Vehicles today come with an array of convenience and safety features driven by software. This means that the cybersecurity of these vehicles must now also be taken seriously. The threat of cyber-attacks has been a growing concern in connected vehicle technology, but there are measures that can be taken to protect a vehicle from malicious actors.
This article explores how cryptography and cybersecurity can help protect a connected car from potential attacks. We will also look at some common techniques used for protecting data in a connected car such as authentication, encryption, digital signatures, and access control mechanisms. Additionally, we'll explore which regulatory authorities have imposed certain standards for the automotive sector related to their cybersecurity protocols.
Cybersecurity challenges for vehicle manufacturers
Automotive manufacturers face a unique set of cybersecurity challenges due to the increasing connectivity of their products. With cars becoming more connected, they receive information from a range of sources including weather data, security updates, and the velocity of other traffic. This data must be secured at every point in its journey from the manufacturing floor to the road.
Manufacturers must ensure that all components are secure and that any vulnerabilities are patched quickly. They must also protect against malicious actors who may attempt to gain access to systems or manipulate data for their own gain. Additionally, manufacturers must ensure that customer data is kept safe and secure while still allowing customers to access their vehicles remotely. To do this, manufacturers need to implement strong authentication protocols and encryption technologies. Finally, they must stay up-to-date on emerging cybersecurity threats and develop strategies for responding quickly when an attack occurs.
Automotive security holes
The automotive industry is facing a major security crisis. With the rise of smart cars and connected car apps, manufacturers have failed to address cybersecurity risks. This has resulted in numerous recalls and safety hazards due to the lack of built-in security standards, regulations, and software updates. As a case in point, Nissan had to remove its application for the Leaf electric car after it was revealed as vulnerable to being hacked. Likewise, Fiat Chrysler Automobiles recalled approximately 1.4 million vehicles as a result of hackers having the ability to access cars electronically and manage brakes and acceleration functions via a security flaw in the software.
These issues are not only concerning but also dangerous; they put drivers at risk of being hacked while on the road. It is essential that automakers take steps to address these security holes as soon as possible in order to ensure the safety of drivers everywhere. This includes implementing better encryption protocols, establishing new regulations and laws, and providing regular software updates that fix any existing security issues.
Automotive cyber attack methods
Direct physical attacks are one of the most common methods used to gain access to a vehicle's systems. This could be while the car is being repaired at a shop or it has been broken into. In these cases, an attacker can use tools such as screwdrivers and soldering irons to gain access to the car's ECU and other components. Once they have gained access, they can then manipulate the system in order to take control of the car or its systems.
Another method that attackers use is exploiting vulnerabilities in the software that runs on the ECU. By finding and exploiting these vulnerabilities, attackers can gain access to sensitive data stored on the ECU or even take control of certain features of the car. Attackers may also be able to install malicious code onto the ECU, allowing them to control certain aspects of the car or its systems remotely. It is important for automakers and owners alike to be aware of these potential cyber attack methods and take steps to protect their vehicles from them.
Automotive cybersecurity and privacy regulations
The automotive industry is rapidly evolving, and with this evolution comes the need for new regulations to protect itself from cyber threats. The US Department of Transportation (USDOT) has developed the Automated Vehicles Comprehensive Plan to ensure that all connected vehicles are secure from malicious attacks. This plan outlines a number of measures that must be taken by automakers and other stakeholders in order to protect the safety and security of drivers, passengers, and pedestrians.
The Automated Vehicles Comprehensive Plan includes requirements for vehicle authentication, encryption, data protection, and secure communications protocols. It also requires manufacturers to develop systems that can detect and respond to cyber threats in real time. Additionally, it calls for regular testing of these systems to ensure they remain effective against potential attacks. By following these regulations, automakers can help ensure that their vehicles are secure from malicious actors who may try to gain access or control over them.
Compliance is a critical factor for businesses, as it can help them avoid hefty fines and potential lawsuits. In the automotive industry, this is especially true due to the increasing prevalence of cyber security and privacy regulations. The U.S. federal government has proposed several standards in recent years, such as the SPY Car Act of 2017 (S.2182) and the SELF DRIVE Act (H.R. 3388). The SPY Car Act requires automakers to get express consent from vehicle owners or lessees before collecting any personal driving information, while also mandating that they adhere to NIST's cybersecurity framework in order to protect critical infrastructure from threats. These regulations are essential for ensuring that consumers remain safe and their data remains secure when using connected vehicles.
Communication technologies used for connected vehicles
Connected vehicles are equipped with a variety of sensors and communication systems that allow them to interact with other vehicles, infrastructure, and the environment around them. This connectivity brings with it a number of benefits, such as improved safety, convenience, and efficiency; but it also provides new opportunities for malicious actors. To protect connected vehicles from cyber-attacks, automakers must use a variety of technologies, such as encryption, authentication protocols, and secure communication protocols.
Networked electronic control units (ECUs)
Networked electronic control units are a vital component of modern cars. They are responsible for controlling and monitoring the various systems within the vehicle, such as the engine, brakes, and transmission. ECUs can also be used to exchange data with other connected vehicles in order to prevent collisions. This is done by sending out signals that contain information about the car's speed and direction. The receiving vehicle then uses this data to adjust its own speed and direction accordingly.
However, the use of networked ECUs also presents a major security risk. Hackers can gain access to the vehicle’s systems and take control of them, potentially leading to dangerous situations. To prevent this from happening, automakers must ensure that their vehicles are equipped with strong cybersecurity measures.
