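- When the "ABS" indicator light on the dashboard stays lit, it means the vehicle's anti-lock system has a problem, and the ABS function has to be disabled in order to bleed the system; disabling the "ABS function" here may give hackers an opening.
- "Bleed Brakes" is a routine procedure that is used very often in ABS-related service. Pressing the button starts the bleed procedure, and a hacker who gains wireless access to the vehicle over Bluetooth (as in this example) or Wi-Fi can use this button to disable the vehicle's ABS.
- The ABS hydraulic unit (pictured) is usually installed under the hood. It uses several rows of solenoid valves to regulate the level of hydraulic actuation during hard braking, preventing the vehicle from skidding because the wheels have locked.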
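The 2016 SAE Congress forum on Connectivity sounded more like a military operations meeting held in a war room, with terms such as "notification of attack" and "assets deployed" coming up at any moment, and with everyone talking about "new alliances" and "global risks." In a sense, the forum really was a "war council."
Cybersecurity is now an urgent problem, and the industry must come up with advanced measures to actively defend against cyberattacks. The auto industry's answer is similar to the aviation industry's: establishing an Information Sharing and Analysis Center (ISAC).
Faye Francy, executive director of the aviation ISAC, explained that the center provides a framework for collecting information and anonymously analyzing any common threat that could attack all manufacturers' architectures. Like the aviation ISAC, the automotive ISAC, which has just become operational, will also serve as a central intelligence-gathering hub, tracking cyber threats across the auto industry and identifying common weaknesses in electronic components; that is, it will focus mainly on threats that could affect more than one manufacturer.
The automotive ISAC was formed by two industry associations and currently has 22 members. Francy said, "To some extent, you could say we have been under attack all along."
At this year's congress, the forum panelists stressed from several angles the problems posed by malware intrusion into vehicles. Brian Murray, Global Director of Safety and Security Excellence at ZF TRW, said the threat of hackers will "destroy people's trust."
Dan Massey, cybersecurity program manager at the U.S. Department of Homeland Security (DHS), said, "If people feel that something is unsafe, whether that is actually the case no longer matters; even if no real harm has occurred so far, it will not change how people see it." In addition, Doug Britton, CEO of Kaprica Security, said, "As long as there is harm, it will cause people concern, and exactly how many times it happens usually doesn't matter."
"Individual incidents are enough to alarm the public; you don't need to count whether the number of incidents reaches 50,000," Britton said. "Usually 10 cases are enough to get people's attention."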
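Vulnerability in the ABS (anti-lock braking) system's service command
Andrew Weimerskirch, a cybersecurity expert at the University of Michigan, pointed out that a command to disable the vehicle's anti-lock braking system (ABS) is often used during vehicle service, and that this command risks exposing a serious vulnerability. For many years, service technicians have used this command to purge air from the anti-lock module of the vehicle's hydraulic brake system. In the most common example, a technician replacing a vehicle's brake modulator first uses this command to clear all air from the circuit, ensuring that brake fluid fills the entire circuit.
In general, almost all scan tools on the market, even the most basic ones, have the ABS-disable function built in, and a hacker can reach the command through the OBD II gateway or an installed dongle, which is why this function has become an automotive cybersecurity vulnerability. "This function simply should not exist," Weimerskirch said.
However, given the ABS control configuration of most current models, isolating this function may not be simple. More importantly, the ABS-disable function is only one of the threats we face. ZF TRW's Murray spoke about the overall problem of "secure service access," telling attendees that electronic service settings and trouble code modifications are generally made late in vehicle development, mainly for warranty purposes.
DHS's Dan Massey also pointed to weaknesses that built-in functions may expose. He said, "Sometimes my daughter, who is only in fifth grade, can pair her own phone with someone else's car."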
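Effect of Right-to-Repair laws
Under state Right-to-Repair laws, such as the regulation about to take effect in Massachusetts, all auto repair shops, even independent shops that are not authorized, can obtain the full set of vehicle diagnostic commands. In other words, basically anyone willing to pay the access fees can get these commands. Although dealer technicians should be "trustworthy," several cybersecurity experts, including Weimerskirch, have made one message clear: vehicle protection must be built on the premise of "securely passing through the vehicle's original manufacturer information," which means ensuring that nobody, technicians included, can modify the vehicle through external functions.
However, these cybersecurity experts must themselves deal with the problems these vehicle commands bring. For example, under Right to Repair, Volkswagen would have to publish information about the software that controls operation of the electric power steering and shuts off the engine.
ZF TRW's Murray said the remote key fob has also become a serious vulnerability. He reminded the audience, "If you lose your car keys, you should turn that key into a 'brick.'"
Weimerskirch said at the session that many ideas for improving automotive cybersecurity have now emerged. But first a test platform must exist so that developers can validate these ideas. Kaprica's Britton also spoke about a related issue: we need to make sure these many and varied ideas "do not exist only in piles of documents."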
Author: Paul Weissler
Source: SAE Automotive Engineering magazine
Translation: SAE Shanghai office
New auto "ISAC" is framework for improved cybersecurity
The 2016 SAE Congress forum on Connectivity sounded like a meeting in a war room—peppered with terms like "notification of attack" and "assets deployed" along with talk of "new alliances" and "global risks." And in a sense, it was such a discussion.
The urgency of the cybersecurity topic has created the need for advanced approaches to defense. The auto industry has formed an overarching answer that is similar to what already has been done in aviation—an Information Sharing and Analysis Center (ISAC).
The aviation ISAC is a framework to collect for analysis, anonymously, anything that could attack all OE architectures, explained Faye Francy, executive director. The automotive equivalent, which has just become operational, also will serve as a central hub for gathering intelligence to track cyber threats and identify weaknesses in vehicle electronics that are common to more than one manufacturer.
Auto-ISAC, formed by two industry associations, has 22 members. "We're all getting attacked at some level," Francy said.
The openness of the automobile to malware intrusion was one issue addressed in different ways by the forum panelists. The threat of hackers "drives a wedge into people's trust," said Brian Murray, ZF TRW Global Director of Safety and Security Excellence.
If there's a perception that something is not safe, it doesn't matter to the public, even if there is no physical or kinetic damage to date, added Dan Massey, program manager on cybersecurity at the U.S. Department of Homeland Security (DHS). And when there is damage, the absolute numbers often aren't important, claimed Doug Britton, CEO of Kaprica Security.
"A small number is enough; you don't need 50,000," Britton noted. "You could do it with 10."
ABS service command an issue
A serious issue could be posed by so common a vulnerability as the command to disable the vehicle’s ABS (anti-lock brakes) actuator, noted Andrew Weimerskirch, cybersecurity researcher at the University of Michigan. Automotive service technicians have had to use this command for many years to permit bleeding the ABS section of the hydraulic brake system, particularly when a new brake pressure modulator valve assembly is installed, so as to purge any air and fill the circuits with brake fluid.
The ABS disabling capability is routinely built into all but the most basic scan tools, and a hacker accessing it through an OBD II gateway or an installed dongle could raise it to the level of a threat. "This command should not exist," Weimerskirch said.
However, with current ABS control configurations, isolating it is not necessarily simple on many cars. And it’s just one example. The entire problem of secure service access was observed by ZF TRW's Murray. He told the attendees that electronic service decisions and trouble code modifications typically come late in the vehicle design cycle, when warranty concerns may be raised.
The present level of built-in vulnerability was raised by the DHS's Dan Massey. "Sometimes my fifth grade daughter has been able to pair her phone with another car," he reported.
Effect of Right-to-Repair laws
The effect of Right-to-Repair laws, such as the impending one in Massachusetts, means that access to problematic commands will be available to all garages, not just independent ones—effectively to anyone willing to pay the access fees. Although the dealer technician may be "more trustworthy," cybersecurity specialists including Weimerskirch have made it clear that the protection must be based on passing through packets of needed OE information without an externally-inserted ability to change it.
However, the cybersecurity specialists must deal with the issue of the commands themselves. Under Right to Repair, Volkswagen, for example, would have to release the software that permits operating the electric power steering rack and shutting off the engine.
The remote key fob, an established entry point, also has become a serious vulnerability, ZF TRW's Murray said. "If you lose the keys to a car, you can effectively turn it into a 'brick,'" he told the audience.
There are many ideas to improve automotive cybersecurity, Weimerskirch told the session. But first a test platform is needed, to enable researchers to validate them. A related issue was cited by Kaprica's Britton: it's important that the flow of ideas "doesn't also translate into a big bill of materials."
Author: Paul Weissler
Source: SAE Automotive Engineering Magazine