How Ethernet Can Secure The Connected Car

In-car networks could become the next favorite target for hackers. Ethernet offers many options to protect the connected car from malicious attacks.

Ben Gale

December 16, 2014


In-car networks are increasingly being designed in and deployed to connect systems such as infotainment, driver assist, autonomous driving and safety systems, often on shared, high-bandwidth infrastructures. These networks, and the devices that connect to them, require diagnostics and service through external interfaces. Additionally, more and more of today’s connected cars are equipped with Internet access, and oftentimes a WLAN, to communicate with devices inside and outside of the vehicle.

Consequently, the connected car could also become a prime target for hackers. Using just a laptop or tablet, hackers have the potential to take control of the electronics in your car. There is already research today that documents and demonstrates such attacks with alarming consequences.

In contrast to traditional IT networks, the in-car network is mass-manufactured and physically insecure. So, with access to a mass-produced vehicle and the appropriate time and resources, a hacker can develop a set of “attacks” against the vehicle and then distribute those attacks through an entire fleet. In other words, a single, well-engineered attack could have a wide impact.

Figure 1. The connected car is vulnerable to attacks at many different entry points into the network via firmware corruption or through an Ethernet on-board diagnostics port, Ethernet port access or gateway device. The types of attacks that can occur include network control (hackers install or corrupt a device on the network so they can control the operation of other devices), denial of service, and snooping (information theft).

Increasingly, Ethernet is being designed into in-car networks because of its high bandwidth, price-performance, ubiquity, and future technology roadmap, while new standards such as single twisted-pair and Audio Visual Bridging (AVB) are opening up many new automotive use cases. Ethernet's already in some vehicles today.

By 2020, Frost and Sullivan estimates that most cars will have 50 to 60 Ethernet ports, with premium vehicles pushing that number toward 100. Even entry-level vehicles are expected to get in on the action with roughly 10 Ethernet ports.

Ethernet, particularly switched Ethernet, has been deployed in IT environments for several decades and has a long history of standards and solutions that can help secure the network.

To better understand how Ethernet can help secure the connected car, it’s important to first understand some basics about the technology. As shown in Figure 2, Ethernet uses a standard packet format that includes a source and destination address, a VLAN tag and a Frame Check. This provides a basic level of authentication, isolation and data integrity. The addresses can be globally unique or locally administered (given that the in-car network is mostly a closed network).

The Ethernet switches provide traffic isolation and filtering using a Filtering Database (FDB) or Multicast Forwarding Database (MFDB), and can act as management points for further network control. A rich set of statistics standards enables anomaly monitoring in software.

Figure 2. The Ethernet frame's header contains destination and source MAC addresses as its first two fields and a cyclic redundancy check (CRC) to verify packet integrity. It may also contain a VLAN tag, which defines a system and procedures to be used by bridges and switches to support VLANs.
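
The frame layout described above, parsed field by field, as an added Python example that is not part of the original article. The sample frames, MAC addresses and VLAN ID are constructed; the last sample shows that the frame check detects corruption but says nothing about who sent the frame.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def fcs(data: bytes) -> bytes:
    """Frame check sequence: CRC-32, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def parse_frame(frame: bytes) -> dict:
    """Split header + payload + 4-byte FCS into the fields of Figure 2."""
    if len(frame) < 18:  # 14-byte header plus FCS at minimum
        raise ValueError("frame too short")
    body, trailer = frame[:-4], frame[-4:]
    dst, src = body[0:6], body[6:12]
    (ethertype,) = struct.unpack("!H", body[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(body) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", body[14:18])
        pcp, vlan, offset = tci >> 13, tci & 0x0FFF, 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan": vlan, "pcp": pcp, "ethertype": ethertype,
        "payload": body[offset:],
        "fcs_ok": fcs(body) == trailer,
        "src_local": bool(src[0] & 0x02),  # U/L bit: locally administered
        "dst_group": bool(dst[0] & 0x01),  # I/G bit: multicast or broadcast
    }

def build_frame(dst, src, vlan, pcp, ethertype, payload) -> bytes:
    """Build a tagged frame with a valid FCS (for the constructed samples)."""
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan)
    body = dst + src + tag + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

# Constructed samples: locally administered MACs, VLAN 20, priority 5.
SAMPLE = build_frame(bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b"),
                     vlan=20, pcp=5, ethertype=0x0800, payload=bytes(46))
# One payload byte altered in transit: the FCS no longer matches.
CORRUPT = SAMPLE[:30] + b"\xff" + SAMPLE[31:]
# Source MAC rewritten and CRC recomputed: the check passes, so the FCS
# detects transmission errors but does not authenticate the sender.
FORGED = SAMPLE[:6] + bytes.fromhex("0200000000ee") + SAMPLE[12:-4]
FORGED += fcs(FORGED)
```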

Switched Ethernet offers a base level of security protection, but more is needed, and many additional features have evolved and are widely supported in Ethernet standards and/or products. Because the in-car network is typically highly engineered and static, with predictable traffic characteristics, it offers the opportunity to tightly configure and constrain the network operation according to design intent.

For instance, there are several ways to control the scope of network traffic and, in turn, the potential for snooping and attack. One approach uses VLANs to create multiple broadcast domains within the physical network (see Figure 3); this is already broadly deployed and supported by Ethernet switches. Using VLANs, you can isolate traffic of different types on the shared physical network such that devices can only talk to the other devices within their domain. For example, one VLAN can be configured for infotainment while a separate one can be configured for driver assist and another for safety.

Network isolation between them can be enforced by the Ethernet switches. Traffic isolation also can be achieved within each VLAN through the use of unknown unicast or multicast filtering. Rogue stations and MAC spoofing can still occur, but techniques such as static provisioning of the FDB, port MAC locking, and implementation of software learning limits can all be used to mitigate this risk.

Figure 3. VLANs can be used to limit the scope of traffic and mitigate the risk of attack. Note that no connectivity exists between the VLANs themselves without a router.

In addition, access control lists (ACLs) can reduce the scope of traffic and are particularly well suited for the in-car network because of the opportunity to design in knowledge of expected device and network behavior. ACLs provide precisely configured match-action rules for packet forwarding that define which stations can transmit and where the traffic is allowed to go.
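
The controls from the preceding paragraphs (VLAN membership, a statically provisioned FDB, port MAC locking, unknown unicast filtering and ACLs) combined into one forwarding decision, as an added Python model that is not from the original article. The topology, MAC addresses, port numbers and VLAN IDs are constructed, and the order of the checks is an assumption; real switches differ.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Switch:
    port_vlans: dict   # port -> set of VLAN IDs the port belongs to
    static_fdb: dict   # (vlan, dst MAC) -> egress port, provisioned, never learned
    port_lock: dict    # port -> the one source MAC accepted on that port
    acl: list = field(default_factory=list)  # permitted (vlan, src, dst) flows

    def forward(self, in_port, vlan, src, dst):
        """Return (egress ports, reason); an empty port list means dropped."""
        if vlan not in self.port_vlans.get(in_port, set()):
            return [], "ingress port not in VLAN"
        if self.port_lock.get(in_port) != src:
            return [], "source MAC not locked to port"
        if dst == BROADCAST:  # broadcast stays inside its own VLAN
            return sorted(p for p, v in self.port_vlans.items()
                          if vlan in v and p != in_port), "flooded within VLAN"
        out_port = self.static_fdb.get((vlan, dst))
        if out_port is None:  # no flooding of unknown destinations
            return [], "unknown unicast filtered"
        if (vlan, src, dst) not in self.acl:  # default deny for unicast
            return [], "no ACL rule permits flow"
        return [out_port], "forwarded"

# Constructed topology (all names, MACs, ports and VLAN IDs are illustrative).
HEAD, DISPLAY = "02:00:00:00:10:01", "02:00:00:00:10:02"
CAMERA, ADAS = "02:00:00:00:20:01", "02:00:00:00:20:02"
SWITCH = Switch(
    port_vlans={1: {10}, 2: {10}, 3: {20}, 4: {20}},  # 10 infotainment, 20 driver assist
    static_fdb={(10, HEAD): 1, (10, DISPLAY): 2, (20, CAMERA): 3, (20, ADAS): 4},
    port_lock={1: HEAD, 2: DISPLAY, 3: CAMERA, 4: ADAS},
    acl=[(10, HEAD, DISPLAY), (20, CAMERA, ADAS)],
)
```

Each rejected frame comes back with the name of the control that stopped it, which is the same information a switch's drop counters give a monitoring process.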


Other areas where new features are helping to further secure the Ethernet infrastructure and, in turn, connected cars, include:

Rate limiting and bandwidth awareness
By default, Ethernet does not impose limits on how much bandwidth an end-point can use. That means one badly behaved end-point can disrupt or deny service to others. Existing methods to address this issue include storm control, which rate-limits broadcast, multicast and unknown unicast traffic per port, and ingress/egress metering, which limits overall port traffic. Flow-based policing, which can precisely define and enforce bandwidth rules on a per-flow level, is another powerful option, as is using the many standard counters for software-based monitoring.
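
Storm control as described above, modelled as a per-port token bucket, in an added Python example that is not from the original article. The rate, burst size, port number and traffic are constructed values; the meter applies only to broadcast, multicast and unknown unicast, and known unicast passes unmetered.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
US = 1_000_000  # microseconds per second; token math stays in integers

class StormControl:
    """Per-port token bucket for broadcast, multicast and unknown unicast."""

    def __init__(self, rate_bytes_per_s, burst_bytes, known_macs):
        self.rate = rate_bytes_per_s
        self.burst = burst_bytes * US   # bucket depth, scaled by US
        self.known = set(known_macs)    # destinations present in the FDB
        self.state = {}                 # port -> (scaled tokens, last time in us)

    def classify(self, dst):
        if dst == BROADCAST:
            return "broadcast"
        if int(dst[:2], 16) & 0x01:     # group bit of the first octet
            return "multicast"
        return "unicast" if dst in self.known else "unknown-unicast"

    def admit(self, port, dst, length, now_us):
        """True if the frame may be forwarded, False if storm control drops it."""
        if self.classify(dst) == "unicast":
            return True                 # known unicast is not metered here
        tokens, last = self.state.get(port, (self.burst, now_us))
        tokens = min(self.burst, tokens + (now_us - last) * self.rate)
        ok = tokens >= length * US
        self.state[port] = (tokens - length * US if ok else tokens, now_us)
        return ok

def replay(meter, frames):
    """frames: (port, dst, length, time_us) tuples; returns (admitted, dropped)."""
    results = [meter.admit(*f) for f in frames]
    return results.count(True), results.count(False)

# Constructed burst: port 7 sends 100 broadcast frames of 100 bytes, 100 us apart.
BURST = [(7, BROADCAST, 100, i * 100) for i in range(100)]
```

With a 10,000 byte/s rate and a 1,000-byte burst allowance, only the first ten frames of the constructed burst are forwarded; the port recovers once the bucket refills.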

Device authentication/authorization
While each Ethernet packet contains a source MAC address, MAC addresses can be spoofed. So how exactly does one authenticate a device as valid prior to letting it onto the vehicle’s Ethernet network? The widely implemented 802.1X standard is one option. 802.1X defines a standardized means of passing Extensible Authentication Protocol (EAP) frames over a wired or wireless LAN. The framework allows for the exchange and validation of security credentials prior to granting access to the network. EAP supports many authentication methods (e.g., EAP-PSK and EAP-TLS), each one with its own set of authentication keys and credentials for device verification.

The strength of the authentication is determined by the different methods and credentials used, and this can all be pre-configured in the private environment of the manufacturing or service facility.

The IEEE 802.1AR secure device identifier standard, widely used in point-of-sale devices today, may also prove helpful in securing highly sensitive devices in the connected car, such as a secure gateway. It defines device identity and cryptographic binding to the device, as well as operation with EAP-TLS/802.1X.

Data encryption
Encryption ensures that encoded data is accessible only to authorized parties. Encryption can be performed at many layers in the communication stack, including the Ethernet layer; the 802.1AE MAC Security (MACsec) standard offers MAC-level encryption and message authentication for Ethernet using 802.1X for secure key exchange. However, it does require hardware support, which brings added cost and power demands, so it's not typically supported in mainstream devices.

There are many other standard methods for performing data encryption and authentication for Ethernet transport, including IEEE 1722a, IPsec, and HDCP.

While Ethernet has long been used as an IT network technology, its application in the connected car is an undeniably growing trend. Ethernet offers a variety of mature, standard and widely supported and deployed options to protect the car from malicious attacks, and to secure the network infrastructure. These features will ensure Ethernet is well primed to play a critical role in securing the connected car for years to come.

About the Author

Ben Gale

Technical Director, Infrastructure and Networking, Broadcom
