Vehicle cybersecurity: Better but still not nearly good enough
Our vehicles are still a long way from autonomous. But they are connected — very connected. Everything from the brakes to the accelerator to infotainment to safety features like lane assist, adaptive cruise control, airbags, and backup cameras depends on software. The modern vehicle relies on more than 100 million lines of code, much of which sends and receives data over the internet. Hence the label that is not so new anymore: smartphones on wheels.
That means the quality, use, and control of all that code has major implications for our safety, security, and privacy.
In this, the second in a series on those three issues, Chris Clark, automotive software and security solutions architect with Synopsys, helps illuminate how software security, or lack of it, affects vehicle security, and what the industry and government are doing to address the ongoing challenges.
***
As we all know, there is a downside to bells and whistles. While they may dazzle us and make a product more exciting, interesting, and convenient, the more of them there are the more likely that one or more of them will malfunction, possibly compromising the whole product.
That’s true of software as well. The more lines of code, the greater the so-called “attack surface” for hackers looking to exploit vulnerabilities that can enable damages ranging from theft of money and identity to physical safety risks.
In a vehicle, that can be an existential risk — if a hacker can exploit software defects to take control of a vehicle’s steering, acceleration, or brakes, the result could easily be injury or death.
That’s one of the major reasons the dream of autonomous vehicles is not a reality yet. The software isn’t reliable enough to trust with your life.
Or even to keep your car from being stolen. In the U.K., the National Crime Agency (NCA) recently reported that thefts of luxury vehicles increased by 19% last year due to so-called controller area network (CAN) injection attacks that enable criminals to hack into what’s considered the “nervous system” of a car and drive it off without having to steal the keys.
Ars Technica reported in April on a London cybersecurity researcher named Ian Tabor whose Toyota RAV4 was stolen. In researching crime forums on the dark web, he came across ads for “emergency start” devices, presumably designed for legitimate use by vehicle owners or locksmiths when no key is available, but that are now also being used by car thieves. They’re available online or on the encrypted message service Telegram starting at $1,600.
This hack bypasses keyless fobs, which car manufacturers made more secure after thieves targeted them in recent years.
Ominous evolution
And that illustrates an ominous reality: Criminal hackers are forever evolving, and the explosion of electronics run by software in vehicles makes them easier to steal, not harder.
It’s enough to prompt some experts to long for a simpler and safer, if less convenient, time. “It’s enough to make you want to buy a car that is not internet-connected. Unfortunately, that seems to be impossible,” wrote Bruce Schneier, chief of security architecture at Inrupt and a self-described public interest technologist, in a blog post earlier this year.
Indeed, the automotive version of “that ship has sailed” is the reality: Connected cars aren’t going away. They will be more connected every year, expanding the attack surface.
So the task of the industry, and its software suppliers, is to make the defenses of that attack surface more robust by building electronic components that are more secure, resilient, and safer to update.
Chris Clark says that is happening in several ways.
Know what you’re using
First, he said the automotive industry is “in learning mode” on tracking the software it is using — who made it, where it came from, what it does, what other software it depends on, and more. The inventory that tracks that supply chain is known in cybersecurity as a Software Bill of Materials (SBOM).
The auto industry has long tracked its supply chain of physical components. If a defect is discovered in a part, it can be addressed quickly because a bill of materials identifies who the supplier is and which batch needs to be repaired or replaced.
But in software, until recently — not so much. If a software component in the supply chain had a vulnerability, a company was unlikely to know it needed to patch it, since it didn’t know it was using that component.
“It’s always been a challenge for the industry to manage software, exacerbated by the number of participants in the software supply chain,” Clark said. “The complexity of that supply chain is enormous, and it will take a while to find the proper best practices.”
But the effort is under way, with guidance and pressure both from within the industry and from government. The International Organization for Standardization (ISO) has added requirements for vehicle makers to create and maintain SBOMs in its ISO/SAE 21434:2021 standard. Also, President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity calls for SBOMs for all software products, a directive that the federal Cybersecurity and Infrastructure Security Agency and Office of Management and Budget have now codified.
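To make the SBOM idea concrete, here is an added example (not code from the article or from Synopsys) that answers the question the text poses: given an SBOM and a newly reported vulnerable library, which firmware images in the vehicle include it, directly or through a dependency, and which supplier produced them? The SBOM below is a constructed CycloneDX-style document; the component names, versions and suppliers are invented for illustration.

```python
import json

# Constructed CycloneDX-style SBOM for two ECU firmware images (not a real
# vendor document). "bom-ref" is the key used by the dependency graph;
# "supplier" records who produced each component.
SBOM_JSON = """
{
  "components": [
    {"bom-ref": "fw-gateway-1.4", "name": "gateway-firmware", "version": "1.4",
     "supplier": {"name": "Tier1-A"}},
    {"bom-ref": "libtls-2.3.1", "name": "libtls", "version": "2.3.1",
     "supplier": {"name": "OSS"}},
    {"bom-ref": "libasn1-0.9.2", "name": "libasn1", "version": "0.9.2",
     "supplier": {"name": "OSS"}},
    {"bom-ref": "fw-infotainment-7.0", "name": "infotainment-firmware",
     "version": "7.0", "supplier": {"name": "Tier1-B"}}
  ],
  "dependencies": [
    {"ref": "fw-gateway-1.4", "dependsOn": ["libtls-2.3.1"]},
    {"ref": "libtls-2.3.1", "dependsOn": ["libasn1-0.9.2"]},
    {"ref": "fw-infotainment-7.0", "dependsOn": []}
  ]
}
"""

def load_sbom(text):
    doc = json.loads(text)
    comps = {c["bom-ref"]: c for c in doc["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in doc["dependencies"]}
    return comps, deps

def affected_roots(sbom_text, vuln_name, vuln_versions):
    """Map each top-level image (a component nothing else depends on) that
    transitively includes the vulnerable component to the dependency path
    that reaches it. Images without a path are not affected."""
    comps, deps = load_sbom(sbom_text)
    depended_on = {d for ds in deps.values() for d in ds}
    roots = [r for r in comps if r not in depended_on]

    def find(ref, path, seen):
        c = comps[ref]
        if c["name"] == vuln_name and c["version"] in vuln_versions:
            return path + [ref]
        if ref in seen:            # guard against cyclic dependency entries
            return None
        seen.add(ref)
        for child in deps.get(ref, []):
            hit = find(child, path + [ref], seen)
            if hit:
                return hit
        return None

    return {r: hit for r in roots if (hit := find(r, [], set()))}
```

The returned path tells the OEM which image to rebuild and, via the root component's supplier field, whom to contact, which is exactly the "which batch, which supplier" answer the physical bill of materials has long provided.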
Faster, safer updates
Second is the move toward improving the ease, speed, and safety of software updates. As recently as 2019, experts were noting that one of the biggest barriers to better cybersecurity in vehicles was the difficulty of patching known vulnerabilities in embedded systems that were meant to last for 7 to 10 years.
Clark said that problem “is rapidly being phased out in favor of remote-friendly hardware” that will accept over-the-air (OTA) software updates. “The age of OTA is here and gaining speed across all transportation industries and will only grow in scope,” he said.
That, of course, creates its own set of security risks — any data traveling over the internet is a potential target for hackers. And given the reality that software, made by imperfect humans, will never be perfect, security of the OTA update system will have to come down to setting priorities: What is most important to protect?
“We’ll have to ask, what is the risk profile for a device that yesterday did not have remote update capability?” Clark said. “Is it worth updating, or is it so small in terms of storage and computing power that there would be no value to an attacker in compromising it?”
For the consumer, the hope is that the future will be a bit like setting your laptop or smartphone on “auto-update,” so updates will be installed as soon as they’re ready without you needing to do anything.
“What will be more prevalent is that applications and capabilities will appear without user intervention,” Clark said. “As OTA becomes more capable, services will become easily added to today’s vehicles and even more to the next generation.”
Separation anxiety
Third is to ensure that the hundreds of electronic components in modern cars don’t “talk” to one another any more than necessary. This concept has several names, including “least privilege” and “zero trust,” but the idea is to make sure that if hackers compromise one component, they can’t compromise everything. That matters especially in the new era of what are called “software-defined vehicles” (SDV), which, as a post in Ars Technica noted, involves consolidation. Instead of hundreds of controllers and sensors scattered throughout a vehicle, “engineers and designers are […] taking advantage of much more powerful hardware to consolidate all those discrete functions into a small number of domain controllers.”
That sounds like the opposite of least privilege. But Clark said the move to SDVs “reinforces the need for segmented systems. The way the segmentation occurs may be different, but the level of segmentation and control of communications is also segmented and controlled much more tightly. We really are looking at a data center on wheels.”
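As an added illustration of the segmentation and “control of communications” described above (example code, not from the article or any manufacturer), this models a central gateway that sits between vehicle domains and only forwards CAN frames whose arbitration ID is on an allow-list and arrived on the bus it legitimately originates from. The domain names, arbitration IDs and frames are constructed; a frame such as a powertrain broadcast ID showing up on the body or diagnostic bus is dropped and logged rather than routed.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "bus can_id data")

# Constructed gateway policy (illustrative IDs, not any real CAN matrix):
# for each arbitration ID, the single bus it may originate on and the
# domains it may be forwarded to. Any ID not listed is dropped.
POLICY = {
    0x0C0: {"origin": "powertrain", "forward_to": {"body", "infotainment"}},
    0x2A0: {"origin": "body", "forward_to": {"powertrain"}},
    0x3E0: {"origin": "diagnostic", "forward_to": {"body"}},
    0x700: {"origin": "infotainment", "forward_to": set()},  # stays local
}

def route(frame):
    """Return (destination domains, reason). A reason other than 'ok'
    means the gateway dropped the frame and should log it."""
    rule = POLICY.get(frame.can_id)
    if rule is None:
        return set(), "unknown-id"
    if frame.bus != rule["origin"]:
        # The ID legitimately originates on another bus: treat as injected.
        return set(), f"spoofed-origin:{frame.bus}"
    return set(rule["forward_to"]), "ok"

def process(frames):
    """Split frames into forwarded (frame, destinations) and dropped
    (frame, reason). Allowed frames with no destinations stay local."""
    forwarded, dropped = [], []
    for f in frames:
        dests, reason = route(f)
        if reason != "ok":
            dropped.append((f, reason))
        elif dests:
            forwarded.append((f, dests))
    return forwarded, dropped

# Constructed traffic sample: two legitimate frames, two frames carrying
# IDs on a bus they never originate from, and one unknown ID.
SAMPLE = [
    Frame("powertrain", 0x0C0, b"\x12\x34"),
    Frame("body", 0x2A0, b"\x01"),
    Frame("body", 0x0C0, b"\xff\xff"),
    Frame("diagnostic", 0x2A0, b"\x00"),
    Frame("diagnostic", 0x123, b""),
]
```

The dropped list is the “action and path activity monitor” signal: repeated spoofed-origin drops on one bus are exactly what a segmented design lets you detect.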
All of which means that while the modern car you are driving is likely more secure than those even five years ago, it still needs to be much more secure. And that road to better security will likely be bumpy.
Noting the ease with which thieves can steal cars using CAN injection attacks, Clark said that “with access to physical systems and online connectivity, this will be a cat-and-mouse game for the foreseeable future. Until systems can be more dynamic (not updateable by OTA) in feature and functionality, this will not change.”
And change will take a while, he said. “The best method is going to be a PKI [public key infrastructure] solution that validates valid devices and components. If an attacker finds a method to bypass the key system, system segmentation with a robust action and path activity monitor would be an option, but to be honest, the infrastructure and systems do not exist.”
“The industry is in a challenging place,” he added. “The choices are to invest time and resources to come up with solutions for hundreds of thousands, if not millions, of vehicles that are already on the market. Or to invest in future technologies.”
And until vehicle security gets closer to perfect, experts recommend that owners with an online account for their vehicle use a unique password and employ two-factor authentication. Also, if you’ve bought a used car, it’s worth taking it to a dealership to make sure the previous owner no longer has access to any of its systems.
In short, it’s still very much a world where zero trust can help.