Stop hackers

A UN/ECE regulation has imposed new cybersecurity requirements on new vehicle models since mid-2022. In the future, no vehicle will be allowed on the road unless the manufacturer can prove that the vehicle series was developed to be cybersecure. IAV helps OEMs and suppliers address the new requirements and processes.

IAV Mag Inware 02 Bilder Web Hacker s

First, the air conditioning system went to the highest level, followed by deafening rap music, and finally, as if by magic, the wiper system started. These were the most harmless surprises, Andy Greenberg, journalist for the U.S. magazine “WIRED” had to endure at the wheel of a Jeep Cherokee. Later, the accelerator pedal blocked in the middle of the highway, and thanks to the brakes turned off, he landed at the end of a nerve-wracking ride in the ditch next to a parking lot.

Greenberg owed his horror ride to two IT experts, Charlie Miller and Chris Valasek. They hacked into the Cherokee via the Internet and managed to access all vehicle features from their home living room via a laptop. This was made possible by a security vulnerability in the infotainment system of the jeep, through which unauthorized “CAN” messages (Controller Area Network) could be sent to air conditioning system, engine and brakes.

«This campaign made headlines worldwide in 2016. It was also a wake-up call for car manufacturers and has led to a much stronger awareness of cybersecurity.»

Hauke Petersen — Senior Technical Consultant Automotive Security at IAV.

Increasingly larger attack surfaces

Since then, however, the network of vehicles has continued to increase – and thus the number of possible attack scenarios: Hackers can now attempt to manipulate a vehicle via mobile communications, Bluetooth, near-field communication (NFC), WLAN or Car2X connections, among others. “

In addition, the IT architecture of modern cars is increasingly changing toward centralization,” explains Carsten Elvers, Head of Department Embedded Security at IAV. “There, more and more components from the PC and Internet area are being used, which makes life even easier for the attackers.”

To protect vehicles better from hackers, the UN/ECE Economic Commission for Europe has developed a new control on Cybersecurity (R155), which sets the requirements for new vehicle types and from 2024 for all new cars. Detailed processes for vehicle development are provided in ISO/SAE Standard 21434 (“Road Vehicles – Cybersecurity Engineering”).

For example, in the future, OEMs will have to prove that they have a cybersecurity management process and that they are able to develop vehicles safely in cybersecurity terms.

«We know the cat-and-mouse game with the hackers because we have been developing safety-relevant software such as immobilizers for 20 years.»

Hauke Petersen — Senior Technical Consultant Automotive Security at IAV

Therefore, IAV can offer vehicle manufacturers advice on the new requirements and support in providing the required documentation along the entire V process.

For large OEMs, the focus is on the documentation and implementation of the processes; for smaller manufacturers, advice on the consequences of the new regulations is currently required. “But Tier 1 suppliers must also become cyber-compliant,” says Elvers. “We can also support this – after all, we are in the process of adapting all processes to the new requirements ourselves.”

The aim is to make connected vehicles safer, and thus to offer hackers such as Miller and Valasek fewer opportunities to attack in the future.

You can read all articles of the new inware magazine here.