Exploring an overlooked opportunity to make connected car security airtight
With 75% of new cars expected to come equipped with wireless connectivity by 2020 according to BI Intelligence, these vehicles will ultimately become integral components of our digital world. More specifically, they will have a dominant role in the Internet of Things (IoT), with the potential to transform the driving experience.
This opportunity does not come without considerable risk, especially as connectivity expands to include untrusted networks and embedded automotive operating systems become more open. With passenger lives on the line, auto makers join an expanding group of IoT stakeholders that must treat security as a first-order requirement when identifying and managing potential risks.
Security solutions adopted by the automotive industry thus far represent a strong start, but lack detailed specification and a mature, standardized framework. In reality, today's connected car is an evolution of patchwork systems that were not designed with cyber security as a priority. But it is still early days and there is ample time to start retooling strategies. The automotive sector can make fundamental adjustments without having to reinvent the wheel entirely. The critical task is to protect the data at rest and the data in motion associated with control units, since compromise of either can ultimately lead to physical manipulation of the car. Additionally, connected cars should be re-architected with modularized software and control units governed by Role Based Access Control (RBAC), together with proactive measures for software updates and rapid fixes delivered through an over-the-air (OTA) system.
Moving at the speed of air
Today's connected car security initiatives comprise in-house solutions being built under wraps by the auto makers, a range of vendor solutions and larger industry initiatives that have yet to produce an end-to-end security solution. No security system will ever be ironclad; it will need to evolve constantly as threats and vulnerabilities are discovered, which makes it critical to have a way to patch those gaps rapidly. Therefore, the speed at which OTA fixes can be deployed once a vulnerability is exposed represents a major overlooked opportunity in automotive security.
OTA can be used for managing automotive firmware and software, such as core Electronic Control Units (ECUs), navigation maps, infotainment and telematics, while providing OEMs and car dealerships with significant cost savings. The security opportunity for OTA comes as the car industry's adoption of the technology is growing in all major software segments. The worldwide total OEM cost savings from OTA software update events is forecast to grow from $2.7 billion in 2015 (primarily from savings related to updating telematics systems) to more than $35 billion in 2022, with telematics and infotainment system updates comprising most of the savings.
Further, the SPY Car Act of 2015 directs the National Highway Traffic Safety Administration (NHTSA) to work with the Federal Trade Commission on cyber-security guidelines for OEMs. As new rules and regulations are enacted, OEMs could use efficient, OTA-based methods to update software in vehicles that are already in service. One of the main reasons for OEMs to pursue an OTA strategy is to address the increasing number of software-driven recalls, which analysts predict represent as much as half of total recalls. Moreover, a robust OTA platform can fundamentally transform sales and customer retention models by enabling new revenue generation opportunities based on value-added security offerings.
Closing the front door
Connected car security must be robust, hardware-assisted and distributed across multiple layers of defense. The layered model has proven successful in other industries, taking a modular software design approach that incorporates security from the ground up, with special attention given to protecting the integrated car control and steering system. After all, the safety of passengers cannot be assured without a well-architected security solution that incorporates hardware isolation for critical blocks, OS-level virtualization and sandboxed application execution environments. These need to be built on hardware-assisted blocks and tightly integrated with the embedded system's security infrastructure and enablers. This approach (see figure 2) isolates and limits the damage from a security attack, while allowing for quick fixes via OTA.
Putting OTA into play
A robust OTA platform gives automakers the flexibility to remotely upgrade the ECU and other components and to push security patches in an unobtrusive fashion. OTA campaigns can be managed intelligently using a rules engine to identify interdependencies and operational requirements (e.g., time of day, car state, etc.). Key considerations for a good OTA platform for connected cars include:
- Robust client-server security architecture (beyond OMA-DM) that includes strong authentication, an air-tight mechanism for protecting package integrity and authenticity (cryptographically signed packages verified on the vehicle before installation), and end-to-end encryption for data privacy
- Implementation of hardware-assisted secure boot and runtime tamper detection for the core elements of the OTA system, e.g. the OTA Manager and the Update Installer
- Security-hardened pre-installed, mobile and third-party apps, using techniques such as code obfuscation, anti-debug and checksums to raise the cost of malware and dedicated attacks; note that these techniques slow reverse engineering but do not replace cryptographic verification of what is installed
- Network Discovery and Authentication: secure SIM-based authentication and seamless handovers between cellular and Wi-Fi networks using the Access Network Discovery and Selection Function (ANDSF)
- Ability to update software at the component level (e.g. a single ECU), with a reliable mechanism for reverting to the basic factory software if an OTA update fails
- Delta generator: dynamically compares two versions of the firmware and creates a delta file to minimize network bandwidth utilization
- OTA Manager: tracks the software revision of every client on the road so the lifecycle of each software version can be determined accurately
- Reliable Transport: secure, reliable end-to-end data transfer with a built-in resilience layer that handles network interruptions and no-coverage areas while minimizing data retransmission
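The package integrity and authenticity, anti-rollback and revert-on-failure requirements in the list above can be made concrete in a few dozen lines. The following Go program is an added illustration written for this article, not code from any OEM or vendor platform; the ECU name, version numbers, image contents and the trivial health check are constructed sample data, and the vendor key would in practice be pinned in secure-boot-protected storage rather than generated at start-up. It signs a manifest (ECU, monotonic version, SHA-256 of the image) with Ed25519 on the backend side, and on the vehicle side verifies the signature, the target ECU, the version counter and the image hash before flashing, then reverts to the factory image if the post-install self-test fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update for one ECU.
// Version is a monotonic counter the installer uses for anti-rollback.
type Manifest struct {
	ECU       string
	Version   uint32
	ImageHash [32]byte // SHA-256 of the firmware image the manifest authorizes
}

// Bytes is the canonical encoding that is signed and verified. Length-prefixing
// the ECU name keeps (ECU, Version, ImageHash) unambiguous.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 8, 8+len(m.ECU)+32)
	binary.BigEndian.PutUint32(b[0:4], uint32(len(m.ECU)))
	binary.BigEndian.PutUint32(b[4:8], m.Version)
	b = append(b, m.ECU...)
	return append(b, m.ImageHash[:]...)
}

// Package is what the backend OTA Manager ships to the vehicle.
type Package struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// BuildPackage is the backend side: hash the image and sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, ecu string, version uint32, image []byte) Package {
	m := Manifest{ECU: ecu, Version: version, ImageHash: sha256.Sum256(image)}
	return Package{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

// Installer is the in-vehicle Update Installer for one ECU (hypothetical model).
type Installer struct {
	VendorKey    ed25519.PublicKey // pinned vendor signing key
	ECU          string
	Counter      uint32 // highest version successfully installed; never decreases
	FactoryImage []byte
	Running      []byte
}

var (
	ErrSignature = errors.New("manifest signature does not verify")
	ErrTarget    = errors.New("package is for a different ECU")
	ErrRollback  = errors.New("package version is not newer than installed version")
	ErrIntegrity = errors.New("image hash does not match signed manifest")
	ErrHealth    = errors.New("post-install health check failed; reverted to factory image")
)

// Verify checks authenticity, target, anti-rollback and integrity, in that
// order, before a single byte of the image is written to flash.
func (in *Installer) Verify(p Package) error {
	if !ed25519.Verify(in.VendorKey, p.Manifest.Bytes(), p.Signature) {
		return ErrSignature
	}
	if p.Manifest.ECU != in.ECU {
		return ErrTarget
	}
	if p.Manifest.Version <= in.Counter {
		return ErrRollback
	}
	if sha256.Sum256(p.Image) != p.Manifest.ImageHash {
		return ErrIntegrity
	}
	return nil
}

// Install flashes a verified image and runs a self-test. If the test fails the
// ECU is reverted to the factory image and Counter is left unchanged, so a
// corrected build with the same version number can still be accepted later.
func (in *Installer) Install(p Package, healthCheck func([]byte) bool) error {
	if err := in.Verify(p); err != nil {
		return err
	}
	in.Running = p.Image
	if !healthCheck(in.Running) {
		in.Running = in.FactoryImage
		return ErrHealth
	}
	in.Counter = p.Manifest.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	factory := []byte("brake-fw-v1")                  // constructed sample image
	ecu := &Installer{VendorKey: pub, ECU: "brake-ctrl", Counter: 1, FactoryImage: factory, Running: factory}
	ok := func(img []byte) bool { return len(img) > 0 }

	fmt.Println("good:", ecu.Install(BuildPackage(priv, "brake-ctrl", 2, []byte("brake-fw-v2")), ok))
	fmt.Println("replay:", ecu.Install(BuildPackage(priv, "brake-ctrl", 1, factory), ok))
	tampered := BuildPackage(priv, "brake-ctrl", 3, []byte("brake-fw-v3"))
	tampered.Image = []byte("brake-fw-v3-backdoor") // image swapped after signing
	fmt.Println("tampered:", ecu.Install(tampered, ok))
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged:", ecu.Install(BuildPackage(other, "brake-ctrl", 3, []byte("x")), ok))
}
```

The order of checks matters: the signature is verified over the manifest, and the image is bound to the manifest by its hash, so a delta-generated or re-assembled image is checked only after reconstruction and the version counter is only advanced once the new image has passed its self-test.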
However robust a connected car security architecture may be, it could still have vulnerabilities that leave it open to attacks that put passengers' lives in danger. As the connected car industry matures, it will be imperative to create a proactive system that can monitor for threats in real time and help automakers mitigate their impact. To this end, it is paramount that the OTA system works in harmony with real-time vulnerability scanning, analytics, the cloud back end and an automated patch generator. IBB Consulting proposes a tightly integrated threat intelligence and agile OTA system (see figure 3).
An automaker's cloud infrastructure can support active threat analysis and profiling using the car's bidirectional communication channel. For each threat, the backend platform can securely create the threat definition and update the threat profile templates and packages that must be pushed to the car. This smart OTA system proactively pushes updates to quarantine the attacked module while delivering fixes that close the weaknesses the attack exploited, before they can be used again.
As automakers enter the digital economy, it is imperative to re-architect core automotive systems with cyber security built into the safety model, as fundamental as having good brakes. Most importantly, the industry should collectively progress into the digital world to establish an ecosystem that can proactively guard against emerging cyber-attacks. Including smart OTA capabilities in robust security designs would represent a significant step forward as intelligent threat-handling systems evolve to ensure passenger safety.