NETWORKING

  • 12/16/2014
    7:00 AM
  • Rating: 
    0 votes
    +
    Vote up!
    -
    Vote down!

How Ethernet Can Secure The Connected Car

In-car networks could become the next favorite target for hackers. Ethernet offers many options to protect the connected car from malicious attacks.

In-car networks are increasingly being designed-in and deployed to connect systems such as infotainment, driver assist, autonomous driving and safety systems, often on shared, high-bandwidth infrastructures. These networks, and the devices that connect to them, require diagnostics and service through external interfaces. Additionally, more and more of today’s connected cars are equipped with Internet access, and oftentimes a WLAN,  to communicate with devices inside and outside of the vehicle.

Consequently, the connected car could also become a prime target for hackers.  Using just a laptop or tablet, hackers have the potential to take control of the electronics in your car. There is already research today that documents and demonstrates such attacks with alarming consequences.

In contrast to traditional IT networks, the in-car network is manufactured and physically insecure. So, with access to a mass produced vehicle and the appropriate time and resources, a hacker can develop a set of “attacks” against the vehicle and then distribute those attacks through an entire fleet. In other words, a single, well-engineered attack could have a wide impact.

Figure 1:
Figure 1. The connected car is vulnerable to attacks at many different entry points into the network via firmware corruption or through an Ethernet on-board diagnostics port, Ethernet port access or gateway device. The types of attacks that can occur include network control (hackers install or corrupt a device on the network so they can control the operation of other devices), denial of service, and snooping (information theft).

Figure 1. The connected car is vulnerable to attacks at many different entry points into the network via firmware corruption or through an Ethernet on-board diagnostics port, Ethernet port access or gateway device. The types of attacks that can occur include network control (hackers install or corrupt a device on the network so they can control the operation of other devices), denial of service, and snooping (information theft).

Increasingly, Ethernet is being designed into in-car networks because of its high bandwidth, price-performance, ubiquity, and future technology roadmap, while new standards such as single twisted-pair and Audio Visual Bridging (AVB) are opening up many new automotive use cases. Ethernet's already in some vehicles today.

By 2020, Frost and Sullivan estimates that most cars will have 50 to 60 Ethernet ports, with premium vehicles pushing that number toward 100. Even entry-level vehicles are expected to get in on the action with roughly 10 Ethernet ports.

Ethernet, particularly switched Ethernet, has been deployed in IT environments for several decades and has a long history of standards and solutions that can help secure the network.

To better understand how Ethernet can help secure the connected car, it’s important to first understand some basics about the technology. As shown in Figure 2, Ethernet uses a standard packet format that includes a source and destination address, a VLAN tag and a Frame Check. This provides a basic level of authentication, isolation and data integrity. The addresses can be globally unique or locally administered (given that the in-car network is mostly a closed network).

The Ethernet switches provide traffic isolation and filtering using a Filtering Database (FDB) or Multicast Forwarding Database (MFDB), and can act as management points for further network control. A rich set of statistics standards enable anomaly monitoring in software. 

Figure 2:
Figure 2. The Ethernet frame's header contains destination and source MAC addresses as its first two fields and a cyclic redundancy check (CRC) to verify packet integrity. It may also contain a VLAN tag, which defines a system and procedures to be used by bridges and switches to support VLANs.

Figure 2. The Ethernet frame's header contains destination and source MAC addresses as its first two fields and a cyclic redundancy check (CRC) to verify packet integrity. It may also contain a VLAN tag, which defines a system and procedures to be used by bridges and switches to support VLANs.

Switched Ethernet offers a base level of security protection, but more is needed, and many additional features have evolved and are widely supported in Ethernet standards and/or products. Because the in-car network is typically highly-engineered and static with predictable traffic characteristics, it offers the opportunity to tightly configure and constrain the network operation according to design intent.

For instance, there are several ways to control the scope of network traffic and in turn, the potential for snooping and attack. One approach uses VLANs to create multiple broadcast domains within the physical network (see Figure 3); this is already broadly deployed and supported by Ethernet switches. Using VLANs, you can isolate traffic of different types on the shared physical network such that devices can only talk to the other devices within their domain. For example, one VLAN can be configured for Infotainment while a separate one can be configured for driver assist and another for safety.

Network isolation between the two can be enforced by the Ethernet switches. Traffic isolation also can be achieved within each VLAN through the use of unknown unicast or multicast filtering. Rogue stations and MAC spoofing can still occur, but techniques such as static provisioning of the FDB, port MAC locking, and implementation of software learning limits can all be used to mitigate this risk.

Figure 3:
Figure 3. VLANs can be used to limit the scope of traffic and mitigate the risk of attack. Note that no connectivity exists between the VLANs themselves without a router.

Figure 3. VLANs can be used to limit the scope of traffic and mitigate the risk of attack. Note that no connectivity exists between the VLANs themselves without a router.

In addition, access control lists (ACLs) can  reduce the scope of traffic and are particularly well suited for the in-car network because of the opportunity to design in knowledge of expected device and network behavior. ACLs provide precisely configured match-action rules for packet forwarding that define which stations can transmit and where the traffic is allowed to go.

NEXT: More security features 


Comments

Public confidence

Interesting post. It's going to be really important to emphasise security as a selling point when it comes to automated and really interconnected vehicles, as one big hack with nasty consequences could really sour people on the technology for a long time - which would be a real shame. 

Re: Public confidence

I agree. Security researchers such as Charlie Miller have already demonstrated security vulnerabilities in connected cars: http://www.wired.com/2014/08/car-hacking-chart/. So automakers should know that they need to make cybersecurity a priority.

