By Chris Clark, Senior Manager, Synopsys Automotive Group
Given that today’s vehicles are as smart and connected as the mobile devices you carry in your purse or pocket, it’s common for drivers and passengers to incorporate a variety of aftermarket devices into their rides. From insurance dongles to smartphones, these gadgets typically connect to the vehicle systems via interfaces provided by their manufacturers, such as Bluetooth, USB, Wi-Fi, and OBD-II port, to provide an enhanced user experience.
While the ability to “customize” your vehicle experience is desired, what if incorporating an aftermarket device into a vehicle opens the door to security vulnerabilities that threaten the car’s safe operation?
With as many as 100 electronic control units (ECUs) and around 100 million lines of code inside the newest, most advanced models on the market, today’s vehicles are wonders of electronic design. ECUs are responsible for controlling electrical systems and subsystems, such as the anti-lock braking system or the electronic fuel injection setup. The code, meanwhile, is distributed among the ECUs as well as various devices like sensors and cameras. Increasingly, cars are becoming software-defined vehicles, where software is central to popular functions like driver assistance, infotainment, and connectivity systems. This transformation also means that, left unprotected, connected cars can be as vulnerable to hacking as many IoT devices.
Every aspect of the vehicle should be designed from the start to protect against malicious attacks—and this includes applying safeguards that prevent aftermarket devices from causing harm when connected to, or incorporated into, the car. In this blog post, I’ll discuss the security considerations of aftermarket devices and what you can do to keep them from becoming security threats.
There’s a whole ecosystem of aftermarket devices for vehicles. In a report released earlier this spring, Reportlinker.com projects that the global automotive aftermarket market will top $527 billion by 2027. With this market continuing to grow, it’s imperative for both automotive manufacturers and the aftermarket providers to ensure that security is designed in from the start based on the OEM’s intent.
Aftermarket devices cover a wide range of products. There are replacement parts including everything from engine components to brakes, exhaust systems, and transmissions, that aren’t made by the original vehicle manufacturer. There’s also an array of third-party-produced accessories that drivers buy in order to customize their rides, such as spoilers, superchargers, and modified exhaust systems. While most of the items described have no electronic capabilities, those that do and are non-OEM-approved parts, can negate the terms of the vehicle warranty. If the components are not developed according to OEM specifications—not to mention any governmental or automotive industry functional safety and cybersecurity standards—there’s risk of deeper problems occurring.
It’s not just components that are inside or on the car that are of concern. Aftermarket devices also cover the gadgets that drivers and passengers plug into cars. This category includes a variety of products to enhance the driving experience:
And then there are in-vehicle apps, which are quickly emerging as another aftermarket segment. It’s a similar transformation as we’ve witnessed with smartphones. In today’s connected cars, apps are opening the doors to a wide range of features, from theft notification to the ability for the vehicle to adjust to driving conditions like winter weather and off-road terrain.
Earlier this year, the National Highway Traffic Safety Administration (NHTSA) released an updated version of its Cybersecurity Best Practices for Modern Vehicles report. The document provides guidance to help the automotive industry enhance motor vehicle cybersecurity. In its report, NHTSA notes, “Vehicles are cyber-physical systems and cybersecurity vulnerabilities could impact safety of life…NHTSA believes that the voluntary best practices described in this document provide a solid foundation for developing a risk-based approach and important processes that can be maintained, refreshed and updated effectively over time to serve the needs of the automotive industry.”
Among the various segments covered in the cybersecurity report are aftermarket devices. NHTSA warns that, even though a device’s function may not be related to safety, it can still be used as a proxy to influence vehicle systems that are central to safety, if the device is not properly tested and evaluated. The report goes on to propose a multi-layered approach to cybersecurity that focuses on vehicle entry points that could be vulnerable to a cyber-attack.
Electronic gadgets like smartphones and insurance dongles connect to the vehicle via communication ports. In this setup, there are various points that could be vulnerable to security threats, much like what we’ve witnessed in the IoT world. For example, there have been incidents of hackers gaining access to larger networks—and databases of sensitive information—by breaking into unsecured IoT devices like cameras. In the automotive world, ethical hackers famously demonstrated a remote attack on a Jeep Cherokee in 2015 and many other more advanced attacks since then. Additionally, the security of the data itself should be considered. For example, in the case of the insurance dongle, drivers certainly won’t be pleased if information about their driving habits get into the wrong hands.
Security should be treated as a foundational and holistic endeavor, designed into all aspects of the vehicle from the beginning. Any door left opened means that security can be compromised. By proactively providing aftermarket manufacturers with security requirements, along with guidelines to adhere to them, the automotive industry can influence manufacturers in its ecosystem toward protecting their products. Guidelines such as those provided by NHTSA as well as industry standards such as ISO/SAE FDIS 21434 Road Vehicles – Cybersecurity Engineering provide direction on accomplishing this.
As the market growth indicates, automotive aftermarket devices and apps aren’t going away. They will only become more prevalent. It is, therefore, in the best interests of OEMs to guide these device manufacturers and app developers toward designing their products with built-in security as well as safety. Also essential is providing approved methods for third-party providers to meet OEM security goals. When vehicle owners need a new part or want to customize their ride, they should be able to trust that their ride won’t be compromised in any way.
Get additional insights from other posts in our automotive cybersecurity series: