Big changes in the new decade of intelligent networking: from functional safety to network security

Starting from 2020, the proportion of connected cars in the world will enter a rapid growth channel. The huge risk brought about by this is that cybersecurity will become the main focus of automakers and software providers.

Hackers have revealed they have found a way to mass-activate the brakes of connected cars, putting them at risk of being stranded on motorways. Once a vulnerability is found, hackers can remotely start the vehicles over the internet.

At present, most vehicles on the road are not connected to the Internet, and certainly not autonomous, but the industry is taking us in the direction of intelligence and networking. In 20 years, more than a quarter of the cars on the road will have autonomous driving capabilities (some automakers have even configured the vehicle with OTA, which can be upgraded to a high level of autonomous driving at any time).

This means that the automotive industry has a responsibility to ensure that vehicles are protected from cyber attacks.

More and more vehicles with the ability to collect data upload data to servers using the cellular networks available in the area, which have proven to be vulnerable to intrusion. Many experts say that the CAN bus, which is common in current cars, can be easily hacked.

A recent study by a foreign agency shows that hackers can paralyze an entire city by simply shutting down a small number of vehicles. Such an attack threat alone could lead to road accidents of unprecedented scale and significant economic losses.

As we enter a new decade of development for connected vehicles, potential attacks like this one are likely to become more common.

Some automakers have already started taking action.

GM's new generation of electronic architecture platform launched at the end of last year took into account possible future hacker attacks. "Network security issues have been considered from the beginning," said the company's head, such as using message authentication between car components to ensure that the communications sent or received are from legitimate servers. The company is using more internal testing and white hat hackers to monitor vulnerabilities in the network.

Toyota is using the same tools as hackers. The company has developed PASTA (Portable Adaptable Automotive Security Testbed), a system that allows anyone—even the owner—to inspect a connected vehicle's ECU and search for vulnerabilities.

Whether the measures taken by manufacturers are sufficient remains to be seen, but it is clear that cybersecurity must become an absolute priority starting in 2020 to detect problems before hackers and prevent them from exploiting these vulnerabilities. Considering the advent of the software-defined car era, the amount of code carried by the entire vehicle is growing exponentially, and there will be more and more hidden vulnerabilities.

The California-based consumer watchdog group released a report urging automakers to install "kill switches" that allow cars to be manually disconnected from the internet, highlighting a number of previous incidents of remote vehicle hacking, such as a 2015 incident in which a Cherokee was hacked on a highway, prompting FCA to recall 1.4 million vulnerable vehicles.

"Millions of cars running the same software means that a single vulnerability can affect millions of cars simultaneously." The organization warned that potential security vulnerabilities are increasing due to the growing number of such vehicles on the road.

Experts agree that connecting safety-critical components to the internet via complex infotainment devices is a security flaw that could allow hackers to control vehicle operations and take over data communications.

The report specifically points out that automakers are increasingly adopting wireless update (OTA) technology, which provides the ability to update software online, which may fix vulnerabilities and make the system more secure, but the feature may also introduce new vulnerabilities. This wireless update also provides a way to avoid notifying regulators of problems, instead of the traditional recall reporting system.

Currently, several automakers, including Tesla, Daimler, Ford, General Motors and BMW, have disclosed cyber risks to investors.

For example, Mercedes-Benz plans to launch a security-focused "Bug Bounty" project in 2020, which aims to help and encourage relevant research teams to assist Mercedes-Benz in improving its connected security services.

Previously, Mercedes-Benz researchers worked with the Sky-Go team of the 360 ​​Intelligent Connected Vehicle Security Lab to fix 19 potential vulnerabilities related to connected cars. Subsequently, the two parties announced a partnership to jointly improve the information security capabilities of cars through the security brain.

Auto-ISAC was established by automakers in 2015 to promote cooperation between suppliers and automakers on automotive cybersecurity issues. Its focus is to promote global cooperation to reduce the risk of cyber attacks and create a secure, efficient and flexible global connected car ecosystem.

