Everyone has a role to play in connected vehicle security: NCC Group
Andy Davis, Research Director & Automotive Security Expert | NCC Group
The profile of connected car security has risen dramatically over the last couple of years. As vehicle systems adopt more and more sensor and data processing technologies, their complexity increases, and so does the attack surface – the number of potential entry points that cyber criminals can attack.
The security research community is now engaged in investigating just how insecure some of these vehicle systems are. Traditionally they have been isolated, embedded systems, designed with the mind-set that they would never be connected to the Internet or exposed to remote attackers.
An example from earlier this year of such research is the DARPA-funded examination of the General Motors “OnStar” telematics solution, which resulted in a demonstration of a cyberattack that would enable remote attackers to control cyber-physical functions, such as steering or braking, within a target vehicle. The prospect of malicious remote attacks against vehicle systems in future is therefore a very real threat.
How big a concern is the security of connected vehicles?
Before discussing how an attacker might try to compromise a vehicle, let’s first discuss why they might want to; cyberattacks require technical capability, time and potentially expensive resources, so if the Return on Investment for an attack is too low, attackers will look for a cheaper, alternative approach.
Traditionally, attacks against vehicles have all been about theft of a vehicle or the contents of a vehicle; however, with cyberattacks there are many more possibilities. These are outlined in the table below:
How might an attacker try to compromise a vehicle?
Modern connected vehicles have many different interfaces that enable them to communicate with other systems – some require physical connectivity, such as USB (used for transferring music files to the vehicle) or the vehicle diagnostics port (used at dealerships to diagnose faults).
Other interfaces use short-range wireless communications; these include Bluetooth (for mobile phone hands-free usage), Tyre Pressure Monitoring Systems that communicate the pressure, temperature and rotational speed of the tyres to an on-board receiver and Remote Keyless Entry systems that enable the car to be unlocked if the key fob is within range of the vehicle.
Finally, we have longer-range wireless interfaces such as WiFi, Digital Radio (DAB) and connectivity to mobile networks for telematics communications.
The most likely systems to be attacked in a vehicle (as they contain the most interfaces) are the Telematics Control Unit (TCU) and the Infotainment system. The impact to the vehicle of attacks against these systems will largely depend on the vehicle’s network architecture. For example, if an Infotainment system has a direct connection to the CAN bus, which in turn is connected to an ECU that controls automatic parking, then an attacker who has successfully compromised the infotainment system (e.g. via WiFi) can pivot their attack toward the ECU and send malicious CAN commands to control the vehicle’s steering. Therefore, as with more conventional IT systems, cyber security in vehicles not only concerns the design and configuration of discrete systems, but also how they are connected and appropriately segregated.
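The architectural point above can be checked mechanically during threat modelling. The following is an added example, not code from NCC Group or the original article: a reachability check over three constructed network models (flat, segregated, and segregated with a misconfigured gateway). All bus names, component names and forwarding rules are assumptions made for illustration.

```python
from collections import deque

# Constructed models of the architectures discussed above. All bus, component
# and rule names are assumptions made for this example.
FLAT = {  # infotainment shares one CAN bus with the parking ECU
    "buses": {"can_main": {"infotainment", "tcu", "park_assist_ecu"}},
    "forward": set(),
}
SEGREGATED = {  # gateway only passes chassis data up to the head unit
    "buses": {
        "can_infotainment": {"infotainment", "tcu", "gateway"},
        "can_chassis": {"gateway", "park_assist_ecu"},
    },
    "forward": {("can_chassis", "can_infotainment")},
}
# Same wiring, but the gateway also forwards head-unit frames to the chassis bus.
MISCONFIGURED = {
    "buses": SEGREGATED["buses"],
    "forward": SEGREGATED["forward"] | {("can_infotainment", "can_chassis")},
}
CRITICAL = {"park_assist_ecu"}


def reachable_components(arch, entry):
    """Components that can receive frames sent by a compromised `entry`.

    Assumes gateways are not themselves compromised and forward frames only
    along the (source bus, destination bus) pairs listed in arch["forward"].
    """
    start = [bus for bus, members in arch["buses"].items() if entry in members]
    seen, queue = set(start), deque(start)
    while queue:
        bus = queue.popleft()
        for src, dst in arch["forward"]:
            if src == bus and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    reached = set().union(*(arch["buses"][bus] for bus in seen))
    return reached - {entry}


def exposure(arch, entries, critical=CRITICAL):
    """Map each externally exposed unit to the critical ECUs it can reach."""
    return {e: sorted(reachable_components(arch, e) & critical) for e in entries}


if __name__ == "__main__":
    for name, arch in [("flat", FLAT), ("segregated", SEGREGATED),
                       ("misconfigured", MISCONFIGURED)]:
        print(name, exposure(arch, ["infotainment", "tcu"]))
```

An empty list for every exposed unit is the design goal; the misconfigured model shows that a single extra forwarding rule restores the exposure of the flat design.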
Who is best positioned to secure the connected vehicle?
Everyone who deals with connected vehicles has a part to play: from OEMs, who need to design more secure vehicle architectures and mandate to their suppliers that security needs to be there by default on ECUs, to the suppliers, who need to move away from the “embedded design mind-set”, which includes outdated approaches such as “security through obscurity”, to dealerships that connect via diagnostics ports to cars and handle vehicle firmware updates.
Many people within the automotive industry are seeking security standards to assist them with this process and there are standards currently in development, such as J3061 “Cybersecurity Guidebook for Cyber-Physical Automotive Systems” from the SAE (Society of Automotive Engineers).
However, it is important that the industry does not confuse cyber security standards with their well-established safety standards. Research published at last year’s European escar conference compared the CERT C coding standard to the MISRA-C safety standard (that some vendors are now claiming to be a security standard). The researchers found that 43% of the CERT security standard was missing from MISRA and that 1% of the standards actually contradicted each other.
Questions from politicians and lawyers
In the US the security of connected vehicles has caught the interest of politicians, such as Senator Ed Markey, who issued a report claiming that “OEMs haven’t done their part to secure the vehicle”. In another move, Dallas-based trial attorney Marc R. Stanley filed a class action lawsuit against Toyota, Ford and General Motors for “failing to address a defect that allows cars to be hacked and control wrested away from the driver”. Only time will tell how the industry reacts to such approaches.
How can vehicle systems be secured?
At NCC Group, along with our automotive partner, SBD, we are actively engaging with members of the automotive industry, to encourage them to safeguard their vehicles from attack by implementing secure development practices within their organizations. These practices include thorough threat modelling of individual vehicle components and entire end-to-end solutions, training developers in secure code development, code review for software and firmware developed in house and by third parties, regular penetration testing of supporting infrastructure, and white and black-box security assessments of vehicles and vehicle subsystems, both in isolation and when deployed in a final end-to-end solution.
The ASDL (Automotive Secure Development Lifecycle) is a hardware and software engineering approach to cyber security assurance, covering the entire development lifecycle within the automotive world. The model is intended to provide security assurance at each stage in the development lifecycle of vehicles and vehicle components.