The IT-infrastructure of a vehicle is subject to varying security requirements. Important aspects are capturing, storing, and selecting of sensor data to, for example, recapitulate in case of an accident. Another important aspect are techniques to recognize and prevent attacks, e.g., unauthorized starting or controlling the car. In case of an accident or the recognition of an attack IT-forensic analysis is of great importance. Evaluation of digital traces is important to reconstruct the circumstances of the accident, identify attacks on the vehicle-infrastructure to prevent further attacks, and identify infected systems and completely clear malware.
In contrast to IT-forensic analysis of classical IT devices like computers, where all files are frozen upon discovery to secure all traces, the ex-post analysis of vehicles is in most cases not well applicable as for the large amount of data that occur and the circumstance that the information might not be recorded or not stored. This can lead to the situation that technical aid in finding the trigger of the accident is not possible.
The goal of AuFoP is
to design, develop, and implement a prototype of a modern, scalable method for a data safety conform and revisioned monitoring procedure for all sensor data in the vehicle.
Autonomous driving requires new automotive technologies that rely on increased computing power and increased data exchange within the vehicle and to the outside world. New technologies such as Automotive Ethernet are replacing or extending legacy technologies within a vehicle such as LIN, CAN, MOST, or FlexRay. Also new E/E architectures are used in autonomous vehicles including domain fusion, centralization, ECU consolidation / integration of multiple functionalities in one ECU (including mixed criticality), and increased backend connection. Also, in the automotive world new approaches such as service-orientation are introduced with the AUTOSAR adaptive platform. From a security perspective, this technology change is ambivalent since it enables new attacks but also enables the use of (new) sophisticated security solutions or the use of established Internet security protocols within a vehicle.
However, there are still many issues to solve. Internet protocols such as (D)TLS or IPsec using TCP/IP or UDP/IP have not been specifically designed to address automotive requirements, e.g., support for multicast communication, or latency and bandwidth guarantees. A thorough evaluation of such protocols and adaptions / improvements is required. In addition, entirely new protocols need to be developed for certain scenarios. Furthermore, designs for communication architectures, e.g., the use of firewalls, domain separation, filtering mechanisms, or VLANs, requires additional research. In addition to already intensively investigated ITS Vehicle2X communication, new communication protocols are rising. For example, autonomous electric vehicles will communicate wirelessly with charge points using ISO 15118 Edition 2. The vehicle communicates the estimated time of arrival, battery status, required energy, and desired point in time to continue the travel to the charging point, which enables optimal charging schedules as well as the optimization of the load management to use the energy grid effectively. In addition, protocols for secure over-the-air (OTA) code updates are required (which is also required by the UNECE WP.29 regulation).
The goal of SEACOP is
to improve the communication security within the E/E system of autonomous vehicles and for selected external communication. To achieve this goal, we evaluate existing protocols, develop new protocols, and implement and evaluate our new solutions. Concrete, we address the following objectives:
- Evaluation of (security) protocols used in the automotive domain and other domains which may be suitable for use in E/E architectures of autonomous vehicles.
- Development of improved and adapted protocols as well as new protocols for the use within vehicles.
- Evaluation of protocols used for external communication with focus on remote management and communication of electric vehicles with the charging infrastructure.
- Development of improved and adapted protocols as well as new protocols for the external communication.
- Prototypical implementation and evaluation.
Research in the field of automotive security faces several challenges. Vehicles are expensive, closed source, require special test equipment, and changes (either by developing new techniques or by attacking the vehicle) may result in physical damage. Moreover, vehicles are a source of physical dangers (e.g., high voltage, airbag explosives). Due to these factors, evaluations are often based on estimations or theoretical models. Even if researchers have access to one specific vehicle, it is in most cases not possible to simulate attacks and mitigation actions because relevant future technologies are not yet implemented in available vehicles or information on important technical details is not disclosed by OEMs. Thus, a test and evaluation environment is required, which resembles real or near-future autonomous vehicles.
The SECTEA platform to be developed in this project is needed to analyze, for example, new protocols for securing the communication, the effectiveness of intrusion detection systems (IDS), or the efficiency of intrusion detection and prevention systems (IDPS). Automotive IDS research did not yet consider the novel designs of in-vehicle networks and how it affects the different detection techniques or the placement of the IDS. Once an attack is perceived to have been detected, the system must decide what action to take. In computer networks, the IDS raises an alert to the user reporting the incident and asks what action to take. However, in a vehicle, such a distraction by an alert to the driver could lead to a traffic accident.
Studying and designing appropriate alerting methods and decision support on reactions in the case of vehicular IDPSs is a further research direction that requires investigation. For IDPSs, the proposed SECTEA platform can address specific challenges in autonomous vehicles. For example, suitable detection techniques can be developed which make use of the higher resources of certain ECUs (e.g., artificial intelligence-based computations in edge computing nodes) and utilize the changes of in-vehicle networks by retrieving data from multiple data sources.
The goals of SECTEA are divided into three categories:
- SECTEA platform for evaluating security concepts for autonomous driving
- Mitigation techniques against cyber-attacks on autonomous vehicles
- Develop new IDPS approaches for autonomous vehicles
Cars and comparable vehicles contain more and more sensors and electronic systems. They are therefore a potential subject of IT forensic investigations. While the derivation of an accident in the physical world is carried out as a routine by police and experts, the investigation of the electronic traces of the accident is still not given much attention. Although detailed investigations have been carried out in the recent past in connection with accidents involving autonomous vehicles, these have been more concerned with sensors and the decision of the controlling artificial intelligence, i.e., debugging rather than a forensic investigation.
A forensic investigation requires comprehensible procedures, the results of which may be legally binding, and which are therefore based on traces that are ideally verifiably unadulterated. This requires appropriate mechanisms to collect and protect data. If for example an error is found in software, which causes a car accident, not only the error and its effect would have to be represented in the forensic investigation, but it would also have to be provable that the software version containing the error was installed in the car. The purpose of a forensic investigation is also essential not only for the analysis of accident events but also the evaluation of driving style by insurance companies, the billing in the event of disputes with rental or leasing vehicles and the investigation of driving behavior by a repair shop. It becomes clear that several parties are interested in the data of a vehicle. In turn, this makes it necessary not only to ensure reliable data collection but also to take a closer look at data protection. Time stamps and sensor data, such as the driving behavior or seat settings, can easily generate personal data that is worth protecting.
The overriding goal of the project is
to identify data sources for forensic investigations in the automotive environment, to record them in a way that they cannot be modified, and to ensure that access to these data complies with data protection regulations. To this end, we pursue the following sub-goals:
- Evaluation of potential data sources in the car and known attack methods for data safety.
- Data access to prevent subsequent falsification of the data concerning their suitability for the embedded environment in cars.
- Privacy-preserving forensics and privacy-by-design approach.
- Limitation of the data economy and the transparency of data collection and access to these for the owner of the vehicle.
- Development of a demonstrator with comparison of strong and weak data protection.