A Generic System for Automotive Software Over the Air (SOTA) Updates Allowing Efficient Variant and Release Management
Houssem Guissouma (✉), Axel Diewald, and Eric Sax
Karlsruhe Institute of Technology, Engesserstr. 5, 76131 Karlsruhe, Germany
{houssem.guissouma,axel.diewald,eric.sax}@kit.edu
Abstract. The introduction of Software Over The Air (SOTA) updates in the automotive industry offers both the Original Equipment Manufacturer and the driver many advantages, such as cost savings through inexpensive over-the-air bug fixes. Furthermore, it enables enhancing the capabilities of future vehicles throughout their life-cycle. However, before making SOTA a reality for safety-critical automotive functions, major challenges must be deeply studied and resolved: namely the related security risks and the required high system safety. The security concerns are primarily related to the attack and manipulation threats faced by wirelessly connected and update-capable cars. The functional safety requirements must be fulfilled despite the agility needed by some software updates and the typically high number of variants.
We studied the state of the art and developed a generic SOTA update system based on a Server-Client architecture and covering the main security and safety aspects, including a rollback capability. The proposed system offers release and variant management, which is the main novelty of this work. The proof-of-concept implementation, with a server running on a host PC and an exemplary Electric/Electronic network, showed the feasibility and the benefits of SOTA updates.
Keywords: Connected vehicles · SOTA updates · Variant management · Security · Safety · Release management · Electronic control unit
1 Introduction
Electric/Electronic (E/E) architectures nowadays include up to 150 Electronic Control Units (ECUs) with various safety and real-time demands and over 100 million lines of code [1]. The increasing integration of electronics and software in modern vehicles in the form of embedded systems raises the probability of errors in ECU code. These errors cause the program to perform in a way that produces an unintended outcome [2], which can lead to system failures that need to be fixed by an adequate software update. A lot of effort is spent on detecting these errors before the final production [3]. But more and more often, errors occur during use. In this case, updates are urgent and the Original Equipment Manufacturer (OEM) must develop a bug fix, which is usually deployed during global recall campaigns.
In 2020, 75% of cars shipped globally are expected to have wireless connectivity [4]. One key benefit of the rising vehicle communication is the deployment of software or
© Springer Nature Switzerland AG 2019
L. Borzemski et al. (Eds.): ISAT 2018, AISC 852, pp. 78–89, 2019.
https://doi.org/10.1007/978-3-319-99981-4_8