Keywords

Introduction

The classic cars were much simpler, and so was the electronics in them. The components of a classic cars were discrete and unconnected to each other, they were more of a closed systems without much interaction with the external world. With advances in technology, the modern automotive systems have become more sophisticated, more software-intensive, more complex, and highly connected systems making them highly vulnerable to security attacks. A modern automobile can have up to 80 embedded microcontrollers on board running tens of millions of lines of code within them. The embedded ECU’s control almost every function of the car including safety-critical vehicle applications such as braking, engine control, steering, airbag functions, navigation systems etc. Therefore security attacks are not just limited to disclosure and loss of sensitive data but also affect the safety critical functions of the car.

Recent studies and Experiments conducted by Independent research organizations from EUROPE/US (Checkoway et al. 2015) have demonstrated that once a hackers gain access to the in-vehicle network of the car, could control everything; from controlling the acceleration, to applying/releasing brakes, playing songs of their choice, locking/unlocking the doors. These experiments have demonstrated that security plays an important role in automotive systems because security threats might not only cause nuisance and disclose of sensitive data but also affect the safety critical functions of the car. This mean without security there is no safety.

Security Threats in Connected Cars

A connected (or autonomous) car is a driverless car or self-driving car which is capable of sensing its environment and navigating without human input. Autonomous cars are fully connected vehicles that use a combination of wireless technologies (such as radar, lidar, GPS) and advanced sensors (stereo cameras and long- and short-range RADAR) for its operation. These cars are expected to have a permanent connection to the Internet and to the cloud for fetching various kinds of information such as current road situation, weather conditions, or the parking situation at the destination. Benefits of autonomous cars include zero accidents, reduced traffic violations, productive commute time, elimination of human errors, improved energy efficiency (Silberg and Wallace 2014).

In order to operate in real time, autonomous cars may use wireless technologies to communicate with the grid, the cloud, with other vehicles (V2V) and to infrastructure (V2I). An enormous amount of data will becomes available on the air. This essentially means that someone—a hacker, terrorists, and unauthorized parties can have means to capture data, alter records, instigate attacks on systems and track every movement of vehicle. The hackers can gain access to the vehicle sensors that control airbags, breaking systems, door lock operations and virtually control or disable the car. They could provide false information to drivers, use denial-of-service attacks to bring down the in-vehicle network, illicitly reprogram the ECUs with a malware and even can download incorrect navigation maps to mislead the driver. Therefore, system security will undoubtedly become a paramount issue which the automakers need to address before putting the autonomous cars on the road (Fig. 1).

Fig. 1
figure 1

Typical vehicle network of a modern vehicle

Full size image

The current automobiles today are not quite capable to detect and prevent hackers from gaining access to the vehicle network, detecting and rejecting malicious commands injected into the ECU (Barry and Philpot 2011).

Here are some of the security threats to modern automobiles:

  • Inducing forged traffic into the in-vehicle network

  • Downloading of malicious applications into the ECU

  • Gaining access to ECU resources by launching a brute force attack on the system

  • Illegal Odometer Tuning

  • Tuning/Manipulation protection

  • Attack on Tire Pressure Monitoring System (TPMS)

  • Inducing forged traffic into a navigation system

  • Breaking Antitheft systems such as central locking, immobilizers

  • Corruption of rewriteable flash memory

  • Execution of unauthorized commands

The security system inside autonomous vehicle shall ensure:

  • Technology in a self-driven car works 100 % of the time without compromising on the safety-critical functionality.

  • Internal as well as external communication interfaces are properly secured

  • Enable Secure software download

  • Detect and prevent malware from running on the ECU’s

  • Enable secure access to secret keys and confidential data

  • Electronic immobilizer;

  • Software and hardware integrity

  • Protection from theft and forgery

Realization of Security Solutions in Automotive Systems

In this section provides a general overview of some of the important automotive features, and discuss about possible security measures that can be applied to make the vehicle functions secure from cyber attacks (Fig. 2).

Fig. 2
figure 2

Security elements of interest

Full size image

Main Automotive Usecases

  • Target Authentication

    Target authentication involve authentication of entities and communication partners before allowing access to its internal resources. For ex, authentication of entities requesting read/write access to ECU internal data—ex, diagnosis testers, remote clients

  • Secure Communication

    The system shall ensure authenticity and integrity of the data communicated over internal/external interfaces. Ex: Secure OnBoard, Secure Off-Board communications

  • Secure Boot

    The objective of the secure boot is to ensure the integrity of code/software stored in the flash has not been compromised. Secure boot validates the flash contents by computing the digital signature of the flash software component and compare it with the pre-configured value. Popularly implemented with the help of hardware security peripheral

  • Secure Flashing

    Secure flashing helps to prevent malicious content from getting flashed on the ECU. Secure Software flash-loaders employ security mechanisms such as application authentication (using MAC, Digital Signatures), application integrity check (using CRC, hash) to ensure the authenticity and integrity of software being flashed into the ECU memory

  • Key management functions

    Key management is the management of security keys in a cryptosystem. This involves key generation, exchange, storage, use, update, deletion of keys. It includes technology, policies and procedures for managing all the cryptographic keys—symmetric and asymmetric

  • V2X Communication

    V2X (Vehicle-to-Vehicle or Infrastructure) communication involves exchange of information between vehicles, with the roadside infrastructure (ex traffic signals, warning signs), with remote systems such as e-call center, with the GPS systems etc. V2X plays an important role in the development of Intelligent Transport System (ITS) and connected cars.

