The key to end-to-end security and privacy is to design it into autonomous vehicles and their software right from the start.
Connected Car

Putting the brakes on car hacking.

For a long time, cars remained one of the last bastions of analog living. Not anymore, though. Today’s cars are four-wheeled computers with Internet access. And that makes them targets for hackers. The automotive industry has spotted the threat and is strengthening its products against cyber attacks.
Author: Yvonne Nestler
Photo: Navid Baraty

The gas pedal didn’t stop working until Andy Greenberg got on the highway. Swearing, the WIRED journalist punched the flashers as his Jeep Cherokee shed speed and other cars roared past him. He was helpless – his car had been hacked. His two tormentors, Charlie Miller and Chris Valasek, crouched over a laptop ten miles away. They had taken control of the Jeep: first, the radio blared hip-hop, then wiper fluid covered the windshield in a blurry film – and now, Greenberg could no longer accelerate. Only after he turned the ignition off and then on again did the nightmare finally end.
Even though this was an experiment and Greenberg had been forewarned, the stunt caused quite a stir worldwide in July 2015. It had, for the first time, revealed the dark side of connected cars: without adequate protection, they are vulnerable to remote hacking and hijacking. In the past, hackers would have to fob off a music CD with viruses onto motorists or stay within a few meters in order to break in over an insecure Bluetooth connection. Today, however, many cars come standard with Internet access that can act as a backdoor for cyber criminals. In 2015, that included one-third of all new cars, according to Roland Berger, a consultancy. However, few drivers realize that they’re sitting behind the wheel of a mobile data center. A modern car bristles with over 100 small computers in the form of electronic control units, or ECUs.

Motives aplenty

Various things can motivate a cyber attack. One criminal may want to steal a car without having to break open doors or windows. Another may want to hijack a car’s SIM card to surf the Internet for free. And a third may hold vehicles hostage, remotely immobilizing certain car models until the manufacturer pays a ransom. Even intelligence services have begun scoping out cars. Wikileaks, a whistleblowing platform, published a document in early March 2017 indicating that the CIA considered infecting cars and trucks in October 2014. Perhaps it was to track the locations of targets or eavesdrop on conversations in cars. “Most troubling of all is the possibility that terrorists could hack into autonomous driving systems and cause accidents that kill a targeted individual or large numbers of people,” notes PricewaterhouseCoopers (PwC), a consulting firm, in its Connected Car Study 2015. Cyber calamities like these are still just theoretical. Most car vulnerabilities have been exploited by white or grey hat hackers in the name of improving technology or building a reputation. Nevertheless, personal safety is now inextricably bound up with cyber security.

Seeing the big picture

The message isn’t lost on the automotive industry, which is already strengthening its bulwarks against cybercrime. “When industry executives think about information security, they usually focus on in-car systems as the point of vulnerability,” warns PwC. “But threats extend well beyond the dashboard interface.” They also encompass automotive cellular links as well as backend systems operated by manufacturers and third-party service providers. That’s why T-Systems is developing security solutions for the entire IT and telecommunications infrastructure for connected cars – and has started implementing solutions with major car makers.
“The key to end-to-end security and privacy is to design it into new car models, components and software right from the start,” said Thomas Fischer from T-Systems. That goes not only for OEMs, but for Tier 1 and Tier 2 suppliers, too. These efforts can harden the perimeter, but hackers who break through can still hunt for vulnerabilities once they’re in the car’s network. Hence the need to establish a second line of defense beyond the perimeter: intrusion detection systems that act as “guard dogs” and sound an alarm if an attack is launched.

Digital guard dog in the car

T-Systems has developed just such a solution: ESLOCKS (Embedded Security Locks). This digital bloodhound sits in the gateway between the vehicle buses. Here, at the heart of the car’s electrical system, it checks all messages for anomalies such as setting an airbag to deploy at full speed. Once it finds one, it takes an action that T-Systems and the car maker have defined in advance – for example, warning the driver or disabling hijacked functions. Anomalies are reported to a backend system that analyzes the data with modern machine learning algorithms. The findings are shared with the systems in all the vehicles. 
T-Systems’ second guard dog watches over cars’ cellular communications. “Additionally securing the cellular interface between vehicles and vehicle backends is an important part of any end-to-end security solution,” said Christian Olt from T-Systems. Cellular connections are ripe targets for criminals specializing in “fraud attacks:” illegally piggybacking on an automobile’s SIM card to call phone numbers not normally accessed by connected cars. These incidents are a big red flag. Cars don’t have a phone dialing pad, after all, so someone must have tampered with the system. To head off the threat, T-Systems is currently working on a fraud detection solution for vehicles.

82% der US-Amerikaner würden nur zögernd oder sogar nie bei einem Autohersteller kaufen, der gehackt wurde.
Security for blabbermouths

The security experts first identify vulnerabilities for each car maker and find ways to detect corresponding exploits. T-Systems then modifies its solution accordingly. The fraud detection system scans the vehicle’s communications data for events that qualify as “unusual” based on predefined rules. If an automobile calls an unknown phone number, for example, a notification is automatically sent to the manufacturer. The incident also appears on an online portal at the same time, giving the manufacturer’s service technician all the information he or she needs to select the right countermeasure. That could include alerting the car owner, blocking the SIM card or taking legal action, for example. The Deutsche Telekom Security team, working closely with the manufacturer and Deutsche Telekom’s Data Protection department, determines what data the automotive companies are legally allowed to use in this “fraud detection as a service” package.
Connected cars are blabbermouths. They talk to backend systems, other vehicles, smart homes, traffic infrastructure, content providers, smartphones and tablets – not to mention all the communications between ECUs inside the vehicle. This list gets longer every day, too, especially as smart charging infrastructure is built for electric vehicles. Much of this communication is critical, and so it has to be encrypted and the communicators have to be authenticated. That requires a digital identity for the car, or to be more precise, its ECUs. This identity consists of two mathematically related keys – one public and the other private. If a backend system wants to send data to a car, it uses its private key to generate a digital signature (essentially its ID) that the car can validate with the backend system’s public key. That guarantees that the data really came from a trusted source, and not from a hacker.

Quantum computers: tomorrow’s threat?

This approach gives hackers two points of attack. One: the mathematical relationship between the keys. If attackers know how the keys are related, they can generate the private key from its public counterpart. To prevent this, the automotive industry has to keep a close eye on current technology developments and try to anticipate future cyber attacks in a market that has three-to-five year development cycles and vehicle service lives of 15 to 30 years. A daunting challenge, to be sure. It will get even more daunting, though, once quantum computers arrive. These new supercomputers can crack previously impervious cryptographic schemes such as RSA and elliptical curves.
Two: forged keys. Luckily, car makers’ public key infrastructure (PKI) protects drivers from these kinds of attacks. The auto manufacturer uses its own digital identity to validate the vehicle’s public keys.

Can I trust you?

1,13 Mio. Deutsche besaßen 2016 einen Pkw mit einer fest eingebauten Internetverbindung.
An entirely new challenge arises when vehicles talk to traffic lights, railroad crossing gates and other makers of cars. To do that, the communicators have to agree on a shared, vendor-independent trust center to authenticate their digital identities so they can communicate securely. “Deutsche Telekom has had a trust center accredited by the German Federal Network Agency since 1994,” said Mark Großer from Detecon. “It’s where we operate public key infrastructures for customers such as manufacturers, government agencies and state governments.”
According to Gartner Inc., “the production of new automobiles equipped with data connectivity, either through a built-in communications module or by a tether to a mobile device, is forecast to increase to 61 million in 2020.” The automotive industry has already made IT security a top priority. Among other things, it has launched initiatives such as AUTOSAR and EVITA to develop standards for ECU software and secure electrical systems and started paying “bug bounties” for reports of security vulnerabilities.