From Black Box to White-box, a Broad Proposal for Security in the Connected Car

There has been a lot of excitement around the “connected car.” As the use of digital electronics in cars grows, there are numerous opportunities that arise when combined with Internet connectivity. However, as we noted in a blog post earlier, this excitement is tempered with increasing concern about the security implications of this trend.

Of course, concerns about software security within the car don’t have to wait until many cars are connected to the Internet. As noted by the IEEE (Institute of Electrical and Electronics Engineers), the US government body NHTSA (National Highway Traffic Safety Agency) is moving towards mandating the installation of EDRs (event data recorders, also known as “black boxes”) in automobiles manufactured after September 1st, 2014, apparently without requiring mechanisms to protect the sensitive data contained within these devices (see article). To help keep this data safe, the IEEE suggests that a standard the organization created in 2010, IEEE P1616a, should be adopted as well.

At Cryptanium, we applaud the IEEE’s efforts in creating this standard and lobbying for its adoption. While we hope that the appropriate authorities move quickly to address the IEEE’s call, we would like to call attention to a 2010 proposal to the IEEE made by our partners at Intertrust, which would greatly broaden the reach of security and privacy protection for automobiles.

First, a bit of explanation: EDRs collect data from a car’s electronic systems and store it in the cloud via a network connection. The data can include a car’s speed, braking behavior, air bag deployment status, etc. This data can be used for a number of things, but obviously one of the more common use cases is reconstructing what happened when a car is involved in an accident.

Typically, information from the EDR can be accessed through a vehicle interface port called the OBDII port. At this point, there is no mandated mechanism for securing access to the EDR data through the OBDII port. To alleviate this situation, the IEEE is proposing the adoption of the IEEE P1616a standard which, according to the IEEE, sets “specifications to protect the (OBDII port) connector against unauthorized access.” According to the IEEE P1616a web site, this is done via a “connector lockout apparatus.” An example of what this could mean in an actual product is the AUTOcyb Cyber Lock being marketed by an engineer heading up the IEEE P1616a working group. From the website, the Cyber Lock is essentially a physical key-based lock which is attached to the OBDII port. When the owner of the car installs the Cyber Lock and locks it, only parties who have that key can gain access to the EDR and any information sent over the network the EDR is running on.

If the Cyber Lock is a typical example of an IEEE P1616a-compliant device, it is an important and necessary first step for automotive cybersecurity. However, the electronics of modern cars are increasingly capable of being accessed through a number of interfaces beyond the OBDII port. These include Bluetooth, Wi-Fi, wireless modems and mobile phones connected to the automobile. These interfaces enable access to the automotive networks from the Internet and other external networks, increasing the number of available attack points beyond the OBDII port.

Given the broad security implications of the modern connected car, Intertrust’s proposal to the IEEE recommends the establishment of an all-encompassing automotive “trust management and security framework.” At this point, Intertrust is not specifying the exact technologies to be used in this framework, but the white paper notes that “The networked vehicle community is essentially in a place similar to IT systems 20 years ago as they first connected to the Web.” We now have over 20 years of experience in security technology and architecture work that can be leveraged for use in the connected car.

As a company with long and deep experience in securing data and user privacy in connected consumer electronics and mobile products, Intertrust believes a key step is to create an ecosystem that identifies all stakeholders involved in the connected car, including automotive microprocessors and other components, networked services, the manufacturers and providers of these, the vehicle driver, repair personnel, etc.

Once this ecosystem develops, we can take steps to protect privacy and ensure security within the ecosystem. Intertrust recommends steps such as the establishment of a chief security architect and an IT security organization within automobile and automobile-related manufacturers. These would be responsible for the security processes, testing and other procedures needed to implement the necessary security frameworks and the proper test and updating methodologies. For more details, we highly recommend reading the whitepaper. Suffice it to say, we’re excited that the IEEE continues to engage both the automobile industry and regulators in the important field of automotive cyber security, and we look forward to working with them to come up with full-fledged, broad and standards-based solutions in this area.