ISSUE 030 March/April 2025 | In conversation with Tony Fong | Bobcat T7X electric compact truck loader dossier | Cybersecurity focus | Motor testing insight | Fellten’s Charge Qube | HIL testing insight | Battery leak testing focus

Cybersecurity | Tech focus | E-Mobility Engineering | March/April 2025

Also, a high-severity relay attack vulnerability (CVE-2022-38766) in a popular EV in Europe, which allowed unauthorised access to vehicles and the ability to remotely start them.

Legislation around the world over the last decade has required car makers to provide more secure systems in both hardware and software to protect vehicles from attack. This is being achieved at the hardware level with root-of-trust and encryption techniques, and in software through tools to identify vulnerabilities and reduce the attack surface – the number of places where a potential vulnerability might let an attacker in.

The Advanced Encryption Standard (AES) technologies used today with 128-bit and 256-bit keys are safe from cracking by today’s supercomputers, but are vulnerable to the coming generation of quantum computer systems. This has led to the development of post-quantum cryptography (PQC) algorithms that need to be included in vehicle security infrastructure.

Developers have had cyber requirements in place for vehicles for several years. They have been through one development cycle with the first platforms and are now having to apply the learning from this to all their vehicle platforms. This is marking a shift from developers looking at how to implement security to ensuring a secure system through penetration testing and developing processes to close the gaps found in the first security audits. Cybersecurity now includes ongoing monitoring, and current implementations need to respond to attacks that emerge over time.

Cryptographic measures are being introduced more widely as a top-down requirement from OEMs who are asking suppliers to deliver secure systems. These systems have authenticated network communications and secure software updates, as well as verification of software on the ECU when the system boots up. The challenge is how to move across platforms, from a low-end ECU to a high-end controller.

Encryption is the golden solution, but it doesn’t prevent vulnerabilities in other areas, such as the controller area network (CAN) injection in headlights, so cybersecurity includes not forgetting the basics. The car maker found this out after a researcher got involved after a series of thefts. The thieves disconnected part of the headlamp and used a malicious device to send signals to the control CAN bus within a vehicle, allowing the doors to open and the car to start without the key or remote control. The thieves needed to purchase a relatively expensive emergency start device, costing around £2500 to £4000, and gain physical access to the vehicle’s CAN bus communication wires for an uninterrupted period of time. Once connected, the device can send a prioritised series of CAN signals to bypass the vehicle’s security and immobiliser systems, which could unlock the doors and turn on the ignition. The thief can then disconnect the device, enter the vehicle and start the car without the key. Enhanced security hardware was added to the latest versions of the models previously targeted, and the platform was changed to avoid the fault injection attack. However, the vulnerability still exists.

In late 2024, thieves exploited vulnerabilities in adaptive headlight-control ECUs, which were improperly isolated from the vehicle’s CAN bus. By physically accessing the headlight wiring, attackers sent spoofed CAN messages to the powertrain ECU, bypassing immobilisers and enabling keyless theft. This attack emphasised the importance of segmenting non-critical ECUs such as lighting systems from safety-critical networks and implementing CAN bus intrusion-detection systems (IDS).

One key standard for building secure automotive systems is AUTOSAR. This standard has detailed guidelines for cybersecure development (see below) and there are various software tools with techniques such as static code analysis that can help developers avoid the pitfalls. AUTOSAR is also changing the way security is implemented, with strategies moving away from securing the

Car makers are having to meet global cybersecurity standards over the coming years (Image courtesy of Horiba MIRA)
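The segmentation and CAN intrusion-detection measures named above for lighting ECUs can be sketched as a gateway check in Python. This is an added example, not code from the article or from any vehicle platform; the CAN IDs, transmit periods and threshold are constructed assumptions.

```python
# Constructed gateway policy for a lighting segment: each CAN ID the segment
# may originate, mapped to its nominal transmit period in ms (assumed values).
LIGHTING_POLICY = {0x3A0: 100, 0x3A1: 500}
MIN_GAP_RATIO = 0.5  # alert when a frame arrives in under half its period


def inspect(frames, policy=LIGHTING_POLICY, ratio=MIN_GAP_RATIO):
    """Filter frames arriving from the lighting segment.

    frames: iterable of (timestamp_ms, can_id, payload) in time order.
    Returns (forwarded, alerts). IDs outside the policy are dropped
    (segmentation); timing anomalies are forwarded but flagged (detection),
    because the gateway cannot tell which frame of a pair is genuine.
    """
    last_seen = {}
    forwarded, alerts = [], []
    for ts, can_id, payload in frames:
        if can_id not in policy:
            alerts.append((ts, can_id, "blocked: id not allowed from segment"))
            continue
        prev = last_seen.get(can_id)
        last_seen[can_id] = ts
        if prev is not None and ts - prev < policy[can_id] * ratio:
            alerts.append((ts, can_id, "rate anomaly"))
        forwarded.append((ts, can_id, payload))
    return forwarded, alerts


# Constructed capture: periodic lighting status, one frame carrying an ID the
# lighting segment has no reason to send (0x1F0, hypothetical), and a burst.
SAMPLE = [
    (0, 0x3A0, b"\x01"), (100, 0x3A0, b"\x01"), (150, 0x1F0, b"\xff"),
    (200, 0x3A0, b"\x01"), (210, 0x3A0, b"\x00"), (220, 0x3A0, b"\x00"),
    (500, 0x3A1, b"\x10"),
]

if __name__ == "__main__":
    fwd, alerts = inspect(SAMPLE)
    for ts, can_id, reason in alerts:
        print(f"t={ts}ms id=0x{can_id:03X} {reason}")
    print(f"{len(fwd)} of {len(SAMPLE)} frames forwarded")
```

The allowlist enforces the segmentation boundary regardless of timing, while the period check covers the case where traffic uses an ID the segment is allowed to send.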
