Car security has been a major challenge for engineers in automotive design, and with new threats emerging the stakes are getting even higher.

With the amount of computing power in cars expected to increase by 100x between 2015 and 2020, hackers are finding ways to break into cars and control functions from radio to braking. Let’s look at some of the challenges in designing a secure car and what can be done to address them.

In the security world people talk about the attack surface of a system. A small surface means few opportunities to get in; a large one means lots of opportunities. In the old world the only way in was by attacking the wiring in the car, to slot yourself into the messages passing between the silver boxes of electronics (the “ECUs”) and create your own messages to hijack the car.

A great example is when criminals drill into the floor pan where they know a wire passes. They connect a probe to the wiring and then use it to trick the doors into opening and the immobiliser into disabling itself. While this is an effective mechanism, it’s not something that scales. Even so, quite a few expensive cars were (and still are) stolen that way!

More tech, more trouble?

When you look at modern cars and those currently being designed, they are distributed systems with miles of wire and many ways in if you can get physical access. That starts to tell you why the problem is a tricky one. Until recently the only embedded radio was the one that gives you keyless entry, and the car industry didn’t get off to a good start with that, as a number of examples showed how people could defeat it with signal boosters or by mimicking the key signal.

People have even shown how it’s possible to confuse the IVI system through the FM RDS system. A fake radio source next to the car sends a corrupt RDS message that the software wasn’t expecting, and the radio crashes. Not a serious problem of course, but it shows just how hard security is, and that’s not specific to cars.

In summary it’s not difficult to see how adding lots of radio interfaces, combined with a lot more software, is a bit of a step change for the industry. While these are significant challenges, much work has been done to address this area and it continues to be central to a lot of people’s thoughts within the industry.

“Trust no one” is the mantra for security. When you think about it, the designer must make sure every hole is closed. A hacker can choose any point to attack from and only needs to find a single hole. Charlie Miller’s recent keynote at ARM TechCon highlighted just how many vehicles are susceptible to a hacker with enough technical knowledge and motivation.

Figure 1: Graphic image of Charlie Miller’s keynote at ARM TechCon.

Benefits of FOTA

While on one hand it’s important to build cars with a strong security foundation, it’s also imperative to be able to fix problems when they occur, because they “will” occur. A car’s typical life is well over 10 years and it needs to be as secure then as it is now. The key is to accept that hackers do eventually find ways in, and to therefore build a system that can and will be fixed. Currently, virtually all car software upgrades are still done via a cable in a dealership or other authorised service agent, requiring appointments and labour cost. Everyone can see this is not a scalable solution.

That means firmware over the air (FOTA), which sends out security patches for the car to download automatically within days or even hours of a problem being found, is vital to aim for. It’s quite frightening how many car owners don’t take their car in for a recall, even if the problem is serious.

Figure 2 (software-related recalls chart): It’s quite frightening how many car owners don’t take their car in for a recall, even if the problem is serious.

The key to a successful OTA software maintenance system is the ability to reliably establish the trustworthiness of vehicle networks. A proper security foundation ensures that the upgrader is not actually communicating with a compromised system. A trusted system is one whose identity, integrity and manifest of software components can be authenticated. Automotive OTA systems will often attest these properties of a system before authorising an upgrade.

A hardware-based root of trust can act as a strong foundation for FOTA, as it can measure a platform and securely communicate with the remote OTA system (run by the OEM or its proxy). There are real opportunities for software vendors to develop the framework for this OTA connection and provisioning.
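The attest-before-upgrade exchange described above, as an added example that is not code from the article or from ARM: the root of trust measures each firmware component into a manifest and signs a quote bound to the OTA server’s nonce, and the server checks the signature, freshness and manifest before authorising a patch. The per-device HMAC key, the component names and the device identifier are constructed assumptions that stand in for the real hardware-backed signing key.

```python
import hashlib
import hmac
import json
import os

# Constructed sample data: key provisioned into the hardware root of trust (assumption:
# a symmetric per-device key is used here in place of an asymmetric attestation key).
DEVICE_KEY = b"per-device-key-provisioned-in-root-of-trust"
# Constructed firmware images for three ECUs and the OEM's expected manifest of their hashes.
FIRMWARE = {"ivi": b"ivi v1.2 image", "gateway": b"gw v3.0 image", "brake-ecu": b"brake v2.1 image"}
EXPECTED_MANIFEST = {name: hashlib.sha256(img).hexdigest() for name, img in FIRMWARE.items()}


def measure_platform(firmware):
    """Root-of-trust side: hash every software component into a manifest."""
    return {name: hashlib.sha256(img).hexdigest() for name, img in firmware.items()}


def attest(firmware, nonce, device_id, key=DEVICE_KEY):
    """Produce a quote: identity plus measured manifest, bound to the server's nonce and keyed."""
    payload = json.dumps(
        {"id": device_id, "nonce": nonce.hex(), "manifest": measure_platform(firmware)},
        sort_keys=True,
    ).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


def verify_quote(payload, tag, nonce, expected_manifest, key=DEVICE_KEY):
    """OTA server side: check the tag, the freshness and every expected component hash."""
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return False, "bad quote signature"
    quote = json.loads(payload)
    if quote["nonce"] != nonce.hex():
        return False, "stale quote (possible replay)"
    bad = [n for n, h in expected_manifest.items() if quote["manifest"].get(n) != h]
    if bad:
        return False, f"unexpected components: {bad}"
    return True, "trusted"


def authorise_upgrade(firmware, device_id="VIN-EXAMPLE-0001"):
    """Full exchange: server issues a nonce, device attests, server decides whether to push a patch."""
    nonce = os.urandom(16)
    payload, tag = attest(firmware, nonce, device_id)
    return verify_quote(payload, tag, nonce, EXPECTED_MANIFEST)


if __name__ == "__main__":
    print(authorise_upgrade(FIRMWARE))
    print(authorise_upgrade(dict(FIRMWARE, gateway=b"gw v3.0 image with implant")))
```

A device whose gateway image no longer matches the manifest is refused the upgrade path, which is the point of measuring before provisioning: the patch must not be handed to a system that is already compromised.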

Another method of preventing attacks is through reporting. In the same way that a loud car alarm is a deterrent for a thief attempting to enter a car, there are companies such as TowerSec (now part of Harman) working on systems that can detect a likely intrusion and flag a possible safety concern.

As one team

Due to the extended supply chain within the industry, building a secure car is a team effort. The goal is to minimise the amount of attack surface available to hackers, a concern that the smartphone industry has been addressing for quite some time now. Leveraging practices that have proved successful in this area will provide a good starting point for the ecosystem to collaborate on what the future of automotive security looks like. Automotive OEMs can help by specifying and using several software and hardware technologies including:

  • Hardware-based Trusted Execution Environments (TEE)
  • A security microvisor in MCUs
  • Security subsystems that operate within a hardware security module (HSM)

New standards are also emerging for management of the TEE with the recent announcement of the Open Trust Protocol. This uses a combination of PKI/CA and simplified TEE management to manage and ensure trust between all devices and service providers.

Mobile levels of security architecture are coming to low-cost MCUs, providing a real opportunity for the automotive industry to build new layers of hardware-based security for the first time.

The future of automotive brings with it many challenges, security chief amongst them, but there is time for the industry to get it right. Car makers are taking it seriously, with structural reorganisations to bring security expertise together into centres of excellence rather than it being spread out and ad hoc. ARM is working with partners across the supply chain to build up the standard of security knowledge and implementation, to make the next generation of cars even safer.

First seen on EE Times.

Richard York is responsible for the embedded segment marketing at ARM.