Auto manufacturers cannot afford to penny-pinch on cyber security and should manage risk from the very beginning of the design process and across the software development lifecycle and supply chain. Cyber security affects our everyday lives, from the small-scale phishing emails you receive in your inbox to the ransomware attack that shut down the Colonial Pipeline earlier this year and caused panic and a run on fuel. And it’s not just fuel that can be affected by cybersecurity attacks, but also the vehicles themselves.
As cars and trucks become more connected and incorporate more “smart” capabilities, they are becoming increasingly dependent on software – software that enables features that make our vehicles safe, fun and more functional for us.
The systems and services these features rely on, such as over-the-air (OTA) software updates, infotainment systems, ECUs and communication over wireless interfaces all contribute to increased cybersecurity risks for smart and autonomous cars. Automotive manufacturers are attempting to address them.[1]
Why Are Vehicle Software Updates Vulnerable? OTA software updates, delivered over a cellular network, WiFi or other radio frequency (RF)-based methods, allow vehicle manufacturers to fix bugs as well as launch new or updated features and functions without requiring the vehicle’s owner to visit a dealer. However, while OTA software updates and in-vehicle apps give cars new capabilities, not to mention the implementation of important fixes, they also present potential security vulnerabilities that must be addressed. Whether developed in-house or within the supply chain, automotive software, together with the channels through which updates are delivered, presents multiple potential attack points carrying a high risk of being targeted, including:
- Wireless communication, such as Wi-Fi, Bluetooth and other RF technologies
- Hardware (e.g., components that updates are destined for, ECU, MCU)
- Software
- Unintended interactions due to updates
ECUs: A Hacker’s Playground – Now let’s look at electronic control units (ECUs), the embedded systems in automotive electronics that control the electrical systems or subsystems in vehicles. Modern vehicles typically have more than 100 ECUs running functions such as fuel injection, temperature control, braking and object detection. Traditionally, ECUs were designed so that they simply accepted commands from and shared information with any entity on the same wiring bus. However, this creates a large vulnerability. These vulnerabilities, though a bit dated, were demonstrated in a well-documented, planned attack on a Jeep in 2015 executed by researchers. This controlled cyber attack against the Jeep was very alarming to both the auto industry and consumers alike. But did it really change anything?
Put in a driver’s terms, the researchers first exploited a vulnerability in the software on a radio processor via the cellular network, then moved on to the infotainment system, and finally targeted the ECUs to affect braking and steering. That was enough to get the automotive industry to start paying more attention to cybersecurity.
Today, a common design is to have ECUs behind gateway(s), so that only those devices that ought to be talking to each other are doing so, which is a much better strategy than the alternative wide-open network in the vehicle.
The Exploitation of Infotainment Systems - In addition to ECUs, infotainment systems provide an overabundance of ways a hacker can access many different devices in a vehicle. These systems have access to cellular networks for activities such as firmware updates, location-based roadside assistance, remote vehicle diagnostic services and information sharing for driver safety. What might not be immediately obvious to many is that infotainment systems also tend to be connected to various critical vehicle systems to provide drivers with operational data, such as engine performance information, as well as to controls, ranging from climate control and navigation systems to those that could tie into or influence driving functions.
Given all the connections that exist in the above automobile systems and the vehicle dashboard itself (or what we now like to call the Digital Cockpit) — not to mention the powerful, full-featured software on them that performs these functions — it is probable that hackers will find new vulnerabilities to hack into them.
Automotive Industry’s Cybersecurity Standards - Unfortunately, the automotive industry currently lacks a standardized means of verifying software updates. One original equipment manufacturer, or ‘OEM,’ might have more than a dozen ways to confirm software updates for some of its components. However, overarching cybersecurity-related guidance is available from entities such as NHTSA, which recently updated its Cybersecurity Best Practices for Modern Vehicles report. Other standards, like ISO 26262, also provide guidance on how manufacturers can protect consumers from incidents in their vehicles by developing functionally safe components.
In a recent Executive Order (EO) on “Improving the Nation’s Cybersecurity,” US President Joe Biden signaled potentially increased regulatory oversight of cybersecurity laws and regulations. This EO provides guidance at a federal level that should influence how the automotive industry (and other mission-critical industries) protect themselves and react to security threats.
Last but most important is the upcoming release of ISO/SAE 21434, Road vehicles – Cybersecurity engineering, which provides vehicle and component providers with guidance on how to address cybersecurity in their environment. Developing secure OTA software updates and in-vehicle apps entails a number of measures, from risk and threat modeling to communications interface testing to the implementation of encryption and authentication.
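As an added illustration of the update verification and authentication measures discussed above (example code, not from the original post or any OEM), here is an ECU-side check of a signed OTA manifest: the signature is verified first, and only then are the manifest’s target ECU, anti-rollback version and image hash trusted and checked. The names (`EcuState`, `make_update`, `verify_update`), the sample images and the key are constructed; HMAC-SHA256 stands in for the asymmetric signature a real OTA scheme would use, which is why the same key appears on both sides here.

```python
import hashlib, hmac, json
from dataclasses import dataclass

# Constructed demo key. HMAC-SHA256 stands in for the asymmetric signature a
# real OTA scheme uses (the vehicle would then hold only a public key).
KEY = b"constructed-demo-key-not-for-production"

@dataclass
class EcuState:
    ecu_id: str
    installed_version: int  # monotonic counter used for anti-rollback

def make_update(key, ecu_id, version, image):
    # Backend side: the manifest binds image hash, target ECU and version,
    # so none of them can be swapped independently of the signature.
    manifest = {"ecu_id": ecu_id, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    payload = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig, "image": image}

def verify_update(key, state, update):
    # ECU side, before installation. Authenticate the manifest first;
    # only then are its fields trusted for the remaining checks.
    payload = json.dumps(update["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, update["sig"]):
        return False, "bad signature"
    m = update["manifest"]
    if m["ecu_id"] != state.ecu_id:
        return False, "wrong target ECU"
    if m["version"] <= state.installed_version:
        return False, "rollback rejected"
    if hashlib.sha256(update["image"]).hexdigest() != m["sha256"]:
        return False, "image hash mismatch"
    return True, "ok"

def demo():
    # One valid update and four tampered variants; returns the reason per case.
    ecu = EcuState("brake_ecu", installed_version=3)
    good = make_update(KEY, "brake_ecu", 4, b"constructed firmware image v4")
    cases = {
        "good": good,
        "swapped_image": dict(good, image=b"other image, same signed manifest"),
        "forged_sig": dict(good, sig="00" * 32),
        "old_version": make_update(KEY, "brake_ecu", 2, b"older image"),
        "other_ecu": make_update(KEY, "radio_ecu", 9, b"image for another ECU"),
    }
    return {name: verify_update(KEY, ecu, upd)[1] for name, upd in cases.items()}
```

Only the first case is accepted; each of the others is refused by a different check, which is the point of binding all three fields under one signature.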
Red Sky Alliance is in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the Alliance directly at 1-844-492-7225, or feedback@wapacklabs.com
[1] https://www.wardsauto.com/industry-news/autoline-daily-2021-top-industry-news-oct-26