Improving automotive cyber security
Keywords: cyber-security, ECU, over-the-air, ARM TrustZone, cryptographic accelerators
It is not so difficult to boost an engine with more horsepower by modifying its engine management system (EMS). What do carmakers think about this? Beyond the revenue losses they may suffer (because the customer thinks "why buy the 200HP model if I can tune the cheaper 150HP model?"), they can also face costs for engine repairs or replacements because the engine was badly managed by a modified EMS. And usually they are not able to prove that a modification took place.
Carmakers may not care so much about odometer fraud, but would you not care when buying a second-hand car? How can you make sure this lovely affordable station wagon really has 60,000 km on the clock and not twice that? In fact, you cannot. However, you may experience the difference... and finally blame the carmaker for poor quality. Would they care about this then?
What is security all about in a car? It is certainly about protecting its commercial value as a whole, not only from the carmakers' perspective, but also for car owners and to a certain extent for system suppliers. Carmakers have an interest in protecting features from being used when they are not paid for, while ensuring that no additional warranty or maintenance costs due to illegal usage will reduce their profits even further. System suppliers have an interest in offering added-value protection systems, and they also have an interest in protecting their intellectual property. Owners feel more comfortable when they know their car is securely locked and protected when parked, and when their private data are kept confidential. Future owners would be happy to have a guarantee on used cars without having to pay for it.
Would that be all? Well, there is more at risk than money... How can a car protect itself against security attacks that would jeopardise the functioning of "mission critical" systems? Connection of mobile devices (phones, multimedia players), connection to the Internet, connection to other cars and to the road infrastructure... the car is becoming part of a bigger IT system which offers access to more services and more value, but also opens it up to more threats. Recent academic work [for example, see http://www.autosec.org/pubs/cars-usenixsec2011.pdf] has illustrated how the multiplication of attack vectors via external connections can potentially enable a criminal to take control of the brakes or the steering wheel. Safety is therefore also at risk: connectivity to the car should come with the most stringent security requirements.
Intrinsic vs. exploited flaws
The electronic system of a car is distributed across a (growing) number of electronic control units (ECUs), each unit designed for a dedicated function (e.g. braking, steering, etc.), built around a microprocessor and linked to other ECUs over a partially closed in-vehicle network. Automotive ECUs are designed to interact with their environment in a rather simple processing pattern (figure 1).
Figure 1: Simple processing pattern.
Intrinsic ECU flaws can lead to systematic malfunctions. These flaws relate to hardware and software bugs, to component malfunction linked to their characteristics (e.g. soft errors in microprocessors) or to component malfunction when used at functional limits (e.g. temperature, frequency, voltage).
Intrinsic flaws can be avoided whenever a state-of-the-art development methodology is in place. Each ECU function can then be guaranteed for a given range of environmental parameters. In addition, safety mechanisms ensure that such flaws do not harm the system, either by correcting recoverable errors or by putting the system into a fail-safe state. However, these mechanisms do not ensure that the messages exchanged within or between ECUs are authentic.
Cyber-threats relate to the exploitation of system flaws that a methodical development approach does not cover. Hardware and software modifications, environmental manipulations outside the range for which the system has been designed (e.g. temperature, frequency, voltage), or injection of manipulated information can lead to intentional malfunctions. These in turn can be used by criminals to change the ECU behaviour in order to serve their own interests.
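The distinction drawn above, between a safety mechanism that catches corruption and a security mechanism that establishes authenticity, can be shown directly. The following added example (not code from the article or any carmaker) frames a constructed 8-byte in-vehicle message first with a CRC and then with a keyed, counter-protected MAC; the shared key, the 16-bit message identifier and the 4-byte truncated tag are all assumptions chosen for illustration.

```python
import hmac
import hashlib
import zlib

# Constructed demo values, not from the article: a key shared by sender and receiver
# (in a real ECU it would live in protected storage) and a truncated 4-byte tag.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MAC_LEN = 4

def frame_with_crc(payload: bytes) -> bytes:
    """Safety-style framing: payload + CRC32. Catches random corruption only."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_ok(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "big")

def frame_with_mac(msg_id: int, counter: int, payload: bytes) -> bytes:
    """Security framing: counter + payload + HMAC over (id, counter, payload)."""
    body = counter.to_bytes(4, "big") + payload
    tag = hmac.new(KEY, msg_id.to_bytes(2, "big") + body, hashlib.sha256).digest()
    return body + tag[:MAC_LEN]

class MacReceiver:
    """Checks the tag, then rejects any counter that does not strictly increase."""
    def __init__(self, msg_id: int):
        self.msg_id = msg_id
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(KEY, self.msg_id.to_bytes(2, "big") + body,
                            hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return False          # modified or forged without the key
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False          # replay of an earlier genuine frame
        self.last_counter = counter
        return True

def demo() -> dict:
    genuine = b"\x01\x2c" + b"\x00" * 6   # constructed payload, e.g. a 300-unit request
    altered = b"\x00\x00" + b"\x00" * 6   # same message with the value zeroed
    rx = MacReceiver(msg_id=0x0A1)
    good = frame_with_mac(0x0A1, counter=7, payload=genuine)
    return {
        "crc_accepts_altered": crc_ok(frame_with_crc(altered)),  # unkeyed: always true
        "mac_accepts_genuine": rx.accept(good),
        "mac_accepts_replay": rx.accept(good),
        "mac_accepts_altered": rx.accept(good[:4] + altered + good[-MAC_LEN:]),
    }
```

The CRC frame verifies no matter who built it, whereas the MAC receiver accepts the genuine frame once and rejects both the replay and the altered payload.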