When greater vehicle safety ≠ greater cyber security

By: Andy Davis, Research Director, NCC Group.

In 2015 we saw unprecedented levels of publicly released cyber security research into vehicle systems; almost every month a new announcement was made by security researchers at hacker conferences about a different element of the connected car attack surface being targeted. I was part[1] of that wave of research, which is still accelerating at great pace. One of the most important, recurring themes highlighted in many of these research projects was the importance of segregation between infotainment and cyber-physical vehicle systems. The infotainment system that the vehicle occupants interact with either physically or via wireless networks, such as Wi-Fi and Bluetooth, presents a huge attack surface for the modern connected car due to the number of exposed interfaces and media codecs supported. Where telematics solutions interact with infotainment to provide services such as Internet access via the mobile network, that attack surface is sometimes exposed to malicious users anywhere on the planet. When inadequate segregation exists between these highly connected systems and vehicle control systems on the CAN bus, such as braking and steering, attackers who have successfully compromised a head unit can pivot their attacks toward these more sensitive systems, severely impacting vehicle safety. Therefore, the infotainment system and the cyber-physical systems should be highly segregated to ensure that vehicle safety cannot be affected by the compromise of the head unit.

Current segregation methods

As there are currently no public cyber security standards[2] that exist to guide OEMs and their suppliers as to the best way to design and configure vehicle systems in a secure manner, there are a whole range of different connectivity approaches that have been adopted by the automotive industry. These range from no segregation i.e. direct connectivity to the CAN bus from the infotainment system, to the use of a message bus systems such as D-Bus[3], through to “CAN Gateway” modules that are functionally equivalent to a network firewall.

The rise of ADAS

Over the years as vehicles have become more and more “aware” of their surroundings through the use of various sensor technologies, Advanced Driver Assistance Systems (ADAS) have leveraged these sensors to increase driver safety. ADAS functionality within a modern vehicle typically comprises some combination of the following:

• ACC – Adaptive Cruise Control
• AEB – Autonomous Emergency Braking
• BSM – Blind Spot Monitoring
• LDW – Lane Departure Warning

As more and more functionality (including ADAS) has been added to vehicles over time, the dashboard has become increasingly cluttered with buttons, which in turn has increased driver distraction, potentially impacting safety, so OEMs in recent years have tried to de-clutter the dashboard and integrate the control of as many features as possible into the infotainment system.

Below are some statistics provided by SBD[4] (an NCC Group partner company) about a selection of vehicles that constitute a representative sample of modern connected cars with ADAS features. The brands include a mix of prestige and standard vehicles from Europe, Asia and the US. The study investigated how ADAS features were controlled within each vehicle, by the use of physical buttons or via the infotainment system.

The study revealed that 42% of vehicles with ADAS features allow some form of control of them via the infotainment system e.g. ADAS features could be configured and/or activated and deactivated via the head unit.

 

33% of the head unit-controllable ADAS systems could control AEB, 50% could control BSM and 42% could control LDW. None of the vehicles investigated would allow ACC to be controlled by the head unit.

Conclusions

If ADAS features have been integrated into the infotainment system then functionality such as Autonomous Emergency Braking needs to be able to affect a cyber-physical system (the brakes) directly from the infotainment system. Therefore, if an attacker has managed to remotely gain unauthorised access to the infotainment system, even if rigorously implemented segregation prevents them from pivoting their attack to the CAN bus, because functions that control ADAS features exist on the head unit they just need to execute that functionality in order to e.g. disable AEB without the driver’s knowledge.

The security impact of design decisions such as the integration of ADAS into the head unit would be highlighted during the process of Threat Modelling, a core component of a Secure Development Lifecycle, or SDL[5]. There is widespread agreement amongst the cyber security community that the best approach to vehicle systems development is one that adopts the concepts of an SDL, which essentially considers cyber security at all stages throughout the development lifecycle of a product or system. This increases the overall security of the system and reduces the chances of a design-level security flaw being highlighted during testing after the system has been fully developed, which could result in either a costly re-design or a bolt-on security solution that may not be completely effective in mitigating the risks associated with the flaw.

