Automotive Security Areas and Attack Surfaces
Vehicles are among the most complex technical products in everyday life. This complexity keeps increasing as vehicles take on more functionality. For instance, new cars add safety features such as a Lane Assistant or Adaptive Cruise Control, and infotainment features such as navigation and road information. Much of this functionality is realized in software, since software is tremendously flexible: it can be programmed, altered, erased, etc.
The flexibility of software is both boon and bane. Limiting who can change the functionality of a piece of software is hard. It is hard for IT systems like office computers, gaming consoles, and smartphones, and now the same applies to vehicles. Cyber security aims to provide methods and mechanisms to prevent unauthorized manipulation of computer systems.
Recently, the cyber security of vehicles has received much attention in academia, industry, and public media alike. This new vulnerability to cyber attacks is a direct consequence of the automotive industry's paradigm change toward functionality realized in software.
When talking about automotive security, we can distinguish several broad attack surfaces:
Security of communications:
- Interface to the internet, connection to backend services, e.g., in the cloud
- Connections to other vehicles and traffic infrastructure (Vehicle-to-Vehicle, Vehicle-to-Infrastructure)
- Intra-vehicular communication including the control networks (e.g., CAN bus)
Security of computations:
- Infotainment system
- Driver assistance system: sensor data processing and storage
- Electronic Control Units (ECU)
Each of these attack surfaces requires different countermeasures. Ideally, a single security concept spans all of them. A security architecture defines methods and mechanisms that can be applied to a concrete assemblage of components, and it helps developers define a coherent line of defense against attacks. In automotive security, a particular challenge is to engage with the complex functionality of the vehicle, which is not limited to software but also includes mechanics, chemistry, and physics.