
SOTA Security – lessons learned from IT and mobile

By Terry Hughes / Jan 12, 2016


(This article was featured in Smart Automotive Magazine's Jan-Feb Edition.)

Section 1. The case for the secure connected car

It is inevitable that cars will be connected to the internet, whether via built-in cellular modems or companion smartphones. In 2015, over 20% of all cars sold worldwide had embedded connectivity, and forecasts predict around 200 million internet-connected vehicles within 5 years. Many industries, including banking and defense, were initially reluctant to be connected to the internet, but they overcame those concerns by applying layers of security and protection. Almost every business you can think of is online these days, so when we hear the automotive industry express concerns about their cars being routinely connected and updated over the air, are those concerns valid, and what can they do to ensure safety and security?

In defense of the connected car and SOTA (software over the air) updates: the Volkswagen emissions scandal will result in a mass recall of millions of vehicles at tremendous cost to VW, and many owners won’t bother going back to their dealer for the update, so they will keep driving around with out-of-date software. It’s easy to see how much better it would have been for VW if every car had been connected.

In defense of the automotive industry’s concerns about being connected, although smartphones have been connected from day one and are routinely updated over the air, the car industry has three unique and genuine concerns:

1. The average car weighs 4,000 lbs, so a hacker could theoretically take over a car and turn it into a weapon capable of causing death and destruction.
2. A hacker or a rogue software update could theoretically “brick” the vehicle, rendering it useless and forcing the owner to return it to the dealer to be re-flashed, assuming it could even be driven there. If that happened on a large scale, the financial and logistical impact on the automotive industry would be massive.
3. Cars that drive more autonomously are being rolled out and self-driving cars are under development; by their very nature they will be hyper-connected (one of the reasons Google and Apple are so interested in this space). Now is the time to develop security models that can extend to these new use cases in the years to come.

Consumers are demanding that their next vehicles be connected so that they can enjoy advanced in-vehicle infotainment and in-car WiFi, and manufacturers fully understand the ROI of being able to update and diagnose vehicles remotely. The connected car is therefore inevitable, so the industry’s attention is turning to how to do it as securely as the banks and the defense sector have done before them.

Section 2. Is the car just like a PC or smartphone?

My company AppCarousel has been providing app stores and software management solutions across various sectors for 15 years, all the way back to when smartphones were a twinkle in BlackBerry’s eye. We have watched antivirus and malware protection companies like Kaspersky, Bitdefender and Avast enter first the PC market, then the smartphone market, and now the IoT (Internet of Things) market. So I figured that if there was a genuine connected car security risk, these antivirus companies would have solutions in place or at the very least would be making lots of noise, so I decided to look at arguably the two biggest and best known of them all: Symantec (a public company) and McAfee (acquired by Intel in 2010 and now part of the Intel Security division).

What’s interesting about Intel and their subsidiary Wind River is that they are heavily into supplying connected car silicon and hardware to Hyundai (driver information system), BMW (navigation system), Infiniti (in-vehicle infotainment system), and Kia (in-vehicle entertainment system). Their acquisition of McAfee is paying dividends in their ability to provide end-to-end protection, importantly by using the essential combination of hardware and software techniques. In September 2015 Intel Security launched the Automotive Security Review Board (ASRB) to stimulate automakers and electronics companies to come together to enhance the physical system security of vehicles.

In a white paper, Intel Security discusses many techniques for protecting the connected car infrastructure, including secure boot loaders that check the digital signatures of all software about to be run on each ECU (electronic control unit), active memory protection against the overflow conditions that malicious code can exploit, and virtualization using software containers in which downloaded code is run. Regarding SOTA, Intel’s paper talks about the need to protect both the cloud end and the in-vehicle end of the link, including encrypted communications, threat intelligence exchanges and databases (as are commonplace in PC protection), and credential management in which everyone in the SOTA value chain is authenticated via federated identities using cryptographic keys.
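As an added illustration of the signature-checking boot loader and key-based credential management the paper describes (this is example code written for this page, not Intel's or McAfee's, and not from the original article), the following Go program signs a hypothetical update manifest on the cloud side and, on the vehicle side, accepts the image only if the signature, anti-rollback version and image hash all check out. The Manifest format, the ECU name and the key handling are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Manifest describes one ECU image; the field set is a hypothetical one for this example.
type Manifest struct {
	ECU     string   `json:"ecu"`
	Version uint32   `json:"version"`
	SHA256  [32]byte `json:"sha256"`
}

// SignManifest runs on the OEM/cloud side: serialise the manifest and sign it with the OEM key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m) // cannot fail for this struct
	return body, ed25519.Sign(priv, body)
}

// VerifyUpdate runs in the vehicle (boot loader or update agent): accept an image only if the manifest
// verifies under the OEM public key, the version is newer than installed (anti-rollback) and the hash matches.
func VerifyUpdate(pub ed25519.PublicKey, body, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return err
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback rejected: version %d <= installed %d", m.Version, installed)
	}
	if sha256.Sum256(image) != m.SHA256 {
		return fmt.Errorf("image hash mismatch for ECU %s", m.ECU)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed OEM signing key
	image := []byte("constructed BCM image, version 7")
	body, sig := SignManifest(priv, Manifest{ECU: "BCM", Version: 7, SHA256: sha256.Sum256(image)})
	fmt.Println("genuine image:", VerifyUpdate(pub, body, sig, image, 6))
	image[0] ^= 1 // same signed manifest, tampered image
	fmt.Println("tampered image:", VerifyUpdate(pub, body, sig, image, 6))
}
```

In a real vehicle the public key would be burned into the ECU's immutable boot ROM or a hardware security module rather than held in mutable flash, so that an attacker who can rewrite the application image still cannot replace the trust anchor.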

The paper also discusses why hackers might want to get into the car’s systems in the first place, including malicious attacks to take over the vehicle, mischievous attacks just to prove it can be done (as was recently seen when a Jeep was hacked while doing 70 mph on a freeway), and fraudsters who want to steal the driver’s personal information, including addresses stored in the navigation system and information stored on the connected mobile phone. When you add to that the fact that today’s car can be penetrated via cellular, satellite, WiFi, Bluetooth, USB, OBD II and wireless remote keys, Intel recommends a holistic approach: it’s not enough just to firewall the SOTA cloud from the car; the car also needs on-board protection for attacks that come in through one of the non-SOTA entry points.

Symantec have also released a white paper on vehicle security, which focuses on protecting the various layers of the connected car architecture, from the cloud-based layer, through the radio layer, to the single-board computer (SBC), body control module (BCM) and various ECUs, down to the smaller sensor modules, the chips driving those modules, and the bus protocols connecting them all together including the commonly used Controller Area Network bus (CAN bus). Symantec’s paper discusses the fact that it will take many years to truly secure all aspects of the connected car but that an essential starting point should be to lock down the “head unit” which is often the most powerful SBC in the vehicle (and nearly always the most connected module today), then to use that head unit as a beachhead for managing and updating the rest of the car. Symantec’s techniques include whitelisting of good code that is pre-approved along with controlling how that code is permitted to behave, running code in sandboxes, and monitoring code and activity across the CAN bus, over the air and within the modules to detect and deal with anomalous behaviour.
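The CAN-bus monitoring Symantec’s paper mentions can be illustrated with a simple per-ID timing baseline: most CAN IDs are broadcast periodically, so an injected frame shows up as an ID that is not on the learned whitelist or as an ID arriving far faster than its normal period. The Go program below is an added example written for this page, not Symantec’s technique or code from the article; its traces, IDs and threshold factor are constructed.

```go
package main

import "fmt"

type Frame struct{ T float64; ID string } // one CAN frame: timestamp (s) and arbitration ID (hex)
type Baseline map[string]float64          // mean inter-arrival period per ID, from known-good traffic

// Learn derives the baseline from a capture taken while the vehicle is known to be clean.
func Learn(frames []Frame) Baseline {
	last, sum, n := map[string]float64{}, map[string]float64{}, map[string]int{}
	for _, f := range frames {
		if t, ok := last[f.ID]; ok {
			sum[f.ID] += f.T - t
			n[f.ID]++
		}
		last[f.ID] = f.T
	}
	b := Baseline{}
	for id := range n {
		b[id] = sum[id] / float64(n[id])
	}
	return b
}

// Detect flags IDs absent from the baseline (not whitelisted) and IDs arriving more than
// factor x faster than their learned period, the typical footprint of injected frames.
func Detect(b Baseline, frames []Frame, factor float64) []string {
	var alerts []string
	last := map[string]float64{}
	for _, f := range frames {
		period, known := b[f.ID]
		if !known {
			alerts = append(alerts, fmt.Sprintf("%.3f unknown ID %s", f.T, f.ID))
		} else if t, ok := last[f.ID]; ok && f.T-t < period/factor {
			alerts = append(alerts, fmt.Sprintf("%.3f ID %s interval %.3fs vs baseline %.3fs", f.T, f.ID, f.T-t, period))
		}
		last[f.ID] = f.T
	}
	return alerts
}

func main() {
	// Constructed traces: ID 1A4 every 100 ms when clean; the live trace has a 10 ms burst and an unknown ID.
	good := []Frame{{0.00, "1A4"}, {0.10, "1A4"}, {0.20, "1A4"}, {0.30, "1A4"}}
	live := []Frame{{1.00, "1A4"}, {1.10, "1A4"}, {1.11, "1A4"}, {1.12, "1A4"}, {1.13, "3F2"}}
	for _, a := range Detect(Learn(good), live, 5) {
		fmt.Println(a)
	}
}
```

Event-driven IDs (brake, door, indicator frames) are not periodic, so a production monitor would keep a separate rule set for them rather than a single timing threshold.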

Section 3. Lessons learned

Both McAfee and Symantec carved out successful businesses because the world of PCs is full of hardware, software and cloud services made by thousands of different vendors that have to interact, and hackers like to exploit the gaps and vulnerabilities between those interactions, including weak APIs and poorly designed interfaces. That’s why almost all PCs today have deep and total protection from the likes of Intel Security and Symantec. Today’s car has those same characteristics as the aforementioned PC, but without that deep, end-to-end holistic protection. AppCarousel therefore recommends that automotive manufacturers should:

1. Secure their value chain of suppliers, by only buying from trusted vendors and by auditing every aspect of their design and security policies to ensure that those components are as secure as they can be, not only in isolation but when connected to other parts of the car. Car companies should design and implement top-down, end-to-end hardware and software security models and then ensure that their value chains adopt them.
2. Carefully and slowly open up the car’s connections to the wider world, first by securing the connections to the networks and the internet, then by allowing only a small set of curated and trusted partners to provide apps, software and data to the vehicle, followed by a rigorous and secure set of highly policed APIs and interface points between partners and the connected car cloud.

In summary, the connected car doesn’t need to – and therefore shouldn’t – be as open as the PC and the smartphone. Because the car is unique among connected IoT devices due to the expensive and dangerous risks of being hacked, a different approach to securing the car is needed. I believe that one day the car will be just like a PC, but the road to securing it like a PC is long, with many lessons to be learned from how other connected devices are being secured along the way.

AppCarousel is a tier 1 vendor of secure cloud solutions and curated walled garden app and partner programs to companies including Jaguar Land Rover, and as such AppCarousel is working within the connected car industry to secure vehicles while enhancing driver experiences today and into the future.

Terry Hughes, Managing Director and SVP, AppCarousel.com

The full article in Smart Automotive Magazine can be read at: http://telematicswire.net/mag/2016/JanFeb/index.html#/15

Works Cited

Intel Security McAfee. (2015). Automotive Security Best Practices. Retrieved from http://www.mcafee.com/ca/resources/white-papers/wp-automotive-security.pdf

Symantec. (2015). Building Comprehensive Security Into Cars. Retrieved from http://www.symantec.com/content/en/us/enterprise/other_resources/building-security-into-cars-iot_en-us.pdf