What is cybersecurity?
In a world where profound reliance on the internet or safeguarding valuable assets is paramount, a comprehensive grasp of the term “cybersecurity” becomes imperative. Security, stemming from the concept of cybersecurity, is the protective shield fortifying our financial resources and assets, especially in the realm of the internet, where the safeguarding of our most significant asset, data, is paramount. Given that every business thrives on extensive data, its importance fluctuates from person to person and over time. This escalating dependence has driven individuals to fervently pursue data from legitimate sources, inadvertently exposing vulnerabilities. Recognising the critical need for safeguarding, a multitude of standards, policies, and frameworks, such as ISO/IEC 27001, the NIST Cybersecurity Framework, COBIT, PCI DSS, GDPR, and more, have been established to fortify the security of data and assets.
Enter the automotive domain, and the resonance of the term “hacked” becomes increasingly familiar. The trajectory toward incorporating highly complex features in automobiles is a collective aspiration shared by both consumers and automakers alike. Envision features such as owner recognition, driverless journeys, automatic upgrades, self-diagnostics, and more—all of which are enriching for users with advanced electronics and intricate software. In essence, cars have transcended mere vehicles; they are now sophisticated entities akin to high-speed robots powered by software.
Vulnerabilities in automotive and threat vectors
In the past, vehicle access was primarily confined to the OBD port. However, the incorporation of smart features has significantly broadened the spectrum of threat vectors. Over-the-air (OTA) updates and advancements in vehicle-to-vehicle (V2V) and vehicle-to-everything (V2X) communication introduce potential vulnerabilities through remote and API attacks. The in-vehicle multimedia system, equipped with Bluetooth, Wi-Fi, and cellular ports, becomes a gateway for unauthorised access. Furthermore, advanced driver assistance systems (ADAS) and highly automated driving (HAD) functionalities pose risks of attacks or malfunctions by manipulating external sensors. The proliferation of gateway controllers and zonal controllers further facilitates access to the vehicle network via the internet, underscoring the expanding list of potential threats.
In-vehicle network vulnerabilities
Imagine the frustration of losing control of your car, with the dashboard incessantly chiming and rebooting while you are driving. A harrowing scenario, indeed.
This disconcerting possibility came to light as we sought to explore the vehicle system through various ports surrounding the control unit. During our recent research and penetration testing, we unearthed a potential vulnerability in the vehicle engine control system, manifesting as a persistent resetting issue even when the vehicle is in motion. Our experimentation involved fuzzing through diagnostic frames with diverse values and injecting malicious packets, resulting in the erratic behaviour of the cluster and subsequent reboots of the control unit.
Despite the manufacturers’ conscientious efforts to fortify the network by implementing a high-cost gateway to segregate the vehicle CAN network via OBD, our research demonstrated that the network could still be accessed via diagnostics from telematics, inducing system reactions. In essence, the security measures in place, though costly, proved insufficient and lacked the sophistication needed to thwart such intrusions effectively.
Vehicle-to-external-network vulnerabilities
Consider the following scenarios, each presenting a disconcerting glimpse into the potential risks:
- Imagine someone illicitly extracting and utilising your credentials for cloud application subscriptions, with the extraction orchestrated from your private car’s infotainment or dashboard at regular intervals.
- Imagine a situation where your car remains deprived of crucial updates through over-the-air flashing due to a malicious entity pushing outdated software consistently using MQTT and TCP IP in a man-in-the-middle attack.
- Imagine an unsettling scenario where your infotainment system abruptly ceases to function, triggered by unknown disturbances emanating from tyre pressure monitoring sensors.
- Consider the unsettling notion of a third party eavesdropping on your in-vehicle cellular communications through the infotainment system.
The realisation of these possibilities is not far-fetched; indeed, they are plausible if the security of car infotainment and telematics is not diligently safeguarded.
The standards in automotive cybersecurity
Recognising the escalating risks, standard bodies have taken a decisive stance, mandating automotive suppliers and original equipment manufacturers (OEMs) to integrate cybersecurity standards into vehicles manufactured from June 2024 onwards. Notably, the ISO/SAE 21434:2021 standard, titled “Road Vehicles: Cybersecurity Engineering,” serves as a pivotal guideline. This standard aims to ensure that vehicles are not just engineered but also manufactured and maintained with cybersecurity at the forefront. By doing so, it addresses the imperative of mitigating cybersecurity risks associated with the progressively connected and software-driven nature of modern vehicles.
Furthermore, the UNECE WP.29 Regulations play a pivotal role in this domain. Regulation No. 155 establishes criteria for cybersecurity management systems, setting the foundation for robust cybersecurity practices. Simultaneously, Regulation No. 156 focuses on software updates, especially those transmitted over the air. This regulation is designed to address the cybersecurity aspects of software management systems, crucial in an era where features such as over-the-air updates are prevalent. Specifically, UN R155 places emphasis on ensuring the integrity and security of software updates, aiming to prevent malicious interference that could compromise vehicle safety or data privacy. These standards collectively contribute to fortifying the automotive industry against the ever-evolving landscape of cybersecurity threats.
Are we prepared for the future of automotive cybersecurity?
As automotive technology advances at a rapid pace, the imperative for robust cybersecurity measures becomes increasingly pronounced. Industry stakeholders find themselves in a perpetual quest, necessitating a continuous effort to stay ahead of emerging threats and adapt defences accordingly.
With a heightened focus on software-defined vehicles and the implementation of zonal-based architectures that facilitate cutting-edge features, the challenge lies in cultivating expertise to conduct thorough threat analyses and risk assessments. This proficiency not only aligns with regulatory approvals such as UN R155 but also serves as a safeguard for OEMs as well as Tier 1 & Tier 2 entities deeply embedded in the automotive ecosystem. The security journey begins at the inception, from code writing and component booting, where various players offer security features capable of efficiently neutralising vulnerabilities. For instance, Elektrobit’s EB Zentur presents a state-of-the-art firmware stack with a hardware security module designed to resist hardware attacks.
Additionally, innovative solutions such as Argus’s Intrusion Detection and Prevention System for Controller Area Network (CAN) networks play a crucial role. This system diligently monitors traffic, identifies threats and anomalies, and provides preventive mechanisms against common attack methods such as denial of service and brute force. Embracing evolving techniques such as secure boot, secure key management, secure flash, secure on-board communication, core isolation, and hardware secure modules further enhances system security at its core. The question persists: Are we equipped with the knowledge, tools, and practices to navigate the intricate landscape of automotive cybersecurity and secure the future of connected vehicles?
Ensuring a secure automotive future: the role of expertise in cybersecurity implementation
In steering towards the establishment of a robust cybersecurity management system, OEMs are well-advised to seek guidance and support from cybersecurity trailblazers and vendors possessing specialised expertise in the field. At the forefront of this endeavour is our collaboration with cybersecurity partner Argus Cyber Security Ltd., where we harness its wealth of knowledge to fortify our automotive cybersecurity framework comprehensively. Our collaborative efforts result in mature solutions that safeguard communication channels encompassing hardware, software, networks, and platforms. This technology seamlessly integrates into our software platforms and automotive network products, presenting a unified and cohesive offering. We are dedicated to diligent research, implementation, and the provision of products, software platforms, services, and consulting encompassing both onboard and off-board domains. Utilising our intelligent proprietary tool sets, we ensure thorough validation and verification for in-vehicle operating systems, secure communication, and vehicle security monitoring systems. This holistic approach establishes a secure ecosystem for automotive cybersecurity, emphasising the pivotal role of expertise and guidance in safeguarding the automotive future.
