Infineon Technologies: Layered design and trusted security ensure the safety of intelligent connected cars

Publisher: 创新思维 | Latest update time: 2021-10-14

Global Automotive News: According to foreign media reports, the cyber threats facing the automotive industry drew public attention in 2015, when a "white hat" research team remotely issued commands to control the electronic components of a target vehicle while it was driving on the highway.


The team then released a detailed report stating that it had identified multiple discrete weaknesses (vulnerabilities) that its researchers used to launch a cyberattack on the vehicle. This approach demonstrated to cybersecurity researchers a concept that is well known in the industry: creating trustworthy systems requires a layered defense mechanism that anticipates and takes protective measures to respond to external cyberattacks while protecting the weak links between systems.


This layered design approach is becoming increasingly important as technology evolution, driven by electronics, is reshaping the automotive industry.


Electric vehicles, automated driving assistance systems/automated driving systems, and intelligent networking functions have made vehicle systems more complex and connected than ever before. As vehicles become more intelligent and connected, all aspects of the vehicle are potential attack points (Figure 1), making cybersecurity architecture an important factor to consider in vehicle design.


At the same time, companies working on autonomous driving capabilities told us that reliance on these in-vehicle systems to improve consumer comfort is key to their long-term commercial success.


This requires the "reliable system" mentioned by Infineon. Car owners must trust the in-vehicle system in all situations and be sure that the driving safety and network security performance of the vehicle are guaranteed when the vehicle is running. Due to the existence of the above-mentioned remote hacking attacks, it is extremely important to ensure that the functions of electronic components are functioning normally, which helps to build trust with consumers.




Figure 1: Every connected function in the car is a potential attack point. (Labels: Bluetooth, electric vehicle charging, in-vehicle infotainment system, cellular network, keyless entry, V2X/dedicated short-range communication, radar, tire pressure monitoring system, USB, on-board diagnostics, wireless charging, wireless network.)


Changing vehicle architecture


The trend in car design is to reduce the number of individual electronic control units (ECUs) that control various vehicle functions. Today, the average car has 30-50 ECUs, which in itself can become a weak point.


The future trend of automotive architecture is to have far fewer electronic control units, with functions consolidated by functional domain or by physical zone within the vehicle. Even so, there are dozens of such systems that need to be protected, ranging from domain controllers responsible for running multiple virtual machines simultaneously to modules responsible for sensor fusion, braking, steering, clusters, in-vehicle infotainment systems, in-vehicle telecommunications systems, and body control (Figure 2).


All of these controllers and modules will be upgradeable over the air, providing unprecedented flexibility in features and functionality, but also creating greater security risks.


Different safety levels required in future vehicle architectures




Figure 2: Semiconductors are critical to providing a security layer for future vehicle architectures. (Labels: secure platform, secure in-vehicle communications, secure network separation, secure external communications.)


Centralized and regional designs will improve data sharing, simplify the entire network and support service-oriented architecture, thereby improving vehicle operation and reducing the number of repairs during the vehicle's life cycle. Each control module is composed of three elements - computing, storage and networking. The risks associated with each element and the identification method will help ensure its correct use.


Automakers are forced to think carefully: How will such modules be used? How to prevent such modules from being misused? How to protect such modules?


As a guide, ISO 21434: Road vehicles — Cybersecurity engineering, a standard awaiting final approval, provides processes and methods to support new designs in the automotive industry.


The standard defines cybersecurity engineering design practices for all in-vehicle electronic systems, vehicle components, in-vehicle software, and external networks. Let's see how such practices are applied to protect the security of important hardware components.


Ensure proper authorization


Today, the latest domain control modules combine specialized computing engines (such as graphics processors and neural processors) with "workhorse" microcontrollers, such as Infineon AURIX. Built specifically for dependable computing, this multi-core processor family ensures the security and reliability of computing with a fully centralized Hardware Security Module (HSM).


The hardware security module fully complies with the E-safety Vehicle Intrusion Protected Applications (EVITA) standard, which is now widely used in vehicles to provide maximum security for engine control, chassis and safety-critical systems.


Another Infineon processor family, Traveo II, supports body control applications with enhanced Secure Hardware Extension (eSHE) modules and One Time Programmable fuses.


Network traffic between centrally controlled and regionally controlled ECUs flows through secure microcontroller units, whose integrated security functions also support changes to authorization scenarios and are designed to prevent hacker attacks like the one that occurred in 2015.


When the system software needs to be upgraded, the target ECU receives a hashed command and a software update package. Before the package is installed and used, its digital signature is checked and its authorization is confirmed.


Similar checks are also performed on the vehicle communication network, including Ethernet and the controller area network (CAN-FD), before a bus message takes effect. This measure is intended to protect the controller and network from unauthorized commands, replay attacks, or malicious information from unauthorized sources.
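One way such a bus-message check can work, shown as an added example that is not from the article or from Infineon: each frame carries a freshness counter and a truncated MAC, and the receiver drops frames that are forged, modified or replayed. The HMAC-SHA-256 construction, the 8-byte tag, the frame layout, the CAN IDs and the keys are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # truncated MAC bytes carried in the frame (assumed size)
CTR_LEN = 8  # 64-bit freshness counter (assumed size)

# Constructed demo keys indexed by CAN ID; real keys would stay inside the HSM.
KEYS = {0x120: b"brake-demo-key-0", 0x130: b"steer-demo-key-0"}


def frame_mac(key, can_id, counter, payload):
    # The MAC covers the CAN ID, the freshness counter and the payload.
    msg = struct.pack(">IQ", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(can_id, counter, payload):
    """Sender side: payload || counter || truncated MAC."""
    tag = frame_mac(KEYS[can_id], can_id, counter, payload)
    return payload + struct.pack(">Q", counter) + tag


class Receiver:
    def __init__(self):
        self.last_counter = {}  # highest accepted counter per CAN ID

    def accept(self, can_id, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        key = KEYS.get(can_id)
        if key is None or len(frame) < CTR_LEN + MAC_LEN:
            return None  # unknown sender or malformed frame
        payload = frame[:-(CTR_LEN + MAC_LEN)]
        (counter,) = struct.unpack(">Q", frame[-(CTR_LEN + MAC_LEN):-MAC_LEN])
        tag = frame[-MAC_LEN:]
        if not hmac.compare_digest(tag, frame_mac(key, can_id, counter, payload)):
            return None  # forged or modified frame
        if counter <= self.last_counter.get(can_id, -1):
            return None  # replay of an already accepted frame
        self.last_counter[can_id] = counter
        return payload
```

The counter is only advanced after the MAC verifies, so an attacker cannot push the receiver's freshness window forward with unauthenticated frames.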


In vision systems and sensor fusion systems, flash memory containing boot code and calibration data will become an attack point or a "honey pot" for malicious code to be embedded. Infineon's Semper Secure NOR Flash products will bring a trusted hardware architecture to memory devices. (Figure 3)


Following the Trusted Computing Group's Device Identifier specification, the Unique Device Secret ensures that the code remains inviolable and can only be upgraded through the specified computing engine. If any code error is detected, the secure boot mode will be triggered, and the entire memory device will be resistant to side channel attacks.




Figure 3: In-depth measures taken to implement Semper Secure NOR Flash, a centralized ADAS system with 5G network functions. (Block labels: DRAM for application code and data; eMMC/UFS; images, sensors and cameras; vision and sensor fusion SoC; redundant SoC; computing processor; 5G LTE modem; ultrasonic sensor, LiDAR and radar sensor; safety auxiliary chip; boot code and calibration data memory.)


Security updates beyond ECUs


The security points highlighted in Figure 2 can be viewed in a binary way: one is a security point that is large enough to contain a hardware security module; the other is a security point that does not contain a hardware security module.


To truly achieve this, it is imperative to scale up the size of system safety components. Larger devices such as electric units with microcontrollers and microprocessors are already used in vehicle networks, controlling airbags, steering, braking, radio, clusters, and advanced driver assistance systems (ADAS), and these system devices need to be large enough to accommodate hardware security modules.


For small devices that are not interconnected to the main network bus (such as window actuators), it is not practical to fully configure the safety module due to cost factors.


In contrast, flash technologies that are used only to enable device upgrades or technologies that require a password essentially convert the device into read-only memory (ROM), making the code update process unchanged and ensuring runtime security.


Protection of the human-machine interface


At a hacker conference in 2015, the white hat team pointed out for the first time that their attack point (breakthrough) was the target vehicle's in-vehicle infotainment system.


Although the system was fundamentally isolated from other critical systems, the hackers found a way to penetrate the control unit, which happened to exchange data with the front end, which provided the team with the final data needed to launch the hacking attack.


As such in-vehicle infotainment and telematics systems become increasingly important in the human-machine interface of modern vehicles, they are destined to become potential attack surfaces for malicious hackers to attack in-vehicle systems.


In terms of protection, Infineon has designed multiple layers of redundant protection for its wireless and Bluetooth network connection products to delay and interrupt network attacks.


Each subsystem is independently protected, with authenticated internal system communications and a memory protection unit (MPU) enabled to block code injection, while a TrustZone CPU provides support for a trusted execution environment.


Supply chain


As vehicle electrification and autonomous driving technology advance in tandem, autonomous vehicles are becoming more attractive targets for malicious hackers, making the industry a potential attack point as it grows.


It is important to ensure cyber security throughout the entire supply chain. Each control module and millions of lines of code need to be validated for security, from the initial manufacture of the control module to its installation in the vehicle.
