The Cloud Security Alliance (CSA) released Thursday its initial research and guidance report on connected vehicle security. Authored by the CSA’s Internet of Things (IoT) Working Group, Observations and Recommendations on Connected Vehicle Security is a 35-page report that provides a comprehensive perspective on vehicle security connectivity design, possible attack vectors of concern, and recommendations for securing the connected vehicle environment.
The Cloud Security Alliance (CSA) aims to define and raise awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.
The alliance provides recommendations for enterprise-wide security controls to safeguard the driving public, and helps evaluate the security gaps that need attention. Its intent is to provide a comprehensive perspective on vehicle security design, which must be flexible enough to adapt to future challenges, and be cognizant of unanticipated threats that future disruptive technologies may bring.
The report aims to provide a thorough assessment on vehicle security design, which must be flexible enough to adapt to future challenges, and be cognizant of unanticipated threats that future disruptive technologies may bring. In the first of three sections, the IoT Working Group provides a detailed and insightful analysis of the evolution of vehicle connectivity towards fully connected and autonomous systems.
The next section outlines areas of concern for connected vehicles, and lays out nearly 20 different attack vectors and the resulting impacts to the driver or vehicle. Finally, the report evaluates the security gaps that need attention and offers recommendations for enterprise-wide security controls to safeguard the driving public.
Automobile connectivity is evolving on a number of fronts. Platforms designed in the pre-connected era are now being connected in multiple ways. This has allowed security researchers to gain access to sensitive vehicle functions. Sensitive functions can be compromised via direct access, such as with USB and the On Board Diagnostic (OBD-II) port, or by remote access such as infotainment consoles, Bluetooth, WiFi and cellular devices.
Nearly 20 CSA IoT Working Group members contributed to the research and development of the report. Lead authors of the report include Brian Russell, chair of the CSA IoT Working Group and chief engineer, Cyber Security Solutions at Leidos, a CSA corporate member, along with Aaron Guzman of SecureWorks, Paul Lanois of Credit Suisse, and IoT industry expert Drew Van Duren.
The CSA IoT Working Group focuses on understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations.
Automobile connectivity is evolving on a number of fronts. Platforms designed in the pre-connected era are now being connected in multiple ways. This has led to the ability of security researchers to gain access to sensitive vehicle functions in order to perform activities not intended by the driver. Sensitive functions can be compromised via direct access (e.g., USB and the On Board Diagnostic (OBD-II) port, including with third party dongles), or remote access (e.g., infotainment systems/consoles, Bluetooth, WiFi, NFC and cellular).
One of the first stages of pervasive connectivity with vehicles has been through the infotainment system. Manufacturers include these systems to provide feature-rich services and content to their customers. Often these services are enabled through subscriptions. Researchers have shown that it is possible to gain access to an infotainment system and use that access as a jumping-off point to more sensitive vehicle functions.
Door locks offer additional connectivity options by using protocols such as Bluetooth and NFC along with key fobs and even smart phone applications. There have been recent media reports on the vulnerabilities of the Remote Keyless Entry, whereby a thief uses a device to “amplify” the signal generated by a keyless remote, or plants a device near the vehicle that intercepts the door-opening code for later playback when the owner of the vehicle is away.
Additional applications can be supported through Vehicle-to-Infrastructure (V2I) communication that incorporates connected roadside units (RSUs). These include environmental applications that provide motorists with warnings and notifications, safety applications that identify red-light or stop-sign violations as well as work-zone notifications. Vehicles can also consume broadcast messages that provide information on speed limits, signal phase and timing, and the presence of traffic conditions ahead.
Mobile applications are also a large component of the connected vehicle (CV) ecosystem. Pedestrians may use apps loaded onto their smartphones or purpose-built dongles to communicate with infrastructure equipment (e.g., traffic lights) as well as vehicles. Pedestrian-to-vehicle communication (one instance of V2X) will support abilities that include detection of pedestrians as they enter crosswalks or cross at non-designated intersections. New use cases will likely emerge as vehicles progressively communicate with smartphones.