Today’s automobile is a smart device that has more than 100 microprocessors, 50 electronic control units, and 100 million lines of software code.
That is 50 times more lines of code than the F-22 Raptor, one of the most high-tech military aircraft now in use.
Automobiles are also connected mobile devices: Bluetooth links the car with cell phones, and some have built-in cellular communication and Wi-Fi capabilities. This connectivity enables remote start and other features and will increase with the addition of smart infrastructure in which the road, signals and other components communicate with the vehicle and wider adoption of self-driving vehicles.
This technology and connectively also makes cars targets for hackers who potentially could compromise a vehicle’s control and safety systems. Features such as automatic braking and remote start would take on a very different character if they were under the control of a remote adversary.
While there never has been a confirmed malicious attack of an automobile, whitehat hackers have proven automobiles are vulnerable to cyberattacks. On top of that, the same researchers know it is not if, but when hackers will exploit cyber vulnerabilities to remotely access connected vehicles.
This reality has made cybersecurity a major concern for the auto industry as well as the government, including the Department of Homeland Security (DHS) Science and Technology Directorate’s (S&T) Cyber Security Division’s (CSD) Cyber Physical Systems Security (CPSSEC) project.
Key CPSSEC program focuses include working collaboratively with automakers and leading researchers to increase vehicle cybersecurity, funding research projects to enhance auto cybersecurity, and helping prepare the federal government’s fleet of automobiles for a coming important deadline.
“The leaps we have made in automobile technology require solutions that ensure the cybersecurity and safety of this indispensable part of our lives,” said Dr. Daniel Massey, S&T’s CPSSEC program manager. “Our objective is to identify key cybersecurity challenges and find solutions that will reduce the risk of cyberattacks.”
Among its work is a joint research project with New York University (NYU), the University of Michigan Transportation Research Institute (UMTRI) and Southwest Research Institute (SwRI) to secure vehicle software updates. Like computers and cell phones, vehicle software requires updates to correct errors in safety-critical systems or remove vulnerabilities that could allow hackers to remotely affect vehicle systems.
The ability to update vehicle software is essential to safety and security, but it also could be a key attack vector for adversaries.
If attackers can gain access to the software update system, they can insert malicious code. Attackers have exploited flaws in the software update processes for traditional information technology systems (e.g., applications, operating systems) and cell phones to insert malware. This CPSSEC project works to ensure these flaws are not repeated in vehicle software updates.
The NYU, UMTRI, and SwRI teams have created a voluntary group that includes more than 40 leading automotive-related companies — from original equipment manufacturers and tier 1 suppliers to startup companies — with relevant vehicle technology. The team is making rapid progress on a design document and reference implementation that will help ensure vehicle software update systems are safe and secure.
Separately, an HRL Laboratories-led team is using a novel side-channels approach to improve vehicle cybersecurity both during updates and normal operations. Without modifying the vehicle, the observation “side channels” potentially can identify malicious behavior. For example, activity by the vehicle generates noise and heat. While attackers may modify code in a vehicle, they cannot prevent physical actions from generating noise or heat as a result of the code modification. If we understand the normal patterns of side channels, we potentially could identify and neutralize a hack.
DHS S&T also is working to secure the federal government’s large fleet of vehicles from cyber threats.
Telematics systems, required in government vehicles by March 2017, track location, performance, and other behaviors and can improve management of the government’s vehicle fleet by reducing fuel costs, lowering carbon emissions, and identifying maintenance issues.
However, if telematics are not secure, an adversary could exploit these same benefits. For example, we do not want an adversary to know the location of every government vehicle, so the race is on to ensure the government’s fleet is not cyber vulnerable.