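- Experts note that the in-vehicle infotainment system is far more likely to face a remote attack than any other vehicle component.
- Continental's cloud security products and services are designed to detect and handle cyber threats to vehicles ahead of time, while also supporting over-the-air (OTA) updates and real-time information delivery. (Image: Continental)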
In 2015 there was no such thing as a ransomware attack against a hospital. In 2016 there were 10 such attacks. The cyber criminals who penetrate and disable computer networks until users pay ransom profit from vulnerable and easy targets. And while there have as yet been no ransomware attacks against automobiles, they’re the threat cybersecurity experts fear the most.
“There are multiple ‘attack surfaces’ in vehicles through which nefarious players can plant bad software; you don’t need to be on the internal networks,” explained Stacy Janes, Chief Security Architect – Automotive, at Netherlands-based Irdeto. Along with various apps, the most vulnerable points of entry are those on the outward-facing gateways: vehicle telematics, the OBDII port and the IVI (in-vehicle infotainment) stack—all of which connect the vehicle to outside communications.
The IVI system offers more remote attack surfaces than any other vehicle component, notes electrical engineer Craig Smith, author of The Car Hacker’s Handbook. Gaining access to the IVI “opens a door to additional info” about how the vehicle works, such as how it routes CAN bus packets and updates the ECU. Understanding the IVI system can also provide insight into whether the system ‘phones home’ to the OEM; if it does, hackers can use access to the IVI to see what data is being collected and potentially transmitted back to the manufacturer.
Penetrating the IVI system is how a real-world ransomware attack on the mobility industry might play out, said Janes. He offers a scenario: You get in the car, turn it on and the IVI screen starts strobing wildly. The audio system volume cranks up, the heat comes on full blast and you can’t shut it off. There’s nothing you can do, so you get the car towed to a dealership—which is jammed with vehicles victimized by the same attack.
The dealer’s service manager already has contacted the OEM, which says thousands of vehicles are afflicted. And the attacks continue. Later in the day, the OEM receives an anonymous email: “Tomorrow, your company pays us millions in bitcoin or we’ll release a statement on what we did. We’ll destroy your brand. Have a nice day.”
A matter of public safety
Such a cybersecurity scenario was not envisioned seven years ago, when researchers at Rutgers University and the University of South Carolina successfully penetrated a non-encrypted tire-pressure monitoring system (TPMS) and were able to display false tire-pressure reading “spoofs” on the cluster—and track the car’s movements. In 2011, security intelligence experts Dr. Charlie Miller and Chris Valasek, working on a DARPA grant to probe vehicle cyber-weaknesses, hacked a Toyota Prius and a Ford Escape, disabling the power steering, taking control of horns and playing havoc with cluster displays.
Miller and Valasek then executed their seminal 2015 remote hijacking of a Jeep Grand Cherokee, prompting Chrysler to recall 1.4 million vehicles and dispatch USB drives with software updates to owners. The mobility sector was awakened, but not before University of California researchers demonstrated they could disable a Corvette’s brakes and activate its windshield wipers by hacking the insurance-company dongle plugged into the car’s OBD port.
“From a security perspective those were all very basic attacks, compared to what we see in other markets,” observed Janes, who is also the cyber team lead for the GENIVI alliance. He calls the current era “the researcher phase.”
“Right now, you have attackers learning about cars and car people learning about security. As long as the car people stay a bit ahead, the attackers won’t bother with autos,” he said, “because they’ll have to invest too much money in order to mount a sophisticated attack.”
But if the OEMs fall behind, the bad guys will get bolder. “We saw this with attacks in other industries—financial, mobile, media companies, healthcare,” Janes said. “The attackers are a business. Some attacks can cost $1 million to execute, but they make $10 million—not a bad ROI, right? Automotive needs to get ahead of it and stay ahead, so it gets too costly for the attackers and they move on to another sector.”
The experts Automotive Engineering interviewed for this article believe the cyberattack threat will only increase as connected and autonomous vehicles gain market share. Already, over half of the vehicles sold in the U.S. are connected, with an expanding number of potential vulnerabilities. More than 250 million connected cars are expected to be in use by 2020.
Unifying to face the growing threat, OEMs and suppliers in 2015 founded the Auto-ISAC (information sharing and analysis center), a global community to address vehicle cybersecurity risks. With around 30 members, Auto-ISAC operates a central hub for sharing, tracking and analyzing intelligence about cyber threats, vulnerabilities and incidents related to the connected vehicle.
SAE International is part of the Auto-ISAC community, having published seven related Standards, including J3061, the world’s first automotive recommended practices on the topic. “SAE hopes to be a strategic partner—we see many synergies to benefit the entire industry,” said Patti Kreh, SAE’s New Program Development Manager.
A cyber incident “is a problem for every automaker in the world,” asserted General Motors CEO Mary Barra in her keynote at the 2016 Cybersecurity Summit in Detroit. “It is a matter of public safety.”
Separation and ‘layered defense’
The best end-to-end defense in automotive cybersecurity is “a multi-layer approach involving the complete ecosystem of connected vehicles,” said Dvir Reznik, Senior Marketing Director at Harman International. “There is no ‘silver bullet’ in this space.”
Known as “security in depth,” the building-blocks of defensive software should fit together like a Lego structure, the experts agree. They include code installed in subsystem ECUs and code that monitors all internal network communications, alerting the system to any changes in normal network behavior. Their job is to halt attacks from advancing within the network. The outward-facing modules such as IVI head units “on the vehicle perimeter” also are the focus of cyber-defense software products.
Ulf Lindqvist, program director at SRI International, an independent non-profit research center involved with national-security level cybersecurity research and analysis, said a broad automotive protection approach should be relatively simple. “Security really is all about separation,” he noted. “Just because [a system] is authorized to talk to the CAN bus doesn’t mean you should do so.” The problem, he continued, is “there always seems to be some reason or another to connect” quasi-related vehicle systems.
And cloud security products and services are entering the market. These are designed to detect and address threats before they reach the vehicle. They also can transmit over-the-air (OTA) updates and intelligence in real time. OEMs are demanding such end-to-end solutions, one of the drivers behind companies such as Harman and IBM Security joining forces earlier this year to offer expanded “security suites.”
A pioneer in automotive cybersecurity solutions is Argus Cyber Security. The company's original “gateway box” was added to the vehicle network to create a discrete firewall that searched CAN messages and shut down the network if an anomaly was detected. Argus’s current technology builds the monitoring component into one or more ECUs on the vehicle. Other leading cybersecurity firms, including Caramba, Harman and Nokia, offer similar approaches.
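One way a monitor can "search CAN messages" for an anomaly, shown as an added example that is not from the article or from any vendor named in it: learn which CAN IDs appear and how often from known-good traffic, then flag unseen IDs and frames that arrive much sooner than the learned period. The frame tuples, the IDs, the 0.5 tolerance and the function names are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def learn_baseline(frames):
    """Learn {can_id: typical period in ms} from known-good (ts_ms, can_id, data) frames.
    IDs seen only once get period None (allowed, but no timing check)."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _data in frames:
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: (median(gaps[cid]) if gaps[cid] else None) for cid in last}

def detect(frames, baseline, tolerance=0.5):
    """Return (ts_ms, can_id, reason) alerts for frames that break the baseline.
    'unknown-id': the ID never appeared in known-good traffic.
    'rate': the frame follows the previous frame with the same ID in less than
    tolerance * learned period, i.e. extra frames are on the bus for that ID."""
    last, alerts = {}, []
    for ts, can_id, _data in frames:
        period = baseline.get(can_id)
        if can_id not in baseline:
            alerts.append((ts, can_id, "unknown-id"))
        elif period is not None and can_id in last \
                and ts - last[can_id] < tolerance * period:
            alerts.append((ts, can_id, "rate"))
        last[can_id] = ts
    return alerts

def periodic(can_id, period_ms, count):
    """Build constructed sample traffic: one 8-byte frame every period_ms."""
    return [(i * period_ms, can_id, b"\x00" * 8) for i in range(count)]

# Constructed known-good capture: two periodic IDs (10 ms and 100 ms).
CLEAN = sorted(periodic(0x0C9, 10, 50) + periodic(0x1F5, 100, 5))
# Constructed suspect capture: same traffic plus one extra frame on a known ID
# and one frame with an ID that was never seen in the baseline.
SUSPECT = sorted(CLEAN + [(203, 0x0C9, b"\xff" * 8), (305, 0x3A0, b"\x01")])

if __name__ == "__main__":
    baseline = learn_baseline(CLEAN)
    for ts, can_id, reason in detect(SUSPECT, baseline):
        print(f"{ts:>5} ms  id=0x{can_id:03X}  {reason}")
```

What happens on an alert (logging, blocking the frame, or shutting the segment down as the gateway box described above did) is a policy decision layered on top of this check.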
Meg Novacek, Argus executive director for North America business development, said the company’s vision of the ideal automotive cybersecurity architecture comprises four elements: a secure communications gateway; the company’s Intrusion Detection and Prevention System (IDPS), which can immediately identify a cyber-attack and block it; OTA updates for vehicle software; and some type of principal hardware security module that incorporates remote-attestation capabilities.
When Caramba’s software engineers build the binary code that goes into the vehicle, it includes some of Caramba’s own code that basically takes a ‘digital fingerprint’ of the binary. Once installed in the vehicle, it is constantly monitoring. And if anything tries to change that ‘fingerprint’ or overwrite anything, it shuts the network down.
The advantage of this approach is that “you know from the factory what is supposed to be in there. If anything alien tries to alter that, the whole thing gets shut down,” observes analyst Sam Abuelsamid of Navigant Research.
Some engineers and cyber-security experts say machine learning and artificial intelligence (AI) are potential solutions for anomaly detection. Advocates including the Battelle Memorial Institute say they are also platform-agnostic, can be applied to any onboard ECU and don’t require constant updating of signature databases and detection-engine components. In such systems, abnormalities detected can generate audible alerts, vehicle intervention (such as limp-home mode) or directly notify first responders, depending on the severity of the threat.
An endless battle
“Self-healing” software code that can be changed back to its original form after it’s compromised is in development at some companies, as is blockchain technology. Blockchain sends information over a network of independent computers, known as a distributed ledger, intended to ensure that the transaction is secure and ownership rights over the data or property are protected. The Toyota Research Institute (TRI) is exploring blockchain in collaboration with the MIT Media Lab and other partners. Many experts believe it could accelerate development of cyber-secure autonomous driving technology.
One point on which all cyber-security experts agree is that hacking will never end.
“It’s really hard to make guarantees in this space,” said SRI’s Lindqvist. “We have to get to the place where successful hacks are rare—and they have to have limited consequences.”
“This is a Spy vs. Spy kind of game,” noted Irdeto’s Janes. He and others said some OEMs and Tier 1s have begun incorporating network-security engineers into their electrical architecture and subsystem design processes. They’re conducting detailed threat analyses and baking security into RFQs, pushing cyber requirements down through the tiers.
“If you want to kill the autonomous-vehicle industry, let an autonomous car get maliciously hacked with injuries or lives lost,” he said. “Engineers need to adopt a hacker’s view of the world to understand and defeat the threat.”
Author: Lindsay Brooke and Bill Visnic
Source: SAE Automotive Engineering Magazine