Can Trillium, which has solved the problem of CAN bus encryption, become a good tool for automobile safety protection?

Publisher: tgdddt. Latest update time: 2016-07-18. Source: 车云网

    It has always been believed that the CAN bus is almost impossible to protect, but Trillium's SecureCAN has clearly broken this "superstition".

    Technology products in the field of automotive safety are becoming very popular. A large number of startups are pouring in, focusing on technology development while hoping to become the next acquisition target of a large company. Last summer, white hat hacker Charlie Miller and his old partner Chris Valasek hacked into a Jeep Cherokee. At almost the same time, General Motors OnStar's RemoteLink system was found to have security vulnerabilities: hackers could use the system gateway to remotely unlock the car doors and start and stop the engine. The following figure shows the 15 most vulnerable attack surfaces currently exposed on connected cars, as announced by Intel.

Intel reveals the 15 most vulnerable attack surfaces currently exposed in connected cars

    Therefore, according to the current situation, the more energy automakers and suppliers invest in smart connected and self-driving cars, the more they value security, and network security plays a vital role in the development of the automotive industry towards intelligence and automation.

    In last year's article "CES Preview: These Seven "Small Companies" Are the Trendsetters of Automotive Technology in 2016", Cheyunjun introduced the Japanese startup Trillium and briefly explained its automotive safety protection tool "SecureCAN". Nowadays, the development of Internet of Vehicles and autonomous driving is booming. As a startup focusing on automotive safety, how does Trillium view the security issues of smart connected cars? How competitive are its products? What technical development path will it take in the future? Don't worry, we talked to David M. Uze, CEO of Trillium, and you will definitely find the answers you want below.

Hi, this is Trillium

    Trillium was founded by David Uze, former president of Freescale Japan, and is headquartered in Nagoya, Japan. Last fall, Trillium "broke into" the automotive security field with its "SecureCAN" technology. This automotive security tool encrypts the CAN bus and also performs key management, protecting payloads of no more than 8 bytes. The key to the technology is that SecureCAN processes data within this "8-byte" range and does not use the 128-bit block required by the AES encryption algorithm (Rijndael).

    Uze believes that because ECU networks lack security solutions, and because CAN is natively an unencrypted bus in the car system that undergoes no security processing, hackers can obtain full authority over the car's steering, braking and other functions through the CAN bus. Because of this, the CAN bus has become a "paradise" for many hackers to wreak havoc. In addition, the Local Interconnect Network (LIN), which is usually used to control rearview mirrors, windows or sunroofs, has its own protection gap and is very likely to become a "backdoor" for hackers to invade the CAN bus.

    For a long time, almost the entire automotive industry has shared a consensus: the CAN bus cannot be protected. There are two reasons. First, the ECU's computing power is insufficient; second, the bandwidth of the vehicle network is limited. Some LIN buses use 16-bit or 8-bit MCUs, but AES can only process data in 16-byte blocks, which means that the LIN bus is often left in a "naked" state.
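The block-size argument above, as an added example that is not from the original article or from Trillium: XTEA, a public 64-bit block cipher, stands in for SecureCAN's cipher (which the article does not name) to show an 8-byte CAN payload being encrypted in place, where one 16-byte AES block would need two frames. The key, CAN ID and payload are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_MAX_DLC 8   /* classical CAN data field: at most 8 bytes */
#define AES_BLOCK   16  /* AES block size in bytes */

/* Constructed classical CAN frame layout (hypothetical, for illustration). */
struct can_frame8 { uint32_t id; uint8_t dlc; uint8_t data[CAN_MAX_DLC]; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* XTEA, 32 cycles: 64-bit block, 128-bit key, integer add/shift/xor only. */
void xtea_encrypt(uint8_t blk[8], const uint32_t k[4]) {
    uint32_t v0 = be32(blk), v1 = be32(blk + 4), sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    put32(blk, v0); put32(blk + 4, v1);
}
void xtea_decrypt(uint8_t blk[8], const uint32_t k[4]) {
    uint32_t v0 = be32(blk), v1 = be32(blk + 4), sum = 0x9E3779B9u * 32;
    for (int i = 0; i < 32; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        sum -= 0x9E3779B9u;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
    }
    put32(blk, v0); put32(blk + 4, v1);
}

/* Frames needed to carry n ciphertext bytes over classical CAN. */
int frames_needed(int n) { return (n + CAN_MAX_DLC - 1) / CAN_MAX_DLC; }

int main(void) {
    const uint32_t key[4] = {0x00010203, 0x04050607, 0x08090A0B, 0x0C0D0E0F}; /* constructed key */
    struct can_frame8 f = {0x123, 8, {0x10, 0x27, 0, 0, 0x64, 0, 0, 0x01}};   /* constructed frame */
    xtea_encrypt(f.data, key);  /* ciphertext occupies the same 8-byte data field */
    printf("64-bit block: %d frame, one AES block: %d frames\n",
           frames_needed(f.dlc), frames_needed(AES_BLOCK));
    return 0;
}
```

Identical payloads encrypt to identical ciphertexts here, so the block shows only the size fit, not a complete bus-protection scheme.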

    David Uze said in an interview that SecureCAN can encrypt CAN and LIN bus information in real time due to the use of ultra-lightweight block encryptors. It is worth mentioning that the symmetric block encryptor and key management system enable SecureCAN to complete the "encryption, transmission and decryption" process within a threshold of 1 millisecond. This is crucial for the real-time encryption and decryption of the automotive CAN bus.

    Since launching the SecureCAN sample last fall, Trillium has been continuously improving this security tool this year. Although the initial SecureCAN sample used the ARM Cortex M4 processor, due to chip supply problems, Trillium had to choose the ARM Cortex M0/M01. However, it was a big challenge for Trillium to achieve the functions preset by SecureCAN without floating-point operations.

    According to Cheyunjun, the latest test version of SecureCAN has added public key technology, using the Diffie-Hellman key exchange algorithm to generate keys. The following figure shows the root of the trust chain of SecureCAN. 

SecureCAN's trust chain root

SecureCAN is just the first step

    Obviously, Trillium's "SecureCAN" technology has solved the problem that was previously considered "impossible". However, David Uze also foresaw higher requirements from OEMs and Tier 1 suppliers. They hope to get a complete set of security protection technology solutions, not just the vehicle network, but also V2V/V2I communication, OTA upgrade system, smart firewall, etc. can be strictly protected.

    On June 30, 2016, Trillium received a $5 million Series A funding round, and naturally its product goals also "rose with the tide." In addition to the CAN bus, Trillium is also working to incorporate the protection of FlexRay and LIN buses into the entire vehicle network protection system. In addition, Uze said that Trillium used this investment to integrate existing engineering resources to ensure that all projects can operate in parallel, including the development of intrusion detection and protection systems (IDS/IPS) and OTA software upgrade solutions.

    According to the goal Uze has set for Trillium, the company will in the future provide a series of automotive safety technologies developed on the "same platform and unified API port". SecureCAN will start real-car testing this month. A Japanese car (Uze declined to disclose the brand and model) will be equipped with Trillium's SecureCAN/Ethernet technology. In January next year, Trillium will start testing SecureFlexRay/LIN technology in the car (the FlexRay bus is usually used to transmit data related to ADAS sensors). In addition, according to Trillium's plan, testing of the intrusion detection and protection system (IDS/IPS) and OTA upgrade technology will begin at the end of 2017 at the latest.

Three major areas of automotive cybersecurity

Multiple Offensive and Defense Battles in Automotive Information Security 

    However, Uze also said that "protecting the CAN bus is not the only good way for the automotive industry to deal with network security issues." He believes that for future connected cars, a variety of different security protection measures should be taken.

    Earlier, when asked about his opinion on "CAN bus encryption", Timo van Roermund, security architect of NXP Automotive Division, said, "Key management is the most important part, especially when it is used to protect information between ECUs." However, Roermund also pointed out that different OEMs may choose different in-vehicle network architecture management solutions, and there is no so-called "standard method" for key management.

    Below are some of the more mainstream network security protection measures currently taken by OEMs and suppliers, compiled by Cheyunjun.

  • 1. Use a firewall to isolate the in-vehicle electronic system from the external interface;

  • 2. Use a stricter access control mechanism, and only open or semi-open access to the in-vehicle system to known or trusted sources;

  • 3. Further restructure the in-vehicle network and place systems of the same criticality in independent networks. It is best to isolate critical systems that involve safety;

  • 4. Use cryptographic systems (authentication or coding encryption) to protect data circulated in the vehicle system;

  • 5. Use intrusion detection/prevention system (IPS/IDS) to detect and warn potential hacker attacks;

  • 6. Protect ECUs (microcontrollers and other software) using secure boot, upgrades, and other measures.
