Securing the Smart Car

  • September 24, 2020
  • William Payne

The connected car market is big business. One authoritive estimate of the market’s value today puts it at just over $63 billion. Estimates of future value soar into the stratosphere: $200 billion by 2026 is typical.

But there’s a big fly in the connected car ointment: security.

The more connected cars get, the bigger targets for hackers and cybercriminals they become.

That’s obviously a big concern in itself. No carmaker wants to sell a car that’s potentially unsafer than last year’s model. And they certainly don’t want to sell a car that can be tampered with while travelling at speed down a freeway.

There a second big concern though: it’s going to kill the market for autonomous cars.

Multiple studies and surveys have shown that members of the general public have fears over autonomous cars. According to a 2019 survey by America’s AAA, as many as 71 percent of the public fear self driving cars. And it’s growing according to the AAA, up from 63 percent in 2017. Worries about autonomous car hacking are among the main fears driving distrust of the new technology, fuelled by widespread media coverage on the subject.

A recent IMC online conference tackled this subject head-on, and presented a number of different approaches to securing connected and autonomous cars.

GlobalPlatform is an industry association focused on securing IoT devices and services. Comprising 2,600 representatives from over 80 companies, it has some four task forces, 20 working groups, and has produced over 150 technical documents.

The Association is working with the Connected Car Consortium to develop standards and specifications to secure connected cars. The Consortium has completed phase one of a digital key specification based on GlobalPlatform’s Secure Element technology.

At the heart of GlobalPlatform’s approach is its Device Trust Architecture that utilises secure components to establish two key concepts: a ‘root of trust’, and a ‘chain of trust’.

According to Nils Gerhardt, chairman of GlobalPlatform, the root of trust is the beginning of security in its scheme for IoT security. It comprises secure components, running in a secure execution environment, from the boot layer through to the device OS, and all applications running on the device. The whole of this makes up what GlobalPlatform calls the chain of trust.

The Association has collected all its IoT security efforts into a framework that it brands ‘IoTopia’.

IoTopia is made up of four planks: secure by design; device intent; autonomous onboarding; and device lifecycle management.

Unpicking those main components, the first is securing IoT systems through defining and certifying common device capabilities, with flexible definitions for different industries.

The second plank is aimed at addressing how to secure components or devices within a wider ecosystem. It relies on something called a ‘MUD’, or manufacturer usage description. Manufacturers provide a standardised description of the device and its purpose that allows it to be secured within the overall system framework.

To expand the use of MUDs, GlobalPlatform will soon be launching an initiative to simplify their use, and promote their take-up.

The second plank makes possible secure onboarding of devices and components into systems. But according to Nils Gerhardt, the sheer number of IoT devices makes manual onboarding impossible. The third plank aims at making the process automatic and scalable.

The fourth plank aims at a proper device lifecycle management of devices in order to limit attacks. To this end, GlobalPlatform has launched a number of initiatives, including software component transparency, and end of life management.

Blockchain is another approach to securing connected vehicles that is attracting a lot of interest within the automotive industry.

BMW is just one of a number of carmakers that has established a major automotive blockchain initiative. BMW sees the technology as strategic to future connected and autonomous cars.

According to analyst Joshua Taubenheim of MachNation, a Boston-based IoT benchmarking and testing specialist, blockchain is increasingly seen as providing a secure technology base for building new solutions such as EV recharging, autonomous vehicles, and smart road infrastructure.

Blockchain is a new form of database, often described as a ledger. Transactions are stored in blocks.

The security advantage of blockchains is twofold.

Firstly, they are decentralised, self monitoring networks. Manipulation of one node can be cancelled by the other blockchain nodes. Legitimate transactions require a majority of nodes to assent.

The second advantage is that each transactional block contains two hashes, or digital fingerprints. One is its own, the second is the preceding block. This is the ‘chain’ on a blockchain. Manipulation of a block breaks the chain, and be immediately detected.

Joshua outlined three notable use cases where blockchain is being actively implemented in automotive applications: EV billing; crowdsourcing road conditions; and ride sharing.

Blockchain can eliminate the need for drivers to swipe their credit cards to recharge their vehicles. Instead, sensors such as RFID, GPS, and BLE, combined with blockchain and cloud, can automatically bill a customer without the need to produce a card. For the driver, it means a safer, more secure and faster recharging experience.

The technology can also provide a secure means to collect real time traffic and road condition data from onboard smart car sensors. The advantage of blockchain is that it makes crowdsourcing such data secure and preserves participant anonymity within the network. The data can then be provided to other road users, and to public and safety services.

Building a ride-sharing business can also benefit from blockchain. It provides for secure transactions, and can preserve participant anonymity. Blockchain also reduces the cost of operating such networks through transactional decentralisation, leading to lower minimum fees for journeys.

Robust security at every level is essential for connected and autonomous cars. As manufacturers extend the scope of the connected car, and introduce more autonomous driving features, the public needs assurance that automotive device security is all-embracing, multi-layered, and unhackable.

The IMC Auto IoT Day provided insights into the emerging technologies and standards that are achieving that new level of automotive security.