The recent WIRED article by Andy Greenberg – HACKERS REMOTELY KILL A JEEP ON THE HIGHWAY—WITH ME IN IT – highlights the disregard for security by some manufacturers in the rush to implement features and bring online connected technology to market. This type of hack is both a canary for what is coming and, at the same time, completely avoidable.
I’ve spent years developing solutions specifically designed to address exactly these kinds of problems, and our fears are finally starting to be realised. The technology to address security in the automotive, and the more general IoT, landscape exists today; we and others have already developed it. What is needed, however, is a greater focus on security and investment in this security technology by automotive companies.
At Open Kernel Labs, we developed the OKL4 Microvisor – a small, lightweight but highly efficient and secure hypervisor and separation kernel. Robustness and security have always been some of its most important offerings. A separation kernel, by design, allows software to be compartmentalized almost as if each component ran on its own isolated processor, and then allows you to add back in a very controlled and limited set of inter-component communication channels which are fundamental to the functioning of the whole, but simple enough to lock down and secure.
The problem is fairly straightforward: a car has some obvious critical systems, which include the brakes, accelerator control and steering, and some less obvious ones such as the speedometer display, sound system and lights etc. – any of which under a hacker’s control can be deadly. What is being added by connecting vehicles to the internet is a whole suite of non-critical extras – such as streaming media, tracking and news, remote monitoring and GPS tracking – and some potentially dangerous remote control and firmware update type functionality which is intended to be used safely, for example turning on the lights or engine before arriving at the vehicle, or monitoring your battery charging. It should be obvious that what is needed is to separate the critical systems from the connected systems, and this includes infotainment systems etc., which are open to local hacking via USB for example. Finally, for those remote control scenarios, a very carefully managed and controlled interface between the car systems and the consumer systems is required. The design should always assume that the online and consumer systems are malicious from the start; this means very careful validation of commands received, and a very well designed and simple set of rules regulating what remote actions can take place and under what situations. For example, a vehicle under active driver control should never accept remote control instructions which may impact the safety of the driver, such as brake or accelerator control or even sound-system volume. Other independent, continuously active processors such as ABS and cruise control / autopilot shouldn’t accept any unsigned requests at all.
At the very minimum, many good design principles focus on separation. For example, a car should separate the trusted automotive buses connecting the automotive processors from all consumer systems such as infotainment and online interfaces. Ideally the automotive buses should even be encrypted, but that would add a major cost and is unlikely to be adopted for a long time. Systems controlling other non-obvious but potentially dangerous functions such as audio volume need to be separated and placed under rule-based control, such as always allowing the driver to override the software. Being unable to turn off the stereo, as Andy experienced, shouldn’t ever be possible.
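The command gateway described in the two paragraphs above (treat the consumer side as hostile, drop unsigned requests, and apply a short rule set keyed on whether a driver is in control) can be sketched as a small policy function. This is an added illustration, not Cog Systems or OKL4 code; the key, command names and vehicle-state fields are constructed for the example, and HMAC-SHA256 with a sequence number stands in for whatever authentication the bus processors would actually use.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed shared key for the demo; a real gateway would keep it in protected storage.
GATEWAY_KEY = b"constructed-demo-key-not-for-use"

# Rule table in the spirit of the post: a short allow-list, not a deny-list.
NEVER_REMOTE = {"brake", "accelerator", "steering"}   # vehicle control: never via the consumer side
PARKED_ONLY = {"audio_volume", "lights"}              # adjustable only when no driver is in control
ALWAYS_OK = {"engine_preheat", "battery_status"}      # the post's intended remote uses


@dataclass
class VehicleState:
    driver_active: bool    # someone is driving (ignition on, driver present)
    speed_kph: float


@dataclass
class Gateway:
    """Sits between the online/consumer side and the automotive bus."""
    last_seq: int = -1     # highest authenticated sequence number seen, for replay rejection

    @staticmethod
    def sign(seq: int, command: str) -> bytes:
        # Tag covers the sequence number too, so a captured message cannot be replayed.
        return hmac.new(GATEWAY_KEY, f"{seq}:{command}".encode(), hashlib.sha256).digest()

    def gate(self, state: VehicleState, seq: int, command: str, tag: bytes):
        """Return (forwarded, reason). The sender is assumed malicious from the start."""
        # 1. Authenticate before interpreting anything; unsigned requests are dropped.
        if not hmac.compare_digest(self.sign(seq, command), tag):
            return False, "rejected: bad or missing signature"
        # 2. A replayed or out-of-order message is not a fresh instruction.
        if seq <= self.last_seq:
            return False, "rejected: stale sequence number (replay)"
        self.last_seq = seq
        # 3. Apply the rule set; anything not listed does not exist on this interface.
        if command in NEVER_REMOTE:
            return False, f"rejected: {command} is never remotely controllable"
        if command in PARKED_ONLY:
            if state.driver_active or state.speed_kph > 0:
                return False, f"rejected: {command} refused while driver in control"
            return True, f"forwarded: {command}"
        if command in ALWAYS_OK:
            return True, f"forwarded: {command}"
        return False, f"rejected: unknown command {command!r}"
```

The point is that the rule table is small enough to review by hand, and the driver-in-control check runs on the vehicle side where the online system cannot influence it.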
The next step is to allow sharing of hardware resources between differently trusted software. The powerful CPUs which drive modern heads-up displays are expensive and can also run the navigation and infotainment systems, even the remote connectivity. Here a software separation layer which is equivalent to using separate physical hardware is a must when consolidating functions. While some may want to rely on the built-in separation provided by an operating system, in reality having a dedicated separation kernel such as the OKL4 Microvisor provides far higher assurance and a vastly smaller set of APIs which a hacker can use to attack one component from another compromised one. Security in automotive is not just about preventing remote attacks, but includes a whole range of additional functions such as preventing your crashed Android infotainment system or resource-hungry apps from interfering with more critical functions.
Some manufacturers have put in a bit of effort; however, the article Tesla hackers explain how they did it at Defcon shows that even a well designed monolithic system will have vulnerabilities, and that this can only be fully addressed by starting with the right system architecture. With a well designed architecture and use of separation technologies such as the OKL4 Microvisor, car (or any IoT device) hacking shouldn’t be so easy.
Cog Systems leverages the experience of many years of hard work building secure and trusted systems at Open Kernel Labs, General Dynamics and NICTA, and has the goal of making this technology more accessible and easier to adopt than ever before.