Safe and sound on the roads

Connected vehicles should improve road safety, but security issues need addressing

By Morand Fachot

Roads are becoming safer in industrialized countries, in spite of increased traffic volumes, thanks to improvements in vehicle electronics. The introduction of connectivity is likely to improve this record still further but raises concerns about security risks. Miscreants could hack into vehicles' networks, causing equipment to malfunction or accidents to occur, or resulting in vehicle theft. Existing and future International Standards are set to play an important role in addressing these security risks.

Ensuring car security Two IT security experts hacked a modern car to expose potential vulnerabilities (Photo: Forbes)

In search of road safety

More than 90% of auto-related crashes are attributable to human error, be it due to distraction, a mistake or drowsiness. A number of aids have been introduced over the years to make driving easier and reduce human errors. Cruise control was introduced as early as 1945, followed by automated transmission in the early 1950s and other systems such as antilock braking systems (ABS – 1970s), which relied initially mainly on hydraulic components and later on electro-hydraulic and electric systems.

 The search for safer and more efficient so-called intelligent traffic systems (ITS) has been the object of various initiatives such as the European Commission-funded Eureka Prometheus Project (1987-1995) and the US Automated Highway System (1994). In both, cars were to be guided by the road rather than by drivers, with sensors and communication devices linking roads and vehicles.

Additional aids for drivers

Other systems such as adaptive cruise control (ACC) and automatic braking have further improved road safety and depend on electrotechnology with no need for driver input. Both of these rely on sensors to adapt the vehicle speed so as to keep a safe distance from traffic ahead or prevent collisions with other vehicles, cyclists or pedestrians. Such so-called advanced driver assistance systems (ADAS) are found increasingly in a variety of new cars, no longer in top of the range vehicles alone. They rely on electronic control units (ECUs) that talk over Controller Area Networks (CANs). There could be around 100 of these units in luxury models.

Other systems based on sensors, such as automatic dusk-sensing headlights, automatic rain-sensing wipers, auto-dimming rear-view mirrors, seat-belt alarms or driver drowsiness detection, also contribute to making driving safer and more comfortable. They are being or have already been installed in most cars. As a result, electronic components currently account for around 50% of car production costs, and that percentage is increasing.

One issue that has significantly increased driver distraction has been the introduction of mobile communication devices in the automotive environment. This was certainly not foreseen years ago and is now reportedly behind a quarter of car crashes in the UK and the US. It is an issue that is here to stay but needs addressing if road safety is to improve further.

From assisted to automated driving

Automobiles are evolving from relying increasingly on assistance systems to becoming more autonomous, with the addition of extra electronic systems and increased connectivity.

Control of the steering and brake systems of these autonomous cars is, alongside that of other systems, based on information from roadside infrastructure as well as from car-mounted sensors, cameras and radars.

Frost & Sullivan reports that almost every car maker in the US has a connected telematics service that transmits information/alerts about safety, security, diagnostics, breakdown assistance, vehicle tracking, emergency assistance in case of accidents, etc. In the future, other services such as "pay-as-you-drive" insurance premiums, recall alerts and warranty data information may be added. These services represent "currently the first point of attack for hackers", according to Frost & Sullivan.

 Five top connectivity technologies have been identified:  

  • Connectivity with mobile devices via Wi-Fi
  • Connectivity to wearables via Bluetooth® Smart
  • Device pairing and car rental via Near Field Communication (NFC)
  • Real-time traffic updates and vehicle tracking via integrated global navigation satellite system (GNSS)
  • Secure, high performance connectivity via automotive Ethernet

A February 2015 report from the office of US Senator Edward J. Markey (D-MA), highlights the risks to US drivers of the gaps in security and privacy presented by increased car connectivity.

It accuses some of the biggest automakers in the market of having no idea how to prevent hackers from taking over cars. In 2011 computer scientists from two US universities demonstrated that hackers could remotely take over control of a car, including of its engine.

 The risk is likely to increase as more and more cars are connected, each one with an average of 5 networks. New cars may contain up to 100 million lines of software code for body electronics, ADAS, infotainment, chassis and safety, etc.

