Do Vehicles Need Data Security? 2011-01-0040

Data security was introduced to vehicles in the 1980's with the electronic theft protection system. Since then data security was also implemented in further electronic systems of vehicles, including theft protection for electronic control units, protection of mileage counter integrity, protection against software manipulation (secure flashing), and secure wireless on-board diagnoses (e.g. via Bluetooth). Vehicles include more and more electronic systems and open communication channels based on public standards, making them vulnerable to a variety of attacks. Security mitigation mechanisms are implemented in software and might be supported by a controller with basic security features.

Recently, research was started to centralize security features in a single dedicated security controller. This security controller implements cryptographic methods and provides tamper resistance. Current and future applications with need for security include vehicular communication, feature activation and pay-on-demand applications as well as digital content protection systems.

In this work we will analyze which degree of implemented security features in a vehicle is reasonable. We will consider both security features based on secure hardware and software mechanisms. We will distinguish applications that protect a financial asset (e.g. theft protection) and safety applications (e.g. future vehicle-to-vehicle wireless communication safety applications). We will evaluate whether there is a threat to safety because of new technologies, and how this threat needs to be mitigated. Finally, we will identify the useful mitigation mechanisms and describe how these need to evolve over time. We will perform the evaluation under the premise of economic security, i.e. always assuming that only economically feasible solutions will be deployed.