At the Black Hat security conference in August 2017, Keen Security Labs presented details of how it had remotely hacked a Tesla Model S. By exploiting a string of vulnerabilities, it ultimately gained access to the Model S’s Electronic Control Unit, allowing the group to control the vehicle remotely while it was in operation.
Although Tesla responded admirably, patching the vulnerabilities within 10 days, the larger issue remains: In a world of increasingly connected automobiles, how can we ensure protection against remote attacks?
Connected Cars: A Cause for Concern
According to a recent whitepaper from security company Entrust Datacard, connected automobiles will account for more than 82 percent of cars sold by 2021. Of course, this is just one face of the larger trend of connectivity dubbed the Internet of Things (IoT), which is expanding at an enormous rate.
But, as regular readers will recognize, increased connectivity goes hand in hand with increased security concerns. Many of these concerns are shared with every connected device: data privacy, secure financial transactions and the like. But with the IoT comes an entirely new sort of security concern: one of public safety.
“The ability to cause public safety risks while you’re hacking a car or power plant or even a medical device is a completely different spectrum from hacking a mobile phone,” said Ranjeet Khanna, director of product management for IoT security at Entrust Datacard.“If a mobile gets hacked, you’re talking about a financial loss, whereas if a fusion pump gets hacked, you’re talking about a patient’s life.”
Connected cars are exemplary of the risk of potential IoT threats, as a hacked car could be a danger to multiple lives. For example, with an increasing number of terrorist attacks using automobiles as a weapon of choice, it’s not hard to imagine how the ability to hack a car remotely could be dangerous for public safety.
How to Ensure Automotive Security
Any security solution for automotive IoT is necessarily encumbered by the fact that automakers can’t go at it alone—there’s an entire supply chain of potential vulnerabilities that must be addressed.
“In an IoT environment, and specifically the automotive example, you really can’t say that your infrastructure or environment is a trusted ecosystem unless you have an authoritative way of saying that your entire supply chain is secure,” explained Khanna.
“So what that means is that automobile security doesn't start in the assembly line or manufacturing line,” he continued. “It actually starts with the semiconductor chips and modules being consumed by the tier-one automotive suppliers and then getting consumed into a product that goes out of all these assembly lines in the shape and form of a car.”
In Khanna’s view, semiconductor manufacturers are responsible for establishing a trust anchoring into their products. If their chips and modules can’t be trusted, then none of the downstream products that incorporate them can be trusted either. Khanna believes this trust anchoring can be implemented with a scheme involving what he refers to as birth certificates.
“As and when each semiconductor module gets manufactured, it has to be issued a birth certificate that someone can authoritatively verify—'yes, this is so-and-so module’s birth certificate,’” he explained. “Then that birth certificate has to be cryptographically stored on that particular module, so when that module goes into a device, it can issue a manufacturer identity to establish a chain of trust.”
This scheme must continue down the supply chain, so that each component that builds upon a previous one can be trusted as well.
“When this process is completely maintained, you have a chain of trust,” Khanna said. “At every given point of time, you know the authoritative source of identity of that particular component or subcomponent, and then that is cryptographically protected. Building in IoT security at the operational stage, auto manufacturers can use managed identity to maintain — internally and externally — a secure domain that can deliver services on top of the product, whether that is OTA firmware, software updates, or some additional services.”
Maturing Security Technology
According to Khanna, the number of electronic components in vehicles will nearly double in the next five years. Used in electronic control units, telemetric control units, entertainment systems and more, electronic components will increase from 20 percent to over 30 percent of the entire bill of materials for manufacturing a car.Without Khanna’s proposed chain of trust, each of these components presents another vulnerability to automotive security.
“When the car rolls out of the assembly line, we have to have the ability to authoritatively say that each and every component that makes it into the car can be uniquely identified, authenticated and authorized,” said Khanna. “If we can not make that assurance authoritatively, then there’s a gap in that ecosystem.”
Ultimately, automotive IoT security still needs to mature, not only to protect the financial and personal interests of users, but also to help ensure public safety. The entire supply chain of IoT solutions must unite in the interest of security, starting with the chip makers (who have recently had their own share of security woes).
“In the IoT space, security has to start from a technology provider, from semiconductor module or chip manufacturers, who have a responsibility to establish a trust anchoring to their products that will further get consumed into upstream products,” said Khanna. While these upstream products are cars today, we may think differently of them in the years to come.
“As we move forward, automotives will not just be automotive,” said Khanna. “They will pretty much be a very-high-speed, sophisticated compute environment on four wheels.”