Made in IBM Labs: Solution for Detecting Cyber Intrusions to Connected Vehicles, Part I
Co-authored by Yair Allouche.
Since the inception of the first vehicles in the early 20th century, the automotive industry has gone a long way to satisfy market-driven requirements and evolve cars into a means of transportation that engages state-of-the-art electronics and information technology for passengers’ comfort and entertainment.
The Value of Connected Vehicles
In particular, recent years have seen vehicle connectivity as a fundamental part of the connected society. This gives rise to a host of value-add services that benefit all stakeholders in the automobile ecosystem. The value proposition of connected vehicles has been rapidly embraced by the industry, with expectations for 250 million connected vehicles shipped by 2020, according to a Gartner report.
|Stake Holder||Value-Add Services (examples)|
|Car owners||Social navigation (e.g., Waze), individualized infotainment, automated driving support.|
|Automakers||Enablement for new business models and revenue streams (e.g., pay-as-you-drive models for car insurance), proactive aftermarket diagnostics (e.g., predictive maintenance), over-the-air ECU firmware updates.|
|Businesses||Optimized transport services such as real-time fleet management.|
|Municipalities||Smart city services such as traffic congestion management and emission control.|
Table 1: Benefits for Stakeholders
However, along with the benefits of connected vehicles come the risks associated with security breaches, as well as concerns over data privacy. The reason for this is that the automobile, a product that was originally purely mechanical, has evolved into a complex IT network on wheels. Vehicle original equipment manufacturers (OEMs) have always been keen to put driver safety as a top priority, and this has been the major motivation behind developing driver assistance systems. While these programs have dramatically improved passengers’ safety over the last decade, cybersecurity risks became relevant for the OEMs when the vehicle became connected to the Internet and offered outsiders access to the vehicular network.
Nothing Is Without Risks
These risks are now amplified by the fact that modern vehicles are among most complex software-driven system invented by mankind. Certain studies have estimated that an average modern car hosts around one hundred million lines of software code, roughly twice the size of the software that drives the Large Hadron Collider in Switzerland, the largest particle accelerator ever built.
Moreover, vehicle software and firmware manage anywhere between 70 to 100 electronic control units (ECUs), which are connected by many Controller Area Networks (CANs). Since vehicles now employ multiple communication protocols to connect with other machines and infrastructure systems, and they are equipped by a host of related communication features (e.g., Bluetooth, USB ports and even near-field communications), the connected vehicle threat surface is wide and highly exposed to attacks, as various researchers have observed.
Many credible automakers have fallen prey, often publicly, to attackers that exploited those vulnerabilities. Those automakers were forced to issue expensive recalls in order to patch security vulnerabilities. They likely have also incurred indirect damages to brand value and reputation.
Using an IDS for Protection
Given the high stakes, industry players conduct important research to develop solutions for securing connected vehicles. A popular approach pursued by several vendors is a specialized intrusion detection system (IDS) for vehicles, wherein elaborate analysis algorithms — possibly implemented in an embedded device — are used to continuously inspect the car’s internal communication network. When a threat is detected, a corrective action is taken; for example, the communication channel is blocked, and an alert is potentially raised.
While the vehicular IDS approach has merit, it also has limitations. First, a vehicular IDS mainly inspects and reasons about communication traffic exchanged among the ECUs over the vehicle’s CANs. While this information is important, especially if an IDS applies elaborate analysis techniques, the insights obtained from such local analysis represent only a relatively small subset of relevant security events internal to the vehicle’s environment. Some attacks on the vehicle may be detected with this approach, yet many sophisticated attacks — such as Sybil attacks, where an adversary forges the identities of many imaginary cars to subvert the network — will remain undetected.
Another limitation of vehicular IDS is the constrained processing and memory resources that such a device can consume due to the cost sensitivity of automakers and price sensitivity of buyers. Those constraints and the low computational footprint available for an IDS in the car inherently limit the performance and quality of the security coverage that can be provided.
The Final Word
A comprehensive solution for connected vehicle security must reconcile conflicting requirements and address multiple design challenges. On the one hand, as described above, the threat detection potential at the vehicle level is limited; on the other hand, a centralized, server-based architecture will not be a proper solution either. The dynamics and scale of a broad vehicular network would impose severe computational and communication costs in managing the network and uploading security data from the vehicles to the server. A solution that provides a comprehensive real-time security view must therefore reconcile the above design trade-offs and integrate multiple capabilities.
In the coming International Motor Show in Frankfurt, Germany, we will present a prototype solution for securing connected vehicles, based upon research conducted by IBM in its Cybersecurity Center of Excellence in Israel. Our solution is based on a client/server architecture where an in-vehicle component communicates with a cloud-based server component. Using a novel approach for coordinated anomaly detection, this powerful solution, designed in the IBM Lab, can identify attacks on the integrity of both individual vehicles and across vehicle networks.