[1] https://www.nccgroup.trust/uk/about-us/resources/black-hat-usa-2015-whitepaper-broadcasting-your-attack–dab-security/

[2] Some cyber security guidance such as SAE J3061 is currently in development, but the scope is still small

[3] https://en.wikipedia.org/wiki/D-Bus

[4] http://www.sbd.co.uk/

[5] https://www.nccgroup.trust/globalassets/landing-pages/automotive/asdl-automotive-secure-development-lifecyclepdf

Reading the future: Aric Dromi from Volvo and the impact of connected cars

Aric Dromi is Chief Futurologist for Volvo Car Group. He will be speaking at Apps World Germany on the future of connected cars and potential cyber security threats they might present.

Aric, can you tell us a little bit about what being a ‘futurologist’ involves?

I often joke that a futurologist convinces mortals that immortality is possible! They need someone to help look behind corners. In a business sense, we take people beyond their comfort zones. A futurologist doesn’t predict the future per se – if only I could do that! Instead we help decision-makers navigate the future.

What kind of research is involved in predicting trends?

I consume something like 400-500 headlines a day. From that I choose 40 – 100, depending on the topic of the day. I used to have a folder on my computer called ‘I told you so’. A friend advised I needed to change it to ‘I showed you so’ and that is the truth. A lot of my work is conceptualising but I need to deliver at the end of the day.

How did you move into the car industry?

Because I hate cars! That’s 80% of why I do what I do. I hate the stodgy, old school car which just moves us from one point to another. I love the idea of this wonderfully immersive, connected technology which will push us into a different realm altogether.

What specialised challenges does the automotive sector present in terms of predicting trends?

There’s a quote I like: ‘the current generation of politicians are forcing us to underutilise the potential of technology’. In the same way, in the traditional car industry, there can be a fixation on horsepower or infotainment, whereas the future is the massive potential of connected technology. There are definitely exceptions to this, e.g. the attitudes taken by Tesla or BMW.

The connected cars space is a fast growing area. Is there anything in particular coming out that you’re excited about?

It’s exciting to me that ‘user personality’ will be powering the car. The user smartphone that is based in the middle of the steering wheel be driving the technology.

 As car connectivity becomes more complex, what are the main cyber security concerns that carmakers need to address?

Carmakers have an old-fashioned approach to security – which is that EVERYTHING needs to be secure. Privacy died when the internet was born. They need to start thinking about how to deal with the openness of connectivity.

 What do you think will be the main focus of cyber security measures for developers over the next few years?

For developers, they need to start thinking less about applications and more about service on demand. Code won’t develop in a silo – it is and will be part of an ecosystem.  OEMs need to provide developers with a well-defined set of APIs.

As well as being a futurologist and a digital philosopher, you’re a self-described ‘professional trouble-maker’. In what way does it pay to push against the status quo?

Being a futurologist can be an incredibly lonely job. You will be ridiculed and dismissed. It takes a lot of strength to stand by your opinions when they are against the status quo. But what IS fun is to see the look in people’s eyes when they realise that you are speaking the truth! THAT is rewarding.

Integrating the ability of vehicles to talk to each other and to infrastructure into ADAS and infotainment systems

by Thomas Willatt

Interview with Bernd Luebben, VP of Business Development, Cohda Wireless Europe GmbH.

The ability of cars to directly communicate with one another and with infrastructure, without the need for conscious control by the driver, is a key element of integrating the vehicle into the wider internet of things. This allows cars to gather and transmit information that will lead to fewer accidents, less traffic and greater fuel efficiency.

Cohda Wireless has been a leader and innovator in this space. Connected Cars World had the chance to sit down with Bernd Luebben to discuss the opportunities and challenges being faced by this key element in the development of truly connected cars.

How has the perception of Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communication technology changed?

I think that the industry has moved away from the perception of V2X as a stand-alone sensor technology. It is now viewed as a sensor which can be fused into the existing ADAS systems to be integrated with lidar, radar and camera systems. This is the trend and OEMs have recognized there is this migration going on.

