Security in the automotive domain has gained importance through several factors. Third-party services, the Internet and the connected vehicle, to mention a few innovations, have made the vehicle (at least partly) exposed and "visible" to the outside world, which requires a higher level of security. Future technological projections clearly show convergence between automotive electronics and personal computer or consumer electronics technology, together with the use of IT standards and protocols. This leads to higher connectivity, including "always online," and therefore requires more security.
The following examples illustrate the need for security features in the automobile:
- It is necessary to secure the programming of ECUs. Only authorized entities shall be able to program ECUs, so that programming is only possible with original, OEM-approved software. The application (in the boot-loader) uses standard cryptographic routines and services, e.g. hashing, signature verification, and public key (asymmetric) encryption.
- An electronic immobilizer shall protect the vehicle from any unauthorized driving. Technical details are totally OEM dependent but the immobilizer application always uses a specific set of cryptographic routines and services.
- As a means of efficient variant handling, ECU software often contains multiple functions or variants of them, but only a specific subset shall be enabled for regular use of the car (e.g. because of national legal restrictions in the country the car is sold to, or due to what the customer has ordered). Typically this is based on special data structures protected by cryptographic signatures.
- To secure diagnosis, only dedicated entities are allowed to use certain diagnostic services.
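The first and third items above both come down to one boot-loader-side check: parse a signed artifact strictly, hash it, and verify the signature against an OEM public key stored in the ECU before anything is flashed or enabled. The following is an added illustration in Go, not AUTOSAR or OEM code; the image layout (magic, length, payload, Ed25519 signature over SHA-256 of the payload) is a constructed assumption, and the same verification applies to a signed variant-coding record as to a whole application image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (assumption, not an AUTOSAR or OEM format):
//   "OEMB" | uint32 big-endian payload length | payload | 64-byte Ed25519 signature
// The signature is taken over SHA-256(payload), mirroring hash-then-verify in a boot-loader.
var magic = []byte("OEMB")

// SignImage models the OEM signing step that produces a flashable image.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	buf := bytes.NewBuffer(nil)
	buf.Write(magic)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	digest := sha256.Sum256(payload)
	buf.Write(ed25519.Sign(priv, digest[:]))
	return buf.Bytes()
}

// VerifyImage is the boot-loader side: check the header, make the length field
// account for every byte, then verify against the OEM public key burned into the
// ECU. The payload is returned only when it is authentic; any defect is a refusal.
func VerifyImage(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < 8+ed25519.SignatureSize || !bytes.Equal(blob[:4], magic) {
		return nil, errors.New("bad header")
	}
	n := binary.BigEndian.Uint32(blob[4:8])
	if uint64(n)+8+ed25519.SignatureSize != uint64(len(blob)) {
		return nil, errors.New("length field does not match image size")
	}
	payload, sig := blob[8:8+n], blob[8+n:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("signature verification failed: refusing to flash")
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the OEM key pair
	img := SignImage(priv, []byte("constructed ECU application v1.2"))
	_, err := VerifyImage(pub, img)
	fmt.Println("genuine image:", err)
	img[9] ^= 0x01 // one modified payload byte, e.g. a tampered calibration value
	_, err = VerifyImage(pub, img)
	fmt.Println("tampered image:", err)
}
```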
With respect to security, AUTOSAR has established the framework to embed a crypto module into the basic software, called the Crypto Service Manager (CSM). This module exposes an interface for security applications that allows generic access to standardized cryptographic routines; these provide means to restrict access to certain functions, or their use, to authorized users or callers, and to detect unauthorized use or access. The CSM is located within the system services of the service layer. It is configurable and offers common access to cryptographic methods; optionally, cryptographic hardware is supported.
[Figure: The crypto module is embedded in the AUTOSAR software architecture]
Summary and outlook
With Release 4.0, AUTOSAR has introduced a set of safety- and security-related features into the standard specifications. They provide standardized means which significantly support developers in achieving the desired Automotive Safety Integrity Level (ASIL) according to ISO DIS 26262.
The availability of such standardized means will simplify the development of automotive E/E systems that require functional safety and security, but it does not turn this into a trivial task. Achieving the appropriate level of functional safety and security is still a major design task at system level, one that can already benefit from the mechanisms provided by AUTOSAR Release 4.0.
While the existing AUTOSAR releases will remain under maintenance, the development partnership is already working to selectively enhance the standard. About 50 new technical concepts are being worked out jointly and will be implemented in AUTOSAR Release 4.1 by the end of 2012.
Stefan Bunzel is spokesperson for AUTOSAR.