 Navigant Research estimates that 100% of cars will be connected by 2025 and that 75% of cars on the road will be autonomous by 2035.

Weaknesses identified

As greater numbers of connected cars get onto the roads, ill-intentioned individuals may start targeting them for criminal or other purposes. Cases of cyber-attacks are reported every day, targeting financial institutions, companies, government websites and individuals for the purposes of stealing money, corporate information or trade secrets or to disrupt websites through distributed denial-of-service (DDoS) or other actions. It is only a question of time before vehicles are targeted, as weaknesses have been identified in many cars. The motor and IT industries have been warning of the risk of cyberattacks on automated cars in the future and of the threats they pose to road safety.

 Some weaknesses that expose the fragility of the vehicle connectivity architecture have been identified. They include the capability to infiltrate virtually any ECU through wireless access points and to create extremely unsafe conditions.  

 Since ECUs control devices and functions including ACC, door access control, force feedback accelerator pedals, electronic brake systems, seatbelt pretensioners, airbag control units and closing velocity sensors, the potential for carrying out dangerous malicious attacks on connected cars and attacking road safety in general is huge.

A number of companies are already developing software and hardware defences for the motor industry to prevent disruption being caused by hacking and intrusion to communications systems. Some companies started providing embedded software solutions for the industry, capable of turning any ECU into a real time threat intrusion and prevention system and any gateway ECU into a smart firewall. They can also offer aftermarket software or hardware solutions that protect connected vehicles and their telematics systems against cyber-attacks.

Mitigating risks with International Standards

Fortunately some security issues can be addressed now by implementing International Standards already prepared by the IEC and jointly by the IEC and the International Organization for Standardization (ISO) through various Subcommittees (SCs) of their Joint Technical Committee (ISO/IEC JTC 1).

 The IEC is no stranger to developing International Standards that address safety and security issues in a number of domains. These include: the IEC 61508 series on functional safety; Standards in the IEC 60601 series for medical electrical equipment and IEC 61513:2011, IEC 62138:2004 and IEC 62645:2014 for the safety of nuclear power plants, the last one developed specifically to prevent, detect and react to cyber-attacks.

ISO/IEC JTC 1/SC 6: Telecommunications and information exchange between systems, has developed two International Standards for NFC security: ISO/IEC 13157-1:2014 and ISO/IEC 13157-2:2010, on near field communication security (NFC-SEC) services and protocols, and on the NFC-SEC cryptography standard using Elliptic Curve Diffie-Hellman (ECDH) protocol and Advanced Encryption Standard (AES) algorithm, respectively. These International Standards are also relevant for connected/automated cars since NFC is one of the connectivity technologies used in these vehicles.

Adding lightweight cryptograpy

Lightweight cryptography is also seen as central to the future security of connected cars.
 Addressing the Symposium on The Future Networked Car on the fringe of the 2015 Geneva Motor Show, Koji Nakao, an expert with ISO/IEC JTC 1/SC 27: IT Security techniques, advocated the introduction of lightweight cryptography for vehicles, based on the ISO/IEC 29192 series of International Standards.

 Nakao stressed that real-time response is crucial in ADAS and that lightweight cryptography offers low latency. Furthermore, he said, it is tailored for implementation in constrained environments, and since a modern vehicle contains 50-100 or more ECUs which are a collection of embedded constrained devices, lightweight cryptography is particularly suitable for the connected car environment.

 Pointing out that some lightweight algorithms are mature and already standardized in ISO/IEC 29192, Nakao said it was high time to standardize practical standards for connected cars and ITS and stressed that collaboration with the automotive industry is necessary.

Given the emerging security risks faced by connected and automated cars, it is safe to assume that International Standards developed by several ISO/IEC JTC 1 SCs in particular will play a central role in improving road safety and protecting from cyber-attacks.

Volvo tests self-driving cars on public roads (Photo: Volvo Car Group)
Ensuring car security Two IT security experts hacked a modern car to expose potential vulnerabilities (Photo: Forbes)
Bosch ecu big Modern cars have dozens of electronic control units that can be compromised by hackers (Photo: Robert Bosch GmbH)