undefined | Better HN

0 pointsDannyBee2y ago0 comments

Sure, but it could also be signed binaries inside the OTA, a variant of what you are talking about.

IE OTA is a signed package, inside package are also signed binaries. OTA itself is properly signed, a single binary (infotainment) is signed with wrong key.

While most OTA verifiers will verify the OTA signature (which this would pass), most don't verify the individual inside-package binary signatures at install time, only at runtime.

0 comments

AlotOfReading2y ago

That's not how I've ever implemented OTA, but I'll grant that it's possible if it was designed by someone with no idea what they were doing. Certainly not a good OTA process though, for this among many other reasons.

mlyle2y ago

It makes sense for each component to check signatures of its code to prevent various kinds of attacks -- e.g. someone coming and reflashing just infotainment or motor controllers with something malicious.

So, OTA update comes in, containing a bundle of software for different subsystems. It's sent to different subsystems. Then, those subsystems check integrity at startup, but one subsystem's bootloader isn't happy because the firmware looks to be invalid.

You can only prevent this if the OTA knows how to do equivalent verification for every subsystem in the car that checks integrity. (And, of course, even if you do this, there's other ways you can go wrong that aren't specific to integrity checks).

DannyBeeOP2y ago

Uh, this is a perfectly normal ota process when dealing with multiple embedded systems.

It seems silly to off the cuff assert that it is a bad process or only done by those who have no idea what they are doing.

j / k navigate · click thread line to collapse