In part 1 of the series, we talked about how smart cars are trending, and how companies are scrambling to get in on the action. But today, let’s talk about the often conveniently-omitted issue of car security. As automobiles are using the network and cloud more and more to provide online services, there’s a growing concern for the field of smart car security.
When “smart car security” is mentioned, many will first think of the Jeep Cherokee that was hacked last year. Even before the terminology of “connected and smart cars” was widespread, “telematics” was used by vehicles. Telematics is the branch of IT dealing with long-distance transmission of computerized information. In the case of the Jeep Cherokee, the telematics was hacked in order to take control of the car.
Our electronic devices like smartphones or PCs have a standardized set of protocols and a key management system so that they can safely secure their systems. This is in stark contrast to automobile companies, each of which has its own “secret protocol” for its services, and most of which lack a firewall or a way to detect trespassers in their systems. Companies may claim that they’ve analyzed their protocol in terms of access to their external network channels. Unfortunately, the reality is that unauthorized access to the internal network of vehicles is still a possibility. If your vehicle’s speed and direction can be controlled – that’s a major problem.
Inside Car Security
Let’s explore a bit inside the vehicle. Within the vehicle there are several ECUs (Electronic control units). The ECUs will communicate with each other and hence the vehicle is able to fulfill a variety of functions. The ECU network is basically a miniature version of a corporate network. Within the corporation there are servers set to handle important tasks and then there are some individual computers that hold less significant roles as well. Within the servers, there are those that will handle external communication and then servers that have no access to the external system, only internal. So in order to manage and protect the multiple methods and devices that are required for communication, corporations long ago set up firewalls as a security measure.
In computer security, between the external and internal firewall, a DMZ (demilitarized zone, or sometimes referred to as a perimeter network) is set up. This allows for a zone/sub-network that adds an extra layer of security.
Now, this is also necessary within an automobile’s network for car security. Any units responsible for communicating with both external systems and the internal network’s ECUs should be placed within the DMZ so that they have that extra layer of protection. If this had been the case, incidents like the Jeep Cherokee hack could have been avoided. Even if the external channel had been hacked and the external firewall had been incapacitated, the internal firewall would still have provided an extra layer of protection.
Up to the Application Layer
But it’s not enough to simply put a firewall within the internal system. A firewall that operates at the network level grants access based on the client-side or server-side port. Policies are not as easy to create at that level, so it is becoming easier for hackers to find loopholes to get around them. Because of this, companies like Argus Cyber Security, Symantec, and Penta Security have developed technology to analyze up to the application layer in order to detect possible intrusions and attacks.
These companies take an extra step. They don’t simply stop at deciding which ports to allow and which to block. They go further into analyzing the influx of traffic to see whether an attacker is trying to get into the automobile’s system or not. Through systems like IDS/IPS and even a WAF (Web Application Firewall), companies agree that these extra security measures are necessary.
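The difference between the two levels of filtering, as an added example that is not from the original article or from any of the vendors named: a gateway sitting between the DMZ and the internal ECUs first checks a message against an allowlist (the in-vehicle counterpart of a port rule), then inspects its content. The message layout, the ids and the limits are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical in-vehicle message seen by a gateway between the DMZ and the internal ECUs. */
typedef struct { uint16_t id; uint8_t len; uint8_t data[8]; } msg_t;

enum verdict { ALLOW, DROP_ID, DROP_LEN, DROP_RANGE };

/* One policy row: an id that may cross, plus what a valid payload looks like. */
typedef struct { uint16_t id; uint8_t len; uint8_t max_b0; } rule_t;

/* Constructed policy; ids and limits are illustrative, not from any real vehicle. */
static const rule_t POLICY[] = {
    { 0x3A0, 2, 100 }, /* cabin temperature setpoint: 2 bytes, data[0] in 0..100 */
    { 0x3B1, 1, 1 },   /* door lock request: 1 byte, 0 or 1 */
};

static const rule_t *find_rule(uint16_t id) {
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (POLICY[i].id == id) return &POLICY[i];
    return NULL;
}

/* Network-level filter: decides on the id alone, like a port rule. */
enum verdict filter_network(const msg_t *m) {
    return find_rule(m->id) ? ALLOW : DROP_ID;
}

/* Application-level filter: same allowlist, then inspects the content. */
enum verdict filter_application(const msg_t *m) {
    const rule_t *r = find_rule(m->id);
    if (!r) return DROP_ID;
    if (m->len != r->len) return DROP_LEN;
    if (m->data[0] > r->max_b0) return DROP_RANGE;
    return ALLOW;
}

int main(void) {
    /* Constructed traffic: valid, unknown id, out-of-range value, wrong length. */
    const msg_t traffic[] = {
        { 0x3A0, 2, { 22, 0 } }, { 0x100, 1, { 1 } },
        { 0x3A0, 2, { 250, 0 } }, { 0x3B1, 8, { 1 } },
    };
    for (size_t i = 0; i < sizeof traffic / sizeof traffic[0]; i++)
        printf("id=0x%03X network=%d application=%d\n", (unsigned)traffic[i].id,
               filter_network(&traffic[i]), filter_application(&traffic[i]));
    return 0;
}
```

The last two constructed messages carry allowlisted ids, so the network-level filter passes them; only the content check rejects them.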
If the evolution of connected cars continues as it has, then the different connections within the system will also change. And this will give further opportunities for hackers to find a crack within the system. Hence, overseas as well as domestically here in Korea, a V2X (Vehicle-to-Anything) testbed is underway. It uses V2V (Vehicle-to-Vehicle) and V2I (Vehicle-to-Infrastructure) communications to work through different scenarios and, with elliptic curve cryptography (the next generation of public key cryptography), to look for methods to protect any V2V and V2I communication.
The conclusion is this: to protect cars from the threat of hackers and attacks, priority needs to be placed on installing a firewall. This will protect the internal network of the car, especially the application level of the network. The firewall needs to have the ability to detect and analyze the attacks.
Preparing for a New Era of Security
This idea not only applies to car security but to the wider scope of IT security. Simply applying one or two security measures to a device or a server does not mean that everything is secure. Far from it. IT is always changing and adapting to fit the needs of the current era, so automobile technology and automobile security will continue to become increasingly complicated.
Therefore, it’s extremely crucial that we prepare a car security system all the way from preparation to installation to keep smart vehicles safe on the road.
This blog post was adapted from an article written by Dr. Sang Gyoo Sim at Penta Security’s IoT Convergence Lab regarding the security issues in smart cars. Find the original article in Korean here.