Category: Blog

24 January, 2022 . 4 mins read

Infographic: Potential Cyberattacks in Connected Cars and Mobility

Cyberattacks in connected cars are becoming an increasing threat. A modern connected car has a highly sophisticated electrical/electronic (E/E) architecture that contains up to 100 electronic control units (ECU) linked through multiple Controller Area Network (CAN) buses. Moreover, vehicle and driving data generated from the internal system are exchanged and shared with outside parties–including the OEM cloud, third-party clouds, smartphones, and other road users–through various forms of connectivity protocols, from satellite and Bluetooth to Wi-Fi and cellular. As a result, the modern vehicle contains a lot of endpoints that may be vulnerable to attackers. To secure a connected vehicle, it is crucial to consider all potential attack vectors that attackers could use, from man-in-the-middle (MitM) attacks to message spoofing.

The below infographic illustrates some of the most common entry points and how they must be secured.

potential cyberattacks in connected cars and mobility infographic 1/3
potential cyberattacks in connected cars and mobility infographic 2/3
potential cyberattacks in connected cars and mobility infographic 3/3

Download PDF

(Accessibility version below)

Entry Point I. Head Unit

The vehicle’s head unit is the closest entry point to its internal system, often containing a mainboard ECU that serves the infotainment system, and a gateway ECU that directs application requests to the CAN bus. If a hacker gains access to the head unit, they are only one step away from gaining control of the CAN buses and ECUs, potentially taking over the vehicle.

Risks? Vehicle hijacking, vehicle takeover

By who? Criminals

Solution?

AutoCrypt IVS

  • Intrusion detection and protection system (IDPS)
  • ECU protection
  • Vehicle security operations center (vSOC)

Entry Point II. V2X Messages

In the C-ITS environment, V2X messages are transmitted between road participants like vehicles, infrastructure, and pedestrians in real-time. Attackers can attempt to spoof the V2X messages broadcasted from these participants, leading to wrong judgments and even potentially controlling the targeted vehicles. They could also sniff the messages to steal data.

Risks? Vehicle hijacking, vehicle takeover, theft, terrorism, data breach

By who? Nation-states, criminals, thieves

Solution?

AutoCrypt V2X

  • Message encryption
  • User verification via Security Credential Management System (SCMS)
  • Integrated certificate management

Entry Point III. EV Charging Station

When an EV is plugged into a public charging station, the charging operator collects the owner’s membership and payment card information for transaction processing. An attacker can target the Plug&Charge (PnC) system to steal membership credentials and credit card details, or potentially attack the power grid.

Risks? Data breach, payment card fraud

By who? Nation-states, criminals

Solution?

AutoCrypt PnC

  • PKI-based Plug&Charge user verification
  • Message encryption
  • OCPP support

Entry Point IV. OBD-II Port

Onboard diagnostics (OBD) tracks a vehicle’s condition and driving behaviour. Such information is used by fleet operators and technicians for management and maintenance. The OBD-II port provides access to information on the powertrain, emission control systems, Vehicle Identification Number (VIN), and all kinds of driving information. When targeting the OBD-II port, an attacker could gain access to these sensitive data and possibly even inject malicious code into the CAN bus.

Risks? Vehicle hijacking, data breach

By who? Nation-states, criminals

Solution?

AutoCrypt IVS

  • Intrusion detection and protection system (IDPS)

AutoCrypt FMS

  • Secure fleet management through machine learning and AI
  • Proprietary OBD-II units

Entry Point V. Smart Key

Smart keys unlock a vehicle with electronic signals. Unlike keys with buttons, smart keys continuously release signals to allow keyless entry. Thieves could hack the smart key and redirect the signals to unlock and even turn on a car.

Risks? Vehicle theft

By who? Thieves

Solution?

AutoCrypt Digital Key

  • PKI-based certification and user verification
  • Carsharing and restriction settings

Entry Point VI. Telematics Control Unit

The TCU facilitates all wireless communications between the vehicle and the outside world, normally containing an eSIM, radio data system (RDS), Bluetooth, Wi-Fi, and a V2X connectivity unit. When the attacker access the telematics of a vehicle, possibly by injecting malware through a malicious app on a connected smartphone, they could attack the head unit directly.

