Keeping the Connected Car Safe from Today’s Most Malicious Cyber Breaches: the Attacks and Defense OEMs Need to Know

Featured article by Alon Atsmon, VP of Technology Strategy at HARMAN

The demand to stay connected while driving is steadily growing and car manufacturers are keen to provide better and more innovative connected services to differentiate their brands and stay ahead of the competition. This is a global phenomenon, especially with Gen-Y car buyers who are used to a digitally connected lifestyle. In fact, some research indicates that a quarter billion of cars will be connected to the internet by 2020 (source: Gartner).

This direction toward more connectivity in the vehicle enables features like cloud connected services, downloadable apps, integration with personal devices of consumers, vehicle data analytics, driving pattern analytics, Internet enabled entertainment, vehicle-to-vehicle or vehicle-to-infrastructure communication. However, increased connectivity has its downsides and complexities as well. For software complexity alone, the code base, the foundation to many connected solutions and services, is expected to increase many folds from hundreds of thousands of lines of code in the not so distant past to tens of millions of lines in the near future.

Connected cars are becoming exponentially complex

This increased code base leads to a rise in the Trusted Computing Base (TCB) and thus higher security vulnerabilities and multiple security threats. The figure below shows a sample set of potential security threats and attack vectors that may be used to mount a cyber attack on a connected car.

For OEMs, it’s important to understand how cyber criminals distribute attacks and the defense mechanisms OEMs can use to prevent them. Here are several variants of attacks and how OEMs can proactively protect their vehicles before a hacker strikes:

System Availability – Denial of Service attack

Denial of Service attacks can be mounted by blocking the system’s resources (CPU, Memory, I/O) and directly or indirectly disabling certain functionality through remote software modification or unauthorized, high network traffic on system network interfaces like Wi-Fi, Bluetooth, or USBs.

To protect against Denial of Service (DoS) attacks, all network communications with external entities need to be secured through mutual authentication and authorization of communicating parties, encryption of communication messages, verification of compliance to network protocols and white-listed firewalls to ensure that only authenticated and authorized communications take place with the system.

System Integrity – Malfunctioning related attack

In malfunctioning related attacks, attackers attempt to make the system behave differently from the way the system is expected to behave. This can happen if unauthorized entities gain control over the system and are able to modify the software and / or data in the system or inject malware) into the system.

Protection mechanisms similar to the ones against DoS attacks can be effective here as well. It requires verification, so only legitimate software can be installed and executed in the system using authentication and a mechanism called “Chain of Trust,” where all stages of the software are authenticated before execution, starting from the Bootloader.
The systems should also have mechanisms to detect an attack of this nature, and if possible, partially shut down affected parts safely rather than allowing the malfunction to continue, which can have a much bigger and more adverse impact. Creating different system partitions, where a particular partition can shut down when affected while others continue to run, can be an effective way to achieve this.

Theft of assets / sensitive data

One of the more common variations of attack is theft of private company assets or sensitive data. Types of assets or data include patented software code running in the system, personal user data, program information outlining functions of a unique feature, log data capturing system behavior and performance, system configuration data, communication messages / data exchanged between the system and external entities.

To protect against this type of theft, the system should provide secure storage, secure deletion and strict access control mechanisms for memory, files, database, peripherals and communication stacks through hardware and software mechanisms.

Unauthorized use of the system

In unauthorized use of systems, the attacker can gain unsanctioned access into the system, remove certain restrictions to gain access to new features or functionalities, or masquerade as a valid user and use paid services free of cost. To mount this sort of an attack would require knowledge of an “insider specialist.”

To protect against these types of attacks, the system should not only support the protection mechanisms described above but also hardware-based tamper-proofed storage and encryption codes for PIN numbers, passwords, authentication data, certificates and configuration data to prevent system access to the unauthorized user.

With the growing number of interest and threats against connected cars, it is imperative for OEMs to arm themselves with effective protection, such as a multi-layer security framework architecture that makes system violations more difficult at every stage the hacker attempts to breach the vehicle. To learn more about this framework, view this video here.

Alon Atsmon  

VP of Technology Strategy at HARMAN

Alon heads HARMAN’s strategic technology focusing on safety and security initiatives at HARMAN (NYSE:HAR), the market leader in connected car and audio equipment. Prior to that, he led HARMAN’s automotive cloud and map services. Alon joined the company as part of the acquisition of iOnRoad, which he had founded and ran. As iOnRoad’s CEO, Alon led it from inception to its successful acquisition by HARMAN. iOnRoad improves driving in real-time using the power of modern computer vision algorithms and smart-phone cameras. iOnRoad’s innovation and market leadership has been recognized by numerous industry awards including the 2012 CTIA E-Tech Award, CES 2012 award, and Qualcomm QPrize of 2013. Alon is the proud inventor of 30 utility patents and has won numerous industry prizes.