As consumers, we are constantly expecting new features in our cars.
Over the years the automotive industry has continuously responded to this demand, and electronics has played a key role in enabling these new features.
Today, vehicles include complex interconnected electronic modules executing a very large amount of embedded software. This growth of electronic content in vehicles is expected to continue for many years to come as the demand for functionality such as safety systems, better fuel consumption, autonomous driving, and connectivity continues to grow.
However it does not come without challenges. Safety has always been a key concern for automotive companies, and safety specifically related to electronic systems has been a strong focus for semiconductor, Tier 1, and OEM companies in the past decade. ISO 26262 represents an example of the industry’s willingness to address the safety challenge.
In addition to safety concerns, electronic components have introduced a new set of concerns and challenges associated with security. Automotive cyber security has recently gained rapid attention. Networks and interfaces to access electronic modules are opening the door to vulnerabilities that could have significant consequences on the customer experience and reliability of the vehicle.
Let’s explore some examples highlighted in research and industry publications.
1. Access to the controller area network
CAN is an internal vehicle network used for communication among multiple electronic control units (ECUs). In order to perform self-diagnostic and reporting capability, an interface to the CAN network needs to be available. This is achieved through the on-board diagnostics (OBD) systems, which give the vehicle owner or repair technician access to the status of the various vehicle subsystems. These systems include software running on laptops that directly connect and interface with the internal vehicle CAN network and ECUs. As with any access point to the internal working of a vehicle, it represents a security vulnerability.
An example of exploiting such vulnerability has already presented itself when a disgruntled employee hacked into a vehicle’s computer and remotely activated the vehicle immobilization systems, triggering the horn and disabling the ignition systems in more than 100 vehicles.
2. Sensor interfaces
The ODB system is not the only example of open interfaces allowing access to vehicle information. A simple sensor interface can also be used. Tire pressure monitors are wireless sensors used in new automobiles in the US since 2008.
A study from Rutgers University and the University of South Carolina highlights the vulnerability represented by these sensors, which can be used to track vehicles or feed corrupted data to the ECU, causing them to malfunction. Body control functionality can also provide an access point of vulnerability, such as a keyless entry system.
3. Simple CD or USB interface to wireless interfaces
With the growing consumer demand for consumer functionality and "infotainment," a wide range of entry points that could be used to maliciously attack or control a vehicle are also present. Just a few years ago, a study by the University of Washington and the University of California, San Diego highlighted a broad range of vehicle vulnerabilities starting from a simple CD or USB interface to wireless interfaces, including short-range wireless access via Bluetooth, RFID, or 802.11, as well as long-range wireless access for GPS, satellite radios, remote telematics systems, etc.
With autonomous driving on the horizon, Vehicle to Vehicle and Vehicle to Infrastructure are also expected to become access points of vulnerability.
Security vulnerability can have multiple consequences ranging from a simple annoyance (raising the sound level on a radio) to life-threatening attack (taking control of the vehicle) and intellectual property protection (downloading and reverse engineering control algorithms).
The automotive industry is coming together to address these challenges. Effective solutions will require processes, embedded technology, and development tools that allow for efficient testing.
When it comes to software development, testing for security is a critical requirement. It must begin as early as possible, and Tier 1 and OEM companies need to have access to tools and methodologies that allow them to perform these tasks early and efficiently.
Virtual prototype-based environments representing the hardware, software, and the environment around the electronics can be used for such purpose.
An application example is the injection of an unusual CAN message that represents an attack on an automotive system. A virtual environment allows for easy injection of CAN messages and analysis of the software behavior so that it can detect such an attack and respond to it, while the vehicle continues to operate safely.
Safety and security are key concerns in the automotive industry, driving supplier and OEM companies to ensure the reliability and safety of private and commercial vehicles. Sharing best-practices and experiences when it comes to security will be essential to making the future of vehicle security a success.
— Marc Serughetti is director of business development, system-level solutions, at Synopsys. He drives the development and deployment of virtual prototyping technologies.