Tesla hacked: Effective defense strategies

The security experts manipulated the control unit in such a way that they were able to put the controller into an undesired state via a brief voltage dip. To do this, the hackers resoldered several capacitors that serve to stabilize the voltage. When this happens, the controller skips certain queries. It then has a brief blackout, so to speak. If this is short enough, the controller cannot detect this, so that the states can be manipulated, as was achieved here.

Now we come to an important point. Ultimately, every manufacturer must consider how important all their data is. It is common practice to set up monitoring, carry out risk analyses and use these to assess the potential for damage. This is followed by a decision on the security mechanisms that protect the data. This process is holistic and is the only way to prevent attacks. Our rule of thumb is that the effort required to obtain certain data must be greater than what can be gained from it.

However, the specific case shows that if someone has enough time and money, like a security researcher in this case, they will find a security gap. This is why it is important to have a good monitoring system so that you can react quickly if a vulnerability is discovered. The security gap can then be closed quickly with an update. This will become increasingly important in the future. However, it is also true that not all risks can be ruled out or fully secured.

We have the Firmware Security Module project, FSM for short. It is aimed at control Units that do not have any special security hardware on board or whose hardware cannot be updated. Normally, there is a “Hardware Security Module” (HSM) that can be used to perform a secure boot of the control unit and to protect the necessary secrets on the control unit. Their disadvantage, however, is that they are limited in terms of computing power. Microcontrollers, i.e. control units that contain this, are more expensive and are difficult to retrofit with software. That’s why we designed the FSM. It is software-based and offers the option of retrofitting control units with the corresponding safety features.

Correct. We have integrated encryption algorithms into the FSM that can be updated or replaced. This makes it possible to react if an algorithm is no longer state-of-the-art or if a vulnerability is discovered. In the future, there will be quantum computers that can break existing encryptions. By then, at the latest, it will be extremely important for OEMs to have a solution for retrofitting encryption algorithms as a countermeasure. We work with the four algorithms that are most likely to prove suitable. We have therefore implemented them for a microcontroller. Furthermore, we have also developed IAV quantumSAR as an open source project. This means that anyone can use it. Customers who are interested can take a look at IAV quantumSAR and get us on board to continue and customize it.

As I said, we work with algorithms that we assume are quantum-safe. This means that if quantum computers actually exist in the future, it will be necessary to have already secured the risks in development through security by design. At the same time, we have to expect that security will still be breached at some point because it ages over the lifetime of the entire vehicle. This is now also stipulated by law. It therefore makes sense to consider what happens if what was once assumed to be secure is no longer secure in the future. The encrypted data that the vehicle and backend exchange will no longer be encrypted as soon as quantum computers are developed to the point where they can break the existing security systems and be decrypted in no time at all. Then cars will no longer be secure. Then we will need countermeasures. If we didn’t have a cryptographic algorithm in this situation, we would be helpless. Post-quantum encryption algorithms are the likely solution to this.

We deal with the entire security process and can actually map it from A to Z. We do security by design, carry out risk analyses, act as consultants, offer the development of entire security functions – and take care of testing and safeguarding right through to the pen test, where we also use methods such as those described above to unlock the autopilot at Tesla. Our security offering also includes services for the service life of the vehicle after the actual development, including update solutions. In addition to FSM and IAV quantumSAR, there is another component, the Automotive Cybersecurity Defense Center (ACDC). This is a solution that enables the monitoring of vehicles in the field. ACDC detects security vulnerabilities in the vehicle and empowers security engineers to derive appropriate responses.

We can learn a little from IT. IT is always a few years ahead. Before the vehicle was networked, all computers were networked. In IT, for example, we have seen that there are threats such as ransomware that encrypt data on computers. It is therefore obvious that these scenarios could also reach the vehicle at some point and paralyze entire fleets. The methods used to ward off these threats also originate from IT. Intrusion detection systems detect anomalies, report them to an operations center, and are classified there. If there really is a problem, responses are planned. Ultimately, there is no such thing as absolute security. That’s why it’s so important to prepare for every conceivable scenario. And that’s what we do every day.

Contact:

Marco Siebert
Head of Embedded Security
marco.siebert@iav.de
linkedin.com/in/marco-siebert-059356235