Security firm Symantec has released a research report containing advice and practical guidance for combatting the increasingly significant issue of automotive security vulnerabilities.
Car security has hit the headlines this year with security researchers demonstrating the remote take-over of a car’s braking system, and BMW revealing a flaw that enables, among other problems, the remote unlocking of car doors.
The latter issue is tackled head-on in Symantec’s Building Comprehensive Security into Cars white paper which proposes that applying security updates to cars is problematic given that the traditional mechanism of applying security patches in IT infrastructure does not apply.
Solutions, Symantec explains, must be “in a context that works both within the car, and at scale for carmakers.” Real-time, over-the-air (OTA) patching, for example, is in conflict with the multi-year safety certification processes currently required by the automotive industry.
Symantec also argues that many keyless entry systems, which work by detecting the proximity of virtual key to car, are not satisfactorily capturing position and proximity data with proper precautions. Symantec advises “healthier combinations of Global Positioning System (GPS), cellular, Wi-Fi, and accelerometer telemetry, all properly digitally signed by both the car and the car keys.”
The simpler signal-strength triangulation mechanism deployed in many systems is open to relay attacks, whereby a would-be carjacker can relay the key signal to the car and vice versa with a phoney key. By deploying “digital capture of location, signing data on capture, and using secure boot and code signing to ensure that firmware isn’t tampered,” carmakers could mitigate this, the report states.
The security firm also highlighted the threats posed by in-vehicle Bluetooth implementations and vulnerabilities in systems that stream entertainment and navigation data.
“As cars begin to stream entertainment over wireless interfaces, they increase their exposure to countless threats,” Symantec writes.
Many of the problems with in-car security as it stands result from inadequate authentication between components and sensors, according to the report. However, Symantec highlights that many of the fundamental solutions are, unfortunately, only achievable long-term:
Today’s cars have a great number of layers… Protecting the whole “stack” from top to bottom with comprehensive security will take many years, given the complexity of spanning supplier relationships. All sensitive chips will need hardware support for secure boot and credential storage to prevent spoofing and tampering via OTA attack paths.