IEEE Computer Society: Automotive Cybersecurity

On the third Thursday of each month the IEEE Computer Society of Silicon Valley has a meeting. Very conveniently for me, it is held in the building 10 auditorium on the Cadence campus. This month's presentation was by Professor Fred Barez of San Jose State University on Automotive Cybersecurity: Challenges and Opportunities. He runs an electric and hybrid vehicle lab with sponsors such as Toyota and Honda.

A lot of security breaches seem to come about simply because people put together convenient systems and they don't consider that anyone might maliciously make use of them. For example, nothing to do with automotive, but customers in Target in Campbell last Thursday were surprised to have 15 minutes of porn broadcast over the store's public address system. It turns out that if you call Target and ask for a particular extension, then when you are connected you are actually on the public address. Clearly someone assumed that this was obscure enough to count as security, plus couldn't think of a reason anyone might want to breach the system. OK, that is more of a prank compared to stealing all the security clearances from the government OPM.

Another thing that happens is that systems that were created in isolation end up connected to the Internet without the basic architecture being rethought. A modern car is a computer on wheels with 70-100 electronic control units (ECUs) and more than 150 sensors. Everything is connected by an in-vehicle network, often several. The most important of these is usually a CAN bus (which stands for Controller Area Network) and usually links many of the most important functions. It runs at 1Mb/s. Every vehicle contains a CAN bus since it is reasonably high performance and can take a large number of ECUs on each bus. It was originally developed in 1983 and started to appear in cars in 1988. There are typically three networks, one for the powertrain (engine control, ABS braking, etc.), one for convenience (adjust mirrors, seats, etc.) and one for infotainment (turn up the volume, pick a radio station, etc.), but they are interconnected. Increasingly, the infotainment networks are connected to the Internet. As advanced driver assist systems (ADAS) get more powerful, this connectivity is likely to increase, since, at least in some architectures, vehicles are expected to communicate with each other so that they can form efficient multi-vehicle convoys with tight spacing. A vehicle like those from Tesla, designed from the ground up to have Internet and software updates, is probably a lot more secure than a vehicle that has been shipping for years and just has the incremental addition of Internet capability. It is simply easier to design a secure system than retrofit security. Manufacturers who just added Internet to their existing architecture are finding out the hard way.

Most demonstrated attacks on vehicles have happened through the CAN bus. The bad guy gets messages onto the CAN bus either by attaching hardware to a vehicle diagnostic port or through the Internet (or, perhaps, through adding a third-party add-on device such as a radio). One widely publicized hack was reported in WIRED Magazine a few months ago, Hackers Remotely Kill a Jeep on the Highway—With Me in It. Charlie Miller and Chris Valasek, two security researchers, took control of the vehicle remotely without attaching any hardware. They reported this at the Black Hat Conference later in the summer (and also to Fiat Chrysler so they could fix it). You can read the WIRED article or watch the video:

In the Q&A at the end, a number of people asked why vehicles needed to be attached to the Internet. One reason is for emergency services like OnStar to be notified when airbags deploy, for example. Another is to perform software updates over the air, as Tesla is famous for doing. This is actually one of the more secure activities since it is an obvious vulnerability if someone else can update the software, and so a lot of thought has been put into it. One person in the audience who worked at HP said that they have done millions of software updates to printers and the process has never been hacked.

Another area that seems to have some vulnerabilities are passenger airliners. The WiFi networks in modern Boeing and Airbus planes use the same underlying network as the avionics instead of being separated. "Air gap" is the standard term for this, meaning that there is no electrical connection between the two networks. Of course there are firewalls but there have already been rumors, not entirely credible, of passengers being able to make flight adjustments from a seat through the entertainment system network cables.

The well-publicized security problems, and not just in the automotive world, have two messages that I think are clear. The first is that security is multi-layered and the lowest layer has to involve hardware. We have much better techniques for ensuring hardware behaves as intended and doesn't behave as not intended. The cost of running a silicon prototype focuses the mind in a way that the cost of compiling and running some software does not. The second is that it is not enough to just prevent breaches. Something bad is almost certainly going to happen at some point. it is also necessary to have good detection and logging. It is obvious if someone takes over driving your car, but not so obvious who it is and how they did it. This aspect of security is as important as doing everything to prevent breaches in the first place.

At IEEE CS, Cadence seems to be taking over next month. There are two upcoming events. First, on November 4 at Stanford (under the auspices of the IEEE Stanford Student Chapter), Alberto Sangiovanni-Vincentelli (a founder of the fore-runner of Cadence and still on the board) will be speaking on A Tale of Two Worlds: Cyber Meets Physical. And the next "Third Thursday" meeting will be on November 17, where Chris Rowen, the IP group's CTO, will be talking about neural networks. Get more details at IEEE Silicon Valley CS's website.