Security-by-design is key to preventing hacks on future smart cars, roadways F-Secure study
August 2020 by F-Secure
Securing tomorrow’s driverless vehicles and smart roadways needs to begin according to a report from F-Secure Consulting. The report, Future Threats to ITS Networks and CAV Infrastructure, identifies numerous vulnerable areas within proposals for intelligent transport systems (ITS) and connected autonomous vehicles (CAV).
“We took a holistic view of the security of ITS and CAV networks,” said Vic Harkness, lead report author and security consultant at F-Secure Consulting. “Existing literature often focuses on a single aspect of this ecosystem and considers security out of scope. The roads that you, me, and everyone else depend on will be part of this ecosystem, so it’s important to take a look at the interoperability of the whole system to see what could go wrong.”
Harkness and her team found a wide variety of potential attack entry points within the European proposals for future ITS networks, which bear strong similarities to proposals in the US and other countries.
Based on current proposals, possible attack vectors identified in the report range from in-vehicle systems such as sensors and entertainment systems; to roadside units that collect and collate network data; to data storage hubs, transmission media, and connecting protocols that currently lack security mechanisms.
These potential attacks could involve adversaries forcing cars to take malicious actions, stealing data from a car’s internal network, manipulating or disrupting traffic patterns, or using a car as an entry point into ITS networks.
Vehicle testbeds, stretches of smart roadway used to test vehicles and technologies, would be of particular interest to attackers looking to steal intellectual property or to disrupt testing of a competing product.
Towards safer connected roadways
Besides providing recommendations for securing all facets of the ITS ecosystem, Harkness and her team call for a few overall initiatives to help ensure safer future roadways:
• Testing of ITS and CAV technologies prior to deployment to address safety-critical issues. The creation and examination of CAV testbeds would help uncover these issues.
• Formation of a consortium to provide overarching guidance on CAV and ITS security, establish and maintain ITS security standards, and facilitate information sharing.
• Complex automated tamper detection, logging and message signing at every level of the ITS network to help identify and remediate a breach by an actor.
Harkness also recommends that vendors working on CAV and ITS technologies share their new developments with security researchers early on. “We can help discover potential issues before threat actors in the real world take advantage of them,” said Harkness. “Don’t assume security will be taken care of elsewhere. Ensure security is baked into your technologies from the start.”
F-Secure Consulting conducted the research as part of the Cyber Feasibility projects funded by the Centre for Connected Autonomous Vehicles and delivered by Zenzic and Innovate UK.*
Harkness will present the research at Defcon 28’s Car Hacking Village on August 8. The full report is available here.
F-Secure Consulting operates on four continents from 11 different countries. It provides cyber security services tailored to fit the needs of banking, financial services, automotive, aviation, shipping, retail, insurance, and other organizations working in highly targeted sectors.