Research Insights Volume 5 - Sector Focus: Automotive

INTRODUCTION

Driven by demands for cleaner emissions and increased vehicle safety for both drivers and pedestrians, the modern vehicle has become increasingly computerised, and now has more in common with an industrial control system than with a simple mechanically-controlled car from 30 years ago.

Modern vehicles consist of a multitude of different inter-connected process control systems which each govern or modulate a specific mechanical or environmental process. Control is gradually being taken away from the driver and placed under the supervision of embedded computerised control systems. These systems work together to automate the driving process in the pursuit of increased safety both for drivers and for other road users.

This automation is being achieved by integrating advanced driver assistance systems (ADAS) with the mechanical powertrain, to provide the vehicle with an increasing degree of awareness about its operational environment. The ADAS systems comprise individual components such as light detection and ranging (LIDAR) systems, laser range finders, forward-looking infra-red (FLIR) cameras, ultrasonic sensors, and stereoscopic vision systems, all of which are interconnected and communicate with other vehicle systems via the heart of the vehicle network, the controller area network bus (CAN-BUS).

We are now able to do more in our vehicles while on the move; modern in-vehicle infotainment (IVI) systems provide occupants with the ability to listen to audio and watch video from a variety of local and remote sources, and to make and receive phone calls, use satellite navigation, receive live traffic information, and even access the Internet. Due to the prevalence of these features and an industry push for standardisation, modern vehicle systems are becoming increasingly integrated with consumer mobile devices, and with publicly-accessible communications networks such as the Internet.

The use of telematics services to track vehicle movements and to collect performance and diagnostic data is now a widespread practice. These services are used both by vehicle manufacturers, in order to support warranty claims and regular vehicle maintenance, and by insurance companies, who are able to offer consumers lower insurance premiums in return for safe and responsible driving.

Vehicle owners can also use telematics services to interact with the vehicle remotely, for example using a phone app to activate climate control prior to starting a journey, activate the horn, or even unlock the doors. The prevalence of telematics in modern vehicles has enabled the European Commission to promote an initiative known as eCall (emergency call), which is intended to bring rapid assistance to motorists involved in a collision anywhere in the European Union. eCall will be a standard feature of all new vehicles from 2018, with a follow-up system named Breakdown Call (bCall) following shortly after.

The integration of these technologies, services, and systems, together with the convergence of the vehicle environment with consumer mobile devices and the Internet, means that the attack surface of the modern vehicle is one of the largest for any single piece of transport infrastructure. In addition to this large attack surface, a vast quantity of data and metadata is generated, collected, and stored by manufacturers, telematics service providers (TSPs), emergency services, and various third-party companies on Internet-facing systems and back-end databases.

The interconnected nature of these different systems, services, and networks brings with it not only the concern that attacks upon automotive systems can have severe consequences from a public safety perspective, but also concerns surrounding big data such as consumer privacy, data ownership, and data retention. The obligation to protect consumer data from unauthorised access, both when stored and during transmission, has never been higher; but the demand for increased data sharing between organisations is also increasing, as is the ability of the security services to tap that data source to support operational intelligence.

These facts, together with the sheer number of vehicles in use, mean that automotive systems are increasingly viewed as an attractive target by those with malicious intent. Because of this, the potential both for cyber-security weaknesses to exist and for those weaknesses to be exploited by threat actors is incredibly high.

Some of the security issues that specifically affect automotive systems include:

In-vehicle infotainment systems – IVI systems expose a large attack surface and connect directly to the heart of the vehicle network, meaning any vulnerability present may allow manipulation of critical vehicle functions if successfully exploited.

Telematics – Telematics services connect vehicles to Internet-facing systems, allowing operational data to be collected and limited remote control of vehicle functions, which can be exploited to compromise the security or safety of the vehicle.

Vehicle diagnostics and software – Software is easily obtainable and in some cases poorly developed. Software can be reverse engineered to uncover sensitive information, allowing legitimate diagnostic services to be exploited to compromise the security or safety of the vehicle.

Internal vehicle networks – Internal communications protocols used on-board the vehicle for communications between control modules are not secure and can easily be manipulated and used to control almost all critical vehicle functions.

Automotive secure development lifecycle – The automotive industry is largely unfamiliar with the principles of a secure development lifecycle, leading to vulnerabilities being introduced into automotive systems during the design and development phases.

Physical vehicle security – External access to internal vehicle network wiring allows attacks that compromise the security of the vehicle from outside.

Intelligent transportation systems – Future plans for a fully integrated intelligent transportation network allowing vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), and infrastructure-to-vehicle (I2V) communications need to be carefully considered and developed with the help of the cybersecurity industry.

Advanced driver assistance systems – The increased attack surface and interconnected nature of these systems means that deploying these new systems within modern vehicles can have unforeseen consequences, introducing new attack vectors into the vehicle network.

AUTOMOTIVE SECURITY

While it has been known for some time in the vehicle modification and security industries that electronic vehicle systems contain exploitable vulnerabilities, it is only recently that academics [1], government [2], vehicle manufacturers, and the cyber security research community [3] have begun to focus on automotive security from a cyber perspective, as opposed to the traditional viewpoint of vehicle theft.

With the cost of advanced electronic components decreasing, the equipment required to interface with both wired and wireless vehicle networks is no longer cost-prohibitive for the hobbyist or casual hacker, security professional, or small criminal organisation. As a result, the automotive industry is facing increased interest in the security of its systems from threat actors different from those to which it is accustomed.

In-Vehicle Infotainment

The IVI system typically represents the component with the largest attack surface within the vehicle network. The IVI system provides occupants with the ability to access telephony, audio, video, satellite navigation, live traffic information, and sometimes even provides Internet access. As a result of the IVI system being multifunctional there exist numerous wired and wireless interfaces to the system, some of which can be accessed by the occupants of the vehicle. These include the human-machine interface (HMI), USB ports, disk drives, auxiliary audio connectors, and Bluetooth or Wi-Fi wireless communications channels (which can also be targeted from outside the vehicle).

An IVI system is typically based around a system-on-chip or field-programmable gate array (FPGA) that features an ARM or x86 microprocessor supported by numerous smaller systems, which each contain specialised microcontrollers and firmware required to support their primary function. The software component of the IVI system is usually an operating system (OS) designed specifically for an automotive application, but could be based on either an open source OS such as Linux or a proprietary OS such as Microsoft Windows or QNX. In either case the OS and supporting systems will contain large amounts of code required to process data in many different forms, such as media parsing libraries, wired and wireless communication stacks, and user interface frameworks. Use of unmanaged languages such as C is common; these languages require skilled developers familiar with writing secure code, and subsequent thorough review, in order to ensure vulnerabilities are not introduced through the use of unsafe memory management functions.
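The memory-safety point above is easiest to see on a concrete parser. The following C is an added example written for this page, not code from the report or from any IVI vendor: it parses a constructed "track title" metadata record of the kind a media library receives from a USB stick or a paired phone, showing the unchecked memcpy pattern beside a hardened version that validates the declared length against both the input actually supplied and the destination buffer. The record format, the TITLE_MAX size and the sample records are all made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example (not any real media standard):
 *   byte 0  : record type, 0x01 = track title
 *   byte 1  : declared title length N
 *   byte 2..: N bytes of title text, as delivered from untrusted media
 */
#define TITLE_MAX 32

typedef struct {
    char title[TITLE_MAX];
} track_info_t;

/* The pattern the text warns about: the length comes from untrusted media and
 * is copied without any comparison against the destination size. Kept for
 * contrast only; nothing below calls it. */
void parse_title_unsafe(const uint8_t *rec, track_info_t *out) {
    size_t n = rec[1];               /* attacker-controlled, up to 255 */
    memcpy(out->title, rec + 2, n);  /* writes past title[] when n >= TITLE_MAX */
    out->title[n] = '\0';
}

/* Hardened form: the declared length is checked against both the bytes that
 * are actually present in the input and the size of the destination buffer.
 * Returns 0 on success, -1 when the record is rejected. */
int parse_title_safe(const uint8_t *rec, size_t rec_len, track_info_t *out) {
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < 2) return -1;            /* header incomplete */
    if (rec[0] != 0x01) return -1;         /* not a title record */
    size_t n = rec[1];
    if (n > rec_len - 2) return -1;        /* claims more bytes than were supplied */
    if (n > TITLE_MAX - 1) return -1;      /* would not fit with the terminating NUL */
    memcpy(out->title, rec + 2, n);
    out->title[n] = '\0';
    return 0;
}

/* Parses rec and reports whether the stored title equals expected (1) or the
 * record was rejected / differs (0). */
int title_matches(const uint8_t *rec, size_t rec_len, const char *expected) {
    track_info_t info;
    if (parse_title_safe(rec, rec_len, &info) != 0) return 0;
    return strcmp(info.title, expected) == 0;
}

/* Constructed inputs: a well-formed record and one whose length byte claims
 * far more bytes than actually follow it. */
static const uint8_t DEMO_GOOD[]  = { 0x01, 5,   'H', 'e', 'l', 'l', 'o' };
static const uint8_t DEMO_LYING[] = { 0x01, 200, 'H', 'e', 'l', 'l', 'o' };

/* A record whose 40 title bytes are all present but exceed TITLE_MAX. */
int demo_oversized_result(void) {
    uint8_t rec[2 + 40];
    track_info_t info;
    rec[0] = 0x01;
    rec[1] = 40;
    memset(rec + 2, 'A', 40);
    return parse_title_safe(rec, sizeof rec, &info);
}

int main(void) {
    printf("good record parses:    %d\n", title_matches(DEMO_GOOD, sizeof DEMO_GOOD, "Hello"));
    printf("lying length rejected: %d\n", title_matches(DEMO_LYING, sizeof DEMO_LYING, "Hello") == 0);
    printf("oversized rejected:    %d\n", demo_oversized_result() == -1);
    return 0;
}
```

The two checks in parse_title_safe are the ones a reviewer looks for in every length-prefixed field: the length must be bounded by what was actually received (otherwise the parser reads past the input) and by the destination (otherwise it writes past the buffer); checking only one of them leaves the other defect in place.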

Individual IVI system components may be designed and manufactured by different third-party companies, each of which may have different standards of quality when it comes to developing and testing secure code. As a result, the probability of security vulnerabilities being present in the software or firmware of any part of the IVI system is high. This represents a significant risk to the security profile of the vehicle, since there exists a logical network path, starting wirelessly from outside the vehicle, to the internal CAN-BUS network. Any vulnerability which could be exploited to gain control of the IVI system and send frames onto the internal CAN-BUS network could have catastrophic consequences for the safety or security of the vehicle.

It is also possible for malicious code to be deployed to the IVI system without the user’s consent, if the user browses unsafe websites that attempt to exploit connecting systems. Such websites could inject malicious code into the web page which is in turn rendered by the browser. Malicious applications masquerading as an official application could also be unwittingly installed on a user’s smartphone or onto the IVI itself.

Telematics

While in the past they were deployed only on large commercial fleets and heavy goods vehicles, wireless telematics services are now widely used throughout the private vehicle market. Telematics services allow the vehicle to collect and transmit operational data to the manufacturer’s head-end telematics systems, and to receive data from manufacturer systems or other third-party service providers.

The bulk of the information collected and transmitted by the vehicle under normal operations consists of location information, timestamps, and data describing the status and condition of critical vehicle components; this data is used to support ongoing service schedules and warranty claims, and to provide real-world performance data for subsequent analysis. Data sent to the vehicle includes live traffic and navigational data, service alerts, and even over-the-air software upgrades. Some manufacturers’ telematics services provide the vehicle owner with the ability to interact with the vehicle remotely via a phone app, allowing the owner to remotely activate climate control prior to beginning a journey, upload maps and navigational information to the IVI system, locate the vehicle using GPS, activate vehicle horn and lights, or even remotely unlock the doors to the vehicle.

The on-board telematics system is connected to multiple critical vehicle subsystems via the CAN-BUS network and consists of numerous smaller electronic systems. Wireless communication takes place over 2G, 3G, and even 4G networks (depending upon availability), and is provided either by a cellular modem and SIM card, or by a custom machine-to-machine module with the modem and SIM card electronics integrated into a single device. Some of the underlying telecommunications technologies used by telematics services, such as 2G and 3G, are inherently insecure due to their support for plain-text data transmission or weak encryption and lack of mutual authentication between the mobile device and the cellular base station.

This means that some poorly-implemented telematics solutions are vulnerable to attack by fooling the vehicle into connecting to a malicious cellular base station and then injecting NGTP (next generation telematics protocol) messages. This is due to the telematics solution provider relying solely upon the theoretical security provided by the underlying telecommunications network and not adding any further authentication or encryption to the communications protocol. Issues like this can present a risk not just to a single vehicle, but to an entire fleet or model range, if encryption keys that normally secure the wireless communications between the vehicle and telematics head-end systems are not guaranteed to be unique per vehicle or consist of predictable information such as the vehicle VIN which can be obtained through other techniques.
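The last point above, keys that are not unique per vehicle or that are built from predictable data such as the VIN, is something a TSP can check for in its own provisioning records before an attacker does. The following C is an added example written for this page, not code from the report or from any telematics provider: it audits a constructed fleet of per-vehicle keys and flags keys that share a run of bytes with the vehicle's VIN, keys with very few distinct byte values, and keys that appear on more than one vehicle. The record layout, the VIN_RUN and MIN_DISTINCT thresholds, and the sample VINs and keys are assumptions made for the demonstration; it does not implement NGTP or any real protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN      16
#define VIN_LEN      17
#define VIN_RUN      8   /* assumption: 8+ bytes in common with the VIN counts as VIN-derived */
#define MIN_DISTINCT 4   /* assumption: fewer than 4 distinct byte values counts as low entropy */

/* Hypothetical provisioning record, one per vehicle, as a TSP might hold it. */
typedef struct {
    char    vin[VIN_LEN + 1];
    uint8_t key[KEY_LEN];
} vehicle_key_t;

#define FINDING_VIN_DERIVED 0x1u  /* key material contains part of the VIN */
#define FINDING_LOW_ENTROPY 0x2u  /* key uses very few distinct byte values */
#define FINDING_DUPLICATE   0x4u  /* another vehicle in the fleet has the same key */

static int bytes_contain(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen) {
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Heuristic: does any VIN_RUN-byte window of the VIN appear verbatim in the key?
 * Catches keys that are the VIN truncated, padded, or embedded. */
static int key_is_vin_derived(const vehicle_key_t *v) {
    size_t vlen = strlen(v->vin);
    for (size_t i = 0; i + VIN_RUN <= vlen; i++)
        if (bytes_contain(v->key, KEY_LEN, (const uint8_t *)v->vin + i, VIN_RUN)) return 1;
    return 0;
}

static int key_is_low_entropy(const uint8_t *key) {
    int seen[256] = {0};
    int distinct = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        if (!seen[key[i]]) { seen[key[i]] = 1; distinct++; }
    return distinct < MIN_DISTINCT;
}

/* Audits every vehicle; findings[i] receives the flag set for fleet[i].
 * Returns the number of vehicles with at least one finding. */
size_t audit_fleet(const vehicle_key_t *fleet, size_t n, unsigned *findings) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned f = 0;
        if (key_is_vin_derived(&fleet[i])) f |= FINDING_VIN_DERIVED;
        if (key_is_low_entropy(fleet[i].key)) f |= FINDING_LOW_ENTROPY;
        for (size_t j = 0; j < n; j++)
            if (j != i && memcmp(fleet[i].key, fleet[j].key, KEY_LEN) == 0) { f |= FINDING_DUPLICATE; break; }
        findings[i] = f;
        if (f) flagged++;
    }
    return flagged;
}

#define DEMO_FLEET_SIZE 5
/* Constructed sample fleet: VINs and keys are made up for the demo. */
static void build_demo_fleet(vehicle_key_t *fleet) {
    static const uint8_t unique_key[KEY_LEN] = {0x8f,0x1c,0xd3,0x42,0x7a,0xe9,0x05,0xb6,0x2d,0x91,0xfc,0x4e,0x68,0xa7,0x13,0xcb};
    static const uint8_t shared_key[KEY_LEN] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
    memset(fleet, 0, sizeof(vehicle_key_t) * DEMO_FLEET_SIZE);
    strcpy(fleet[0].vin, "ZFAEXAMPLE0000001"); memcpy(fleet[0].key, unique_key, KEY_LEN);
    strcpy(fleet[1].vin, "ZFAEXAMPLE0000002"); memcpy(fleet[1].key, fleet[1].vin, KEY_LEN); /* key = first 16 VIN chars */
    strcpy(fleet[2].vin, "ZFAEXAMPLE0000003"); memcpy(fleet[2].key, shared_key, KEY_LEN);
    strcpy(fleet[3].vin, "ZFAEXAMPLE0000004"); memcpy(fleet[3].key, shared_key, KEY_LEN);  /* same key as [2] */
    strcpy(fleet[4].vin, "ZFAEXAMPLE0000005"); memset(fleet[4].key, 0xAA, KEY_LEN);          /* one repeated byte */
}

/* Findings for one demo vehicle, as a flag set. */
unsigned demo_finding(size_t idx) {
    vehicle_key_t fleet[DEMO_FLEET_SIZE];
    unsigned findings[DEMO_FLEET_SIZE];
    if (idx >= DEMO_FLEET_SIZE) return 0;
    build_demo_fleet(fleet);
    audit_fleet(fleet, DEMO_FLEET_SIZE, findings);
    return findings[idx];
}

/* Number of demo vehicles with at least one finding. */
size_t demo_flagged_count(void) {
    vehicle_key_t fleet[DEMO_FLEET_SIZE];
    unsigned findings[DEMO_FLEET_SIZE];
    build_demo_fleet(fleet);
    return audit_fleet(fleet, DEMO_FLEET_SIZE, findings);
}

int main(void) {
    for (size_t i = 0; i < DEMO_FLEET_SIZE; i++)
        printf("vehicle %zu: findings 0x%x\n", i, demo_finding(i));
    printf("%zu of %d vehicles need re-keying\n", demo_flagged_count(), DEMO_FLEET_SIZE);
    return 0;
}
```

The duplicate check is quadratic, which is fine for a demo but should become a sort or hash pass over a real fleet; the VIN heuristic is deliberately loose, since a key that merely resembles the VIN is already a reason to re-provision rather than something to argue over.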

The European Commission has been promoting a telematics-based system known as Emergency Call (eCall), which aims to provide emergency assistance to motorists involved in a vehicle collision anywhere in the European Union. When vehicle systems detect that a crash event has occurred, the vehicle automatically places the occupants in contact with the emergency services via the nearest public-safety answering point, and transmits critical sensitive data via a separate communication channel. This data includes information such as vehicle location, direction, status, vehicle identification number, vehicle propulsion storage type, and whether the call was triggered automatically or manually. eCall will be a standard feature of all new vehicles from 2018, with a follow-up system named Breakdown Call (bCall) following shortly after.

As with many complex vehicle systems, each component of an end-to-end telematics solution will be developed by different third-party manufacturers and telematics service providers (TSPs), all with different approaches to system security and secure software and firmware development. It is vital that not only the on-board electronics comprising the vehicle telematics system, but also the Internet-facing head-end systems of the TSP, are penetration tested and evaluated. If a TSP environment were compromised, it could potentially allow an attacker to launch attacks against thousands of vehicles at once, with disastrous consequences.

Similarly, any application that is designed to be deployed on a mobile device should be subjected to rigorous analysis and code review, as it communicates with the head-end telematics servers of the TSP. It is therefore important that the application does not reveal sensitive data such as encryption keys, or other information relating to the head-end server systems that could aid attackers in compromising the TSP.