
Automotive security and safety

By Nathan Willis
January 27, 2016

SCALE

The security of the software that runs in vehicles is a hot-button issue at the moment. At SCALE 14x, automotive-software engineer Alison Chaiken provided an insider look at the issue, including how software-development issues interact with regulatory agencies—and not always for the better.

Chaiken started off by explaining that she has been working on automotive software for the past several years (most recently at Mentor Graphics), but that the security landscape for automotive is so fast-changing that it is almost all she can do to keep up with the news. That is because the regulators (at the state and federal level) are busy trying to catch up with the security problems that the car manufacturers have wrought—while also making an effort to get ahead of the problem for autonomous vehicles.

Up until now, those regulators have had a decidedly mixed impact on automotive-software security. Chaiken cited the US National Highway Traffic Safety Administration (NHTSA) requirement that in-vehicle infotainment (IVI) head units show a rear-camera view, complete with lane overlays, two seconds after boot. This is a remarkably difficult metric to meet, and was rather arbitrary. Had the rule been three seconds instead of two, automotive-software makers could have saved countless hours and costs that could have been spent on safety and security issues instead.

The bad news

Automotive security has three main problem areas, she said: bad legacy designs, an unclear privacy situation, and the chilling effects of "digital rights management" (DRM). The insecure software found in many older cars is rife with security vulnerabilities, but it is a mistake to think that the industry's shift toward Linux is an automatic fix. In 2015, Charlie Miller and Chris Valasek found "five-ish" exploits in Jeep Cherokees. The most appalling was that anyone with a Sprint phone could get in range of a cell tower, scan for IP addresses in the range used by Jeep, and find D-Bus listening for connections on port 6667.

[Alison Chaiken at SCALE 14x]

To make matters worse, Jeep did not build in an over-the-air update system, so the only way these vehicles could be patched is by downloading a new firmware image onto a USB stick and plugging it into the car. Hopefully into one's own car, although Chaiken noted that the company web site asked users for no authentication or even an assertion of ownership before allowing them to download a firmware image. The images on the site, she said, were virtually identical to the ones reverse engineered by Miller and Valasek, and the cars do not perform authentication, either. Nevertheless, at least open-source projects like GENIVI and Automotive Grade Linux allow people to participate and allow the security-conscious to read the source code; the same cannot be said of most legacy OSes running in cars, such as QNX.
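As an added example (not code from the talk, from Jeep, or from any project the article mentions), the check an updater should perform before accepting an image from a USB stick: the vendor signs a manifest binding the image digest to a version number, the car verifies that manifest with a public key it already holds, confirms the image on the stick hashes to the signed digest, and refuses anything not newer than what is installed. It is written in Go with only the standard library; the Ed25519 choice, the manifest layout, the function names and the stand-in image bytes are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Reasons the updater refuses an image; it flashes nothing on any of them.
var (
	ErrBadSignature   = errors.New("firmware: manifest signature does not verify")
	ErrDigestMismatch = errors.New("firmware: image digest does not match the manifest")
	ErrRollback       = errors.New("firmware: image is not newer than the installed version")
)

// Manifest ships next to the image. The vendor signs Version||Digest, so an
// attacker can neither swap the image nor relabel an old image with a new version.
type Manifest struct {
	Version uint32
	Digest  [32]byte
	Sig     []byte
}

// GenerateVendorKey models the vendor's signing key (hypothetical; in practice the
// private half stays at the vendor and only the public half is burned into the car).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tbs is the exact byte string the vendor signs and the car verifies.
func tbs(version uint32, digest [32]byte) []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], version)
	copy(b[4:], digest[:])
	return b
}

// SignImage runs at the vendor when an image is released.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, tbs(version, d))}
}

// VerifyImage runs in the car before anything from the USB stick is flashed.
func VerifyImage(vendorPub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	// 1. Authenticate the manifest first, so unsigned data never steers the later checks.
	if !ed25519.Verify(vendorPub, tbs(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	// 2. Bind the image on the stick to the digest the vendor actually signed.
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	// 3. Refuse downgrades: a genuine but older image still carries a valid signature.
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	image := []byte("constructed stand-in for a firmware image, version 2")
	m := SignImage(priv, 2, image)
	fmt.Println("genuine v2 onto v1:   ", VerifyImage(pub, 1, m, image))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:       ", VerifyImage(pub, 1, m, tampered))
	fmt.Println("v2 onto v3 (rollback):", VerifyImage(pub, 3, m, image))
}
```

The order of the checks matters: the signature is verified before the version field is trusted, so a manifest with a forged version number is rejected as unsigned rather than as a rollback, and the digest comparison covers the whole image so a partially replaced file fails as well.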

"On the other hand, Linus [Torvalds] can't solve everything," she said, particularly where privacy is concerned. Many automotive systems seem to be designed with a "one user per device" model in mind that was copied over wholesale from mobile phones, but surely does not apply. What happens when you pair your phone with a rental car, she asked, or leave your car overnight with a mechanic? No one would leave their smartphone or laptop overnight with a repair shop, but automotive computer systems are poised to collect just as much personal information as either of those devices. Chaiken has asked carmakers how they plan to reset or blank out the personal data they collect, and received vacant stares in reply.

The security and privacy concerns are important enough in their own right, but they get more complex when government regulators get involved. She cited two examples. First, NHTSA rules in 2012 required telematics "black boxes" to record 14 specific vehicle data streams that could be used to help determine the cause of an accident. But the regulation failed to state that the data could only be used for accident service, and drivers found themselves being monitored around the clock and denied warranty coverage if a sensor reading suggested that they had, for example, exceeded a "safe" engine speed. The Electronic Frontier Foundation (EFF) filed a complaint, although it has yet to succeed at having the rules amended or replaced.

The second example is the still-ongoing exploration of driver drowsiness detection. It would certainly save lives if cars would trigger alarms when a drowsy driver nodded off, but making such a feature possible likely requires capturing a constant video stream—which has serious privacy risks.

It is easy to dismiss such privacy concerns now, Chaiken said, but that is only because of the old adage that "the best way to avoid being attacked is to be poor and boring." And right now, there are few real-world car exploits being seen because cars do not yet store payment information. Thieves have always stolen radios out of cars; once those dash units also include personal information and credit card numbers, she said, you can expect the thieves to be right behind. She noted that Visa recently announced a "connected car" initiative, and urged developers to resist the temptation to store payment data in vehicles.

The good news

Despite all the doom and gloom, Chaiken also shared what she regards as promising news on several fronts. The first is that NHTSA is preparing its rules on vehicle-to-vehicle (V2V) networking, and is using public-key encryption (PKE) to secure it. PKE will make it drastically harder for an attacker to spoof an emergency vehicle, but it has beneficial side effects, too. For example, the scheme uses short-lived keys, which protects against replays, but also makes it hard to track a single vehicle over a long period of time.
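To make the two properties in that paragraph concrete, here is an added example (not code from the talk, from NHTSA, or from any real V2V stack, and it does not reproduce the actual IEEE 1609.2 certificate format) of a simplified pseudonym scheme in Go with only the standard library. An authority issues each vehicle short-lived, unrelated signing keys; a broadcast carries the current pseudonym certificate, a timestamp, the payload and a signature; the receiver checks that the certificate is genuine and unexpired, that the message signature verifies, that the timestamp is fresh, and that the same message has not already been accepted. The key lifetime, the `MaxSkew` window, the type and function names and the timestamps used are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Rejection reasons; a receiver drops the broadcast on any of them.
var (
	ErrBadCert     = errors.New("v2v: pseudonym cert not signed by the authority")
	ErrCertExpired = errors.New("v2v: pseudonym cert has expired")
	ErrBadMsgSig   = errors.New("v2v: message signature does not verify")
	ErrStale       = errors.New("v2v: message timestamp outside the freshness window")
	ErrReplay      = errors.New("v2v: message already accepted once")
)

const MaxSkew int64 = 30 // tolerated clock drift (seconds); also bounds the replay memory

// PseudonymCert is a throwaway public key with an expiry, signed by the
// authority. Simplified model, not the real IEEE 1609.2 certificate format.
type PseudonymCert struct {
	PubKey  ed25519.PublicKey
	Expires int64  // unix seconds
	Sig     []byte // authority signature over Expires||PubKey
}

func certTBS(c *PseudonymCert) []byte {
	b := make([]byte, 8, 8+len(c.PubKey))
	binary.BigEndian.PutUint64(b, uint64(c.Expires))
	return append(b, c.PubKey...)
}

// NewKey generates an Ed25519 key pair, for the authority or for a pseudonym.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssuePseudonym hands a vehicle a fresh key valid for lifetime seconds. Every
// call uses an unrelated key, so consecutive pseudonyms cannot be linked.
func IssuePseudonym(authority ed25519.PrivateKey, now, lifetime int64) (PseudonymCert, ed25519.PrivateKey) {
	pub, priv := NewKey()
	c := PseudonymCert{PubKey: pub, Expires: now + lifetime}
	c.Sig = ed25519.Sign(authority, certTBS(&c))
	return c, priv
}

// Message is one broadcast, signed over Time||Payload under the pseudonym key.
type Message struct {
	Cert    PseudonymCert
	Time    int64
	Payload string
	Sig     []byte
}

func msgTBS(m *Message) []byte {
	b := make([]byte, 8, 8+len(m.Payload))
	binary.BigEndian.PutUint64(b, uint64(m.Time))
	return append(b, m.Payload...)
}

func Sign(priv ed25519.PrivateKey, c PseudonymCert, now int64, payload string) Message {
	m := Message{Cert: c, Time: now, Payload: payload}
	m.Sig = ed25519.Sign(priv, msgTBS(&m))
	return m
}

// Receiver is the verifying side in a neighbouring vehicle; Seen holds signatures
// accepted inside the freshness window (entries older than MaxSkew can be pruned).
type Receiver struct {
	Authority ed25519.PublicKey
	Seen      map[string]bool
}

// Accept checks cert authenticity, expiry, message signature, freshness and replay, in that order.
func (r *Receiver) Accept(now int64, m Message) error {
	if !ed25519.Verify(r.Authority, certTBS(&m.Cert), m.Cert.Sig) {
		return ErrBadCert
	}
	if now > m.Cert.Expires {
		return ErrCertExpired
	}
	if !ed25519.Verify(m.Cert.PubKey, msgTBS(&m), m.Sig) {
		return ErrBadMsgSig
	}
	if d := now - m.Time; d > MaxSkew || d < -MaxSkew {
		return ErrStale
	}
	if r.Seen[string(m.Sig)] {
		return ErrReplay
	}
	r.Seen[string(m.Sig)] = true
	return nil
}
```

Usage: create the authority with `NewKey()`, give a receiver the authority's public key and an empty `Seen` map, issue a vehicle a pseudonym with `IssuePseudonym(caPriv, now, 300)`, and feed `Sign(...)` output to `Accept(now, msg)`. A message replayed a second time returns `ErrReplay`, a message signed with the pseudonym after its lifetime returns `ErrCertExpired`, and two calls to `IssuePseudonym` for the same vehicle produce public keys an observer cannot relate to each other, which is the tracking-resistance side effect the paragraph describes.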

Another welcome change is the increased use of virtualization. Future car systems will not boot directly into Linux or QNX, but into a hypervisor. That will enable better separation of functionality, making it harder, for instance, for an attacker to get to the engine-control unit via the IVI unit. And automakers have already begun implementing watchdog timers to reboot stalled virtual machines, which will also make attacks more difficult.

There has also been a shift away from outdated network buses like Controller Area Network (CAN) to more robust alternatives like Ethernet Audio Video Bridging (AVB). And although Chaiken did not go into depth on the problems of DRM in the "bad news" section of the talk (referring the audience, instead, to Cory Doctorow's thorough keynote on the topic), she cited the automotive exemption to the Digital Millennium Copyright Act's DRM provision as an important win by the EFF.

Finally, she said, it is important to remember that big carmakers are no longer the sole creators of vehicles. There are several new start-ups, most notably OSVehicle (OSV) and Local Motors, that are working on making a home-made, "white box" car. OSV, she said, wants to be the Gateway Computer of the automotive market. Whoever succeeds at that task, consumers will win.

In closing, Chaiken cautioned that the push to make cars more high tech can all too easily make them less safe. The regulations are still being written—even today, the California Department of Transportation is debating autonomous vehicle regulations. "If we keep getting rules about boot speed instead of about security," she said, "then we're not heading for a good place." Nevertheless, there is now a lot of open-source code involved in the process, so the security lessons understood by the Linux community all apply to this new problem space.

Index entries for this article
Security: Automotive
Conference: Southern California Linux Expo/2016



Automotive security and safety

Posted Jan 29, 2016 14:18 UTC (Fri) by xav (guest, #18536) [Link]

> No one would leave their smartphone or laptop overnight with a repair shop
Think again. I know plenty of people doing precisely this, because they don't (want to) know anything about computers or phones.

Automotive security and safety

Posted Feb 1, 2016 22:22 UTC (Mon) by mb (subscriber, #50428) [Link]

>To make matters worse, Jeep did not build in an over-the-air update system

I don't think this makes things worse. Quite the opposite.

Automotive security and safety

Posted Feb 3, 2016 21:49 UTC (Wed) by robbe (guest, #16131) [Link] (16 responses)

> the US National Highway Traffic Safety Administration (NHTSA) requirement that
> in-vehicle infotainment (IVI) head units show a rear-camera view, complete with lane
> overlays, two seconds after boot.

This requirement was mentioned before in these parts. Is it just the poster-boy for silly technocratism, or is there a coherent story behind it?

Automotive security and safety

Posted Feb 3, 2016 22:21 UTC (Wed) by pizza (subscriber, #46) [Link] (15 responses)

Just speaking anecdotally, the first thing I do after starting my car is to put it in reverse, usually within a couple of seconds.

Automotive security and safety

Posted Feb 4, 2016 12:36 UTC (Thu) by Wol (subscriber, #4433) [Link] (14 responses)

In Europe, I thought "infotainment" was banned, at least in the sense that an information screen was not allowed to show entertainment. afaik video is banned in the front seats (obviously not carcams, as that's "driver assist" technology).

oh - and I don't immediately go into reverse - I normally reverse-park on my drive, and most business car-parks I visit ban forward parking.

Cheers,
Wol

Automotive security and safety

Posted Feb 4, 2016 21:55 UTC (Thu) by Pc5Y9sbv (guest, #41328) [Link] (13 responses)

There is a new US federal requirement for reverse cameras in all new vehicles to address what is seen as a rash of children being backed over by large SUVs, pickup trucks, etc. For this regulation to be effective, it does make sense that the reverse camera needs to begin functioning very soon after starting the vehicle. At least that seems logically consistent, even if one questions the original requirement.

And to Wol's comment, in many places in the US, "tail-in" parking is banned either by law or by property owners. Thus, reversing immediately after starting a vehicle is a much more common occurrence. I suggest we not debate here the possible causes for this difference in regulations, but instead recognize that there is a use case motivating certain real-time guarantees for vehicle information systems.

Automotive security and safety

Posted Feb 5, 2016 9:46 UTC (Fri) by jezuch (subscriber, #52988) [Link] (8 responses)

> to address what is seen as a rash of children being backed over by large SUVs, pickup trucks, etc.

The obvious solution to ban large SUVs (also on the grounds that they are horribly inefficient) didn't occur to them, obviously ;)

Automotive security and safety

Posted Feb 5, 2016 23:20 UTC (Fri) by zlynx (guest, #2285) [Link] (7 responses)

Even on a small sedan or mini-Cooper small children and pets are still invisible behind the rear bumper because they can be very short. And the camera has a 180° view from the back so that you can see cars coming from the sides when backing out from between two larger vehicles.

So you can see that a backup camera is very useful.

An aside:

I wish people would stop trying to ban things. If everyone got to ban everything else that annoyed them, no one would ever do anything. Or what would actually happen is no one at all would take laws seriously and everything anyone wanted to do would still get done but in the most corrupt manner possible. I can just see all the banned SUVs still driving around, as official "police vehicles", for a small donation to the local police chief or sheriff. And efficiency is already handled by market forces, because efficiency is cheaper.

Automotive security and safety

Posted Feb 6, 2016 6:18 UTC (Sat) by spaetz (guest, #32870) [Link] (1 responses)

> And efficiency is already handled by market forces, because efficiency is cheaper.

Ahh no, if that were the case there would only be a handful of car models around. And Porsche et al could immediately close down. Sorry, just not the case.

Automotive security and safety

Posted Feb 6, 2016 6:53 UTC (Sat) by zlynx (guest, #2285) [Link]

It IS the case. Efficiency is not the only driver there is. For a Porsche the buyer wants fun and is willing to pay for it. Why is this a problem? Must everyone always be focused on the good of all society, grim and joyless, toiling away in solidarity with his fellow man?

Nearly all entertainment is a waste of energy and resources. So we should come home from our 12 hour work shifts, eat our tasteless beans and lentils under the light of a single 10W LED, huddled around our one tiny gas heater for warmth, for the sake of efficiency. . .

No, there has to be room for fun, convenience.

Notice that car makers could barely GIVE electric vehicles away until Tesla made them fun. All of the ones I noticed before that were efficiency driven golf carts and less fun to drive than a 4 cylinder Geo Metro.

Automotive security and safety

Posted Feb 8, 2016 12:11 UTC (Mon) by jezuch (subscriber, #52988) [Link] (4 responses)

> And efficiency is already handled by market forces, because efficiency is cheaper.

It depends. If the source material (e.g. fuel) is cheap enough, it will be more expensive to modify your processes/products to use less of it than you/users would gain from the price difference. That's why we needed the oil crisis to turn our attention to fuel efficiency. (And then the prices went back down and the lesson was mostly forgotten.)

Also it's more "efficient" (cheaper) to dump your toxic waste into the nearby river (or air, in case of cars), so companies (or their products) always did that instead of treating the waste. How do market forces fix *that*?

Automotive security and safety

Posted Feb 8, 2016 15:31 UTC (Mon) by nybble41 (subscriber, #55106) [Link] (3 responses)

> > And efficiency is already handled by market forces, because efficiency is cheaper.
> It depends. If the source material (e.g. fuel) is cheap enough, it will be more expensive to modify your processes/products to use less of it than you/users would gain from the price difference.

In that case efficiency is best served by preserving your current processes/products. A narrow focus on fuel efficiency would be a false economy, resulting in more waste overall. Economic calculation is concerned with the optimal use of *all* our resources, including but not limited to natural resources.

> Also it's more "efficient" (cheaper) to dump your toxic waste into the nearby river (or air, in case of cars), so companies (or their products) always did that instead of treating the waste. How do market forces fix *that*?

If dumping waste into the rivers/air causes harm to others and/or their property, that is a tort. Market forces include paying compensation when your actions infringe on others' property rights. If your actions show a deliberate or reckless disregard for others' property rights you also open yourself up to entirely justifiable reciprocal damage to your own property (typically formalized through fines).

Automotive security and safety

Posted Feb 8, 2016 16:30 UTC (Mon) by raven667 (subscriber, #5198) [Link] (2 responses)

This is getting pretty far off-topic, maybe this kind of discussion should be better had elsewhere?

> If dumping waste into the rivers/air causes harm to others and/or their property, that is a tort. Market forces include paying compensation ...

We can test the effectiveness of this approach because we have actual experience with it, in many countries and many time periods, which shows that like command economies, it doesn't work in practice. This approach to environmentalism puts most of the cost on the victims, and it's not as if given a choice the polluters will choose to most strongly affect the wealthy who could cause the most trouble for them, they pollute in out of the way places with little economic activity so the people they most strongly affect don't have the resources to put up a spirited defense, they may even be beholden to the polluter for the most basic necessities of life.

We can also see that when damages via tort are awarded they are much much lower than the full cost of the actual damage done, or the profits gained from doing the damage in the first place, because the courts are loath to bankrupt companies due to all the other effects this causes (layoffs, inability to pay due to lack of income, etc.). In addition, money can't buy everything, you can't un-ring a bell no matter how much money you throw at it, you can't re-grow an old-growth forest overnight or replace an extinct species or whatever, even trying to repair environmental damage often costs far far far more than the industry doing the polluting can bear, they often write environmental checks that bounce.

I understand the symmetry and simplicity of a theory that you could find balance using property ownership and money, like you balance a budget, that you could find some natural equilibrium if you just let things play out, but in the real world that's not how it works, without a pretty strong opposing force the polluting party will use their money and influence to make sure that the system is never in equilibrium but tilted in every possible way to their favor, so an appeal to "market forces" in practice is an appeal for the strong to crush the weak and to take away any tool that the weak can use to band together to challenge the power of the strong.

Automotive security and safety

Posted Feb 8, 2016 19:32 UTC (Mon) by nybble41 (subscriber, #55106) [Link] (1 responses)

> We can also see that when damages via tort are awarded they are much much lower than the full cost of the actual damage done, or the profits gained from doing the damage in the first place, because the courts are loath to bankrupt companies...

So either make the courts do their jobs properly, and/or get out of the way and let the victims organize their own (proportional) response which actually will compensate them for the full damage done. What you are complaining about, in essence, is that the government is protecting the polluters, refusing to hold them accountable when there is demonstrable harm from their actions; and your solution is that the same government should turn around and punish both polluters and innocent third-parties with over-broad regulations not justified by any actual evidence of harm. Just fix the original problem; don't add to it!

Automotive security and safety

Posted Feb 8, 2016 21:28 UTC (Mon) by raven667 (subscriber, #5198) [Link]

> let the victims organize their own (proportional) response which actually will compensate them for the full damage done

In a democratic society, the government _is_ a group of people self-organizing to compensate and hold accountable the individual members and groups that those members create, like corporations, for the harm they do to other members, so saying both that government should "get out of the way" and that people should organize to hold polluters accountable and responsible for the problems they cause are fundamentally contradictory statements. "The Government" wasn't created by aliens from Mars and imposed upon us, it is what we created, or failed to create due to lack of attention, and it works as well or as poorly as we allow it to, but any structure which provides the services you describe is a government.

Automotive security and safety

Posted Feb 11, 2016 12:13 UTC (Thu) by robbe (guest, #16131) [Link] (3 responses)

Thanks to you and pizza for the perspective on why the immediate back-view would be useful. I’m not clear why a lane overview is strictly necessary to prevent most accidents, though.

My naive engineering solutions would be to boot the IVI system once the car is unlocked – if you are going from opening the door to turning wheels in less than five seconds you are probably missing a lot in the diligence department…

Automotive security and safety

Posted Feb 12, 2016 13:16 UTC (Fri) by pizza (subscriber, #46) [Link] (2 responses)

>My naive engineering solutions would be to boot the IVI system once the car is unlocked – if you are going from opening the door to turning wheels in less than five seconds you are probably missing a lot in the diligence department…

Or even more naive -- boot the IVI system as soon as the battery is hooked up, and leave it in a low-power/suspended state when the ignition is off. Either way that would mean disabling the fancy animated boot splash/logo that seems to be the norm on modern IVI systems.

As far as lane overviews are concerned, it's more to do with denoting the car's actual width, especially as those reverse cameras are so wide-angle that they tend to distort perspective.

Automotive security and safety

Posted Feb 23, 2016 15:47 UTC (Tue) by steffen780 (guest, #68142) [Link] (1 responses)

Or how about making the restriction sensible? For safety it is entirely irrelevant how long after boot the camera comes on. For safety it matters that the camera is on BEFORE the car accelerates beyond a speed of 0. So simply don't activate the gas pedal until the camera has been on for, say, 3 seconds. That way any delays are an issue of an irrelevant delay of a few seconds and not dead kids under your car...

Automotive security and safety

Posted Feb 23, 2016 19:52 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

A brilliant idea, sure. A camera craps out (a loose cable or something) and the car is undriveable.


Copyright © 2016, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