Risks? Vehicle hijacking, vehicle takeover

By who? Criminals

Solution?

AutoCrypt IVS

  • Intrusion detection and protection system (IDPS)

AutoCrypt V2X

  • User verification via Security Credential Management System (SCMS)
14 January, 2022 . 9 mins read

6 Trending Technologies in the New Age of Automobile and Mobility

Mobility is one of the most vibrant industries today with tremendous room for technological and market growth. As we get accustomed to having smart devices and internet connectivity on hand wherever we go, it becomes inevitable to integrate computing power and connectivity into the automotive and mobility environment.

The focus of the mobility industry is to make the experience of road users enjoyable and the mobility ecosystem efficient and sustainable. To achieve these goals, businesses across diverse fields have been pouring investments and resources into the industry, including automotive, transportation, electronics, energy, ICT, semiconductors, computing, and software. By now, there is no doubt that the next innovation boom will encompass the automotive and mobility industry.

What are the key technologies driving this innovation boom? By examining every aspect of the mobility ecosystem, we observed six trending deep technologies that will rule our roads in the coming years.

Trend 1: Artificial Intelligence

Artificial intelligence (AI) is a crucial technology that drives a wide range of mobility innovations, especially autonomous driving. First, there are the ADAS (Advanced Driver-Assistance Systems), which many refer to as Autopilot. Even though we often say that ADAS are based on cameras and sensors, the underlying computations are powered by AI. The cameras only capture the imagery, while the built-in AI identifies the captured objects based on their shapes and movement patterns, then instructs the vehicle to react appropriately using intelligent modeling.

Next, there is V2X (vehicle-to-everything) communication, which serves as the bridge towards Vehicle-Infrastructure Cooperated Autonomous Driving (VICAD), a set of necessary features for higher levels of driving automation. V2X is a wireless communication technology that enables vehicles to transmit messages in real-time with other vehicles (V2V), road infrastructure (V2I), and pedestrians (V2P). Again, these messages are read and processed by AI, allowing every road user to respond and cooperate in real-time.

Besides AI’s role in autonomous driving, it is used to enhance the user experience for a wide range of mobility services, including carsharing, ridesharing, and ride-hailing platforms, where algorithms help match demand and supply at the right time and location.

Trend 2: Big Data

If data is the new oil, then the mobility ecosystem is the oil reserve. At any given moment, data are generated by hundreds of millions of vehicles and mobility services around the world. These include panel data with information on vehicle condition, driving behavior, location, traffic load, service usage, and many more. Moreover, the number of connected vehicles in use worldwide is forecasted to reach 120 million in 2025 and 700 million by 2030. These connected vehicles will contribute to a tremendous volume of big data that will be used for two main purposes: automation and optimization.

Big data is the fuel that powers AI and autonomous driving. Even though it is quite easy for an autonomous vehicle to learn how to drive by the rules, on the road, there are countless situations where rules are broken by unusual situations and environments. To ensure that vehicles can respond to every unusual situation safely, a massive quantity of data must be fed into the machine learning process. Researchers at the University of Michigan claimed in their research that 17.7 billion kilometers of autonomous driving data must be collected to prove that driverless vehicles can operate safely at an 80% confidence interval. To put it in perspective, this is 118 times the distance from the Earth to the Sun.

Another use of big data is product and service optimization. Many automotive OEMs, including the BMW Group, collect vehicle data from their vehicle fleets under their customers’ consent. This allows them to improve vehicle quality and maintenance services, as well as to make feature enhancements based on the customers’ behavioral feedback. For instance, by tracking mileage and usage data, customers will be notified whenever periodic maintenance is needed. Also, by analyzing data on the number of times a feature is activated, the OEM can prioritize enhancing certain features and phase out some unused features. In the case of BMW, the company also shares its fleet data with other businesses in the European Economic Area (EEA) who wish to use the data for innovative business models, such as pay-as-you-drive insurance policies. Other service providers like Mobility-as-a-Service (MaaS) operators can learn from the usage data generated from their platforms to establish more efficient and responsive ride services.

