MADISON, Wis. -- It's not hard to imagine cars in the future literally becoming "smart cards on wheels," especially if Freescale Semiconductor has its way.
Undoubtedly, cars will be programmed to store more information -- well beyond the driver's identity, whereabouts, credit card numbers, and confidential emails he or she might be reading in the car.
Picture yourself going to a drive-through McDonalds or a gas station.
Ronald McDonald already knows your car and credit card number, and he's eager to make the transaction easy for you. No need to wrestle a wallet out of your hip pocket or the bottom of a handbag.
Somehow, your car has revealed your credit card numbers to Ronald, but how does the car know? You never told the car.
You didn't have to. The car sucked that information out of your iPhone the first time you slipped it into your car's iPhone dock. "Remember, your iPhone has an Apple ID, and that Apple ID has your credit number," explained Davide Santo, Freescale's safety and chassis segment manager based in Munich.
Santo was merely suggesting what's technically feasible. He was neither saying this has been already commonly done nor endorsing the idea of cars doubling as credit cards.
But it is a fact that private or confidential driver information stored in the high-tech dashboard of the very near future could be exposed, extracted, and exploited -- without the driver's knowledge -- if the automaker fails to take proper security measures.
Richard Soja, distinguished member of the technical staff at Freescale Semiconductor, explained that the purpose of automotive security is manifold. It involves safety, reliability, protecting financial assets, and preventing the extraction of confidential information.
Hackers vs. engineers
While the automotive industry is becoming more aware of security issues, the potential security holes inside a car could be many. The problem is that it's hard to spot those holes in advance.
"To protect against attacks, you need to think like attackers," said Soja, in a recent interview with EE Times.
And there's the rub. You could call it the "hacker vs. engineer" gap. These are two different technology types who do not think alike.
Soja, who has been working on Freescale's 32-bit automotive SoC architecture, noted: "Engineers, by nature, are good at creating positive things and coming up with new ideas." But the idea of destroying their beautiful, brand-new ideas doesn't come naturally to engineers. Asking engineers to think like a hacker is a tall order, Soja explained.
One fundamental security advance developed by the auto industry is an industry spec called SHE (Secure Hardware Extension). As long as automotive microcontrollers are compliant with the spec, regardless of which chip vendor developed them, the different microcontrollers used in different ECUs inside a car should be able to communicate securely among themselves.
Soja explained that the basic security functions necessary in automotive electronics include: a) being able to detect, and authenticate, whether code has been modified; b) being able to take action against hacked code. The worst case is malicious code that makes the operating system in an ECU deviate unexpectedly from its normal, anticipated functions.
Freescale's CSE and secure-boot process provide a chain of trust for vehicle security applications
Integrating a hardware security module (HSM) inside an automotive SoC and separating the two by a firewall enables the HSM to operate in a secure environment. This has become a standard approach to which both Freescale and Infineon subscribe.
In Freescale's case, a device called a "cryptographic services engine (CSE)" is the HSM. The CSE has its own processor core -- in this case, Freescale's ColdFire. The SoC is SHE-compliant, said Soja.
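The secure-boot chain of trust described above, shown as an added example rather than Freescale's or the SHE spec's own code: each boot stage is stored with an authentication tag computed inside the HSM, and a stage is allowed to run only after the HSM has verified it. SHE specifies AES-128 CMAC for this; the example substitutes HMAC-SHA-256 from the standard library so it runs offline. The key, the stage images and the tamper helper are all constructed for the example.

```python
"""Added example: a secure-boot chain of trust with an HSM-held MAC key.

Stage N is authenticated before it runs, and the trusted stage N then
requests authentication of stage N+1.  HMAC-SHA-256 stands in for the
AES-CMAC that SHE uses; key and images are constructed for the example.
"""
import hashlib
import hmac

# Constructed: the boot MAC key lives inside the HSM and never leaves it.
_BOOT_MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def hsm_tag(image: bytes) -> bytes:
    """HSM service: compute the authentication tag over a stage image."""
    return hmac.new(_BOOT_MAC_KEY, image, hashlib.sha256).digest()


def hsm_verify(image: bytes, tag: bytes) -> bool:
    """HSM service: constant-time comparison against the stored tag."""
    return hmac.compare_digest(hsm_tag(image), tag)


def provision(stages):
    """Factory step: store each stage image together with its tag."""
    return [(name, img, hsm_tag(img)) for name, img in stages]


def secure_boot(flash):
    """Walk the chain; stop at the first stage that fails authentication.

    Returns (ok, executed_stages).  A real ECU would react to a failure
    (refuse to run, stay in a limp mode, log a tamper event); here the
    result just reports how far the chain got.
    """
    executed = []
    for name, image, tag in flash:
        if not hsm_verify(image, tag):
            return False, executed
        executed.append(name)  # stage is trusted; hand control to it
    return True, executed


def tamper(flash, stage_name, patch: bytes):
    """Simulate unauthorized reprogramming of one stage (tag left as-is)."""
    out = []
    for name, image, tag in flash:
        if name == stage_name:
            image = image + patch
        out.append((name, image, tag))
    return out


# Constructed sample stage images (contents are placeholders).
SAMPLE_STAGES = [
    ("bootloader", b"BL v1.0"),
    ("os_kernel", b"RTOS image"),
    ("application", b"engine control app"),
]

if __name__ == "__main__":
    flash = provision(SAMPLE_STAGES)
    print(secure_boot(flash))
    print(secure_boot(tamper(flash, "os_kernel", b"!")))
```

Because the tag is checked before control is transferred, a modification of the OS image stops the chain right after the bootloader; modifying the bootloader itself stops it before anything runs, which is the property that lets a later stage act against "hacked code" rather than being run by it.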
After a period of some skepticism, US car makers' interest in automotive security appears to be rising.
At the request of Freescale's North American automotive customers, Soja said, "In some instances, we had already gone inside the core, reprogrammed it in order to add powerful enhancements to it." Such upgrades include providing hardware support for running RSA asymmetric algorithms.
Freescale's Qorivva MPC5777M MCU, introduced late last year and billed as "the world's most advanced powertrain microcontroller" by the company, was designed to advance the security features. While it's built on the same basic CSE architecture, the quad-core Qorivva MPC5777M MCU (based on Power architecture), manufactured using a 55nm process, is integrated with "a number of additional hardware interfaces in the microcontroller," according to Soja. Compared with competitors' solutions, he claimed, extra security features are added at the chip level. "For example, tamper-detection is now embedded in hardware," he noted, to record any unauthorized reprogramming of flash.
Another important feature of MPC5777M is "security life-cycle management system," Soja said. From the moment a chip comes out of a wafer fab to its installation and testing inside a vehicle, to its eventual delivery to a customer, the chip "increases its security state" as it moves up the food chain. More important, "it is irreversible," Soja said. You can't go back to lighter security.
For example, fresh out of a fab, the chip has no code and no confidentiality. The security necessary to protect it is low. But once the chip is deployed in a vehicle, then tested, the chip is exposed to a number of security risks.
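The irreversible life-cycle idea in the two paragraphs above, modeled as an added example (not Freescale's implementation; the MPC5777M's actual state names and policy are not given on the page): states are ordered, a device can only advance, and the set of operations a state permits shrinks as the chip moves from fab to field. The state names and the permission table are constructed for the example.

```python
"""Added example: a one-way security life-cycle for an automotive MCU.

Constructed model: four ordered states, a transition that only moves
forward, and a per-state permission table that shrinks as the device
advances.  Refused operations are recorded, mirroring the hardware
tamper-detection the article describes.
"""
from enum import IntEnum


class Lifecycle(IntEnum):
    FAB = 0          # fresh from the wafer fab: no code, nothing confidential
    PROVISIONED = 1  # firmware and keys loaded by the supplier
    IN_VEHICLE = 2   # installed and tested in the vehicle
    FIELD = 3        # delivered to the customer


# Constructed policy: what each state still permits.
_PERMITTED = {
    Lifecycle.FAB: {"debug", "reprogram_flash", "load_keys"},
    Lifecycle.PROVISIONED: {"debug", "reprogram_flash"},
    Lifecycle.IN_VEHICLE: {"reprogram_flash"},
    Lifecycle.FIELD: set(),
}


class Device:
    def __init__(self):
        self.state = Lifecycle.FAB
        self.tamper_log = []  # (state, refused operation)

    def advance(self, new_state: Lifecycle) -> Lifecycle:
        """Raise the security state; going back to a lighter state is refused."""
        if new_state <= self.state:
            raise PermissionError(
                f"cannot move from {self.state.name} to {Lifecycle(new_state).name}"
            )
        self.state = Lifecycle(new_state)
        return self.state

    def request(self, op: str) -> bool:
        """Check an operation against the current state; log refusals."""
        allowed = op in _PERMITTED[self.state]
        if not allowed:
            self.tamper_log.append((self.state.name, op))
        return allowed


def demo():
    """Walk one device through its life and return the refusals it logged."""
    dev = Device()
    dev.request("load_keys")                  # allowed at the fab
    dev.advance(Lifecycle.PROVISIONED)
    dev.advance(Lifecycle.IN_VEHICLE)
    dev.request("debug")                      # refused, logged
    dev.advance(Lifecycle.FIELD)
    dev.request("reprogram_flash")            # refused, logged
    try:
        dev.advance(Lifecycle.FAB)            # irreversible: refused
    except PermissionError:
        pass
    return dev.state, dev.tamper_log


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that no code path exists to lower the state: once the chip has been provisioned and installed, the debug and key-loading operations that were harmless in the fab are simply no longer reachable, and attempts to use them become tamper evidence rather than successes.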
Freescale's experience in flash memory
Soja took issue with competitors who have characterized Freescale as weak in smart card expertise. Soja explained that the private/confidential information in "smart cards on wheels" is stored in flash memory -- embedded inside the microcontroller of an ECU. "Freescale has a long history of flash memory, and we know how to protect [confidential information] in secure memory behind firewalls," he stressed.
Further, the flash memory embedded in a microcontroller is "of automotive quality," Soja said, meaning "it has to last a much longer period of time -- 20 to 50 years."
Before Freescale was spun out of Motorola, the company had a smart card business unit serving the banking and financial market. Motorola also dealt with smart cards for set-top boxes. Freescale today is leveraging that history and applying it in networking, smart metering and automotive, he said.
The automotive industry's efforts to foster security have only begun recently.
When asked about the challenges ahead, Soja talked of the upcoming Intelligent Transport System (ITS) and vehicle-to-vehicle (V2V) communication.
"There have been a lot of workshops and consortiums" on these topics, said Soja. "But we really need to understand how all these new things work, and how they are set up to interact with a vehicle's communication system."
ITS, for example, aims at "smarter" use of transport networks and is expected to offer traffic management and other useful services by linking a vehicle's communications with sources on the road -- such as signage.
Similarly, V2V communication will play an important role, on the theory that non-human communication between cars can prevent collisions.
But more communication with the external world poses more potential for security risks.
Those who architect automotive electronics -- in long development cycles -- need to understand the new systems and their architectures better in order to make next-gen automotive SoCs more secure, even if they might not prove to be entirely hacker-proof.