Automotive conferences are beginning to tackle cyber security for automobiles as a separate topic.
Earlier this week, Synopsys was a sponsor for this year’s escar USA in Ypsilanti, Michigan. The conference focused on automotive cyber security and drew a lot of representatives from automotive suppliers as opposed to manufacturers. Some of themes in the two-day, single-track presentation agenda included:
- Connected cars have a large, expanding attack surface. The industry is becoming aware of the many threats afforded by connected cars today.
- Researchers Charlie Miller and Chris Valasek are both feared and reviled. The infamous “Jeep hack” seems to have shaken the industry to its core, but there may be blowback with some now feeling that they publicized the hack for their own good.
- CAN protocol still stinks. Some of the presenters offered reactive security solutions in the IP networking world, such as firewalls or whitelists.
Key management will be a challenge.
- Quantum computing is going to break our PKI systems. Academics are already able to design algorithms for quantum computers, one of which is good at factoring large numbers. This is exactly the challenge that underpins the current asymmetric algorithms (e.g. RSA) we use for signing and the whole PKI infrastructure. Symmetric encryption and cryptographic hashes remain largely immune, although they’ll probably need keys and hash sizes about double current values. This whole area of discussion is known as Post Quantum Cryptography or PQC. NIST is running a contest for PQC standards, but it’ll be 8–10 years before it’s complete.
- Software Defined Radio (SDR) is easily accessible and valuable in attacking cars. Hardware is cheap and good software tools are often open source. Cars use a variety of RF communications and so this is a hot area of research right now.
- Protected hardware looks like a coming thing. There are some variations, but the basic idea is that a processor won’t run code that isn’t what it is supposed to be. One term is Trusted Platform Module (TPM). There are a few different functions here, such as verifying that your software hasn’t been messed with and securely storing private cryptographic keys.
Jonathan Knudsen, cybersecurity engineer at Synopsys, attended the conference and contributed to this report.