Every car needs cybersecurity – even if it doesn’t drive itself
A classic car may be considered technologically basic in so far as it ran on petrol and had little need for electricity, save for headlights and indicators. At the opposite end of the scale, we have cars like Tesla. Really more computer than car, this is the epitome of a smart car with − to an extent − the ability to drive itself.
However, the majority of us are driving something in between. How smart are these cars? An often quoted figure is that the ‘modern car’ has 100 (or 200 or 300) computers in it. Really? How can that be true? Take something like a side window. In a classic car, there may be a mechanism to raise and lower the glass using a crank and a handle. As early as the 1940s, electric windows were an option, but they have become increasingly common place. Essentially, these comprise of a motor on the window, an electricity supply, and a switch to connect the two. Or at least that is how it used to be.
Wire is heavy
As cars began to include electric gadgets, more and more cabling was required to control them – but cables are heavy (=fuel) and assembling complex wiring looms takes time (=money). Automakers, with renowned mechanical prowess, started to become the butt of jokes about dodgy wiring (and yes I once owned, and loved, an Alfa Romeo). Computers are not sexy – but they enable the automakers to focus on the mechanics.
Today a modern, (but still relatively low-tech) car doesn’t have separate wiring for each window motor going to each window switch. Instead, the window motors and window switch are all basic computers (microprocessors) on a computer network. When you push the window button, a message is sent across the network and the corresponding window motor leaps into action. This, and countless similar scenarios, is why the modern car has hundreds of (albeit very tiny) computers, but still needs a human brain to make it go.
This evolution is a good thing – it makes our cars lighter, simpler (in terms of wiring) and easier to build and maintain. Yes, a new window switch may cost a ridiculous amount of money – but they always did, and the computer inside it adds only a few cents. A Boeing 787 jet has about 6.5 million lines of code, while a standard connected car has about 100 million, according to a USWITCH study on Data Security in connected vehicles. At CES 2021, Bosch highlighted that their autonomous systems are getting closer to 500 million.
The evolution is not complete though – or at least I hope it isn’t.
One of the downsides to this approach, is that many components that used to have their own wiring, now share a common network. Automakers try and limit the risk this poses by having several separate networks within the car − one for the functional safety parts, one for the entertainment system etc. – but in practice separation is difficult to achieve. The ‘secure’ networks are all too easy for an attacker to access – either physically (pop out a parking sensor or remove a wing mirror) or wirelessly as more components have radio interfaces that can be compromised. Separate networks also mean separate physical wires – and wires mean money.
In the broader IT industry, the concept of ‘perimeter-less networks’ and ‘zero trust’ have been taking hold over recent decades. Proponents argue that securing a network with a firewall is never enough and that instead you should distrust the network implicitly and require that every message on it is authenticated. Those arguments make sense for vehicles and would mitigate the risks introduced by shared network cabling.
Other technical innovations can help too. Now that components are smart(er) and have their own mini-computers, there is no reason that they cannot attest their identity – proving to the recipient of the data they produce that they are indeed genuine components and that the message sent is legitimate. Consider a simple attack involving physical access to the network to fake the pressing of a window switch to give a thief access to a vehicle. Today the dice are loaded in favour of the attacker. Authenticated messages, however, would make this virtually impossible.
Earlier generations of MCUs did not support this sort of application as they had neither verifiable identities nor the processing power to sign or encrypt messages. Automakers saw them as replacements for dumb switches so did not focus on these aspects (and of course attackers did not have the same access to portable compute power that they have today). However, this is beginning to change. Modern MCUs, such as those based on the ARM M23/M33 architecture, support TrustZone™, allowing a small security kernel to run alongside the main ‘application’. Manufacturing processes now include things like device unique keys and attestation tokens, enabling cars to recognize legitimate parts, rather than fake ones, and to individually identify components so that an attacker cannot swap out or fake the window switch to gain entry. Industry bodies are also creating standards to ensure these technologies are sufficient and are applied appropriately.
Much like the internet itself, the first generation of car networks did not focus on security, but that is beginning to change, and the approach of smart(er) components on a shared network can offer the possibility of far more security than physical wires. And, the relatively low cost of adaptation means that more significant innovations – such as higher levels of autonomy – can be applied to a secure base.