
Secure Over-The-Air Updates For Autonomous Fleets

· 4 min read
Kajsa Lampa
Software Engineer

This blog post explains why Over-The-Air (OTA) updates are essential for autonomous vehicles: they enable remote software improvements and accelerate innovation. It details Einride's security-focused OTA solution, which provides secure software delivery, robust rollbacks and seamless management of the evolving vehicle environment, including OS agility and ADS stack evolution.


To unlock the full potential of autonomous vehicles, Over-The-Air (OTA) updates are essential. They enable remote deployments of improved software during the entire lifetime of the vehicle, which both accelerates engineering velocity and reduces customer wait times for new capabilities. Having navigated the complexities of OTA implementation as a software provider, vehicle manufacturer, and fleet operator, we decided to build our own robust, cyber-security-centric OTA update solution using state-of-the-art technologies.

A Multi-Layered Security Approach

The OTA update mechanism presents several security challenges that require careful consideration at each stage: an attacker who compromises any single step, from the build to the installation on the vehicle, can undermine the rest. A holistic approach to security throughout the entire process is therefore crucial.

Secure Software Delivery

As a software provider and fleet operator, Einride must ensure that authentic software updates are delivered securely to the correct vehicle. This starts with cryptographically signing all software components and uploading them to a central software registry. Deployments are scheduled in our fleet management system, where we use fine-grained authorization to ensure that users are authenticated and permitted to create deployments for specific vehicles. To prevent man-in-the-middle attacks, the vehicle verifies the update server's identity before update packages are delivered over an encrypted communication channel. As a final step, software components are cryptographically verified on the vehicle to ensure that the software is authentic and has not been tampered with; because this check runs on the vehicle itself, a compromised transport or registry cannot inject code that the signing key did not sign. To strengthen our cryptographic key management, we automate key generation and key rotation and adhere to the principle that private keys and certificates never leave their designated machines.
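As an added example (not Einride's code), here is the end-to-end check that such a pipeline rests on, in Go using only the standard library's Ed25519: the signing host signs a manifest describing one component, and the vehicle verifies the signature with a pinned public key, checks that the manifest is for its hardware and newer than what is installed, and only then checks the artifact's digest. The manifest fields, the hardware identifier, the version counter and the sample artifact are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one signed software component. The field set is an
// assumption for this example, not Einride's actual manifest format.
type Manifest struct {
	Component string `json:"component"`
	Version   uint64 `json:"version"`  // monotonic counter, used to reject downgrades
	Hardware  string `json:"hardware"` // computer model the image was built for
	SHA256    string `json:"sha256"`   // hex digest of the artifact bytes
}

// SignManifest runs on the signing host. The private key never leaves it;
// only the serialized manifest and its detached signature are published.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (payload, sig []byte, err error) {
	payload, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyUpdate runs on the vehicle with the pinned public key. The signature
// is checked over the exact bytes received, before anything is parsed, so a
// manifest altered in the registry or on the wire is rejected regardless of
// how it got there.
func VerifyUpdate(pub ed25519.PublicKey, payload, sig, artifact []byte,
	hardware string, installedVersion uint64) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, payload, sig) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(payload, &m); err != nil {
		return m, fmt.Errorf("manifest malformed: %w", err)
	}
	if m.Hardware != hardware {
		return m, fmt.Errorf("manifest targets %q, this computer is %q", m.Hardware, hardware)
	}
	// A validly signed but older manifest is still an attack (a forced
	// downgrade to a version with known bugs), so newer-than-installed is required.
	if m.Version <= installedVersion {
		return m, fmt.Errorf("version %d is not newer than installed %d", m.Version, installedVersion)
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("artifact digest does not match signed manifest")
	}
	return m, nil
}

func main() {
	// In production the key pair is generated and kept on the signing host.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed stand-in for an OS image") // constructed sample input
	sum := sha256.Sum256(artifact)
	payload, sig, err := SignManifest(priv, Manifest{
		Component: "os-image", Version: 42, Hardware: "compute-gen2",
		SHA256: hex.EncodeToString(sum[:]),
	})
	if err != nil {
		panic(err)
	}
	_, err = VerifyUpdate(pub, payload, sig, artifact, "compute-gen2", 41)
	fmt.Println("genuine update:", err)
	artifact[0] ^= 0x01 // flip one bit, as a tampering transport would
	_, err = VerifyUpdate(pub, payload, sig, artifact, "compute-gen2", 41)
	fmt.Println("tampered artifact:", err)
}
```

Verifying over the received bytes rather than over a re-serialized struct avoids canonicalization mismatches between signer and verifier. The TLS channel adds server authentication and confidentiality on top, but the vehicle's trust in the code rests on the signature, not on the channel.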

Robust and Resilient Rollbacks

To ensure reliable and fail-safe OTA updates of the operating system, we use A/B system updates. A/B updates use two system partitions, referred to as A and B: an active partition currently in use and an inactive one ready for updates. When a new update is available, it is applied to the inactive partition, leaving the active partition undisturbed so that vehicle operation is uninterrupted during the download and installation phase. At the following reboot, the bootloader switches to the updated partition, and validation checks run to ensure that the system is operational. If the new system fails to boot or fails validation, the bootloader falls back to the previous, known-good partition. The rollback mechanism ensures that operations can continue without intervention even in the rare case that an update should fail.
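To make the rollback logic concrete, here is an added example (not Einride's bootloader or updater code) in Go that simulates the slot metadata a bootloader keeps for A/B updates and the decision it makes at every power-on: a newly installed slot gets a limited number of boot attempts, the OS confirms the slot only after its validation checks pass, and once the attempts are used up the bootloader marks the slot unbootable and falls back to the previously confirmed one. The slot fields, the limit of three tries and the validation callback are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// maxTries is how many boot attempts an unconfirmed slot gets before the
// bootloader gives up on it. The value is an assumption for this example.
const maxTries = 3

// Slot is the per-partition metadata the bootloader consults. The layout is
// modelled on common A/B schemes, not on Einride's actual bootloader.
type Slot struct {
	Name       string
	Version    uint64
	Bootable   bool // a verified image is installed
	Successful bool // the OS in it has passed its validation checks at least once
	TriesLeft  int  // remaining boot attempts while Successful is still false
}

// BootControl holds both slots and which one the bootloader should try first.
type BootControl struct {
	Slots  [2]Slot
	Active int
}

// NewBootControl models a vehicle running a validated version in slot A.
func NewBootControl(installed uint64) *BootControl {
	return &BootControl{
		Slots:  [2]Slot{{Name: "A", Version: installed, Bootable: true, Successful: true}, {Name: "B"}},
		Active: 0,
	}
}

// StageUpdate is what the updater does after the new image has been written
// to, and verified in, the inactive slot: mark it bootable on trial and make
// it the bootloader's first choice at the next reboot. The running slot is untouched.
func (bc *BootControl) StageUpdate(version uint64) int {
	inactive := 1 - bc.Active
	bc.Slots[inactive] = Slot{Name: bc.Slots[inactive].Name, Version: version, Bootable: true, TriesLeft: maxTries}
	bc.Active = inactive
	return inactive
}

// NextBoot is the bootloader's decision at power-on. An unconfirmed slot
// consumes one try per attempt; once its tries are exhausted the bootloader
// marks it unbootable and falls back to the other slot, which must have been
// confirmed good in the past.
func (bc *BootControl) NextBoot() (int, error) {
	s := &bc.Slots[bc.Active]
	if s.Bootable && s.Successful {
		return bc.Active, nil
	}
	if s.Bootable && s.TriesLeft > 0 {
		s.TriesLeft--
		return bc.Active, nil
	}
	other := 1 - bc.Active
	if o := bc.Slots[other]; o.Bootable && o.Successful {
		s.Bootable = false // never retry a slot that has used up its attempts
		bc.Active = other
		return other, nil
	}
	return -1, errors.New("no bootable slot")
}

// MarkSuccessful is called by the booted OS once its validation checks pass;
// until then the bootloader keeps counting tries.
func (bc *BootControl) MarkSuccessful() { bc.Slots[bc.Active].Successful = true }

// BootUntilStable simulates repeated power cycles. healthy stands in for the
// post-boot validation checks and returns false for a broken image.
func BootUntilStable(bc *BootControl, healthy func(Slot) bool) (Slot, []string, error) {
	var log []string
	for i := 1; i <= 2*maxTries+2; i++ {
		idx, err := bc.NextBoot()
		if err != nil {
			return Slot{}, log, err
		}
		s := bc.Slots[idx]
		if healthy(s) {
			bc.MarkSuccessful()
			log = append(log, fmt.Sprintf("boot %d: slot %s v%d validated", i, s.Name, s.Version))
			return bc.Slots[idx], log, nil
		}
		log = append(log, fmt.Sprintf("boot %d: slot %s v%d failed validation, rebooting", i, s.Name, s.Version))
	}
	return Slot{}, log, errors.New("system did not stabilize")
}

func main() {
	bc := NewBootControl(1)
	bc.StageUpdate(2)
	// Constructed scenario: the v2 image is broken and never passes validation.
	final, log, err := BootUntilStable(bc, func(s Slot) bool { return s.Version != 2 })
	for _, line := range log {
		fmt.Println(line)
	}
	fmt.Printf("running slot %s v%d (err=%v)\n", final.Name, final.Version, err)
}
```

In a real system the slot metadata must live where the bootloader writes it and the OS can only confirm it, so that a partially booted system cannot mark itself good. Falling back to the previous partition is not a downgrade in the security sense: that image was signed, installed and validated earlier, whereas a downgrade attack would try to deliver an old image through the update path, which the delivery checks reject.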

The Evolving Vehicle Environment

An autonomous vehicle is a complex environment, consisting of a wide range of computers, sensors and ECUs that all require recurring firmware, software and configuration updates. As a vehicle fleet may span multiple generations of hardware and software, orchestrating updates across all of these components becomes a cornerstone of a solid update strategy.

Operating System Agility

At Einride, we build a custom embedded Linux distribution. The base image is compatible with a variety of computer models and CPU architectures, with the possibility of overlaying feature-specific functionality on top. This allows a small team to support a wide range of hardware that can take on a wide range of roles in the vehicle. It also lets us tailor the networking setup for private and secure communication, centralize application-level functions like telemetry, connectivity and authentication, and perform additional system hardening to comply with our extensive security framework. OTA updates enable us to distribute an OS tailored to the needs of our vehicles and to roll out security patches promptly when needed.

Intelligent ADS Stack Evolution

At Einride, we have developed a custom Automated Driving System stack that utilizes machine-learning algorithms and incorporates applications for perception, motion control, and localization. The stack also includes configurations and calibrations for peripheral devices that are automatically applied at runtime, reducing tedious and time-consuming work. Through OTA updates, Einride can implement incremental changes to continuously optimize performance, enhance capabilities, and expand our operational design domain.

Summary

Secure and robust OTA updates, implemented at all levels, are crucial to operating at the forefront of automated driving technology. Einride Autonomous has software technology at its core, leveraging the latest technology to provide a secure, extendable and maintainable platform for R&D engineers, operators and customers alike.