Exclusive Insight into Premier Vehicle Networks
Lee Cresswell from Lynx Software Technologies talks about separation, security, and the connected car.
These days, most cars are packed with various wireless technologies like cellular, Wi-Fi, Bluetooth, near-field communications, and other RF communications. Often, there’s a direct link between these wireless features and the car’s central system. This link can provide access to important functions like navigation, security, brakes, steering, and cruise control.
Given this connectivity, there’s a steep learning curve for both companies and individuals to understand the potential problems and find the right solutions.
Attack Surfaces
The ISO 26262 standard offers a way to assess risks and set safety levels for different automotive systems. This standard assumes that the most critical systems in a car are kept separate from less critical functions to prevent compromises.
In the past, this separation was manageable because each Electronic Control Unit (ECU) was dedicated to a specific task, like engine control or anti-lock braking. However, as vehicles became more integrated, these modules started interacting more frequently. For instance, in an automatic transmission system, the engine needs to communicate its speed to the transmission, which then informs other modules when a gear change happens.
Initially, these communications were handled by a complex wiring loom, but as the need for more features grew, this system became overly complicated. The solution was to develop vehicle networks, often using a CAN bus. This network allows different modules to exchange data easily, simplifying the vehicle’s wiring architecture.
When cars were isolated from external networks, the connectivity between internal modules posed little security risk. Once the communication protocols were validated to ensure they didn’t compromise system integrity, the principles of ISO 26262 were maintained.
However, the rise of the connected car has changed everything. External access to the car’s systems creates new entry points for an attacker, known as attack surfaces. Even if a low-priority system is compromised, it can potentially give access to critical systems. For example, a hack into the car’s infotainment system could potentially lead to a breach of the braking system.
To ensure safety and compliance with ISO 26262 for connected vehicles, it’s crucial to minimize attack surfaces and enforce strict separation between systems of different criticality.
Hardware-Based Separation
The Tesla Model S uses a physical gateway (LAN-CAN) box to separate the infotainment system from crucial vehicle controllers. This gateway uses a structured API that limits the range of commands between the two networks. Thus, accessing the safety-critical controllers requires detailed knowledge of this API. However, this method isn’t entirely foolproof and adds significant hardware costs.
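The CAN bus exchange described above and the gateway idea in this section can be made concrete with a small allow-list filter. The following is an added example written for this page; it is not code from Lynx, Tesla, or any vehicle gateway. It models a gateway sitting between an infotainment CAN segment and a vehicle-control segment that forwards only frames matching a narrow, pre-approved API (a fixed set of identifiers, an exact payload length, a value range, and a rate limit). Every CAN identifier, payload rule, and sample frame below is constructed for illustration and corresponds to no real vehicle; the "ID#DATA" text notation is the one used by the Linux can-utils tools.

```python
"""Allow-list CAN gateway filter (added example, not vendor code).

All CAN identifiers, rules and sample frames are constructed for this
illustration; they do not correspond to any real vehicle network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    """A classic CAN data frame: 11-bit identifier plus 0..8 payload bytes."""
    can_id: int
    data: bytes

    def __post_init__(self) -> None:
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError(f"not an 11-bit CAN identifier: {self.can_id:#x}")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")


def parse_frame(text: str) -> CanFrame:
    """Parse the 'ID#DATA' notation used by can-utils, e.g. '3A0#1A'."""
    ident, _, payload = text.strip().partition("#")
    return CanFrame(int(ident, 16), bytes.fromhex(payload))


@dataclass
class Rule:
    """What the gateway accepts for one identifier crossing the boundary."""
    dlc: int                          # exact payload length required
    valid: Callable[[bytes], bool]    # semantic check on the payload
    max_per_second: int               # flood protection per identifier


# Constructed policy: the only messages the infotainment segment may send
# toward the vehicle-control segment. Identifiers are made up.
POLICY: Dict[int, Rule] = {
    # cabin temperature set-point in degrees C, one byte, 16..30 only
    0x3A0: Rule(dlc=1, valid=lambda d: 16 <= d[0] <= 30, max_per_second=2),
    # request current speed for the display, no payload
    0x3A1: Rule(dlc=0, valid=lambda d: True, max_per_second=10),
}


class Gateway:
    """Default-deny filter: everything not explicitly permitted is dropped."""

    def __init__(self, policy: Dict[int, Rule]) -> None:
        self.policy = policy
        self._sent: Dict[int, List[float]] = {}   # timestamps per identifier

    def check(self, frame: CanFrame, now: float) -> Tuple[bool, str]:
        rule = self.policy.get(frame.can_id)
        if rule is None:
            return False, "id not in allow-list"
        if len(frame.data) != rule.dlc:
            return False, "unexpected DLC"
        if not rule.valid(frame.data):
            return False, "payload out of range"
        # sliding one-second window of frames already forwarded for this id
        window = [t for t in self._sent.get(frame.can_id, []) if now - t < 1.0]
        if len(window) >= rule.max_per_second:
            self._sent[frame.can_id] = window
            return False, "rate limit"
        window.append(now)
        self._sent[frame.can_id] = window
        return True, "forwarded"


def run_gateway(lines: List[str], start: float = 0.0, step: float = 0.1):
    """Feed text frames through a fresh gateway, one every `step` seconds.

    Returns (forwarded, dropped), each a list of (frame_text, reason).
    """
    gw = Gateway(POLICY)
    forwarded: List[Tuple[str, str]] = []
    dropped: List[Tuple[str, str]] = []
    for i, line in enumerate(lines):
        ok, reason = gw.check(parse_frame(line), start + i * step)
        (forwarded if ok else dropped).append((line, reason))
    return forwarded, dropped


# Constructed traffic arriving from the infotainment segment.
SAMPLE = [
    "3A0#16",    # set-point 22 C: permitted
    "3A0#40",    # set-point 64 C: payload out of range
    "3A1#",      # speed request: permitted
    "3A0#1618",  # two bytes where one is expected: wrong DLC
    "0A0#0000",  # constructed control-domain id: not in allow-list
    "3A0#17",    # second set-point within one second: permitted (limit 2)
    "3A0#18",    # third within one second: rate-limited
]

if __name__ == "__main__":
    fwd, drp = run_gateway(SAMPLE)
    for line, reason in fwd + drp:
        print(f"{line:<10} {reason}")
```

The point of the example is that the gateway's policy is the API: a message toward the control segment is accepted only if its identifier, length, and value all match a rule, so a compromised infotainment unit cannot emit arbitrary frames onto the critical segment even though it shares a physical link with the gateway. A real gateway would also authenticate its own firmware and log the dropped frames for the security operations team rather than only returning a reason string.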
Software-Based Separation
While Tesla’s approach is effective, finding an equally good or better solution through software could be more efficient.