Following recent conversations with our customers, we have learned that both Hardware Security Modules [HSMs] and Trusted Execution Environments [TEEs] are hot topics in automotive cybersecurity.
HSMs, and other similar hardware key-stores such as SHE, SHE+ and EVITA, have served as a reliable security component in automotive architectures for many years. They have provided countless connected devices with robust key management and cryptographic functionality, and protected assets against the threat of cyberattacks. However, with statistics showing that the number of cyberattacks committed in 2022 rose by 38% compared with 2021, the sophistication and ubiquity of attacks are growing exponentially.
As the threat that attacks pose continues to rise, automakers must ensure that a) the very best security is present within their connected vehicles, and b) drivers can rest assured that both their personal data and safety have not been compromised. And while HSMs have long served the automotive industry, the security needs of original equipment manufacturers [OEMs] now go well beyond the capabilities a HSM can offer.
On top of this, it can be extremely complex for OEMs to simultaneously manage multiple HSMs from different suppliers, and to customize the logic of how each HSM works for their specific purposes.
Trusted Execution Environments [TEEs] present the perfect solution to automakers looking to strengthen the security architecture of their connected vehicles. Having grown considerably over the course of the last decade, TEEs provide an environment for executing code, within which those executing the code can have high levels of trust in the surrounding environment, seeing that it can ignore threats from the rest of the device. As such, TEEs stand as the best-in-class hardware backed security technology for connected vehicles in today’s ever-changing security landscape.
Despite this, we recognize that many OEMs have grown accustomed to the use of HSMs, and don’t want to stop using them. This is because they excel at their primary function of key storage and are well understood and mature technology. As such, they remain a popular source of security among OEMs.
However, rather than automakers giving up their use of HSMs, the Trustonic TEE can be interworked with them to provide OEMs with enhanced security and an even greater level of control.
Why use TEEs?
TEEs can be used in place of an HSM. In an Android mobile device, for example, the role of key management is entirely handled by a Trusted Application [TA] within the TEE, implementing KeyMint functionality and an Android-specific REE stack. With other Operating Systems [OS], as might be found in a vehicle’s Electronic Control Unit [ECU], a TA providing key-management capabilities may offer a different API better suited to vehicle applications, such as PKCS#11.
TEEs have the ability to go much further. As a TEE can execute arbitrary code, complex applications can be hosted in the TEE, providing security services a HSM could not hope to offer.
Moreover, TEEs on a correctly designed System-on-a-Chip [SoC] can securely interface to peripherals, whereas HSMs can’t. This allows for the creation of secure sensors and actuators managed by the TEE, which can be used to bolster the security of critical tasks significantly.
Bringing HSMs and TEEs together
This is not to suggest that HSMs don’t provide considerable benefits to vehicle security, but rather that TEEs have the capacity to complement HSMs when the two are brought together. It stands to reason that connected devices will face more malware than their non-connected counterparts, and many of the risks posed are beyond the capabilities of HSMs. This is because malware is capable of bypassing HSM security by appearing legitimate, enabling attackers to gain access and steal code or other sensitive assets.
By treating the HSM as a secure peripheral only accessible via TEE, OEMs can ensure that malware and the bad actors behind it cannot abuse access; effectively acting as a bouncer at the door. The TEE forms a protective ring around the HSM, strengthening the overall security architecture of the device, thereby greatly minimizing the risk of a successful attack.
As a TEE can analyze software clients communicating with it, taking into account their authorization and approvals, connected vehicles operating with HSMs can benefit from an additional layer of security. This brings its capabilities up to speed with the ever-evolving risk of cyberattacks. As such, the interworking of the TEE enables OEMs to gain much-needed flexibility without having to sacrifice the use of an HSM, which holds much value as a source of key storage.
Another key benefit that the integration of TEEs can bring is the ability to securely update a vehicle’s security software. Conventional HSMs can only be updated via an authorized service center, or on a production line because they must be connected to specific management and update tools. TEEs are unfettered by these restraints, giving OEMs the freedom to remotely update software over the air [SOTA]. This may avoid the requirement to recall vehicles for issues purely related to software. For example, deploying a new cryptographic algorithm into the TEE. This avoids the inconvenience for the customer, and allows OEMs to make significant cost savings.
Not only this, but with the cybersecurity regulations that automakers are expected to meet evolving all the time, the presence of the TEE can empower OEMs to ensure that they remain compliant. By providing SOTA updates to vehicles, a TEE can help manufacturers to update their security and continue to meet regulations that require them to guarantee the level of protection remains strong throughout the vehicle’s entire lifecycle.
The solution
At Trustonic, we understand that it can be difficult to let go of processes and technologies that have historically proven highly dependable for OEMs. As such, encouraging automakers to completely abandon the use of HSMs in favor of TEEs may be a tall order. That is why our recommendation is for OEMs to embrace the benefits of both by implementing a combined TEE hosted virtual HSM solution.
By taking such an approach to the security architecture of their connected vehicles, OEMs can ensure that the highest possible level of protection is in place, and that this is maintained over time. In shifting from a physical to a virtual HSM solution via the TEE, automakers can not only receive a broad range of benefits at launch, but also extend security updates throughout the lifecycle of the vehicle.
This delivers the double benefit of providing a better user experience by removing the need to recall vehicles, while allowing OEMs to make significant cost savings through the implementation of SOTA updates. Furthermore, these updates enable automakers to ensure compliance with the latest cybersecurity regulations, which can be complex and difficult to adhere to when controlling multiple HSMs.
To prepare for the next generation of vehicle architecture, OEMs must consider what they stand to gain by adopting the best-of-both-worlds approach that a combined HSM-TEE solution offers.
