Call Issued to White Hat Hackers: Find the Flaws in New Automotive Software Updater

NYU Tandon, the University of Michigan Transportation Research Institute, and Southwest Research Institute Develop an Open-Source Cybersecurity Framework for Auto Industry

Justin Cappos and Sam Lauzon panel

NYU Tandon Professor Justin Cappos (L) gives a brief background on security in cars. Co-panelist Sam Lauzon (R) is an automotive cybersecurity developer in University of Michigan's Transportation Research Institute's Engineering Systems Group.

A consortium of researchers today announced the development of a universal, free, and open-source framework to protect wireless software updates in vehicles. The team issued a challenge to security experts everywhere to try to find vulnerabilities before it is adopted by the automotive industry.

The new solution, called Uptane, evolves the widely used TUF (The Update Framework), developed by NYU Tandon School of Engineering Assistant Professor of Computer Science and Engineering Justin Cappos to secure software updates. Uptane is a collaboration of NYU Tandon, the University of Michigan Transport Research Institute (UMTRI), and the Southwest Research Institute (SwRI), and is supported by contracts from the U.S. Department of Homeland Security, Science and Technology Directorate.

Modern cars contain dozens of computers — called ECUs (Electronic Control Units) — that control everything from safety equipment (airbags, brakes, engine, and transmission, and more) to entertainment systems. The increasing complexity of modern cars accompanies an increasing likelihood of flaws in the software. To combat this, vehicle makers are equipping ECUs with a secure Software Over-The-Air (SOTA) update capability, allowing the software to be changed without visiting a service depot, resulting in fewer recalls and greater customer satisfaction. However, hackers can target these software update mechanisms to install malicious software, viruses, or even ransomware, the results of which could be catastrophic.

In 2013, a single attack, spread by software updates and configuration management systems in South Korea, cost banks and media companies an estimated three-quarters of a billion dollars. The notorious Target attack spread the same way. Experts agree: Cars and trucks are similarly vulnerable.

“Although widespread attacks are still difficult and expensive, they lie within the capabilities of nation-state cyber warriors, and it is time to begin securing the infrastructure, particularly as automotive electronics increase,” Cappos said.

Uptane goes beyond TUF in order to address the unique problems posed by automotive software. For example, it allows automakers to completely control critical software but to share control when appropriate — for example, when law enforcement needs to tune a vehicle for off-road conditions. It also helps automakers to quickly deploy secure fixes for a vulnerability exploited in an attack or to remotely (and inexpensively) update a car’s electronics.

In a meeting at UMTRI’s Ann Arbor, Michigan, headquarters yesterday with automakers representing more than three-quarters of the vehicles on U.S. roads, plus automotive suppliers and government agencies, the Uptane working group publicly released the Uptane design. The group has been holding regular design workgroups to develop a universal framework that could enhance the security mechanisms, protecting cars as soon as next year.

As is standard practice in open-source projects, the team called upon security experts everywhere to help them find flaws in the proposed framework so that a secure final version can be adopted.

The Uptane research is led by principal investigators Cappos at NYU Tandon, Sam Lauzon at UMTRI, and Cameron Mott at SwRI. The Uptane design and software is available at

About the NYU Tandon School of Engineering
The NYU Tandon School of Engineering dates to 1854, when the New York University School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, and entrepreneurship and dedicated to furthering technology in service to society. In addition to its main location in Brooklyn, NYU Tandon collaborates with other schools within the country’s largest private research university and is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai. It operates business incubators in downtown Manhattan and Brooklyn and an award-winning online graduate program. For more information, visit

About the University of Michigan Transportation Research Institute
The University of Michigan Transportation Research Institute is committed to advancing safe and sustainable transportation for a global society. Located in Ann Arbor, Michigan, the heart of the transportation industry, UMTRI partners with government and industry and draws on scholarly collaborations to deliver high-quality research and the deployment of solutions to critical transportation issues. Since 1965, UMTRI has conducted thousands or research projects, has collected hundreds of terabytes of data and is now the sixth largest research institute on the U-M campus in terms of research expenditures, bringing in over $20 million annually. UMTRI’s multidisciplinary research includes short- and long-term projects in areas involving accident-data collection and traffic-safety analysis, bioengineering, human factors, mechanical engineering, psychology, economics, and public policy.  For more information, visit

About Southwest Research Institute
SwRI is an independent, nonprofit, applied research and development organization based in San Antonio, Texas, with nearly 2,655 employees and an annual research volume of $559 million. Southwest Research Institute and SwRI are registered marks in the U.S. Patent and Trademark Office. For more information about Southwest Research Institute, please visit or