Authors: Kenny Sahr - Content & Digital Marketing Manager,
Uzi Mishan - Argus senior Technical Project Manager
Securing autonomous vehicles is a major task for the automotive industry. The more connectivity added to a vehicle, the larger the attack surface. Autonomous vehicles have a much larger attack surface due to the increased amount of data (and therefore connectivity) that they are constantly sending and receiving. In cybersecurity, the bigger the attack surface, the bigger the potential threat from cyber attacks.
Not only do autonomous vehicles have an enlarged attack surface, but it is also a unique attack surface that no other vehicle or IoT device possesses. This is because autonomous vehicles require a much wider interface of communication in order to provide more detailed information on the vehicle, as well as receive more environment inputs and updates. In addition, autonomous vehicles have a bigger safety risk, as more systems are controlled by software and are under less supervision by an operator/driver
Autonomous Vehicles' Attack Surface
Unlike most standard vehicles, autonomous vehicles communicate with other connected IoT platforms and components. Eventually, autonomous vehicles will communicate with traffic lights to know when to stop, slow down and go. They will eventually communicate with one another while on the road, essentially saying to one another, "I am at xyz location, driving at a speed of x kph/mph.."
The data logs of an autonomous vehicle are exponentially larger than that of regular people-driven vehicles. Autonomous vehicles are always sending that data to the OEM's VSOC (Vehicle Security Operations Center)
Law Enforcement and Autonomous Vehicles
Then there is the huge Pandora's box of law enforcement and autonomous vehicles. Will legislators allow police to commandeer autonomous vehicles for official use? And if so, by what standards - only empty vehicles, vehicles without children inside? Will the police gain access to GPS logs of stolen vehicles?
It may sound like sci-fi, but in the future, car thieves may be able to take control of autonomous vehicles and instruct them to drive to a hidden compound. Yes, they will need to disrupt the GPS and data feed to the OEM, otherwise, the car will be notifying authorities of their location in real-time.
The larger the attack surface, the larger the real-life challenges due to the possibility of cyber crime.
The Vehicle is the Achilles' Heel of the IoT Ecosystem
When a vulnerability in an operating system is discovered, updates are issued for Windows, iOS, and Android. Within hours, the percentage of updated systems begins to climb. Now imagine what it takes to update vehicle software. Today, updating a vehicles' software is a massive undertaking - akin to a recall. We can sum it up as "expensive and slow."
Furthermore, when a vulnerability patch is issued, many vehicles are driving from one place to another, often in locations without access to cell towers. These challenges are compounded when it comes to autonomous vehicles. A vulnerability patch may be critical for safety.
Put in other words, there are no international standards for updating vehicle software.
Let's add another guarantee to the challenges of security autonomous vehicles: Every attack surface that can be compromised has been compromised.
The history of cybercrime is an excellent guide for the present and future. The recent wave of ransomware crimes is a hint of the future of physical asset cybercrime. Hackers are learning
the value of attacking real-world assets as opposed to "mere computer data."
Another potential area of vulnerability for autonomous vehicles is supply chain. Readers might recall the recent SolarWinds cyber attack. In this case, hackers breached a well-used piece of software and made lateral movements to their targets. Imagine a successful attack on vehicle components. Distracting a driver would be enough to cause trouble for everyone involved - driver, passengers, and pedestrians.
Proactive Solutions to Protect Autonomous Vehicles
Protecting autonomous vehicles requires a proactive, and not reactive, approach.
The first type of solution to protect autonomous vehicles is those that deal with logic vulnerabilities. Intrusion Detection and Prevention Systems (IDPS) are designed to recognize irregular and illegitimate instructions and report them to the VSOC. Another example is Connected Endpoint Protection (CEP), which monitors permissions, escalations, etc.
The second involves vulnerabilities in the actual software, such as buffer overflows, and can be mitigated by Control Flow Integrity (CFI) solutions. CFIs verify that software code hasn't been manipulated.
Third, autonomous vehicles demand a massive backend infrastructure. A VSOC/fleet protection mechanism will be run by the OEM on a 24/7 basis and will give them full visibility into the cyber health of the fleet. Over-the-air software updates will be normalized, just as they are with mobile devices.
The autonomous vehicle is poised to become a major part of the IoT ecosystem. The challenge for OEMs and Tier 1s are to keep safety-critical autonomous vehicles secure from cyber attacks and to develop an agile standard for software updates. When updating autonomous vehicles will be as easy as updating a smartphone, you will be able to drink your morning coffee as your car takes you to work.
nIoVe approach is to collect comprehensive data related to security, such as camera feed, lidar information, in-vehicle network traffic, anomalies detected by onboard security solutions such as IDPS, and combine all of those in a smart off-board analysis platform to identify attacks in real-time and provide tools for a response.
Argus participates in the nIoVe project to define a complete end-to-end concept and architecture for protecting CAV infrastructure. Argus has developed tools that collect any available sensor data that exist in a vehicle and share this data to be processed and analyzed for any possible attack in which a proper reaction will take place according to the severity of the attack as well as the risk it may put the CAV that is actually in operation mode. The reaction may be critical especially when we are talking about an autonomous vehicle, thus the analysis should be made as fast as possible to select an immediate reaction when danger may be observed.
About Argus Cyber Security
Argus Cyber Security products and services help protect against cyber-attacks targeting vehicle components, networks, or post-production fleets. Argus is already securing 65 million vehicles across 14 production projects and 10 manufacturers. Argus helps its customers to reduce cyber security costs and complexity with reusable software and direct vehicle manufacturer engagement. Argus' years of research have led to cyber security products that are platform agnostic and easy for vehicle manufacturers to integrate.