Car security at IAA: No need to reinvent the wheel

September 17, 2015 // By Christoph Hammerschmidt
The recent spectacular hacks in the USA apparently startled the automotive industry – or at least some service providers and suppliers. In any case, security was a topic at the IAA. More than ever before, the s-word was present in many discussions and presentations. Here are a couple of examples.

“All hacks that recently went through the press were performed on telematics system that were not state of the art in terms of intrusion protection”, said Lars Reger, CTO of chipmaker NXP. He added that all the technology necessary to make a car secure is available in the commercial IT. “Carmakers do not need to reinvent the wheel”, he said. Besides using data encryption and authentication within the in-car networks, he recommended to establish a central gateway in the cars, located like border control station between the infotainment domain and the rest of the vehicle with all of its safety-critical functional units. “Such a gateway should subdivide the vehicle according to security classes. With reference to NXP’s existing product range in the security market he also said that after the planned merger with Freescale the latter would play “an absolutely important role” for the company’s related offerings.

Telecommunications provider Alcatel-Lucent participated at the IAA for the first time, a move that highlights the significance of secure data links for the connected car. “The recent hacking successes show that in automotive environments there is a lack of security-related base technologies”, said Jochen Apel, CTO of Alcatel Lucent in Central Europe. ”To make the connected car a success at the markets, secure data links between vehicle and backend servers are indispensible”. Apel pointed out that today’s cars typically are connected to the external world (including cloud and internet-based services) through a smartphone. The OEM however has no means to control this link and make it any more secure. For this reason, the OEMs keep to run the interconnection under their own control.

Like Reger, Apel said that the technology necessary to lock aout any unauthorised trespasser is available; in the commercial IT it is already well established. “The best practices in common use across the industry hitherto have not been applied to the car”, Apel said. “This includes automated software updates.”

In a car, every interface to the outside world is a potential entry point for hackers, he explained. For the sake of security, carmakers should scrutinise the respective potential of sa security threat for each interface. “Of all RF interfaces, Bluetooth is the least secure”, Apel judged. The reason: The authorisation mechanism is rather simple and does not support complex passwords. Nevertheless, Bluetooth is widely used to connect the user’s smartphone to the infotainment system. As an approach that tackles the security problem at its roots, Apel suggested to equip all cars with a dedicated connectivity interface. “The connection to the outside world should not be routed through the smartphone but instead through a dedicated car-integrated data link”, Apel said. This approach would give the OEMs the control over their entire services and data streams.

As a further measure to detect unauthorised access and intrusion attempts, Apel suggested to apply deep packet inspection. This would enable the OEMs and their data experts to detect unusual access patterns and thus prevent many malicious activities against the car. “This is not about controlling contents, for instance in social networks”, Apel said. “It is about detecting unusual data connections. For instance, if the sun roof controller tries to access the software for the brake system, all alarm bells should go off”.

Infotainment supplier Harman counters the problem at the product level. At the IAA, the company introduced a new layered security architecture for the connected car. The scalable framework bears the name 5+1 because the approach tackles the topic on five layers plus in one additional aspect, ensuring security in the data communication inside the vehicle as well as between the vehicle and the exterior world. “Connectivity, system security and occupant safety are going hand in hand”, explained Alon Atsmon, Harman Vice President for Technology Strategy. “Therefore, it is important to keep a vehicle’s electronic systems as secure as possible. Our multi-pronged approach and security model does take this aspect into account – and it is turning the OEM’s existing approach for the connected car upside down.”