Value of automotive data increases, widening the attack surface.
BY: JOHN KOON
The auto industry is transforming itself toward a future in which the automobile increasingly will be connected using V2X and 5G. Driver assistance will improve, and ultimately cars will be guided by AI and machine learning. But all of this will be closely watched by hackers, looking for an opening and a potentially large and untraceable payout.
The replacement of mechanical functionality with electronics, and the rising amount of data that will move both in and out of vehicles, will have a big impact on security. The number of possible targets was already large, but it’s growing rapidly. Automotive designs of the future will include multiple electronic control units (ECUs), advanced driver-assistance systems (ADAS), machine learning CPUs, 5G and vehicle-to-everything (V2X) connections, multiple sensors, infotainment systems, in-cabin artificial intelligence, and remote engine starting.
So how exactly should the industry prepare for a potential onslaught of malware and hacking?
The auto industry has ambitious plans for self-driving cars, much of it based on a wide variety of chip technology, from advanced 5nm digital logic to analog sensors, sensor fusion, and complex communication schemes. That technology will be used to monitor what’s going on internally, but it also will be increasingly connected to the outside world using V2X and super-fast 5G connections. That’s the whole point of much of this new technology.
The technology roadmap for vehicles has been under development for some time. In fact, the National Highway Traffic Safety Administration (NHTSA), whose mission is to improve transportation safety and efficiency, has been planning this for the better part of a decade. A federally funded research program dating back to 2014 focused on vehicle-to-vehicle (V2V) communication.
Plans have expanded significantly since then. In cooperation with the U.S. Department of Transportation (DOT) and public sectors, including the automotive industry and academia, the NHTSA hopes to advance automotive V2V technology based on the 5.9 GHz spectrum, empowering vehicles to communicate among themselves. The idea behind V2V is to provide vehicles with relevant information ahead of time, even if those vehicles are not in the line of sight of an accident or some other situation that potentially could affect traffic or safety. So when an incident does occur down the road, vehicles equipped with V2V will be prepared to slow down, thereby avoiding multi-vehicle pileups.
The V2V concept has evolved into vehicle-to-everything (V2X), including vehicle-to-infrastructure (V2I) and vehicle-to-pedestrian (V2P) communication. The next phase will be cellular-to-V2X (C-V2X), which will support 5G.
All of this technology is expected to save lives and avoid accidents, but it also opens the door to a slew of potential cyberattack vectors and surfaces. The more wireless and remote-control features, and the more connected electronic content, the greater the opportunity for hackers.
Case in point: The infotainment system provides the convenience of a wireless connection through smart device apps such as Apple CarPlay and Android Auto, but these systems are connected to other systems in a vehicle that affect safety and vehicle control. Hackers can use these systems to embed malware and then demand payment to unlock systems and restore functionality.
The infotainment system is one target among many, but it has received a lot of scrutiny because it’s the interface for many over-the-air (OTA) updates. “How do you ensure that the data you’re transferring is secure?” asks Sandeep Krishnegowda, senior director of marketing and applications for memory solutions at Infineon. “There are new regulations for ISO 26262, and new cybersecurity standards in ISO 21434. You need a methodology for designing these devices, and you need processes in place to integrate security and safety outside and inside of memory, as well as the documentation to meet all the regulations.”
Nothing is perfect when it comes to updates, though. Last year’s SolarWinds attack, which serves as something of a benchmark in the security industry, was effective at breaching highly sensitive systems used by the U.S. government. So while OTA firmware updates provide great convenience for car owners — they happen in the background using machine-to-machine communication — it’s good to remember how often smartphone apps need to be updated.
The flood of updates will be compounded by a host of new technologies. “We’re seeing a shift in the entire automotive industry, essentially from mechanics to electronics being the core competence of the automotive industry,” said K. Charles Janac, chairman and CEO of Arteris IP. “This includes either influence on architectures or IP design, or maybe even doing entire SoCs, by the car companies and by the Tier 1s, because you need to control your architecture in order to enforce upgradability.”
While nearly all new cars sold today have remote door locks, automakers have begun offering additional remote-control types of features. For example, Kia is promoting remote start from as far as 500 feet away. Other features include controlling the air conditioning, as well as locking or unlocking the doors using smartphones. All these conveniences serve up more opportunities for hackers to gain access to the automotive functions. Security almost certainly will be added, but hackers can target any weaknesses that emerge, such as obtaining a security key within close proximity by using thermal profiling.
“Most hackers get in through stack overflows, or other mechanisms,” said David Fritz, senior director for autonomous and ADAS SoCs at Siemens EDA. “Those are easy to shut off. That doesn’t prevent them from finding something that nobody considered. But if there’s physically no link between the outside world and that proprietary information, then I don’t care how much they hack because they’re never going to get to it.”
The problem is that more of the vehicle is being connected, and the value of hacking into car data is rising on multiple fronts. It’s no longer just about hacking into a car to steal the vehicle. Now, the potential rewards can include a ransomware attack against a deep-pocketed OEM. That raises the stakes, and it attracts much more sophisticated hackers.
“Who is the adversary who is hacking it? If you take into consideration the worst case condition — a nation state with unlimited resources, unlimited funding, unlimited motivation, with close physical access to the part — that becomes a very, very challenging problem to solve,” said Jason Moore, senior director of engineering at Xilinx. “And interestingly enough, when we talk to our customers, more and more of them describe their adversary as a nation state.”
A common theme among security experts is that security is an arms race. But for the automotive industry, this is a particularly thorny challenge, because unlike many other kinds of electronics, vehicles are expected to be in use for a couple of decades or more. So it’s not enough to wait for the next product release. What goes into a car needs to be resilient enough to withstand attacks throughout its lifetime, or at least the period for which the carmaker is liable.
Supply chain security
Modern automotive design involves a variety of components developed across a complex and global supply chain. Managing the entire supply chain is not a trivial task. It takes a clear understanding and bill of materials (BOM) control to ensure every level of the supply chain meets the required security standards defined by the automotive standard bodies. (See Figure 1, below.)
The automotive safety standard ISO 26262 defines the functional safety of road vehicles as Automotive Safety Integrity Levels (ASIL) in various classifications. Multiple suppliers are involved across those classifications, which complicates supply chain management. Automakers therefore need to manage the entire supply chain to ensure automotive quality, safety, and security.
Fig. 1: ISO 26262 defines the functional safety of road vehicles as Automotive Safety Integrity Levels (ASIL) in various classifications. Source: Siemens EDA
The main goal of automotive security is to stop hackers from gaining unauthorized access to the automotive electronics systems, and there are many opportunities for that. As the supply chain becomes more complex, that becomes more difficult.
Figure 2 (below) shows five areas in an automobile that require attention to cybersecurity. They include electronic control units, gateways, autonomous driving, infotainment systems, and any areas with remote connectivity such as remote boot, V2X, and 5G.
Fig. 2: Areas in an automobile that require attention for cybersecurity. Source: Rambus
Each one of those areas presents an opportunity for attacks. In addition to secure systems, secure methodologies and processes need to be implemented and regularly updated. In effect, trust no one, question everything, and constantly check and re-check.
“I always think you should have more discipline in processes,” said John Hallman, product manager for trust and security at OneSpin Solutions. “With SolarWinds, they should have caught it sooner. It’s part of the processes that should have been in place. They could have done better jobs checking earlier on. They could have looked for these types of vulnerabilities earlier. The way they infiltrated the supply chain was interesting, but it’s not necessarily new.”
Root of trust
One of the fundamental pieces of security in any electronic system is a root of trust. When an electronic system boots, it should be in a known state, meaning an operational condition intended by the designer. When a system is compromised, it may boot up with malware in control. The source of that malware can come from within the supply chain, as it did with the SolarWinds attack, or it can be external.
Depending on the boot ROM design, some malware has been able to exploit a vulnerability in a component through a rollback: by changing the date code to an older version, hackers were able to reinstall a release containing a previously fixed vulnerability and exploit it again.
With a root of trust, the content of the boot ROM design, once programmed, theoretically cannot be tampered with or altered by a third party. Therefore, the system boot should be safe and secure. That’s not always the case, though.
“The whole point of that is you have a secure part of your chip,” said Jason Oberg, CTO at Tortuga Logic. “That’s where your over-the-air update goes. It’s where your keys are stored that will authenticate the image. It says, ‘This was signed by the source, so validate it. Everything looks good. Decrypt it and load it.’ But there are a lot of issues that can happen at the hardware level, depending upon how that’s managed. And if it’s subverted, you can load the update and, depending upon that setup, you might be able to get access to the private key that signed it and maybe even spoof updates.”
In the case of the SolarWinds attack, the update that caused the breach was actually verified by the company. “It’s really hard to prevent this at the source, because it is an authentic update,” Oberg said. “In this case it was legitimate.”
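The boot-time checks described in this section (a root of trust that authenticates an update image, and a rollback defense that refuses an older image even though it is genuinely signed) are illustrated below in an added example. This is not code from the article or from any of the companies quoted in it. It assumes an HMAC-SHA256 over a small manifest as a stand-in for the asymmetric signature a real root of trust would verify, and the key, version numbers and image bytes are constructed for the example.

```python
"""Added example: a model of secure boot with anti-rollback.

A root of trust holds (a) the key material that authenticates firmware
images and (b) a monotonic minimum-version counter. The counter is what
defeats the rollback described in the article: an older image still carries
a valid signature, so signature checking alone cannot reject it.

Assumptions (constructed, not a real product): HMAC-SHA256 stands in for the
asymmetric signature; key, versions and image bytes are made up.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed key. In hardware this would live in OTP or secure storage, and
# with a real signature scheme only the public half would be on the device.
ROOT_OF_TRUST_KEY = b"example-root-of-trust-key-not-real"


def sign_manifest(version: int, image: bytes, key: bytes = ROOT_OF_TRUST_KEY) -> dict:
    """Build and authenticate a manifest for a firmware image (the OEM side)."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    encoded = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    return body


@dataclass
class RootOfTrust:
    key: bytes = ROOT_OF_TRUST_KEY
    min_version: int = 0  # monotonic floor; raised on accept, never lowered

    def verify_and_boot(self, manifest: dict, image: bytes) -> tuple:
        """Return (accepted, reason). Check order mirrors a secure boot flow."""
        body = {k: v for k, v in manifest.items() if k != "mac"}
        encoded = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, encoded, hashlib.sha256).hexdigest()
        # 1. Authenticity: constant-time comparison of the manifest MAC.
        if not hmac.compare_digest(expected, manifest.get("mac", "")):
            return False, "manifest authentication failed"
        # 2. Integrity: the image must match the digest the manifest vouches for.
        if hashlib.sha256(image).hexdigest() != body["sha256"]:
            return False, "image digest mismatch"
        # 3. Anti-rollback: a validly signed but older image is still refused.
        if body["version"] < self.min_version:
            return False, "rollback: version %d < %d" % (body["version"], self.min_version)
        # Accept, and advance the counter so this version becomes the new floor.
        self.min_version = body["version"]
        return True, "booted version %d" % body["version"]


def demo() -> list:
    """Run four constructed scenarios against one device and return outcomes."""
    rot = RootOfTrust()
    v1, v2 = b"firmware v1 (constructed)", b"firmware v2 (constructed)"
    m1, m2 = sign_manifest(1, v1), sign_manifest(2, v2)
    results = [rot.verify_and_boot(m2, v2)]              # fresh v2: accepted
    results.append(rot.verify_and_boot(m2, v2 + b"!"))   # modified image: rejected
    results.append(rot.verify_and_boot(m1, v1))          # genuine but old: rollback rejected
    forged = dict(m1, version=3)                         # version bumped without re-signing
    results.append(rot.verify_and_boot(forged, v1))      # MAC no longer matches: rejected
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", "-", why)
```

The point of the third scenario is the one the article makes: the v1 image and its manifest are completely authentic, and only the stored minimum-version counter stops it from booting. The fourth shows why the version number must be inside the signed manifest rather than in a separate, unauthenticated header.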
Most security experts agree that security needs to be layered. No one security measure is sufficient. The goal is to make it so hard for hackers to move forward that they abandon their efforts.
This is where standards fit in, and they are expected to play an increasing role in automotive security. ISO 21434 is designed specifically around security in automotive applications.
“Automotive standard adoption will help achieve cybersecurity,” said Chris Clark, senior manager in Synopsys’ Automotive Group. “That is why it is important to pay attention to these standards — including the ones that are being developed, such as ISO 21434, which will focus entirely on cybersecurity.”
Still, a standard is only as good as its oversight and updates. Security measures need to be checked and re-checked, and processes need to be constantly re-evaluated.
“Somebody is going to have to pick up the task of becoming an automotive security and safety certification lab,” said Helena Handschuh, security technologies fellow at Rambus. “On the safety side, you already have that. Security might be a little less obvious. It exists for other market segments, but not necessarily automotive. The banking sector has it, and many others as well. But automotive certainly would benefit from having professionals take a look at all the implementations and everything that was put together to make sure that all the pieces fit together, and then put some kind of a stamp on your release.”
ISO 21434 intends to cover various aspects of cybersecurity, including security management, continued cybersecurity activities, risk assessment, and cybersecurity when the vehicles are on the road. When the standard is released, it is expected to impact the supply chain, product development, and the manufacturing process in relation to cybersecurity in a positive manner.
Additionally, the United Nations Economic Commission for Europe (UNECE) is moving forward with R155 and R156 (accompanied by ISO 24089). These new regulations, currently being defined, will require automotive OEMs to have legal responsibility for automotive cybersecurity. Over time, these new standards will add cybersecurity protection to the automotive industry.
Shifting left on security
Both design verification and security testing are key to building a security fortress against cyber threats. But finding a security bug after the silicon has been fabricated is something to be avoided at all costs. That means security needs to be addressed much further forward in the design flow so it can be verified and debugged as part of the normal design cycle.
“Proper functionality of SoCs and ASICs as specified is a primary requirement in achieving security,” said Frank Schirrmeister, senior group director, solutions and ecosystem, Cadence, a provider of solutions for computational software and intelligent system design. “Security verification needs to consider hardware, software and its interaction, and it extends to aspects of power and thermal analysis, as these can become attack surfaces. To effectively implement security verification, users apply formal verification and dynamic execution in simulation, emulation, FPGA-based and virtual prototyping, all of which effectively serve as digital twins during the pre-silicon development phase. While security aspects need to be verified, validated, and confirmed throughout the overall project flow, it is often cheaper to do the tests at the pre-silicon stage, effectively ‘shifting-left’ verification and integration.”
Automotive chips also can be tested against known vulnerabilities, many of which are listed in the Common Weakness Enumeration (CWE), which identifies bugs, flaws, faults or other errors in software or hardware implementation.
But on a positive note, carmakers are well aware of the growing security threat, and that is beginning to ripple through the supply chain.
“This is part of the revolution that’s happening now, which is the realization that to handle all of the safety, security, reliability, along with the extra sensing, the object fusion — rather than sensor fusion — it isn’t practical to be done simply by incremental changes. This is driving OEMs back to the drawing board. Considering what we understand now with the computational requirements of what kind of bandwidth we need on the network, and how safety, security, and reliability are all optimized, we need to go back and redesign this.”
The vision of the auto industry is that automobiles will be autonomous and connected using V2X and the super-fast 5G. SAE International J3016 “Levels of Driving Automation” has classified autonomous driving into six different levels, from level 0 (no automation) to level 5 (fully autonomous). The auto industry is halfway there, and it may stay there for some time. At the very least, though, most new vehicles being sold are equipped with advanced driver-assistance systems (ADAS) and many other electronics-based features.
As automotive innovation grows, cybersecurity becomes a real concern. The more connected an automobile is, the higher the probability of its being hacked. Achieving automotive cybersecurity will be an ongoing battle, and the more the chip industry gets involved in automotive, the more the burden of stopping attacks will fall on chipmakers.