As more and more vehicles become connected, In-Vehicle-Infotainment (IVI) systems are being exposed to serious risk from hacking – here’s how NNG keeps OEMs safe from harm.
18 Apr, 2023
In an era where consumers demand increased functionality and outstanding experiences, the latest connected In-Vehicle-Infotainment (IVI) systems offer drivers access to more features than ever before. However, the attack surface has grown with them, offering criminals new ways to cause disruption – or even danger – to drivers, as well as significant reputational damage to OEMs.
For example, an unsecured IVI can allow an attacker to:
– Cause sudden changes in volume or play intentionally disruptive sounds over the speakers.
– Display an alarming message on the screen, such as threatening to damage the vehicle or release private driver information unless a ransom is paid; even if the attacker cannot carry out any of these threats, scared vehicle owners may still pay.
– Launch privacy attacks such as eavesdropping, GPS location tracking, accessing phone contacts and call histories, and accessing third-party services using the driver’s accounts (email, messenger services, payment providers, etc.).
– In the worst case, take control of the vehicle’s subsystems (including brakes, transmission, engine, cruise control, etc.).
Previously, such attacks were considered possible only with physical access to the vehicle. This perception was shattered in 2015 when a pair of researchers demonstrated to Wired Magazine that a full takeover of a 2014 Jeep Cherokee was possible via the cellular network from anywhere on the planet, a revelation that led to the recall of 1.4 million vehicles.
Importantly for OEMs, it showed that connectivity could open IVIs up to being hacked remotely and, in theory at least, in vast numbers, meaning automotive ransomware could become a genuine threat. And due to the convergence of IVI platforms on Android and AGL, hacking a large number of vehicles (i.e., multiple models or model years) is set to become more economically viable for criminals as well.
Such vulnerabilities pose significant risks to OEMs as well, including:
– Lost revenue from software, service and content sales.
– Legal exposure to software, content and service providers, class action suits from vehicle owners, and more.
– Increased operational costs during service provision.
– Increased support costs including dealer service and IVI hardware replacement (i.e., recalls).
This threat landscape has been created by multiple issues with modern connected IVIs, principally across three key areas: the operating system and software stack, connectivity, and the behaviour of drivers themselves.
An IVI typically runs an off-the-shelf operating system (often Android or Linux) together with an extremely complex software stack. Traditionally, IVI operating systems are not hardened, which means that if any single component’s security is compromised, the integrity of the entire system is compromised.
Now factor in that the launch of a new vehicle model takes up to five years, with the IVI’s OS version usually chosen at an early stage of development. Consequently, by the time the IVI hits the market, the OS is already outdated and will lose official support from the OS vendor early in the vehicle’s lifetime.
Additionally, the update cycle for IVI systems is slower than for smartphones or PCs, so vulnerabilities can persist for months or even years instead of weeks. The unique software and input devices used in IVI systems can also become an attack vector, as they are typically developed in isolation and rarely subjected to third-party testing or code review before launch.
IVI connectivity offers a two-way street for malicious actors. On one hand, criminals can use it to remotely access and hack a vehicle. On the other, they can pose risks to the cloud services that connected vehicles rely on. For instance, a bad actor could use information reverse-engineered from a compromised IVI unit to launch a Denial-of-Service (DoS) attack against servers, potentially affecting other vehicles and generating significant costs for OEMs.
Worse still, criminals could reverse-engineer the credential provisioning system and launch attacks using multiple valid credentials. Usually, vehicles are identified by their VIN and since these are not a secret/private identifier, it is relatively simple to guess thousands of valid values. Such an attack could force service providers to revoke all credentials and potentially deny services to all affected IVI units. Restoring services may also require a software update – or in worst-case scenarios, force drivers to make a dealer visit to rectify the issue.
Risks can also be introduced by drivers themselves. For example, according to NNG’s own estimates, approximately 20% of IVI users are willing to use free hacks from forums on their head units to access additional features or updates. In addition, 10% are willing to buy known pirated map updates if they are cheaper than official updates – with 5% even prepared to remove the IVI system from the dashboard in order to hack the head unit. Inevitably, such exploits leave the driver wide open to self-inflicted malware and ransomware damage as well as potentially exposing any affected OEM to serious reputational risk.
However, it is not all bad news as IVI systems do have one significant security advantage – most pieces of software that run on the system can be limited to a controlled set. This allows for the creation of a ‘chain-of-trust’, where each piece of software must be signed with a strong cryptographic signature, and can only be executed after verifying its integrity and authenticity.
A chain-of-trust makes it very difficult for criminals to modify a piece of software without first compromising the level beneath it. If every level of the system is protected in this way, right from the boot loader (i.e., secure boot), then each individually protected layer becomes very hard to subvert – although this does not prevent hackers from exploiting vulnerable code, only from changing or re-flashing the software.
A major element of IVI’s future are user-installed applications from either an OEM-controlled or third party application store. However, based on over a decade of experiences in the smartphone app-store business, it is clear that third-party applications cannot be trusted and their security can never be guaranteed.
To ensure apps cannot compromise the security of an IVI – or even the vehicle itself – strong security controls must be deployed. At the very least, these must include mandatory access control mechanisms (e.g., SELinux) or the running of third-party applications in a virtualized environment (i.e., an OS running in a virtual machine that is completely cut off from other parts of the vehicle).
At NNG, we have extensive specialist knowledge in building secure boot solutions for IVI systems, as well as offering expert guidance to our clients on embedded system hardening. We also adhere to several crucial ISO standards and best practices to deliver robust and secure software for IVI systems that OEMs can rely on. For instance, we recommend that systems are developed in accordance with ISO 21434, with an emphasis on Threat Analysis and Risk Assessment (TARA).
Our headline recommendations for IVI system security include:
… apply OS hardening techniques.
… deploy a secure boot solution or other means to verify the authenticity of at least all executables and their configuration data using strong, asymmetric cryptographic signatures.
… use public-key cryptography for the authentication of external users (diagnostics, support, etc.). If this is not feasible then strong, unique passwords must be utilized and stored in a secure, hashed format.
… only allow the modification of executables and configuration data during a controlled software update process.
… use over-the-air software updates to minimize security risks of new vulnerabilities and deliver regular OS updates.
… provide a cryptographically-secure pseudorandom number generator with multiple, independent sources of entropy (none should be time-based), e.g., noise from a physical source such as GPS/Wi-Fi/Bluetooth signals, the microphone, etc.
… use mutual authentication whenever accessing cloud services.
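The chain-of-trust described earlier and the recommendation above to verify every executable with strong asymmetric signatures can be illustrated with a small verifier. The following Go program is an added example and is not NNG’s code or any OEM’s secure boot implementation; it assumes Ed25519 signatures, a three-stage chain (bootloader, kernel, IVI application), constructed placeholder image bytes, and a root public key that a boot ROM is assumed to hold immutably. Each stage carries the public key for the next stage, and the signature covers both the image and that key, so neither the image nor the key of the following stage can be swapped without breaking the signature of the stage before it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the chain of trust. Each stage carries the public key
// that will verify the *next* stage and a signature made with the key of the
// *previous* stage (the first stage is signed by the root key, assumed to be
// immutable, e.g. fused into the SoC or held in boot ROM).
type Stage struct {
	Name      string
	Image     []byte
	NextKey   ed25519.PublicKey // nil for the last stage
	Signature []byte
}

// stageDigest binds the image bytes and the next-stage key together, so an
// attacker cannot keep a genuine image but swap in a key of their own.
func stageDigest(image []byte, nextKey ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(image)
	h.Write(nextKey)
	return h.Sum(nil)
}

// sign is the build-time step run inside the OEM's signing infrastructure.
func sign(priv ed25519.PrivateKey, s *Stage) {
	s.Signature = ed25519.Sign(priv, stageDigest(s.Image, s.NextKey))
}

// VerifyChain is the boot-time check: starting from the trusted root key,
// every stage must verify before its embedded key is trusted for the next.
func VerifyChain(root ed25519.PublicKey, chain []Stage) error {
	key := root
	for i, s := range chain {
		if len(key) != ed25519.PublicKeySize {
			return fmt.Errorf("stage %d (%s): no valid key to verify with", i, s.Name)
		}
		if !ed25519.Verify(key, stageDigest(s.Image, s.NextKey), s.Signature) {
			return fmt.Errorf("stage %d (%s): signature verification failed", i, s.Name)
		}
		key = s.NextKey
	}
	return nil
}

// BuildDemoChain builds a constructed three-stage chain with freshly generated
// keys and returns the root public key a boot ROM would be provisioned with.
func BuildDemoChain() (ed25519.PublicKey, []Stage, error) {
	keys := make([]ed25519.PrivateKey, 3)
	pubs := make([]ed25519.PublicKey, 3)
	for i := range keys {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		pubs[i], keys[i] = pub, priv
	}
	chain := []Stage{
		{Name: "bootloader", Image: []byte("constructed bootloader image"), NextKey: pubs[1]},
		{Name: "kernel", Image: []byte("constructed kernel image"), NextKey: pubs[2]},
		{Name: "ivi-app", Image: []byte("constructed navigation app bundle")},
	}
	for i := range chain {
		sign(keys[i], &chain[i]) // stage i is signed by key i; key 0 is the root
	}
	return pubs[0], chain, nil
}

// TamperedChain simulates a re-flashed image at index idx (e.g. a modified kernel).
func TamperedChain(chain []Stage, idx int) []Stage {
	t := append([]Stage(nil), chain...)
	t[idx].Image = append(append([]byte(nil), chain[idx].Image...), " +unauthorised patch"...)
	return t
}

// KeySwapChain simulates someone who cannot sign the kernel but replaces the
// kernel's embedded key with their own and signs their own application with it.
func KeySwapChain(chain []Stage) []Stage {
	t := append([]Stage(nil), chain...)
	attPub, attPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	last := len(t) - 1
	t[last-1].NextKey = attPub
	t[last].Image = []byte("constructed unofficial app bundle")
	sign(attPriv, &t[last])
	return t
}

func main() {
	root, chain, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:  ", VerifyChain(root, chain))
	fmt.Println("tampered kernel:", VerifyChain(root, TamperedChain(chain, 1)))
	fmt.Println("swapped app key:", VerifyChain(root, KeySwapChain(chain)))
}
```

Running it verifies the genuine chain and rejects both a modified kernel image and a chain in which the kernel’s embedded key was replaced; the second rejection happens at the kernel stage, not the application stage, because the kernel’s signature already covers the key it vouches for. This is the property the text refers to: an attacker has to defeat the level below whatever they want to change, all the way down to the root key.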
This raft of security processes and recommendations ensures NNG is ideally placed to offer the best possible protection for our clients – and their consumers – from the increasing threat created by connectivity and ‘opportunistic’ hackers.
And acting now is essential: It is predicted there will be 400 million connected cars on our roads by 2025, and without robust security, each and every one represents a potential threat to drivers and OEMs.