Let’s talk about computers on wheels
Let’s talk about computers on wheels
Would you agree that the term “computer on wheels” is an accurate way to describe a modern automotive vehicle? When you sit inside a car, do you feel that you are sitting inside a computer? Probably not, but it is not very far fetched to make that claim, and it comes with implications. Read on to find out more and to see if you agree or disagree with this claim.
One point of clarification first, however. While this blog talks about automotive vehicles and more specifically about cars, we can apply this to most other modern automotive vehicle types such as motorcycles, trucks, tractors, ships, boats, airplanes, and so on. Having said that, let’s get started.
Coming a long way
The automotive industry has come a long way. While Karl Benz built his first Motorwagen, which we generally consider to be the first modern car, in 1885, the automotive industry has existed since the 1860s. This is not to say that the concept of self-powered vehicles was a 19th-century innovation: the first full-scale, steam-powered tricycle was built in 1796 by Nicolas-Joseph Cugnot, while Ferdinand Verbiest is known to have designed a steam-powered toy vehicle for the Chinese Emperor in 1672. The history goes all the way back to 1478 when Leonardo Da Vinci drew plans for a self-propelled, spring-powered car(t).
In other words, cars in various forms and functions have been part of our lives for many generations. Over the many decades, cars have evolved in ways the first generation designers might not even have imagined to be possible (case in point: NASA’s LRV or the Lunar Roving Vehicle), while their essential functions have mainly remained the same.
Cars have many symbolic values and ideals attached to them as much as there are practical considerations, too. Cars embody the freedom of movement. Cars enable the transportation of passengers and goods, and by extension, create great many business opportunities. Cars offer excitement and memorable experiences in many forms, from social settings to a variety of motorsports. And let’s be honest here, for some people, cars also reinforce their sense of self-importance and public image.
With all that, how many people look at their cars and see a computer?
A computer on wheels
A modern car is very much a computer on wheels. More than that, it is not just the engine and a set of wheels (and a heavy right foot) that makes a car move, but a network of dozens of highly specialized computers commonly referred to as Electronic Control Units (ECUs). A modern car might have up to a hundred different Electronic Control Units, such as Central Control Module (CCM), Engine Control Module (ECM), Transmission Control Module (TCM), Central and General Electronic Module (GEM). When you press a button and the side window opens? There’s an Electronic Control Unit operating that too. The number of ECUs in a car grows as manufacturers come up with new features and functionalities for their car models.
Electronic Control Units are connected to other ECUs and a multitude of sensors, switches, electric motors, actuators, and dials via a local network, the Controller Area Network, which is commonly referred to as the CAN bus. Conceptually this is very much like the LAN (Local Area Network) that connects a computer with other computers, local network appliances (printers, TVs, and the like) and the Internet in homes and offices.
So we have established that a car can be described as an automotive computer network, which has the potential to get from zero to 100 km/h pretty darn fast.
For the most part, Electronic Control Units communicate only locally with other units connected to the same CAN bus (there can be other local networks as well, but let’s not go there now). Computers and networks have interfaces to enable communication and interaction, and the same holds true with cars: an ECU is essentially a highly specialized computer that communicates with other similar units over the local Controller Area Network. This network can be physically interfaced with via an On-Board Diagnostics (OBD) port, which is the primary means for mechanics to find out about the state of the car. It is also how the various Electronic Control Units in cars can be programmed.
While OBD can be seen as the primary interface to the car’s network of Electronic Control Units and other related components, there is an increasing number of additional interfaces that enable both physical and wireless communication with the car. For example, a car navigator receives positional data wirelessly from a Global Navigation Satellite System (GNSS) such as GPS, Galileo, GLONASS, or BeiDou. Many cars have a USB-port for people to connect their mobile devices while also offering Bluetooth connections for the same purpose. 4G and 5G connection will become increasingly common as cars are linked up with cloud services to upload car statistics as well as to download apps and updates. Through all this, cars are being transformed from merely providing means of transportation to also contain repositories of personally identifiable data, among other things.
The thing with computers is that they all can be hacked. From this follows that a modern car can be hacked as well. Sounds a bit dodgy? As it happens, mechanics, motorsports teams and car enthusiasts have been doing this for a long time by programming and tweaking their engine settings and other performance influencing parameters — nothing wrong with that (though it very likely will void the warranty of your car). However, as cars become more sophisticated and easier to interact with, they are also becoming increasingly attractive targets for other kinds of hackers as well — the kind that thinks in terms of attack vectors and exploitable opportunities for various reasons and motivations.
For example, having a “keyless” car is pretty handy, but an RFID-based keys could be cloned. Sharing the car data in an unsecure cloud service could enable outside parties to track the movements of the car or to learn details about its usage. The worst case scenario could be, if the car’s internal network can be accessed from outside, an intruder could be enabled to manipulate some of the car’s subsystems. As potential attack vectors and exploits go, the development of modern cars is opening up opportunities.
This, by itself, does not need to be a problem. Other computers such as Windows, OS/X, and Linux desktops and laptops, smart-phones, and networked home appliances face similar issues. Instead, what can be seen as a problem is the lack of awareness: with ordinary computers, the users are already familiar with concepts such as computer viruses, password safety, data encryption, and having backups. Smart-phone users are learning to be wary of third-party apps, microtransactions, excessive use of network bandwidth, and suspicious calls from international numbers. There are active discussions about information security issues related to the Internet of Things, and so on. However, when it comes to cars, it is probably safe to say that information security concerns are not very high in a list of consumer concerns. The idea of having to install a virus scanner to a car might seem laughable now, but in the not-too-distant future this might actually be a responsible thing to do. While you are at it, you might as well check the firewall of your car and install the latest security patches.
The point is that vehicle information systems continue to become more sophisticated, and various means of interfacing with a car, both physically and remotely, are also increasing. All parties, and especially consumers, need to take the information security issues seriously or, at least, become more aware of the matter. Safety and reliability are very high in the automotive industry’s list of priorities, so there should be no doubt that the same attention will be given to information security concerns as well. It is just that we do not commonly associate with cars topics such as authentication and authorization (beyond having the car keys), network firewalls and encrypted connections, Secure Development Lifecycle (SDL) and other secure programming practices, penetration testing (without using a crowbar), data protection and cloud service issues. At least not yet, in the minds of ordinary people.
In the near future, as driverless cars become more common, people are going to become more aware of the reality that it might no longer be a human who is in charge of a moving vehicle. Vehicle-to-vehicle networks will also evolve and become more common as a means for cars to exchange information about their speed, position, heading, and other actions. This will make it easier to manage the flow of traffic, reduce traffic jams, and improve overall road safety, but not without introducing a new set of information security concerns. For some people it may be challenging to give up their sense of control unless they can substitute it with an improved sense of security and trust.
To conclude, as information systems are becoming ever more sophisticated, the automotive industry is facing new challenges that might not be traditionally associated with vehicle manufacturing. The information security and secure software development practices that are the norm in the software industry will, by necessity, be adopted by the automotive industry to build better and safer vehicles. For example, consider the following twelve practices from SDL:
- Provide training
- Define security requirements
- Define (security and privacy) metrics and compliance reporting
- Perform threat modeling
- Establish design requirements
- Define and use cryptographic standards
- Manage security risks of using 3rd party components
- Use approved tools
- Perform Static Analysis Security Testing (SAST)
- Perform Dynamic Analysis Security Testing (DAST)
- Perform penetration testing
- Establish a standard incident response process
With these and other information security related concerns, you are more than welcome to contact us and have our software and security professionals help your project to be successful.