Automotive cyber-security: striving for better solutions

by donpedro


Author: Fabrice Poulard, Automotive Business Group, Renesas Electronics Europe

Real risks, real threats
You might ask yourself what cyber-security has to do with cars. Think again. The two most emblematic examples to illustrate the need for in-vehicle security are real-life use cases known by many: engine tuning and odometer fraud.
It is not so difficult to boost an engine with more horsepower. What do carmakers think about this? Beyond the revenue losses they may suffer (because the customer thinks “why buy the 200HP model if I can tune the cheaper 150HP model?”), they can also face costs for engine repairs or replacements because the engine was badly managed by a modified engine management system (EMS), and usually they are not able to prove that.
Carmakers may not care so much about odometer fraud, but would you not care when buying a second-hand car? How can you make sure this lovely affordable station wagon really has 60,000 km on the clock and not twice that? In fact, you cannot. However, you may experience the difference… and finally blame the carmaker for poor quality. Would they care about this then?
What is security all about in a car? It is certainly about protecting its commercial value as a whole, not only from the carmakers’ perspective, but also for car owners and to a certain extent for system suppliers. Carmakers have an interest in protecting features from being used when they are not paid for, while ensuring that no additional warranty or maintenance costs due to illegal usage will reduce their profits even further. System suppliers have an interest in offering added-value protection systems, and they also have an interest in protecting their intellectual property. Owners feel more comfortable when they know their car is securely locked and protected when parked, and when their private data are kept confidential. Future owners would be happy to have a guarantee on used cars without having to pay for it.
Would that be all? Well, there is more to risk than money… How can a car protect against security attacks that would jeopardize the functioning of “mission critical” systems? Connection of mobile devices (phones, multimedia readers), connection to the Internet, connection to other cars and to the road infrastructure… the car is becoming part of a bigger IT system which offers access to more services and more value, but also opens up to more threats. Recent academic works [for example, see www.autosec.org/pubs/cars-usenixsec2011.pdf] have illustrated how the multiplication of attack vectors via external connections can potentially enable a criminal to take control of the brakes or the steering wheel. Safety is also at risk: connectivity to the car should come with the most stringent security requirements.

Intrinsic vs. exploited flaws
The electronic system of a car is distributed across a (growing) number of electronic control units (ECUs), each unit designed for a dedicated function (e.g. braking, steering, etc.) by means of a microprocessor and linked with other ECUs in a partially closed in-vehicle network. Automotive ECUs are designed to interact with their environment in a rather simple processing pattern:

Intrinsic ECU flaws can lead to systematic malfunctions. These flaws relate to hardware and software bugs, to component malfunction linked to their characteristics (e.g. soft errors in microprocessors) or to component malfunction when used at functional limits (e.g. temperature, frequency, voltage).
Intrinsic flaws can be avoided whenever a state-of-the-art development methodology is in place. Each ECU function can then be guaranteed for a given range of environmental parameters. In addition, safety mechanisms ensure that such flaws do not harm the system, either by correcting recoverable errors or by putting the system into a fail-safe state. However, these mechanisms do not ensure that the messages transferring within or between ECUs are authentic.

Cyber-threats relate to exploiting system flaws not covered by a methodical development approach. Hardware and software modifications, environmental manipulations outside of the range for which the system has been designed (e.g. temperature, frequency, voltage), or injection of manipulated information can lead to intentional malfunctions. These in turn can be used by criminals to change the ECU behaviour in order to serve their personal interests.
Electronic hobbyists will try to find their “way in” to customize their car just for the fun of it, but they can also turn “on” features that they did not pay for originally. Labs or universities will hack into automotive systems in order to advertise their work to the public. Professionals (e.g. garages) can make money from system flaws by reselling illegal tuning mechanisms (engine tuning is the most popular). Carmakers and system suppliers can gain a lot of knowledge and technical expertise from their competitors by taking ECUs apart. Finally, criminal organizations can clone genuine ECUs into counterfeits sold on the black (or grey) market.

Threats
• Manipulation within the ECU
• Manipulation outside the ECU
• ECU counterfeiting

Risks
• Revenue loss
• “Mission critical” ECUs unsafe
• Brand / reputation damage

Secure ECUs
Since the design of the first engine control unit based on a microprocessor (more than 30 years ago), carmakers and system suppliers have developed security countermeasures against cyber-threats, which have spread across various ECUs. Until recently, these countermeasures were either relatively ineffective because they were based on software-only security primitives, or too expensive because they used custom microprocessors.
The microprocessor is the security enabler that can effectively turn an ordinary ECU into a secure ECU. Nowadays, the semiconductor suppliers enable state-of-the-art ECU designs using security-enabled microprocessors, offering higher resistance to cyber-threats while being reasonably priced and certified for use in the automotive field.
This change enhances the standard ECU processing pattern with a pre-process and a post-process stage, first to ensure that the ECU processes genuine (and potentially safety critical) information, and second to deliver the result of the processing so that it cannot be forged by any other entity within the communication network. To ensure that the computation is not compromised or altered in any way, those security-capable microprocessors can enforce the authenticity and integrity of the software and data processed within the ECU.
This type of setup implies some adaptations to the way ECUs are developed and manufactured. Security is not only considered at ECU level, it also touches on the in-vehicle network and the ECU life-cycle management. This global scheme needs a holistic approach within the automotive industry to secure the supply chains and to implement specific IT systems for key provisioning, including the development of widely accepted standard components.

Renesas product offering
To foster the availability of secure ECUs in the long term, Renesas has developed a comprehensive security concept that integrates many of its automotive chips.
The concept establishes the existence, within the processor (the host), of a secure domain aside from the application domain.
The application domain senses, communicates and actuates. The secure domain processes the security services that maintain the system in a secure state, while off-loading these additional tasks from the host.
The secure domain combines four essential components:
• An intelligence that processes the security services as requested by the application domain
• A set of cryptographic accelerators for high processing throughput
• Dedicated interfaces within its hosts (i.e. the processor) with slave and master capabilities
• An exclusive non-volatile memory area to store the secret material used by the security services

Three types of secure domains are available in Renesas’ offering to scale with the type of host where it is integrated:
• Cost-effective: offering the security services as defined in the HIS SHE specification
• Flexible: allowing carmakers and/or system providers to implement any kind of security services required by the application domain
• High performance: combining flexibility of use, high performance and specific cryptographic functions, such as media stream ciphers

The Renesas Intelligent Cryptographic Unit (ICU) concept is the foundation of the cost-effective (ICU-S) and flexible (ICU-M) secure domains in its automotive microcontroller offering with embedded Flash, based on the RH850 32-bit CPU. Both secure domains allow the implementation of a wide range of security services, such as verifying the secure boot at microcontroller start-up, encryption/decryption of incoming/outgoing data, or authenticating CAN frames within the in-vehicle network. While the ICU-S intelligence is a size-optimized finite state machine (FSM) implementing a fixed set of services, the ICU-M integrates an RH850 CPU core that can run custom (user-defined) services, either when the host triggers it (e.g. an on-demand ciphering operation) or autonomously (e.g. a background memory check). Both incorporate a true random seed and an AES-128 cryptographic accelerator with simple (ICU-S) and complex (ICU-M) block ciphering modes. The size of the secure embedded Flash varies depending on the service needs.
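The pre-process and post-process stages described under "Secure ECUs", together with the two services named above (secure boot at start-up and CAN frame authentication), can be modelled in a few dozen lines. The following is an added illustration, not Renesas or HIS SHE code: a toy secure domain that keeps its keys away from the application domain, checks the host firmware before releasing it, and stamps outgoing CAN frames with a freshness counter and a truncated MAC so that a receiver can reject replayed or forged frames. SHE specifies AES-128 CMAC for the MAC; this example substitutes HMAC-SHA256 from the Python standard library so it runs without third-party packages. The keys, CAN identifier, payloads and firmware image are all constructed values.

```python
"""Constructed model of a SHE-style secure domain (example code, not Renesas's).

Services offered to the application domain:
  1. secure_boot:    verify the host firmware image against a reference MAC
                     stored in the secure domain's exclusive NVM
  2. protect_frame:  post-process stage, attach counter + MAC to a CAN frame
  3. verify_frame:   pre-process stage, reject stale/replayed or forged frames

Assumption: HMAC-SHA256 stands in for the AES-128 CMAC that SHE specifies.
"""
import hashlib
import hmac
import struct

# Truncated MAC length in bytes. A 4-byte tag leaves room for data in a classic
# 8-byte CAN payload; real deployments also truncate or imply the counter.
MAC_LEN = 4


def provision_boot_reference(boot_key: bytes, firmware: bytes) -> bytes:
    """Computed once in the trusted key-injection environment and written to the
    secure domain's NVM. Constructed stand-in for the manufacturing step."""
    return hmac.new(boot_key, firmware, hashlib.sha256).digest()


class SecureDomain:
    """Holds secret material that the application domain never reads directly."""

    def __init__(self, boot_key: bytes, can_key: bytes, boot_mac_ref: bytes):
        self._boot_key = boot_key
        self._can_key = can_key
        self._boot_mac_ref = boot_mac_ref   # reference in exclusive NVM
        self._tx_counter: dict[int, int] = {}  # per-CAN-ID monotonic counters
        self._rx_counter: dict[int, int] = {}

    def secure_boot(self, firmware: bytes) -> bool:
        """Release the host only if the image matches the provisioned reference."""
        mac = hmac.new(self._boot_key, firmware, hashlib.sha256).digest()
        return hmac.compare_digest(mac, self._boot_mac_ref)

    def _frame_mac(self, can_id: int, counter: int, payload: bytes) -> bytes:
        # MAC binds identifier, freshness counter and payload together.
        msg = struct.pack(">HI", can_id, counter) + payload
        return hmac.new(self._can_key, msg, hashlib.sha256).digest()[:MAC_LEN]

    def protect_frame(self, can_id: int, payload: bytes) -> tuple:
        """Post-process stage: stamp an outgoing frame with counter and MAC."""
        counter = self._tx_counter.get(can_id, 0) + 1
        self._tx_counter[can_id] = counter
        return (can_id, counter, payload, self._frame_mac(can_id, counter, payload))

    def verify_frame(self, can_id: int, counter: int, payload: bytes, mac: bytes) -> bool:
        """Pre-process stage: accept a frame only if it is fresh and authentic."""
        if counter <= self._rx_counter.get(can_id, 0):
            return False  # replayed or stale frame
        if not hmac.compare_digest(mac, self._frame_mac(can_id, counter, payload)):
            return False  # forged or corrupted frame; counter is not advanced
        self._rx_counter[can_id] = counter
        return True


def demo() -> dict:
    """Run the two services through a genuine, a replayed and a forged case."""
    boot_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # invented key
    can_key = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # invented key
    firmware = b"EMS firmware v1.0: max_power=150HP"              # constructed image
    tampered = firmware.replace(b"150HP", b"200HP")                # tuned image
    ref = provision_boot_reference(boot_key, firmware)

    sender = SecureDomain(boot_key, can_key, ref)    # e.g. sensor ECU
    receiver = SecureDomain(boot_key, can_key, ref)  # e.g. EMS sharing the CAN key

    results = {
        "boot_genuine": sender.secure_boot(firmware),
        "boot_tampered": sender.secure_boot(tampered),
    }
    frame = sender.protect_frame(0x123, b"\x00\x64")   # constructed: 100 km/h
    results["frame_ok"] = receiver.verify_frame(*frame)
    results["frame_replayed"] = receiver.verify_frame(*frame)
    can_id, counter, _payload, mac = frame
    # Attacker bumps the counter and changes the payload but cannot recompute the MAC.
    results["frame_forged"] = receiver.verify_frame(can_id, counter + 1, b"\x00\xc8", mac)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The receiver advances its counter only after a successful MAC check, so a forged frame cannot be used to desynchronize it, and the reference MAC for secure boot lives inside the secure domain rather than in the (modifiable) application Flash.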

The ARM®-based Flash-less system-on-chip R-CAR is no slacker when it comes to security. It integrates a high-performance security module named CryptoCell, targeting high-end multimedia applications and advanced driver assistance systems (ADAS). In combination with the ARM® TrustZone® technology, it supports the operation of Trusted Applications (TA) within a Trusted Execution Environment aside from the Real-Time Execution Environment.
The R-CAR’s CryptoCell integrates a digital source of randomness and a comprehensive set of cryptographic accelerators (AES supporting all key sizes, DES and 3DES, standard hash functions, public key accelerator for RSA and ECC operations). It provides fast security services demanded by the application, such as stream ciphering of multimedia content. Although the system operates without embedded non-volatile memory, a chip-dependent root-of-trust, initialized during manufacturing, enables the protection of the externally stored code and data.

Renesas support to the industry
All Renesas secure domains come with dedicated software stacks and examples to facilitate integration within the different application domains. In addition, engineering teams with dedicated security expertise support customers with development worldwide. Renesas is collaborating with leading software suppliers to further expand its security eco-system, and has recently announced the short-term availability of the Escrypt CycurHSM for its RH850 microcontroller products. Renesas contributes to the establishment of automotive security standards through its involvement and active participation in dedicated working groups, such as in AUTOSAR or in the European Car to Car Communication Consortium. It is already extensively supporting the HIS SHE specification endorsed by many carmakers worldwide, as well as the EVITA HSM concept proposed by the EVITA project.
Thanks to its strong experience within the smart card industry, Renesas offers key injection services within a trusted environment for its automotive products. It also plans the extension toward an extensive key provisioning system supporting various security schemes tailored to carmaker needs.

Towards an affordable root-of-trust
The security assurance delivered by the on-chip addition of a secure domain aside from the application domain suffices for most automotive use cases. A very high security assurance level is only required in a few applications where the demand for privacy and authenticity far exceeds the usual standards (e.g. for car to car communications). It is also required to fight against ECU counterfeiting, where the need for a secure root-of-trust is paramount.
The possibilities offered today by the industry to cover those requirements are limited to the use of security-certified microprocessors. Besides the integration hassle, the cost of such chips (including the cost of certification) and of the secure infrastructure that comes with them (supply chain, key provisioning) heavily impacts the overall ECU cost.
As a new alternative, Renesas plans to roll out a disruptive security technology that creates a whole new kind of root of trust. It is secure by design, at a reduced cost, and does not require secure production sites, screened personnel or similar precautions. This innovative root of trust allows carmakers and system suppliers to combine their software with Renesas microprocessors based on chip-dependent, non-initialized and unalterable hardware functions, eliminating the risk of software manipulation and ECU counterfeiting.

Conclusion
More comfort, safer roads, efficient driving… in-vehicle electronic systems are delivering the promise. But the evolution of these systems, in particular towards higher over-the-air (OTA) connectivity and forthcoming services such as OTA reprogramming, is generating new threats to the value of the car and to “mission critical” ECUs.
Cyber-threats can take many forms. The only limit is the imagination, the skills and the motivation of the criminal. To limit the impact of a multi-million dollar attack while rendering low-cost attacks ineffective, carmakers have adapted their requirements by implementing state-of-the-art security services using security-enabled microprocessors. Moreover, instead of looking at security at the ECU level independently of other ECUs, they are starting to look at the security of the entire in-vehicle network, and of the entire ECU life-cycle management.
The challenge of this approach is that it has a significant impact in terms of development efforts and cost, and it will take time until it becomes standardized throughout the entire automotive industry. Renesas is striving to support this change with tailored and cost-optimized solutions: its security-enabled microprocessors fit all kinds of security services and automotive ECU types. In addition, its worldwide support structure makes the system integration easier.
Finally, Renesas is preparing the ground for a security innovation that can help eradicate the risk of counterfeiting on all kinds of electronic devices, including automotive ECUs.

Renesas Electronics Europe
www.renesas.com
