Automotive Security: Deterministic protection of connected vehicles
Many car OEMs have realized that they must manufacture and sell connected cars in order to stay competitive. GM was one of the industry’s pioneers, selling connected cars equipped with the OnStar TCU in 1997. Data-only telematics was introduced in 2003 and was gradually adopted by global OEMs. Nowadays even the late adopters (without mentioning names) offer built-in connectivity in their vehicles.
However, connectivity comes at a price. To date, every connected technology product has been trailed by hacking attempts driven by financial or terrorist motives.
In March of this year, Tencent Keen Security Lab published a security blog post describing how they gained full control over a new generation of in-vehicle infotainment units and TCUs, sent malicious CAN commands to different electronic control units (ECUs), and caused the car to perform unexpected physical – and sometimes safety-critical – actions. This adds to similar attacks on Tesla, BMW, and other OEMs’ cars. A recent study by MarketsAndMarkets projects that the global automotive cybersecurity market will grow from USD 1.9 billion in 2020 to USD 4.0 billion by 2025, at a CAGR of 16.5%. In addition to risks to human life, the industry is confronted with direct financial losses, legal liability, and damaged reputation.
Automotive systems are complex, and are designed for the long term
The average passenger car life expectancy is between 10 and 12 years. Even if the way cars operate remains the same, cybercriminals are constantly changing their attack strategies. Even when manufacturers or customers quickly identify an exploited vulnerability, closing it on all devices often takes too long, leaving attackers plenty of time to do damage. In any case, traditional security solutions known from IT cannot be transferred as-is to the vehicles’ ECUs. Conventional IT systems rely heavily on daily anti-virus and malware signature updates in order to fend off attacks. Such frequent updates are not possible with vehicles. Even with over-the-air updates, the typical frequency of software updates is expected to be once or twice per quarter, leaving hackers wide time windows in which to exploit reported vulnerabilities.
The pressure on manufacturers is increasing
In addition to the threat of damage to their reputation in the event of a known vulnerability, Tier-1 suppliers and OEMs of connected cars are increasingly exposed to pressure from the public and from regulatory authorities. More and more regulations are being enacted worldwide to force manufacturers to secure connected devices such as automotive ECUs. Examples are UNECE WP.29, ISO standard 21434 and the NHTSA Cybersecurity Guidelines. Those regulations put the security burden on manufacturers, whose R&D organizations must adopt cybersecurity methods, such as secured design and security validation, which are foreign to those organizations, disrupt finely tuned processes, and introduce time-to-market delays.
Deterministic Security: Embedded Seamlessly to R&D
When choosing a security solution, companies should therefore make sure that the work of their software developers does not become even more difficult. Companies can benefit from the unique feature of embedded systems: their deterministic nature. ECUs, FPGAs and other embedded controllers are designed to execute only certain commands, and they must not be changed by the end user. Taking advantage of the connected ECUs’ immutable nature, embedded security solutions can form a deterministic security approach.
Deterministic cybersecurity solutions harden the ECU against unauthorized changes, and rely on the concept of Control Flow Integrity (CFI): the trustworthiness of function calls and function returns is automatically checked against a “known good state” of the ECU software’s function-call graph. If a deviation from the graph is detected, it is deterministically prevented and reported. In this way, the ECU is self-protected: the system detects and blocks the change (i.e., the attack attempt) without relying on malware signature updates, and before the ECU is hacked and the vehicle is infiltrated by adversaries.
Such a deterministic approach is not new; Google, for example, has implemented it in its Android mobile OS (another type of immutable software). The deterministic nature of CFI makes it possible to protect safety-critical ECUs, such as gateways (ASIL-B level) and ADAS (ASIL-D level). TCUs are currently the main connectivity path into the car and, as such, they represent a prime target for cyber criminals. Protecting TCUs against cyberattacks, and hardening them deterministically, is paramount – with the goal of ensuring consumers’ safety as well as their data privacy.
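As an added illustration (not Karamba Security’s product code), the C sketch below shows the CFI check described above in its simplest form: a table of known-good call-graph edges recorded at build time, plus a shadow stack for return integrity. Any call or return that deviates from the recorded graph is blocked and counted; the function names and the call graph are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One edge of the function-call graph: caller -> callee. */
typedef struct { uint16_t from, to; } cfi_edge_t;

/* Constructed "known good" call graph for a toy ECU image (not real firmware). */
enum { F_MAIN = 0, F_RX_FRAME, F_PARSE, F_APPLY_TORQUE, F_DIAG_WRITE, F_COUNT };
static const cfi_edge_t known_good[] = {
    {F_MAIN, F_RX_FRAME}, {F_RX_FRAME, F_PARSE}, {F_PARSE, F_APPLY_TORQUE},
    {F_MAIN, F_DIAG_WRITE},
};

/* Shadow stack of callers, used to validate every return. */
#define SHADOW_DEPTH 32
static uint16_t shadow[SHADOW_DEPTH];
static size_t shadow_top;
static unsigned violations;

static bool edge_allowed(uint16_t from, uint16_t to) {
    for (size_t i = 0; i < sizeof known_good / sizeof known_good[0]; i++)
        if (known_good[i].from == from && known_good[i].to == to) return true;
    return false;
}

/* Checked on every call: an edge missing from the graph is blocked and reported. */
bool cfi_call(uint16_t from, uint16_t to) {
    if (!edge_allowed(from, to) || shadow_top >= SHADOW_DEPTH) {
        violations++;
        printf("CFI: blocked call %u -> %u\n", from, to);
        return false;
    }
    shadow[shadow_top++] = from;
    return true;
}

/* Checked on every return: the target must be the caller recorded on the shadow stack. */
bool cfi_return(uint16_t to) {
    if (shadow_top == 0 || shadow[--shadow_top] != to) {
        violations++;
        printf("CFI: blocked return to %u\n", to);
        shadow_top = 0; /* discard the corrupted stack rather than trust it */
        return false;
    }
    return true;
}

unsigned cfi_violations(void) { return violations; }
void cfi_reset(void) { shadow_top = 0; violations = 0; }
```

In a real ECU the edge table would be generated from the firmware build and the checks inserted by instrumentation; the sketch only shows why no signature update is needed to reject a transition the graph never contained.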
Author:
Eli has been leading the innovation at Karamba Security since 2017. He is also the chairman of the Israeli Mirror Committee of the SAE/ISO 21434 automotive cybersecurity standard. Before Karamba Security, Eli served in various technology leading positions at HP Software, HP Labs, and Mercury Interactive. Eli has more than 30 years of experience in the technology world.
Published in Telematics Wire