Automotive Cybersecurity: OEMs, ISO Certs & Guidelines

Recent automotive cybersecurity news include open Ford records, 5StarS consortium, SecureRF Corporation, StrongKey, Enigmatos and infiniDome Ltd.

UpGuard Finds Ford’s Open Backup Doors

UpGuard Inc. found that Attunity Ltd. left internal Ford Motor Co. and Toronto-Dominion Bank data records available and accessible online through a Terrabyte of Backups

“It’s a category of data breach we refer to as a keys-to-the-kingdom exposure,” said Chris Vickery, at UpGuard.

On May 13th, 2019 an UpGuard researcher discovered publicly accessible Amazon S3 buckets named “attunity-it,” “attunity-patch” and “attunity-support. Attunity was recently acquired by Qlik.  After UpGuard notified Qlik of the vulnerability, the files were no longer publicly available.

UpGuard Inc., a cybersecurity company, discovered more than terabyte of data left unsecured by Attunity in Amazon S3 buckets.. Attunity was supposed to keep the data in way that it could be shared and analyzed. The data was not locked to the public and could be accessed in plain text.

Ford data accessible included Ford’s information-technology architecture and internal project plans. inlcuding slides from the office of the CIO.

System credentials could be found in a number of places in the Attunity data set and serve as a useful reminder of how that information might be stored in many places across an organization’s digital assets. Credentials such as private keys were stored, and exposed, in directories for configuring those types of systems. 

Attunity, exposure included spreadsheets with employee data. The example below had 354 rows and included columns for ID, Employee, Actual / Forecast/Commit, Benefit Code, G/l account, Entity and Social Security numbers.

While many of the files are years old, the bucket was still in use at the time detected and reported by UpGuard, with the most recent files having been modified within days of discovery. 

The chain of events leading to the exposure of that data provides a useful lesson in the ecology of a data leak scenario. Users’ workstations may be secured against attackers breaking in, but other IT processes can copy and expose the same data valued by attackers. When such backups are exposed, they can contain a variety of data from system credentials to personally identifiable information. Data is not safe if misconfigurations and process errors expose that data to the public internet,” noted Upguard.

5StarS Consort Address Cybersecuirty for Connected and Autonomous Vehicles

The 5StarS consortium – which brings together key research bodies Ricardo, Roke, HORIBA MIRA, Thatcham Research and Axillium Research to address the cybersecurity threat – has today launched its proposed assurance framework for connected and autonomous vehicle cybersecurity from design to end of life, following a two-year research project funded by Innovate UK.

As increased connectivity of vehicle systems – such as in-car entertainment – increases exposure to cyber threats, consumers and insurers need to be able to have confidence that vehicle manufacturers are managing cybersecurity appropriately. The 5StarS assurance framework sets out to build trust in the ability of manufacturers to mitigate against cyber threats and be resilient to attacks. The framework will allow them to demonstrate that they will respond quickly and effectively to attacks or vulnerabilities.

The Roadmap to Resilience framework will enable manufacturers to gain assurance in the capabilities of their products, use resilience as a market differentiator and establish meaningful ways of communicating cyber derived risk to consumers.

Key benefits for vehicle manufacturers implementing the framework include building consumer trust in the overall safety of vehicles; highlighting vehicle countermeasures against – and resilience to – cyber attacks; cyber risk being reflected in insurance premiums, and the ability to monetize good practice in cybersecurity through a rating that differentiates their products from the competition in consumers’ eyes.

SecureRF ISO 26262 Certification

SecureRF Corporation announced it achieved ISO 26262 certification for its development methods used to deliver its advanced automotive security solutions.  These methods, used to develop SecureRF’s quantum-resistant security tools, ensure the highest levels of quality for protecting the growing number of processors now found in today’s vehicles. The company’s software development methods conform with the strictest requirements, receiving an Automotive Safety Integrity Level (ASIL) “D,” the highest classification for safety-critical processes from exida, the leading global certification company. With this accreditation, SecureRF’s solutions are ready for immediate use within the electronic systems of a vehicle.

Hundreds of embedded processors control critical operations in today’s cars. With increasingly sophisticated functions, from passenger comfort systems and entertainment to coming autonomous features, the number of electronic control units in a car is growing, raising the need for fast, small, and resource efficient security. To provide safety-compliant systems, a broadening range of stakeholders in the automotive ecosystem are supporting these standards, and SecureRF is among the first IP providers to earn ISO 26262 ASIL D certification.

