It’s no secret that advanced driver assistance systems (ADAS) and the fast-approaching autonomous driving future are set to transform the mobility market. A countless number of devices will need talk to each other in order to ensure a safe environment: multiple sensors and systems within the car will communicate securely at lightning speed while the vehicle itself will be tuned into its surroundings via vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I) ad hoc networks, and more. Road conditions, precise position, speed, traffic signals and the location of other vehicles are just some of the data that go into this mix.
This, of course, has not gone unnoticed within the automotive tech industry and beyond: the gold rush is on! The rise of autonomous vehicles is driving new opportunities for traditional auto suppliers and tech players alike as they battle for what could be a $20 billion global market for sensors, software, and systems by the end of the decade. At this year’s North American International Auto Show, AutoMobili-D showcases some 120 organizations – including 50 startups – in an exhibition hall adjacent to the atrium at Cobo Center, underlining Detroit’s commitment to the technology scene.
Autonomous driving is not secure, yet
Nevertheless, there remains a problem. What should the automotive tech industry do in a world where everything is being connected to the Internet, yet the way we are securing these systems, devices, and things is based on a flawed, outdated security model? Currently, cyber-jacking may be limited in the ways it can affect a car, with the majority of real-world incidents confined to theft of property or the vehicle itself. But what if hackers were to attack the engine management system or any of the critical components within the autonomous car that control the vehicle’s speed or direction, or the smart environment in which the vehicle operates? Such attacks have the very real potential to cause chaos, leading to gridlock, damage to vehicles, environment and infrastructure, and even loss of life.
Along with communication and data protocols, security is the big issue here. With so many sensors and devices – not to mention over-the-air (OTA) programming – there are many potential ways for hackers to disrupt systems. Of course, there are current security and encryption protocols in place on the Internet, but the automotive tech industry needs to recognize that that the security architecture and paradigm used to secure traffic between web browsers and servers is not relevant or appropriate for autonomous cars, and cannot scale to an ecosystem encompassing a range of micro services across different touch-points.
Trust on demand
It is absolutely essential that each element is able to establish trust on demand with others while communicating: trust in terms of the identity of each device and also the authenticity of the messages passing between them – and all of this has to happen on a just-in-time basis involving high latency while simultaneously keeping the volume of data traffic to a minimum.
In order to bootstrap trust into this system, it’ll require mutual authentication between end points via a distributed cryptosystem where there is distributed trust, and no single points of compromise. This means a solution that incorporates multi-factor authentication is required. However, hard-coded encryption keys for every device cannot work – especially with certificates – as both can be compromised.
Moreover, the best cryptography needs to work out in the open – secrecy does not mean security – which points toward an open-source solution. This enables the entire automotive industry to adopt an industry standard that can be hardened by the automotive tech ecosystem and prevents the build-up of proprietary system silos. Additionally, in the context of the international regulatory framework, open source is the only way for such solutions to successfully cross national boundaries.
Should automakers seek to generate and distribute secure keys for the purposes of authentication, this approach would add an order of magnitude of cost compared with a distributed cryptosystem – higher cost that can put the brakes on the autonomous driving future or risk it moving ahead without it being secure.
New cryptography paradigm needed
With the race towards autonomous cars, smart cities, and a rapidly evolving mobility market now well underway, there really is no time to waste: 2017 must be the year the entire automotive industry – manufacturers, component suppliers, service providers – comes together to define and adopt a new cryptography paradigm.
The automotive tech industry needs to heed the warning signs and move beyond simple collaboration on security standards and recognize that 20th century cryptography technology should be jettisoned in favor of a solution that is fit for purpose and the 21st century. If the industry brings the baggage of the past into the autonomous driving future, the result will be failure. Only a new security architecture and paradigm – developed together and transparently – can provide the solution needed to enable and accelerate the autonomous driving future with confidence.
A distributed, open-source solution based on elliptic curve cryptography offers the significant advantage of smaller, stronger, and faster authentication keys that are well suited to the autonomous car environment; they are also easier to manage. It’s time for all interested parties to work together to bring standards forward instead of waiting for governments to determine the path for us to follow. Autonomous cars are beginning to hit the roadways, there’s no time to lose.
1. Tim Higgins, “Car Suppliers Vie for Major Role in Self-Driving Boom”, Wall Street Journal, January 9, 2017.