Cybersecurity in the connected car: technology, industry, and future

Advanced connectivity, electronics and software are hallmarks of modern vehicles. A typical connected car contains up to 70 ECUs, and about 100 million lines of code. As vehicles expand in terms of technological complexity, they become an attractive target for cyber-criminals.

Security demonstrations such as the famous Miller and Valasek Jeep Cherokee example have provided enough evidence that connected cars should be viewed as a potential attack target. But how does an industry built around making and selling cars pivot to delivering secure software and services?

“Cybersecurity in the connected car: technology, industry, and future” examines the security implications of increasing connectivity and software complexity in connected & autonomous vehicles. It discusses the following elements of automotive cybersecurity:

• Attack surfaces in connected and autonomous vehicles
• Core vulnerabilities
• Regulations and policies (US, EU, China, Japan)
• Existing market solutions (OTA updates, IDPS, firewalls etc.)
• Emerging solutions (ECU Consolidation, app sandboxing, autonomous security)
• Security by design

Key questions addressed

The report addresses the following strategic questions, the answers to which will determine future of vehicle cybersecurity in the near foreseeable future:

1. What does the automotive cybersecurity landscape look like today?
2. What makes vehicles vulnerable?
3. What’s in it for the hackers?
4. What are the worst-case scenarios?
5. Where should automakers invest to cyber-proof connected vehicles?
6. Can the CAN bus be secured?
7. What is the relationship between security and privacy?
8. Is legislation the answer to raise the bar of security standards in modern vehicles?
9. What standards are being developed around vehicle cybersecurity?
10. Can security by design ever be a commercial reality?
11. What are the available market solutions and who are the key players?

Who is the report for? 

• Automotive OEMs and suppliers
• Cybersecurity solutions providers (IoT, automotive, mobile)
• Regulatory bodies
• Mobile Network Operators (MNOs)
• Independent Software Vendors (ISVs)
• System integrators and application developers
• Consortiums & alliances built around connected vehicles

Methodology

• Primary research and analysis: Original interviews and surveys of automotive executives, conference presentations at events throughout 2016, academic or commercially available literature
• Secondary research: researching and synthesizing of company data, technology initiatives, strategic analysis of leading companies in the sector

Table of Contents

Chapter 1: Introduction 4

Chapter 2: The problem 6

2.1 Research experiments and demonstrations 6
2.2 Early industry and media responses 8
2.3 Consumer concerns 8
2.4 Hackers’ motivation 10
2.4.1 Vehicle and property theft 11
2.4.2 Information and identity theft 12
2.4.3 Remotely taking control of a vehicle 13

Chapter 3: Connected car technology and its vulnerability 15

3.1 ECU proliferation 15
3.2 CAN and other bus systems 16
3.3 Code proliferation 19
3.4 Specific cyberattack surfaces 20
3.4.1 The on-board diagnostic (OBD-II) port 21
3.4.2 Infotainment head units 22
3.4.3 Bluetooth 22
3.4.4 USB/CD player/paired devices 23
3.4.5 In-car Wi-Fi hotspots 23
3.4.6 In-vehicle apps 24
3.4.7 Remote keyless entry systems 25
3.4.8 Tyre pressure monitoring systems (TPMS) 25
3.4.9 Dedicated short-range communication (DSRC) receivers 26
3.4.10 Electric vehicle charging port 27
3.4.11 Cyber-physical systems 27
3.5 Autonomous vehicles 28
3.6 Over-the-air (OTA) software updates 28
3.7 Supply chain security 29

Chapter 4: Industry responses 30

4.1 Justifying cybersecurity investments 30
4.2 Establishing cybersecurity departments 31
4.3 Collaboration with third-party security providers 31
4.3.1 Case study: Uber ‘bug bounty’ program 33
4.4 Software updating 34

Chapter 5: Legislation and standards 36

5.1 Government initiatives 37
5.1.1 The US NHTSA’s Vehicle Cybersecurity Research Program 37
5.1.2 The 2015 US SPY Car Act 39
5.1.3 The European Commission 39
5.1.4 Japan 40
5.1.5 China 41
5.2 Industry initiatives 41
5.2.1 SAE vehicle engineering and cybersecurity guidelines 42
5.2.2 Auto-ISAC 42

Chapter 6: Future directions 45

6.1 Security by design 46
6.2 Vehicle cybersecurity in layers 47
6.3 ECU consolidation 49
6.4 Increased specificity in requests for proposals from suppliers 50
6.5 Lessons from other industry sectors 51
6.6 Suggestions for the automotive industry 51

Appendix 1: High-quality automotive cybersecurity products and services 53

1 Harman 5+1 Cybersecurity Framework 53
2 Symantec Anomaly Detection for Automotive 54
3 NCC-SBD ‘V’ model: Automotive Secure Development Lifecycle (ASDL) 54
4 Argus Multi-layered Security Protocol 55
5 Security Innovation Aerolink 55
6 I AM THE CAVALRY Five Star Cybersecurity Ratings 56
7 Trillium SecureCAR 56
8 Karamba Autonomous Security 57
9 Rambus CryptoManager 58
10 Arxan Application Security 58

Table of Figures

Figure 1: Miller and Valasek remotely hacking the Jeep Cherokee 7
Figure 2: KPMG 2016 Consumer Loss Barometer Study 9
Figure 3: Consumer safety concerns while driving 10
Figure 4: A mystery device ‘relay’ attack 12
Figure 5: The main ECUs in a modern vehicle 15
Figure 6: Reduced wiring connections enabled by CAN bus 16
Figure 7: Reverse engineering the CAN bus 17
Figure 8: Trillium’s SecureCAR cybersecurity components 18
Figure 9: Software complexity in modern vehicles 19
Figure 10: Remote attack surfaces on a connected vehicle 20
Figure 11: The Zubie in-car device connected to the OBD-II port 22
Figure 12: Apple Lightning digital connector for media devices 23
Figure 13: Nissan Leaf Smartphone app for remote vehicle access 24
Figure 14: Samy Kamkar’s Rolljam device 25
Figure 15: TPMS sensors 26
Figure 16: A V2X ECU connected to ADAS ECUs 26
Figure 17: Sensor constellation on an autonomous vehicle prototype 27
Figure 18: Participants at a June 2014 Bosch ‘hackathon’ in Berlin 32
Figure 19: Automotive industry software recalls during 2015 34
Figure 20: Data privacy principles: US GAO and EC 37
Figure 21: US NHTSA budget request for vehicle safety and security research, FY 2016/17 38
Figure 22: NXP 4+1 cybersecurity framework 41
Figure 23: The Auto-ISAC task framework 43
Figure 24: US NHTSA information sensitivity levels 43
Figure 25: Automotive cybersecurity investment components 45
Figure 26: The security maturity curve 47
Figure 27: Security by domain separation 49
Figure 28: ECU consolidation via software integration 50
Figure 29: A favourable ecosystem for Tier-1 suppliers 51
Figure 30: Harman 5+1 Cybersecurity Framework 53
Figure 31: NCC-SBD Automotive Secure Development Lifecycle 55
Figure 32: Karamba Autonomous Security 57
Figure 33: Components of Arxan’s Application Security 59

Table of Tables

Table 1: Vehicle cyberattack types, motivations and attackers 11
Table 2: Common in-vehicle networking protocols 17
Table 3: Analysis of cyberattack surfaces 21
Table 4: Uber ‘bug bounty treasure map’ 33
Table 5: Auto-ISAC cybersecurity best practices overview 44
Table 6: Cybersecurity investment analysis 45
Table 7: A layered approach for securing connected vehicles 48