Automotive cybersecurity: defending the trust boundary

  • Nov. 15, 2016
  • Jules Breuer

Many new vehicles nowadays are connected cars. That means they are connected via a wireless internet connection to the cloud, through which manufacturers can supply various data and services. Now that more and more vehicles are being equipped with such a service connection, it unavoidably draws the attention of hackers. These hackers could use such service connections to gather personal information about the vehicle’s owner, or even gain control of the vehicle’s functions.

An earlier BRACE blog already brought this topic up.

As it turns out, this is not a hypothetical situation; hackers can actually do this. A while ago, a video emerged on the internet that shows hackers successfully gaining remote control of a Jeep Cherokee. Jeep’s parent company FCA has had to respond with an extensive recall and a software update. At BRACE Automotive, we are studying solutions that OEMs could use to protect cars and their owners from hacking attacks. In this blog article, we will investigate how hackers are able to gain control of vehicles like the Jeep Cherokee, and we will show a method that could be used to prevent such hacks.

To explain how the hackers gained access to the inner workings of a connected car, first we have to explain such a vehicle’s network architecture. Unfortunately (or fortunately, if you’re a hacker) the Jeep Cherokee’s network architecture is typical for modern connected cars. Under the hood of the car, all of the powertrain and chassis components (e.g. power steering, engine, brakes) are connected as ‘nodes’ in a Controller Area Network (CAN) called the CAN bus. On this CAN bus, each of the nodes can broadcast any data to all other nodes, so that every node receives all data transmitted on the bus.

In the car’s interior domain, the infotainment system has a wireless internet connection to the cloud, just like a smartphone has. However, the infotainment system also needs some information about what’s going on under the hood, such as the vehicle speed and current fuel economy. For that reason, the infotainment system also has its own node on the car’s CAN bus that it uses to receive this data.

There are two assumptions that underlie the security of this system, which are usually called ‘trust boundaries’. The ‘inner’ trust boundary is that all CAN nodes are assumed to be well-behaved. That means that they should not abuse their rights to transmit data on the CAN bus, and they should not interpret any data that’s not intended for them. The ‘outer’ trust boundary is that the connection to the cloud is assumed to be well-behaved. That means that any information that the car receives through its wireless internet connection should originate from a trusted source (i.e. the OEM). When these trust boundaries are broken, the security and safety of the system fail.

In the Jeep Cherokee, the hackers indeed broke both of these trust boundaries. Firstly, they were able to wirelessly connect to the car, effectively by pretending to be the OEM, breaking the outer trust boundary. How they achieved this is beyond the scope of this blog article, but the result was that they now had full access to the car’s interior domain system, including potentially personal information stored within the infotainment system, such as location history or phone details. The hackers had shown that the security of the vehicle could be breached. But they went further than that.

Their second step was to exploit a weakness in the design of the infotainment system. This weakness allowed the hackers to change the behaviour of the infotainment system’s CAN node such that they could make it transmit and interpret data on the CAN bus, thereby breaking the inner trust boundary. Once the hackers had taken control of this node on the CAN bus, they were able to use it to control many of the powertrain and chassis components. Had the hackers wanted to, they could have caused very unsafe situations. Clearly, connected cars have the potential to be very vulnerable to hacking attempts.

FCA’s recall and updates have repaired some weaknesses in the infotainment system that made this specific method of hacking possible. However, that doesn’t mean that connected cars are now unhackable. What can OEMs do to make connected cars safer and more secure? In the case of the Jeep Cherokee, we could see that the security of the system was breached when the outer trust boundary was broken, and that the safety of the system came under threat when the inner trust boundary was broken. To prevent these situations, OEMs should focus on defending those trust boundaries.

To do that, they must create two ‘walls’ within the system. To protect the outer trust boundary, OEMs must secure all external connections (e.g. the cloud, shop tools, mobile phones) to the interior domain systems (e.g. the infotainment system) using a ‘security wall’. This security wall should ensure that hackers can’t gain access to the interior domain systems, while allowing communications from trusted sources. In a later blog article, we will demonstrate a method that could enable the security wall to make the distinction between trusted and untrusted: digital signatures.

To protect the inner trust boundary and the system’s safety, OEMs must separate the powertrain and chassis systems from the interior domain systems using a ‘safety wall’. This safety wall should ensure that, if the security wall is breached and the interior domain systems are compromised, the powertrain and chassis systems continue to function safely. The easiest way to achieve this would be to simply disconnect the infotainment system from the CAN bus. However, some information will still need to be shared across the safety wall. A better way would be to place a ‘gateway’ node between the infotainment system and the CAN bus. Such a gateway could allow specific data to be shared across the safety wall, while blocking all unexpected data.

However, just placing a gateway between the infotainment system and the CAN bus may not be enough. A hacker could potentially use any exposed system as an entry point, not necessarily just the infotainment system. Therefore, the safety wall should defend the inner trust boundary on all CAN nodes, and in both directions. That means the safety wall should protect each CAN node from outside attacks, as well as defending its component against attacks from within the CAN bus itself. One way to achieve that could be to make CAN nodes ‘suspicious’ of each other.

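To make the gateway idea concrete, here is an added toy example (not code from the original article or from BRACE) of a default-deny gateway policy between the infotainment node and the powertrain bus: only the telemetry the infotainment system needs (speed, fuel economy) is forwarded, only in the powertrain-to-infotainment direction, and only with the expected length and rate. The CAN IDs, lengths and intervals are assumptions invented for the example.

```python
"""Toy CAN gateway policy sitting on the 'safety wall' between the
infotainment CAN node and the powertrain/chassis bus.
Constructed example: the CAN IDs, lengths and rate limits are invented."""
from dataclasses import dataclass
from enum import Enum


class Side(Enum):
    POWERTRAIN = "powertrain"      # engine, brakes, steering side of the wall
    INFOTAINMENT = "infotainment"  # interior domain, internet-exposed side


@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit arbitration identifier
    data: bytes   # 0..8 payload bytes (classic CAN)
    src: Side     # which side of the gateway the frame arrived from


# Allowlist: (source side, CAN id) -> (expected DLC, min interval in ms).
# Only the data the infotainment legitimately needs crosses the wall, and
# only from the powertrain side. Nothing is listed for the infotainment
# side, so a compromised infotainment node cannot inject frames onto the
# powertrain bus: every unlisted (side, id) pair is dropped.
ALLOW = {
    (Side.POWERTRAIN, 0x1A0): (2, 10),   # vehicle speed, 2 bytes, <= 100 Hz
    (Side.POWERTRAIN, 0x1B0): (4, 100),  # fuel economy, 4 bytes, <= 10 Hz
}


class Gateway:
    def __init__(self):
        self._last_ms = {}  # (side, id) -> time of the last forwarded frame

    def filter(self, frame: CanFrame, now_ms: int) -> tuple:
        """Return (forward?, reason). Default deny: unlisted ids, wrong
        lengths and frames arriving faster than expected are all dropped."""
        key = (frame.src, frame.can_id)
        rule = ALLOW.get(key)
        if rule is None:
            return False, f"id 0x{frame.can_id:03X} not allowed from {frame.src.value}"
        dlc, min_interval = rule
        if len(frame.data) != dlc:
            return False, f"id 0x{frame.can_id:03X}: length {len(frame.data)} != {dlc}"
        last = self._last_ms.get(key)
        if last is not None and now_ms - last < min_interval:
            return False, f"id 0x{frame.can_id:03X}: rate limit exceeded"
        self._last_ms[key] = now_ms
        return True, "forwarded"
```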
Ideally, a protocol layered on top of the CAN protocol could ensure that a transmitting node uniquely identifies itself, and only the intended recipient node can interpret the data. Such a protocol would effectively force all CAN nodes to be well-behaved, thereby defending the trust boundary from within. There are many more ways in which hackers could gain access to connected cars, and we don’t claim that connected cars can ever be 100% safe and secure. Thanks to the efforts put in by OEMs, as well as upcoming standards for cybersecurity, the automotive industry is certainly taking steps toward that goal. At BRACE Automotive, we are trying to do our part too.
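As an added illustration of such a layered protocol (again not code from the article or from BRACE), the toy below gives each sender/receiver pair a shared key and appends a counter plus a truncated HMAC to every frame, so the receiver can check which node sent it and reject replays; a node without the pair key cannot verify the frame. The node ids, key sizes and 4+1+3 byte frame layout are assumptions, and the MAC gives authenticity, not confidentiality, so other nodes can still read the payload bytes.

```python
"""Toy authenticated CAN layer (constructed example).
Frame layout inside the 8-byte classic CAN payload: data(4) | counter(1) | tag(3).
Each (sender, receiver) pair shares a key; the receiver checks the tag and
a monotonic counter. The 1-byte counter wraps at 255, which a real design
would handle with a wider, synchronised counter."""
import hashlib
import hmac
import struct

TAG_LEN = 3  # bytes of MAC kept in the frame (toy size)


class AuthNode:
    def __init__(self, node_id: int, pair_keys: dict):
        self.node_id = node_id
        self.keys = pair_keys   # peer node id -> shared secret key
        self.tx_counter = {}    # peer -> last counter sent
        self.rx_counter = {}    # peer -> last counter accepted

    def _tag(self, key, sender, receiver, can_id, counter, payload):
        # Bind the tag to both endpoints and the CAN id, not just the data.
        msg = struct.pack(">BBHB", sender, receiver, can_id, counter) + payload
        return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def send(self, receiver: int, can_id: int, payload: bytes) -> bytes:
        """Build an authenticated 8-byte frame addressed to `receiver`."""
        assert len(payload) == 8 - 1 - TAG_LEN
        counter = (self.tx_counter.get(receiver, -1) + 1) & 0xFF
        self.tx_counter[receiver] = counter
        tag = self._tag(self.keys[receiver], self.node_id, receiver,
                        can_id, counter, payload)
        return payload + bytes([counter]) + tag

    def receive(self, sender: int, can_id: int, frame: bytes):
        """Return the payload if the frame authenticates, else None."""
        key = self.keys.get(sender)
        if key is None or len(frame) != 8:
            return None             # not a peer we share a key with
        payload, counter, tag = frame[:4], frame[4], frame[5:]
        expected = self._tag(key, sender, self.node_id, can_id, counter, payload)
        if not hmac.compare_digest(tag, expected):
            return None             # forged, spoofed sender, or corrupted
        if counter <= self.rx_counter.get(sender, -1):
            return None             # replayed frame
        self.rx_counter[sender] = counter
        return payload
```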