Cars are increasingly capable and complex, making time on the road easier and more pleasurable; but with these new features also come new security risks for connected vehicles. Giving our vehicles more navigation control also requires vigilance against cyberattacks, personal data infringement, over-the-air malware, and counterfeit attempts. This article examines automotive cybersecurity concerns and highlights potential solutions to these risks.
What is automotive cybersecurity?
Automotive cybersecurity is a blanket term for protecting the communication flow to and from your vehicle. In automotive applications, this information takes several forms:
- Network security: Many modern vehicles connect to communication networks between the car, the owner, the manufacturer, systems within the car, and the world around the vehicle. These networks enable functionality like over-the-air updates and the ability to see your tire pressure or engine temperature via smartphone remotely. However, these networks require protection from attacks that may inject or extrapolate information that could compromise the vehicle or its user.
- Data security: Today’s vehicles collect environmental data and information about driver behaviour. Protecting this potentially private data may be essential to the manufacturer or the user. For example, if a hacker were to gain access to vehicle camera data, they could track user behaviour and private information such as their home address.
- Control algorithms and electronic systems: Automotive electronics systems control vehicle safety systems, the drivetrain, multimedia systems, advanced driver assistance systems, and much more. Malicious cyber-attacks could interfere with these systems and compromise the user’s safety and the vehicle’s operability. For example, if a hacker accessed a vehicle’s lane assist feature, they could inadvertently steer a car into harm.
Real-world examples of connected car security exploitation
While many automotive cybersecurity concerns seem hypothetical, hackers already have a history of gaining compromising access to vehicles.
In 2015, security researchers at the Keen Security Lab remotely hacked into a Jeep Cherokee infotainment system, allowing them to take control of the vehicle’s steering, brakes, and transmission. This wireless hack led to a recall of 1.4 million cars and led to massive vehicle security standardization efforts globally.
The following year, a group of Chinese researchers took control of a Tesla Model S’s brakes, door locks, and dashboard computer from 12 miles away. Tesla quickly issued a software update to address the vulnerability, but the same functionality that enabled this over-the-air update likely enabled the hack.
In 2018, the Keen Security Lab team discovered fourteen vulnerabilities in BMW cars that allowed access to a vehicle’s head unit computer, the telematics control unit, and the CAN bus, ultimately leading to control over brakes and steering. This report was responsibly shared with BMW, and many of the technical details in this hack were excluded from the public announcement to avoid potential abuse.
Connected car cybersecurity is a burgeoning field of research. Competitions simulate real-world attacks to identify potentially unknown vulnerabilities in automotive systems. Pwn2Own (Canada), Cyber Grand Challenge (DARPA sponsored, United States), Car Hacking Village (DEF CON conference, United States), and ESCAR (EU, Asia, NA) are the most famous conferences around the globe, each of which are sponsored by OEMs. Often, these competitions result in OEMs facing previously unknown security challenges that require solving, recall, or future design accommodation.
Current automotive cybersecurity solutions
Many hardware and software security solutions are actively used in vehicles sold today. While each automotive system’s design requirements vary, these devices are common across automakers.
- Secure microcontrollers: These MCUs provide tamper detection, end-to-end encryption, and secure boot. Specialized microcontrollers such as the MAX32510 protect sensitive private information and prevent unauthorized access.
- Secure Trusted Platform Module (TPM): Specialized crypto-processors like the SLI 9670 provide hardware-based security and a secure environment for storing cryptographic keys, passwords, and other sensitive data. In addition to being used for cryptographic key management, TPMs attest to a system’s integrity by affirming that the system has not been compromised and is generally tamper resistant.
- Cryptographic Accelerators: When secure network communication and data protection is needed, cryptographic accelerators (such as NCJ38A) can accelerate encryption and decryption algorithms and run digital signature verification. These specialized processors are optimized to run specific cryptographic algorithms much faster than general-purpose processors. Automotive systems often use them to protect sensitive data, provide authentication, and secure communications for over-the-air updates and other applications where data integrity is paramount.
- Secure Gateways: Automotive IoT networks rely on large amounts of communication that opens them up to network vulnerabilities. Secure gateways control and monitor traffic to prevent unauthorized access within the network. A secure gateway like the S32G-VNP-GLDBOX is a subsystem of an automobile and can be used in various network applications within automotive security.
The Future of connected vehicle security
Automotive cybersecurity is paramount in the era of connected cars. New technologies specifically combat unwanted attacks and keep vehicles safe. Automotive security breaches can result in, at minimum, unwanted data sharing and, at worst, behaviour that can be life-threatening to a user. Automotive security devices are optimized to prevent attacks of all kinds and keep modern vehicles and their OEMs safe, secure, and functional.