By Samantha Beaumont, Sr. Consultant, Software Integrity
In modern vehicles, sensors measure everything from the crankshaft’s rotating speed to the oxygen level in exhaust gases, fuel temperature, and the throttle position. Many are key components in safety-critical functions like advanced driver assistance systems (ADAS), providing another set of “eyes” for the vehicle. When your car “sees” an obstacle on the road ahead, it’s relying in part on sensors to provide the object detection that will trigger the automatic braking system to act. Safety, for you, your passengers, and those around your vehicle, clearly relies on the sensors operating properly. Today’s vehicles boast at least 200 sensors, working in concert with sophisticated algorithms and powerful processors to deliver intelligence and autonomous functions. Given the integral role they play in vehicle operation, sensors are an attack surface that attackers can be expected to focus on.
As such, automotive sensors must be designed according to the functional safety development process mandated by ISO 26262, which assures that these components will perform as intended. Security is the other part of the equation: the increase in smart technology inside vehicles opens the door to additional points of vulnerability. The U.S. National Highway Traffic Safety Administration (NHTSA), for example, currently classifies vehicles as “cyber-physical systems and cybersecurity vulnerabilities could impact safety.” NHTSA has an updated 2020 draft of its Cybersecurity Best Practices for the Safety of Modern Vehicles document; it is voluntary guidance rather than a regulation, but it is addressed to anyone manufacturing or selling vehicles in the U.S.
All of this begets the question, “From a security perspective, what are the key areas of sensor vulnerability—and what makes it challenging to fortify them”?
What if, for example, a bad actor tricked a LiDAR sensor into detecting a vehicle obstruction that isn’t actually there, causing the sensor to feed data back to the electronic control unit (ECU) that directs the vehicle to swerve unnecessarily? Similarly, could someone cause an object to disappear from the sensor’s path? Instead of preventing accidents, LiDAR sensors used in ADAS could be manipulated into causing the very types of accidents they’re supposed to prevent. Attacks such as these are addressed in NHTSA’s cybersecurity report, which notes: “an emerging area of cybersecurity is the potential manipulation of vehicle sensor data.” The report advises automakers to consider risks related to sensor vulnerabilities and potential sensor signal manipulation, including GPS spoofing, road sign modification, LiDAR/radar jamming and spoofing, camera blinding, and inducing machine-learning false positives. It goes on to highlight an array of tactics that designers and developers can follow to protect their automotive solutions from cybersecurity breaches, and recommends that the automotive industry follow the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework. That framework suggests a layered approach to cybersecurity structured around five key functions: identify, protect, detect, respond, and recover.
Categories of vulnerability are determined by what a sensor measures and how it measures it. Consider the LiDAR example. LiDAR measures the position of surrounding objects and vehicles by timing reflected laser pulses, and its output feeds ADAS and many vehicle-to-everything (V2X) applications. Its value depends on sensing objects accurately, and accurate sensing in turn depends on how the sensor, and the radar that usually accompanies it, measure light and radio-frequency returns, which is also what determines how easily an attacker can inject or suppress those returns.
We can’t afford to consider sensors without also considering the systems in which they operate. System designers must safeguard system operations while striking the right balance in terms of alerts shared with drivers.
From a hardware perspective, preventing unintended activity comes down to ensuring that the silicon, as well as the high-speed interfaces that carry its data to the ECUs, is protected from exploitation. In a vehicle, each sensor typically has its own dedicated ECU. The challenge, for both hardware designers and software developers, is that sensors in the field will receive “dirty” data, whether from noise, faults, or deliberate manipulation, so the sensor and its ECU need the logic to discern what is dirty and what is not. They cannot rely on the driver or a backend to make that judgment for them: by the time either could weigh in, the braking decision has already been made.
When something does go wrong due to a security breach, most systems today don’t have a good way to communicate that an error occurred. Consider ADAS, which is designed to warn drivers of impending dangers on the road as well as potential system failures, early enough that the driver (or the vehicle) can take appropriate action. There is a delicate balance in how much information to give the driver: too little and the driver cannot act on it, too much and the driver is overloaded and makes mistakes. At best, incidents are flagged internally to be investigated at a future date if the log is ever retrieved, normally after an accident. Such system errors or failures usually trigger a recall that requires a trip to the dealership and, for the carmaker, a potentially expensive fix. A better approach is to build in the security that prevents a malicious act from causing the error in the first place.
Assessing security at the system level is a pragmatic way to prioritize where safeguards should be implemented. Sensors for safety-critical applications like ADAS and airbags, for example, should be given top priority. Look at the chips supporting each sensor, as well as the high-speed buses that transfer sensor data to the respective ECU. Deploy redundancy where necessary, so that if one area goes down it won’t take a second critical area with it, and so that one sensor can be checked against another (this matters not just from a cybersecurity perspective; ISO 26262 also stipulates redundancy in the interest of functional safety compliance).
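The three points above (a sensor ECU must judge “dirty” data locally, it should keep a record of what it rejected, and redundant sensors should be checked against each other) can be turned into a concrete plausibility filter. The following is an added example, not Synopsys code and not a description of any particular vehicle’s implementation. It assumes a hypothetical ADAS ECU receiving nearest-object range reports from a LiDAR and a radar at 20 Hz; all thresholds and the sample frames are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds are assumed for illustration, not vendor or standard figures.
MAX_RANGE_M = 200.0            # rated range of the assumed sensors
MAX_CLOSING_SPEED_MPS = 70.0   # fastest physically plausible relative speed
CROSS_CHECK_TOL_M = 2.0        # LiDAR and radar must agree within this distance


@dataclass
class Sample:
    """One frame of range reports (metres) for the nearest object ahead.
    None means the sensor produced no return this frame."""
    t: float
    lidar_m: Optional[float]
    radar_m: Optional[float]


@dataclass
class Verdict:
    t: float
    accepted: bool
    range_m: Optional[float]           # fused range the ECU may act on
    flags: list = field(default_factory=list)


class RangeValidator:
    """Decides locally, per frame, whether range data is trustworthy.

    The ECU cannot ask a backend or the driver whether a reading is genuine,
    so it applies three checks itself: a static range check, a physics-based
    rate-of-change check against the last accepted range, and a cross-check
    between the two redundant sensors. Every verdict is retained in self.log,
    the kind of internal flagging the text describes."""

    def __init__(self):
        self.last_t: Optional[float] = None
        self.last_range: Optional[float] = None
        self.log: list = []

    @staticmethod
    def _in_range(v: float) -> bool:
        return 0.0 < v <= MAX_RANGE_M

    def _plausible_motion(self, v: float, t: float) -> bool:
        if self.last_range is None or self.last_t is None:
            return True                      # nothing to compare against yet
        dt = t - self.last_t
        if dt <= 0:
            return False                     # replayed or reordered frame
        return abs(v - self.last_range) / dt <= MAX_CLOSING_SPEED_MPS

    def check(self, s: Sample) -> Verdict:
        flags = []
        readings = {}
        for name, v in (("lidar", s.lidar_m), ("radar", s.radar_m)):
            if v is None:
                flags.append(f"{name}_no_return")
            elif not self._in_range(v):
                flags.append(f"{name}_out_of_range")
            elif not self._plausible_motion(v, s.t):
                # A target that appears or vanishes faster than physics allows
                # is the signature of a spoofed or jammed channel.
                flags.append(f"{name}_implausible_jump")
            else:
                readings[name] = v

        fused = None
        if len(readings) == 2:
            if abs(readings["lidar"] - readings["radar"]) <= CROSS_CHECK_TOL_M:
                fused = (readings["lidar"] + readings["radar"]) / 2.0
            else:
                # Both pass their own checks yet disagree: redundancy caught a
                # fault we cannot attribute to one side, so act on neither.
                flags.append("sensor_disagreement")
        elif len(readings) == 1:
            name, fused = next(iter(readings.items()))
            flags.append(f"degraded_{name}_only")   # keep driving on the survivor

        verdict = Verdict(s.t, fused is not None, fused, flags)
        if verdict.accepted:
            self.last_t, self.last_range = s.t, fused
        self.log.append(verdict)
        return verdict


def run_scenario(frames):
    validator = RangeValidator()
    return [validator.check(f) for f in frames]


# Constructed frames at 20 Hz: a car ahead closing at roughly 10 m/s, then a
# phantom object injected into the LiDAR channel, then a blinded LiDAR.
CONSTRUCTED_FRAMES = [
    Sample(0.00, 80.0, 80.3),
    Sample(0.05, 79.5, 79.7),
    Sample(0.10, 79.0, 79.2),
    Sample(0.15, 5.0, 78.7),     # spoofed LiDAR return 5 m ahead
    Sample(0.20, None, 78.2),    # LiDAR blinded, no return
    Sample(0.25, 77.5, 77.7),    # LiDAR recovers and agrees with radar again
]

if __name__ == "__main__":
    for v in run_scenario(CONSTRUCTED_FRAMES):
        print(f"t={v.t:.2f} accepted={v.accepted} range={v.range_m} flags={v.flags}")
```

The spoofed 5 m return is rejected by the rate-of-change check alone, because no real object can close 74 m in one 50 ms frame; the ECU continues on the radar in degraded mode and records why. A first frame on which LiDAR and radar disagree by more than the tolerance is rejected outright, since there is no history to arbitrate between them. Real perception stacks track many objects with Kalman-style filters rather than a single range, but the principle is the same: bound every reading by physics and by its redundant peer before it reaches the braking logic.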
You might expect that some automakers, examining their balance sheets, would be averse to the cost of integrating these security considerations into their designs; surprisingly, the trend is the opposite. We’re seeing more and more openness in the industry to investing in security upfront. As with any business, protecting silicon, software, and systems against malicious attacks early on can prevent the costly damage such attacks cause. In addition, given how long drivers keep their cars, preventing security problems at design time reduces the overhead of addressing them over the 11 years that an average vehicle spends on the road.
With our long history of delivering automotive design, verification, prototyping, IP, and software security solutions, Synopsys is dedicated to helping our customers develop safe, secure, reliable, high-quality automotive electronic systems. With our solutions and our expertise, you can:
The smarter vehicles get, the more points of vulnerability emerge, making automotive cybersecurity measures more important than ever. Vehicle sensors in particular are becoming more prevalent, especially in safety-critical applications. By designing security into your sensors from the ground up, you help ensure that their role in keeping our roadways safe will not be compromised.