AUTOCRYPT Reflection: A Letter to Our Friends

Hope everyone is not too worn out by the COVID-19 pandemic. Despite having to go through one of the hardest times in modern history, let us never lose hope and continue to protect the safety of ourselves and others.

We here at AUTOCRYPT also had a very busy spring. After spinning off from Penta Security last year and becoming an independent company, we have expanded our global customer base, increased our international collaboration, and participated actively in ITS developments.

As we relaunch our official website, we thought this would be a great time for us to share with you some of the accomplishments and milestones we have recently achieved.

Joining the 5G Automotive Association (5GAA)

AUTOCRYPT joined the 5G Automotive Association as a security expert, sharing insights and technologies with some of the largest automakers, telecommunications equipment makers, and on-board unit (OBU) manufacturers around the world.

Founded in 2016, 5GAA is an international organization formed by companies from all areas of the automotive industry. Its ten founding members consist of automakers Audi, BMW, Daimler, telecommunications equipment manufacturers Samsung, Intel, Nokia, Ericsson, Huawei, as well as OBU manufacturers Qualcomm and Harman.

First, the members are committed to creating a set of international standards for the intelligent transportation system (ITS); think of it as version 2.0 of the 1968 Vienna Convention on Road Traffic. 

Second, the members seek to collaborate on developing both in-vehicle and roadside solutions for the next generation of connected mobility and autonomous driving. 

Lastly, the members also work extensively with governments across the world on ITS projects, currently focused on testing smart roads with connected infrastructure.

Joining 5GAA is a complex process involving some of the most demanding requirements. As a worldwide pioneer of the mobility security industry, AUTOCRYPT possesses the most field experience in vehicle-to-everything (V2X) security and is proud to serve the latest security technologies for automakers, Tier 1 suppliers, and infrastructure developers.

Joining the Car Connectivity Consortium (CCC)

AUTOCRYPT has also become a member of the Car Connectivity Consortium, sharing its expertise on vehicle-to-device (V2D) security and experience in designing public key infrastructures (PKIs) with top firms in both automotive and mobile communication industries. 

CCC is a cross-industry organization that aims to advance technologies for smartphone-centric car connectivity solutions. AUTOCRYPT joined the consortium as the first mobility cybersecurity company from Asia Pacific. Other members include the world’s top automakers Toyota, Volkswagen, GM, Hyundai, and top smartphone makers Samsung and Apple.

CCC focuses on developing digital keys that enable drivers to use their smartphones to unlock their cars, turn on their engines, and share access with family members or valets. The goal is to allow the drivers to simply connect and ride, regardless of the device or vehicle.

Similar to 5GAA, AUTOCRYPT contributes its technical expertise in establishing a set of international technical standards. It also works on a series of projects related to digital key solutions performance evaluation.

Winning the 2019 TU-Automotive Awards

This was another great achievement for us. AUTOCRYPT won in the category of the Best Auto Cybersecurity Product/Service at the 2019 TU-Automotive Awards.

TU-Automotive holds an annual awards ceremony along with one of the largest automotive technology conferences. With 30 years of experience, it is exceptionally precise and accurate at analyzing products and services in the automotive sector. As such, these awards are considered one of the most prestigious in the car tech industry.

Competing with more than 400 companies, AUTOCRYPT was awarded for its outstanding future-oriented security technologies for autonomous and electric vehicles, as well as for the smart mobility infrastructure. The 2019 awards recognized major industry leaders in 12 different categories, including Amazon, Mitsubishi, and Honda, alongside AUTOCRYPT.

Shortlisted for the 2020 TU-Automotive Awards

This year, AUTOCRYPT was shortlisted again, in the category of Industry Choice Award: The Automotive Tech Company of the Year. Facing off against our biggest V2X competitor, Qualcomm, does our twice-as-fast V2X verification speed give us an advantage at winning? Let’s leave it for the industry judges to decide.

We here at AUTOCRYPT are optimistic about the future of transportation and will stay dedicated to developing the best mobility solutions for automakers and Tier 1 suppliers.

Starting now, we will be sending out a newsletter to our followers every month, providing some short updates on AUTOCRYPT and the latest trends in the mobility industry.

Hope everyone has a great summer season ahead. Stay safe and healthy!

How Do Vehicles Connect to the Internet and Why Would Someone Hack Them?

It has been only a little more than a decade since the introduction of the smartphone, yet smartphones have now replaced laptops and desktops as the primary personal computing device. As we become used to being connected to the Internet anytime and anywhere, more and more “things” now come equipped with such connectivity. Vehicles are among the most common Internet of Things (IoT) devices, but what happens when vehicles connect to each other and to infrastructure?

How does vehicle connectivity work?

Most new cars in 2020 come with either embedded (built-in) or tethered (brought-in) internet connectivity, or a mixture of both. Vehicles with embedded connectivity are equipped with a built-in modem to directly receive cellular data, while those with tethered connectivity borrow the driver’s smartphone data to access the Internet (similar to Wi-Fi hotspots).

