a
+ key used in memory.
+* Tamper software.
+ * For example, replacing just one function call in software with a NOP (i.e.
+ no operation) can drastically change the behavior of the program.
+* Jam branches of control.
+ * For example, making a program take one branch of control rather than the
+ intended branch can mean the difference between an authorized and a
+ non-authorized installation.
+* Modify important data.
+ * For example, if the data changed is a key or data leading to a control path,
+ then this attack can be severe.
+ * In the case of OTA updates, MATE attacks are particularly problematic for
+ the system. One of the consequences of MATE attacks can be installed
+ software that allows installation of any other software. For example, an
+ attacker might install remote access software to control any part of the
+ system.
+
+--------------------------------------------------------------------------------
+
+## Acronyms and Abbreviations
+
+The following table lists the terms utilized within this part of the document.
+
+Acronyms or Abbreviations | Description
+------------------------- | -------------------------------------------------------------------------
+_FOTA_ | **F**irmware **O**ver **T**he **A**ir
+_MATE_ | **M**an **A**t **T**he **E**nd
+_MITM_ | **M**an **I**n **T**he **M**iddle
+_OTA_ | **O**ver **T**he **A**ir
+_SOTA_ | **S**oftware **O**ver **T**he **A**ir
+_TUF_ | **T**he **U**pdate **F**ramework
+
+# Firmware Over The Air
+
+The firmware update is critical since its alteration back to compromise the
+entire system. It is therefore necessary to take appropriate protective
+measures.
+
+AGL includes the _meta-updater_ Yocto layer that enables OTA software updates
+via [Uptane](https://uptane.github.io), an automotive-specific extension to [The
+Update Framework](https://theupdateframework.github.io/). Uptane and TUF are
+open standards that define a secure protocol for delivering and verifying
+updates even when the servers and network--internet and car-internal--aren't
+fully trusted.
+
+_meta-updater_ includes the application
+[`aktualizr`](https://github.com/advancedtelematic/aktualizr), developed
+Advanced Telematic Systems (now part of HERE Technologies) that enables OTA for
+an ECU. `aktualizr` combined with Uptane is suitable for updating the firmware,
+software, and other packages on even functionally critical ECUs. `aktualizr` can
+be enabled with the free, open souce backend
+[`ota-community-edition`](https://github.com/advancedtelematic/ota-community-edition).
+
+This FOTA update mechanism can be enabled through the `agl-sota` feature.
+
+## Building
+
+To build an AGL image that uses `aktualizr`, the following can be used.
+
+```
+source meta-agl/scripts/aglsetup.sh -m <machine> agl-sota <other-features...>
+```
+
+During the build, _meta-updater_ will use credentials downloaded from
+`ota-community-edition` to sign metadata verifying the build as authentic. These
+signatures are part of the Uptane framework and are used to verify FOTA updates.
+
+## Atomic Upgrades with Rollbacks
+
+`aktualizr`'s primary method of updating firmware is to use `libostree` with
+binary diffs. The binary diffs use the least amout of bandwidth, and by it's
+nature `libostree` stores current and previous firmware versions on disk or in
+flash memory to allow for rollbacks.
+
+`libostree` is a content addressable object store much like `git`. Versions are
+specified via SHA2-256. These hashes are signed in the Uptane metadata and are
+robust against cryptographic compromise.
+
+# Software Over The Air
+
+Software updates in connected vehicles are a very useful feature, which can
+deliver significant benefits. If not implemented with security in mind, software
+updates can incur serious vulnerabilities. Any software update system must
+ensure that not only are the software updates to devices done in a secure way,
+but also that the repositories and servers hosting these updates are adequately
+protected. As the process of updating software migrates from a Dealership update
+model towards an **OTA** update model, securing these processes becomes a high
+priority.
+
+**SOTA** is made possible by **AppFw** (See Platform part). It will be possible
+to manage in a simple way the packets (i.g. Android like).
+
+Domain | Improvement
+------------- | -----------------
+Update-SOTA-1 | Part to complete.
\ No newline at end of file
Code Review / AGL / documentation.git / blobdiff