I've never worked in automotive but it's pretty easy to imagine how this might play out in a car, where a single update might bundle updates for several programmable devices.
It's easy to imagine a central SoC receiving the update, verifying its signature against a local key and then reprogramming some MCU over an internal interface. But then after resetting the MCU, you realize that the image you just flashed isn't compatible with the boot security keys burned into that MCU. It's not uncommon for a device performing the OTA update to not have access to the "source of truth" keys / certificates used to verify the updated image at boot time.
Not that this is a great excuse. If you add OTA updates to a product that has this design, you should really be confident in your recovery solution.
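
A pre-flash compatibility check for the failure described in the comment above, as an added example that is not part of the original comment: before reprogramming anything, the updater compares the signing-key fingerprint carried in each image with the fingerprint each MCU reports for its burned boot key, and refuses the whole bundle on any mismatch. The header layout, the device names and the ability to query a key fingerprint from the MCU are assumptions; the check only detects a key mismatch and does not verify any signature.

```python
import hashlib
import struct

# Hypothetical image header (an assumption): 4-byte magic, SHA-256 of the
# signing public key, 4-byte little-endian payload length, then the payload.
MAGIC = b"FWIM"
HEADER = struct.Struct("<4s32sI")

def key_fingerprint(public_key: bytes) -> bytes:
    return hashlib.sha256(public_key).digest()

def build_image(public_key: bytes, payload: bytes) -> bytes:
    """Build a sample image; stands in for a vendor signing tool."""
    return HEADER.pack(MAGIC, key_fingerprint(public_key), len(payload)) + payload

def signer_fingerprint(image: bytes) -> bytes:
    """Parse the header and return the fingerprint of the signing key."""
    if len(image) < HEADER.size:
        raise ValueError("image shorter than header")
    magic, fp, length = HEADER.unpack_from(image)
    if magic != MAGIC or len(image) - HEADER.size != length:
        raise ValueError("malformed image header")
    return fp

def preflight(bundle: dict, fused: dict) -> list:
    """Return reasons not to flash the bundle; an empty list means proceed."""
    problems = []
    for device, image in sorted(bundle.items()):
        if device not in fused:
            problems.append(f"{device}: no fused key fingerprint reported")
            continue
        try:
            fp = signer_fingerprint(image)
        except ValueError as exc:
            problems.append(f"{device}: {exc}")
            continue
        if fp != fused[device]:
            problems.append(f"{device}: image signed with a key the boot ROM will reject")
    return problems

# Constructed sample data: two MCUs fused with the production key, one image
# in the bundle signed with a development key by mistake.
PROD_KEY, DEV_KEY = b"constructed-prod-pubkey", b"constructed-dev-pubkey"
FUSED = {"body_mcu": key_fingerprint(PROD_KEY), "motor_mcu": key_fingerprint(PROD_KEY)}
BUNDLE = {"body_mcu": build_image(PROD_KEY, b"\x01" * 64),
          "motor_mcu": build_image(DEV_KEY, b"\x02" * 64)}

if __name__ == "__main__":
    for line in preflight(BUNDLE, FUSED) or ["bundle matches all fused keys"]:
        print(line)
```

Running the check across the whole bundle before touching any device means one bad image blocks the update instead of leaving some MCUs flashed and one unbootable.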