In Conversation With: Gilad Bandel, Arilou Automotive Cyber-Security
September 22, 2020
iTWire: Let’s start by having you describe the contribution your company, Arilou Technologies, is making to automotive cyber security.
Bandel: Arilou has been a pioneer in the automotive cybersecurity field for over ten years. The idea behind the company’s technologies and solutions was developed in 2010 when Arilou’s founders, two veterans of an elite cybersecurity unit in the Israeli Defense Forces, completed research and demonstrated possible attack scenarios on vehicles. The company itself was registered in 2012 and then acquired in 2016 by NNG, a larger Europe-based provider of automotive software, specifically navigation. Over time, we have raised awareness of the cyber-threats in automotive security and have developed solutions to provide protection against those threats.
iTWire: So, with that in mind, where does Arilou see its major strengths?
Bandel: The feedback we get from our technology and channel partners as well as our customers is that our offerings are mature and advanced. We also have had a strong R&D team and as a result our products and technologies are easy to deeply integrate in a vehicle’s CANbus and Ethernet networks. [see note below]
iTWire: You mention CANbus, which is widely regarded as a very insecure environment. Is that still the primary car networking standard, or are there newer protocols that will take over?
Bandel: Yes, your assessment is correct. CANbus is a legacy network used in the automotive industry with many drawbacks, although it is here to stay for many years to come. However, the emerging automotive Ethernet will eventually supersede CANbus networks in the future due to its clear advantages. We anticipate a gradual shift to this new technology beginning. This transition will likely begin with German OEMs and then will spread to the rest of the world.
iTWire: Given that, what role, if any, is Arilou taking in standards development?
Bandel: Yes, Arilou is actively participating in several standardization committees. We are providing our knowledge and experience to these standardization bodies as a way to contribute to the benefit of all. For example, the ISO/SAE 21434 [see note below] in which we participate provides ways to implement the UNECE WP.29 regulation [see note below].
iTWire: Broadly, there are two categories of attack. Those that come from within the vehicle and those from without. If someone can physically connect into the vehicle network, how do you defend against that intrusion?
Bandel: External attack vectors are far more severe and risky. Regardless of the source of the threat, there needs to be a strong detection mechanism that monitors signatures and searches for anomalies to efficiently identify any indications of cyberattacks. Again, this needs to be done regardless if the source of the attack is internal or external.
For this we offer a unique approach to protection. For example, if a physical device is attached to the CANbus network and tries to impersonate another Electronic Control Unit (ECU), our technology not only performs a deep packet inspection of traffic messages, but also authenticates all messages based on electric signal fingerprinting methodologies. This quickly classifies an unknown transmitting device as rogue and prevents it from further communicating with the vehicle.
iTWire: So, I assume this means you’re utilising a level of device identification and authentication to quickly identify these rogue devices. Encryption as well?
Bandel: The identification is performed at the device level based on the physical principle that each hardware device, including the wiring, has a unique transmitting electric signal characteristic. This is the base for the authentication. However, encryption is not part of this technology. Encryption is possible using a different product of ours – Arilou CANcrypt. This is a pure software product that performs a combination of CANbus message compression, digital signature-based authentication and encryption.
iTWire: On the other hand, Charlie Miller has demonstrated time and again that ‘smart’ vehicles are susceptible to external attack. Will he (and his ilk) continue to win, or are you sure you can shut him out?
Bandel: The ongoing race between attackers and defenders is a never-ending story. This is not limited to just the automotive security space. We also see this in many other domains. One example is the convergence of IT and Operational Technology (OT) and the impact over Industrial Control Systems (ICS).
The automotive industry needs to provide safety, security and privacy to its customers if it wants to continue to survive and thrive. Regulations are requiring cybersecurity protection of vehicles. As such, the automotive industry is investing lots of resources in the cybersecurity of vehicles. From the other side, vehicles have become more connected and computerized. This clearly has turned a vehicle into an attack vector with a widened attack surface and many risks.
My anticipation is that for the next few years the attackers will have the upper hand until the industry catches up and creates a viable balance. This does not mean that vehicles will ever be 100% cyber-proof.
iTWire: I’m sorry, but that’s rather a generic response. Can you be a little more specific? Are there some examples you can share with our readers? Also, you mention that regulations are requiring better protection, but I’m not too sure I recall the last time that the ‘bad dudes’ paid any attention to that kind of thing. Would it be safe to assume that you’re red-teaming these systems as hard as you can?
Bandel: Unfortunately, for obvious reasons, I cannot share the details of specific cases that are known to us. However, I can say that our cyber-research team has been able to find multiple vulnerabilities in more than one case in which we were able to gain access and control of critical safety components of a vehicle. There is no reason why hackers are able to achieve at least similar results. The regulation mentions a long list of risks and sets of mitigations for minimizing the risks. Hackers obviously read these mitigations and generate new ways to overcome the implementation of those measures. This definitely makes their life more difficult and the car safer. The OEMs that will fully take these measures will be able to pass the certification requirements and reduce the chances of becoming a victim of such an attack.
iTWire: Where is the future? Will we see an increase in vehicle-to-vehicle communication? If so, how can that be protected (key exchange will be *nasty*!).
Bandel: Connected and autonomous vehicles, V2x communications, smart mobility and shared driving are all major technologies that are continuing to expand and will further increase the connectivity of vehicles.
