Understanding the Need for Cyber-Security Image Sensors for ADAS and Cabin Monitoring Systems

It’s not easy to make people realize the importance of automotive cybersecurity. As cars transition to semi-autonomous driving, automotive original equipment manufacturers (OEMs) are paying more and more attention to automotive cybersecurity. The reason for implementing controls on vehicle networks is obvious, the purpose is to ensure that no one can control the vehicle except the driver (or a driving system that replaces the driver under specific and constrained conditions). In 2021, the United Nations Economic Commission for Europe (UNECE) working group published UN-R155, a cybersecurity regulation for OEMs to address the growing cyber threat. From July 2022, this regulation is binding for the approval of new car models produced in UNECE member countries. This means that automotive suppliers must comply with ISO 21434 to ensure that all their cybersecurity-related components comply with the standard. Of course, sourcing parts that meet cybersecurity standards does not guarantee that OEMs will comply with UNECE standards. However, it is an important step in this direction and puts OEMs in a better position to achieve this goal. This article explores cybersecurity issues from the perspective of image sensors used in advanced driver assistance systems (ADAS) and cabin monitoring applications.

1 Why image sensors need to be secure

In a car, there are some obvious places where cybersecurity should be implemented, including gateways, interconnects, infotainment systems, or any other car subsystem connected via a network. However, one might wonder why image sensors also need cybersecurity. With today’s emphasis on safety and driver assistance, image sensors are the “eyes” of the vehicle. They are used in a variety of ADAS features, such as lane departure warning, pedestrian detection, and automatic emergency braking (AEB). They assess the environment around the car and provide input to the fusion system to make decisions. In the future, they will help identify and authenticate the user of the car and monitor the user’s vital signs. If the driver is incapacitated, the onboard computer will be able to take over control. In these cases, automotive image sensors must perform well (high dynamic range, low light capabilities, color discrimination, etc.) and remain functional, especially in the most extreme situations that the vehicle may encounter. As the safety of the car will increasingly rely on image sensors, the car’s central computer needs authorized and genuine parts to interact with it. It must also ensure that any image frames transmitted have not been tampered with and that all frames are generated by genuine image sensors. In addition, image sensors should only accept configuration changes from the car system and not from any other party. The following use cases illustrate why the automotive industry cannot ignore the threat posed by the use of counterfeit image sensors that are susceptible to third-party tampering.

2 Threat 1: Image sensors replaced with counterfeit parts

AEB systems rely on image sensors behind the windshield to detect objects or pedestrians in front of the car. If the driver does not react in time, the system can decide to apply the brakes to prevent a collision. AEB systems operate on the assumption that their image sensors have specific characteristics (such as high dynamic range, low-light performance, etc.) and that the system has been calibrated to these specifications. If the original image sensor is replaced with a non-genuine or counterfeit part, the system performance may be impaired. Although the replacement part may look exactly like the original, its performance and characteristics may be very different. Since the AEB system is optimized for the original image sensor, the different characteristics of the replacement part will change the system's performance. This means that the system may not detect an object or pedestrian in front of the car until it is several meters away, leaving the system no time to react appropriately, which can lead to tragic consequences. Replacing the original image sensor with a counterfeit one is like allowing a driver with poor eyesight to drive without glasses.

Figure 1: The consequences of replacing genuine image sensors with counterfeit products

3 Threat 2: Image sensor settings modified

The vehicle system is calibrated and programmed to optimally configure the image sensors to always present the scene in front of the vehicle as realistically as possible. However, if someone (or something) modifies the image sensor configuration, its performance will be affected to the point where the vehicle system may no longer be able to correctly, completely or optimally perceive the scene the vehicle is facing. This is the equivalent of throwing dust in the eyes of a human driver.

Figure 2: Consequences of tampering with image sensor settings

4 Threat 3: Image sensor bypass

Image sensors provide raw video data to image processors, which then use that data to extract key information about obstacles ahead so that the car can respond appropriately. For example, an image processor can detect an approaching vehicle and then make a safety-first choice to brake or steer the car away from danger. However, if an unauthorized party attempts to tamper with the system by modifying or bypassing the image sensor, the image processor no longer has access to raw video data that reflects the true scene. In this case, the system may no longer be able to detect approaching objects. Instead, the image processing element may only receive a looping image of a clear road with no obstacles, which could be as unacceptable as a human driver taking their eyes off the road entirely.

Figure 3 Consequences of image sensor bypass

5 Onsemi's image sensors meet cybersecurity standards

ON Semiconductor began adding cybersecurity features to its image sensors in 2018, even before the ISO 21434 cybersecurity standard was released. Initially, this was done to meet the needs of early customers, but it has gradually evolved into valuable cybersecurity expertise. As a result, ON Semiconductor's image sensors are ready for cybersecurity. One key feature is authentication, which allows them to prove to the host that they are authentic, using a certificate chain and pre-shared keys. Another important feature is that they can ensure the integrity of the video data, proving that the video data stream between the sensor and the system has not been tampered with. This integrity is provided by a message authentication code (MAC). In addition, the use of MACs on the embedded data video lines through specific key registers prevents sensor control and configuration data from being tampered with.

6. Cybersecurity components are the first step to achieve automotive cybersecurity

Cybersecurity compliance is a must for automotive image sensors to prevent them from becoming a Trojan Horse for outsiders to intrude into complex automotive electronic systems. For OEMs, ensuring cybersecurity compliance requires more than just adding cybersecurity control circuits to image sensors, but they are critical to achieving comprehensive cybersecurity compliance for ADAS and cabin monitoring systems.