The automotive industry has seen a fundamental shift due to the rapid evolution of connectivity. Carbon fiber and computer chips have now replaced steel and pistons. The ‘Connected Car’ is not a distant sci-fi dream anymore, it is the present, and it is now. The most sophisticated mobile device in the IoT landscape is undoubtedly the connected car- fuelled by customer demand.
A car that drives itself- the ultimate feature of a connected world, would be 10% hardware and 90% software. The connected car would be connected to the driver, to other vehicles in the network, and to the cloud. At present, cars from Tesla, Nissan and Audi are “connected cars”, comprising in-built wireless connectivity. Today’s connected cars have embedded or tethered connections to facilitate connection between cars and smart phones. The connected future comes with a set of risks, and security is the key to improvements in the space.
The Black Hat conference last year proved that any car with a CAN bus can be hacked with a laptop and some basic off-the-shelf hacking software. The consequences of this kind of an attack is multi-faceted, from something innocuous like displaying wrong telemetry on the dashboard, or dangerous like applying brakes or remotely taking control of the car. Anything with an IP address is vulnerable to attack. Ford Chrysler recalled 1.4 million cars after it was revealed that vehicles equipped with certain radios were vulnerable to attack through remote manipulation.
An increasing number of car manufacturers are now marketing their car as connected vehicles equipped with on-board Wi-Fi, and apps that could open doors, and even start the car. These “cool” features undoubtedly increase the novelty quotient, but whether these features are equipped to deal with situations like loss of smartphone is a point of concern. If a hacker can successfully compromise a sensor that monitors operating temperature of a piece of equipment, it can severely hamper the safety of passengers.
The following are common attack patterns in automotive IoT
- Telematics service impersonation
- Firmware update manipulation
- Jailbreaks through third party apps
- Controlling ECU decision making by CANbus instrumentation
- Sensor data impersonation
- Abuse of security certificate
The issues listed above can be tackled through various approaches.
- Using a trusted computing base
A TCB is a collection of policies and procedures that enforce application based tokens, based on which a platform’s trustworthiness can be determined. A sound TCB can eliminate cloning and spoofing. The use of a TCB can promote the use of authentic components within a service, as well as increase interoperability between different components of a service.
- Secure Network Communications
In a secure communication network, all components must be able to authenticate one another, in an open and confidential manner, as and when applicable. Most IoT products currently use PAN, Bluetooth Low Energy, Zigbee and Thread. However, these cryptographic algorithms do not guarantee security and data confidentiality. The security of network communications is a crucial aspect of IoT security.
- Application Restriction
Application security, particularly related to third party apps should be isolated in jails, virtual machines, containers, or another abstraction in order to ensure that they cannot elevate their privileges to admin level or gain access to low-level drivers.
It is crucial to ensure that applications do not have permission to write or read from memory of other applications.
Uber, Intel and IoT provider Aeris have formed a coalition, inviting automakers to pool resources and bolster vehicle architecture components with cybersecurity features.
A multi-layered security approach will help preserve data and device integrity. The coalition will include OEMs, transportation network companies, automotive supply chain providers, self driving vehicle specialists, chip providers, hardware and software suppliers, academics, researchers and hackers.