Here, security has to be implemented from day zero since the damage that can be caused by an amplification attack on a fleet of vehicles driving on a major highway, for example, can be devastating. The security protection has constantly performed in depth and at all layers. For example, strong authentication, deep packet inspection, deep content inspection, plausibility, misbehavior detection using advanced techniques such as sensor fusion at the vehicle level and big data at the fleet and national levels, today are all essential.
This is a new and very challenging area where much research is required and experience needs to be gained for the appropriate measures to be imposed in the proper places to ensure the safety of increasingly connected vehicles.
iTWire: Further, I can envisage all manner of denial-of-service methods by (for instance) rich neighbourhoods flagging their local streets as ‘unfit for traffic.’ Of course many other examples easily spring to mind.
Bandel: Threats of Denial of Service and the more sophisticated Distributed Denial of Service are indeed realistic attack scenarios that need to be protected against in connected vehicles.
There are clearly effective technologies and solutions to protect IT networks against these and other types of attacks. However, the computing power in a vehicle is much more restricted, making a vehicle much more susceptible to massive flood attacks.
iTWire: I’m sure you’re aware of the recent low-tech denial of service attack by the man in (I think it was) London who pulled a trolley full of one hundred mobile phones slowly along a minor road and had Google Maps flag it as a major congestion and routed all the other vehicles around it. It seems that sometimes low-tech attacks are often the best.
Bandel: KISS – Keep It Simple Stupid – is in many cases one of the most effective ways to attack. This is a kind of guerilla warfare that uses one’s weak points as a virtue. Furthermore, keep in mind that the defender needs to protect against all possible penetration points and attack vectors. The attacker needs to find just one entry point to launch an attack. Therefore, using simple “low tech” attack methods is a preferred method used by attack actors that have limited resources available. OEMs need to take measures against the entire spectrum of threats, from the simplest ones to the most complex scenarios.
iTWire: The previous questions address different aspects of ‘denial of service.’ Is this the biggest issue you face? What else is there?
Bandel: Actually, no. Denial of Service is of course a major issue, although we are more concerned about active attacks that influence a vehicle’s operations, such as an attack taking control over the steering or brakes. This has implications for everyday driving scenarios from individual drivers to public transportation to even military operations.
iTWire: What about ‘ethics?’ It’s a hot topic in AI at the moment – do you see it as important in your area?
Bandel: Attackers have no ethics. They will take advantage of any vulnerability to attack. Keep in mind that as opposed to attacks in the IT world that have to do with data, privacy, reputation, money and so on, here in the automotive space we are speaking about safety and reliability. This means the potential for loss of lives and damage to property. In the IT sector, once a software attack tool is weaponized and ready to be launched, there is no reason to wait. A ransom attack will always be launched as soon as possible. However, in the automotive world, the weapon might lay dormant for a long time and the activation will be in case of a strategic event, such as a war when the adversaries will take advantage of all available technological tools to inflict damages on the other side of the conflict.
iTWire: Finally, what does the future look like? Where are we heading… in the near-term, mid-term and long-term.
Bandel: In the next couple of years, the industry will get ready for compliance with UNECE WP.29 certification or the other equivalent regulations in many countries.
In parallel, the increasing risks and attack vectors, especially looking at automotive Ethernet and connected autonomous driving, will give rise to a cat and mouse game between attackers and defenders in the mid-term.
For the long term, it would be appropriate here to quote former Nobel Prize winner Niels Bohr. He once said “It is very hard to predict, especially the future”. With this in mind, beyond a horizon of five to six years, it is very difficult to tell what is to come.
iTWire: So, we’re not going to see remotely ‘piloted’ police cars any time soon – the suburban road equivalent of the Air Force Reaper drones!
Bandel: In the future, we will see a few advances in the automotive industry that will influence the cyber-security field. Here are a few examples:
Automated driving will go beyond level 3 and reach levels 4 and 5. This implies less involvement of a human driver and relies more and more on computers to control the automobile. While this is a very positive direction in terms of commodity and safety, it also exposes the vulnerability to cyber-attacks that need to be prevented.
Connected and automated driving adds to the individual vehicle computerization the connection to many other entities. This is V2x – vehicle-to-everything. Having a heavily networked vehicle implies the existence of many new possible attack vectors, such as from vehicle-to-vehicle – V2V – communications and vehicle-to-network – V2N – communications as well as from the Cloud for vehicle-to-Cloud communications and others. In these cases, even if the traffic is authenticated and protected against tampering, a compromised object, such as another vehicle or a roadside unit, can inject rogue data and induce havoc in the vehicle traffic. Imagine a truck leading a fleet of an additional 30 trucks reports on a non-existent roadblock as part of a hacker attack. Protecting against such events is more complex since it requires a combination of methods, such as sensor fusion, message plausibility, misbehavior detection and so on.
Electronic vehicles will have their impact as well. It is enough to note that connecting the vehicle to a charging station implies conducting a communication session and exchange of information between the two sides. Hackers can take advantage of this channel to attack the vehicle. In this case, appropriate security measures need to be taken to prevent such attacks.
iTWire: And that seems like a great place to finish. Thanks for your time.
Bandel: Thank you.
* CANbus is a widely used industrial control environment, defining both the transmission hardware and the signaling protocols. It was originally defined by Robert Bosch in the early 1980s for use within an automotive setting, although it is now widely used in general-purpose industrial control environments (manufacturing and other processing situations).
* ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering”.
* UNECE WP.29 “The UNECE World Forum for Harmonization of Vehicle Regulations”.