“ISO 26262 Automotive Safety Certification demands that a company demonstrate competence in applying the ISO 26262 specification to real-world engineering situations,” said Ted Stewart, Senior Safety Engineer at exida. “To achieve its certification, SecureRF’s entire development process—from initial requirements specifications to final validation—underwent intense scrutiny.  SecureRF’s investment in achieving this certification illustrates its commitment to a strong safety culture, which is a requirement for ISO 26262 compliance.”

“We made this investment in certifying our methods to support our semiconductor partners’ design teams. They are on the leading edge in developing new electronic control units, sensors, and artificial intelligence solutions that will ultimately enable a wide range of new functions including self-driving vehicles, so it is critical that we meet the highest security and safety standards,” said Louis Parks, Chairman and CEO of SecureRF. “This was a significant effort by our engineering, safety, and quality teams, and we are proud to be one of the first security companies to deliver ISO-certified identification, authentication, and protection methods that address the embedded processors now being used by the automotive community.”

SecureRF’s security library includes fast, small, and low-energy Key Agreement Protocols and Digital Signature Algorithms that are quantum-resistant to all known attacks.  Software Development Kits for a wide range of platforms, and supporting the most popular development tools, are available for free.//

StrongKey and Infinenon

StrongKey announced today that it has become a member of the Infineon Security Partner Network, combining the company’s innovative research and solutions with Infineon’s leading-edge security technology. The strategic partnership will bring benefits to the automotive, aerospace, biotechnology, finance, government services markets and more.

Enigmatos & Orpak

Enigmatos, a cybersecurity startup specializing in connected cars,  announced that it will be providing technology consulting services to Orpak to strengthen the protection of its fuel management systems.

The automotive industry is in the midst of a revolution. With the rapid growth in the number of connected vehicles on the roads today and increasingly automated services for cars, the potential for cyberattacks is growing.

Orpak joins the list of Enigmatos partners who are working to improve the security of their products against hacking attempts. Pelephone, a leading Israeli mobile operator, signed a cooperation agreement with Enigmatos to provide cybersecurity services for its connected car products just a few months ago.

Enigmatosan Israeli startup company, is active in the field of vehicle protection against cyberattacks. The company’s technology blocks cyberattacks on vehicles already on the roads, both at the software and hardware levels. The company is the first to create a unique profile for each vehicle by uploading all the data to the cloud, enabling it not only to locate the source of the attack but also to intercept it immediately and accurately

infiniDome Jams GPS

infiniDome Ltd., the Wireless Security Company, performed a live field demonstration of GPS jamming/spoofing protection of a self-driving autonomous car at the EcoMotion Main Event on June 11th which was the heart of the international future mobility conference, EcoMotion Week 2019.

In the demonstration, BWR self-driving car was operated in the conference demo center, when a nearby GPS jammer was activated and disabled the autonomous car’s navigation capabilities. Then, infiniDome CTO easily connected GPSdome protection solution, and the same autonomous car with the same GPS system was able not only to detect the jamming attack but also to retain the GPS signal and the navigation capabilities under the jamming attack.

“In our live demo we presented our field-proven solution for protecting GPS-based systems against jamming attacks in front of huge players in the industry some of whom are key partners of DRIVE (the automotive accelerator in TLV which we are part of),” said Omer Sharar, infiniDome CEO. “Our cyber solution’s competitive advantage is the retaining of the GPS signal under these attacks. Our approach, unlike the competition, is not only to detect the attacks but to protect from them. We strongly believe that the autonomous car cannot stop at the side of the road when it’s being attacked, it has to keep going.”

“The EW (Electronic Warfare) approach of our GPSdome protection is a breakthrough in the autonomous car field”, said Moshe Kaplan, infiniDome CTO. “We are further developing our technology to provide the autonomous car with full protection from jamming and spoofing attacks of other wireless communications it depends on, like 5.9 GHz (used for V2X communication) as well as its cellular link to the world.”

“GPSdome is field-proven and shipped to numerous customers all over the world,” said Ehud Sharar, infiniDome President. “Our commercially available product is an enabling technology. It allows for the industry to continue relying on the availability of GPS for navigation, sensor fusion and V2X which simply don’t work without it.”

infiniDome Ltd. provides front-end cyber solutions protecting wireless communications from jamming and spoofing attacks. The company’s first product, GPSdome, protects against jamming and spoofing of GPS-based systems, which are critical for autonomous vehicles, drones and connected fleets. GPSdome has been successfully proven in the field and sold to customers globally.

Read all Automotive Cybersecurity.


You are welcome to subscribe to receive email notification of publication of Connected Car News Cybersecurity, you can also get weekly news summaries or daily emails.