OTA software updates, delivered over a cellular network, Wi-Fi, or other radio frequency- (RF-) based methods, provide vehicle manufacturers with a way to fix bugs as well as launch new or updated features and functions—without requiring a dealer visit. The current driver for OTA updates is currently related to security, but this will shift over time to support purchasing and other features.
OTA updates are relevant for all vehicles but, in particular, electric vehicles (EVs). In fact, EV manufacturers often tout their updates when they market their vehicles. According to Loup Ventures, a research-driven venture capital firm, Tesla, which in 2012 was the first car company to utilize OTA updates, stands well above legacy carmakers in its use of this technology. The firm gives Tesla an A grade for updates that impact key areas of vehicle performance, such as battery range, braking and acceleration, and autonomous systems. While Tesla has, from the very start, built into its vehicle systems its electrification, connectivity, and autonomous functions, other vehicle manufacturers are a few years behind, based on the Loup Ventures study. This kind of forward thinking allows EV makers like Tesla to tailor vehicle performance for regional markets, something that’s near impossible for a traditional vehicle.
As vehicles have evolved, carmakers employing software engineers is a fairly new trend. The automotive supply chain has always had a substantial software development requirement. To be sure, many carmakers continue to rely on off-the-shelf or third-party components and are just starting to ramp up their software staffs. A 2020 survey produced by Aurora Labs and Strategy Analytics finds that more automakers want to develop more of their software in-house. VW, for example, has a target for 60% in-house development via its Car.Software division.
Whether developed in house or within the supply chain, automotive software, as well as the channels through which software updates are made, have potentially multiple points carrying a high risk of being targeted, including:
- Wireless communication, such as Wi-Fi, Bluetooth, and other RF technologies
- Hardware, such as the components that manage and monitor RF communications
- Software, from the lower layers in the communication stacks to the upper layers in the application software; this also includes non-automotive-ready, open-source software, which is often used in communication stacks
- Custom code
- Unintended interactions
- Design issues or software defects in areas such as communication between the vehicle and backend support system
A cybersecurity breach might conjure images of hackers taking control of the vehicle (such as the well-documented episode involving a couple of ethical hackers and a Jeep in 2015), but that is just one aspect in a very complex solution. It’s also important to keep data privacy in mind – if a vulnerability is left unprotected, what happens with the data that is accessed? Will it get into the wrong hands? As updates are applied, can you ensure that personally identifiable information won’t get shared unintentionally?