An important action of Auto-ISAC is to publish a best practices guide for automotive cybersecurity, covering organizational and technical aspects of automotive cybersecurity. In addition to network vulnerabilities, as technology continues to advance, more and more personal data will be stored in cars, which creates another security risk - personal privacy.

Based on user information, networking, payment, navigation, positioning and other data, in the future, automobile manufacturers or cloud service providers may know where you live, where you work, where your children go to school, and where you like to have breakfast on weekends. The record storage of this key information will become more and more common.

While users are enjoying the convenience, they are already in a situation where their personal privacy is being stolen. The danger is that many people don’t realize how much data a car may have about them.

A survey conducted by Auto-ISAC last year showed that more than half of the nearly 400 models of cars from 12 automakers stored personal information, and these vehicles eventually flowed into the used car market. Another privacy leakage risk comes from car networking data and positioning service providers, especially as more and more new cars begin to use user registration systems similar to mobile phones, and user information is increasingly closely associated with data from daily service usage.

For example, Google recently announced that it has joined Auto-ISAC to seek more cybersecurity support for its Android Auto™ and Android Automotive OS, which serve the automotive industry. Considering that some of the world's well-known car companies have begun to use Android Automotive OS, ensuring data protection is a top priority.

As an old Chinese saying goes: A thousand-mile embankment is destroyed by an ant hole. So, are the security risks of connected cars alarmist?

The 2020 Automotive Cybersecurity Report released last month by Upstream Security, a cloud-based automotive cybersecurity solution provider, shares in-depth analysis and statistics on 367 publicly reported automotive cyber incidents in the past decade, as well as new vulnerabilities discovered in 2019.

"With attacks on connected cars increasing rapidly, automakers and service providers need to deploy properly designed connected security architectures as soon as possible." Oded Yarkoni, vice president of marketing at Upstream Security, said the security threats facing the entire industry are real and becoming increasingly common.

1. Connected cars have begun to occupy the mainstream market. Currently, there are 330 million cars in the world that are connected to the Internet (including 3G and 4G), and most automakers have announced that only connected cars will be sold on the market by 2020. This alone will multiply the potential damage of each attack.

2. The number of automotive cybersecurity incidents has increased significantly. Since 2016, the number of automotive cybersecurity incidents has increased by 605%, and more than doubled in the past year alone.

3. One-third of security incidents involved keyless entry attacks. The top three attack vectors in the past decade were keyless entry systems (30%), backend servers (27%), and mobile applications (13%).

4. One-third of incidents resulted in a stolen car, with car theft (31%), car system control (27%) and data/privacy breach (23%) being the top three impacts over the past decade.

5. The vast majority of security incidents in 2019 involved remote attacks, with up to 82% of incidents involving short-range or long-range attacks, which do not require physical access to the vehicle and can be carried out from anywhere in the world.

6. As more and more automakers adopt bug bounties as a way to find vulnerabilities. In addition, government authorities and consumers are demanding the formulation of relevant networked car security regulations to protect against attacks and personal privacy leaks.

At the same time, artificial intelligence, machine learning, the Internet of Things, cloud-based platforms and smart devices have increased the complexity of connectivity and provided catalysts for cyberattacks. Especially as self-driving cars flood the market in the next 5 to 10 years, the biggest issue that manufacturers and operators must address will be vehicle safety.

For example, in the famous Jeep Cherokee out-of-control incident, the windshield wipers were turned on, network transmission was interrupted, and the acceleration and braking failed, all of which happened within a few minutes. Fortunately, this hacker attack was just an experiment.

Because self-driving cars rely on software and network connectivity, they are vulnerable to the simplest hacks. Autonomous technology is still in its infancy.

Therefore, there is not enough data to quantify the impact of large-scale hacker attacks. If consumers' concerns about self-driving cars in the past decade came from whether they were able to reach or even exceed the driving level of human drivers, in the next decade, concerns will gradually evolve into whether they can be easily controlled by hackers.