All in all, this is a considerable risk and an untenable situation. Reportedly, researchers were able to remotely control a car by hacking its Wi-Fi or Bluetooth gateways. In a high-stakes case in Ukraine, it was demonstrated that electricity grids could be taken over and manipulated by attackers. Researchers at imec were able to hack pacemakers, eavesdropping on the devices and injecting potentially harmful commands.
This is not to say that such attacks are easy: they require a high level of sophistication, ingenuity and patience. But in road traffic environments, where safety is at stake, the sheer number of electronically identical cars means that an attacker who finds a way into one system poses a real threat to a great number of other, identical systems.
Establishing safe processing harbors
For all these incidents and scenarios there is no commercial mitigation available today. In contrast to the higher-end processors in laptops and smartphones, automotive control chips are small and resource-constrained. They lack the security features that are standard on other processors, such as multiple privilege levels and memory segmentation. Yet replacing all embedded processors in cars with high-end systems is not an option, due to cost, complexity and power consumption.
Therefore, at Imec, we have initiated a research endeavor to design a new secure architecture suited to today's embedded systems. It covers the CAN networks in cars, but also industrial control systems in manufacturing, and even very small IoT devices. Such security mechanisms have to be low in complexity and cost, a firm requirement for the envisioned applications.
We started out with a lightweight microcontroller and extended its design, adding secure memory management and a crypto unit optimized for low power consumption. The result is a processor that is not much larger and does not consume much more energy (about 6 percent). But it is able to isolate the critical network software, creating a kind of safe harbor for it. With this isolation, protected software cannot be tampered with by other software on the device: its trusted computing base is restricted to the hardware on which it runs. Barring vulnerabilities in a protected application itself, no software, be it an application or an operating system, running on the same processor or on another node, can override the security checks and read or overwrite the protected runtime state.
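The isolation rule described above can be made concrete with a small simulation. This is an added example, not code from the original article or from the Sancus project: it models program-counter-based memory access control, where whether an access is permitted depends only on where the executing instruction lives and on which protected module owns the target address, so there is no privileged mode an operating system could use to bypass it. The rule table (private data accessible only to the owner's code, code immutable, entry only at a single entry point, unprotected memory unrestricted) is a simplified model, and the module names, addresses and access trace are constructed for the example.

```python
"""Program-counter-based memory access control, simulated in plain Python.
Simplified model of the rules the text describes; layout and trace are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProtectedModule:
    """A protected module: its code (text) and its private runtime state (data)."""
    name: str
    text: range   # code section, immutable once protected
    data: range   # private state (keys, counters, buffers) nobody else may touch

    @property
    def entry_point(self) -> int:
        # Simplified model: the single entry point is the first text address.
        return self.text.start


def executing_module(modules: List[ProtectedModule], pc: int) -> Optional[ProtectedModule]:
    """Which protected module, if any, is currently executing?"""
    for m in modules:
        if pc in m.text:
            return m
    return None


def access_allowed(modules: List[ProtectedModule], pc: int, addr: int, kind: str) -> bool:
    """Hardware check for one access: may the instruction at `pc` read ('r'),
    write ('w') or execute ('x') address `addr`?"""
    if kind not in ("r", "w", "x"):
        raise ValueError(f"unknown access kind {kind!r}")
    current = executing_module(modules, pc)
    for m in modules:
        if addr in m.data:
            # Private data: only the owner's own code may read or write it,
            # and it is never executable (no code injection into the state).
            return kind != "x" and current is m
        if addr in m.text:
            if kind == "w":
                return False                     # protected code is immutable
            if kind == "x":
                # The owner runs freely inside its own code; everyone else may
                # only jump to the entry point, so internal functions cannot be
                # entered out of order and mid-function jumps are refused.
                return current is m or addr == m.entry_point
            return True                          # code may be read (so it can be measured)
    return True   # unprotected memory: the legacy rules apply, i.e. no restrictions


def run_trace(modules: List[ProtectedModule], trace: List[Tuple[int, int, str]]) -> List[bool]:
    """Run a list of (pc, addr, kind) accesses through the check."""
    return [access_allowed(modules, pc, addr, kind) for pc, addr, kind in trace]


# Constructed layout: two protected modules plus untrusted code at 0x2000.
MODULES = [
    ProtectedModule("brake",      text=range(0x4000, 0x4400), data=range(0xC000, 0xC100)),
    ProtectedModule("telematics", text=range(0x5000, 0x5400), data=range(0xC100, 0xC200)),
]

# Constructed trace of accesses, with the verdict the check should give.
TRACE = [
    (0x2000, 0xC010, "r"),   # untrusted code reads the brake module's key      -> denied
    (0x2000, 0xC010, "w"),   # untrusted code overwrites brake state             -> denied
    (0x2000, 0x4100, "x"),   # untrusted code jumps into the middle of brake     -> denied
    (0x2000, 0x4000, "x"),   # untrusted code calls the brake entry point        -> allowed
    (0x4100, 0xC010, "r"),   # brake code reads its own key                      -> allowed
    (0x4100, 0x4200, "x"),   # brake code jumps within itself                    -> allowed
    (0x4100, 0x4200, "w"),   # brake code tries to patch its own code            -> denied
    (0x4100, 0x2500, "r"),   # brake code reads unprotected memory               -> allowed
    (0x5100, 0xC010, "r"),   # another protected module reads brake's key        -> denied
    (0x2000, 0xC010, "x"),   # untrusted code executes brake's data as code      -> denied
]

if __name__ == "__main__":
    for (pc, addr, kind), ok in zip(TRACE, run_trace(MODULES, TRACE)):
        print(f"pc=0x{pc:04X} {kind} 0x{addr:04X}: {'allowed' if ok else 'DENIED'}")
```

The point to notice is that the check never consults a privilege level or a process identity: a kernel running at 0x2000 is treated exactly like any other untrusted code, which is what keeps the protected module's trusted computing base down to the hardware itself.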
Knowing whom to trust
But even if the processor that controls a car's brakes can no longer be hacked, it will still obey any brake command, even one issued by an illegitimate source. Therefore, we have limited the set of trusted message sources to those that can authenticate themselves as legitimate. A brake command should thus only be accepted if it comes from a trusted processor, which itself cannot be hacked, and from an authenticated software component. The CAN network thereby becomes a set of small, isolated applications that mutually authenticate and trust each other.
In an automobile, such an embedded system must also be reachable from the outside, for instance by a software provider that wants to install updates or, more generally, to communicate with the surrounding traffic infrastructure. Therefore, Imec's Sancus provides secure communication and remote attestation. An outside party can send messages to, or receive messages from, a specific software module on a specific node while verifying that it is the correct module (authenticity), that it has not been changed (integrity), and that the response is current rather than a replay of an old one (freshness).
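The three properties above, and the mutual authentication of the previous section, rest on a key hierarchy: a vendor master key yields a per-node key, from which a per-software-provider key is derived, from which in turn a per-module key is derived that is bound to the module's code and memory layout. The following is an added example, not the article's or the Sancus project's code, that walks through that chain and the nonce-based attestation exchange with standard-library primitives. HMAC-SHA256 stands in for the hardware's key derivation and MAC functions, and every identifier, key and message value is constructed for the example.

```python
"""Key hierarchy, remote attestation and authenticated messaging, simulated.
HMAC-SHA256 is a stand-in for the hardware primitives; all values are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def kdf(key: bytes, info: bytes) -> bytes:
    """Derive a sub-key from `key` bound to `info` (stand-in for the hardware KDF)."""
    return hmac.new(key, info, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def module_identity(text: bytes, layout: Tuple[int, int, int, int]) -> bytes:
    """A module's identity is its code plus where its text and data sections sit;
    changing either yields a different identity and hence a different key."""
    return hashlib.sha256(text + struct.pack(">IIII", *layout)).digest()


class Node:
    """An embedded node. The node key is derived from a master key held by the
    chip vendor and never leaves the hardware; module keys are derived from it
    when a module is loaded and are usable only by that module's own code."""

    def __init__(self, node_id: bytes, master_key: bytes):
        self.node_key = kdf(master_key, node_id)
        self._module_keys: Dict[str, bytes] = {}

    def provider_key(self, provider_id: bytes) -> bytes:
        # In deployment the vendor computes this and hands it to the software
        # provider out of band; the node derives the same value on the fly.
        return kdf(self.node_key, provider_id)

    def load_module(self, provider_id: bytes, name: str, text: bytes,
                    layout: Tuple[int, int, int, int]) -> None:
        ident = module_identity(text, layout)
        self._module_keys[name] = kdf(self.provider_key(provider_id), ident)

    def attest(self, name: str, nonce: bytes) -> bytes:
        """Challenge-response: MAC the verifier's nonce with the module key."""
        return mac(self._module_keys[name], nonce)

    def send(self, name: str, payload: bytes) -> Tuple[bytes, bytes]:
        """Authenticated output from a module: (payload, tag)."""
        return payload, mac(self._module_keys[name], payload)


class SoftwareProvider:
    """The remote party: knows its provider key for the node and the exact
    module it expects to be running, so it can derive the expected module key."""

    def __init__(self, provider_key: bytes, text: bytes, layout: Tuple[int, int, int, int]):
        self.expected_key = kdf(provider_key, module_identity(text, layout))

    def verify_attestation(self, nonce: bytes, response: bytes) -> bool:
        return hmac.compare_digest(mac(self.expected_key, nonce), response)

    def verify_message(self, payload: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(mac(self.expected_key, payload), tag)


def demo() -> Dict[str, bool]:
    """Walk through the checks; every value here is constructed for the example."""
    master_key = bytes.fromhex("00" * 16 + "ff" * 16)      # vendor secret, constructed
    provider_id = b"brake-software-vendor"
    text = b"brake-controller-firmware-v1\x00\x12\x34"      # stand-in for the module's code
    layout = (0x4000, 0x4400, 0xC000, 0xC100)               # text start/end, data start/end

    node = Node(b"ecu-17", master_key)
    node.load_module(provider_id, "brake", text, layout)
    sp = SoftwareProvider(node.provider_key(provider_id), text, layout)

    results = {}
    # 1. The genuine module answers a fresh challenge (authenticity + integrity).
    nonce1 = b"\x01" * 16
    resp1 = node.attest("brake", nonce1)
    results["genuine_attests"] = sp.verify_attestation(nonce1, resp1)

    # 2. Replaying an old response to a new challenge fails (freshness).
    nonce2 = b"\x02" * 16
    results["replay_rejected"] = not sp.verify_attestation(nonce2, resp1)

    # 3. A node running a tampered module (one byte of code changed) derives a
    #    different key, so it cannot answer the challenge (integrity).
    tampered = Node(b"ecu-17", master_key)
    tampered.load_module(provider_id, "brake", text[:-1] + b"\x35", layout)
    results["tampered_rejected"] = not sp.verify_attestation(nonce2, tampered.attest("brake", nonce2))

    # 4. Messages from the module carry a tag; altering the payload breaks it.
    payload, tag = node.send("brake", b"BRAKE_PRESSURE=0x2A")
    results["message_accepted"] = sp.verify_message(payload, tag)
    results["forged_message_rejected"] = not sp.verify_message(payload[:-1] + b"\x00", tag)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:26s} {'ok' if ok else 'FAILED'}")
```

Because the module key is derived from the module's code and layout, "which module" and "unchanged" collapse into a single check: a modified module simply holds a different key and cannot produce a valid tag. The nonce supplies freshness, and the same module key authenticates commands in the other direction, which is how one isolated application on the bus can decide whether a brake command came from a peer it trusts.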