Freescale calms fears over automotive hacking

Freescale's head of global automotive system solutions, Rainer Makowitz, has spoken out over fears that the increasing complexity and connectivity found inside modern vehicles could constitute a valid attack vector for ne'er-do-wells intent on mayhem.

With car manufacturers adding increasingly integrated and connected computing systems to their vehicles - excellently demonstrated by the Ford Evos concept, which includes an internet-connected in-car computer that is capable of controlling every aspect of the vehicle, from the audio system to engine power and brake responsiveness - fears are growing that attackers could exploit these systems to put drivers' lives at risk.

A report from last year claimed that attackers with access to a car's on-board diagnostic port could disable the braking system or switch off the engine - even while the vehicle is travelling at high speed - and multiple follow-up investigations have since appeared.

Makowitz, who heads up the automotive engineering team at semiconductor giant Freescale, believes such fears are drastically overblown and that such attacks are incredibly unlikely.

"After the malware attacks on mobile devices running the Android operating system, speculations about automotive viruses have soared again," Makowitz writes on the Freescale blog. "Compared to IT and telecom, the plague of car viruses has not - yet - arrived in the automotive industry."

Makowitz goes on to suggest three very good reasons why cars are generally safe from digital attack: "Physical access is required to reach 'open interfaces' like the OBD II connector or USB plugs; most malware routes into the car are indirect in nature via attacks on service equipment and infested consumer devices; wireless access points are still rare and should be well defended."

Although Makowitz admits that there have been well-publicised 'proof-of-concept' attacks against on-board automotive computing systems - some, although not many, of which use Bluetooth or Wi-Fi connectivity to attack the system without physical access - he argues that with a back-to-basics approach to security combined with technological countermeasures there should be nothing to fear.

"This new impetus for security will be addressed with the help of microcontrollers from Freescale, which provide security features [including] whitelisting approved code in automotive electronic control units [which] closes the main attack route of intruders and is accelerated by the security engine on the MPC5646C microcontroller [and] security anchors on an automotive network - as proposed by the SEIS community - can be implemented using the secure flash memory and the cryptographic service engine."

Makowitz also points out that his company's ARM-based i.MX application processors - popular choices for rich-media navigation and entertainment systems - include support for platform virtualisation, trusted execution, high-assurance boot, secure storage and signed updates, which can help prevent privilege escalation and poisoned firmware downloads.

"With these countermeasures properly implemented," Makowitz goes on to claim, "virtually all the threats that have been documented up to now could have been thwarted."

The key there, of course, is "virtually" - and with the cars of tomorrow becoming increasingly interconnected, it's likely we haven't heard the last on this subject.