In 2010, researchers from two universities investigating the security of modern automobiles disabled a moving car's engine and brakes by hacking in through an on-board diagnostics port. This is a sobering example of how safety assurance in automobiles faces a formidable set of challenges, including legacy components that were never designed for security and a supply chain approach that has arguably reached its scalability limits.
Also in 2010, U.S. carmakers introduced a feature to enable car owners to manipulate the locks and start the engine from anywhere on the planet using a smartphone. This connectivity piggybacks on the car's remote telematics system, which has become standard in many models.
Connecting the automobile to wide-area networks is what exposes it to sophisticated attackers. A single flaw may allow a remote attacker to damage an entire fleet of vehicles. Communications may include car-to-service-centre or other OEM infrastructure, car-to-multimedia-provider, car-to-car, car-to-power-grid (electric vehicles), car-to-smartphone or even car-to-bank. Figure 3 shows some examples of long-range radio connections in next-generation vehicles.
Figure 3 - examples of next-generation extra-vehicular communications
Unlike high-end data centres, the car is unlikely to be outfitted with a full complement of IDS, IPS, firewalls, and UTMs. Regardless, recent intrusions at Sony, Citigroup, Amazon, Google, and RSA starkly demonstrate that these defence mechanisms are Swiss cheese against sophisticated attackers.
When the Stuxnet attack came to light in 2010, US DoD CYBERCOM chief General Keith Alexander suggested that the U.S.'s critical infrastructure ought to be isolated on its own secure network, distinct from the Internet. While this may seem heavy-handed, it is precisely the kind of thinking needed. The car's critical systems must be strongly isolated from ECUs and networks not critical for safe operation.
While physical network isolation is desirable, touch points will inevitably exist. For example, the car's navigation system, in some markets, must be disabled while the car is in motion, implying communication between systems of widely differing safety criticality. These connections increase the risk of software-borne threats such as privilege escalation due to operating system vulnerabilities, side-channel attacks on cryptography, and denials of service.
Next-generation infotainment system architecture must address these important emerging security threats from the ground up. Every interaction between critical and non-critical systems and networks must be justified at the highest management levels, rigorously controlled at run-time, and analysed and certified free of vulnerabilities at the highest assurance levels.
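One way to make such a touch point "rigorously controlled at run-time" is a one-way gateway that forwards only an allow-listed signal from the critical domain to the infotainment domain and drops everything else: wrong direction, unknown identifier, wrong length, implausible value, or too high a rate. The C code below is an added illustration, not code from the article or from any carmaker; the frame layout, the identifier 0x1A0, the two-byte speed encoding, the 300 km/h bound and the 50 ms period are all constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the article: a one-way gateway that lets a single
 * allow-listed signal (vehicle speed, needed to lock out navigation input while
 * moving) cross from the safety-critical bus to the infotainment bus.
 * Identifiers, layouts and limits are constructed for illustration. */

typedef enum { DOMAIN_CRITICAL = 0, DOMAIN_INFOTAINMENT = 1 } domain_t;

typedef struct {
    domain_t src;       /* bus the frame arrived on */
    uint32_t id;        /* 11-bit CAN-style identifier */
    uint8_t  dlc;       /* payload length in bytes, 0..8 */
    uint8_t  data[8];
    uint32_t t_ms;      /* arrival time in milliseconds */
} frame_t;

typedef enum {
    GW_FORWARD = 0,
    GW_DROP_DIRECTION,  /* nothing ever flows infotainment -> critical */
    GW_DROP_ID,         /* identifier not on the allow-list */
    GW_DROP_LENGTH,     /* payload length does not match the signal definition */
    GW_DROP_RANGE,      /* decoded value outside its plausible range */
    GW_DROP_RATE        /* arrived faster than the signal's minimum period */
} gw_verdict_t;

/* One allow-list entry: a signal permitted to cross critical -> infotainment. */
typedef struct {
    uint32_t id;
    uint8_t  dlc;
    uint16_t max_value;      /* inclusive upper bound of the decoded value */
    uint32_t min_period_ms;  /* frames arriving faster than this are dropped */
    uint32_t last_seen_ms;
    bool     seen;
} gw_rule_t;

#define SPEED_ID 0x1A0u  /* constructed: 2-byte little-endian speed in km/h */
static gw_rule_t rules[] = {
    { SPEED_ID, 2, 300, 50, 0, false },
};
#define NRULES (sizeof rules / sizeof rules[0])

void gw_reset(void) {
    for (size_t i = 0; i < NRULES; i++) { rules[i].seen = false; rules[i].last_seen_ms = 0; }
}

/* Returns GW_FORWARD and fills *out when the frame may cross; otherwise the
 * reason it was dropped. Every check is positive (allow-list), so anything the
 * gateway was not explicitly told about is rejected. */
gw_verdict_t gw_filter(const frame_t *in, frame_t *out) {
    if (in->src != DOMAIN_CRITICAL) return GW_DROP_DIRECTION;
    gw_rule_t *r = NULL;
    for (size_t i = 0; i < NRULES; i++)
        if (rules[i].id == in->id) { r = &rules[i]; break; }
    if (r == NULL) return GW_DROP_ID;
    if (in->dlc != r->dlc) return GW_DROP_LENGTH;
    uint16_t value = (uint16_t)(in->data[0] | (in->data[1] << 8));
    if (value > r->max_value) return GW_DROP_RANGE;
    if (r->seen && (in->t_ms - r->last_seen_ms) < r->min_period_ms) return GW_DROP_RATE;
    r->seen = true;
    r->last_seen_ms = in->t_ms;
    *out = *in;
    out->src = DOMAIN_INFOTAINMENT;  /* re-originated on the non-critical bus */
    return GW_FORWARD;
}

/* Helper that builds a frame carrying a two-byte little-endian value. */
frame_t gw_make_frame(domain_t src, uint32_t id, uint8_t dlc, uint16_t value, uint32_t t_ms) {
    frame_t f = {0};
    f.src = src; f.id = id; f.dlc = dlc; f.t_ms = t_ms;
    f.data[0] = (uint8_t)(value & 0xFF);
    f.data[1] = (uint8_t)(value >> 8);
    return f;
}

int main(void) {
    static const char *names[] = { "FORWARD", "DROP_DIRECTION", "DROP_ID",
                                   "DROP_LENGTH", "DROP_RANGE", "DROP_RATE" };
    frame_t out;
    frame_t samples[] = {  /* constructed traffic */
        gw_make_frame(DOMAIN_CRITICAL, SPEED_ID, 2, 120, 0),     /* legitimate speed   */
        gw_make_frame(DOMAIN_CRITICAL, SPEED_ID, 2, 120, 10),    /* too soon: flood    */
        gw_make_frame(DOMAIN_INFOTAINMENT, SPEED_ID, 2, 0, 200), /* wrong direction    */
        gw_make_frame(DOMAIN_CRITICAL, 0x1A1u, 2, 120, 200),     /* unknown identifier */
        gw_make_frame(DOMAIN_CRITICAL, SPEED_ID, 3, 120, 200),   /* wrong length       */
        gw_make_frame(DOMAIN_CRITICAL, SPEED_ID, 2, 900, 200),   /* implausible value  */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("frame %zu: %s\n", i, names[gw_filter(&samples[i], &out)]);
    return 0;
}
```

The point of the design is that the gateway has no notion of "forward unless blocked": the infotainment side can never originate anything that reaches the critical bus, and on the permitted direction only a frame that matches every attribute of a known signal is re-originated, which keeps the touch point small enough to be reviewed and certified as the article demands.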
Part 2 of this two-part article will describe software techniques and strategies that allow car electronics architects to harden the vehicle's internal IT against hacking attempts.
This article originally appeared on EE Times Europe.