Guarding automotive security has become more and more challenging due to many factors: vehicles are becoming more intelligent and connected and, above all, their lifecycle has doubled in 40 years in Europe. Cyber attacks emerge every day. One of the new challenges is to patch regularly and keep adapting, as Tesla does. Vehicle safety is now more dependent on cyber-security than ever. Regulations and policy recommendations for security have been adopted in the US and also in Europe. Current automotive best practices include offline and secure online communication, firewall and IDPS, over-the-air software updates, a secure synchronized time manager, and security monitoring and logging.
There were many presentations on different aspects of security in vehicles. Discussions about how to apply threat modelling methods from the computer industry to the automotive industry were everywhere. One specific presentation showed how such a method can be applied to the connected car and its underlying software architecture. TARA was used for a high-level overview of threats, while STRIDE was used to evaluate a specific functionality of the vehicle. Blockchain received a lot of attention throughout the conference. Its applicability to the economy of things, and its use in moving from fault-tolerant systems to attack-tolerant systems, drew particular attention. A privacy-aware data access system, which gives users control over potentially privacy-sensitive data flows leaving the car, was also presented at the conference. Various techniques for reconciling privacy and security mechanisms in V2X were described.
Ransomware attacks in modern vehicles were predicted to grow. The prediction was motivated by describing a new “business model” behind such attacks, and it was shown how such an attack can be prevented. Commercial vehicles and large vehicle fleet owners are the most “promising” attack targets. Vehicular ransomware can be easily created and “utilized”. A holistic approach to prepare, protect, and react was described.
The research challenges around vehicle-to-cloud for the intelligent vehicle were highlighted. One of them was sustainability in security solutions: for example, how can we ensure that systems designed today will still be in good shape 20 years from now? It was emphasized that defeat devices in vehicles are created to circumvent legislation, and it was described in detail how this can be done in many ways. Of course, a security conference about vehicles cannot go without the CAN protocol. A different approach to probing attacks on the physical layer of the CAN network was presented. One of the presentations concluded that interest in hardware attacks is increasing and that such attacks are less complicated than anticipated.
There were several theoretical presentations at the conference. One of them was about a formal analysis approach and its application in the automotive context. The applicability of machine learning techniques to the analysis of security attacks was discussed, and a specific mechanism for reducing the number of false positives was presented. A security analysis of digital key sharing using the smartphone was also presented.
This conference report is delivered by AB Volvo. If you have questions, please contact Atul Yadav.