Trend 3: Next-Generation Communication

As mentioned earlier, the wireless connections used for autonomous driving are generally referred to as V2X, which forms the vehicular ad-hoc network (VANET), a mobile network that facilitates both direct and indirect transmission of messages. V2X can be facilitated by several different communication protocols, utilizing Wi-Fi, LTE, and 5G standards. The Wi-Fi-based protocol was established by the Institute of Electrical and Electronics Engineers (IEEE) and first introduced in its IEEE 802.11p release, widely referred to as DSRC (dedicated short-range communication) or WAVE (wireless access in vehicular environments), allowing vehicles to communicate directly with other OBUs and RSUs on the road using Wi-Fi technology.

The LTE and 5G-based protocols were developed by the 3GPP, collectively known as C-V2X (cellular V2X). This can be further broken down into direct C-V2X, which utilizes the PC5 interface; and indirect C-V2X, utilizing the Uu interface. Like WAVE, The PC5 interface allows road users to communicate directly with other vehicles and infrastructure nearby using embedded LTE and 5G connectivity. On the other hand, the Uu interface connects road users to the cellular network, allowing all participants to connect indirectly with the Internet as a medium. Such indirect C-V2X is sometimes called V2N (vehicle-to-network).

Whereas 3G and 4G LTE standards were developed primarily for smartphones and mobile communications, next-generation communication standards like 5G and 6G emphasize serving the needs of IoT and vehicular communications. Therefore, we will continue to see faster and more reliable ICT technologies in the future, driving innovations for a seamless and safe mobility experience.

Trend 4: Embedded Hardware/Software

The E/E (electrical/electronic) architecture of vehicles is undergoing continuous experimentations and improvements. Traditionally, the computing power of a typical vehicle is entirely contributed by microcontrollers called electronic control units (ECU) – typically up to 100 of them – each of which serves a particular function; some control the mechanical components while others control the infotainment system. However, the computing power of these ECUs is becoming increasingly insufficient for the new software-defined computer-like vehicles. Consequently, OEMs are introducing more creative ways of arranging the in-vehicle system by adopting a more centralized architecture. Many are experimenting with embedding one or two CPUs into the system so that dozens of functions can be controlled by one central computer. These changes have pushed the need for more chipsets and software modules with greater computing capability and functionality. Even though automotive chips and components were once considered an unattractive business for many semiconductor firms due to small purchase quantities and low profit margins, this growing need for more sophisticated components is driving more chipmakers and software suppliers into the mobility game.

Trend 5: Next-Generation Powertrain

Electrification is revolutionizing the vehicle powertrain. Everyone knows that electric vehicles (EV) generate less carbon emission than ICE vehicles, but how do the two different powertrains compare in terms of performance? Perhaps the two major differences are engine efficiency and energy storage. Looking at ICE powertrains first, Internal combustion engines are surprisingly inefficient, in which when they burn fuel and transform it into power, a lot of extra energy is wasted in the form of heat. Nonetheless, the upside is that gasoline is very easy to store. On the other hand, electric motors are much more efficient, transforming most of the energy into power with very little heat waste. Yet, it is much more difficult to conserve energy within the battery, especially in freezing temperatures. Ironically, since electric motors are so efficient that very little heat is generated, it becomes a problem in the winter as all the heat must be transmitted to the battery to maintain adequate performance, leaving no leftover heat for the cabin (meaning that additional electricity is consumed to power the heater).

Therefore, current research and developments in the automotive industry are focusing on battery technology, especially on ways to conserve energy and keep unnecessary drainage to a minimum. Energy firms are dedicated to increasing battery efficiency and reducing carbon emissions in the battery production process, while OEMs are working on making powertrain improvements for more optimized energy distribution within the vehicle.

