With Great Code Comes Great Vulnerability

How Auto Makers Are Working to Secure Connected Cars

Last week, Fornetix attended the inaugural Auto-ISAC summit. “ISAC” stands for Information Sharing and Analysis Center. There are several long-standing ISACs for other industries including aviation, electricity, natural gas, and financial services. You can find the full list here if you are curious.

What is an ISAC?

Industries, whether they are utilities, forms of transportation, or even just collectives of organizations, have systems and components that span companies and affect the whole industry. ISACs were started so that companies can report vulnerabilities or defects to each other and to the government before the information is publicly released. This allows the industry as a whole to respond to the issue, rather than a single company addressing it and leaving the vulnerability or defect out there for every other company to find on its own.

As an example, imagine if one of the big airlines found an issue in their video monitors that allowed a passenger to take control of a plane. Chances are good that the same model of plane or video monitor is used by another big airline. The airline that found the issue has two options: fix the issue on their own and leave the vulnerability for their competitors to deal with, or alert the industry so that the issue is fixed on all affected models at the same time. If the company is in the Aviation ISAC, then they will share the issue with all airlines and manufacturers at once. This is better for public safety and better for business overall, as each company gets back as much as, if not more than, they put into the ISAC.

How does an automotive ISAC work then? Aren’t all the cars different?

We tend to think of cars by their brands or by their models. There are a number of companies involved in the creation of a car, though, enough that they are organized into tiers. When we break it down, there are 1) the Original Equipment Manufacturers (OEMs) such as Ford, General Motors, and Tesla; 2) the Tier One manufacturers that supply parts or subsystems to the OEMs, like Magna, Robert Bosch, and Delphi; and 3) the Tier Two and lower manufacturers that supply to the Tier One manufacturers or the next tier up. The easiest example of this is probably tires. Whether the car is made by Ford, GM, Toyota, Honda, or Hyundai, there is a good chance that they could all have the same type of tire made by a company such as Goodyear, Yokohama, or Firestone.

Sharing issues with parts like tires makes sense. Why would a cyber security company get involved with the Auto-ISAC, though?

The easiest way to answer this is to talk about code complexity. Simply put, the more code that must be written for something, the greater the risk of a mistake or a bug that someone can take advantage of. Automotive complexity is surprisingly high.

For comparison, how many lines of code are in a car, a plane, or Microsoft Windows, for that matter? Here are some examples:

  • 100,000 lines of code: average iPhone application
  • 400,000 lines of code: US Space Shuttle
  • 2,000,000 lines of code: Lockheed Martin F-22 Raptor
  • 12,000,000 lines of code: Android Operating System
  • 14,000,000 lines of code: Boeing 787 Dreamliner (total flight software)
  • 24,000,000 lines of code: Lockheed Martin F-35 Joint Strike Fighter
  • 50,000,000 lines of code: Microsoft Windows 10
  • 61,000,000 lines of code: Facebook’s entire code base
  • 100,000,000 lines of code: Average modern high end car

Source: informationisbeautiful.net via Fast Company

Given that the average high-end car you would buy today has more code than all of Facebook, and therefore a greater chance of coding errors or vulnerabilities, it makes sense that the cyber security industry would try to help protect it as best we can.

100 million lines of code is huge. Why do cars have that much code?

Cars have become significantly more complex. There are two reasons why cars have this much code: modernization and new features. Early cars only used mechanical linkages. Eventually, mechanical relays were added for sub-systems, then solid-state relays (electronic circuits), then actual integrated circuits, then circuit boards. Today we refer to these as ECUs or Electronic Control Units. They do everything from controlling the engine, to the door locks, to the various advanced safety features that are now offered on high-end vehicles. Many of these ECUs have more computing power in them than your personal computer did 10 years ago.

Many ECUs resemble a computer when we look at their code as well. They are analogous to a Raspberry Pi, running a stripped-down Linux operating system with application code on top. This is largely because it is far more efficient for a programmer to write and maintain code in a high-level language like C++ than in some form of assembly language that would run directly on a chipset. With the cost of these mini-computers’ materials being very similar to that of the more basic integrated circuits, it’s more cost efficient as well. Every time a major feature is added, such as lane-assist or even just automated door locks, chances are at least one ECU is added to the car. The end result is a shockingly large number of ECUs in a new car.

On top of all these ECUs, we have other pieces such as the infotainment system, which has become more and more complex. The infotainment system used to be just a radio. Then features like Bluetooth were added, then information about the car, and so on. High-end cars now have multiple screens with interfaces that look more like computer tablets than cars, with access to news and weather, applications that connect to your phone, car settings like Sport or ECO, and of course a few old-fashioned radios.

Wouldn’t it be more efficient to just have one computer rather than dozens of small computers with all of these ECUs?

It would certainly be a lot less code! This is why a huge plane that can practically fly itself has a fraction of the code of a car. If cars had one computer, they would have one operating system, and that code would not be duplicated every time another ECU is added. Car manufacturers don’t work this way, though, because it doesn’t fit their manufacturing model. Arguably more important, it’s not as cost efficient. If a manufacturer can create one ECU that controls the transmission for a couple of Ford models, a few Chevy models, and maybe some Dodge models, then that manufacturer can be really efficient and keep the cost of their ECU down significantly. This also allows the OEMs to pick the cheapest ECU rather than incur the development cost themselves.

Why does an encryption key management company care about all of this?

There are three areas where Fornetix is looking to help the automotive industry: securing the supply chain, securing the internal car data, and securing the communications between the car and everything outside of the car (V2X communications). Essentially, there is an explosion in the amount of data used by the systems within the vehicle itself and between your car and numerous other systems (whether they be other cars, industry systems like OnStar, or consumer devices like your phone). Almost every automotive manufacturer has combined their safety and cyber security divisions. If the data in your car isn’t protected using encryption, then your car could malfunction and risk the safety of drivers, passengers, and anyone around a car for that matter. You can download a full whitepaper on securing the automotive industry here. Fornetix wants to help secure the automotive industry, not just to protect data and save money, but to literally help save lives.

The evolution of connected technologies has given rise to enhanced threats that target the full lifecycle of a vehicle, from supply chain and manufacturing to software updates and aftermarket customizations. Learn more about how encryption and key management can help secure the future of automotive connectivity. Register for our free on-demand webcast.