Writing for Payment Expert, Alois Kilner, VP of Automotive and IoT Manufacturing at Utimaco, explores how new ‘software-defined vehicles’ (SDVs) are strengthening protections against security attacks, as well as expressing the need for a digital birth certificate to transform our handling of them.
Modern vehicles are composed of thousands of components from many different suppliers, and each of these needs to be secure against electronic intrusion.
A new generation of SDVs merges physical hardware with digital capabilities: drivers can download apps that unlock new functionality for their vehicle just as they can with phones.
Updates can be downloaded that make the vehicle more efficient, safer and more secure. Premium vehicles today can have up to 150 million lines of code across hundreds of electronic control units.
With thousands of digital components, one vulnerability could be catastrophic. Researchers have been demonstrating for years that potentially fatal cyberattacks on vehicles are possible.
While a breach of security on a person’s phone or laptop is extremely damaging, an attack on a vehicle could disable its brakes on a highway or take over the steering. If a driver’s card details were stored in the vehicle, to pay automatically at toll booths for example, then these could be stolen as well.
With so many supplier components and third-party pieces of software in an SDV, the potential for problems increases exponentially, even compared with current-generation connected vehicles. What is needed is a way for vehicle manufacturers to have a top-down view of what components, physical and digital, are on the road.
If, for example, a vulnerability was found in the code of an app that enables heated seating then a manufacturer would need to be able to push a fix to every affected component. That means that every component needs its own ‘birth certificate’, identifying it both individually and as part of a larger group of components.
With this in mind, let’s take a look at the specific digital threats to SDVs and what can be done to secure them.
Threats to Software-defined Vehicles
There are two ways that malicious code can enter a software-defined vehicle, digitally and physically.
Unlike desktop computers and smartphones, SDVs aren’t general-purpose computers on which the user can run arbitrary software from the wider internet. You can’t accidentally download a keylogging program or open a malware-infected email on the ‘walled garden’ interfaces of SDVs, so bad actors have to take different approaches.
For example, they could replace one of the many software updates that are sent to the vehicle with code that includes a ‘backdoor’, giving them greater access to the vehicle. This is much harder than a phishing scam, but it is possible wherever an ECU installs an update without verifying that the manufacturer signed it.
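How an ECU defeats the swapped-update attack just described, as an added example that is not part of this article or of any Utimaco product: the manufacturer signs each release with an Ed25519 key, the ECU pins the matching public key at manufacture, and it verifies both the signature and a monotonically increasing version number before installing anything. The names (Update, ECU, SignUpdate, Apply), the digest layout and the sample firmware strings are this example's assumptions; a real deployment would put the release key behind a PKI with certificate chains and revocation, which the snippet omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical over-the-air package as an ECU receives it. The
// manufacturer signs the version number bound to the firmware hash, so neither
// the code nor the version can be altered in transit without detection.
type Update struct {
	Version   uint32 // must only ever increase on a given ECU (anti-rollback)
	Firmware  []byte
	Signature []byte // Ed25519 signature over updateDigest(Version, Firmware)
}

var (
	ErrBadSignature = errors.New("rejected: signature does not verify under the pinned manufacturer key")
	ErrRollback     = errors.New("rejected: version is not newer than the installed one")
)

// updateDigest binds the version to the firmware bytes before signing.
func updateDigest(version uint32, firmware []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write(v[:])
	h.Write(firmware)
	return h.Sum(nil)
}

// SignUpdate is the manufacturer side: sign a release with the private release key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, firmware []byte) Update {
	return Update{Version: version, Firmware: firmware, Signature: ed25519.Sign(priv, updateDigest(version, firmware))}
}

// ECU models the receiving controller. The manufacturer's public key is pinned at
// manufacture; the ECU never installs code that this key did not sign.
type ECU struct {
	ManufacturerKey  ed25519.PublicKey
	InstalledVersion uint32
	Firmware         []byte
}

// InsecureApply is the behaviour the attack in the text relies on: an ECU that
// installs whatever arrives. Shown only for contrast with Apply.
func (e *ECU) InsecureApply(u Update) {
	e.InstalledVersion, e.Firmware = u.Version, u.Firmware
}

// Apply is the hardened form: verify the signature, enforce anti-rollback, and
// only then commit the new image.
func (e *ECU) Apply(u Update) error {
	if !ed25519.Verify(e.ManufacturerKey, updateDigest(u.Version, u.Firmware), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= e.InstalledVersion {
		return ErrRollback
	}
	e.InstalledVersion, e.Firmware = u.Version, u.Firmware
	return nil
}

// Scenario pushes a genuine update, then a tampered copy of it, then a replay of
// an older genuine release, and reports what the hardened ECU did with each.
func Scenario() (genuine, tampered, replayed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ecu := &ECU{ManufacturerKey: pub}
	v1 := SignUpdate(priv, 1, []byte("seat-heater firmware v1")) // constructed sample images
	v2 := SignUpdate(priv, 2, []byte("seat-heater firmware v2"))
	genuine = ecu.Apply(v2)

	// An attacker on the path swaps in an image carrying a backdoor but cannot
	// produce a valid signature for it, so the ECU refuses it.
	evil := v2
	evil.Firmware = append(append([]byte{}, v2.Firmware...), " + backdoor"...)
	tampered = ecu.Apply(evil)

	// Replaying the genuinely signed but older v1 is blocked by the version check.
	replayed = ecu.Apply(v1)
	return genuine, tampered, replayed
}

func main() {
	genuine, tampered, replayed := Scenario()
	fmt.Println("genuine v2:", genuine)
	fmt.Println("tampered v2:", tampered)
	fmt.Println("replayed v1:", replayed)
}
```

The version check matters as much as the signature: without it an attacker who cannot forge a signature can still push a genuinely signed but vulnerable older release, which is the downgrade attack that a backdoor-free but buggy old image enables.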
5G connectivity gives manufacturers more bandwidth with which to deliver new updates, but it also gives bad actors a greater number of connections and more digital ‘traffic’ flowing into the vehicle in which to hide malware or extract data. Compared with the data traffic in vehicles just a few years ago, today’s SDVs exchange as much data as homes or even offices. That can be both an asset and a liability.
A similar technique could also be applied to the hardware used in vehicles. An original component from the vehicle manufacturer’s approved supplier could be replaced by a third-party or counterfeit part that has either been deliberately infected with malware or simply has vulnerabilities of its own.
Most will be familiar with how many western governments have restricted phones and network equipment from Huawei and ZTE because of similar fears, which may or may not be founded, and there could be similar threats from component suppliers if they aren’t carefully regulated and monitored.
As an aside, modern digital assets, both in and outside of vehicles, are secured by public key infrastructure (PKI), and there is a serious risk on the horizon: a sufficiently large quantum computer would break the RSA and elliptic-curve algorithms on which today’s public keys rely. This means that existing vehicles will need to be updated during their service life to use quantum-resistant algorithms, and that in turn means that millions of vehicles currently on the road will have to have each of their digital components enumerated so that nothing slips through the net.
A digital ‘birth certificate’
Each of us has a birth certificate that identifies our full name, the place and date of our birth and our parents.
Later in life we receive various other documents, such as passports and identity cards, that perform the same function: they can only belong to us, and they serve the additional purpose of letting governments know how many people are living in their territory. Without them anyone could travel anywhere and anyone could change their identity.
A similar system can be used to secure the digital and physical components in SDVs. Each component can have a cryptographically secure identity given to it on its ‘birth’ in a factory and continuing throughout its life. This would allow manufacturers to know what components they have on the roads and for anyone performing maintenance to know that they are using authentic components.
It would also prevent the creation of unauthorised components, whether they are digital or physical. Just as no two people can share the same passport number, no two components would share the same cryptographic ID.
Components can also be given decommission dates. This would allow out-of-date, insecure components to be swapped out for newer, more secure components when they reach the end of their lifecycle.
Typically, vehicles have a lifetime of around twelve years, and several of their components could well prove to be digitally insecure during that time. It would be difficult to persuade drivers to pay for new ECUs every few years, so in practice this functionality is better used to schedule software updates for a component before its decommission date.
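The birth-certificate scheme described above, as an added example that is not part of the article or of any Utimaco product: a factory issuer signs a per-component record carrying a never-reused ID, the part family it belongs to, a decommission date and the component’s own public key, and a fleet registry admits a part only if the issuer’s signature verifies, the date has not passed and the part can sign a challenge with that key. The Go types, field names, sample IDs and the "seat-heater-ctrl" family are this example’s own assumptions; the issuer key here is generated in memory, where a production issuer would keep it in an HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// BirthCertificate is a hypothetical per-component identity record issued at the
// factory; the field names are this example's own, not any standard's.
type BirthCertificate struct {
	ComponentID    string    `json:"component_id"`    // unique serial, never reissued
	PartFamily     string    `json:"part_family"`     // wider group the part belongs to
	DecommissionAt time.Time `json:"decommission_at"` // planned end of life
	PublicKey      []byte    `json:"public_key"`      // the component's own key, injected at birth
	Signature      []byte    `json:"-"`               // issuer's signature over encode(c), excluded from it
}

// encode is the canonical signed form: json.Marshal emits fields in declaration order.
func encode(c BirthCertificate) []byte { b, _ := json.Marshal(c); return b }

var (
	ErrDuplicateID    = errors.New("component ID already issued")
	ErrForged         = errors.New("signature does not verify under the issuer key")
	ErrDecommissioned = errors.New("component is past its decommission date")
	ErrNoProof        = errors.New("component did not prove possession of its key")
)

// Issuer is the factory signing authority; never issuing an ID twice is what makes the ID an identity.
type Issuer struct {
	priv   ed25519.PrivateKey
	issued map[string]bool
}

func (i *Issuer) Issue(c BirthCertificate) (BirthCertificate, error) {
	if i.issued[c.ComponentID] {
		return BirthCertificate{}, ErrDuplicateID
	}
	i.issued[c.ComponentID] = true
	c.Signature = ed25519.Sign(i.priv, encode(c))
	return c, nil
}

// Fleet is the manufacturer's top-down view of the road; it holds only the issuer's public key.
type Fleet struct {
	issuerKey ed25519.PublicKey
	OnRoad    map[string][]string // part family -> admitted component IDs
}

// Admit checks the issuer's signature, the lifecycle date, and a challenge signed
// with the component's own key, so a copied certificate without that key is useless.
func (f *Fleet) Admit(c BirthCertificate, now time.Time, challenge, proof []byte) error {
	switch {
	case !ed25519.Verify(f.issuerKey, encode(c), c.Signature):
		return ErrForged
	case !now.Before(c.DecommissionAt):
		return ErrDecommissioned
	case len(c.PublicKey) != ed25519.PublicKeySize || !ed25519.Verify(c.PublicKey, challenge, proof):
		return ErrNoProof
	}
	f.OnRoad[c.PartFamily] = append(f.OnRoad[c.PartFamily], c.ComponentID)
	return nil
}

// Scenario enrols two genuine seat-heater controllers, then a counterfeit part and an
// end-of-life part; it returns each Admit outcome in order and the IDs a seat-heater fix must reach.
func Scenario() (outcomes []error, affected []string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer key; in practice held in an HSM
	issuer := &Issuer{priv: priv, issued: map[string]bool{}}
	fleet := &Fleet{issuerKey: pub, OnRoad: map[string][]string{}}
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	nonce := []byte("constructed-nonce-0001") // constructed; real checks use fresh random bytes
	born := func(id string) (BirthCertificate, ed25519.PrivateKey) {
		cpub, cpriv, _ := ed25519.GenerateKey(rand.Reader) // key injected at birth
		c, _ := issuer.Issue(BirthCertificate{ComponentID: id, PartFamily: "seat-heater-ctrl",
			DecommissionAt: now.AddDate(11, 0, 0), PublicKey: cpub})
		return c, cpriv
	}
	c1, k1 := born("SH-0001")
	c2, k2 := born("SH-0002")
	outcomes = append(outcomes, fleet.Admit(c1, now, nonce, ed25519.Sign(k1, nonce)))
	outcomes = append(outcomes, fleet.Admit(c2, now, nonce, ed25519.Sign(k2, nonce)))
	fpub, fpriv, _ := ed25519.GenerateKey(rand.Reader) // counterfeit: self-signed, never issued
	fake := BirthCertificate{ComponentID: "SH-9999", PartFamily: "seat-heater-ctrl", DecommissionAt: c1.DecommissionAt, PublicKey: fpub}
	fake.Signature = ed25519.Sign(fpriv, encode(fake))
	outcomes = append(outcomes, fleet.Admit(fake, now, nonce, ed25519.Sign(fpriv, nonce)))
	outcomes = append(outcomes, fleet.Admit(c1, now.AddDate(12, 0, 0), nonce, ed25519.Sign(k1, nonce))) // end of life
	return outcomes, fleet.OnRoad["seat-heater-ctrl"]
}

func main() {
	outcomes, affected := Scenario()
	for i, err := range outcomes {
		fmt.Printf("step %d: %v\n", i+1, err)
	}
	fmt.Println("seat-heater components a fix must reach:", affected)
}
```

The challenge-response step is what turns a signed document into an identity: a counterfeiter who copies a genuine certificate byte for byte still cannot answer the challenge without the private key injected into the genuine part at the factory, which is also why the key-injection step discussed next has to be protected so carefully.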
Implementing this would require extremely secure key injection at the point of manufacture: if the injection process, or the signing key behind it, were compromised in any way, then every component keyed under it, potentially thousands of vehicles, could no longer be trusted.
This is something that Utimaco has extensive experience in, and fortunately it is not something in which manufacturers need to go it alone. As with many aspects of digital life, ‘as a service’ models mean that companies can quickly and flexibly introduce new capabilities into their workflow, in this case ‘trust as a service’.