Another related industry is the EV charging industry. Currently, the charging process can be quite complicated as users need to download apps for each charging provider and register as a member. Plug&Charge (PnC) technology is developed so that the entire charging process becomes standardized and automated. The user only needs to plug in their charger and payment will be made to the respective charging provider automatically.

Trend 6: Security

As the mobility ecosystem becomes increasingly interconnected with data sharing occurring in real-time, cybersecurity must be implemented wherever data exist to keep them safe from theft and tampering. Given the high volume of personal and vehicular data in the industry, it is only a matter of time before threat actors start targeting our roads.

Fortunately, governments and industry working parties have taken a step ahead of the game by establishing regulations like the WP.29 updates that mandate cybersecurity type approval for vehicles and infrastructure, as well as standards and protocols for user verification and message encryption, such as the Security Credential Management System (SCMS).

AUTOCRYPT is a leading security deep tech in the industry. Its AutoCrypt IVS in-vehicle security solution is designed to meet WP.29 regulatory needs by providing security design, testing, implementation, and monitoring for OEMs. It combines an industry-leading intrusion detection system (IDS) with ECU protection capabilities and a vSOC (vehicle security operations center) that monitors fleet safety in real-time.

AutoCrypt V2X integrates security modules into the V2X connectivity units (OBUs and RSUs) to enable message encryption and data security. AutoCrypt SCMS utilizes PKI-based credential management to sign and verify V2X users, compatible with the SCMS, European-based C-ITS CMS (CCMS), and Chinese-based C-SCMS.

Apart from autonomous driving security, AUTOCRYPT also offers secure fleet management for fleet operators and PnC solutions that secure EV charging.

To learn more about AUTOCRYPT’s end-to-end solutions, contact global@autocrypt.io.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

22 December, 2021 . 2 mins read

Infographic: 2021 Year in Review

Thank you for your support in 2021. Though there have been unexpected challenges with the ongoing pandemic, we have taken every opportunity to ensure that secure transportation and mobility are prioritized in the changing landscape of connectivity and transport. See below for what AUTOCRYPT has accomplished in 2021 in review.

Here’s to 2022!

Forbes 100 to Watch – AUTOCRYPT was selected to be part of Forbes Asia’s inaugural 100 to Watch list, a list which highlights notable companies on the rise in the APAC region.

15 Million! – We closed our Seeries A funding round in January 2021, bringing the total raised to USD 15 million. Currently, Series B is in progress, open to global investors to become involved.

AutoTech Breakthrough – AUTOCRYPT was announced as 2021’s “Automotive Cybersecurity Company of the Year” for the second year in a row.

4-Layers Interoperability – In 2021, AUTOCRYPT demosntrated the “Four-Layers” interoperability of our V2X security solution. AUTOCRYPT’s solutions are compatible with C-SCMS, EU-CCMS, and SCMS, crucial for implementing security into C-ITS projects.

Germany – AUTOCRYPT’s first European office was opened in Munich, Germany in June 2021. The new office is expected to play a key role in the company’s active work with European OEMs and the continent’s C-ITS projects.

Events – We missed seeing our customers and partners in person, but were able to begin heading back out to events in the latter half of 2021.

Canada – Establishing a North American subsidiary, we opened a new corporate office in Toronto, bringing us closer to partners and OEMs in the region.

ITF-CPB Member – AUTOCRYPT officially joined the ITF’s Corporate Partnership Board. As a partner, AUTOCRYPT will bring its security expertise to work on intelligent transport systems, and the future of mobility.

Mobility Services – We launched a number of new services which utilize our fleet management solution, including a EV charging information application, and a Demand Responsive Transport (DRT) for inclusive transportation.

7 December, 2021 . 3 mins read

Infographic: 7 V2X Application Scenarios

V2X (vehicle-to-everything) communication technology enables real-time wireless communication between vehicles (V2V), infrastructure (V2I), and pedestrians (V2P) in the C-ITS (Cooperative Intelligent Transport Systems), paving the path towards full driving automation.

