Protecting automotive systems against unauthorized access and tampering
The interfaces of digital storage media (CD, USB, MMC) provide a means to tamper with unprotected systems or to steal sensitive or licensed data. With hardware-based interfaces, attackers need to access the car’s interior. In contrast, wireless interfaces including Bluetooth, Wi-Fi, LTE, UMTS and the internet provide many more opportunities for attackers, who no longer even need to get into the vehicle. Theoretically, any internet access anywhere in the world can be used to attack a vehicle with an internet connection. Today, the infotainment system is the primary gateway used to attack a car. With their integrated telephone functions and smartphone connections, these systems can be used by attackers to access a lot of sensitive information including phone numbers, addresses and additional private data. Furthermore, on-board networks including CAN, FlexRay or Ethernet can be used as a means to access all the connected control units of a vehicle.
How strong is the motivation for hackers to access the on-board network of a vehicle to manipulate or even steal data?
Recent examples of hacked vehicles have demonstrated that it is relatively easy to compromise today’s conventional vehicles via the CAN bus. The risk is obvious even though this may entail a lot of effort and may not be very useful for hackers. In contrast, it is much more profitable to steal private data and licensing information from software, media data and navigation maps. As an additional aspect, licensed software should only be activated on a single control unit. Without tamper protection, the software could also be installed and used on a different infotainment system.
It is also important to link expensive pieces of equipment to a specific vehicle because infotainment units are frequently stolen from vehicles to be sold as replacement parts in other countries. It must be ensured that stolen components cannot be used in different vehicles.
In addition, odometer data is often manipulated in order to sell used cars for a higher price. The system must therefore include mechanisms preventing straightforward tampering.
‘Car-to-x’ and ‘car-to-car’ systems will become more important in the future. These systems, which are already being developed and tested in pilot trials, represent another milestone on the way to fully autonomous driving. The vehicles are equipped with an 802.11p-based Wi-Fi connection for communicating with other vehicles and roadside units (RSUs), which are installed as transmit and receive units along the road. The vehicles send so-called ‘safety messages’ including speed, acceleration and deceleration data to other vehicles or to receivers located close to the road. These data can be used to alert nearby drivers in case of an emergency brake. In addition, it is possible to determine the traffic flow, to issue congestion information, to control traffic lights or to alert other vehicles to hazards including moving road works, icy roads etc. It is mandatory to authenticate these data in order to ensure that they can only be issued by authentic sources. Attackers could otherwise use these car-to-x systems to provoke accidents or to paralyze the traffic system in order to blackmail individual drivers or even entire communities or cities. Congestion could be generated or vehicle positions monitored in order to use the intercepted data for criminal purposes.
The increasing pervasiveness of electronic payment functions meanwhile includes modern automobiles as well. Several smartphone manufacturers now offer NFC payment features that can be used at gas stations or highway tollbooths. In a vehicle environment, it might be an option to activate specific functions (including special convenience features) only for a limited time using the vehicle’s NFC and internet interfaces included in the infotainment system. Therefore, these must also be suitably protected against data theft and tampering.
Charging electric vehicles is another consideration. Directly billing the energy costs from the charging station via the user’s energy bill would be an attractive option. This requires a secure identification of the vehicle and the user. In addition, energy consumption data must be tamper proof, too. For a user-friendly implementation, this information could be exchanged immediately after connecting the charging cable without any further user intervention.
How Can the Vehicle’s Electronic Infrastructure Be Protected Against Unauthorized Tampering and Data Theft?
As mentioned above, the infotainment system provides the central interfaces that can be used to access the vehicle’s on-board electronic infrastructure.
Having an operating system, infotainment systems must be booted following a reset just like a PC. If the boot process is not authenticated, it is easy for attackers to start up the system with a different, compromised boot software to get access to the entire system infrastructure.
The JTAG debug port is another easily accessible system interface. Used for test and debug purposes, it also opens the door to the SoC (System-on-Chip). If this interface is left open, it is easy for hackers to enter the system.
Hackers can also use hardware interfaces or wireless ports to gain access to a system. Installed ‘malware’ can compromise the operating system in order to copy sensitive data or to install malicious software for this purpose.
The CAN interface has often been compromised via the infotainment system and has been used by hackers for attacking vehicles. Many tools are available on the market for analyzing unencrypted CAN data. Although AES encryption can mitigate this problem, it does not address the recording of data for replay at a later time: an encrypted message that is recorded and resent is still accepted as valid. Timestamping the encrypted data is required in order to solve this problem.
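As an added illustration of the encrypt-and-timestamp approach (example code written for this article, not a TI or OEM implementation; the frame layout, the 100 ms freshness window and the key are constructed assumptions), the following Go program seals each CAN payload with AES-GCM, authenticates the CAN ID and a millisecond timestamp together with it, and has the receiver reject frames that fail authentication, fall outside the freshness window, or carry a timestamp that is not newer than the last one accepted for that ID:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout (constructed for this example, not a CAN or AUTOSAR format):
//   canID (2 bytes) | timestampMs (8 bytes) | AES-GCM ciphertext | 16-byte tag
// The 10 header bytes are authenticated as additional data and, padded with two
// zero bytes, also serve as the GCM nonce, so the sender must never use the
// same (ID, timestamp) pair twice.
const (
	hdrLen   = 10
	maxAgeMs = 100 // assumed freshness window for accepting a frame
)

var (
	ErrAuth   = errors.New("frame authentication failed")
	ErrReplay = errors.New("stale or replayed frame")
	ErrNonce  = errors.New("timestamp not newer than last frame sent for this ID")
)

// Channel holds the shared key; an ECU keeps one per peer. lastSent guards the
// sender against nonce reuse, lastSeen is the newest timestamp accepted per ID.
type Channel struct {
	aead     cipher.AEAD
	lastSent map[uint16]uint64
	lastSeen map[uint16]uint64
}

func NewChannel(key []byte) (*Channel, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Channel{aead, map[uint16]uint64{}, map[uint16]uint64{}}, nil
}

func header(canID uint16, tsMs uint64) []byte {
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint16(hdr[:2], canID)
	binary.BigEndian.PutUint64(hdr[2:], tsMs)
	return hdr
}

func nonceFrom(hdr []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size
	copy(nonce, hdr)
	return nonce
}

// Seal encrypts data for canID at time tsMs and refuses to reuse a timestamp.
func (c *Channel) Seal(canID uint16, tsMs uint64, data []byte) ([]byte, error) {
	if tsMs <= c.lastSent[canID] {
		return nil, ErrNonce
	}
	c.lastSent[canID] = tsMs
	hdr := header(canID, tsMs)
	body := c.aead.Seal(nil, nonceFrom(hdr), data, hdr)
	return append(hdr, body...), nil
}

// Open authenticates a frame first, then enforces freshness relative to nowMs.
func (c *Channel) Open(frame []byte, nowMs uint64) (uint16, []byte, error) {
	if len(frame) < hdrLen+c.aead.Overhead() {
		return 0, nil, ErrAuth
	}
	hdr := frame[:hdrLen]
	data, err := c.aead.Open(nil, nonceFrom(hdr), frame[hdrLen:], hdr)
	if err != nil {
		return 0, nil, ErrAuth // modified, forged or wrong-key frame
	}
	canID := binary.BigEndian.Uint16(hdr[:2])
	tsMs := binary.BigEndian.Uint64(hdr[2:])
	// Older than the window, or not newer than the last accepted frame for this
	// ID: a recording being replayed, even though it decrypts correctly.
	if tsMs+maxAgeMs < nowMs || tsMs <= c.lastSeen[canID] {
		return 0, nil, ErrReplay
	}
	c.lastSeen[canID] = tsMs
	return canID, data, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key
	tx, _ := NewChannel(key)
	rx, _ := NewChannel(key)
	frame, _ := tx.Seal(0x1A0, 1000, []byte{0x12, 0x34})
	_, _, err := rx.Open(frame, 1010)
	fmt.Println("fresh frame:", err)
	_, _, err = rx.Open(frame, 1020)
	fmt.Println("replayed frame:", err)
}
```

The receiver checks the tag before it looks at the timestamp, so an attacker without the key cannot move a frame into the freshness window by editing the timestamp field. Because the timestamp doubles as the nonce, the sender side refuses to emit two frames with the same ID and timestamp; a production design would typically derive the nonce from a monotonic counter and use the SoC RNG for key material.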
SoC-Based Security Mechanisms for Infotainment Systems
Basically, there are three means to protect electronic systems and data against unauthorized access:
1. Authentication
2. Integrity Check
3. Encryption
Authentication means that only software signed by the originator can be executed on a system.
Integrity ensures that the software has not been changed, i.e. that no code sections were removed, added or modified.
Encryption makes data readable only to persons who have the suitable key.
All three of these basic methods are used in infotainment systems.
Infotainment systems are protected using an asymmetric security mechanism. A public key, which is stored in the SoC, is used as the basis for all security-relevant actions.
Therefore, only software signed with the correct private key can be executed on the device. In addition to the authenticity check, programs are also checked for completeness and modifications.
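As an added example (written for this article; not TI’s boot ROM code and not a real SoC image format), the following Go program shows the authenticity and integrity check just described: a release tool signs an image with the originator’s private key, and the device verifies it against the public key it has stored, rejecting images that are signed by another key, modified, truncated or padded. The header layout and the use of Ed25519 as the signature scheme are assumptions made here; the same pattern of checking a signature against a stored public key is what authenticating the car-to-x safety messages discussed earlier comes down to.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (an assumption for this example, not a real SoC format):
//   magic "IMG1" (4) | payload length, big-endian (4) | Ed25519 signature (64) | payload
const (
	magic   = "IMG1"
	sigLen  = ed25519.SignatureSize
	hdrLen  = 8
	fullHdr = hdrLen + sigLen
)

var ErrImageRejected = errors.New("image rejected: not authentic or modified")

// signedDigest is what the signature covers: the header fields and the whole
// payload, so neither can be changed without invalidating the signature.
func signedDigest(hdr, payload []byte) []byte {
	h := sha256.New()
	h.Write(hdr)
	h.Write(payload)
	return h.Sum(nil)
}

// SignImage plays the role of the originator's release tool.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	sig := ed25519.Sign(priv, signedDigest(hdr, payload))
	img := append(hdr, sig...)
	return append(img, payload...)
}

// VerifyImage plays the role of the boot ROM: pub is the key stored in the SoC.
// It returns the payload only if the image is complete, unmodified and signed
// with the private key matching pub.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < fullHdr || string(img[:4]) != magic {
		return nil, ErrImageRejected
	}
	n := binary.BigEndian.Uint32(img[4:hdrLen])
	if uint64(n) != uint64(len(img)-fullHdr) {
		return nil, ErrImageRejected // truncated or padded: completeness check fails
	}
	hdr, sig, payload := img[:hdrLen], img[hdrLen:fullHdr], img[fullHdr:]
	if !ed25519.Verify(pub, signedDigest(hdr, payload), sig) {
		return nil, ErrImageRejected // wrong signer, or any modified byte
	}
	return payload, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // pub would be burned into the SoC
	if err != nil {
		panic(err)
	}
	img := SignImage(priv, []byte("constructed firmware payload"))
	_, err = VerifyImage(pub, img)
	fmt.Println("genuine image:", err)
	img[len(img)-1] ^= 0x01 // flip one payload bit
	_, err = VerifyImage(pub, img)
	fmt.Println("modified image:", err)
}
```

The length field is checked against the actual image size before the signature, so a cut-off or extended image is rejected even though the signature is read and verified over the remaining bytes; this is the ‘completeness’ part of the check, while the signature over the digest covers authenticity and modification.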
The JTAG port, which can be used during the development phase, is fully disabled at the manufacturing stage. During development, it is possible to restrict the access privileges of the developer groups to the sections required for developing their programs.
From the MCU operating system, a specifically defined software API (Application Programming Interface) is required to access the MCU’s protected section (ARM TrustZone), where all security-relevant tasks are executed.
Today’s highly integrated SoCs including TI’s DRA7XX-SoC family are available in two variants: a GP (General Purpose) and an HS (High Security) derivative.
The HS derivatives provide a comprehensive security infrastructure meeting the requirements outlined above.
Hardware accelerators including the AES accelerator (Advanced Encryption Standard), the RNG (Random Number Generator) and the PKA (Public Key Accelerator) provide support for encryption and decryption tasks in order to increase the CPU cores’ availability for application-related tasks.
The ARM TrustZone included in the two Cortex A15 cores has been enhanced by a security infrastructure providing a secure section. This includes ROM and RAM and an access to the secure hardware modules and the symmetric and asymmetric keys.
Using this comprehensive hardware infrastructure and the software components, it is possible to provide the infotainment system and the gateways with full state-of-the art protection against any unauthorized external access.
Automobiles are increasingly equipped with new functions and control units operating with sensitive data. Therefore, the security requirements for protecting against unauthorized access and manipulation will become more widespread and more elaborate.
Just as the ISO 26262 safety standard was created based on necessity, a new standard for cyber security can be expected to emerge in the near future. The definition of SHE (Secure Hardware Extension) and EVITA (E-safety Vehicle Intrusion Protected Applications) represent initial approaches in this field. Connected vehicles, car-to-x projects and autonomous driving will make security a high-priority issue in automotive E/E systems.
About the author
Dipl.-Ing. Ralf Eckhardt is System Application Engineer at Texas Instruments.