 

 

Re: Public confidence

I'm glad people are thinking about the security of connected cars, but if history is any guide, connected cars will be as vulnerable as home and corporate networks. VLANs, authentication and encryption are useful, but they have to be turned on, properly configured, and maintained. And as we've seen in banking and retail, a determined hacker can still get around these kinds of controls. And even if auto manufacturers manage to lock down the networking portion, we also know from experience the OS and application layers are rife with exploitable vulnerabilities.

Connected cars are a terrible, terrible idea, and I haven't even gotten to issues of privacy, location tracking, and data mining.

You'll know it's me driving down the street because I'll be in the car wrapped in tin foil.

Re: Public confidence

LOL! I may need to get some tin foil for my car too Drew. Apart from potential safety features, I don't see much of a purpose for connected cars. The security and privacy risks are too big.

Re: Public confidence

The other day I was speaking to somebody whose neighbour was outside ranting and raving on the phone, all because the newish car would not start. It turned out that he had fallen behind on the payments and the finance company stopped the car from starting! There is a downside to a connected car it would seem.

Re: Public confidence

Wow, I'd never heard of something like that. According to this report, "automated collection technology" is becoming part of the subprime automotive lending market.

 

 

 

Re: Public confidence

That's crazy -- just shows the unforeseen results of technology creep. Soon they'll be able to reposess and drive your car away automatically without you even knowing.

Re: Public confidence

Interesting Blog, sounds like some transporter movie. On board dignostic of your car, but i am curious to know, will i be able to understand all that technical reports flashing on my screen for axel, breaks or engine. This is what i call real connected world.

 

Re: Public confidence

@aditshar1, that is a good point, it will be interesting to see if the general consumer outside the IT industry will take up a liking for this level of information. A connected car is starting to seem like a full-fledged datacenter on wheels. However, this complexity is a small price to pay for the potential benefits that ADAS and fuel efficiency can provide.

And about network isolation, it is good for security, etc., but another benefit that network isolation could create is that since wireless data is quite expensive after a certain point for the consumer, isolation would enable the consumer to turn off non-essential services such as, infotainment systems, while leaving the important ADAS systems connected and save on data charges until 5G brings down data rates.

Re: Public confidence

Yes Network isolation is also a considerable point infact one of the very important point, but i believe that should not be a challenge at current stage, rather making these cars on intenet simple is big challenge right now.

I recently saw BMW X5, released last year, used single-pair twisted wire, 100Mbps Ethernet to connect its driver-assistance cameras.

I am curious to study if we have any study case for them.

Re: Public confidence

The same benefits of isolation can be achieved through software as well, for instance, the BMW X5's infotainment system enables are user to surf the internet, but it is setup in a such a fashion that it prohibits the user from browsing the internet unless the vehicle is stationary.

Re: Public confidence

@Susan, it is pretty scary although keeping up with car payments would help. You just have to wonder where this technology will pop up next.

Re: Public confidence

Hey Marcia, if I had not had heard it from a friend, I would never have believed it myself.

Re: Public confidence

@David, I had no idea that such a situation was even possible. It is good for consumers to maintain a healthy cash flow and meet payments on time, etc., but at the least the financing company could have informed their customer that they were about to switch off the car.

Re: Public confidence

@Brian I suppose that in the future it could be applied to other circumstances such as fines, curfews and so on!

Re: Public confidence

@David, I think you are 100% right as the possibilities would increase. For a few instances, it would be a welcomed addition as parents that buy their children transportation in order for their children to reach college/university would like to have an audit system in place, for other situations it will be an unwelcomed addition.

Re: How Ethernet Can Secure The Connected Car

If you're outside the automotive industry, all these great connectivity features, entertainment options, and driving assistants may just be great consumer products to you. It's easy to forget that we have IT brethren in the trenches at these automakers who have a tall order ahead of them, and that we're talking about a fundamental shift in something that's very fundamental to our society (that is, cars and driving). Talk about Google's self-driving cars has people buzzing about security concerns, but these really aren't new. Those numbers for ethernet ports in cars today and by 2020 seem high even to me, and as Marcia shared, there are plenty of vulnerabilities in cars on the road today. We may not think of ethernet as fundamental to these technologies at first glance, but your breakdown is a great explanation as to why it is, Ben.

A key point you keep hitting on is how additionally useful these security options are because they're going in a car, and I hadn't really thought about that. You don't have to worry about interoperability, future extensibility, or even standardization and compliance. Most of the car's systems only needs to talk to one another, and there's little variance in it's day-to-day operations. VLANing seems especially great. While it's already in use tons of places, automakers could really go nuts with it and hyper-segmenting systems across the board. As I was reading about the other options, it occured to me how well they would synergize with the segmentation - not only can someone not crack into a system without very well-spoofed credentials, a specific attack targetted at that model of car, and a very specific expoit in mind, but they also can't touch any other system with it. I like it.

Public Confidence

@david_allen, that is a terrible experience! Do things like this happen to everyone, or just one particular car company? This is definitely a negative effect of advanced car technology. Machines and technology are supposed to make things easier for us; sometimes, though, we forget that technology is controlled by man. So, man can do whatever he wants with it!

@Drew: "...a determined hacker can still get around these kinds of controls..." Couldn't agree more with this! It's what makes hackers scary and unpredictable. They're always like a step ahead of everyone, so even if there's new technology that's supposed to "keep them away", they always find their way around it and get to fulfill their goal. I'd ride in a connected car, but I'm not sure if I'd buy one.