Establishing a V2X ecosystem is a massive project that requires a solid foundation, before building blocks are gradually added to serve functional purposes. Thankfully, years of development and testing across multiple industries have laid the foundation that brought the technology to the surface. Many V2X-enabled services are now being applied in smart cities across the globe, marking the beginning of large-scale commercialization.

The below infographic illustrates seven V2X application scenarios that are widely seen today.

V2X Application Infographic

Download PDF

(Accessibility version below)

  1. Signal Phase and Timing – SpaT is a V2I service used at signalized traffic intersections. The RSU in the traffic signal controller sends a message indicating light color and remaining time to the OBUs of the inbound vehicles. The vehicles then use this information to determine whether to cruise through or decelerate to a stop.
  2. Emergency Vehicle Preemption – EVP is a V2I service that gives road priority to emergency vehicles. The OBU of a dispatched emergency vehicle sends a special message indicating its location and path to the RSUs of upcoming traffic lights. These traffic lights then work in favor of the emergency vehicle to ensure safety and a speedy response.
  3. Intersection Collision Avoidance – IVA is a V2V service that prevents collisions at traffic intersections. The RSU of the roadside camera monitors vehicles and moving objects in all directions and sends a warning message to inbound vehicles when it detects potential signal violators in the cross direction, preventing T-bone collisions.
  4. Emergency Brake Warning – EBW is a V2V service that prevents rear-end collisions caused by sudden braking. The OBU of the braking vehicle sends a message indicating its intended behavior to the OBU of every subsequent vehicle, so that they can all start braking at the same time, preventing collisions and overbraking.
  5. Pedestrian Collision Avoidance – PCA is a V2P service used for pedestrian protection. roadside cameras detect pedestrians on the roadway and send warning messages to nearby vehicles. Newer developments embed RSUs into smartphones so that such warnings can be sent directly from the pedestrian’s devices.
  6. Smart Parking – Smart parking is a V2I service used to match the supply and demand for parking space in real-time. The RSUs of the parking lot sensors send messages notifying parking availability to nearby vehicles, allowing vehicles to drive towards the nearest parking space seamlessly, easing traffic jams in high-density commercial zones.
  7. Do Not Pass Warning – DNPW is a V2V service that is used to ensure safe overtaking on undivided highways. The OBU of the first vehicle in the lane sends messages to the vehicles behind, warning them not to pass when it sees vehicles traveling down from the opposite direction.

To learn more about V2X application scenarios and AUTOCRYPT’s V2X security solutions, see AutoCrypt V2X.

22 November, 2021 . 7 mins read

COP26: How We Have Overcome Barriers to EV Adoption

What Happened at COP26?

The 2021 UN Climate Change Conference, better known as COP26, concluded on November 12 after two weeks of negotiations by world leaders in Glasgow, UK.

As a member of the International Transport Forum (ITF) Corporate Partnership Board (CPB), AUTOCRYPT’s Co-Founder and CEO Daniel ES Kim called for climate actions at the ministerial meeting on November 9, collectively with other business leaders on board, emphasizing AUTOCRYPT’s commitment to decarbonizing transport.

AUTOCRYPT’s “Call for Action” at COP26

The resulting agreement signed by nearly 200 nations was a historical one, but was not transformative enough to reverse climate change, as many scientists suggested. Despite a preliminary draft demanding nations to accelerate “the phaseout of coal and subsidies of fossil fuels”, after negotiations, a revised draft tuned down the rhetoric to “the phaseout of unabated coal and inefficient subsidies of fossil fuels”. Still, facing firm objection from China and India, the final agreement was changed to “the phasedown of unabated coal and inefficient subsidies of fossil fuels”.

Implications for the EV Industry

Regardless of the rhetoric, COP26 made an unprecedented emphasis on the criticality of fossil fuel exploitation to the ongoing climate crisis. The agreement specifically demands governments to phase down fossil fuel subsidies. Currently, about half a trillion dollars in subsidies were spent by governments worldwide to lower the price of fossil fuels for consumers, more than triple the amount spent on other renewable energies.