  • Secure Storage

    Secure storage of confidential data such as secret seeds, keys, keying material, security logs, and configuration/calibration data

In order to secure the vehicles from cyber-attacks, the system shall implement appropriate security mechanisms based on software and hardware cryptography. The security system must ensure that data is protected during its transit, while it is stored & accessed, and have mechanism in place to ensure both unauthorized (malicious hackers) and unintended modifications do not go undetected.

Here are some of the crypto services that help in realization of security solutions in automotive systems:

  • Digital Signature generation/verification

  • Message Digest generation/validation

  • MAC generation/verification

  • Random Number generators

  • Data Encryption/Decryption based on Symmetric and Asymmetric keys

  • Secure Hash

Security Solutions can be Realized by Both Hardware and Software Crypto Mechanisms

In order to harden ECUs against security attacks, security mechanisms (to prevent successful manipulation of software, data, keys and keying material) must be rooted in hardware (Fig. 3).

Fig. 3
figure 3

Security solutions broadly level classification

Full size image

Hardware security solutions are realized with the help of hardware security peripherals such as HSM (Hardware Security Module) based on EVITA, and SHE (Secure Hardware Extension) based on SHE specifications. EVITA and SHE are major security initiatives in the auto industry that define security standards, EVITA specification targets both Hardware & Software solutions

Introduction to SHE/HSM

SHE/HSM are on-chip security peripherals embedded within an automotive MCU. HSM/SHE are dedicated security modules specifically developed and designed for security use-cases. They are designed to move cryptographic functions from SW to HW domain (The Evita Project) (Fig. 4).

Fig. 4
figure 4

Simplified logical structure of a hardware security peripheral

Full size image

SHE/HSM usually provides a fixed set of cryptographic services to the application layer. The basic cryptographic services can be used to realize complex automotive security use-cases

Main Features/Functions:

  • Symmetric key Encryption based on AES-128

  • CMAC generation & verification

  • Random number generation for secure generation of cryptographic keys

  • Application/Boot loader verification

  • Secure storage of secrets keys and keying material

  • On-chip Flash/ROM read-out protection against unauthorized access

Advantages of SHE/HSM:

  • Onboard secure cryptographic key generation

  • Onboard secure cryptographic key storage and management

  • Offloading application servers for complete asymmetric and symmetric cryptography.

  • Hardware acceleration

A Sample Case Study

In this section we look at practical use case of a Secure Bootloader in the automotive context and see how security concepts can be applied to make the software download more secure (Fig. 5).

Fig. 5
figure 5

Secure bootloader architecture

Full size image

Main features of a Secure Flash loader:

  • Application Authentication: To ensure the authenticity of data downloaded to the ECU (verify that software originated from known source)

  • SW Integrity check—Verify that the SW has not been altered during transit

  • Secure Boot: Software authenticity verification during ECU start-up

  • Secure Access: Ensures that only authorized Testers can unlock the ECU to perform critical tasks such as application flashing, vehicle diagnostics etc.

  • Secure Storage: For secure storage of ECU confidential data such as secret seed/keys, keying material (Fig. 6).

    Fig. 6
    figure 6

    Application authentication example

    Full size image

Illustration of Application Authentication

To enable application authentication and integrity check, signature of the application software is computed (ex, using CMAC, RSA-2048) and attach to the software that is downloaded.

ECU Side:

  • ECU re-computes the signature of the downloaded software: S’

  • Compares computed signature(S’) with the attached signature(S)

  • If S = S’ → application is authentic

The above example illustrations demonstrates how security concepts can be applied to verify the authenticity and integrity of software before flashing them into the ECU.

Conclusions

With modern automotive systems getting connected to the internet, the security is no more an optional feature. In the last decade, the automobile industry has been focusing more on improving safety aspects of the car and this decade the focus would be to build more secure and safer vehicles. As the security threats can endanger life of the passengers designing more secure products is an absolute necessity.

Building secure products cannot happen overnight, it should start from the early days of software development life cycle. Security should be built into the design and into the code. Developers should start designing and implementing security based on threat analysis results of their systems, address the vulnerabilities (security holes) in a phase wise manner. Lastly consider industry standards such as NIST (National Institute of Standards and Technology), ENISA(European Union Agency for Network and Information Security), FIPS(Federal Information Processing Standards), EVITA, SHE, in building crypto/security solutions rather than going with proprietary security mechanisms

Currently many organizations are involved in doing research related to security in connected cars. Most of the research has focused on identifying the security problems and only to a lesser extent towards presenting solutions. Much remains to be done. One of the greatest challenges in adding security to the connected car would be to adapt the security solutions to the very high safety requirements, under the constraints of very limited hardware, software and power resources.