
A brief analysis of the automotive telematics security scheme based on domain-centralized architecture

At present, intelligence, networking and electrification are the general trend of automobile development, and major automobile companies and Internet companies are actively cooperating to jointly open a new era of cloud-connected vehicles. At the same time, attacks on intelligent and connected vehicles occur frequently, making the information security problem of automobile networks increasingly prominent.

In response to the issue of automotive network information security, Mercedes-Benz established a partnership with 360 Group in 2017, and the Sky-Go team of 360 Group's Intelligent Connected Vehicle Security Laboratory discovered 19 security vulnerabilities in Mercedes-Benz intelligent connected vehicles and fixed them. At the 2018 BYD Global Developer Conference, BYD and 360 Group formally signed a strategic cooperation agreement to jointly discuss and solve the information security and network security problems of smart cars. Ju et al. examine the application of Ethernet in automotive in-vehicle networks and the expectations for future automotive electrical and electronic (E/E) architectures. Wampler et al. have proposed corresponding universal security solutions for the CAN bus. Lee et al. have demonstrated the cyber vulnerability of cars and the urgency of establishing security solutions by conducting attack experiments on cars. Chen et al. have established a classified security protection evaluation system for vehicle information systems with reference to the classified security protection evaluation standards of traditional information systems. Haas et al. use artificial neural networks to establish an intrusion detection model for connected cars that filters attack data.

The above studies all address automotive network information security, but a network information security protection scheme for the intelligent connected vehicle system as a whole has not yet been proposed. From the perspective of automotive on-board network information security, this paper proposes a communication security architecture scheme for the automotive on-board network, which realizes a complete prevention-detection-early warning protection system by constructing a multi-domain hierarchical intrusion detection model.

Domain-centralized electrical and electronic architecture

Nowadays, the functions of intelligent connected cars are becoming more and more abundant, the number of electronic control units (ECUs) fitted has increased, and remote communication with the cloud and third-party apps is also increasing, which makes it possible to use the cloud and third-party software to carry out attacks. If the traditional distributed automotive electrical and electronic architecture is retained, too many ECUs will not only produce complex wiring harness design and logic control problems, but also add hidden dangers to the information security of the automotive network. All of these problems show that the distributed electrical and electronic architecture of modern vehicles needs to be reformed. The Society of Automotive Engineers has published J3061™, the Cybersecurity Guide for Cyber-Physical Converged Systems, which aims to promote the establishment of security processes between automotive electrical systems and other connected systems by unifying global standards. This article refers to the process defined in the functional safety standard for traditional vehicle systems, ISO 26262; the vehicle information security architecture diagram is shown in Figure 1.


Figure 1 Vehicle Information Security Architecture Diagram

The vehicle information security architecture is mainly composed of three parts: information security management, core information security engineering activities, and support processes. Information security management includes comprehensive management and information security management at all stages of the life cycle. Core information security engineering activities include the concept stage, the development stage of the vehicle system (at the software and hardware level), and the production and operation stage. In the concept phase an overall security project plan is developed, including identification of the network security boundaries and the external dependencies of the system, and analysis and assessment of potential threats to the system. In the development phase, a risk analysis of the vulnerabilities and threats of the vehicle system is carried out and the information security requirements and strategies are formulated; after the development phase is completed, penetration testing is carried out and the final security audit is completed. The production and operation phase mainly covers on-site monitoring of the product, incident response, and subsequent tracking management. The support processes provide auxiliary support for the above stages, including the corresponding configuration management, document management and supply chain management.

The vehicle information security development framework is shown in Figure 2. The system development and design phase is the basis for realizing vehicle information security, and the design of the vehicle information security system is attached to the system design of the automotive electrical/electronic (E/E) architecture. Therefore, the information security vulnerabilities of the automotive network should be checked, including the connection to the external environment (such as cloud servers, other vehicles and infrastructure), the connection to the in-vehicle network, the connection at the ECU level and the connection of individual components, in order to build a more secure E/E system and improve security from the system level. During the testing phase, the vehicle information security functions are inspected and tested, the security assessment is carried out, and the security of the vehicle information security architecture is verified. Throughout the vehicle information security development process, hardware design and software design should be coordinated, taking into account the safety and reliability of both software and hardware, to jointly realize network security.


Figure 2 Vehicle Information Security Development Framework Diagram

Taking Tesla as an example, we analyze the E/E architecture scheme of the car. Tesla is the leader of the automotive E/E architecture change: the Model 3's electrical and electronic architecture is divided into 3 parts, the central computing module (CCM), the left body control module (BCM_LH) and the right body control module (BCM_RH). The CCM directly integrates the two functional areas of driver assistance systems (ADAS) and infotainment systems (IVI), including external communication and in-vehicle system domain communication; BCM_LH and BCM_RH are responsible for the functions of the body and convenience systems, the chassis and safety systems, and part of the power system, respectively. All three modules use high-performance processors to meet the large computing needs of their functional domain; the remaining ECUs in each domain only control the car's peripherals, the systems within a domain communicate through a local network, and the modules communicate with each other through the bus, achieving basic security isolation.

The emergence of the domain-centralized electrical and electronic architecture provides solutions to the problems of information security and insufficient computing power. In the automotive domain-centralized electrical and electronic architecture, the car is divided into several functional blocks according to function, each built around a domain controller. Communication inside each functional domain uses different kinds of communication bus (CAN, LIN, FlexRay, MOST and others) according to the communication rate requirements of the different functions, while communication between functional domains uses Ethernet, with its higher transmission rate, to exchange information. The domain-centralized electrical and electronic architecture is shown in Figure 3. Domain controllers are primarily responsible for domain-to-cloud, domain-to-domain and intra-domain communication. The ECUs within a domain are only responsible for executing the device's operating instructions accordingly, using a controller with communication functions.


Figure 3 Domain Centralized Electrical and Electronic Architecture Diagram

Given the national conditions of mainland China, the domain-centralized electronic and electrical architecture of intelligent connected vehicles combines the application of intelligence, networking and electrification.

Compared with the previous distributed automotive electrical and electronic architecture, the lack of computing power is addressed by the domain controller: as the independent controller of each domain, it needs a processor with strong core computing power to meet the computing requirements of intelligent connected vehicles, and the industry currently offers solutions from NVIDIA, Huawei, Renesas, NXP, TI, Mobileye, Xilinx, Horizon and other brands. In terms of security protection, the domain-centralized architecture divides the vehicle into several independent function modules according to function and communication rate requirements. If an attacker wants to attack the vehicle through one function, the domain controller where that function is located can monitor and eliminate the hidden danger in time without affecting other functional domains, effectively reducing the possibility of the attack surface expanding.

Analysis of information security threats faced by intelligent connected vehicles

With the great expansion of vehicle connectivity functions, functions such as navigation positioning, automatic parking, remote control and diagnostics have gradually become the standard in automobiles. These functions bring great convenience to people, but also bring more security risks.

Depending on the way of attack, the security hazards of intelligent connected vehicles can be divided into the following 4 aspects, from farthest to nearest the vehicle:

(1) Cloud layer security risks. The cloud platform stores the key information of the car and can provide the car with road condition information, positioning and navigation, alarms, remote control and so on. If the cloud platform is hacked, a large amount of important data leaks and the consequences are unimaginable.

(2) Network transport layer security risks. Intelligent connected vehicles use wireless communication to exchange information with cloud platforms, mobile terminal apps, other vehicles, traffic infrastructure and other data sources, and the wireless communication methods may have security issues in identity authentication, data encryption, protocols and so on, so the car carries the corresponding security risks.

(3) Vehicle communication layer security hazards. With the increase in the external interfaces of vehicles, the security hazards of electronic control unit firmware during internal vehicle communication and the security hazards of the data transmission process have also increased.

(4) External interface security risks. At present there are many third-party apps on the market, of many kinds, and their security protection is also an important part of eliminating hidden dangers. If hackers break into an app, they may even remotely control the car directly. In addition, there are also security risks in the communication interface between the charging gun and the charging pile of an electric vehicle; once it is attacked, the energy system of the electric vehicle is damaged, which may endanger life.

Analysis of potential safety hazards of automotive on-board information

Vehicle-mounted smart terminal (vehicle-mounted T-BOX) attack

The vehicle-mounted T-BOX is mainly used for communication between the vehicle and the vehicle networking service platform, providing vehicle remote control, remote query, alarm and other functions. Under normal circumstances, the on-board T-BOX reads the internal CAN communication data of the vehicle and transmits it to the cloud platform or app through wireless communication. The security risks of the vehicle T-BOX mainly have 3 aspects: first, firmware reversing, where the attacker reverses the vehicle T-BOX firmware, obtains the key and decrypts the communication protocol; second, reading and analyzing internal data through the reserved debugging interface of the vehicle T-BOX to decrypt the communication protocol; third, sending instructions into the interior of the car through control instructions from a counterfeit cloud platform to achieve remote control of the car.

In-vehicle infotainment system (IVI) attack

In-vehicle infotainment systems are used for applications such as navigation, road condition broadcasting, vehicle information, communications, driver assistance, and CD/radio. Because of the rich functionality of the in-vehicle infotainment system, attackers can attack it through communication channels such as USB, Bluetooth and Wi-Fi, or gain access through software upgrades.

Diagnostic interface (OBD-II) attack

The automotive diagnostic interface OBD-II is the interface through which the automotive ECUs interact with the outside; its main function is to read the vehicle's data and fault codes for vehicle maintenance. Once the OBD-II interface is attacked, it can be used not only to crack the internal communication protocol of the car, but also to control the vehicle by implanting malicious hardware that sends control instructions.

Sensor attacks

Intelligent connected vehicles have a large number of sensor devices for communication between cars, between cars and people, between cars and roads, and between cars and the cloud. If a sensor is attacked through malicious information injection, eavesdropping or the like, a highly automated vehicle may not be able to correctly judge the behavior of its surroundings, with serious consequences.

In-vehicle network transmission attacks

Most of the internal network communication of the car uses CAN bus transmission, which has low cost, a moderate communication rate and strong resistance to electromagnetic interference, so it is widely used in automotive electronic control systems. However, the CAN bus uses non-destructive bus arbitration, its messages carry only a simple check and can be read by every node, and its security protection measures are weak. If an attacker uses the CAN bus for packet replay, denial of service, tampering and so on, the driver's control commands will fail and the car will not be able to drive normally.

Automotive Telematics Security Solutions

In terms of the information security protection of intelligent and connected vehicles, system security protection measures for active protection, intrusion monitoring and emergency handling are established according to the different stages of an attack, to ensure the information security of automobiles. Before an attack occurs, active protection is carried out: the car's communication data is screened and filtered to effectively prevent common attack methods. After an attack occurs, changes in the car's communication status are continuously monitored, emergency measures are taken at the attack point in time, and updates are issued in time to prevent danger.

Based on the current analysis of the applicability model of automotive information security technology, and combined with the new domain-centralized automotive electronic and electrical architecture, the vehicle multi-domain hierarchical intrusion detection model is constructed. Layered intrusion detection is carried out for the cloud layer, the domain controller layer, the ECU layer and the in-vehicle network transmission layer, and corresponding active protection measures are taken to achieve accurate protection. The multi-domain hierarchical intrusion detection diagram is shown in Figure 4.


Figure 4 Schematic of multi-domain hierarchical intrusion detection

Domain controller layer

In the new architecture, a domain controller is both the computing platform for the entire domain and the gateway for the exchange of information between domains and between the domains and the cloud. As the security boundary for the interaction of network information inside and outside the car, the domain controller is the focus of automotive on-board network security protection. Therefore, a security firewall is established at this security boundary to carry out security detection, access restriction, logging and other security checks on data, to achieve security protection.

A communication message of the car is composed of an ID, data, a check field and other parts. The ID determines the transmission priority and destination of the message, the data carries the operation instruction, and the check field ensures the integrity of the transmitted data.

The main role of the security firewall is to implement the access control function, and the automotive security firewall framework diagram is shown in Figure 5.


Figure 5 Security Firewall Framework Diagram

The firewall's access control function is implemented mainly on the basis of a whitelist database of automotive communication messages: once a message request is detected, the message ID is compared with the whitelist database; a successful match is passed and a failed match is discarded.

There are many kinds of anomaly detection techniques for firewalls; common ones include the intrusion anomaly detection method and methods based on neural networks, clustering, genetic algorithms, information entropy, association rules and so on. The intrusion anomaly detection method mainly analyzes the communication data of a large number of normally running cars, constructs a network security model of automotive communication, uses the model to monitor the behavior of users and systems, analyzes whether there is abnormal or illegal data activity, and records alarm records for users. Automotive messages are divided into periodic messages and event-triggered messages, and intrusion anomaly detection can be modeled separately for the two cases. For periodic messages, the intrusion detection model is built by setting a message cycle threshold and comparing the observed message cycle with the threshold. Event-triggered messages have no fixed transmission period, but the operation instructions of most messages are interrelated: for example, the car's speed signal and the brake signal are negatively correlated, and the accelerator pedal signal is positively correlated with the vehicle speed signal. Therefore, a positive/negative correlation intrusion detection model of communication messages is constructed through analysis of a large amount of data, and once the message correlation deviates greatly, it is judged as intrusion behavior and an alarm is raised. Since the computing power of the automotive chip is not enough to maximize security and real-time performance at the same time, the intrusion detection method used must detect intrusions effectively while guaranteeing real-time performance, and monitoring the car's on-board message flow is currently the most effective method. The intrusion detection flow of access control, communication standard detection and anomaly analysis in the security firewall is shown in Figure 6.


Figure 6 Intrusion Detection Flow
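As an added example that is not code from the original article, the following Go program implements the firewall flow just described: whitelist access control on the CAN ID, the cycle-threshold check for periodic messages, and the positive/negative correlation check for event-triggered messages. The whitelist entries, jitter tolerance, timestamps and signal windows are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Rule is one whitelist entry: expected period (0 for event-triggered IDs) and tolerated jitter, in seconds.
type Rule struct {
	Period, Jitter float64
}

// Firewall holds the whitelist database and the last accepted receive time per CAN ID.
type Firewall struct {
	rules    map[uint32]Rule
	lastSeen map[uint32]float64
	Alarms   []string // alarm records kept for the user, as the flow in Figure 6 requires
}

func NewFirewall(rules map[uint32]Rule) *Firewall {
	return &Firewall{rules: rules, lastSeen: map[uint32]float64{}}
}

// Check runs access control (ID must match the whitelist) and, for periodic IDs, the
// cycle-threshold test; it returns whether the frame received at ts may be forwarded.
func (f *Firewall) Check(id uint32, ts float64) bool {
	r, ok := f.rules[id]
	if !ok {
		f.Alarms = append(f.Alarms, fmt.Sprintf("drop: ID 0x%03X not in whitelist", id))
		return false
	}
	if prev, seen := f.lastSeen[id]; seen && r.Period > 0 {
		if gap := ts - prev; math.Abs(gap-r.Period) > r.Jitter {
			f.Alarms = append(f.Alarms, fmt.Sprintf("alarm: ID 0x%03X cycle %.4fs, expected %.4fs", id, gap, r.Period))
			return false // lastSeen is not advanced, so the next legitimate frame still fits its cycle
		}
	}
	f.lastSeen[id] = ts
	return true
}

// Pearson returns the correlation coefficient of two equal-length signal windows.
func Pearson(x, y []float64) float64 {
	n := float64(len(x))
	var sx, sy, sxx, syy, sxy float64
	for i := range x {
		sx, sy = sx+x[i], sy+y[i]
		sxx, syy, sxy = sxx+x[i]*x[i], syy+y[i]*y[i], sxy+x[i]*y[i]
	}
	den := math.Sqrt((n*sxx - sx*sx) * (n*syy - sy*sy))
	if den == 0 {
		return 0 // a constant signal has no defined correlation
	}
	return (n*sxy - sx*sy) / den
}

// CorrelationAlarm is the event-triggered model: wantNegative selects pairs expected to move
// against each other (speed vs. brake) rather than together (accelerator pedal vs. speed);
// a window whose correlation is weaker than minAbs in that direction is judged an intrusion.
func CorrelationAlarm(a, b []float64, wantNegative bool, minAbs float64) bool {
	r := Pearson(a, b)
	if wantNegative {
		return r > -minAbs
	}
	return r < minAbs
}

func main() {
	fw := NewFirewall(map[uint32]Rule{0x100: {Period: 0.010, Jitter: 0.002}, 0x200: {}})
	for _, ts := range []float64{0.000, 0.010, 0.012, 0.020} { // constructed timestamps
		fmt.Printf("ID 0x100 at %.3fs forwarded=%v\n", ts, fw.Check(0x100, ts))
	}
	fmt.Println(fw.Alarms)
}
```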

In-vehicle network layer

Intra-domain network transport security is the second line of defense. The on-board transmission network used varies with the communication requirements of the functional domain. Currently, with the exception of infotainment systems, CAN bus communication is mostly used. The broadcast characteristics of the CAN bus, its non-destructive bus arbitration and so on lead to weak security protection, so a communication security protocol needs to be developed.

The design of the communication security protocol consists mainly of two parts: verification of the ECU nodes and encryption of the transmitted data. Before the car is driven, the domain controller randomly assigns an identity to each ECU, and each ECU sends an authentication request to the domain controller for identity authentication, which ensures the legitimacy of the node and completes the verification of the ECU node. While the car is being driven, the communication on the on-board network needs to be encrypted to prevent attackers from eavesdropping and impersonation. Given the high real-time requirements of automobiles, data encryption uses the AES symmetric encryption algorithm. The ECU authentication process is shown in Figure 7, and the CAN communication encrypted message format is shown in Figure 8.


Figure 7 The ECU Authentication Process


Figure 8 CAN Communication Encrypted Message Format

Symmetric encryption requires little computation and is fast, which suits the large volume of automotive data communication. In a symmetric encryption algorithm, both the encrypting and decrypting parties must know the key in advance, and the sender and receiver use the same key to encrypt and decrypt the data. Based on the security and real-time requirements of automotive data, an independent encryption table can be established whose entries serve as keys, indexed by the successfully authenticated ECU ID and by the sending and receiving ECU of the data; and, according to the verification of the car's real-time performance, the encryption difficulty of the encryption table is adjusted accordingly to maximize the security of the data.
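The ECU authentication and encrypted CAN transmission described above, as an added Go example that is not code from the original article or any vendor: it assumes each ECU holds a secret provisioned at manufacture, that the domain controller's randomly assigned identity is authenticated by an HMAC challenge-response, that an encryption table entry is an AES-128 key derived per (sender, receiver) from a per-trip master key, and that each frame carries a counter and an AES-GCM tag (the layout of Figure 8 is not reproduced). AES-GCM with a frame counter is the added construction; the page names only AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assign draws a random identity and challenge for one ECU from the OS CSPRNG (first step of the Figure 7 flow).
func Assign() (id uint16, challenge [8]byte) {
	var buf [10]byte
	if _, err := rand.Read(buf[:]); err != nil {
		panic(err) // no entropy means no trustworthy session: fail closed
	}
	copy(challenge[:], buf[2:])
	return binary.BigEndian.Uint16(buf[:2]), challenge
}

// Respond is the ECU's authentication request, an HMAC-SHA256 over the assigned identity and
// challenge keyed with a manufacture-provisioned secret; Verify is the controller's constant-time check.
func Respond(secret []byte, id uint16, challenge [8]byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(binary.BigEndian.AppendUint16(nil, id))
	m.Write(challenge[:])
	return m.Sum(nil)
}
func Verify(secret []byte, id uint16, challenge [8]byte, resp []byte) bool {
	return hmac.Equal(resp, Respond(secret, id, challenge))
}

// PairKey is one encryption-table entry: an AES-128 key bound to (sender, receiver), derived from a per-trip master key.
func PairKey(master []byte, src, dst uint16) []byte {
	m := hmac.New(sha256.New, master)
	m.Write(binary.BigEndian.AppendUint16(nil, src))
	m.Write(binary.BigEndian.AppendUint16(nil, dst))
	return m.Sum(nil)[:16]
}

// gcmFor returns AES-GCM for a table key plus the 12-byte nonce (sender, receiver, frame counter), which must never repeat.
func gcmFor(key []byte, src, dst uint16, ctr uint32) (cipher.AEAD, []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here, which PairKey rules out
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	n := make([]byte, 12)
	binary.BigEndian.PutUint16(n, src)
	binary.BigEndian.PutUint16(n[2:], dst)
	binary.BigEndian.PutUint32(n[8:], ctr)
	return g, n
}

// Seal encrypts one CAN payload; the CAN ID is bound as associated data, so a frame re-sent under another ID fails to authenticate.
func Seal(key []byte, src, dst uint16, ctr, canID uint32, payload []byte) []byte {
	g, n := gcmFor(key, src, dst, ctr)
	return g.Seal(nil, n, payload, binary.BigEndian.AppendUint32(nil, canID))
}

// Open decrypts at the receiver; *last is the highest counter accepted for this pair, so replays are rejected before decryption.
func Open(key []byte, src, dst uint16, ctr, canID uint32, last *uint32, ct []byte) ([]byte, error) {
	if ctr <= *last {
		return nil, errors.New("stale or replayed frame counter")
	}
	g, n := gcmFor(key, src, dst, ctr)
	pt, err := g.Open(nil, n, ct, binary.BigEndian.AppendUint32(nil, canID))
	if err != nil {
		return nil, err
	}
	*last = ctr
	return pt, nil
}
```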

ECU layer

ECU-level security protection is mainly firmware protection: preventing firmware reflashing, external access, malicious modification and so on. Considering cost, different levels of security precaution need to be assigned to ECUs of different functions. A hardware security module is a hardware device used to protect and manage the keys used by a strong authentication system, while also providing the related cryptographic operations. The body domain ECUs use a lightweight hardware security module; the power domain ECUs, infotainment domain ECUs and assisted driving domain ECUs all use a medium-level hardware security module; and the body domain controller, power domain controller, infotainment domain controller and assisted driving domain controller all use heavyweight hardware security modules.

Starting from the development of intelligent connected vehicles, this paper has focused on the information security risks of intelligent connected vehicles, analyzed the protection of the information security of automotive on-board networks, established a domain-centralized electronic and electrical architecture for automobiles, and proposed a preliminary feasible scheme architecture for a complete information security protection model, from protection to intrusion detection and from data encryption to hardware encryption.

Reproduced from the network; the views in the text are only for sharing and exchange and do not represent the position of this public account. If there are copyright or other issues, please inform us and we will deal with them in a timely manner.