The new agreement will likely pose more pressure on manufacturers and consumers of ICE vehicles, making electric vehicles (EV) more financially appealing to both automotive OEMs and end consumers. But setting aside discussions of money and politics—let us go back to the fundamental question: Are we ready to fully commit to EV adoption?

Are We Ready for EV Adoption?

The short answer is yes. Today’s EV has come a long way from its early days. Since the COVID-19 pandemic, EV sales have grown exponentially, even in regions where government subsidies have been decreasing, showing that consumers no longer need financial incentives to purchase EVs. Most potential buyers in the car market today are seriously considering purchasing EVs.

The booming EV adoption rate is not simply due to increased environmental awareness, nor purchase incentives and tax breaks. It is more so a result of technological advancements in EV design, powertrain, battery, and supply equipment (EVSE), all of which contribute to better overall reliability. Below, we look at how these advancements helped the industry overcome all the barriers to EV adoption.

How Have We Overcome the Barriers to EV Adoption?

1. Range

In the early days of the EV, range anxiety was the biggest concern for all potential buyers. Many feared running out of power prior to reaching their destination. In 2013, the average range of all EVs in the market was about 219 km (136 mi), less than half the travel range of gasoline-powered vehicles, which on average can travel between 450 to 550 km (280 to 342 mi) on a full tank. Given that there were very few public charging stations back then, range anxiety was a real fear for EV owners. Even though 219 km was beyond the distance of most daily commutes, long-haul travels were virtually impossible due to the lack of public charging stations, making it a significant drawback as compared to ICE vehicles. As a result, most early adopters at the time only drove their EV as a second car for traveling within the city.

We are in a different world now. For the past five years, automotive OEMs and suppliers have dedicated large portions of their R&D spending on advancing battery technology and motor efficiency. Thanks to these efforts, the median range for EVs has exceeded 400 km (250 mi) in 2020. Most flagship models made by world-class OEMs can now travel longer than 450 km on a single charge effortlessly, with a few outperformers boosting a range over 600 km (see figure 1).

Figure 1. Longest EV Ranges as of October 2021

Clearly, ICE vehicles no longer have an advantage in range over EVs. This explains why even private taxi operators are now adopting EVs considering that a range of above 400 km is adequate for a full day of operation. By now, the EV industry has largely eradicated range anxiety.

2. Charging Availability

Having a long range was not the only cure to range anxiety. For many frequent travelers, having a charger at home does not help the long-haul overnight trips away from home. In this case, public EV charging stations allow the driver to top up their car during their trip, perhaps anywhere along the way or at the hotel.

The good news is that public charging stations have become very common. As of mid-2021, the United States has roughly 43,000 public charging stations and 120,000 charging ports. To put these numbers in perspective, there are an estimated 150,000 gas stations across the US, meaning that there is now one public EV charging station per every three gas stations. Considering the share of EVs in the automobile market, the number of EV charging stations per vehicle has already far surpassed that of gas stations.

Among the United States, European Union, and China—the three largest EV markets—the US is in fact the worst performer of the three. Looking at the EU, there are reportedly 225,000 public charging ports across the continent (excluding Norway and Turkey), nearly twice that of the US. And in China, there are nearly 924,000 public charging ports registered in mid-2021. Consumers in these well-established EV markets can now make long-haul overnight trips without the need to worry about charging. Moreover, the number of public EV charging stations is expected to grow at an astonishing rate. The EU is planning to establish a network of 1.3 million charging points by 2025, six times the current figure. Compared to gas stations, EV charging stations do not require additional space and are much cheaper and easier to build; most are installed on existing parking lots.

