The long life cycle of cars and the ongoing cloudification of devices pose a huge security challenge for the automotive industry. In the future, cars will network more and more with other cars and their surroundings. The information sent from a car is accessible to all who have the technology to read it. In the most hair-raising scenarios security vulnerabilities could give a criminal the opportunity to access the car’s location data, breach the car’s driving systems, open the locks and turn off the engine. Security risks could be life-threatening at worst.
Security threats have to be anticipated up to 15 years ahead. We must be able to prevent car hacking today. In the coming years we also have to prepare for the breakthrough of quantum computing, which will revolutionize all of information security. It is therefore clear that the field could urgently use more muscles and collaboration between different operators in the automotive industry.
International automotive industry values Unikie’s information security expertise
On May 26, Unikie was invited to join the international standardized vehicle architecture developer AUTOSAR (Unikie Oy, Press release June 9, 2021). The reason for this choice was our vast expertise in the information security of autonomous devices and process control. Automation requires ensuring secure data traffic, which is the foundation of Unikie’s technology development.
AUTOSAR is an international coalition of vehicle manufacturers, suppliers, service providers, automotive electronics and software companies, that is developing a software standard for intelligent mobility and communication between car components and external cloud environments. Car manufacturers wish to, among other things, standardize the control messages used in the car’s CAN bus. The same component could be used easily, and cost-efficiently, in any vehicle utilizing the same standardized software and device frame.
The CAN bus (Controller Area Network) is an automation bus used in vehicles to control their electronics and accessories. For example, a push of the Start button sends several messages via the bus to various parts as you start the car. These messages could for example, open the locks, initiate emergency braking or even steer the car via the parking assist function.
Standardization offers possibilities – as well as security concerns
As standardization is implemented, certain details, such as how the car is controlled using the bus protocols, become public knowledge. So, standardization of the CAN bus control messages also means an increased security risk. Accessing a car’s CAN bus is possible from many internal and external sources, for example the M2M, V2x and BT systems, Wifi, or even a USB port. Without proper security precautions the entire car could be hijacked. To ensure information security all internal and external CAN bus messages should be either signed or encrypted.
Taking an example from outside the industry
We can look for working solutions outside the car industry as well. Mobile devices and payment systems offer several good examples of secure communication, downloads and signatures. The industry uses a public-key infrastructure (PKI) defined by the ITU-T X.509 standard, which ensures secure exchange of information when the user, for example, downloads an operating system update or makes purchases in an app store.
Utilizing the best parts of this model secure signatures and certificates would be possible to implement in a multi-sourcing automotive industry environment as well. It is interesting to see if the industry will adapt a standardized security solution, and will it replace the still widely used manufacturer specific solutions
The author is Unikie’s Chief Information Security Officer (CISO) Jari Mononen, who is head of the AUTOSAR information security team.