In the era of intelligent networked vehicles, who will protect the information security of car companies, manufacturers and users?

According to Gaz Auto on January 26, a 19-year-old cybersecurity researcher remotely hacked into a number of Tesla cars through a third-party vulnerability; he also obtained the owners' email addresses and informed them that they were at risk. According to relevant personnel, sensitive documents of more than 100 automakers, including General Motors, Fiat Chrysler, Ford, Tesla, Toyota, thyssenkrupp and Volkswagen, were published on a publicly accessible server affiliated with Level One Robotics, and the information of car companies, manufacturers and users is at risk of being hacked every day. In fact, the seemingly calm automotive world has always borne the pressure of maintaining information security.

Cars have as many as 150 ECUs and about 100 million lines of code, and this number is growing as cars become intelligent and networked, while mass-market PC operating systems have less than 40 million lines of code. Against such a contrast, information security risks in cars keep emerging. With the evolution of electronic and electrical architectures and the development of intelligent networked vehicles, autonomous driving and intelligent cockpit systems, which rely on artificial intelligence, visual computing, radar, monitoring devices and global positioning systems working together, collect more of users' personal information. According to data released by the Cyber Security Bureau of the Ministry of Industry and Information Technology, in recent years malicious attacks against related enterprises and platforms, such as vehicle manufacturers and vehicle networking information service providers, have reached more than 2.8 million; 85% of key components have security vulnerabilities; more than 80% of vehicle network connection platforms and apps have hidden risks in identity authentication and data leakage; and nearly 60% of enterprises lack automated network security monitoring and response capabilities.

More seriously, if someone takes advantage of vulnerabilities in the on-board system to control the car or disable important safety functions, people riding in smart cars or in their vicinity will face the risk of information leakage and even danger to their lives; supply chain organizations that rely on connected vehicles to transport goods or materials will face the risk of operational disruption; OEMs will face reputational losses; and suppliers of maintenance systems will face urgent pressure to perform software and hardware updates.

This would harm the whole industry chain of OEMs, suppliers and users. The information security problem is urgent: without intelligent vehicle network security, there is no smart car.


OEMs, wise only in hindsight

Most OEMs have accumulated many years of experience in traditional automobile safety, so the safety performance of the vehicle itself has reached a certain level, but in information security the OEMs have not done enough. In the past, OEMs treated the car as a product, and vehicle architecture was usually limited to a closed environment, so information security protection received little consideration. Driven by demand and technology, the car has changed from a product supplied by the OEM into a personalized service for users, and the shortcomings in information security are now fully exposed.

Since 2016, after car hacking incidents began to appear, most OEMs started to recognize the information security problem and to build up their automotive information security capabilities. But at the same time, the tide of intelligent networking surged forward, and in pursuit of vehicle connectivity OEMs connected the existing architecture directly to the Internet, so that security vulnerabilities in the originally closed system were completely exposed to the Internet and became targets of attack.

Back in July 2015, two well-known white-hat hackers, Charlie Miller and Chris Valasek, hacked into the in-vehicle system of a Jeep Cherokee and sent instructions to it remotely through software, activating various functions on the vehicle. If a user is driving an intelligent networked car that has been hacked, the hacker can remotely control the car's steering, braking and other functions; the user's information security is violated and, at the same time, the user's life is threatened.

The in-vehicle information system is inherently complex. Vehicle information security involves three systems: the cloud, the communication pipe and the in-vehicle end. The in-car app terminal, user data security, communication security, servers, in-car entertainment systems, AVN audio-visual navigation equipment, the AST80 encryption system and other related areas all carry the risk of information being attacked. As intelligent networked cars make interaction more diverse and Internet-oriented, the addition of the more complex subject of "people" brings greater challenges to the information security of in-vehicle interaction systems and makes information security in the car harder to maintain.

In summary, due to the limitations of traditional concepts and product positioning, information security protection started late and has a thin foundation. OEMs had only just begun to build up their information security capabilities when the wave of intelligent networking arrived, which leaves the already weak automotive information security system facing more severe difficulties and challenges.


A challenging industrial chain

It is undeniable that, while the industry is increasingly aware of the importance of maintaining information security, OEMs cannot take on this heavy responsibility at this point because of their own problems with the environment. Attention then turns to the information security system suppliers across the industry chain. Here the industry found that most vehicle information systems come from foreign software suppliers, and because these suppliers cannot provide source code, domestic enterprises have great difficulty carrying out information system security protection, which also restricts their ability to improve automotive information security.

Not only do information security systems need a breakthrough; achieving vehicle information security also requires supervision. First, it is necessary to establish an intelligent abnormal traffic monitoring mechanism based on deep learning and other technologies to improve the network security protection capabilities of automobiles; second, it is necessary to study communication encryption algorithms based on the 5G authentication framework to build trusted "human-vehicle-road-cloud" collaborative communication; and third, it is necessary to strengthen research on technology for monitoring and locating abnormal strong interference, to achieve collaborative positioning of the sources of abnormal interference to satellite navigation and other systems.