3. Charging Time

Recent developments in EVSE have also shrunk the average EV charging time remarkably. Most home chargers (7 kW) can easily charge a typical EV from empty to full in about eight hours. Fast and rapid chargers found at public charging stations (22 kW fast or 43-50 kW rapid) can fill up an EV in between one to five hours. These are especially common at office buildings, shopping malls, and service plazas near highways, where people can top up their cars for an hour or two while working, shopping, or eating. The fastest rapid chargers today (150kW rapid) can fill up a Tesla Model S in less than an hour and add up to 160 km of range in less than 35 minutes. Nonetheless, these chargers remain relatively rare and are not compatible with all EVs.

For the average consumer, charging time should no longer pose any inconvenience. Expect to charge at home about once or twice a week, while occasionally topping up at public charging stations during longer trips away from home. With a little planning ahead, you should be able to easily blend vehicle charging into your schedule and never need to spend a minute waiting for charging.

4. Charging Complexity

After overcoming all the above EV adoption barriers, the last concern for some potential EV buyers is the perceived complexity in charging. Those who use public charging stations frequently might find it a hassle to keep a handful of membership cards or mobile apps for different charging point operators (CPO).

To simplify this process, AUTOCRYPT is actively working with the EV charging industry to accelerate the application of Plug&Charge (PnC) technology, an advanced charging and payment system that automatically verifies the vehicle when the charger is plugged in, then authenticates the transaction in the backend without the need for any RFID cards or mobile apps.

This verification and authentication process is conducted by AutoCrypt PnC, a secure V2G (vehicle-to-grid) communication interface based on ISO-15118-compliant AutoCrypt PKI technology. By 2023, PnC-enabled charging stations with V2G bi-directional charging will be widely available.

Revolutionize Transport With AUTOCRYPT

Apart from electrification, AUTOCRYPT’s effort in securing Cooperative Intelligent Transport Systems (C-ITS) and autonomous driving will make our roads and traffic smarter, less congested, and more energy-efficient, helping us accelerate our goal towards net zero.

To learn more about AUTOCRYPT’s end-to-end solutions, contact global@autocrypt.io.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.

2 November, 2021 . 6 mins read

3 Stages of In-Vehicle Security: A Step-By-Step Guide to Vehicular Cybersecurity

Vehicular cybersecurity is now an inseparable component of automobiles. To establish an ecosystem where vehicles can safely connect with the outside world, UNECE’s WP.29 regulations on vehicular cybersecurity require automakers (OEMs) to manage cybersecurity risks at every stage of a vehicle’s lifecycle. This includes 1) pre-production design and development stage, where cybersecurity gets embedded into the supply chain; 2) production stage, where hardware and software components are integrated and tested for interoperability; and 3) post-production stage, where continuous monitoring and timely updates are required to keep the vehicle protected throughout its lifespan.

As a cybersecurity adviser on the International Transport Forum’s Corporate Partnership Board (CPB), AUTOCRYPT has been contributing its expertise in vehicular cybersecurity standardization and policymaking, making the company a specialist in cybersecurity integration and regulatory compliance. Developed to help OEMs integrate cybersecurity with functional safety, AUTOCRYPT’s in-vehicle security solution, AutoCrypt IVS, provides a robust end-to-end security package for all three stages of vehicle production, stretching beyond regulatory requirements.

In this article, we break down AUTOCRYPT’s in-vehicle security process to look at how a vehicle is secured at each stage.

1. Threat Assessment and Remediation Analysis (TARA)

The biggest difference between vehicular cybersecurity and IT cybersecurity is that a vehicle does not run on a host computer, nor a unified operating system. Instead, each vehicle has a unique electronic and electric (E/E) architecture made up of over a hundred electronic control units (ECU), interoperating through the Controller Area Network (CAN bus). This means that there cannot be an off-the-shelf cybersecurity software or tool that is readily installable across all vehicles; instead, in-vehicle security needs to be custom-designed for each vehicle model.

To develop a system and process for a particular vehicle, it is crucial to start by assessing the threats associated with the specific OEM and vehicle model through an engineering methodology called Threat Assessment and Remediation Analysis (TARA). TARA is widely used for the initial assessment of cybersecurity risks, based on a deep analysis of the vehicle’s architecture, followed by a prediction of potential vulnerabilities and entry points. After identifying the risks, security engineers will thoroughly select a pool of necessary countermeasures that can mitigate these specific risks.

