What’s the baseline for security, and who’s responsible for seeing that it gets implemented?
Not many days go by when there isn’t a news headline describing the latest hacking attempt — or success — of an automobile or automotive system.
Malicious hacking has been around almost since the dawn of connected electronics, but it’s happening with increasing sophistication in the automotive sector. Even high-end vehicles suffer security flaws that are too costly or not worthwhile to fix.
The result is that the automotive sector is scrambling to cover its bases, and it is starting with the highest-priority parts.
“Remote exploits and tampering with safety-critical firmware are among the most critical car security issues,” said Paul Kocher, president and chief scientist of Rambus’ Cryptography Research Division. “Solutions to these problems are technologically possible, but the car industry has a long way to go. The security and tamper-resistance technologies required for the tiny smart card chips used in credit cards are only slowly finding their way into the chips found in cars. Over the next few years, carmakers and their suppliers will face a rather bumpy ride since they don’t yet have the security expertise and capabilities to manage the risks in today’s cars. And even more complex security challenges are coming quickly as cars continue to become more complex.”
In the longer term, though, he and others are optimistic that the risks will gradually get brought under control again.
“Like any other system, if you put some time and effort into it, you can close off a lot of the obvious holes or, like they say about the lock industry—the locks are there to keep honest people honest,” said Joseph Hupcey, Questa product marketing manager at Mentor Graphics. “You can go a long way with certain design practices, and it’s not necessarily very expensive or hard to at least make the external attacks more limited or narrow the scope of the avenues of attack.”
The challenge right now is in the number of attack vectors, and the list grows every day as people think of clever side-channel ways to attack something, Hupcey said. “An example there is just using an infrared camera to look at a chip, and when you’re accessing the chip through some encryption function to realize that part of the chip is actually involved in encryption and must have a secret key. That’s an example of an out-of-band attack. Another side-channel attack is when you listen to the variations in the power supply, and the data can be read by anybody who happens to have access to the thing. That can be encrypted.”
It’s the job of the chipmaker and the OEM to close off those channels as much as possible—making it either too costly or too difficult to expend the effort to hack. “There are no absolutes, but you can make it very expensive and difficult so at least the basic attacks can’t be done with very simple tools,” Hupcey said.
Cadence fellow Chris Rowen is definitive on the subject of whether cars can be hack-proof. “The emphatic answer is yes in the sense that we know perfectly well what the technical requirements are for building secure systems. This is really more of a human factor question in the course of engineering cars. Are we really going to deploy and test what we know are the best practices to ensure the security of communication? Certainly they are interesting because they are widely deployed and they are security critical systems. They’re not as security-critical as nuclear power plants, and so we may need some of the lessons learned from nuclear power plants — or the lessons at least I hope we’ve learned from nuclear power plants — to avoid malicious injection of commands or software.”
The question isn’t about whether technology exists to stop an attack, Rowen said. “It is a systems engineering process question where there are many levels of defense that you can mount, but you have to also strike some balances because people want the ease of upgrading to be at least as easy as installing a new app on your phone. You’d like to be able to say, ‘That looks like a cool feature. That’s a better way to park. Let’s install a new parking app and it will do certain things. And I want to be able to use a feature five minutes after deciding on it and in fact I want a huge third-party network of application developers all targeting my car so that I have the widest choice of things.’ Unfortunately, the security commands for something that weighs 2,000 kg probably have to be a lot higher than something that weighs 100 g. Something that can kill needs a level of vetting on the supplier and on the specific software installation and a whole lot of checks and balances to ensure nothing gets out of range.”
Rowen noted much of this can be built in from the beginning with suitable protections. He expects there will inevitably be some holes, but those will get filled pretty quickly after they get identified.
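The "vetting on the supplier and on the specific software installation" that Rowen describes is, in engineering terms, an update gate that only accepts images whose manifest is signed by the expected supplier, is meant for this ECU, is newer than what is installed, and matches the image that actually arrived. The following Go program is an added example and not code from the article or from any company quoted in it; the manifest layout, the ECU names, the Ed25519 choice and the firmware bytes are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update (hypothetical format for this example).
type Manifest struct {
	Target  string   // ECU the image is meant for
	Version uint32   // must increase monotonically per target
	Digest  [32]byte // SHA-256 of the image bytes
}

// encode gives the canonical byte string that the supplier signs and the vehicle verifies.
func (m Manifest) encode() []byte {
	buf := append([]byte(m.Target), 0) // NUL-terminated target name
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], m.Version)
	buf = append(buf, v[:]...)
	return append(buf, m.Digest[:]...)
}

// SignedUpdate is what the vehicle receives over the air.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte // Ed25519 signature over Manifest.encode()
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the supplier key")
	ErrWrongTarget  = errors.New("manifest targets a different ECU")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrDigest       = errors.New("image hash does not match the signed manifest")
)

// GenerateSupplierKey models the supplier's signing key pair; in a real vehicle the
// public half would be provisioned into the ECU at manufacture, not generated at runtime.
func GenerateSupplierKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildUpdate is the supplier-side step: hash the image and sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, target string, version uint32, image []byte) SignedUpdate {
	m := Manifest{Target: target, Version: version, Digest: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

// VetUpdate is the vehicle-side gate. Checks run in order: who signed it, is it for
// this ECU, is it newer than what is installed (anti-rollback), does the image match.
// The signature is checked first so that nothing else is trusted before authenticity.
func VetUpdate(supplierKey ed25519.PublicKey, ecu string, installed uint32, u SignedUpdate) error {
	if !ed25519.Verify(supplierKey, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Target != ecu {
		return ErrWrongTarget
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	pub, priv := GenerateSupplierKey()
	image := []byte("constructed firmware image for the brake ECU")
	good := BuildUpdate(priv, "brake-ecu", 7, image)
	fmt.Println("genuine update:", VetUpdate(pub, "brake-ecu", 6, good))

	tampered := good
	tampered.Image = []byte("constructed image with a modified byte")
	fmt.Println("tampered image:", VetUpdate(pub, "brake-ecu", 6, tampered))

	fmt.Println("replayed old version:", VetUpdate(pub, "brake-ecu", 7, good))

	_, otherPriv := GenerateSupplierKey()
	forged := BuildUpdate(otherPriv, "brake-ecu", 8, image)
	fmt.Println("unknown signer:", VetUpdate(pub, "brake-ecu", 6, forged))
}
```

The ordering matters: an image that fails any one check is rejected before the next check runs, and the version comparison is what stops an attacker from replaying an older, genuinely signed image that carries a known flaw.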
Ignore the problem and it will go away
One of the main approaches in use today is ‘security by obscurity.’ There are so many parts to an automotive system that figuring out how to attack a system is almost impossible. That’s the premise, at least. Not everyone buys into it, though.
“If some vulnerability is theoretically well hidden or unknown to people, does that mean you are safe? The answer is probably no,” said Mentor’s Hupcey. “It’s just going to be a matter of time before someone does figure it out and figures out the right combination. The bottom line is when you really think it through, security by obscurity never works. To turn this around, the more you talk about these things, the more people working on finding the holes, and the better off you are in the end. So much the better if the white hats find the holes first. It’s a hard thing for manufacturers to swallow because you see many manufacturers follow extremes when a flaw is identified.”
He noted that at the Black Hat Conference he has seen companies clam up and pretend a flaw didn’t exist, but when they come back to the conference several years later they are still embarrassed by the same problems. “Or they own up to it – like Tesla did – and challenge the Black Hat community to find more.”
In another example, United Airlines has kicked off a Bug Bounty Program with rewards paid in frequent flyer miles for finding security bugs.
“If you give the good guys motivation to help you, they probably will and will close off those avenues that some of them were secretly relying on,” Hupcey added. “The good news is that there is a lot of precedent from aviation, the security industry, and from mil/aero in general as far as how to secure things. That’s carrying on in the automotive industry, where they are realizing there’s a whole additional layer of complexity and cost we need to add that nobody had budgeted for. The automotive industry is coming to the realization that yes, this is truly a problem, kind of like the five stages of grief (denial, anger, bargaining, depression and acceptance). They are still at the bargaining stage before they are going to acceptance and implementation.”
Verification becomes a major priority for automakers
Zibi Zalewski, general manager of the hardware division at Aldec, Inc., pointed to the constantly increasing processor power in the SoCs used in modern cars. That, in turn, enables more software layers and interfaces, which in turn increases the security challenges.
“The more software doors, the easier it is for hackers to get in and the more work for security-oriented verification and validation,” Zalewski said. “The overall integration of devices and IoT trend makes the car more integrated with our common-day devices, but also more accessible by unwanted entities. Because hacking attacks usually are software-based, using wireless interfaces in the case of car attacks, verification of those areas becomes one of the major priorities for the automotive EDA technologies.”
A modern verification methodology, including hybrid verification technology that mimics the electronic platforms in the car and extends testing capabilities for software teams, is one way to approach this, Zalewski explained. “Typical simulations are not enough. Hybrid emulation platforms enable much wider possibility of testing with shorter execution times and early access in the project cycle. Such methodologies and security-oriented tests are becoming common to keep up with hackers who are only waiting for new opportunities. Our car becomes part of our daily life network, and just as with regular computers, these mobile devices are becoming exposed to hacking attacks. Hack-proof efforts for the car should be as important as constant research into more efficient batteries, for example. Is it even possible to have 100% protection covered? Probably not, but driving the car every day convinces me that we should endeavor to reach such levels by all means possible, and not just in the automotive industry.”
Dave Kelf, vice president of marketing at OneSpin Solutions, has seen this firsthand with automotive companies. “In terms of verification, they have to do what everyone else is doing—but much better. Everyone else can say they can get away with 90% to 95% coverage of the design. These guys have to do 100%, no mucking about. That means that it’s the usual story around verification, but it’s more rigorous.”
Verifying how a chip in the field will operate under varying design conditions with a number of potential faults is a difficult verification problem, he stressed. To this end, OneSpin has been working with other tool providers to determine the best way to build a tool that allows for fault insertion into the design — which cannot be changed — whereby the fault must be inserted on top of the design as it stands, and to see the effect of that on the rest of the design as the fault propagates. “That is a huge EDA problem. So as you find all these unusual design issues you find opportunities for EDA to help figure out solutions for those—on top of what the verification guys within the companies are already doing. Security is another one of those.”
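A fault-insertion campaign of the kind Kelf describes leaves the design untouched and perturbs the values flowing between its parts, then records for each fault whether the design's own checks caught it, whether it was masked, or whether it propagated silently to the output. The Go program below is an added example, not OneSpin's tool or any code from the article: the design under test is a constructed sender/receiver pair that protects a brake-torque bus word with a single even-parity bit, and the harness measures that protection's coverage against every single-bit and every two-bit fault.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Bus word layout used by the design under test (constructed for this example):
//   bits 0..7   requested torque (0..255)
//   bits 8..11  4-bit message counter
//   bits 12..14 reserved, ignored by the receiver
//   bit  15     even parity over bits 0..14
const parityBit = 15

// Encode is the sender side of the design under test; the harness never modifies it.
func Encode(torque uint8, counter uint8) uint16 {
	w := uint16(torque) | uint16(counter&0x0F)<<8
	if bits.OnesCount16(w)%2 == 1 {
		w |= 1 << parityBit
	}
	return w
}

// Decode is the receiver side; ok is false when the parity check fails.
func Decode(w uint16) (torque uint8, counter uint8, ok bool) {
	ok = bits.OnesCount16(w)%2 == 0
	return uint8(w & 0xFF), uint8((w >> 8) & 0x0F), ok
}

// Outcome classifies what one injected fault did to the design.
type Outcome int

const (
	Masked   Outcome = iota // output unchanged, fault had no effect
	Detected                // the design's own check flagged it
	Silent                  // output changed and nothing flagged it: the dangerous case
)

// Tally counts outcomes over a whole campaign.
type Tally struct{ Masked, Detected, Silent int }

func (t *Tally) add(o Outcome) {
	switch o {
	case Masked:
		t.Masked++
	case Detected:
		t.Detected++
	case Silent:
		t.Silent++
	}
}

// Inject flips the given bit positions of the bus word: the fault sits on top of the
// design, between Encode and Decode, exactly as a wire glitch or bit upset would.
func Inject(word uint16, positions ...uint) uint16 {
	for _, p := range positions {
		word ^= 1 << p
	}
	return word
}

// Classify compares the faulty decode against the golden (fault-free) decode.
func Classify(golden, faulty uint16) Outcome {
	gTorque, gCounter, _ := Decode(golden)
	fTorque, fCounter, ok := Decode(faulty)
	if !ok {
		return Detected
	}
	if fTorque == gTorque && fCounter == gCounter {
		return Masked
	}
	return Silent
}

// SingleBitCampaign injects every possible single-bit fault into the word.
func SingleBitCampaign(golden uint16) Tally {
	var t Tally
	for b := uint(0); b < 16; b++ {
		t.add(Classify(golden, Inject(golden, b)))
	}
	return t
}

// DoubleBitCampaign injects every possible pair of simultaneous bit faults (120 pairs).
func DoubleBitCampaign(golden uint16) Tally {
	var t Tally
	for a := uint(0); a < 16; a++ {
		for b := a + 1; b < 16; b++ {
			t.add(Classify(golden, Inject(golden, a, b)))
		}
	}
	return t
}

func main() {
	w := Encode(200, 5) // constructed stimulus: 200/255 torque, counter 5
	fmt.Printf("golden word 0x%04X\n", w)
	fmt.Printf("single-bit faults: %+v\n", SingleBitCampaign(w))
	fmt.Printf("double-bit faults: %+v\n", DoubleBitCampaign(w))
}
```

Running the campaign shows what a parity bit buys and what it does not: all sixteen single-bit faults are detected, but of the 120 two-bit faults none is detected, six are masked (both flips land in bits the receiver ignores) and the remaining 114 silently corrupt the torque or the counter. That silent count is the figure a safety argument has to confront, and it is the kind of result that only appears once faults are actually pushed through the design rather than reasoned about.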
In the inevitable event of a security breach, the fault must lie with one party or the other. Kocher said that from a brand reputation and regulatory perspective, carmakers will bear the brunt of most security problems that arise. “In terms of engineering, however, suppliers will need to work quickly to get ahead of security risks and to ensure their chips and other components are ready from a security perspective. Chipmakers that already have significant security expertise, such as NXP and Infineon, will have a natural advantage. Carmakers will also need to play an active role because many security architecture choices will involve many components and will therefore be outside the control of any single supplier.”
Hupcey said what he has seen in aviation is that if the aircraft is on autopilot, it is still the pilot who is immediately liable. In the same way, the automobile driver is liable. “Just like they are today, they’re usually the first line of liability. Will there be a day where there’s absolutely no controls in your car whatsoever? Then yes, the immediate manufacturer will be liable. Then, in a second line of liability, if a flaw was traced to a specific component or a specific piece of software, did that manufacturer take reasonable steps or were they negligent? It will go through the same thing as with safety critical vehicles or medical devices today. Security does herald a new generation in design thinking and designing for security that automakers are starting to come to terms with.”
There is no clear agreement here. “Somebody’s got to be responsible,” Rowen asserted, “and it is up to the car manufacturer to create that set of protections and make decisions about what the software upgrade policy is going to be such that they can get a handle on it. There will be some missteps along the way but we will find that cars start out being fairly safe and get safer over time. Everything else about cars gets safer over time, and this will be one of them. The whole idea of autonomous driving is going to be such a step function, and the overall safety that it will bring will probably overshadow the degradation in auto safety that comes specifically from residual holes in the software environment, because there will be some.”
Further, Rowen said that as the pace of electronic content innovation goes up, there will be a lot more work done on the hardware-software interface. “People generally do understand that they are going to be able to innovate more rapidly if the areas of innovation are in software, so people will tend to push more into software. That very nicely brings us full circle back to all the questions of security because certainly you can move things from hardware into software, you can make it much easier to upgrade, but you’re then also going to have to now deal with the fact that it is easier to hack when it’s full of software. Software can be changed remotely and it’s really hard to change the hardware remotely.”
So where do automakers begin? “It’s less about sheet metal and exhaust systems and casting engine blocks and doing upholstery, and it’s much more about display resolution and deep learning, automatic recognition visual systems and frame rates and teraops per milliwatt,” Rowen concluded.