Secure Software Flashing
SAE Technical Paper 2009-01-0272
2009-04-20

An increasing number of vehicular electronic control units (ECUs) are equipped with reprogrammable flash memory. The program in the flash memory determines the behavior of the ECU. The program code can usually be updated via a bootloader, e.g., for a firmware update, a bug fix, or an update enabling additional functionality. Today the download is typically performed over a diagnostic channel; in the future it will increasingly go over wireless channels such as Bluetooth or GSM. Once such communication channels are opened to the outside world for downloading software, the authenticity of the software must be ensured. An example of a malicious software download is the replacement of firmware by an unauthorized party, as is already done on a large scale through chip tuning of vehicles.
In order to control software updates, digital signatures play a central role. A digital signature is generated in a secure back end, e.g. by the automobile manufacturer, and attached to the new firmware as a cryptographic checksum. The ECU can then verify the authenticity of the new firmware by verifying the signature with the corresponding public key; only if the verification succeeds is the new firmware actually executed by the device. A suitable signature scheme is RSA with a short public exponent: verification then needs only a handful of modular multiplications and can be executed in a few milliseconds on an ARM-class CPU if implemented carefully. Providing the signature algorithm itself is usually not the main problem; integrating it into the ECU and adapting the organizational processes are. A secure software download is only useful if there are neither hidden access paths to the firmware (e.g., an enabled debug interface) nor a flawed implementation that allows illegal access. Hence a very careful design and implementation phase is required in addition to the secure software download, to make sure that the defined access path is the only one.
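The sign-in-the-back-end, verify-in-the-bootloader flow described above, as an added example that is not code from the paper. It is pure Python so it runs offline: a small Miller-Rabin key generator, RSA with the short public exponent e = 65537, and EMSA-PKCS1-v1_5 encoding of a SHA-256 digest (RFC 8017). The 1024-bit key size, the image layout (firmware bytes followed by the signature), and the firmware contents are assumptions chosen for the demonstration; the paper does not specify them, and a production ECU would use a vetted crypto library, a larger modulus, and a key stored in protected memory.

```python
"""Signed firmware image: the back end signs with the private key, the ECU
bootloader holds only the public key (n, e) and verifies before running.
Illustrative pure-Python RSA; not the paper's code and not production crypto."""
import hashlib
import hmac
import secrets

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=40):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, until one passes the test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=1024, e=65537):
    """Back-end key generation. Returns (public, private) as dicts.
    Assumed key size for the demo; needs Python 3.8+ for pow(e, -1, m)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}


def emsa_pkcs1_v15_encode(message, em_len):
    """EMSA-PKCS1-v1_5: 0x00 0x01 || 0xFF padding || 0x00 || DigestInfo || H."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for the encoded digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_firmware(priv, firmware):
    """Back-end side: private-key operation over the encoded digest."""
    k = (priv["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_encode(firmware, k), "big")
    return pow(em, priv["d"], priv["n"]).to_bytes(k, "big")


def verify_firmware(pub, firmware, signature):
    """ECU side: one short-exponent exponentiation, then compare the whole
    recovered encoding against a freshly computed one (no lenient parsing)."""
    k = (pub["n"].bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= pub["n"]:
        return False
    em = pow(s, pub["e"], pub["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(firmware, k))


def build_update_image(priv, firmware):
    """Assumed image layout: firmware bytes followed by the raw signature."""
    return firmware + sign_firmware(priv, firmware)


def bootloader_accept(pub, image):
    """What the bootloader decides before it ever jumps to the new code."""
    k = (pub["n"].bit_length() + 7) // 8
    if len(image) <= k:
        return False
    return verify_firmware(pub, image[:-k], image[-k:])


if __name__ == "__main__":
    pub, priv = gen_keypair()
    fw = b"constructed ECU application image v1.2\x00" * 64  # sample input
    image = build_update_image(priv, fw)
    print("genuine image accepted:", bootloader_accept(pub, image))
    bad = bytearray(image)
    bad[100] ^= 0x01  # one flipped bit in the firmware body
    print("tampered image accepted:", bootloader_accept(pub, bytes(bad)))
```

Two details matter for the ECU side. The bootloader only ever needs (n, e); with e = 65537 the verification is 16 squarings and one multiplication, which is why the cost quoted above is milliseconds even without a private-key accelerator. And the verifier rebuilds the entire padded encoding and compares it byte-for-byte rather than scanning the recovered block for the digest, which closes the class of lenient-parsing forgeries that have hit RSA PKCS#1 v1.5 verifiers in the past.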
