Connected cars must be safe and secure, but what’s the difference?

Security is vital in order to stop hackers from being able to manipulate built-in safety protocols, learns Freddie Holmes

Computer viruses can be a real source of frustration, and in some cases, have serious implications. Privileged information can be leaked, money can be stolen and connected devices can be held to ransom. Today, all of these risks are relevant to the car, and the automotive industry is fighting to ensure that connected vehicles do not become a subject of interest for malicious cyber attackers.

This, however, is easier said than done. Not only do the car’s internet-connected systems need to be secure, but so too do the internal networks that run within the vehicle. These control basic functions such as the infotainment system, and for a growing number of vehicles, vital driving tasks such as steering, braking and acceleration. Under the control of a hacker, the potential for disaster is high.

Various automakers have been proactive in addressing this issue. Back in 2014, General Motors appointed its first dedicated cyber security officer, Jeffrey Massimilla. In August 2018, the company invited a handful of researchers – commonly dubbed ‘white hat’ hackers – to find loopholes in its vehicles in an effort to find and fix any insecurities. Those that successfully ‘break in’ will be rewarded. “We’ll show them the products, programmes and systems for which we plan to establish these Bug Bounties,” GM President Dan Ammann told The Detroit News. “Then we’ll put them in a comfortable environment — ply them with pizza and Red Bull or whatever they might need — and turn them loose.”

These Bug Bounty programmes are not new, however. Indeed, this was GM’s second round of the scheme, and other automakers have run similar initiatives. In July 2016, FCA spoke about assessing vulnerabilities found by researchers through ‘triage.’ The same year, Tesla offered between US$100 (€87.50) and US$10,000 for every bug found in its software, depending on the severity of the breach and its potential ramifications.

While this is a positive sign for how seriously the automotive industry is taking cyber security, many share a common concern: should we even consider launching automated vehicle technologies when there is a risk of hacking?

Bookends offer stability

To get around this issue, the industry is tackling both safety and security. In some languages, these words share the same meaning, and as such there is a degree of confusion as to how they differ in practice. However, as Chuck Brokish, Director of Automotive Business Development at Green Hills Software, explains, they are not the same thing, and serve different yet equally important purposes in protecting the vehicle. Brokish describes safety and security as the “bookends to a robust system.”

“Safety really defines what a system must do; if a screen needs to be updated 60 frames per second, that doesn’t mean it can occasionally be 59 frames per second. If a sensor input needs to be measured 100 times per second, that doesn’t mean occasionally it can be 99 times per second. It has to be done properly and precisely,” he says. “There are functional deadlines that must be met in real time. They define all of the things that must be done within a system to ensure that these safety goals are met.”


In essence, ‘safety’ dictates the operations that a system must carry out. Typically, hackers will look for vulnerabilities and try to find a way to do things that the system was not necessarily intended to be capable of doing. Even though the system may be operating as intended in a ‘safe’ manner, this is where the topic of security comes in to ensure that safety cannot be compromised. “I think of security as the other end of the bookshelf – it defines the limitations of what is accessible,” continues Brokish. “This is where mandatory access control becomes important, to provide access to only what is needed and nothing more.”

With this in mind, he suggests that cyber security should operate on the principle of ‘least privilege’, which dictates that a module must only be able to access the information required for its original purpose. “Put simply, a hacker may try to gain access to something, but they can’t because they’re not given access to it,” Brokish explains. “One end of the bookshelf consists of the safety features that define everything that must be done, and security is the other end of the bookshelf that defines the limits of what is possible. Those bookends create a well-constrained, robust system that does everything it should and nothing more.”
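The least-privilege rule Brokish describes, shown as an added example that is not part of the article or of any Green Hills product: a default-deny reference monitor between vehicle partitions and shared resources. The partition and resource names are hypothetical, chosen to match the vehicle functions discussed above.

```python
from dataclasses import dataclass, field

# Hypothetical partitions and resources, named after the vehicle functions the
# article mentions. Each partition is granted only the (resource, operation)
# pairs its job requires; anything not listed is denied (least privilege).
POLICY = {
    "infotainment": {("display", "write"), ("gps", "read")},
    "hvac":         {("cabin_temp", "read"), ("hvac_actuator", "write")},
    "brake_ctrl":   {("wheel_speed", "read"), ("brake_actuator", "write")},
}


@dataclass
class AccessMonitor:
    """Reference monitor sitting between partitions and shared resources."""
    policy: dict
    audit: list = field(default_factory=list)

    def check(self, partition: str, resource: str, op: str) -> bool:
        # Default deny: an unknown partition or an unlisted pair is refused.
        allowed = (resource, op) in self.policy.get(partition, set())
        if not allowed:
            # Denials are logged; a burst of them from one partition is a
            # detection signal that it may have been compromised.
            self.audit.append(f"DENY {partition} {op} {resource}")
        return allowed


def simulate_compromised_infotainment(monitor: AccessMonitor) -> list:
    """Decisions for requests a compromised infotainment partition might make.

    Only the legitimate display write succeeds; every reach toward driving
    functions, and any request from a partition with no policy, is refused."""
    requests = [
        ("infotainment", "display", "write"),         # its real job
        ("infotainment", "brake_actuator", "write"),  # out of scope
        ("infotainment", "wheel_speed", "read"),      # out of scope
        ("unknown_task", "gps", "read"),              # no policy entry at all
    ]
    return [monitor.check(p, r, o) for p, r, o in requests]


if __name__ == "__main__":
    mon = AccessMonitor(POLICY)
    print(simulate_compromised_infotainment(mon))  # [True, False, False, False]
    print("\n".join(mon.audit))
```

The audit list is the detection hook: in a real gateway those denial records would be forwarded to an intrusion-detection function rather than kept in memory.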

Green Hills Software has developed a kernel called the INTEGRITY RTOS, which is certified at the highest possible level of safety and security, and features multiple layers of protection. Brokish likens this kernel to a jewellery safe that has been locked away at home. Despite various levels of security, such as a locked door and an alarm system, if an intruder manages to breach those initial defences the locked jewellery safe should remain impenetrable. “Starting with that ‘jewellery safe’, we build our critical tasks in separate address spaces to make sure that they are each guaranteed to operate in a safe manner, free from interference, so that other systems cannot mess with the operation,” he explains. “This ensures the security of the system, and enables multiple levels of security… We secure it from the inside out.”

Public exploits

To date, mainstream hacks from research teams have shown that critical vehicle functions can be accessed through seemingly simple means, and have forced automakers to either make recalls or issue software updates.

In February 2016, a UK-based Nissan Leaf was accessed remotely all the way from Australia. The hacker in question said the vulnerability lay in the NissanConnect smartphone app, which required only a car’s vehicle identification number (VIN) to take control. The heating and ventilation system could be adjusted remotely – potentially draining the battery without the user knowing – and private GPS data could be accessed.

In June that year, a Mitsubishi Outlander PHEV also fell prey to a research project. Some vulnerabilities were “funny,” whilst others were “really quite nasty,” according to Ken Munro, a Consultant at UK-based security research firm Pen Test Partners at the time. For example, the alarm could be deactivated by decoding the password for the Wi-Fi connection used by the car’s smartphone app, which also allows remote control of other functions such as air conditioning and headlights.

Then there are the well-publicised exploits of FCA’s Uconnect system back in 2015, which saw Wired journalist Andy Greenberg stranded on a St. Louis highway after the brakes and steering had been hacked remotely by two researchers. Those researchers now work in GM’s Cruise Automation unit, having previously spent time at Uber’s Advanced Technology Centre in Pittsburgh.


These are just some events that may have forced the hand of automakers to accelerate plans. As a result, the industry has had to come to terms with cyber security – and fast. “In the last couple of years, some of these exposed systems have really awakened the industry to the vulnerabilities out there,” says Brokish. “The industry is taking security quite seriously in implementing at least some minimal functions of security like authenticated boot or secure communications channels, for example.”

However, there is some disparity in how cyber security solutions are being deployed, primarily because there is no set standard to work to. In July 2016, the Auto-ISAC (Information Sharing and Analysis Centre) released a document that laid out several key principles for developing a secure connected car. Adherence to these best practices is not enforced, however, in stark contrast to the obligatory ISO 26262 functional safety standard. There are also standardised automotive safety integrity level (ASIL) ratings for functional safety, but cyber security is yet to gain a standardised approach. Brokish suggests that while this may potentially have a negative impact, the greater degree of freedom could see solutions implemented more rapidly.

When does it become worth the effort?

The threat of a cyber attack is mitigated today by a handful of factors. No fully autonomous vehicle is on the market yet, and those that do feature semi-automated functions account for a relatively small fraction of new car sales. Most cars currently on sale may well be connected to the internet in some way, but it is the ability to remotely control critical vehicle functions that carries the most potential for harm.

There is also a wide variation in software, which can make life hard for potential hackers. Because there are so many different solutions used from car to car, hackers are faced with a non-uniform target base; one hack cannot necessarily take down numerous types of vehicle. Given the current disparity in software solutions, and the limited number of highly autonomous vehicles today, Brokish suggests that it has not been worth a hacker’s time, effort or money to plan a cyber attack on even the most advanced cars on the market, yet.

“Frankly, the payback is not big enough yet,” explains Brokish. “Hackers need to have enough vehicles that they can hold to ransom, or disrupt, to make it worth the effort. A small number of vehicles with diverse software means many hacks are required; once the volumes of these cars increase and software becomes more standardised it will become easier to get a greater return on a hack.”

In future, those vehicles with the highest level of autonomous driving capability will likely become the most attractive targets, as they present a compelling opportunity for disruption, financial gain or worse. It is not a matter of ‘if’ such hacks will occur, it’s simply a matter of ‘when.’ Brokish concludes that efforts must be made to put the necessary defences in place to avoid hacks wherever possible, and to limit the impact everywhere else.

This article appeared in the Q4 2018 issue of M:bility | Magazine.