As automobiles rapidly become more intelligent and more networked, Firmware-Over-The-Air (FOTA) technology has gradually been adopted in the automotive field because it is simple, easy to use, flexible and downloadable. FOTA makes it possible to repair and update in-vehicle software systems remotely, reducing vehicle maintenance costs and creating a new driving experience for users. At the same time, with the vigorous development of mobile communication technology and the increasing popularity of the Intelligent Connected Vehicle (ICV), both the functional features of automotive electronics and the amount of automotive software have grown rapidly. This places higher-level requirements on the distributed electronic and electrical (E/E) architecture that most vehicles still use today. The advent of the Domain Controller Unit (DCU) concept has allowed vehicles to move gradually towards a domain-centralized or cross-domain-centralized E/E architecture, ultimately achieving collaborative control between vehicle and cloud and enabling the ICV of the future. FOTA technology lets a DCU be upgraded iteratively, so that car manufacturers can deploy new software faster and continuously improve the functional features of in-vehicle DCUs. Because a DCU-based vehicle has fewer system modules with a more uniform internal structure, vehicle FOTA upgrades become easier to implement. The domain-centralized E/E architecture integrates the Electronic Control Units (ECUs) scattered around the vehicle body into one DCU, so that running the FOTA upgrade function on the DCU alone upgrades every ECU on the vehicle side, which reduces the per-ECU workload for authentication, decryption and tamper-proofing.

Although the domain-centralized E/E architecture brings considerable convenience to FOTA technology, the network communication architecture of the in-vehicle FOTA system lacks an effective Ethernet encryption and authentication mechanism, so applying FOTA to DCU software upgrades still carries hidden information-security dangers. It is therefore of research significance to discuss how the security and real-time requirements of the FOTA upgrade process can be met on the basis of the in-vehicle domain controller architecture. This paper first summarizes in-vehicle DCU technology and the vehicle FOTA upgrade mechanism, then summarizes the sources of the secure-upgrade requirements for the in-vehicle domain controller architecture and analyzes the information security risks and requirements of vehicle FOTA upgrades and automotive Ethernet. Finally, a new DCU concept, the "FOTA DCU", is proposed within the traditional in-vehicle FOTA system architecture, and a new type of in-vehicle FOTA upgrade system is built around it. To address the potential security risks caused by the lack of encryption and authentication mechanisms in this new in-vehicle FOTA system architecture, a hybrid encryption scheme based on the Chinese national cryptographic (SM, "national secret") algorithms is designed. The main research content of this paper covers the following parts:

(1) This paper proposes an in-vehicle FOTA system architecture based on the "FOTA DCU" and describes the specific flashing process of an ECU within that system. It proposes an Ethernet secure communication strategy for the in-vehicle DCU. It analyzes the security risks present in the new vehicle FOTA architecture described above, designs a secure FOTA upgrade method for the in-vehicle domain controller architecture using the SM algorithms, and introduces the encryption and decryption process and the periodic key-update mechanism.

(2) This paper analyzes the cryptographic principles of the SM2, SM3 and SM4 algorithms used in the above secure FOTA upgrade method for the in-vehicle domain controller architecture, and examines in depth the implementation process and principle of the SM hybrid encryption scheme designed in this paper. Starting from the flashing process of automotive ECU firmware, it analyzes in detail the security principle of the secure FOTA upgrade method for the in-vehicle domain controller architecture that incorporates these cryptographic algorithms.

(3) This paper builds a simulation experiment platform based on the iTOP-4412 development board and the STM32 F103ZET6 development board to test and analyze the secure FOTA upgrade method. The experimental results show that the secure upgrade method correctly implements the encryption and decryption of the update package and can defend against eavesdropping, tampering and replay attacks launched by third-party attack nodes, while meeting the time and space complexity constraints of automotive Ethernet.