IEEE CNS 2014 Poster Session

Approaches for Vehicle Cyber Security

Hiro Onishi
Alpine Electronics Research of America, Inc.
honishi@alpine-la.com

Abstract— Vehicle cyber security that recently arouse society remote control, financial charges, and personal information
concerns have more complicated vulnerabilities, compared to stolen)’. These types of malware threaten smart phone users
ordinary computer and internet cyber security. In addition, more because of financial damage or the leakage of
frequent connection between vehicle and smart phone with confidential/privacy information [4].
limited security mechanism is considered to raise security risks.
In this paper, we will first analyze these vehicle cyber risks and
then introduce various industrial approaches for vehicle cyber
security. Finally, we will introduce the well-integrated
connectivity between vehicle and smart phone that may enhance
vehicle cyber security.

Keywords—vehicle cyber security; vehicle cyber risk analysis;

connectivity between vehicle and smart phone

I. VEHICLE AND SMART PHONE CONNECTIVITY Fig. 1. TER (Threats Exposure Rate) for PCs and Android devices [3] [11]

Recently, smart phones have been more frequently

integrated within a vehicle to provide more convenient
functions such as, concierge services, emergency call, and
remote diagnosis to drivers and passengers [1]. Vehicle and
smart phone connectivity becomes applied not only to after-
market or dealer installation systems, but also to OEM factory
installation systems. TABLE I shows smart phone integration
applied to factory installation systems observed at the Los
Angeles Auto show 2011 [2].
TABLE I FACTORY INSTALLATION SMART PHONE INTEGRATION
(OBSERVED IN LOS ANGELES AUTOSHOW 2011) [2]
II. ENLARGED VEHICLE CYBER RISKS
Passenger-vehicles with over 20,000 components
potentially have higher security risks compared to ordinary
PCs with approximate 2000 components. Furthermore as
modern intelligent vehicles have approximately 100 CPUs and
several hundred MB of software code to target autonomous
driving ultimately, vehicle cyber risk has become a serious
social concern [5]. In addition more frequent connections
between vehicle and smart phone with limited security
mechanism are considered to increase vehicle cyber risks (Fig.
2.) [6].

Fig. 2. Cyber risks caused by carry-in devices (smart phones) [6]

In comparison to ordinary computer or internet cyber
security, vehicle cyber security has the following additional
complicated vulnerabilities [6],
• Limited vehicle external connectivity causes
On one hand, smart phones with limited security
difficulty in updating security software and in
mechanism used at multiple locations and connected to
monitoring automotive electronics status
various sites to download various applications become targets
• Limited computational performance, due to high
of cyber attacks next to PCs. In multiple countries, Android
endurance and long vehicle life-cycle (over 10
devices (one type of smart phones) have higher TER (Threats
years) causes difficulty in competing against
Exposure Rate) than PCs do (Fig. 1.) [3] [11]. Smart phones
hacker’s latest high computational performance PC
have three major types of malware, i.e. ‘installation
• Need of real-time operation
(repackaging, update attack and drive-by download)’,
• Vehicle complexity as it consists of numerous
‘activation’, and ‘malicious payload (privilege escalation,

