26–27 September 2017

Tokyo, Japan


Interview with Arthur Taylor, CTO of Advanced Telematic Systems

Secure Over-the-Air (OTA) software updates will be key to delivering the future promise of connected and autonomous cars, throughout the vehicle lifecycle. Arthur Taylor, CTO of Advanced Telematic Systems GmbH, is one of the world’s leading experts in secure automotive OTA technology. We caught up with him to find out more.

What are the key issues when it comes to ensuring the security of an OTA update solution?

When we consider the security of OTA solutions, we tend to think of three main aspects - a sound architectural design, a high-quality implementation of that design, and operational security in deployment. From an architectural point of view, the best OTA solutions have peer-reviewed security architectures; OTA solutions that depend solely on in-house security expertise are not able to take maximum advantage of the work going on in the community and in publicly funded security research into the topic of automotive cybersecurity.

In terms of implementation, we believe that transparency is key here. Implementations should at the very least be audited (both source code and production deployment) by independent third-parties on a regular basis, and the source code should in the best case be available for review by the customer themselves. The use of well-maintained open source components can be key here, increasing the likelihood that the code has been reviewed in depth by multiple people, and giving the customer ultimate transparency of implementation.

When it comes to security in deployment, a rigorous approach to identity and access management, for software and update metadata signing, for device and user authentication, and for operational staff administering the systems, is critical. Finally, a robust process for disclosure and resolution of reported security issues in the OTA solution should be in place - this should be a core element of the security posture of any credible OTA solution vendor.

What is Uptane and why is it important?

Uptane is a research project carried out in 2016 by NYU, UMich and SwRI in the United States, funded by the US Department of Homeland Security. It builds on existing research into secure software update systems (derived from the Tor Browser project), and extends an existing security framework (TUF) to address automotive threat models and use cases.

This work is important because it shines a bright light on what have previously been hidden processes inside OEMs and OTA vendors. The automotive industry has traditionally been very good at addressing safety issues in software systems, and there is extensive legislation and best-practice guidance on the topic of safety, but it has been slow to define and adopt standards in security.

Some manufacturers treat their security architectures as confidential trade secrets, in the hope that hiding the system architecture from attackers will protect the deployed systems from attack, but there is ample evidence from automotive security breaches in recent years (as well as from the long history of information security) that this approach is flawed. By creating an open, peer-reviewed architecture for OTA that is already being adopted as a de facto standard in OTA security in the industry, Uptane has given manufacturers and regulators a tool that they can start to use to encourage better security practices for OTA within the industry.

You are firmly of the view that an open-source approach to security of SOTA platforms is the best way to protect connected vehicles. Why is that?

I certainly believe that open source systems offer adopters more confidence in their security than their proprietary equivalents. It is a well-established principle in the design of secure systems that one should assume that your adversary will immediately gain full familiarity with them. One way to ensure that a system is not depending on security by obscurity is to publish the implementation for the world to review.

Aside from that, collaboration between software vendors and manufacturers to develop core, non-differentiating technologies in the open makes much more economic sense than tens of companies independently and secretly developing the same technology to solve a problem that doesn't intrinsically help car manufacturers to differentiate their products. That said, I do not believe that the deployment of SOTA, in and of itself, is enough to fully protect connected vehicles. Vehicles must include multiple independent security mechanisms - trusted hardware platforms, secure boot and secure software platforms, cryptographic key management, secure communications channels, runtime cybersecurity protections - and manufacturers must have a comprehensive approach to security throughout their entire organisation and the organisations of their suppliers.

A robust and secure SOTA platform can only help mitigate the impact of vulnerabilities in connected vehicle systems – it cannot prevent them existing in the first place, and it does not guarantee that a manufacturer is organisationally ready to respond to the challenges of modern automotive cybersecurity.
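The interview above refers to signing of software and update metadata, and to Uptane extending TUF for vehicles. The following is an added example, not code from the original page and not the code of Advanced Telematic Systems or of the Uptane project: a minimal Go verifier for a TUF/Uptane-style "targets" metadata file, showing the checks a client performs before trusting an image. It assumes Ed25519 keys, Go's JSON encoding as the canonical signed form, and constructed key ids, image bytes and version numbers; the real Uptane specification also defines root, snapshot and timestamp roles, a canonical JSON format, and separate director and image repositories, all of which are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TargetInfo describes one update image: its byte length and SHA-256 digest.
type TargetInfo struct {
	Length int    `json:"length"`
	SHA256 string `json:"sha256"`
}

// Targets is the signed body of a TUF/Uptane-style "targets" metadata file.
type Targets struct {
	Version int                   `json:"version"`
	Expires time.Time             `json:"expires"`
	Targets map[string]TargetInfo `json:"targets"`
}

// SignedTargets carries the body plus one signature per signing key id.
type SignedTargets struct {
	Signed     Targets
	Signatures map[string][]byte // key id -> Ed25519 signature over canonical(Signed)
}

// Role is the verifier's trusted view of who may sign: public keys and a threshold.
type Role struct {
	Keys      map[string]ed25519.PublicKey
	Threshold int
}

// canonical is the byte form that is signed and verified. Go's encoding/json
// sorts map keys, so the same body always serialises identically here
// (assumption: a stand-in for the canonical JSON the TUF spec requires).
func canonical(body Targets) ([]byte, error) { return json.Marshal(body) }

// SignTargets signs the body with every supplied private key.
func SignTargets(body Targets, signers map[string]ed25519.PrivateKey) (SignedTargets, error) {
	msg, err := canonical(body)
	if err != nil {
		return SignedTargets{}, err
	}
	st := SignedTargets{Signed: body, Signatures: map[string][]byte{}}
	for id, priv := range signers {
		st.Signatures[id] = ed25519.Sign(priv, msg)
	}
	return st, nil
}

// VerifyTargets performs the metadata checks: enough valid signatures from
// trusted keys, not expired, and no rollback below the last trusted version.
func VerifyTargets(st SignedTargets, role Role, lastVersion int, now time.Time) error {
	msg, err := canonical(st.Signed)
	if err != nil {
		return err
	}
	valid := 0
	for id, sig := range st.Signatures {
		pub, ok := role.Keys[id]
		if !ok {
			continue // signatures from unknown keys never count toward the threshold
		}
		if ed25519.Verify(pub, msg, sig) {
			valid++
		}
	}
	if valid < role.Threshold {
		return fmt.Errorf("only %d of %d required signatures are valid", valid, role.Threshold)
	}
	if !now.Before(st.Signed.Expires) {
		return errors.New("targets metadata has expired")
	}
	if st.Signed.Version < lastVersion {
		return fmt.Errorf("rollback: version %d is older than trusted version %d", st.Signed.Version, lastVersion)
	}
	return nil
}

// VerifyImage checks a downloaded image against the verified metadata entry.
func VerifyImage(st SignedTargets, name string, image []byte) error {
	info, ok := st.Signed.Targets[name]
	if !ok {
		return fmt.Errorf("%q is not listed in the targets metadata", name)
	}
	if len(image) != info.Length {
		return fmt.Errorf("length mismatch for %q: got %d, want %d", name, len(image), info.Length)
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != info.SHA256 {
		return fmt.Errorf("digest mismatch for %q", name)
	}
	return nil
}

// buildExample constructs the demo scenario (constructed data, not a real
// vehicle deployment): three trusted keys with threshold two, one image,
// and metadata signed by only two of the three keys.
func buildExample() (SignedTargets, Role, []byte, error) {
	role := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: 2}
	signers := map[string]ed25519.PrivateKey{}
	for _, id := range []string{"key-a", "key-b", "key-c"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return SignedTargets{}, Role{}, nil, err
		}
		role.Keys[id] = pub
		signers[id] = priv
	}
	delete(signers, "key-c") // key-c is trusted but does not sign this release
	image := []byte("constructed ECU firmware image v2 (not a real binary)")
	sum := sha256.Sum256(image)
	body := Targets{
		Version: 2,
		Expires: time.Now().Add(24 * time.Hour),
		Targets: map[string]TargetInfo{"ecu-fw.bin": {Length: len(image), SHA256: hex.EncodeToString(sum[:])}},
	}
	st, err := SignTargets(body, signers)
	return st, role, image, err
}

func main() {
	st, role, image, err := buildExample()
	if err != nil {
		panic(err)
	}
	fmt.Println("metadata:", VerifyTargets(st, role, 1, time.Now()))
	fmt.Println("image:", VerifyImage(st, "ecu-fw.bin", image))
	st.Signed.Version = 99 // any edit to the signed body invalidates every signature
	fmt.Println("edited metadata:", VerifyTargets(st, role, 1, time.Now()))
}
```

The order of the checks matters: the image digest is only meaningful once the metadata that carries it has passed the signature, expiry and version checks, which is why `VerifyImage` is never called on unverified metadata.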


Life imprisonment for car hacking. Is that a good idea?

Lawmakers in the US state of Michigan are now so worried about car hacking that they’ve proposed making it punishable by life in prison.

Michigan Senators Ken Horn and Mike Kowall have proposed a cybersecurity bill targeting the hacking of connected and autonomous cars. While Senate Bill 928 sets out the type of crime and corresponding sentencing guidelines for car hacking, Senate Bill 927 spells out that car hacking will be a felony. The legislation says car hacking will be punishable by life in prison.

Automotive News quoted Kowall as saying, “I hope that we never have to use it. That's why the penalties are what they are. The potential for severe injury and death are pretty high. Some of these people are pretty clever. As opposed to waiting for something bad to happen, we're going to be proactive on this and try to keep up with technology.”

Sounds sensible. Critically, though, the wording of the bill would appear to outlaw any form of ethical hack executed without the express permission of the owner or the manufacturer:

“A person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to wilfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle”

Wait a minute! Nobody wants a future in which hackers are taking control of and crashing cars for mischief or criminal ends. The penalties for wilfully endangering the lives of innocent people must be as severe here as they are in other spheres of industry or life. But if security researchers can’t probe for vulnerabilities without the possibility of facing felony charges, surely we’re all less safe?

Would we have been better off not knowing that it was possible to remotely take control of a Jeep as it drove along a highway? The history of IT security thus far strongly suggests that we need openness to discover the flaws and vulnerabilities that lead to compromised safety for users.

Louis Brandeis, Supreme Court Justice (and the man who, arguably, did more than anyone to define modern notions of the individual right to privacy) put it rather better a century ago:

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is the best of disinfectants”

Let’s hope the US Senate is able to come up with legislation that can more sharply discriminate between threat actors with malicious or reckless intent and those upon whom we sometimes have to rely to expose some of the more tired and lazy engineering that might just lurk within the vehicles we buy.


How not to handle being hacked

In November 2015, toy maker VTech suffered a serious data breach that compromised the personal details of 11 million of its customers, more than 6 million of whom were children. Unencrypted data lost included names, addresses, email addresses, download history and secret security questions. The account passwords themselves had not been stored in the clear, but were protected only by the weak and inadequate MD5 hash.

So far so bad. As a toy manufacturer, it’s reasonable to assume that VTech does not have the same strength and depth in information security that one might expect from, say, a bank or a nuclear facility. But as with the automotive industry, once a business starts introducing connected features and services as a product benefit, it must accept responsibility for keeping the resulting personal data safe and private. That includes taking every reasonable precaution to protect against the full spectrum of known threats, with all the expense and management time that entails.

So how did VTech respond? Well, they issued the press release that many other companies have found themselves having to issue, including the assurance that they

“immediately conducted a thorough investigation, which involved a comprehensive check of the affected site and implementation of measures to defend against any further attacks”.

Interestingly, there was no press release heralding their next action. The company quietly updated its terms and conditions, adding the following disclaimer:

“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.”

“Recognising such, you understand and agree that, to the fullest extent permitted by applicable law, neither VTech or its suppliers […] will be liable to you for any direct, indirect, incidental, special, consequential, punitive, exemplary or other damages of any kind…”

In other words: I pay to use your service; you get breached because the security you put in place isn’t up to scratch; my privacy is compromised; it’s my problem, not yours.

Good luck making that argument in a court of law in most industrialised economies.

Good luck with the sales too. What parent would feel even remotely comfortable buying a toy from a company that blatantly and unapologetically tells them they shouldn't have any expectation of privacy?

This must be quite close to a perfect illustration of what companies should NOT do following a data breach: shift the burden of responsibility onto the customer, instead of owning it within the company, taking specific action and communicating the effect of that action to reassure their customers and protect their brand.

Watch what happened when the BBC’s technology correspondent questioned VTech representatives at a trade show a couple of days ago.

I have a feeling this will make it into a few media training videos.

There are few (if any) absolutes in security. Even the best systems carry some tiny risk of being compromised. But whether you’re making toy cars or real cars, strong security is ultimately a burden to be borne by the manufacturer making the product or providing the service.

I for one hope VTech stick to toy cars.