Cars Need a Root of Trust

Fiat Chrysler has suffered a widely publicised attack in which hackers remotely took control of a Jeep and killed it on the road. Its response has been to post owners a USB stick carrying the patch, and it has been criticised for this. The criticism has two parts.

I’ll deal with the points in reverse order from the original article. Quoting Pete Bassill, executive of Hedgehog Security:

Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit

This is true, but it will happen however the patch is distributed. Microsoft, for example, deal with this every month: once a patch ships, attackers diff the patched and unpatched binaries, locate the fixed bug, and have working exploits within days for use against systems that have not yet applied it.

So it is not really a fair criticism; it is a fact of life that has to be dealt with. It comes down to robust vulnerability assessment and flaw remediation procedures, and above all to getting the fix onto the fleet faster than the reverse-engineered exploit can be turned against it.


Bassill also states:

There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.

This is fundamentally true, and something the IoT industry in general, not just automotive, is bad at.

Firstly, systems will need patching – stuff happens that needs to be fixed – no matter how robust the software development process. This should be anticipated, expected and built into the vehicle’s life cycle.

A critical part of this lifecycle is how to update the vehicle in the field, an insecure, untrustworthy environment.

The vehicle needs to be able to validate for itself the integrity and authenticity of the update no matter how it is received – over the air, from a dealer’s laptop or from a USB stick in the post. Is the update genuine, and has it been tampered with? The owner cannot be expected to tell a genuine stick from a forged one by looking at it; the check has to happen inside the vehicle, and it has to reject anything that fails.

This validation requires a root of trust which is designed into the vehicle. Designed in. This is not something that can be done as an afterthought. Concretely, it means the public key (or a hash of it) used to verify updates lives in storage the update process itself cannot overwrite, such as ROM, one-time-programmable fuses or a secure element, and the vehicle also remembers which version it is running so that an old, genuinely signed but vulnerable image cannot simply be replayed.
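To make the vehicle-side check concrete, here is an added example (my own illustration, not Fiat Chrysler’s update mechanism or any real ECU code). It assumes a constructed container format – a magic tag, a version number, the payload length, the payload and an Ed25519 signature over everything before it – and a pinned manufacturer public key that stands in for the root of trust. `VerifyUpdate` never asks where the bytes came from: a USB stick, an over-the-air download and a dealer laptop all go through exactly the same path, and a flipped bit, a wrong key or a replayed older version are each rejected with a distinct error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update container (an illustration, not any manufacturer's real format):
//   magic "UPD1" | version uint32 BE | payload length uint32 BE | payload | Ed25519 signature
// The signature covers everything before it, so version and length are authenticated too.
const (
	magic     = "UPD1"
	headerLen = 4 + 4 + 4
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("update: malformed container")
	ErrSignature = errors.New("update: signature check failed")
	ErrRollback  = errors.New("update: version not newer than installed version")
)

// Update is what the vehicle is allowed to act on once every check has passed.
type Update struct {
	Version uint32
	Payload []byte
}

// NewSigner stands in for the manufacturer's offline signing key. Only the
// public half is ever shipped in the vehicle (assumed here to be pinned in
// immutable storage; in this example it is simply a value held in memory).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate builds a signed container. This runs at the manufacturer, never in the car.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	blob := make([]byte, headerLen, headerLen+len(payload)+sigLen)
	copy(blob[0:4], magic)
	binary.BigEndian.PutUint32(blob[4:8], version)
	binary.BigEndian.PutUint32(blob[8:12], uint32(len(payload)))
	blob = append(blob, payload...)
	return append(blob, ed25519.Sign(priv, blob)...)
}

// VerifyUpdate is the vehicle side. rootPub is the pinned root-of-trust key and
// installed is the version currently running, which a real ECU would keep in
// monotonic storage so that a stale signed image cannot be replayed.
func VerifyUpdate(rootPub ed25519.PublicKey, installed uint32, blob []byte) (*Update, error) {
	// Parse defensively: every field is attacker-controlled until the signature passes.
	if len(blob) < headerLen+sigLen || string(blob[0:4]) != magic {
		return nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(blob[4:8])
	plen := binary.BigEndian.Uint32(blob[8:12])
	if uint64(plen) != uint64(len(blob)-headerLen-sigLen) {
		return nil, ErrFormat
	}
	signed, sig := blob[:len(blob)-sigLen], blob[len(blob)-sigLen:]
	// Authenticity and integrity in one step: any changed bit in header or payload fails here.
	if !ed25519.Verify(rootPub, signed, sig) {
		return nil, ErrSignature
	}
	// Anti-rollback: a genuinely signed but older (vulnerable) image is still rejected.
	if version <= installed {
		return nil, ErrRollback
	}
	return &Update{Version: version, Payload: signed[headerLen:]}, nil
}

func main() {
	pub, priv := NewSigner()
	blob := SignUpdate(priv, 2, []byte("constructed firmware image"))
	if u, err := VerifyUpdate(pub, 1, blob); err == nil {
		fmt.Printf("accepted version %d (%d bytes)\n", u.Version, len(u.Payload))
	}
	tampered := append([]byte(nil), blob...)
	tampered[headerLen] ^= 0x01 // flip one bit in the payload
	_, err := VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered:", err)
	_, err = VerifyUpdate(pub, 2, blob) // same genuine image, but the car is already on v2
	fmt.Println("replayed:", err)
}
```

The order of checks matters: structure first so the parser cannot be pushed out of bounds, signature before anything in the header is believed, and the version comparison only after the version field has been authenticated. Swapping the last two would let an attacker bypass anti-rollback simply by editing the unsigned version field.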