
Do Automakers Still See Hackers as a Hoax?

10/27/2016 06:00 AM EDT
Re: Market demand or government mandate
MWagner_MA   10/31/2016 7:38:02 AM
You nailed it...cost.  Remember the Mercedes incident a few years back?  Mercedes thought it was ok for a luxury car to have NO security on wireless updates, instead they focused on premium profits until the German government reined them in.  No, I doubt hackers have much to gain financially by hacking cars, but there are enough people out there that just like to mess with others causing problems to be of concern, therefore we need a strategy to protect against it.

Re: misplaced priorities
pinaz   10/28/2016 10:29:15 AM
The article says "current CAN bus and OBD-II functionality are hindering progress toward making vehicles more secure", and I think that is misleading.

Yes, I've seen that vehicle makers have a distinct powertrain CAN.  However, all the extra devices between engine, transmission, and ESC get lumped in the general-purpose CAN.  There is a "Gateway" between the powertrain and general-purpose CAN buses, but the infotainment system may have a microcontroller that acts as gateway to this general-purpose CAN bus, but said microcontroller can be arbitrarily reprogrammed by the infotainment software.  The "Gateway" may protect the powertrain CAN, but there is plenty of havoc to be wreaked on the general-purpose bus.

CAN provides short (8 byte), low-latency messages that align well with real-time tasks.  Trying to add security credentials, encryption, protection against replay attacks, and cryptographic key leakage protection against similar/same messages being sent 10s or 100s of times a second seems like misplaced priorities.

Applying security to wireless and OTA, does, in contrast, seem a worthwhile venture.
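
Added example, not part of the comment above or of the article: a sketch of what authentication plus replay protection costs inside one 8-byte classic CAN payload, the trade-off this comment raises. The 4/1/3 byte split, the key, the CAN ID 0x1A0 and all names are assumptions chosen for illustration, not any vehicle maker's scheme.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; a real key sits in protected ECU storage
DATA_LEN = 4                   # bytes left for the actual signal (assumption)
MAC_LEN = 3                    # truncated tag: forgery chance 2**-24 per attempt
# Assumed payload layout: data(4) | low byte of counter(1) | truncated MAC(3) = 8 bytes


def _mac(can_id: int, data: bytes, counter: int) -> bytes:
    """Truncated HMAC-SHA256 over the CAN ID, the full counter and the data."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side: only the counter's low byte travels on the bus."""
    if len(data) != DATA_LEN:
        raise ValueError("payload budget is %d bytes" % DATA_LEN)
    return data + bytes([counter & 0xFF]) + _mac(can_id, data, counter)


class Receiver:
    """Keeps the last accepted counter per CAN ID and rejects anything older."""

    def __init__(self) -> None:
        self.last = {}  # can_id -> last accepted full counter

    def accept(self, can_id: int, frame: bytes):
        if len(frame) != DATA_LEN + 1 + MAC_LEN:
            return None
        data, low, tag = frame[:DATA_LEN], frame[DATA_LEN], frame[DATA_LEN + 1:]
        nxt = self.last.get(can_id, -1) + 1
        # Smallest counter >= nxt whose low byte matches the one received.
        counter = nxt + ((low - nxt) & 0xFF)
        if not hmac.compare_digest(tag, _mac(can_id, data, counter)):
            return None  # tampered, wrong key, or a replayed (stale) frame
        self.last[can_id] = counter
        return data


if __name__ == "__main__":
    rx = Receiver()
    frame = build_frame(0x1A0, b"\x01\x02\x03\x04", 0)
    print("first delivery:", rx.accept(0x1A0, frame))
    print("replayed frame:", rx.accept(0x1A0, frame))
```

Half the payload goes to the counter and tag, and the receiver tolerates at most 255 lost frames before the low-byte counter can no longer be resynchronised.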



Re: misplaced priorities
KangarooCourt   10/28/2016 12:16:10 AM
Typical vehicle architecture uses more than one CAN bus, and usually a "Gateway" style box between them.  All power-train modules will hang off one bus (engine controller, transmission controller, ABS, ESC, etc) while infotainment, seat controllers, door modules etc will hang off another.  There will also be another connection to the OBD port (where the mechanic plugs in a diagnostics computer) and this is also usually CAN.  So essentially the security mechanism between your infotainment unit, or the OBD computer port, and your safety-critical systems is the Gateway.  Depending on the vehicle maker this may have a relatively high level of security, or it may have essentially none.

But security needs to go further than that, especially with the idea of adding wireless connectivity and OTA updates into vehicles.  With the trend to higher levels of software constituting up to 80% of a vehicle's cost in the near future, car-makers must recognise that 80% of problems in a vehicle are likely to be software related.  The most effective way to combat this in the field is OTA updates - much cheaper than a recall - but this is surely going to also be the biggest security risk.

Market demand or government mandate
dt_hayden   10/27/2016 4:17:20 PM
I don't think they see hackers as a hoax, but rather as increased cost and additional time to market, neither of which competitive markets tolerate.  Regarding vehicle cyber security, if there are no government mandates to gate sales, nor customer demands to produce sales, it won't happen on a wide scale basis.  Endpoint Authentication and Secure Boot are just not features that entice potential vehicle customers from glossy brochures. We'll know the automakers are seriously on board with vehicle cyber security when consumer friendly marketing buzzwords have been created and advertised (as in the fictitious Toyota HackSafe™).

misplaced priorities
pinaz   10/27/2016 1:10:33 PM
I'm an EE who is not in the automotive industry but I've taken apart some recent model automotive electronics for fun.  I think the recurring theme of blaming CAN as not being a suitable platform is misplaced.  IMHO, the automotive industry needs to segregate real-time systems (CAN) from non-critical (infotainment), not hang them all on one bus.  Keeping everything on a common hardened CAN bus and then blindly hoping this will solve the problem is a delusion IMHO.  If anything, it is an excuse to punt the issue far into the future instead of dealing with it now.