During TARA, AUTOCRYPT begins by identifying critical assets within the target vehicle, then compiles a list of attack vectors that hackers could potentially use to access and intrude the system. After that, the level of risk and feasibility of each attack vector is analyzed, before arriving at a final list of threat priorities. These priorities are used to design and develop a security model, where detection engines and software modules get embedded in different parts of the vehicle.

2. Threat Modeling and Security Testing

After initial design and development of the in-vehicle security system, it is then time to conduct a series of tests by simulating real-life hacking scenarios to verify the efficacy of the security model. In this stage, three types of security testing are implemented: vulnerability scanning, fuzz testing, and penetration testing.

Vulnerability Scanning

Unlike threat assessment in TARA, vulnerability scanning requires the physical vehicle prototype with the adopted security model. Both software static testing and dynamic testing are performed. The former checks for errors in the development stage, including leaks and buffer overflows, whereas the latter executes the code to test for vulnerabilities in runtime environments by analyzing the behaviours of dynamic variables.

Fuzz Testing

Fuzz testing, or fuzzing, is a type of automated software testing technique that feeds a large pool of randomly generated invalid and unexpected inputs into the program as an attempt to make it crash or break it through. If a vulnerability a found, a fuzzer can be used to pinpoint the potential causes. Fuzzing is a quick and useful way to identify unexpected coding errors, highly effective at mitigating most automated hacking techniques.

Penetration Testing

Penetration testing is the most advanced and sophisticated test of the three. It requires security analysts and red team hackers to manually search and exploit vulnerabilities using complex hacking techniques such as password cracking and injection, then try to manipulate and exfiltrate data from the vehicle. AUTOCRYPT’s red team, led by experienced resident white hat hacker Dr. Jonghyuk Song, performs penetration testing to vehicle components and security software prior to final implementation, ensuring that no vehicle leaves the factory in a vulnerable state.

After completion of threat modeling and security testing, all errors and vulnerabilities will be corrected and reviewed. Finally, the vehicle will be ready to enter the market.

vehicular cybersecurity diagram
Figure 1. Three Stages of In-Vehicle Security

3. Threat Mitigation

As the vehicle gets passed down to the consumer, the role of cybersecurity does not end here. In fact, this is only the beginning of a long journey of continuous monitoring, prevention, and incident response. At this stage, the security engineering of AutoCrypt IVS works at its best to protect the ECUs by running both an intrusion detection system (IDS) and intrusion protection system (IPS) to block hacking attempts, encrypting all messages to prevent data tampering, and controlling access to all storages to ensure privacy and financial safety. It also monitors the central gateway for any abnormal behaviour throughout the vehicle’s CAN bus and between the vehicle to the external network. Such data is then collected in real-time by the OEM and reported to AutoCrypt vSOC (Vehicle Security Operations Center) for analysis.

Vehicle Security Operations Center

Similar to the SOC in IT security, vSOC brings enterprise threat intelligence to the mobility environment by monitoring the activities and conditions of all active vehicles using live data collected and shared from the OEM’s cloud. AutoCrypt vSOC provides an easy-to-navigate graphical user interface, allowing the OEM to track and analyze threats by region and prioritize updates and patches.

Figure 2. AutoCrypt vSOC GUI for an OEM customer

Vehicular Cybersecurity Made Easy With AUTOCRYPT

Most OEMs do not have the time and capacity to assess, deploy, and manage all three stages of vehicular cybersecurity in-house. Over the past decade, AUTOCRYPT has been filling this gap not only by offering AutoCrypt IVS as a product, but also by designing and developing a complete in-vehicle security solution that OEMs can rely on in the long-run.

To learn more about AUTOCRYPT’s end-to-end solutions, contact global@autocrypt.io.

To stay informed with the latest news on mobility tech and automotive cybersecurity, subscribe to AUTOCRYPT’s monthly newsletter.