This article is part of the Technology Insight series, made possible with funding from Intel.
The kinetic energy of a 3,500-pound Toyota Camry barreling down the freeway at 75 miles per hour is roughly 200 times that of a 12-gauge shotgun blast, so the idea of a hacker compromising one of your car’s critical safety systems is disconcerting, to say the least.
Unfortunately, it’s not as far-fetched as you might think. Back in 2015, researchers Dr. Charlie Miller and Chris Valasek remotely gained access to and executed code on a Jeep Cherokee through its Uconnect infotainment system, demonstrating the ability to affect steering, braking, and acceleration (not to mention triggering a 1.4 million-vehicle recall).
According to Information is Beautiful, an average high-end car uses more than 100 million lines of code across its various computers. That’s double the codebase of Windows Vista. And do you think the automotive industry is more diligent about security than Microsoft? Not according to a 2018 study conducted by the Ponemon Institute. Of 593 surveyed professionals responsible for contributing to or assessing the security of automotive components, 63% of them stated that they test less than half of the hardware, software, and other technologies for vulnerabilities.
The need for better cybersecurity practices in the automotive industry is only going to become more urgent as we accelerate into a world populated by advanced driver-assistance systems.
Compromising the network
“Modern vehicles are made up of several different subnetworks that allow certain components to communicate with each other and ensure that others are isolated from one another,” said Art Dahnert, automotive practice lead for the Synopsys software integrity group. “There are standard interfaces and protocols that can be deployed for any specific feature. For example, Controller Area Network (CAN) bus technologies have been used since the 1980s and are a well-known way to communicate with components in an older architecture.”
Read through enough examples of car hacks, and you’ll start seeing a pattern: Most of them rely on weaknesses in an in-vehicle network whose design is more than 30 years old.
The CAN bus was designed to reduce wiring costs, complexity, and weight in cars with lots of interconnected sensors and controllers. Every device on the network can see the messages broadcast by other devices and decide whether they’re relevant. Data flows constantly, although message size, frequency, and priority all vary.
While the CAN bus offers many benefits, security is not one of them. Electronic control units (ECUs) share the same bus, creating potential bridges between systems that really shouldn’t be linked. Messages are broadcast in the clear, so anyone with access to the bus can sniff and reverse-engineer them. A frame carries an arbitration ID (which doubles as its priority) and a CRC, but the CRC only catches transmission errors and nothing in the frame identifies its sender. Because authentication isn’t part of the architecture, an attacker who reaches the bus can inject CAN data frames under a legitimate ID, and the neighboring ECUs will act on them exactly as they would on the real thing.
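The lack of sender identity is easiest to see on actual bus traffic. The following Python script is an added example, not code from the article or from any vehicle or vendor: it parses candump-style log lines, learns the nominal transmit period of each periodic arbitration ID from a clean baseline capture, and then flags frames that show up mid-cycle. Both captures are constructed for the example, and the IDs, payloads and 10 ms period are illustrative assumptions rather than any real signal database. Injected frames are byte-for-byte as plausible as genuine ones; what betrays them is timing, which is why frequency-based detection is a common first intrusion-detection step on CAN.

```python
import re
import statistics
from collections import defaultdict

# candump "-L" style lines: "(timestamp) interface ID#HEXDATA".
# Both captures are constructed for this example; the IDs and payloads are
# illustrative and do not correspond to any real vehicle's signal database.
BASELINE_LOG = """\
(0.000) can0 0C9#0000A4B00000
(0.010) can0 0C9#0000A4B10000
(0.020) can0 0C9#0000A4B20000
(0.023) can0 2C0#01
(0.030) can0 0C9#0000A4B30000
(0.040) can0 0C9#0000A4B40000
(0.050) can0 0C9#0000A4B50000
"""

# The same bus later on: two frames with a spoofed 0x0C9 payload (00001FFF0000)
# have been injected between the legitimate 10 ms transmissions.
LIVE_LOG = """\
(1.000) can0 0C9#0000A4B80000
(1.010) can0 0C9#0000A4B90000
(1.020) can0 0C9#0000A4BA0000
(1.030) can0 0C9#0000A4BB0000
(1.040) can0 0C9#0000A4BC0000
(1.050) can0 0C9#0000A4BD0000
(1.052) can0 0C9#00001FFF0000
(1.060) can0 0C9#0000A4BE0000
(1.061) can0 0C9#00001FFF0000
(1.065) can0 2C0#01
(1.070) can0 0C9#0000A4BF0000
this line is not a frame and is skipped
"""

CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+(?:\.\d+)?)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Return a list of (timestamp, arbitration_id, payload_bytes), skipping malformed lines."""
    frames = []
    for line in text.splitlines():
        m = CANDUMP_RE.match(line.strip())
        if not m or len(m["data"]) % 2 or len(m["data"]) > 16:
            continue  # not a classic CAN frame line (or an odd number of hex digits)
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames, min_samples=3):
    """Estimate the nominal transmit period of each periodic ID from a clean capture.

    IDs with fewer than min_samples gaps are treated as event-driven and left unmodelled,
    so the detector never raises on them.
    """
    last_seen = {}
    gaps = defaultdict(list)
    for ts, can_id, _ in frames:
        if can_id in last_seen:
            gaps[can_id].append(ts - last_seen[can_id])
        last_seen[can_id] = ts
    return {cid: statistics.median(g) for cid, g in gaps.items() if len(g) >= min_samples}


def detect_injection(frames, periods, tolerance=0.5):
    """Flag frames of a periodic ID that arrive sooner than tolerance * nominal period.

    An injected frame cannot be told apart from the genuine one by its contents, since CAN
    carries no sender identity; what gives it away is that the ID now shows up twice per cycle.
    """
    last_seen = {}
    alerts = []
    for ts, can_id, data in frames:
        if can_id in periods and can_id in last_seen:
            gap = ts - last_seen[can_id]
            if gap < tolerance * periods[can_id]:
                alerts.append({"ts": ts, "id": can_id, "data": data.hex(), "gap": gap})
        last_seen[can_id] = ts
    return alerts


if __name__ == "__main__":
    periods = learn_periods(parse_candump(BASELINE_LOG))
    for alert in detect_injection(parse_candump(LIVE_LOG), periods):
        print(f"{alert['ts']:.3f}s  ID 0x{alert['id']:03X}  data={alert['data']}  "
              f"gap={alert['gap'] * 1000:.1f}ms (expected ~{periods[alert['id']] * 1000:.0f}ms)")
```

Run as-is, the script reports the two spoofed 0x0C9 frames and stays silent on the event-driven 0x2C0 frames, which have no learned period. A detector like this is a signal, not proof: an attacker who first silences the legitimate ECU (for example through a bus-off attack) can take over the ID at its normal cadence, which is one reason the later sections push segmentation and cryptographic authentication rather than monitoring alone.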
To be fair, back when Bosch developed it, there was no way to know the CAN bus would be attacked through those inherent weaknesses. But a lot has changed since then. Advanced driver-assistance systems, designed to make our cars safer and more convenient to operate, now require multiple sensors and actuators to coordinate in order to keep you in your lane or automatically adjust your cruise control. That means ECUs have to talk to each other, so the commands that control steering, braking, and acceleration now travel over the same shared bus as everything else.
What’s more, Bluetooth, Wi-Fi, and cellular radios keep wireless devices in and around your car connected to the internet. “Together, these two design changes enabled the end-to-end hacking that landed us in the security conundrum we find ourselves in today,” according to “A hacker’s guide to fixing automotive security,” written by Charlie Miller himself.
The days when automakers could rely on security through obscurity, banking on the proprietary nature of their systems to keep us all safe, are over. Even the National Institute of Standards and Technology (NIST) agrees, stating, “System security should not depend on the secrecy of the implementation or its components.”
It’s time to get serious about security on the road
Fortunately, the word is out that tomorrow’s connected vehicles require a revamped approach to security. Back in 2016, SAE International released its SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, which defined the world’s first automotive cybersecurity standard. This standard establishes a risk-based approach to get the industry rethinking the way it prioritizes potential vulnerabilities.
What does that even mean, and how is it supposed to work?
“The simplest way to describe a risk-based approach is to identify what risk might look like,” said Synopsys’ Dahnert. “In the case of a vehicle, this would most likely be a risk ranking of its various subcomponents. Think of it as a list of the more important components to secure ranked by some criteria. This might start with safety items like braking and steering, followed by cabin security and engine control. Risk can also be identified by the likelihood of a malicious attack or by its potential impact, which may be a crash due to brake failure. The criteria and ranking are subjective for each automaker, and they’ll be different across the industry. This ranking occurs at the beginning of a project, where it is less expensive to identify and fix vulnerabilities.”
Believe it or not, addressing security during the requirements and design phase is the exception, rather than the rule, since most OEMs currently wait until the post-release phase (or later) to assess automotive technology components for vulnerabilities. Dahnert continued, “Fixing security weaknesses at this point can become expensive, especially if hardware needs to be redesigned. Additionally, this type of assessment may only uncover implemented vulnerabilities but not be able to detect design flaws that might linger in a product for years before they are uncovered. This has happened in a remote keyless entry feature recently.”
An upcoming generation of cars armed with cellular vehicle-to-everything (C-V2X) communications will add more connectivity to support cool new features like platooning.
So, even if automakers are more diligent about developing with security in mind, they’re going to have to face a new breed of attacks from a longer list of attack vectors. Light detection and ranging (lidar), radar, cameras, ultrasonic presence detection, and GPS are all controlled by software that might be targeted over next-gen wireless technologies in a remote attack.
Today, automakers can use gateways to isolate internet-connected devices from safety-critical networks. Gateways are also used to bridge the many protocols modern vehicles rely on, including the low-speed local interconnect network (LIN), the CAN bus, FlexRay, and Ethernet. Like the firewalls and routers in an enterprise network, an automotive gateway may be tasked with inbound and outbound traffic filtering, intrusion detection, certificate handling, and over-the-air (OTA) firmware updates.
Fiat Chrysler Automobiles started implementing its own Secure Gateway Module (SGM) in much of its 2018 product line. The SGM creates a firewall between the data link connector, the telematics system, and all the other ECUs, which are considered private. Without authenticating through Chrysler’s network, you wouldn’t be able to program an ECU or clear diagnostic codes. A presentation by Abe Garza, a research engineer at the Southwest Research Institute, suggests that gateways will continue to serve an important purpose in a future rife with connected vehicles.
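What a gateway's filtering policy looks like in practice is easier to reason about in code. The Python below is an added example and not FCA's SGM, Synopsys' work, or any production gateway: it models the segmentation described in the two paragraphs above as a default-deny rule set between the data link connector ("obd"), the telematics domain, and the private powertrain bus. The UDS service identifiers and ISO-TP framing follow ISO 14229 and the conventional 0x7E0 to 0x7EF diagnostic IDs; the domain names, the set of signals published to telematics (0x0C9, 0x1A1) and the `authenticated` flag, which stands in for whatever backend handshake the OEM uses, are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


# UDS service identifiers (ISO 14229). Diagnostic requests ride on CAN inside ISO-TP
# frames: a single frame starts with 0x0L (L = length) followed by the SID; the first
# frame of a segmented message starts with 0x1L LL and carries the SID in byte 2.
READ_ONLY_SERVICES = {0x19, 0x22, 0x3E}  # ReadDTCInformation, ReadDataByIdentifier, TesterPresent
STATE_CHANGING_SERVICES = {0x10, 0x11, 0x14, 0x27, 0x2E, 0x31, 0x34, 0x36, 0x37}
# DiagnosticSessionControl, ECUReset, ClearDiagnosticInformation, SecurityAccess,
# WriteDataByIdentifier, RoutineControl, RequestDownload, TransferData, RequestTransferExit

DIAG_REQUEST_IDS = range(0x7E0, 0x7E8)     # conventional OBD physical request IDs
DIAG_RESPONSE_IDS = range(0x7E8, 0x7F0)    # matching response IDs
PUBLISHED_TO_TELEMATICS = {0x0C9, 0x1A1}   # assumption: read-only signals the head unit may consume


def uds_service(data):
    """Return the UDS SID of an ISO-TP single or first frame, or None for other frames."""
    if len(data) >= 2 and data[0] >> 4 == 0x0:
        return data[1]
    if len(data) >= 3 and data[0] >> 4 == 0x1:
        return data[2]
    return None  # consecutive (0x2x) and flow-control (0x3x) frames carry no SID


def gateway_decide(src, dst, frame, authenticated=False):
    """Decide whether `frame` may cross from domain `src` to domain `dst`. Default is deny.

    `authenticated` models the state the gateway reaches after the OEM backend has
    authorised the connected tool; how that handshake works is out of scope here.
    Returns (allowed, reason).
    """
    if src == "obd" and dst == "powertrain":
        if frame.can_id not in DIAG_REQUEST_IDS:
            return False, "only diagnostic request IDs may enter from the data link connector"
        sid = uds_service(frame.data)
        if sid in READ_ONLY_SERVICES:
            return True, "read-only diagnostic service"
        if sid in STATE_CHANGING_SERVICES or sid is None:
            # Simplification: a real gateway tracks ISO-TP transfers. Here any request that
            # changes ECU state, or that cannot be classified, needs the authenticated session.
            if authenticated:
                return True, "authenticated diagnostic session"
            return False, "state-changing or unclassified request requires authentication"
        return False, "service not on the allowlist"
    if src == "powertrain" and dst == "obd":
        if frame.can_id in DIAG_RESPONSE_IDS:
            return True, "diagnostic response"
        return False, "private bus traffic does not leave the powertrain domain"
    if src == "powertrain" and dst == "telematics":
        if frame.can_id in PUBLISHED_TO_TELEMATICS:
            return True, "published read-only signal"
        return False, "signal not published to telematics"
    if src == "telematics" and dst == "powertrain":
        return False, "telematics never writes to the powertrain bus"
    return False, "no rule for this path"


if __name__ == "__main__":
    # Constructed frames for the demo.
    read_vin = Frame(0x7E0, bytes.fromhex("0322F190"))      # ReadDataByIdentifier, DID F190 (VIN)
    clear_dtcs = Frame(0x7E0, bytes.fromhex("0414FFFFFF"))  # ClearDiagnosticInformation, all groups
    prog_session = Frame(0x7E0, bytes.fromhex("021002"))    # DiagnosticSessionControl, programming
    speed = Frame(0x0C9, bytes.fromhex("0000A4B80000"))     # a broadcast signal, not a diagnostic request
    cases = [
        ("obd", "powertrain", read_vin, False),
        ("obd", "powertrain", clear_dtcs, False),
        ("obd", "powertrain", clear_dtcs, True),
        ("obd", "powertrain", prog_session, False),
        ("obd", "powertrain", speed, False),
        ("telematics", "powertrain", read_vin, True),
        ("powertrain", "telematics", speed, False),
    ]
    for src, dst, frame, auth in cases:
        allowed, reason = gateway_decide(src, dst, frame, auth)
        print(f"{src:>10} -> {dst:<10} 0x{frame.can_id:03X} auth={auth!s:5} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Two things the rule set makes explicit that the prose leaves implicit: a spoofed broadcast frame arriving at the OBD port is dropped because it is not a diagnostic request at all, regardless of authentication, and the telematics side has no path to the powertrain bus under any condition, which is the property that breaks the remote infotainment-to-brakes chain described earlier.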
The same presentation also lists strong standards like the Security Credential Management System (SCMS), validation, and encryption as defensive strategies for securing connected and self-driving vehicles. Miller and Valasek shared some of the same suggestions. Their own risk-based approach identifies remote attacks that threaten the safety of passengers as top priority. Beyond dropping a gateway module between networked devices that need to be segregated, they set forth a list of best practices to minimize attack surfaces, improve trust levels through cryptographic verification, and sniff out anomalies with threat detection.
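"Cryptographic verification" on a bus that was designed without it usually means appending a message authentication code and a freshness value to each frame, the approach standardised for AUTOSAR as SecOC. The Python below is an added example illustrating that idea, not code from the article, from Miller and Valasek, or from any AUTOSAR stack: the 8-byte payload layout (2 bytes signal, 2 bytes counter, 4 bytes truncated MAC), the use of HMAC-SHA256 instead of the AES-CMAC that SecOC profiles typically specify, and the demo key are all assumptions chosen so the script runs with the standard library alone. The receiver rejects forged frames, frames replayed under a different arbitration ID, and straight replays of a genuine frame.

```python
import hashlib
import hmac
import struct

# Payload layout for an 8-byte classic CAN frame (an assumption for this example, not the
# AUTOSAR SecOC profile layout): 2 bytes signal | 2 bytes freshness counter | 4 bytes truncated MAC.
SIGNAL_LEN, COUNTER_LEN, TAG_LEN = 2, 2, 4


def _tag(key, can_id, body):
    # Binding the arbitration ID into the MAC stops a valid frame from being replayed under
    # another ID. HMAC-SHA256 is used because it is in the standard library; SecOC
    # deployments typically use AES-CMAC with a key provisioned per ECU.
    return hmac.new(key, struct.pack(">I", can_id) + body, hashlib.sha256).digest()[:TAG_LEN]


def protect(key, can_id, signal, counter):
    """Build an authenticated 8-byte payload for `signal` (0..65535) with the given counter."""
    body = struct.pack(">HH", signal, counter)
    return body + _tag(key, can_id, body)


class Verifier:
    """Receiver-side check: right key, right ID, and a counter that only moves forward."""

    def __init__(self, key):
        self.key = key
        # Highest accepted counter per ID. A 16-bit counter wraps quickly on a 10 ms signal;
        # real systems synchronise a larger freshness value and transmit only its low bits.
        self.last_counter = {}

    def verify(self, can_id, data):
        if len(data) != SIGNAL_LEN + COUNTER_LEN + TAG_LEN:
            return "bad_length", None
        split = SIGNAL_LEN + COUNTER_LEN
        body, tag = data[:split], data[split:]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, body)):
            return "bad_mac", None   # forged, tampered, or replayed under another ID
        signal, counter = struct.unpack(">HH", body)
        if counter <= self.last_counter.get(can_id, -1):
            return "replay", None    # counter did not advance
        self.last_counter[can_id] = counter
        return "ok", signal


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
    rx = Verifier(key)
    genuine = protect(key, 0x0C9, 4200, 1)
    print("genuine: ", rx.verify(0x0C9, genuine))
    print("replayed:", rx.verify(0x0C9, genuine))
    tampered = bytearray(protect(key, 0x0C9, 4300, 2))
    tampered[0] ^= 0xFF
    print("tampered:", rx.verify(0x0C9, bytes(tampered)))
    print("wrong id:", rx.verify(0x0CA, protect(key, 0x0C9, 4300, 2)))
    print("no key:  ", rx.verify(0x0C9, bytes(8)))
```

The cost is visible in the layout: authentication eats six of the eight payload bytes, which is why real deployments truncate both the MAC and the freshness value aggressively and reserve the scheme for safety-relevant signals. It also does nothing against an attacker who obtains the key from a compromised ECU, so key storage belongs in the hardware-rooted protections discussed in the next section rather than in flash next to the application code.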
Simplifying for safety
Intel’s approach to those challenges involves consolidating the complex web of ECUs in a modern automobile onto a smaller number of higher-performance processors that execute the functions of multiple systems. It costs less to design and test them compared to a myriad of disparate chips that must interoperate securely. They’re more future-proof, thanks to support for software-based upgrades, and, provided the consolidated workloads are kept isolated from one another, they present a smaller attack surface.
For the automotive ECUs that can’t be easily condensed, Intel is exploring ways to scale down its security technology, isolating computing tasks to safeguard the most critical hardware and software subsystems.
The company is also working with industry leaders in autonomous driving to build frameworks for designing, developing, verifying, and validating safe automated vehicles. Its Responsibility-Sensitive Safety (RSS) model was recently expanded in a paper titled “Safety First for Automated Driving,” which establishes 12 guiding principles that safe autonomous vehicles must support and the steps necessary for realizing them. As part of this more macro vision of safety, Intel’s RSS applies real math to common sense driving, establishing a safety envelope around an AV’s decision-making capabilities.
Facing the challenges ahead
From archaic in-vehicle networking technologies to modern wireless communications, today’s cars seem like a mishmash of security nightmares packed into a metal frame propelled at high speeds. Are we seriously willing to take our hands off the steering wheel and ride in the back seat as computers make important decisions?
Fortunately, yesterday’s vulnerabilities are inspiring tomorrow’s security decisions, not defining them. Automakers are painfully aware that security is an expectation, not a feature, and they’re building up their own cybersecurity teams. Companies like Synopsys are augmenting those efforts by helping develop, implement, and verify security initiatives.
This isn’t a matter of reinventing the wheel, either. “[S]ecuring a self-driving car is not significantly different than securing any other computer network,” said researchers Miller and Valasek. “We use the same techniques as we would to secure a very small enterprise network, or more precisely, a small industrial control network. For the most part, we don’t need to invent new ways to secure things. We only need to carefully apply industry best practices to this particular problem.”
Best of all, there’s precedent for what the automotive industry is facing. In an email to VentureBeat, the Southwest Research Institute’s Garza said, “Vehicles are not the only safety-critical systems that have had to be hardened against cyber-attacks. The power (power plants, smart grid, oil and gas) and healthcare industries also rely on safety-critical systems to function. As you’ve probably heard in recent years, those industries have also seen an increase in awareness on cyberthreats and are addressing those threats in a way that best fits their needs. While automotive may be one of the farthest-reaching industries, there are still lessons that can be learned from other industries that have faced similar challenges.”
UPDATED Oct. 15, 2019