Safe and Secure Automotive Over-The-Air Updates

Thomas Chowdhury (1), Eric Lesiuta (1), Kerianne Rikley (1), Chung-Wei Lin (2), Eunsuk Kang (2), BaekGyu Kim (2), Shinichi Shiraishi (3), Mark Lawford (1), and Alan Wassyng (1)

(1) McMaster Centre for Software Certification, Department of Computing and Software, McMaster University, Hamilton, ON, Canada
{chowdt2,lesiutej,rikleykn,lawford,wassyng}@mcmaster.ca
(2) Systems & Software Division, Toyota InfoTechnology Center U.S.A. Inc, Mountain View, CA, USA
{cwlin,ekang,bkim}@us.toyota-itc.com
(3) Software Systems Group, System Architecture Research Division, Toyota InfoTechnology Center Co., Ltd.
{sshiraishi}@jp.toyota-itc.com

Abstract. Over-the-air updates have been used for years in the software industry, allowing bug fixes and enhancements to desktop, laptop, and mobile operating systems and applications. Automotive vehicles now depend on software to the extent that manufacturers are turning to over-the-air updates for critical vehicle functionality. History shows that our software systems are most vulnerable to lapses in safety and dependability when they undergo change, and performing an update over a communication channel adds a significant security concern. This paper presents our ideas on assuring integrated safety and security of over-the-air updates through assurance case templates that comply with both ISO 26262 (functional safety) and SAE J3061 (cyber-security). Wisely, the authors of SAE J3061 structured the guidebook so that it meshes well with ISO 26262, and we have been able to use principles we developed for deriving an assurance case template from ISO 26262 to help include compliance with SAE J3061 in the template. The paper also demonstrates how a specialization of the template helps guide us to pre-emptively mitigate against potential vulnerabilities in over-the-air update implementations.
1 Introduction

The original motivation for over-the-air (OTA) updates to automotive software seems to have been a realization that customers view a trip to the dealership to install a software patch as an avoidable waste of their time. This is true even when the patch introduces a new feature that they are pleased to install. An update can take place without the presence of the owner. Whether the update is installed automatically or needs approval before driving depends on the criticality of the update. For example, if the update is for parts of the infotainment system, perhaps it can be installed automatically. If the update is for a critical component of the vehicle, then it may be necessary to have driver approval. In