In order to become fully autonomous, vehicles need to connect with the world around them to transmit and receive data relevant to their journeys. However, the very act of connecting them can make them vulnerable to malicious attacks from anyone with a computer, anywhere in the world. IT security is being strengthened in many sectors to combat an increasing number of threats and, in this article, Richard Ward, semiconductor marketing manager, Rutronik, and Martin Motz, graduate engineer, Rutronik, look at some of the issues behind automotive IT security.
Modern consumers are very demanding, and this extends to their vehicles, where they expect highly functional touch screens and GPS systems that will navigate them quickly to their destination, avoiding traffic and other delays. In addition, consumers expect that they can be fully ‘connected’ in their vehicles, just as they are at home.
Any connected vehicle is potentially susceptible to a cyber attack, and the consequences can be very serious: taking over the functions of a vehicle in motion could be catastrophic. Therefore, secure key-based cryptographic communications will need to form part of the vehicle systems – especially any functionally safe areas covered by ASIL (ISO 26262).
At one level, encryption is quite simple – a shared secret key is used to encrypt the transmission and the same key is used again to decrypt the ciphertext at the receiving end. Storing these keys securely during manufacture, and then for the lifetime of the vehicle, is essential to maintaining this security, and this presents a challenge for automakers, who will need to adapt their supply chains and other processes. The consequences of a breach could be serious for motorists and also for the automakers, who would face severe penalties and a huge loss of reputation.
Trust anchors, if suitably protected themselves, can protect archived encryption keys – provided that only authorised access is granted to the encryption process. Often, they provide a secure environment by being embedded in the operating system of a microcontroller, although recent successful attacks have shown that hardware-based security is far stronger than software alone.
To address this, SHE (Secure Hardware Extension) modules and HSMs (Hardware Security Modules) can be integrated into microcontrollers, such as the Infineon AURIX devices. Their integrated HSMs support advanced features such as asymmetric cryptography, which uses public and private key pairs.
HSM is a popular choice for in-vehicle comms due to the high level of computing power needed. One forthcoming open standard is EVITA that aims to design, verify and prototype an architecture for on-board automotive networks where security-relevant components are protected against tampering and sensitive data is protected from being compromised during transfer.
Infineon is taking a leading position in this initiative with its second-generation AURIX family; the TC3xx series is compliant with EVITA Full.
Standards deliver efficient protection
The nature of the data and the duration of the key’s life (whether just for a session or for longer) determine the level of protection required for the keys. Developing these protection algorithms can be a significant effort, so manufacturers are looking to established standards such as AES, RSA and ECC, not least because of some negative experiences with in-house developed algorithms. The security surrounding chip cards is well established and in widespread use.
However, vehicles are a unique and somewhat challenging environment, so existing technologies have to be adapted to offer extended temperature ranges and greater vibration resilience. For example, solderable SIM cards are one way of meeting the stringent quality requirements for vehicles, including standards such as AEC-Q100.
Many keys will need to be protected for the lifetime of the vehicle – and even during the disposal process – meaning that many processes, especially production, where keys are transmitted as plain text, will need to be re-engineered. This becomes more complex as some of these processes may be performed by third parties.
Semiconductor manufacturers provide personalised security controllers that are protected from hardware attacks. The personal key is stored during a secure and certified manufacturing process, ensuring it cannot be exposed.
Long term protection also demands a high degree of flexibility. This so-called “crypto agility” allows for legacy and modern algorithms to be used together as well as ensuring there are enough hardware resources to accommodate modern techniques that were not invented when the vehicle was designed or built.
Given the complexity of modern vehicles, software updates are required to address issues – as well as to allow carmakers to add functionality. Delivering these updates over a secure communication channel, known as software-over-the-air (SOTA), allows this to be done conveniently without visiting a service facility, saving time and hassle for the vehicle owner as well as the carmaker.
Once the software update has been received, it is securely authorised, and each code block is decompressed and decrypted before being written to flash memory in the appropriate vehicle module. Once the HSM in the AURIX module is satisfied that everything is genuine, the module is rebooted and the new code is in place.
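The SOTA flow described in the two paragraphs above, modelled as an added example (not code from the article, Rutronik or Infineon): the manifest is authorised first, each code block is checked and decrypted before anything is written, and the image is staged so that a single bad block leaves flash untouched. It assumes constructed device keys and uses HMAC-SHA256 in counter mode as a stand-in for the HSM's AES engine; the "flash" is a plain dictionary.

```python
import hashlib
import hmac
import json
import struct
import zlib
# Constructed device keys; on a real ECU these would live inside the HSM.
AUTH_KEY = b"constructed-authorisation-key"
ENC_KEY = b"constructed-encryption-key"
BLOCK_SIZE = 1024

def _keystream(version, idx, length):
    # HMAC-SHA256 in counter mode stands in for AES; (version, idx) keeps each block's keystream unique.
    out = bytearray()
    for ctr in range(-(-length // 32)):
        out += hmac.new(ENC_KEY, struct.pack(">III", version, idx, ctr), hashlib.sha256).digest()
    return bytes(out[:length])

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(*parts):
    return hmac.new(AUTH_KEY, b"".join(parts), hashlib.sha256).hexdigest()

def build_update(firmware, version):
    """Back-end side: compress, encrypt and tag each block, then authorise the manifest."""
    blocks = []
    for idx in range(-(-len(firmware) // BLOCK_SIZE)):
        comp = zlib.compress(firmware[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE])
        cipher = _xor(comp, _keystream(version, idx, len(comp)))
        blocks.append({"cipher": cipher.hex(), "tag": _tag(struct.pack(">II", version, idx), cipher)})
    manifest = {"version": version, "blocks": len(blocks), "sha256": hashlib.sha256(firmware).hexdigest()}
    mbytes = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "manifest_tag": _tag(mbytes), "blocks": blocks}

def apply_update(package, flash):
    """ECU side: nothing reaches flash unless the manifest and every block verify."""
    m = package["manifest"]
    if not hmac.compare_digest(_tag(json.dumps(m, sort_keys=True).encode()), package["manifest_tag"]):
        return False                      # update not authorised
    if m["version"] <= flash.get("version", 0) or len(package["blocks"]) != m["blocks"]:
        return False                      # replay/rollback or truncated package
    staged = bytearray()                  # stage the whole image before writing
    for idx, blk in enumerate(package["blocks"]):
        cipher = bytes.fromhex(blk["cipher"])
        if not hmac.compare_digest(_tag(struct.pack(">II", m["version"], idx), cipher), blk["tag"]):
            return False                  # tampered, reordered or foreign block
        staged += zlib.decompress(_xor(cipher, _keystream(m["version"], idx, len(cipher))))
    if hashlib.sha256(staged).hexdigest() != m["sha256"]:
        return False                      # reassembled image does not match manifest
    flash["image"], flash["version"] = bytes(staged), m["version"]
    return True                           # caller reboots into the new image
```

Each block is tagged together with its version and index, so a block from an older package or one moved to another position fails before it is decrypted.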
IT security in vehicles is a new and necessary area that will impact all areas of vehicle design, manufacture, use and disposal. However, there are some challenges in porting existing technologies and processes to the automotive environment. Using established standards, as well as microcontrollers with integrated security including an HSM, such as Infineon’s AURIX devices, will make the process of delivering high levels of vehicle security much simpler and faster.