978-1-4799-5890-0/14/$31.00 ©2014 IEEE 506

 IEEE CNS 2014 Poster Session
components and parts
• Unpredictable attack scenarios and threats
• Hazard of drivers and passengers lives
III. APROACHES FOR VEHICLE CYBER SECURITY
A. Develop industrial security guidelines
In resonse to the increased vehicle cyber risks,
governments and industrial organizations are developing
vehicle security guidelines (TABLE II). These guidelines are
providing the following benefits to the industry [7],
• Awareness and outreach
• Well-defined threats and risk analysis
• Cyber security techniques and architectures
• Handling and mitigating of cyber incidents
TABLE II GUIDELINES FOR VEHICLE CYBER SECURITY [8] [9] [10]
B. Mitigate hazards
For the most critical mission in vehicle cyber security, i.e.
to maintain ‘safety’ even when ‘security’ is compromised, we
would like to introduce two types of approaches. First, in
vehicle-level approaches, ‘Infotainment (Information and
Entertainment)’ area which is frequently connected to the
external ICT (Information Communication Technology) world
is divided from safety critical areas (Fig. 3.). Samples of
individual techniques are [6],
• Install firewalls between Infotainment and safety
critical areas
• Review commands/messages from Infotainment
areas to safety critical areas
• Protect against software manipulation
In component-level approaches, critical functions should
have redundancy with hard-switches or analog back-ups [6].
Fig. 3. Hazard mitigation – Vehicle-level [6]
C. Utilize smart phone connectivity
Though the connectivity between vehicle and smart
phones is considered to increase vehicle cyber risks, on the
contrary, this connectivity can provide the following useful
security features efficiently.
• On-the-fly (security) software update (i.e. security
patch)
• Electric components’ status monitoring
507
• Certification by security authority(=anchor)
• Remedy of infected components
Especially, on-the-fly security software update has enhanced
the security of vehicles ordinary over 10 years in the market.
Considering these features, the well-considered smart phone
integration has the possibilities to strengthen vehicle cyber
security.
IV. CONCLUSIONS
In response to the increasing concern about vehicle cyber
risks, many approaches are taken place in the industry, for
example,
• Develop vehicle security guidelines
• Mitigate hazards caused by cyber attacks
• Utilize external connectivity, especially smart phone
connectivity, for security features
Though initially the connectivity to smart phones were
considered to increase vehicle cyber risks, on the contrary,
well-integrated smart phones can be utilized for many security
features for example, on-the-fly security software update to
enhance vehicle cyber security.
Ordinary security techniques in ICT have the capabilities
to enhance vehicle cyber security, but we have to be aware
that there are many specific challenges to deploy them in
vehicle environment for example, real-time operation within a
few hundred milliseconds.
ACKNOWLEDGMENT
The author thanks Mehrdad S. Sharbaf of California State
University Dominguez Hills for offering useful information
and advice in this research.
REFERENCES
[1] M. Paula, “In Four Years, Most Cars Will Work With Smart Phones”
(May ’12). Available at
www.forbes.com/sites/matthewdepaula/2012/05/19/in-four-years-most-
cars-will-work-with-smart-phones/
[2] H. Onishi, “Paradigm Change of Vehicle Cyber Security” in CyCon ’12
(Tallinn, Estonis, Jun.)
[3] “Mobile Security Solution – Sophos Mobile Control” (Japanese)
[4] Y. MA and M. Sharbaf, “Investigation of Static and Dynamic Android
Anti” IEEE International Conference on Information Technology : New
Generations ’13 (Las Vegas, NV, Apr.)
[5] A. Weimerskirch, “Security Considerations for Connected Vehicles” in
SAE Government /Industry Meeting ’12 (Washington DC, Jan.)
[6] H. Onishi, “Approaching Vehicle Cyber Security by Applying the
Functional Safety Concept“, in ITS World Congress ’13 (Tokyo, Japan,
Oct.)
[7] H. Onishi, “Guidelines for Vehicle Cyber Security”, in ITS World
Congress ’14 (Detroit, MI)
[8] EVITA deliverable D2.3 “Security requirements for automotive on-
board networks based on dark-side scenarios” (’09)
[9] Information-Technology Promotion Agency, “Approaches for Vehicle
Information Security”, (Apr. ’13). Available at
http://www.ipa.go.jp/files/000033402.pdf
[10] SAE-International, “J3061 – Cybersecurity Guidebook for Cyber-
Physical Automotive Systems” (under development)
[11] Sophos, “Sophos Security Threat Report 2013”. Available at
www.sophos.com/en-
us/medialibrary/PDFs/other/sophossecuritythreatreport2013.pdf