Infotainment Security – The Next Big Thing in Vehicle Telematics!

17 07 2012

Over the past few years, one of the most emerging and advanced technology in vehicle telematics is the rise of Infotainment. Infotainment basically takes your day-to-day electronic devices and integrates with your vehicle and empowers a driver to avoid driver distraction, provide hands free calling and navigation and other cool features such as touch screen, usability of Apps similar to a smartphone, Bluetooth connectivity, audio streaming, interactive messaging in case of emergencies and remote diagnostic notifications. All these features combined, provide the next best advancement in the automotive industry which is a new competitive edge for most car manufactures out there like GM with their OnStar and CUE, Ford with their Sync and MyTouch, Toyota with their Entune and Hyundai with their BlueLink systems to name a few.

But, as the saying goes, with great power comes more responsibility, is very true with these technological advancements. One of the key areas these automotive manufacturers are focusing on is security. Security plays a vital and an important role in our daily use of technology. Add to this picture, the mix of numerous electronic devices that can now be integrated with your systems and all of a sudden, all your personal data is now available to be accessed via the cloud, or through the cellular providers if one is using their data plans. One of the key challenges in the space of infotainment is, how to provide the best consumer experience for a driver from the moment they step in to their car and integrate their electronic devices such as their smart phones, MP3 players, notebooks, iPads etc. seamlessly yet keeping their information secure, private and confidential?

Some of the challenges companies face in this space is as follows:

  • Authenticating a user and their device to the vehicle, example: My personal phone is paired via Bluetooth in my vehicle and the moment I enter my vehicle the phone is paired but then, it also can access my entire contact list, last dialed calls and missed calls. The question to ask is this data being stored in the vehicle and if yes, what happens to this data when the vehicle is sold or stolen? If no, then how is my data being accessed and is it secure?
  • Authorizing the user to access and perform certain functions based on the features provided, example: most Infotainment radios in vehicle these days have embedded apps such as Pandora or Sticher. If I choose to enable these apps and stream them while driving, they are either using a Wi-Fi hotspot or my smart phone’s data plan to stream music. The question to ask is how is this data being accessed and what personal information is being used for authentication and authorization and how?
  • Providing real-time access to a backend system (use of web services and/or API’s) or cloud to share personal data (via the internet), access personal data or local settings and provide a rich consumer experience. This also plays in with the point above such that, the moment this data is on the internet, the IP address of the vehicle is now available for the open public and is vulnerable for internet attacks

One of such recent security threats was done by a group of research students from the University of Washington and California, who connected a laptop device to one of the GM Vehicles with OnStar Enabled and hacked through the OnStar Remote Link App and where able to remotely start and shut off the vehicle and honk horns and flash lights. This goes to show, if proper measures of security are not identified and implemented correctly, it’s a matter of time when actual thefts can occur causing these home based inventions.

Some ways of remediating these security threats and vulnerabilities are as follows:

  • In order to provide a secure access between the vehicle and an outbound network, it is critical to separate the two and ensure that there is constant monitoring on each of the different environments and also create a layer of security as another step between the two to restrict any attacks
  • In addition to the above, it is also critical to create a secure credential based authentication by enabling the driver to have a Username/Password to perform any basic functions such as running the apps, downloading them over the web, syncing them with the back end, deleting them etc. This can also provide a seamless experience from a website perspective if they do prefer to create and set their profiles online vs. in the vehicle.
  • Implementation of security tokens such as Auth, Access and SP tokens enables a secure transaction of data and credentials to authenticate and authorize a user
  • Ensuring all the web url’s for the web services and API’s being accessed are over HTTPS and other secure mechanisms
  • Enable root certificates and code signature level packets within all firmware files to ensure the right software goes with the right radio hardware

The above methods are among a few examples but there are a lot more other ways that are being researched in terms of security for in-vehicle telematics. The future direction of in-vehicle telematics is Vehicle-2-Vehicle communication and this is just the tip of the iceberg.

_______________

1.  EE Times, Article by: David Kleidermarcher, Green Hills Software, posted on 1/3/2012:

http://www.eetimes.com/design/embedded-internet-design/4233756/In-vehicle-infotainment-software-architecture–Genivi-and-beyond—Part-1

2.  Harmon, Infotainment Security:

http://www.harman.com/automotive/en-us/products-innovations/infotainment_systems/Pages/default.aspx

3.  Automotive IT, Article by: Hilmar Dunker, posted on 6/6/2012:

http://www.automotiveit.com/hackenberg-in-interview-explains-vws-new-infotainment-architecture/news/id-005987

4.  Gizmodo, Article by Jack Loftus, posted on 5/16/2010:

http://gizmodo.com/5540029/no-kidding-onstar-cars-can-be-hacked-remotely-controlled

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: