Credit: AIT
The trend towards connected vehicles brings new threat scenarios. These range from car theft by manipulating electronic locking systems, through to complete remote control with potentially fatal consequences. New directives are putting pressure on manufacturers and suppliers to take action to enhance cybersecurity.
From July 2022, all new type-approved vehicles must consider the relevant cybersecurity risks from the initial development stage if they are to be authorised for sale in the EU or Japan, explained Willibald Krenn from the AIT Austrian Institute of Technology when speaking to APA-Science. The standardisation bodies and regulators took this step to respond to the clear rise in the number of cybersecurity threats and growing public awareness of the vulnerabilities.
More areas of vulnerability
There certainly seems to be a need to act. “Today’s vehicles have many wireless features, and when cars communicate with other road users or infrastructure such as traffic lights this connectivity will increase significantly. These are the areas of vulnerability we need to think about,” the expert says. Attacks could also happen in conventional ways using online methods: a smartphone app which can control certain vehicle functions could potentially enable a criminal to find his way into the car.
According to Willibald Krenn, hackers have already closely “looked at” on-board computers. “They found a SIM card inside, built it into a laptop, and used this telematic link to infiltrate the provider.” In India, thousands of vehicles were stolen after attackers discovered a vulnerability in the control system. This allowed them to unlock each car, start the engine and drive off. The IT expert is convinced that cybersecurity is becoming the overriding issue for the industry.
Danger to life from tampered brakes
Lives can be put in danger when vehicles are remotely controlled, or important functions disabled. “For example, researchers have discovered that in-built driver assistance systems, frequently camera-based, can be manipulated. By projecting a virtual traffic sign in the camera’s ‘field of vision’, the vehicle registers a stop sign. This is definitely a serious problem on a motorway,” explained the expert from the Center for Digital Safety & Security. Theoretically, hackers could steer the car into oncoming traffic or surprise the vehicle behind by making a sudden emergency stop.
New European safety standards oblige manufacturers to carry out verifiable checks on their vehicle systems’ cybersecurity as a condition of approval. A risk assessment must be conducted to identify and document potential threats and known problems resolved as early as the design stage. A tool called THREATGET, developed by AIT jointly with LieberLieber Software, was created for just his purpose. “This management tool is incorporated into the engineering lifecycle and helps devise a cyber-secure design,” said Willibald Krenn.
Security starts on the drawing board
When a vehicle or subsystem is designed on the drawing board, the individual components can be modelled and their security features specified. “For example, a computer is linked to the brakes, a camera, and a specific data exchange system. When the design is complete, the tool carries out a cybersecurity analysis and compares the model with known vulnerabilities and inadequate designs,” explained the expert. The system, already in use by automotive specialists msg Plaut Austria in projects with automotive suppliers, indicates potential threats and offers recommendations for possible improvements.
“The problematic areas will then have to be analysed and redesigned or the security settings tightened, for example by using encryption for data transfer, rather than a checksum. These changes can be easily switched on and off in the model, with the effect immediately evident.”, says Willibald Krenn. As soon as new vulnerabilities become known they are entered into a threat database. The database is partly filled manually by specialists, but also using artificial intelligence which extracts new information from existing sources. “This is currently the strategic thrust of our research in THREATGET,” the expert concludes. Then the next round starts: the model is analysed afresh and updated, because ultimately security always comes first.
(Translated from Original Article, Author: APA-Science / 19.04.2021, 11:28)