Most automakers offer embedded connectivity free trials for a few months, after which the driver would need to pay for continued internet access. This works similarly to a smartphone plan. For instance, AT&T provides a connected car data plan at cost per month for coverage in the US and Canada.

Some automakers offer embedded connectivity only for critical functions such as remote control and crash notification, and require tethered internet for all other entertainment purposes.

Whether having embedded or tethered internet connectivity, connected vehicles bring a lot of convenience and joy to the drivers. They have remote control features that allow users to unlock the doors, turn on the engine, and adjust the in-vehicle environment via their smartphone. They allow users to listen to the news, search for information, and access their smartphone all through voice control. In addition, they provide high definition streaming media content for both drivers and passengers.

Why hack a connected vehicle?

Wherever there is an internet connection, there are security threats. The cyberthreats a connected vehicle system faces are very similar to those of a traditional IT system, in which almost all threat actors are driven by financial or political motives. In the context of a traditional IT system, the three most common objectives of cyberattacks are:

1) to exfiltrate or encrypt data for financial gains (by using the data for phishing and identity theft, selling the data to third parties, or demanding a ransom),

2) to steal intellectual property from adversaries (either businesses or political units), and

3) to disrupt operations and activities of adversaries (either businesses or political units).

In contrast, let us take a look at the most common objectives for someone to attack a car:

Vehicle theft

Believe it or not, vehicle thefts are still common. Over 150,000 vehicles were stolen in California alone in 2018 according to the Insurance Information Institute. Connected cars with smart or digital keys might decrease the chance of theft from unskilled thieves, but could as well increase the chance of theft from high-skilled hackers.

Personal data theft

Connected vehicles collect and store tons of personal data. At the very least, they store the driver’s contact list, call history, calendar, search history, entertainment preferences, driving history, and location data. Some might even store financial information for automatic payment of toll fees and EV charging fees. Attackers who gain the data may use them for identity theft, sell them to third parties, or blackmail the car owner for ransoms.

Personal attack or terrorism

This is perhaps the most concerning risk involving connected vehicles. When used abusively, cars have the potential to cause serious physical damage and death. When a threat actor hacks the system and takes full control of a car, the car becomes a destructive weapon that can be used to target specific individuals or the general public. What’s worse is that such a crime would be very difficult and expensive to solve as cybercriminals are much harder to catch.

Notice that under the third objective, a so-called cyberattack has crossed the line of cyberspace to threaten our physical safety. This has always been the biggest concern of autonomous driving. To prevent criminal groups and terrorists from destroying our transportation system, governments must work with industry experts to establish a complete international regulatory compliance for vehicle security.

In a traditional IT system, we create the network, then secure it. In a connected car system, we secure first, then ride. Having an unsecured car network is essentially the same as having a bridge built with substandard materials. This is why it is critical for us to understand where the weaknesses come from and protect them accordingly.

Infographic: The History of Automotive Technology

Have a look at how automotive technology has evolved throughout the history of automobiles.

The History of Automotive Technology

1886 – The first modern car / Karl Benz receives patent for the motorcar
1889 – Headlamp
1911 – Electrical ignition system is invented by GM and installed on a Cadillac
1915 – Hydraulic brake. A hydraulic brake transmits uniform pressure on all four wheels
1930 – The first commercial in-car radio
1934 – Coil spring
1940 – Automatic transmission
1949 – The first modern key is invented by Chrysler, which allows the key to “turn” on the ignition
1951 – Power steering
1953 – Chrysler Imperial becomes the first car with air conditioning as an option
1958 – Volvo introduces the first lap-and-shoulders seat belt, which is still standard in vehicles today
1969 – First modern windshield wiper
1970 – First built-in cassette tape player
1971 – First anti-lock braking system, which prevents wheels from locking during braking by pulsing the brakes at millisecond intervals
1973 – Catalytic converter converts toxic gases from combustion into less-toxic pollutants
1974 – Digital dashboard displays
1984 – First built-in CD player
1988 – Airbag begins to come standard in a Chrysler, but only in the driver’s seat
1992 – Electromagnetic parking sensor
1994 – On-board diagnostics show problems on the dashboard
1996 – First connected car
2000 – First hybrid car with Toyota Prius
2001 – Bluetooth
2002 – Reverse camera
2003 – Automatic parking
2010 – Driving assist detects blindspots, lane departure alerts
2012 – Remote hacking through smartphones
2013 – 4G connection
2014 – Autonomous driving systems
2018 – 5G connection

IoT, Connected Vehicles, and Transport Security

As IoT technology advances, we start to wonder whether the security around the technology is sufficient. By now, we can assume that anyone with some familiarity with IoT devices knows that IoT needs stronger security than ICT, because an exploited IoT system directly affects and controls devices and can cause actual physical damage.

