Automotive Ethernet: Cybersecurity Implications
CAN vs Ethernet
As we all know, the CAN bus is the predominant IVN (In-Vehicle Network) for automobiles today. It’s been around since the 1980s, well before cars were connected. Some key problems with the Controller Area Network, or CAN bus, are its limited ability to handle the volumes of data being generated by new features, such as pedestrian avoidance, and the fact that Electronic Control Units (ECUs) don’t have to be authenticated to talk to each other, meaning a compromised ECU has a greater chance of wreaking havoc on the vehicle’s systems and behavior. Overcoming this bandwidth limitation has led a consortium of automotive manufacturers to define and implement a new in-vehicle data network, the Automotive Ethernet standard.
Benefits of Automotive Ethernet
The benefits of Automotive Ethernet are numerous, and the availability of greater bandwidth allows manufacturers to build in more features and functionality, including enhanced GPS, pedestrian and collision avoidance, lane keeping, and Wi-Fi, among others. It’s already being used in many infotainment systems. Unlike CAN and LIN, the Ethernet standards do not provide for message transport at the higher OSI layers. Again, a well-known set of standards, also proven on Ethernet, was selected to provide this capability: the TCP/IP protocol suite.
Automotive Ethernet already allows speeds of 100 MB/s over the car network, with multi-gig specs planned for the future. This will allow more sophisticated software capability in a product that, like many others, is evolving to be primarily software controlled. As an example, more detailed or verbose logging from different subsystems or ECUs can be relayed to analysis servers in the cloud. Better encryption, related key management, and more sophisticated authentication should also benefit from the broader pipe. Deeper segmentation of car subsystems is key to future defensibility, and a network that looks like the enterprise network of 15 years ago will mean bandwidth won’t be the obstacle to more sophisticated forms of firewalling and advanced threat detection and prevention within the car.
Negatives of Automotive Ethernet
There is also a major downside to this new in-car network infrastructure: increased susceptibility to cyberattack. The combination of Automotive Ethernet and TCP/IP drastically alters the landscape of automotive security by expanding the attack surface that could be exploited by bad actors.
Currently, cars have between 50 and 100 ECUs, and running across all these ECUs are about 100 million lines of code controlling all the functionality, from the engine and transmission to windows and climate control.
Transitioning from CAN architecture to Automotive Ethernet and TCP/IP will most likely require that a good portion of the 100 million lines of code be rewritten. Given that production timelines have shortened for auto manufacturing compared to when much of the original code was written, this introduces the possibility of more vulnerabilities in the effort to modernize the codebase.
Besides, writing error-free code is a virtual impossibility, so the potential for introducing coding errors that could be exploited is very high, as it is in all of software development. For code that is not changing, the probability that pre-existing, previously undiscovered vulnerabilities will not be found and corrected is elevated as well, as hackers with physical or remote access may be more inspired by the faster iteration times that the higher bandwidth enables.
Use of Ethernet in the car will also inspire hackers to attempt some of the malicious actions they take on corporate networks, such as MAC spoofing, locating unused and open ports, flooding networks and reducing bandwidth for legitimate services, and lateral movement across VLANs or segmentation boundaries. This means OEMs and Tier I suppliers will need to deploy more context-intelligent cyber defenses made specifically for the connected car.
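The behaviours listed above can each be checked against a deny-by-default policy, assuming the vehicle's port, MAC and VLAN assignments are fixed at build time. The Python below is an added example, not code from the original article; the port numbers, MAC addresses, VLAN IDs, rate budget and sample frames are all constructed for illustration.

```python
from collections import defaultdict

# Constructed topology: switch port -> (expected source MAC, permitted VLAN IDs).
# All values are illustrative assumptions, not taken from a real vehicle.
TOPOLOGY = {
    1: ("02:00:00:00:00:01", {10}),       # infotainment head unit
    2: ("02:00:00:00:00:02", {20}),       # ADAS camera
    3: ("02:00:00:00:00:03", {10, 20}),   # gateway ECU
}
MAX_FRAMES_PER_WINDOW = 3   # small per-port budget per 1 s window, for the demo


def check_frames(frames):
    """Return (index, reason) for every frame the static policy rejects.

    Each frame is (timestamp_s, ingress_port, src_mac, vlan_id).
    """
    alerts = []
    counts = defaultdict(int)   # (port, one-second window) -> accepted frames
    for i, (ts, port, mac, vlan) in enumerate(frames):
        policy = TOPOLOGY.get(port)
        if policy is None:
            alerts.append((i, "traffic on unused port"))
            continue
        expected_mac, vlans = policy
        if mac.lower() != expected_mac:
            alerts.append((i, "source MAC not bound to port"))
        elif vlan not in vlans:
            alerts.append((i, "VLAN not permitted for port"))
        else:
            counts[(port, int(ts))] += 1
            if counts[(port, int(ts))] > MAX_FRAMES_PER_WINDOW:
                alerts.append((i, "rate budget exceeded"))
    return alerts


# Constructed sample capture.
SAMPLE = [
    (0.10, 1, "02:00:00:00:00:01", 10),   # legitimate head unit frame
    (0.20, 1, "02:00:00:00:00:03", 10),   # head unit port claiming gateway MAC
    (0.30, 4, "02:00:00:00:00:09", 10),   # port 4 is unpopulated
    (0.40, 2, "02:00:00:00:00:02", 10),   # camera frame tagged for VLAN 10
    (1.00, 2, "02:00:00:00:00:02", 20),
    (1.10, 2, "02:00:00:00:00:02", 20),
    (1.20, 2, "02:00:00:00:00:02", 20),
    (1.30, 2, "02:00:00:00:00:02", 20),   # fourth frame in the same second
]

if __name__ == "__main__":
    for idx, reason in check_frames(SAMPLE):
        print(idx, reason)
```

Because the policy lists what is allowed rather than what is known to be bad, it needs no signature or blacklist updates while the topology stays unchanged.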
Evolution Means Change and Responsibility
Over more than 40 years of usage within the Internet and corporate networks, Ethernet and TCP/IP have been pulled apart to find ways to exploit vulnerabilities and illegally gain access to systems and/or data for monetary gain. And unlike corporate networks, which are “designed” from the outset with security in mind, an in-car network is mass produced and is inherently physically insecure if security is not designed in from the outset.
In other words, automotive electrical engineers, software engineers and software developers cannot apply a corporate cyber security approach to preventing attacks on connected cars. What should be foremost in the minds of automotive software engineers and developers is that most of these “enterprise” solutions are reactive and require constant updating of blacklists, databases or new versions to keep pace with the ever-changing threat landscape. Many corporate security solutions are designed to overlay or plug into network infrastructure to detect and report on anomalous behaviors, not to proactively prevent them.
Automotive Ethernet will make designing security from the inside out more imperative than ever, in order to fully capture the benefits the technology affords us.