V2X is not in competition to traditional Line-of-sight (LOS) ADAS sensors but really complimentary because it offers features which conventional ADAS systems cannot. For example, it can look around the corner (None-line-of-sight NLOS) and it can work when it’s raining, snowy or icy. It works in very rough conditions, where other sensors like camera systems and radar systems have their disadvantages.

GM is the only carmaker today that has officially announced that they will launch with V2X, using DSRC. They are going to be using Delphi as a Tier-1 supplier and Cohda as a V2X Software supplier for that project.

In talking with auto OEMs, they are all keen to launch with V2X but many want to wait for the US Department of Transport (DOT) to announce their mandate on the issue. at least in North America. That mandate is vital because they know that other cars need to be equipped for their cars to have any benefit.

Standardization and a well understood regulatory environment for this technology is vital. Do you think that regulatory bodies around the world are keeping pace?

When V2V and V2I communication was first conceptualized, it was the US DOT brought the car makers into the discussion so that they could be involved in developing the standards. The challenge, in North America at least, is that there is no pending mandate to force states and municipalities to implement this. The US DOT is looking at other ways to arrive at the right place on the infrastructure side.

The mandate will make a big difference not only in the US but in other regions. I think we will see different trends in different regions. In Europe it is a bit of patchwork. We don’t expect to see a mandate across the European Union from the European Commission, but we see lot activities in several countries like UK, France, The Netherlands, Germany, Austria, and Czech Republic, to mention only a few.

In Asia Pacific \ we see a lot activity across the regions. China is pushing very hard on V2X. Japan and Korea have already started doing big field trials with thousands of cars. All of the OEMs that are looking to sell cars into the US will have to offer this technology sooner or later.

Is Cohda actively engaging with infrastructure builders?

Absolutely, but it is a different industry and a different process to working within the auto sector. It comes with its own challenges. In the US for example, there are a number of engineering services firms that do all of the design and development for the state DOTs but then the DOTs are the ones that are sourcing the product. Kind of like the auto OEM/Tier-1 relationship where you need to work both sides of the angle.

The state DOTs are now investing heavily to expand and renovate their infrastructure and in Europe the ITS corridor infrastructure project is advancing. In Asia-Pacific there are other major infrastructure projects being deployed. Infrastructure improvement is going to be a vital part of V2X success.

We are working with major infrastructure vendors, such as an agreement with Siemens. This allows us better understanding and access to that sector. It is very positive to see such levels of activity and desire from both sides of the equation.

On the automotive side, is your priority to be working with Tier-1s or Auto OEMs?

Really it is both, because carmakers are looking at V2X from a slightly different perspective from Tier-1s.

We work very hard to stay in front of the OEMs, even though we are essentially a Tier-2 supplier. We need them to understand the benefits that Cohda brings over our competition.

We don’t want them to look at V2X as a standard product. The way that we implement this technology is very different to our competitors and we want the industry to see that.

What opportunities do your relationship with NXP Cisco offer?

NXP and Cisco Systems are strategic investors for Cohda Wireless. We have a very close relationship which has allowed us to co-develop elements of our offering, leveraging the strengths of these partners. However, we also maintain independence to use outside suppliers where it makes sense in order to ensure that we are offering turn-key solutions based on the most reliable hardware and software.

What are the challenges that carmakers are facing in order to achieve widespread adoption of V2X?

The challenge right now for OEMs is the question of how are they going to roll this out within their production schedules. Is it a stand-alone box? is it an integrated box? If it is integrated, is it integrated with the ADAS system or with an infotainment system?

Those types of architectural issues are really more what the OEMs are focused on, rather than are we going to do it or not do it. They have been involved for the past fifteen years. They know this is coming. It is now a matter of how.

Where do you think we’ll be in five to ten years?

Compared to five years ago, a lot of things have happened. In the next five years, I expect that these technologies will make a big impact on the automotive industry and the driving environment. I think it’s going to be a very different world.