Connectivity and complexity are raising concerns about safety and reliability.
A shift is underway in the automotive industry to connect cars to each other and to a variety of communications infrastructure, adding many of the features that consumers now expect in mobile devices as well as some new ones that ultimately will lead to autonomous vehicles. But along with those changes are some nagging questions about just how safe that technology will be for consumers and others around them, and whether the whole system can be secured.
These questions have been asked ever since the introduction of infotainment systems in cars, but the volume is increasing as more critical systems are connected to in-car networks and as more wireless features are added into vehicles. In effect, every new car is now an IoT device, and like every connected device there are benefits and risks. But in the case of a two-ton object moving at high speed down a crowded highway, the risks are much more serious.
There are great benefits to this kind of connectivity. Software can be downloaded and updated, and cars can communicate with each other around blind curves or alert other cars that a tire has just blown out or there is a malfunction in the steering. But whether it can be secured sufficiently isn’t known at this point.
De Geus noted that Tier-1 and Tier-2 automakers are now talking about using finFETs. That increases the complexity of the chips, which in turn increases the security risk as well as the possibility that something can go wrong due to the initial design and implementation. There is an upside for EDA companies, of course. It is a potential bonanza because all IP and chips will have to be verified and debugged to much more stringent automotive standards.
“There are many more requirements for automotive applications,” said Frankwell Lin, CEO of Andes Technology. “You either meet the demanding standards and get certified, or you may limit what you can do. But you also have to make sure which standards you’re being certified for. When the design changes and you add more features, you need to make sure that it’s more reliable.”
Lin said that reliability increasingly means secure. “Low power is the top issue when everything is connected. Security is the second.”
The picture gets more interesting with autonomous vehicles, which depend on fully functional, extremely reliable and secure sensors, computers, and communication.
“If you think about computer vision, you have 20 sensors in cameras all doing 60 frames per second at 8k x 8k resolution,” said Sanjay Jha, CEO of GlobalFoundries. “These cars will have to make real-time decisions at 30 to 70 miles per hour.”
Jha said there will need to be GHz spectrum provided to cars, rather than the MHz spectrum that exists today, with speeds of up to 10 gigabits per second with less than 1 millisecond of latency. And that communication needs to be secure so that every car on the road at the same time is secure. In a connected world with autonomous vehicles, security involves more than a single car.
Given these challenges, a comprehensive security approach is needed, but is it reasonable to think about a solution in the context of the whole vehicle?
Simon Blake-Wilson, vice president of products and marketing at Rambus’ Cryptography Research division said, “We both struggle and resonate with the whole-vehicle security concept. We struggle in the sense that if you think about the security you apply to a mobile phone, it’s not like there is a magic bullet solution for mobile phone security. Similarly, everything about this from a car perspective must take into account the many different security aspects.”
However, this is largely uncharted territory. For example, securing over-the-air firmware updates calls for a different set of security primitives than anti-counterfeiting or other security tasks. These must be considered alongside the connected systems within the vehicle, such as securing the in-car bus against aftermarket-type modifications so that communication between the different devices in the vehicle is protected. In addition, it must be considered in light of protecting vehicle-to-vehicle communications.
“So we struggle with the idea of whole-vehicle security just in the sense that people often come away expecting a magic bullet that’s going to solve the problem,” said Blake-Wilson. “We see cars being like other Internet connected objects, except much worse.”
Adam Sherer, product management group director for automotive safety in the Systems Verification Group at Cadence, also does not believe it is possible to have a single, whole-vehicle security solution, because the breadth of thinking necessary for security is far beyond that.
“If we think about an autonomous vehicle, where are some of the security concerns? Certainly there are concerns about individual sensors for the autonomous-drive semiconductors,” said Sherer. “Then you can go to the software that’s associated with them and look at crossover between the infotainment system and the more secure systems. That barrier has got to be maintained. There are car-to-car communications, so that begins to bridge between multiple OEMs potentially, because the cars may not be from the same company. And then you have security concerns in the infrastructure. Because the cars have to recognize light controls, they’re going to recognize signs, so there is security associated with broad infrastructure that exists—municipal infrastructure that exists beyond the vehicle itself. So one supplier for all of that? I just don’t see it.”
In fact, whole-vehicle security may be like trying to find a single health solution or a single solution for a computer system, said Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group. “The computer system is in essence an electronic living being and very much operates much like the body or biological systems. You have to consider that because it is designed that way. It’s susceptible to the same sort of maladies and malaise as a biological system, only on a digital level. That being said, much like you cannot have one solution for your health, and the only thing you can do is figure out ways to better manage your health — it’s the same approach you have to look at with security. How do you manage the health of the cyber security of a system?”
This is a totally different way of looking at cybersecurity. “We have all of the technologies we need to effectively manage cyber security,” said Ahmadi, but breaches still occur with increasing frequency. “In some systems it’s actually very well-managed and we continue to learn how to do that. We are really dealing with a policy issue—trying to get everyone on the same page. What [automotive OEMs are] having a hard time with is figuring out how to drive this through the entire supply chain, which is huge and extended.”
To this end, Synopsys is working with Underwriters Laboratories on a cybersecurity assurance program (UL CAP), described as an international certification program that provides independent third-party security assessment of network-connectable devices. The program runs in accordance with UL 2900, a series of cybersecurity standards developed with input from a large group of stakeholders, including the U.S. Department of Homeland Security, Synopsys and other members of the security industry.
Cadence’s Sherer agreed there will need to be some levels of testing and validation to know that a particular component of the overall vehicle infrastructure is secure. “It will be layered, so we need to know that not only are individual elements of the infrastructure secure, but concepts of security pervade. For example, there is one aspect of maintaining secure keys – you could have public key encryption, but we need to make sure that the human side of that is also accounted for. If there are people who have higher access, that can undo all of the electronic software hardware security that is maintained if a human can be used to bypass the security.” Clearly, there are infrastructure, overall solution pieces, as well as the individual technology elements that need to be worked out.
Andrew Patterson, director of automotive business development at Mentor Graphics, said many carmakers are very concerned about whole-vehicle security because they realize their solution is only as strong as the weakest link in any of their supply chains. Moreover, the supply chain is long, and long-lived.
“Obviously when you sell a car, it’s expected to run for many years, so whatever is implemented has to survive a long time,” Patterson said. “And it’s not just the technical features. Disgruntled employees who have access to secure records can leave, which could cause a compromise in vehicle security. In the old days, when vehicles were [fully] mechanical, the only thing someone could do was physically break into your car, start the engine and take it. OBD2 (on-board diagnostic) connectors, which are available on all cars now, still require physical access, so you’ve got to plug in a diagnostics port. While normally the connector is in a locked part of the car — either under the hood or under the passenger footwell — a new layer of concerns has emerged over the last 12 to 18 months about the wireless access points.”
There are at least five or six wireless access points that all vehicles will contain over the next decade or so, and all of them must be secured: WiFi; Dedicated Short Range Communications, so that cars can communicate with each other and with infrastructure; and other wireless technologies such as LiDAR for collision warnings, radios, satellites, Bluetooth links from tire pressure monitors and Bluetooth audio. All of these are potential access points, he said, and the carmakers want to make sure that even if a hacker is able to connect to a car through one of those wireless or wired access points, no damage can be done to the car. Mentor has become involved on the software and software-architecture side to make sure that the electronic control units (ECUs) in the car are protected.
Today, carmakers are designing vehicle architectures that separate out those ECUs so some can be grouped together as a very secure group or secure domain, perhaps with its own gateway or master ECU. Only that master can talk to the secure ECUs, and only the master is authorized to update them, provided the master itself has the appropriate command and authentication, Patterson said.
The human factor
Interestingly, this affects the human component as well as the technology, given that it’s accepted now by all carmakers that software in the vehicle will have to change over the life of the car. “People will expect functionality upgrades and security patches, so there needs to be a very secure way of doing that, and you can’t necessarily trust even your own dealer with all of that authentication authority,” he noted. “The carmakers want to keep that in-house with their own secure infrastructure.”
This will be achieved using public and private key matches for the software. “The idea is that every ECU will have an encrypted key with it, and the encryption has to match a private key held by the carmaker before any software is allowed to pass down to that ECU. So there is effectively a secure handshake that happens between the electronics in the vehicle and the actual carmaker through an electronic link before any exchange of software can take place. That allows the carmaker to keep control over what software is downloaded, and they can also control that it actually goes to a piece of electronics it was intended for because only that piece of electronics will have the right public key that matches. You could have a million cars with a door-lock ECU, for example, and they would have this same encrypted public key. But they would have knowledge of the vehicles it was installed on, and only when the right private key spoke to it from the vehicle manufacturer would the software update be allowed,” Patterson explained.
This gives the carmaker some confidence that only they will have the ability to update software. The update may be triggered from a service bay, but the service bay won’t be able to see or influence the software, because it is encrypted with the matching keys. This software-layer mechanism is broadly accepted as the way forward, he said.
At the silicon layer, silicon foundries are putting encryption algorithms into silicon, using technologies like ARM’s TrustZone or Rambus’ CryptoManager so that software is downloaded into a secure area in the silicon that other parts of the software can’t see.
Rambus’ Blake-Wilson explained that a root of trust is the goal with any such security technology. The company’s CryptoManager technology acts as a foundational component that can power lots of different security solutions. “For example, when you provision over-the-air updates, typically you sign those updates using a cryptographic mechanism called a digital signature scheme, which is where there is a private key and a public key. You sign it with the private key, and the person that checks the signature has to have the right public key to verify it. The kind of thing you would do with that kind of hardware root of trust is manage the keys that you need to have, that they are securely in the right place to power the different kinds of security solutions. Once you’ve got the key in the right place you go to the next step and actually use the key to check the signature. In the same way, if you think about securing the bus within the vehicle, underlying all that is a need to provision keys and apply security effectively to that link. Whether it is our solution or another solution like it from a semiconductor perspective, getting a root of trust into the chip going into the vehicles is going to be the key as we go forward.”
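As an added illustration of the signed-update flow that Patterson and Blake-Wilson describe above (example code written for this page, not any carmaker's, Mentor's or Rambus' implementation), the Go program below has the carmaker sign an update with a private key, and an ECU that holds only the matching public key verify it before accepting. The package format, the ECU class names and the choice of Ed25519 are assumptions, and the version check that rejects replays of older updates is an addition the text only implies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// UpdatePackage is a constructed OTA payload (hypothetical format, not any OEM's): the
// carmaker's signature covers the target ECU class, a version number and a firmware hash.
type UpdatePackage struct {
	ECUClass  string
	Version   uint32
	Firmware  []byte
	Signature []byte
}
// signedBytes is the message that gets signed: class || 0x00 || version || SHA-256(firmware).
func signedBytes(class string, version uint32, fw []byte) []byte {
	h := sha256.Sum256(fw)
	v := make([]byte, 4)
	binary.BigEndian.PutUint32(v, version)
	return append(append([]byte(class+"\x00"), v...), h[:]...)
}
// SignUpdate is the carmaker side; the private key stays in the OEM's own infrastructure.
func SignUpdate(priv ed25519.PrivateKey, class string, version uint32, fw []byte) UpdatePackage {
	return UpdatePackage{class, version, fw, ed25519.Sign(priv, signedBytes(class, version, fw))}
}
// ECU holds only the carmaker's public key, its own class and the installed version.
type ECU struct {
	Pub     ed25519.PublicKey
	Class   string
	Version uint32
}
// Accept is the ECU-side check: genuine signature, addressed to this class, newer than installed.
// A dealer or service bay in between can relay the package but cannot alter or redirect it.
func (e *ECU) Accept(p UpdatePackage) error {
	if !ed25519.Verify(e.Pub, signedBytes(p.ECUClass, p.Version, p.Firmware), p.Signature) {
		return errors.New("signature does not verify under the carmaker's public key")
	}
	if p.ECUClass != e.Class {
		return errors.New("update addressed to a different ECU class")
	}
	if p.Version <= e.Version {
		return errors.New("version not newer than installed: rollback or replay")
	}
	e.Version = p.Version // flashing the firmware would happen here
	return nil
}
```

Binding the ECU class into the signed message is what lets a million door-lock ECUs share one public key while a package signed for a brake controller is still refused.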
Looking at the automotive security space as it stands, he observed that the industry is cobbling together what it can in the short term to address problems. But given that the scale and scope of the problems are still becoming clear, whole-vehicle security will be addressed more thoroughly in the next wave through concepts like this. “There will be a number of different applications or services that need security for the chipmakers. One key will be putting the right foundational capabilities into the chips that can be used by the variety of different applications.”
Other technologies will be a part of the automobile future as well, giving automakers yet another way to put their unique stamp on vehicles. Jen-Tai Hsu, vice president of engineering at Kilopass, pointed out that inside the automobile there has been a lot of discussion about one-time programmable memory versus flash. “One of the reasons the market is adopting OTP is that it will support a 155-degree temperature limit. OTP is able to withstand higher temperatures than embedded flash. A second factor is that it has to be secure, and OTP is more secure.”
Unlike flash, OTP stores its 1s and 0s by permanently breaking down oxides, which makes it very difficult to hack. But the fact that this kind of decision now has to be made inside cars is worrisome to a lot of people. The good news is that carmakers are taking safety and security very seriously. There is a lot of energy, time, and money going into devising and implementing security systems, Mentor’s Patterson said.
“While there is a time constant in the market from idea to implementation to mass production, many of these techniques are already in place, with many more in the process of rolling out into production as we speak. Certainly within the next 12 to 18 months I would say all OEMs will have secured databases and means of updating their vehicles, either through USB sticks, wirelessly over the air, or through existing OBD2 diagnostic ports,” he said.
Time will tell if all of that is enough.