The connected car has already become a reality. It is a subject not just electrifying customers and manufacturers but also security researchers and IT experts. And in a worst-case scenario, criminal hackers as well. For years, security experts have observed the fact that the desktop PC is not the only target of digital attacks anymore. A large part of the malware is now customized to hit mobile devices. It would be negligent to believe that this development would leave the connected car unmolested.
So far, attacks of criminal hackers on vehicles and their systems have been very rare exceptions. But the pivotal importance of security for connected cars has clearly become apparent to the OEMs. When the vehicle becomes a personal mobile device used by its owner for communication, and possibly personalized by apps, this setup provides would-be assailants with multiple potential manipulations.
But how can the automotive industry protect itself and its customers against digital attacks? Ruling out all air interfaces — a concept long favored by parts of the auto industry — is not in the interest of the customer. The need of a data exchange connection is also evident with innovative V2V or V2I services that will be developed including their relation to autonomous driving. So, for the future, there is no way to entirely avoid Bluetooth, WLAN, or cellular in the vehicle.
On the other hand, the classical approach — using call-backs and remedial work in repair shops — will not provide timely success in safeguarding vehicles against digital assailants either. In addition, recall campaigns cause tremendous expenses and damage the reputation of the car manufacturer. The race against car hackers cannot be won in this fashion. After all, it takes months before all jeopardized vehicles will have received a patch this way. In the meantime, hackers would continue their mischief. But such a time frame to ward off the danger is unacceptable because a manipulated vehicle can pose an enormous risk to the driver as well as his environment. Moreover, in many cases, it is possible to identify further weaknesses in the vehicle software during such a period, making the patch already obsolete at the time of its installation.
Let’s take a look at the world of mobile devices to find an indication of the alternative to repair recalls. The suppliers of apps and smartphone operating systems constantly deliver up-to-date versions of their products to terminal devices. Sometimes it is a matter of small patches to address weak spots while in other cases, new versions, including new functions, are launched into the market.
Such updates of software and firmware are delivered “over the air (OTA)” i.e. by way of air interfaces. As soon as these updates have been transmitted to the device, they are extracted and installed automatically.
Firmware over the air (FOTA) is an answer to the challenges of swiftly equipping a multitude of devices with the latest updates. The update procedure provides the potential of swift and continuous remedy of weak spots with appropriate patches while at the same time integrating new functions and modernizing cryptographic methods to secure, for example, the control units.
To make sure that a large number of control units can be updated by FOTA, the gateway method is employed. Between the backend and the control units to be updated, one control unit equipped with a mobile radio interface assumes the role of an intermediary. It receives all software packages through the air interface and distributes these to the destination devices via CAN bus systems or more performant communication channels such as Ethernet. In addition, the gateway electronic control unit (ECU) has the master function in controlling and coordinating the whole updating process. If an error occurs, rollback mechanisms may have to be initiated.
A Paradigm Change
Apart from the possibility of closing security gaps by FOTA, many other technical measures are necessary on the device side such as cryptographical safeguarding of all ECU interfaces, especially the wireless accesses for mobile communications, Bluetooth, and WLAN. In addition, the organization and the development processes will also need to be adapted to the new circumstances; for example, end-to-end risk analyses are not the rule but by now, they should be a mandatory part of the requirements asserted by manufacturers toward their suppliers.
In this endeavor, possible scenarios of attack upon any and all components of the chain would be scrutinized including their effects on security and ultimately on functional safety. Based on the results, adequate protective measures can be taken. Any success in this approach would only be guaranteed if the OEM, the supplier of the backend solution, and the control unit manufacturers cooperate from an early stage of development forward.
This approach requires turning away from the black-box development of control units to embrace a holistic approach to security. Moreover, measures to generate and maintain security must not be terminated after production has begun. Security analyses, security-oriented testing, and the remedy of security gaps by FOTA must be kept up continuously throughout the lifespan of any product.
Organizational measures concerning secure development and production include, for example, controlling the means of access to confidential data, such as keys and certificates, as well as development specifications related to components relevant to security. Such data and documents must be stored in an encrypted form on safeguarded servers — access to which is limited to very few persons by means of authentication.
Special importance must also be assigned to security-oriented testing. Penetration tests, in particular, make it possible to pinpoint security gaps. Using the means and methods of hackers, the tester will deliberately try to intrude into the system. The results indicate the current level of security and will inform the development of counter-measures to seal off critical weak spots.