The need to maintain information security is mentioned constantly, but according to Zhaopin's recruitment survey, universities in the mainland have trained only a little more than 50,000 information security professionals in recent years, while total demand for information security talent exceeds 1 million people, a gap of up to 95%, and this demand is doubling every year. The talent shortage has become another important factor hindering the development of the industry.

For these reasons, a framework for vehicle information security cannot be achieved by the OEM or the supplier alone. Under the combined influence of technology, supervision and talent, the automotive information security system lacks a clear place in the industrial chain. Because the roles of OEM and supplier are not clearly defined, it has long been at the stage of "crossing the river by feeling the stones", with a great risk of leakage.


Improvement: policies and regulations follow up

In 2021, China also introduced many laws, regulations and policies to guide the development of automotive information security. On September 1, 2021, the Data Security Law and the Regulations on the Security Protection of Critical Infrastructure were promulgated and implemented; on October 1, 2021, the Several Provisions on the Safety Management of Automotive Data were promulgated and implemented; and the Personal Information Protection Law was issued on November 1, 2021. At the policy level, the Ministry of Industry and Information Technology has also issued a series of policy guidance documents, such as the "Guidelines for the Management of Intelligent Connected Vehicle Manufacturers and Product Access (Trial)" and "The Management Specification for Road Testing and Demonstration Application of Intelligent Connected Vehicles (Trial)". The guidance pointed out that communication security standards include in-vehicle communication and V2X communication security requirements, intelligent communication gateway security requirements and test methods, etc., and put forward protection requirements for the communication, data, software and hardware security of vehicles and vehicle systems.

At the standards level, the mandatory standards "GB Vehicle Information Security Technical Requirements" and "GB Automotive Software Upgrade General Technical Requirements" will also be introduced in 2022. Relevant state departments and third-party bodies, including the AutoMotive Standards Commission, are accelerating the formulation of standards, and major automobile manufacturers, suppliers and security companies are also contributing their expertise and capabilities. Industry experts generally believe that, before 2025, construction of the mainland automotive information security standard system is expected to advance rapidly.

Protection: multi-party cooperation to build a Great Wall of security

Information security problems have much in common across vehicles, so joint research on different vehicle information systems can find more vulnerabilities and solutions and help different vehicles improve information security as a whole; this is a necessary measure for improving automotive information security. At present, research on common technologies in the domestic automotive information security field is an important means of improving automotive information security in mainland China.


In December 2019, Mercedes-Benz announced that it had worked with 360, a leading domestic cybersecurity company, to fix potential vulnerabilities related to 19 Mercedes-Benz intelligent networked vehicles, setting a precedent for OEMs cooperating with technology companies on information security. The industry is increasingly aware that building automotive information security defenses requires the joint cooperation of OEMs, suppliers and Internet companies, and that it is difficult for any one party alone to improve the security of automotive information systems.

As multi-party cooperation continues to make breakthroughs, OEMs will keep improving their information security quality control over parts, and their security standards for parts suppliers and their internal security verification and testing capabilities will also be continuously updated. In 2018, Chery joined hands with Baidu to build the Apollo Automotive Information Security Laboratory. In 2020, Great Wall Motor established a partnership with the National Internet Emergency Response Center, Qihoo 360, Baidu Safety Laboratory, and China Automobile Center to carry out information security technology research and improve the level of vehicle information security protection. In addition, FAW, SAIC, Geely, Changan, Dongfeng and other representative OEMs in China are building their information security systems through multi-party cooperation, and as intelligent networked vehicles continue to reach the market, these systems will become more and more important.

At present, Shanghai Panqi Information Technology Co., Ltd., Victor, Lange Information Technology, Synopsys Technology and other companies in the industry are making continual breakthroughs in security protection technology based on cryptographic algorithms; Jida Zhengyuan, Xin great wall, Geer Software, Tiancheng Anxin and other companies are deeply engaged in security certification technology based on PKI; EB, bottle bowl, love encryption, Zizhi security and Jiwei security are pushing the boundaries of information security reinforcement technology for intelligent networked vehicles (T-box/IVI/app); and in intelligent vehicle network security testing technology, Keysight Technology, Desbeth, Open Source Cybersecurity, Neusoft, ETAS, Weichen Xin'an and other enterprises also have a strong voice.

In general, comprehensive data leakage prevention still takes a lot of effort. The information security solutions provided by major companies each have their own strengths in security policy management, configuration management, security capability management, security log management, and other functions such as specific security applications, covering data security, mobile security, secure cloud storage, encryption applications, and sensitive information protection.

In order to fully respond to the challenges of vehicle information security, Gaz Auto will hold the 2022 China Automotive Information Security and Functional Safety Conference on March 17-18, 2022 to understand the industry trend and clarify the development direction.