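Automotive cyber security has become one of the issues worrying the entire industry. At the Connected Car Expo held during the 2015 Los Angeles Auto Show, experts laid out several measures the auto industry should take to address it. Two examples cited by Andre Weimerskirch, a research scientist at the University of Michigan's Transportation Research Institute, sounded the alarm for the industry.
First, the most noteworthy automotive cyber attack was the hacking of the Jeep Cherokee. In 2014, two cyber security experts, Chris Valasek and Charlie Miller, broke into a Jeep Cherokee's UConnect infotainment system over the Sprint network, which ultimately led Fiat Chrysler Automobiles (FCA) to issue a safety recall on multiple models. In this incident, the two "hackers" had no physical connection to the vehicle. Both now work at Uber's Advanced Technology Center, and are able to use the center's technical means to remotely apply or disable the brakes, and even shut off the vehicle's engine and change its direction of travel.
The second example is the hacking of the Progressive Insurance dongle. Corey Thuen, a security researcher at Digital Bond Labs, claimed that he had broken into the Progressive Insurance dongle through reverse-engineering and could restrict some of its functions, an incident that exposed the device's vulnerability. The dongle, supplied by Xirgo Technologies, monitors the driver's driving habits and reports them over the network; the insurer evaluates the information the device collects and adjusts the owner's premium accordingly.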
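"Everything can be hacked"
Weimerskirch said these are only two examples: "We can hack into almost any device." He laid out a frightening fact: an attacker familiar with IT needs only a tiny bit of automotive knowledge to start attacking cars.
Cadillac has announced that it will equip its 2017 CTS with V2V (vehicle-to-vehicle) communication. For the industry as a whole, dealing with automotive cyber security is now urgent, because other manufacturers have plans similar to Cadillac's. But Weimerskirch pointed out that concerns about automotive cyber security should not be limited to electronic communication between vehicles and smartphones or computers. He said: "Automotive security is very hard to guarantee, because the vehicle is a very complex product with thousands of components, and those components come from hundreds of different suppliers."
Weimerskirch said the auto industry is of course continually learning from other industries, but there is currently no cyber security solution it can simply adopt as-is. Enterprise IT solutions use hardware and control software supplied by large operators, so cyber security can be ensured, but the safety of cars once connected to the network is not yet assured, nor do those solutions meet the needs of mobile use. Supervisory Control and Data Acquisition (SCADA) systems perform industrial control, and the safety of connected equipment is already assured, but they have not reached the stage of mobile use either. Smartphones, he said, particularly the iPhone, have developed some relevant solutions, but these are not specifically aimed at improving safety. "Even so, the iPhone does get a lot of things right," Weimerskirch said.
According to Weimerskirch, about 15 years ago researchers found that formally verified source code and interfaces could make for more robust electronic architectures. They saw the value back then, yet to this day these architectures still cannot be used.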
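Raising confidence through fusion
Weimerskirch said autonomous driving will bring all kinds of radar sensors, cameras and wireless connectivity onto the automotive stage. He told the forum that all of these can be hacked; the difference is that wireless is the easiest and cameras the hardest. Although cameras can be covered, their images cannot be forged. The difficulty of hacking lidar and radar sensors lies somewhere in between.
Weimerskirch added that we must therefore take measures to raise the security of wireless connectivity, sensors and cameras, and fuse them into one system whose confidence level is kept within an acceptable range. That may mean some vehicle functions will be temporarily limited until the system's security level reaches a certain point, and only then can development continue.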
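The need for an automotive cyber security degree program
Karl Heimer of the consultancy AutoImmune, one of the State of Michigan's cyber security consultants, believes that securing vehicles depends on training talent. The auto industry currently has no professionals trained in automotive cyber security engineering, because no such degree program exists. Heimer said such a program must be established, and its graduates should have a background in hardware and electrical engineering, knowledge of computer science, and an understanding of how cars work.
He added that students in this program should also do internships at an OE manufacturer, a supplier or a cyber security company. "Spending every day with makers and developers, you simply cannot learn how hackers carry out attacks." So students must get to know the people who actually launch the attacks. The ultimate goal of the program is to supply OE manufacturers with cyber security staff who can do R&D work or handle assessment/quality assurance.
Heimer noted that every OE manufacturer and supplier has different needs and should therefore take different measures, but the Michigan Economic Development Corp. is trying to develop a common foundational curriculum that all universities can adopt.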
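New initiatives, new policy
At the annual SAE Battelle Cyberauto Challenge workshop, experts agreed that opportunities in cyber security education are growing. The workshop runs for five days, and participants use it to discuss the latest trends in the automotive field. The next one will be held July 25-29, 2016.
David Strickland, an attorney who formerly served as administrator of the U.S. National Highway Traffic Safety Administration (NHTSA), noted that legislators have already begun debating the SPY Car Act of 2015. The bill reportedly requires vehicles to "reasonably" adopt a range of measures, including intrusion detection, to protect themselves against cyber attacks. Of course, Congress does not know exactly how to do this, so the job naturally falls to NHTSA and the Federal Trade Commission.
Strickland also mentioned the newly established Auto ISAC, the Auto Information Sharing and Analysis Center. He said its creation is the first step by auto industry members, carmakers and suppliers alike, toward sharing cyber threat information.
At present, OE manufacturers use independent test methods and equipment, and the experts present raised concerns about this, because such devices may connect to the car through the vehicle's CAN bus or the infotainment system's wireless network, giving hackers an opportunity to attack.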
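The effect of security on features
Weimerskirch said we must rely on design to ensure security rather than simply blocking the entry points for information into the infotainment system, and the other panelists agreed: "We know how to do that." Heimer added that we cannot defend against cyber attacks by hiding the contents of packets needed for diagnosis; instead, design should ensure that a packet's contents are not tampered with and the commands it carries are not intercepted.
The panelists all agreed that because cyber security risks remain, some vehicle features cannot yet deliver their best performance. Weimerskirch gave an example: if the wireless network is hacked, cars traveling on the road must keep a greater distance from one another, because the system then has to go back to reading data from radar and cameras and make real-time adjustments on the road. Heimer added that what owners can download will also be limited; "you can't expect the OE manufacturer" to pay for all the risks that come with an owner's downloads.
The speakers acknowledged that "over-the-air" software updates are essential to improving vehicles' resistance to cyber threats. They pointed out that Tesla's over-the-air updates are far better than mailing flash drives to owners to update software. Other manufacturers have already expressed their intention to move to over-the-air updates.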
Author: Paul Weissler
Source: SAE Automotive Engineering magazine
Translation: SAE Shanghai office
Cyber security issues, need for college curriculum raised at Connected Car Expo
Automotive cyber security is moving to the front of the line of industry concerns, and panelists at the recent 2015 Los Angeles Auto Show's Connected Car Expo outlined approaches that the industry should take. A pair of loud wake-up calls were cited by Andre Weimerskirch, a research scientist at the University of Michigan's Transportation Research Institute.
The most noteworthy auto cyber hack was a project by Chris Valasek and Charlie Miller, now researchers at Uber Advanced Technology Center, in which they remotely could apply or disable the brakes, even kill the engine and affect steering. Their work, applied to a 2014 Jeep Cherokee, through the UConnect infotainment system with Sprint cellular, led to a Fiat Chrysler Automobiles safety recall on a wide range of models. The control was exercised without physical access to the vehicle itself.
Still another security researcher, Corey Thuen of Digital Bond Labs, claimed he had reverse-engineered the Progressive Insurance dongle, and performed limited functions that indicated it was vulnerable. The dongle, supplied by Xirgo Technologies, monitors driving patterns, reports via cellular, and the information is used to adjust policy rates.
"Hack into everything"
Those were just examples, Weimerskirch said, adding, "we can hack into pretty much everything that's out there." A fearsome issue he cited: an attacker just needs a tiny bit of automotive background because, assuming familiarity with enterprise IT, he/she can hit the car.
Cadillac's announcement that it will introduce V2V (vehicle-to-vehicle) communication on the 2017 CTS gives a sense of urgency within the industry, as the rest of the industry is preparing to do the same. But, he pointed out, the car raises concerns beyond electronic communication via smartphones and computers. Weimerskirch noted three primary issues: "safety, a super complex supply chain with hundreds of suppliers, and a complex product—the car with thousands of components."
The auto industry, of course, is looking at what other industries are doing, Weimerskirch said, but there is no other application from which the auto industry could just adapt cyber security solutions. Enterprise IT, which deals with the hardware and control software systems used by large operations, must be cyber-secure, but it doesn't involve the same level of safety or mobile use. SCADA (Supervisory Control and Data Acquisition) deals with industrial controls, so safety is involved, but not mobile use. Smartphones, he said, particularly the iPhone, have developed relevant solutions, but not in the area of safety. "However, [the] iPhone does a lot of stuff right," he added.
Some 15 years ago, Weimerskirch continued, researchers saw the value of more resilient electronic architectures with formally verified source code and interfaces, and today we're still not using them. "So let's start," he urged.
Fusing to raise confidence level
The move to autonomous driving, he said, will bring in use of various types of radar sensors, cameras, and wireless. Each can be hacked, with wireless the easiest and cameras the hardest. Although cameras can be blinded, their images can't be forged. Lidar and radar sensors are somewhere in between, he told the forum.
So the approach, Weimerskirch continued, must be to take the security levels of wireless, sensors, and cameras, and fuse them into a system that raises the total confidence level to an acceptable perch. That is likely to mean that some features will have to be limited until the security level can be made high enough.
Cybersecurity curriculum
This work will require trained talent, observed Karl Heimer of AutoImmune, a cyber security consultant to the State of Michigan. There are no cybersecurity engineering degree graduates, because there is no degree program in the subject. A curriculum is needed, he said, including a good background in hardware/electrical engineering, education in computer science, and how automobiles work.
The degree program, he added, also should include internships at either an OE manufacturer or supplier and a hacking company. "You don't get to understand how break-ins occur by being with a maker or developer," he said. So the interns have to live with the people who actually do the hacking. The objective is for the OE to end up with cyber security people who can work in development or assessment/quality assurance.
He noted that each OE maker and supplier has different needs and therefore likely different approaches, but the Michigan Economic Development Corp., working in curriculum development, is trying to establish a common base that colleges can adopt.
New initiatives, legislation
Cyber security education opportunities are proliferating, the panelists agreed, pointing to the annual SAE Battelle Cyberauto Challenge, a five-day workshop to identify trends in the field (the next is July 25-29, 2016).
David Strickland, an attorney who once headed NHTSA, noted that legislators already are in the fray, with the SPY Car Act of 2015 requiring vehicles to be "reasonably" equipped to protect against hacking, including intrusion detection systems. Naturally, Congress doesn't know how to do this, so it assigns the job to NHTSA and the Federal Trade Commission.
He also pointed to Auto ISAC (Auto Information Sharing and Analysis Center), a consortium which has just gone live. Strickland described it as a foundational step to share information about cyber threats among industry members, who include carmakers and suppliers.
Forum attendees expressed concern about the possible effect of OE cyber security measures on the access of independent mechanics and their test equipment to the vehicle's CAN (Controller Area Network) buses, which also are entry points, via infotainment systems' wireless, for hackers.
Security effect on features
Weimerskirch said security, therefore, must be by design, not by obscurity (denying access to the information); "we know how to do that." The other panelists agreed. Heimer added that it should not be necessary to hide the contents of a packet needed for diagnosis, and secure design would prevent it from being changed or the command it contains from not going through.
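The integrity half of Heimer's point, as an added example that is not from the article or the panel: a diagnostic frame whose payload stays readable but carries a truncated HMAC and a freshness counter, so a receiver rejects altered or replayed frames. The panel named no mechanism; the key, tag length, frame layout and sample frame are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))  # constructed demo key; real keys would be provisioned per device pair
TAG_LEN = 8             # truncated tag length (assumption for this sketch)
CTR_LEN = 8             # 64-bit freshness counter (assumption for this sketch)


def _tag(key: bytes, frame_id: int, counter: int, payload: bytes) -> bytes:
    # The tag binds the frame ID, the counter and the payload together.
    header = struct.pack(">IQ", frame_id, counter)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def protect(frame_id: int, payload: bytes, counter: int, key: bytes = KEY) -> bytes:
    """Return payload || counter || tag. The payload is NOT encrypted."""
    return payload + struct.pack(">Q", counter) + _tag(key, frame_id, counter, payload)


class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = {}  # frame_id -> highest counter accepted so far

    def accept(self, frame_id: int, message: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(message) < CTR_LEN + TAG_LEN:
            return None
        payload = message[:-(CTR_LEN + TAG_LEN)]
        (counter,) = struct.unpack(">Q", message[-(CTR_LEN + TAG_LEN):-TAG_LEN])
        expected = _tag(self.key, frame_id, counter, payload)
        if not hmac.compare_digest(message[-TAG_LEN:], expected):
            return None  # changed in transit, or sent by a party without the key
        if counter <= self.last_counter.get(frame_id, -1):
            return None  # replay of a previously accepted frame
        self.last_counter[frame_id] = counter
        return payload


# Constructed sample: a readable diagnostic request on a constructed frame ID.
SAMPLE_ID = 0x7DF
SAMPLE_PAYLOAD = b"\x02\x01\x0c"
```

A test tool without the key can still read every payload, which is the access the forum attendees were concerned about; only the ability to inject or alter commands depends on the key.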
Cyber security is likely to affect the maximum performance of some features, the panelists agreed. Weimerskirch said, for example, that the distance maintained between a roadway line of cars might have to be increased because if the wireless were hacked, the system would have to fall back on readings from radar and camera with on-board adjustments. Heimer added that car owners might have to be limited in what they can download; "you can't burden an OE" with the threats of any download choice the driver makes.
To improve vehicle protection against cyber threats, "over-the-air" software updates are essential, the speakers conceded, pointing to Tesla's success in that area as a superior approach to sending out flash drives for owners to use. Other makes have indicated their future intentions to do the same.