Part 1: Identity as a Basis to Mitigate Risk
Connected Cars: Trend Towards Innovation
Cars are purchased to meet people's transportation needs, to get from point A to point B, but consumers increasingly expect a driving experience that integrates with their connected lives. Daily interaction with smartphones and other consumer electronic technologies has fostered the consumer expectation that their cars will seamlessly allow them to use infotainment services such as media and navigation.
The cockpit experience is a competitive battleground for automotive brands. To remain competitive, automotive OEMs implement connectivity technologies such as WiFi and Bluetooth, as well as driver facing operating systems and applications. Automotive OEMs are not only providing a transportation solution, but also a digital service delivery platform. The opportunities and risks of automotive companies becoming digital businesses will be discussed in Part 2 of this blog.
The Challenge: Innovation Brings Complexity, Risk
The internal domain of an automobile consists of many electronic components, from the Transmission Control Unit (TCU) at the powertrain, to the Electronic Control Units (ECUs) controlling engine management, to the head unit that informs and interacts with the driver. Adaptive cruise control, parallel park assist and other advanced driver assistance systems (ADAS) are implemented by internal ECUs that require networked access to sensors and the driver interface. These critical computer systems should ideally be isolated from consumer connectivity technology, but the complexity of the automotive system as a whole has become a risk surface. Competition will continue to bring further innovation, but the increasing risk needs mitigation.
Wired connectivity within a car has its own risks. The on-board diagnostics port (OBD-II) not only gives access to engine light codes, but also has the potential to allow a connected device to issue commands to critical automotive functions. Because the port is not protected with authentication, the automobile is compelled to accept commands from anything that can physically connect to it and issue commands in the correct format. Attackers need physical access to the port in order to execute malicious commands, which limits the attack potential; however, there is a trend towards connecting the OBD-II port to a module that includes wireless technology. Usage-based insurance is an example of a consumer use case that wirelessly transmits data from the OBD-II port. This technology brings privacy and safety risks that need mitigation. We have already seen implementations of this technology that completely lacked authentication or data encryption, leaving users of this technology highly vulnerable.
Remote attacks on automotive systems are most worrisome. The Chrysler Jeep demonstration attack from 2015 was an early example of a remote automotive attack that could have led to a catastrophe. The targeted automobiles could be remotely controlled via wireless technology because the critical internal automotive systems were not sufficiently protected from consumer facing technology. Commands to invoke brakes or move the steering wheel should come from control units that are authenticated and authorized to do so.
A recent demonstration attack on the Tesla Model S showed how the firmware of an electronic control unit could be maliciously modified. Assuring the integrity of automotive firmware and software is critical to ensure that the car works as intended.
Automobile manufacturers and their supply chain need to implement security to protect the critical internal domain of the car.
A Trusted Ecosystem within the Automobile
The safety and privacy risks associated with this enhanced connectivity between critical systems and consumer facing technology can be mitigated by ensuring a trusted ecosystem within the automobile. This approach requires critical components to be able to uniquely identify each other, know what commands are acceptable and ensure the integrity of messaging. This is accomplished by issuing identities to automotive devices and managing their lifecycle. The managed lifecycle of secure identity starts at the manufacturing stage. When trust is extended from pre-manufactured product components to the car being sold, trust can then be further extended to the new car owner. The result is data flow security that not only mitigates risk, but also enables services.
Automobiles bring unique constraints to how identity based security can be implemented. The Controller Area Network or CAN Bus has limited bandwidth and electronic control units have limited computing power. Automotive security designs need to take into account capability constraints and cost sensitivities. Standards work by HIS (Evita) and TCG have identified levels of security and a need for identity lifecycle at various points in the car based on threat models.
Modern automotive components are increasingly utilizing security technologies such as hardware secure elements, secure boot, firmware signing, hypervisors and app isolation. These technologies provide a trustworthy environment to securely store and manage a trust anchor. Advanced technologies such as network access control and CAN Bus monitoring are also going to provide important layers of security, but secure digital identities are not susceptible to false negative and false positive monitoring logic. Knowing the identity and privilege of the origin of commands and ensuring the integrity of data creates a secure device ecosystem.
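As an added illustration (not code from the original post or from any OEM), here is a simplified model of the three checks the trusted ecosystem above requires on a single CAN frame: the receiver verifies that the command comes from the identity entitled to send that CAN ID, that the payload is intact, and that it is fresh. Every key, CAN ID and command value is constructed and hypothetical; the frame layout (4 data bytes, a 1-byte freshness counter and a 3-byte truncated MAC in one 8-byte payload) is chosen to respect the bandwidth constraint of the CAN bus and loosely follows the idea behind AUTOSAR SecOC, not any particular vehicle's protocol.

```python
import hmac
import hashlib
import struct

# Constructed sample values (hypothetical): per-ECU keys provisioned at manufacture,
# and the policy of which ECU identity owns (may send) each CAN arbitration ID.
ECU_KEYS = {
    "brake_ecu": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "head_unit": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
CAN_ID_OWNER = {0x0A0: "brake_ecu", 0x3C0: "head_unit"}  # brake command / volume command
MAC_LEN = 3  # 4 data bytes + 1 freshness byte + 3 MAC bytes = one 8-byte CAN payload


def _tag(key, can_id, body):
    """Truncated HMAC over the CAN ID and the 5-byte body (data + freshness counter)."""
    return hmac.new(key, struct.pack(">H", can_id) + body, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(sender, can_id, data, counter):
    """Sender side: the ECU signs with its own identity key. Returns the 8-byte payload."""
    if len(data) != 4 or not 0 <= counter < 256:
        raise ValueError("4 data bytes and a 1-byte counter expected")
    body = data + bytes([counter])
    return body + _tag(ECU_KEYS[sender], can_id, body)


class Receiver:
    """Receiver side: authorization (who owns the ID), integrity (MAC), freshness (counter)."""

    def __init__(self):
        self.last_counter = {}  # can_id -> last accepted counter, to reject replays

    def accept(self, can_id, payload):
        owner = CAN_ID_OWNER.get(can_id)
        if owner is None or len(payload) != 8:
            return False, "unknown CAN ID or malformed frame"
        body, tag = payload[:5], payload[5:]
        # Verify with the key of the identity entitled to send this ID; any other
        # sender (a head unit, an unprovisioned OBD-II dongle) cannot produce a valid tag.
        if not hmac.compare_digest(tag, _tag(ECU_KEYS[owner], can_id, body)):
            return False, "MAC check failed: not from the authorized ECU or tampered"
        counter = body[4]
        if counter <= self.last_counter.get(can_id, -1):
            return False, "stale or replayed counter"
        self.last_counter[can_id] = counter
        return True, "accepted"
```

A 1-byte counter is only illustrative; a production design needs a wider freshness value and a synchronization scheme so that the counter never wraps into reuse.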
Automotive predictive maintenance, car ownership change, ride sharing, fleet management and driver experience customizations are services that can be consumed only if they can be offered securely. Identity plays a large part in enabling these use cases. Extending trust between entities and across third parties is something that identity based security has been doing for two decades. We will further discuss the enablement of services offered by a trusted automotive ecosystem in Part 2 of this blog.