Autonomous Security and Regulative Security

Simply put, there are basically 4 areas that need security in the IoT environment: 1) smart home, 2) smart factory, 3) smart car, and 4) smart energy grid. 

1) and 2) tend to be autonomous in nature. Users decide whether they need IoT implementations and, if and when they do, whether those implementations need security applications. For factories, applying security is critical for safety reasons alone; however, most factories have not even applied existing ICT security as we know it.

This is where autonomous security gradually creeps in as a form of crisis management. In the context of IoT security, crisis management most likely explains why security of any sort is applied only after an accident occurs. This is how personal computers are secured nowadays, and most IoT security companies have set their minds on this method. It is easier and more convenient because it resembles the ICT security application method rather than the ideal IoT security we expected.

3) and 4), by contrast, are regulative in nature. With 3), a failure threatens not only one’s own safety but also the safety of others; with 4), strict management and security supervision are critical so that billing (pay-per-use of energy) can be programmed more fairly. Regulatory security can therefore be applied as a method of pre-emptive security.

After all, being pre-emptive is all about minimizing risks and threats by deciding to deploy security measures at the very earliest stages, such as when the entire system is being designed. This is unavoidable if hazards and unfair charges are to be prevented. It is similar to constructing private networks for existing major infrastructure such as nuclear power plants, which are operated only once sufficient security has been applied throughout the system and the network. Such security is established on a nationwide scale as infrastructure and is perceived as an integral part of the technology application process.

IoT Security as Life Security

Since IoT combines existing IT security with OT (operational technology), it carries a higher risk of physical damage when it is not protected from threats. It therefore follows stricter rules and regulations than OT, which definitely needs closed security that blocks any risks prior to connection.

When IT security fails, the losses are exploited assets at most; when OT security fails, human lives could be threatened. Let’s take a look at vehicles. Every consequence of insufficient vehicle security threatens safety. Remotely controlling the steering wheel or locking the vehicle, changing the speed and stopping the engine, and manipulating the GPS location: all of these have actually been carried out by hackers.

Security in vehicles therefore means more than just protecting the vehicles. Many countries are establishing and practicing vehicle security-related regulations. The US has announced strict regulations such as the ‘SELF DRIVE Act’, the ‘DoT Guideline’, and the ‘AV START Act’. The EU has its own ‘EC C-ITS’ business and smart car cybersecurity-related recommendations by ‘ENISA’, in addition to the UK’s ‘Smart Car Cybersecurity Guideline’, the ‘Vehicle Security Authentication Framework’ by the EC, and the ‘Vehicle Cybersecurity Principles’ by ACEA. In China, the government established the ‘Vehicle Security Committee’ in 2016 and has proceeded with its ‘China Cybersecurity Law’ since 2017.

Vehicle Security is Transport Security 

However, defending against vehicle hacking cannot be accomplished by in-vehicle security features alone, so it is more about overall transport security than about protecting the vehicle itself. As vehicles become smarter and more connected, their ‘simple internet connection’ is transforming so that the vehicle becomes a ‘direct participant in the transport network’, a shift that is now on its way to becoming universal thanks to the development of 5G.

It is critical to deploy V2X (vehicle-to-everything) communications security, which covers not only the vehicle’s internal security but also its communication with other vehicles and with intelligent transport systems like C-ITS. In fact, a complete vehicle security system must also support edge computing security, V2D (vehicle-to-device) mobile integration security, and V2G (vehicle-to-grid) electric vehicle ecosystem security. Vehicle security is like basketball’s full-court press: it addresses the safety of the entire transport system through a whole-system approach.

Existing vehicle security, on the other hand, is mostly about securing a simple internet connection, which explains the deployment of telematics server security, terminal security, and general web security. However, as the vehicle starts to participate directly in the transport network, security also transforms into ‘transport security’.

Vehicles also become connected to other vehicles, smart roads, and transport systems like RSU and C-ITS via V2X, as well as to energy services such as EV charging systems and the electrical grid via V2G. This is feasible only with a technical infrastructure that includes existing ICT security, new technologies such as V2X and V2G, and the distinct features of EV and PnC (plug-and-charge). In other words, this explains the high barrier for new entrants to the market.

The Future of IoT Security

There are certainly other areas to look into in transport-related systems. In addition to the development of vehicles and transport systems like C-ITS, the EV market is expected to take over the fuel market and to grow along with the potential of its services and technologies. The EV market is not only about the vehicle itself but also about the energy grid, including the smart meter, which together form the entire infrastructure.

The industry also requires higher-level technologies such as ‘internet of things’ authentication or decision making, due to the process limitations of central management and efficiency. We believe this will eventually lead to the development of BIoT (Blockchain + IoT) and shape the competitive edge. Unlike existing ICT security, where issues were resolved simply by taking financial responsibility, IoT security can have a real impact on people’s lives. So the question is: the industry is evolving, but is the security really sufficient?