Vehicle-to-Infrastructure (V2I) communication
V2I communication enables vehicles to communicate with the surrounding environment and provides vehicles with access to vital global or local data, such as traffic flow or road conditions, to assist with navigation to their destinations. V2I technology typically uses a wireless connection from a significant range to collect data remotely. The security of V2I is paramount for its success and reliability. This ensures that the data gathered by V2I is accurate and reliable, allowing drivers to trust the information they receive from their vehicles. Additionally, secure V2I also helps protect drivers’ privacy by preventing malicious actors from accessing sensitive data stored on their vehicles.
Vehicle-to-Vehicle (V2V) communication
V2V communication is a type of wireless technology that allows vehicles to communicate with each other. It occurs when two or more vehicles are in close range and can establish an ad-hoc network. Through this network, they can share information such as speed, position, and direction, which is necessary for autonomous driving. V2V networks are open networks, meaning that anyone can join them. This makes it important to have encryption and data protection in place so that drivers don’t accidentally share malicious software code.
Vehicle-to-Device (V2D) communication
Vehicle-to-Device communication is a technology that enables unsecured mobile devices to connect with connected cars for remote monitoring and access. It provides drivers with a convenient way to monitor and access their vehicles remotely, using certificate-based mutual authentication through their smartphones. However, it has also increased the risk of cyberattacks on connected vehicles, as the vehicles are now connected to the internet, making them vulnerable to malicious actors gaining access to electronic systems and data. To protect against such cyberattacks, automakers have implemented various cybersecurity and cryptography measures.
Building security into connected vehicles
For optimal connected vehicle security, it is essential to incorporate appropriate solutions and authenticate communication by identifying who is interacting with the car and preventing communication from unauthorized sources. Additionally, automotive cyber security should cover secure data storage, secure data transmission, and secure authentication protocols for all connected vehicles. By implementing these measures, automakers can ensure that their vehicles are safe from malicious attacks and other forms of cybercrime. It's essential for automakers to stay up-to-date on the latest security trends in order to keep their vehicles safe from potential threats.
PKI, digital certificates, and key management
Public Key Infrastructure (PKI) is a key management and digital certificate service that provides secure communication and authentication for businesses. PKI enables organizations to securely exchange data over the internet, authenticate users, and protect sensitive information. It uses cryptography and digital certificates to verify the identity of users and encrypt data as it travels between two points. PKI also ensures that only authorized individuals can access confidential information, thus providing an extra layer of security.
In addition to PKI, there are other key management services available that provide similar benefits. These include certificate authorities (CAs), which issue digital certificates; key escrow services, which store encryption keys; and hardware security modules (HSMs), which are used to securely store cryptographic keys. All of these services help businesses protect their data from unauthorized access and ensure that only authorized personnel have access to sensitive information. Furthermore, with the emergence of connected vehicles, companies can make use of advanced key lifecycle management for over-the-air rotation in order to further secure their vehicles and enable revenue-generating practices such as tracking vehicle rentals or facilitating remote purchase upgrades.
Private PKI for vehicle cybersecurity
When it comes to vehicle cybersecurity, the use of private PKI is essential. This type of certificate is different from the public/private key pairs used for SSL/TLS certificates, which are typically used for websites. Private PKI certificates are purpose-built for IoT vendors and are used in both private and shared ecosystems across multiple vendors. These certificates help to validate software for secure boots and updates, ensuring that only authorized code is running on a vehicle’s systems.
Private PKI also helps to ensure that vehicles remain secure even when they are connected to other networks or devices. By using these certificates, manufacturers can be sure that their vehicles will remain safe from malicious actors who may try to access them remotely or through other means. Furthermore, private PKI can help protect against data breaches by preventing unauthorized access to sensitive information stored on a vehicle’s systems. Ultimately, private PKI provides an extra layer of security that helps keep vehicles safe from cyber threats.
Facilitating secure firmware updates
Over-the-air (OTA) firmware updates and secure boot are essential for connected vehicles to remain secure and up-to-date. OTA updates provide a convenient way of delivering operational and security software and firmware updates without the need for a physical connection to the vehicle. Secure boot is an important factor when it comes to facilitating firmware updates as it ensures that only authorized code can be executed on the device, preventing malicious code from being installed or running on the device. This helps protect against malicious attacks and unauthorized access to the vehicle’s systems. By combining OTA updates with secure boot, manufacturers can ensure their vehicles remain safe and up-to-date while also realizing cost savings.
Code signing
Code signing is a process that involves digitally signing software code with a cryptographic signature. This signature verifies the authenticity of the code and ensures that it has not been tampered with or modified by malicious actors. Code signing helps to ensure that only authorized software is running on a vehicle, reducing the risk of malicious code being installed on the system. In conjunction with other security measures such as encryption, authentication, and access control, code signing can be used to provide an additional layer of protection for connected vehicles. By verifying the integrity of the code before it is installed on a vehicle, manufacturers can reduce the risk of malicious actors gaining access to sensitive data or control systems. The use of code signing is becoming increasingly important for vehicle manufacturers as they strive to protect their connected vehicles from cyberattacks.
In summary
Modern cars contain more complex and interconnected systems than ever before. This means that the need for secure cryptography and cybersecurity is a must to protect anyone who owns one. It's important to understand the principles behind these technologies, such as encryption, code signing, and authentication, so that you can be sure your vehicle is protected against any cyber threats.
Cryptomathic has a wealth of experience in securing data and devices for more than three decades and supports the automotive sector through its range of best-in-class cryptographic solutions.
Get in touch with our experts to hear how we can help with protecting your data.