How automation and EVs are creating new cybersecurity risks

Cars are becoming more like computers on wheels.

But as vehicle software becomes as important as the hardware, there are potential security risks that experts say should help inform the way car companies design and validate new features.

Tech Brew spoke with Dennis Kengo Oka, an automotive cybersecurity expert who serves as senior principal automotive security strategist at electronic design automation firm Synopsys, about these risks and how they relate to electrification and autonomy.

This conversation has been edited for length and clarity.

What are some of the most pressing cybersecurity challenges facing the automotive sector right now?

The fast development now of new features is driving a higher demand for, for example, software-defined vehicles…which then leads to a number of new attack vectors. If you now have features on your phone that can control the car, or you have various backend services that communicate with the car, you have new ways of attacking the car itself, you have new ways to attack different assets within the vehicle…That fast development is causing a gap between where these new features and functionalities are being developed versus where the cybersecurity level is…Closing that gap is one of the biggest challenges I see.

Advanced driver-assistance systems are becoming increasingly more common in vehicles. What are some of the biggest security risks that some of those features carry with them?

With autonomous vehicles, you have, typically, various sensors, cameras, radars, lidars, and so on, used to gather data about the environment. And then you process that and decide how the vehicle should behave. If an attacker is able to manipulate that input by providing some malicious data that’s processed by the vehicle to make it misbehave, that can cause serious accidents.

One example is, imagine there’s a stop sign and the vehicle’s supposed to stop when it reads that stop sign. But if you can manipulate that input so that the vehicle will recognize the stop sign…as a 65-mph sign instead, so instead of stopping, the vehicle will just drive through.

So those are some of the new attack vectors that you may not have thought about when you designed the vehicle, because you focused on the functionality and making sure that it will correctly identify the different traffic signs and the surroundings. But if you think about the malicious types of attacks that can actually cause your vehicle to misbehave, that adds another layer of cybersecurity protection that you have to think about.

Are these types of attacks on vehicles happening in the real world?

Most of these attacks on safety are more done by security researchers. So they do the experiments, and test, and see that they can make the vehicle misbehave, they can disable the brakes, or they can manipulate the steering to make the vehicle drive off the road.

Luckily, we haven’t seen any cyberattacks causing safety impacts, as far as we know, but what we see instead is cyberattacks where you target, for example, different assets of the vehicle. So it could be vehicle theft, which is very common. So these keyless-entry type of attacks, where you…either clone a key or you do a relay attack, a replay attack, you capture the signal from the real key fob, and then you’re able to gain access to the vehicle, start the vehicle, and drive off with the vehicle. Those types of attacks are much more common because there’s more of a financial motivation for the attacker to steal these luxury vehicles and sell them, for example, rather than causing a safety impact or causing an injury to a driver.

How does Synopsys work with clients to minimize some of these risks?

The way we help organizations in the automotive industry is firstly understanding what the threats are, so providing services on doing threat modeling, risk assessments, so we can identify the different attack vectors to a vehicle, to the ecosystem.

And then secondly, once we understand what those threats are, what kind of vulnerabilities may exist…then we also provide various tools to help find those vulnerabilities during development.

For example, as you’re writing code for your [electronic control unit] or the entertainment system…you can scan that with static analysis tools that find vulnerabilities, weaknesses in your software that developers then can fix before you release the vehicle…You can perform fuzz testing—so you send malicious or malformed data to a target system over wi-fi or Bluetooth, the way that attackers would typically target your vehicle as well. And then you test the robustness or you test the security features to make sure that that vehicle, that component, is still behaving as it should. And if you find any issues, you can fix it before you release your product.

What are some technological innovations you have on your radar?

With artificial intelligence, we have a number of new use cases or scenarios that can really benefit the way you develop vehicles and you test vehicles. So looking at, how do you automate some of these manual processes you have today? Anything from requirements, management, design reviews, code reviews, and so on. Can you automate using AI, as well as generating appropriate test cases, performing testing, and validating results? So AI will definitely play a major role here.

The question is, how much of that AI would be mature enough to work the way it should and can be trusted?...We already see software being developed using the help of AI, and you can generate your code—but is that code really secure or not? So we still need to have an additional step of scanning that generated code, making sure there’s no vulnerabilities.

How do you think about the risks that come along with electric vehicles and charging them on the grid?

There are a number of cybersecurity risks that you have to think about because now you go from protecting one vehicle or a fleet of vehicles to potential attacks on critical infrastructure, on power plants, on the grid. So on the vehicle side, we have to look at, how can a vehicle be targeted? Because now you have another interface to the vehicle, the charging system…You can also try to attack the grid as well, the backend network. So all these entry points will need to be considered potential security threats and will require the appropriate security solutions.

Anything to add?

We see the smaller [electronic control units] being consolidated into [high-performance computers]. And now you have more of these IT systems running in your car, like virtual machines and Linux. So you have to think about, “What are the new threats on running these IT systems in your car?”

Before you had to have some automotive experience and expertise to know, how can I target an ECU?...But if it’s a Linux system in the car, you potentially attract many more cyberattackers, because they’re familiar with Linux…One thing is, we have to make sure we protect those embedded systems in a better way. And that’s where Synopsys can help with scanning the source code as you develop it, scanning for open-source software, identifying vulnerabilities, as well as doing this fuzz testing, for example, over wi-fi, Bluetooth on these Linux-based systems…That’s the main thing that we have to think about: Securing the vehicles, but also this ecosystem. The cloud services, mobile apps, charging stations, the grid.