In the wake of the recent reported hacks of Jeep and Tesla vehicles, hackers now claim they can remotely track, unlock, and start BMW, Mercedes-Benz, and Chrysler vehicles. (Read more on automotive security from I Am The Cavalry) Two lawmakers have announced plans for legislation requiring security and privacy standards for motor vehicles, with more pressure from regulators and consumers sure to follow.
Securing the connected auto involves not a single device with a single operating system, as in a PC, but hundreds of sensors and multiple electronic control units (ECUs) that enhance safety, performance, fuel economy, and entertainment. These ECUs must communicate not only with each other, but also with external systems (from a manufacturer’s update service to traffic management systems) to be effective.
As in any other secure system, the element of trust is central. A trusted system is one whose identity and integrity posture are assured and verified before that system can perform a specific function or access or update specific information. One way to achieve this with commercially available and highly affordable elements is using a Trusted Computing Group (TCG) Trusted Platform Module (TPM) to support hardware-based Roots-of-Trust.
Such TPMs, already used in PCs, disk drives, mobile phones, and servers, meet many fundamental requirements such as:
- Measuring and reporting on the integrity of firmware and software within ECUs
- Creating, storing, and managing cryptographic keys in ECUs to support data integrity
- Providing attestation and assurance of identity of ECUs
- Supporting secure remote and local firmware and software updates for ECUs
- Supporting anti-rollback protection and secure configuration memory for ECUs
- Creating certifiable audit logs for all operations
TCG is defining specifications for “rich” and “thin” TPMs. The rich spec is aimed at more complex gateway ECUs that would, for example, manage communications between the vehicle and a remote maintenance center to assure the integrity of software upgrades or patches. The thin spec is designed for simpler ECUs that handle specific functions (such as entertainment or braking) and support, among other things, a local certificate store, and management services in case of a loss of communications between the remote maintenance center and the vehicle.
Protecting motor vehicles from attacks will require enhanced processes and technologies throughout the network, from manufacturers’ update centers to developers of mobile apps and ECU firmware. But creating trusted systems within the vehicles is an essential first step. To learn more, see the TCG’s response to the U.S. National Highway Traffic Safety Administration’s Automotive Electronic Control Systems Safety and Security note. You can also follow the approval of the TCG’s TPM 2.0 Library Specification as an ISO/IEC International Standard.
Seigo Kotani is a senior expert at Fujitsu Laboratories and co-chair of the TCG’s Embedded Systems working group. Ira McDonald is a network software architect at High North Inc., and co-chair of the TCG’s Trusted Mobility Solutions working group.