Hackers are finding increasingly sophisticated ways to break into cars and control functions from radio to braking. Do carmakers have time to get it right?
Car security has periodically appeared in the public eye over many years, mostly in relation to either car theft or “chipping” of engine control units. Those stories have shown a slightly patchy record for engineering solidly secure vehicle systems, but with new threats emerging the stakes are being raised.
With the amount of compute power in cars expected to increase by 100x between 2015 and 2020, hackers are finding increasingly sophisticated ways to break into cars and control functions from radio to braking. Let’s look at some of the challenges in designing a secure car, and what can be done to address them.
In the security world people talk about the attack surface of a system. A small surface means few opportunities to get in; a large one means lots of opportunities. In the old world the only way in was by attacking the wiring in the car, to slot yourself into the messages passing between the silver boxes of electronics (the “ECUs”) and create your own messages to hijack the car.
A great example is when criminals drill into the floor pan at a point where they know a wire passes. They connect a probe to the wiring and use it to inject messages that trick the doors into opening and the immobiliser into disabling itself. While this is an effective mechanism, it’s not something that scales. However, quite a few expensive cars were (and still are) stolen that way!
More technology means an increased attack surface
When you look at modern cars, and those currently being designed, they are distributed systems with miles of wire, and many ways in if you can get physical access. That starts to tell you why the problem is a tricky one. Until recently the only embedded radio was the one that gives you keyless entry, and the car industry didn’t get off to a good start with that, as a number of examples showed how people could use signal boosters or mimic the key’s signal.
People have even shown how it’s possible to confuse the IVI system through the FM RDS system: a fake radio source next to the car sends a corrupt RDS message that the software wasn’t expecting, and the radio crashes. Not a serious problem of course, but it shows just how hard security is, and that’s not specific to cars.
In summary it’s not difficult to see how adding lots of radio interfaces, combined with a LOT more software, is a bit of a step change for the industry. While these are significant challenges, much work has been done to address this area and it continues to be central to a lot of people’s thoughts within the industry.
“Trust no one” is the mantra for security. When you think about it, the designer must make sure EVERY hole is closed. A hacker can choose any point to attack from, and only needs to find a single hole. Charlie Miller’s recent keynote at ARM TechCon highlighted just how many vehicles are susceptible to a hacker with enough technical knowledge and motivation.
A graphic rendering of Charlie Miller’s keynote at ARM TechCon
Over the air security
While on one hand it’s important to build cars with a strong security foundation, it’s also imperative to be able to fix problems when they occur, because they WILL occur. A car’s typical life is well over ten years and it needs to be as secure then as it is now. The key is to accept that hackers do eventually find ways in, and to therefore build a system that can and will be fixed. Currently, virtually all car software upgrades are still done via a cable in a dealership or other authorized service agent, requiring appointments and labour cost. Everyone can see this is not a scalable solution.
That means firmware over the air (FOTA), sending out security patches for the car to automatically download within days or even hours after a problem is found, is vital to aim for. It’s quite frightening how many car owners don’t take their car in for a recall, even if the problem is serious.
(Source: J.D. Power SafetyIQ and NHTSA's Safecar.gov)
To scale, automotive software issues need to be fixed over the air
The key to a successful OTA software maintenance system is the ability to reliably establish the trustworthiness of vehicle networks. A proper security foundation ensures that the upgrader is not actually communicating with a compromised system. A trusted system is one whose identity, integrity and manifest of software components can be authenticated. Automotive OTA systems will often verify these attributes of a system, via attestation, before authorizing an upgrade.
A hardware-based root of trust can act as a strong foundation for FOTA, as it can measure a platform and securely communicate with the remote OTA system (run by the OEM or its proxy). There are real opportunities for software vendors to develop the framework for this OTA connection and provisioning.
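The attest-before-upgrade exchange described above, as an added illustration that is not ARM’s or any OEM’s protocol: the ECU’s root of trust measures its firmware into a manifest and produces a quote over its identity, a server-supplied nonce and that manifest; the OTA server checks identity, freshness and integrity before authorizing the update. Device IDs, keys and firmware blobs are constructed, and a symmetric device key stands in for the asymmetric credential a real root of trust would hold.

```python
import hashlib, hmac, json, os

# Constructed firmware components as they would sit in the ECU's flash.
ECU_COMPONENTS = {"bootloader": b"boot-v1", "ivi-app": b"ivi-v3.2", "rds-parser": b"rds-v1.0"}

def measure(components):
    """Root-of-trust style measurement: hash each component into a manifest."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in components.items()}

def ecu_attest(device_key, device_id, components, nonce):
    """ECU side: produce a quote binding identity, the server's nonce and the manifest."""
    quote = {"id": device_id, "nonce": nonce.hex(), "manifest": measure(components)}
    payload = json.dumps(quote, sort_keys=True).encode()
    tag = hmac.new(device_key, payload, hashlib.sha256).hexdigest()
    return payload, tag

def server_authorize(device_keys, expected_manifests, nonce, payload, tag):
    """Server side: verify identity (provisioned key), freshness (nonce) and
    integrity (measured manifest matches the firmware the OEM expects)."""
    quote = json.loads(payload)
    key = device_keys.get(quote.get("id"))
    if key is None:
        return False, "unknown device"
    expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "bad signature"          # identity could not be authenticated
    if quote.get("nonce") != nonce.hex():
        return False, "stale quote"            # replayed or out-of-date attestation
    if quote.get("manifest") != expected_manifests[quote["id"]]:
        return False, "manifest mismatch"      # a component differs from the known-good build
    return True, "authorized"

# Constructed OEM-side provisioning records for one ECU.
DEVICE_ID = "ecu-0001"
DEVICE_KEY = b"constructed-device-key"
DEVICE_KEYS = {DEVICE_ID: DEVICE_KEY}
EXPECTED_MANIFESTS = {DEVICE_ID: measure(ECU_COMPONENTS)}

def run_exchange(components, device_key=DEVICE_KEY):
    """One full round: server issues a nonce, ECU attests, server decides."""
    nonce = os.urandom(16)
    payload, tag = ecu_attest(device_key, DEVICE_ID, components, nonce)
    return server_authorize(DEVICE_KEYS, EXPECTED_MANIFESTS, nonce, payload, tag)

if __name__ == "__main__":
    print(run_exchange(ECU_COMPONENTS))
    print(run_exchange({**ECU_COMPONENTS, "ivi-app": b"ivi-v3.2-modified"}))
```

A tampered component, a wrong device key or a replayed quote each produce a distinct refusal, which is the signal the server (and the intrusion-reporting systems mentioned below) would want to log.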
Another method of preventing attacks is through reporting. In the same way that a loud car alarm is a deterrent for a thief attempting to enter a car, there are companies such as TowerSec (now part of Harman) working on systems that can detect a likely intrusion and flag a possible safety concern.
Automotive security requires input from all stakeholders
Due to the extended supply chain within the industry, building a secure car is a team effort. The goal is to minimize the amount of attack surface available to hackers, a concern that the smartphone industry has been addressing for quite some time now. Leveraging practices that have proved successful in this area will provide a good starting point for the ecosystem to collaborate on what the future of automotive security looks like. Automotive OEMs can help by specifying and using several software and hardware technologies including:
- Hardware based Trusted Execution Environments (TEE)
- A security microvisor in MCUs
- Security subsystems that operate within a hardware security module (HSM)
New standards are also emerging for management of the TEE with the recent announcement of the Open Trust Protocol. This uses a combination of PKI/CA and simplified TEE management to manage and ensure trust between all devices and service providers.
Mobile levels of security architecture are coming to low cost MCUs, providing a real opportunity for the automotive industry to build new layers of hardware based security for the first time.
The future of automotive brings with it many challenges, security chief amongst them, but there is time for the industry to get it right. Car makers are taking it seriously, with structural reorganizations to bring security expertise together into centres of excellence rather than it being spread out and ad hoc. ARM is working with partners across the supply chain to build up the standard of security knowledge and implementation, to make the next generation of cars even safer.
-- Richard York is responsible for the embedded segment marketing at ARM