Car designers stress security at developers meeting

Technology News | October 21, 2016

By Christoph Hammerschmidt

Automotive

“Security has become such an important topic for automotive electronics, that it is unavoidable to discuss it publicly”, said Wolfgang Runge, chairman of the program committee and something like an elder statesman of automotive electronics in Germany. The event therefore started with a live hack demonstration – not of a car but of such a ubiquitous everyday object like a radio remote control for PCs, used to switch a projector forth and back. Security consultant Gerhard Klostermeier demonstrated how easy it is to manipulate the RF remote controller by a device that transmits malicious instructions, forcing the PC to download ransomware. “The more complex the communications between a car and its surroundings, the more attack vectors it offers”, Klostermeier said. “IT Security is an aspect that needs to be considered in any device that communicates with the outside world”, he said.

Also Lars Reger, CTO Automotive of NXP semiconductors, discussed the topic. “With vehicles being connected to the cloud or to some kind of backend IT infrastructure, attacks not only against single cars but instead against vehicle fleets are becoming possible”, Reger said. ”Everything connected to the internet can be hacked – and today everything is connected to the Internet.”

To fend off hacking attempts against vehicles, experts at the meeting – including Reger –suggest a layered security approach for the vehicle’s electronic guts. Elements are secure interfaces, a secure gateway inside the car that monitors and controls all internal communication processes, a secure network with authentication and distributed intrusion detection and security at the processing level, for instance by means of secure boot mechanisms.

Referring to numerous cases where thieves stole high end cars using replay attacks of radio-controlled keyless entry systems, Reger announced the development of key systems that make use of the ultra-wide band radio technology. This technology allows acquiring the time-of-flight of a radio signal and therefore the distance between key and car, blocking the way for replay attacks. In addition, the next generation of keyless entry systems will be equipped with MEMS sensors that detect if the key holder is moving – is the key is placed somewhere inside a house, it won’t be possible to activate it remotely.

Layered security model for cars – not only according to NXP

Also NXP competitor Infineon highlighted the security issue. At the small exhibition connected to the congress, Infineon introduced a new hardware security module that enables the development of secure data processing and communications inside the car. The company also announced a partnership with Israeli security company Argus Cyber Security Solutions. (see separate article ).

Marko Wolf, Head of Engineering at security company Escrypt GmbH. Escrypt, a subsidiary of ETAS which in turn is a subsidiary of Robert Bosch GmbH, introduced a collection of measures to establish state-of-the-art security in the car. “The protection must be effective at multiple hardware and software levels”, Wolf explained. A challenge for security developers is the fact, that in todays, and even more so, in tomorrow’s cars everything is somehow connected with each other. “The clean distinction between car domains we had a decade ago does not exist anymore”, Wolf said. A sweeping security approach therefore has to include elements that ensure authenticity, up-to-dateness and confidentiality of software and data by means of cryptography; access management through techniques like secure MMU, one-time-tokens and more; logical separation of software and data with different security classifications, and a secure boot process. In addition, security is not a task that is done as soon as the design process is finished. “Security instead is a mission for the entire life cycle of the car”, he said.

The topic of secure operation systems was discussed by Klaus Schneider from Bosch’s Automotive System Integration branch. Referring to the ongoing discussion whether open source is per se better in terms of security than proprietary systems, Schneider said “open source is not always the more secure solution – but open source is a good platform to develop such things”.