Automotive Cyber Security

Connected vehicles have numerous potential benefits for convenience, safety, travel time and access to mobility, and the features that deliver these have become essential selling points. Advances in autonomy will increase the number and types of connections and travellers’ reliance upon them. In 2020, most new vehicles are connected vehicles and many have online connections to safety-critical systems, putting them at risk of deadly hacks. It’s not clear that the automotive industry is fully equipped to deal with this and they may even be deceiving the public about their lack of preparedness.


In response to these challenges, the new UNECE WP.29 type approval regulations for cybersecurity and over-the-air (OTA) updates enter into force in January 2021. The cybersecurity management standard ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” is also hotly anticipated next year. But is the industry ready?

Stepping up in this connected world is a major challenge for the established automotive industry and Intelligent Transport Systems (ITS) providers. A number of these challenges can’t be solved without addressing deep-rooted issues such as reluctance to collaborate, a lack of specialised security talent, and engineering processes that don’t consider security throughout the lifecycle.


The ARTS TN have organised a webinar on Automotive Cyber Security on 21 October 2020 at 11.00hrs BST. Ahead of the webinar we’d like to hear your views on the following questions:


•    How well are automotive and ITS businesses positioned to deal with security in their products and services? 

•    What do the various industries need to do to create conditions where security can be assured by design throughout the lifecycle of their products and services? 

•    What are the gaps, how big are they, and what capabilities are needed to address them?


If you have other questions that you’d like to post here, we will also consider these for discussion by our experts in the Q&A panel during the webinar.

  • We've now had responses from David Evans, IDIADA, to the remaining questions that we didn't get around to covering on the webinar.

    Q: Why does the communication technology have to be vehicle specific? Why not utilise the user's mobile phone for the connection method?
    David: The mobile phone does not have the same level of access to the vehicle's internal network, you could argue that a phone could be connected (e.g. Bluetooth) and act as a 'gateway' but that doesn't really help with the benefits that peer to peer (ad hoc) communication with nearby vehicles can do... Possibly 5G will make this possible, but I think introducing a mobile phone into a potentially safety critical part of the vehicle could cause more problems.


    Q: Do you consider the current Internet architecture to be reliable for V2X? Or do we have to create an "Internet of the Future" for that?
    David: It's a complex challenge and an increasingly growing market, I would argue there are probably more IoT devices deployed than vehicles on the road. It's certainly a challenge for the supporting infrastructure, and there's a lot of work being done on projects like H2020 C-Mobile + C-ROADS on this type of activity.

    Q: Are the CAM and DENM protocols free software? Where can I find them to do some tests?
    David: The latest specifications for CAM and DENM are available here and in this location as well.

    Q: Will the V2X technology require bespoke legislation and how does / will that affect the design and development of the system? Has current legislation hampered what you would like to include within the system?
    David: Possibly, with the introduction of new regulations for automotive cybersecurity / Over the air updates it has to be considered. You get into an interesting point about sharing GPS data with nearby infrastructure (as needed by ETSI ITS G5 CAM message), you cross a line whether you share this information with the overarching road authority to help improve the traffic and (potentially) safety benefits.

    Q: Why are you sending a false vehicle position?
    David: The whole basis of CAM (and other V2X messages) was to share 'where you are' and 'where you are going' with other nearby vehicles + infrastructure to enable safety applications. GNSS has been demonstrated countless times to be susceptible to attacks and vulnerabilities and I wanted to show a simple example where this could be manipulated somewhere in between the vehicle's GNSS module and the V2X module within the vehicle. In the case of the SecureIoT project, a vehicle insurer may be interested in knowing what you were 'telling' other vehicles at the point of a crash, or otherwise, to better understand an accident.

    Q: Given the existing vulnerabilities around GPS, 4G, WiFi etc., has the automotive industry already seen cyber-attacks? When do we anticipate the tipping point? When will automotive cyber-attacks become more prevalent?
    David: I believe there have been several attacks publicised; the attack on the Jeep Cherokee by Miller and Valasek is possibly the most well-known (www.wired.com/.../). We're seeing a lot more Linux-based OSes in vehicles now; I've seen several lower-end vehicles using open source libraries (e.g. to display a picture from a memory card) of which vulnerabilities have been discovered several years into the vehicle's production run. It's a constant challenge for the automotive industry, and hopefully with the introduction of ISO/SAE 21434 + regulations from UN ECE, this will be a positive step towards accountability and clear responsibility to address these issues when discovered.

    Q: I thought SATNAV uses GPS tracking which is classed in this case as personal data.
    David: Yes, but you're using that service (and presumably provided consent for this). In the case of V2X, will this be mandated that a vehicle 'must' use this (and as a consequence) share information (anonymised or not) with nearby infrastructure and other vehicles?


    It would be good to see your further comments on these posts. 


    If you didn't manage to register for the webinar, you can still watch it OnDemand.
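
Added example, not part of David's reply or of any SecureIoT code: a receiver-side plausibility check for the false-position case discussed above, comparing the position change between consecutive CAM-like messages with the speed and heading reported in those same messages. The `CamSample` field names, the tolerances and the sample track are assumptions made for this illustration; real CAMs are ASN.1-encoded and use different units.

```python
import math
from dataclasses import dataclass

R_EARTH_M = 6_371_000.0

@dataclass
class CamSample:
    # Simplified stand-in for CAM content (assumed field names, not the ASN.1 ones).
    t_s: float          # generation time, seconds
    lat: float          # degrees
    lon: float          # degrees
    speed_mps: float    # speed reported in the same message
    heading_deg: float  # 0 = north, clockwise

def _dist_and_bearing(a, b):
    la1, la2 = math.radians(a.lat), math.radians(b.lat)
    dlo = math.radians(b.lon - a.lon)
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin(dlo / 2) ** 2
    dist = 2 * R_EARTH_M * math.asin(math.sqrt(h))
    brg = math.degrees(math.atan2(
        math.sin(dlo) * math.cos(la2),
        math.cos(la1) * math.sin(la2) - math.sin(la1) * math.cos(la2) * math.cos(dlo)))
    return dist, brg % 360

def check_pair(prev, cur, speed_tol=3.0, heading_tol=30.0, min_move_m=2.0):
    """Return the reasons why cur is inconsistent with prev (empty list = plausible)."""
    dt = cur.t_s - prev.t_s
    if dt <= 0:
        return ["non-increasing timestamp"]
    dist, brg = _dist_and_bearing(prev, cur)
    reasons = []
    implied = dist / dt
    reported = (prev.speed_mps + cur.speed_mps) / 2
    if abs(implied - reported) > speed_tol:
        reasons.append(f"position implies {implied:.1f} m/s, message reports {reported:.1f} m/s")
    # Track bearing is meaningless when the vehicle has barely moved.
    off = abs((brg - cur.heading_deg + 180) % 360 - 180)
    if dist >= min_move_m and off > heading_tol:
        reasons.append(f"track bearing {brg:.0f} deg, reported heading {cur.heading_deg:.0f} deg")
    return reasons

def audit(track):
    """Indices (with reasons) of messages that fail the check against their predecessor."""
    found = [(i, check_pair(track[i - 1], track[i])) for i in range(1, len(track))]
    return [(i, reasons) for i, reasons in found if reasons]

# Constructed 1 Hz track: 15 m/s due north; from message 3 the position is shifted ~168 m east.
TRACK = [CamSample(0, 41.000000, 2.000, 15.0, 0.0), CamSample(1, 41.000135, 2.000, 15.0, 0.0),
         CamSample(2, 41.000270, 2.000, 15.0, 0.0), CamSample(3, 41.000405, 2.002, 15.0, 0.0),
         CamSample(4, 41.000540, 2.002, 15.0, 0.0)]
```

Only the message where the offset first appears is flagged; an offset present from the first message, or one that drifts in slowly, passes this check and needs an independent reference such as wheel speed or another sensor.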