Information technology is the driving force behind almost all innovations in the automotive industry, with perhaps 90% of all innovations in cars based on digital electronics and software. Dozens of networked microprocessors and several hundred megabytes of software can be found in a common compact class car, controlling engine and driving functions, assisting the driver and enabling various comfort, infotainment and safety functions. One crucial aspect of digital systems in vehicles is their security. Whereas software safety is a relatively well-established (if not necessarily well-understood) field, the protection of automotive IT systems against malicious manipulations has only recently started to emerge. Even though many European car manufacturers have lately established R&D groups that are dedicated to embedded security in cars, so far there has not been an allencompassing reference of this topic.
The book by Dr. Marko Wolf fills this gap, and is by far the most comprehensive treatment of IT security in vehicles available today. A particular challenge of automotive IT security is its interdisciplinary nature. Dr. Wolf has done an outstanding job incorporating disjoint areas in one comprehensive treatment. The book ranges from the relevant security technologies to a systematic analysis of security risks all the way to solution using state-of-the-art security methods.
Despite the fact that much of the material is based on results from the research community, Dr. Wolf succeeded in presenting all aspects in a very clear and accessible manner. I am convinced that the book will become an invaluable reference for designers and developers in the automotive industry, as well as for researchers in academia.
Prof. Dr.-Ing. Christof Paar
Chair for Embedded Security
Ruhr University Bochum
"I believe in horses. Automobiles are a passing phenomenon." The German Kaiser Wilhelm II. (1859-1941) in 1905.
What the Motivation for This Book Is
In spite of the German Emperor's prophecy of doom, automobiles revolutionized our lives long ago. About a hundred years after the invention of the automobile, automotive technology itself is about to experience a revolution: the digital, networked car. Until twenty years ago, automotive vehicles were virtually closed electromechanical systems with only some small isolated non-critical IT applications, whereas today the fully software-driven, digitally networked and interactive vehicle is already in the offing.
Replacing steel and mechanics with information technology consisting of bits and bytes enables highly sophisticated, intelligent, interactive functionality, which could hardly have been realized solely with electromechanical controls. Furthermore, software-driven vehicular functionality improves flexibility as well as technical and economic efficiency considerably. By networking vehicles in such a way that they can wirelessly exchange messages with traffic infrastructures and other vehicles, passive dumb vehicles are changed into interactive intelligent communication nodes. Vehicular communications, for instance, will considerably improve road safety, if vehicles warn each other about local dangers. It would further help to face one of today's largest wastes of resources: the daily traffic jam. By enabling precise interactive real-time traffic control systems, traffic jams could be prevented before they actually set in.
This favorable development of vehicles becoming software-driven digital nodes within a vehicular communication network will, however, inherently introduce many dangers. Even though most vehicular applications are developed to face various (random) technical failures (e.g., by verifying checksums or ensuring high redundancy), they almost never consider a human attacker who uses a certain functionality in a syntactically correct way, but in a bad faith. Attacks on similarly complex and networked digital IT systems, such as personal computers, handheld devices, or web servers, can already wreak havoc. However, their malicious impacts are usually to some extent "limited" in terms of wasted time, lost sales, or even destroyed documents. The attack potential of malicious encroachments on vehicular IT systems, in contrast, goes from bogus warning messages over attacks on traffic IT infrastructures, which could cause the collapse of the entire traffic of a city, up to "terrorist attacks" on individual cars. For the latter, even simple encroachments on a real-time IT system, which controls two tons of steel at 130 km/h, can actually have devastating consequences for health and life of the vehicle occupants and other road users.
Despite these alerts, many of today's vehicular IT applications are susceptible to various malicious encroachments and require dependable security measures not only to ensure driving safety. The number of potentially endangered vehicular applications is astoundingly big. Even though mainly less critical topics such as antitheft protection or illegal chip tuning still dominate the area of vehicular IT security, many future applications, which have already left the desks of the automotive research departments towards series production, can never be realized without strong IT security measures. Dependable security measures are further essential to protect the liability, the revenues, and the expertise of vehicle manufacturers and suppliers besides various newly emerging security requirements (e.g., privacy) from drivers and occupants for several upcoming vehicular business and legacy applications.
The actual subject matter of this work is to prevent a similar scenario of ceaseless security vulnerabilities, as known from the world of personal computers connected to the Internet, in future vehicular IT systems. This is all the more important because in the automotive domain a single successful attack can already suffice to seriously jeopardize the public confidence in a brand, even if the actual endangerment remains marginal [Puc01]. The work you are holding in your hand is actually the first attempt to give a comprehensive and detailed insight into the emerging area of vehicular security engineering.
What This Book Is About
This work gives a comprehensive and detailed insight into the emerging area of vehicular security engineering, which aims to ensure the trustworthiness and dependability of vehicular IT applications. It should help you to understand the specifics whenever designing security critical vehicular applications while providing you with a solid set of general approaches, practical methods, and helpful implementation concepts. Therefore, it can be seen as a textbook as well as a practical guide, which helps you:
- to learn about threats to vehicular IT systems by showing various current and forward looking exemplary security-critical vehicular applications,
- to understand what causes these threats by analyzing possible attack incentives, attackers, and attack methods,
- to reduce security vulnerabilities and security risks by providing practical methods for designing, implementing, and enforcing security efficiently in the automotive domain.
Thus, this book should, on the one hand, be of interest to automotive engineers and technical managers who want to learn about security technologies, and, on the other hand, to people with a security background who want to learn about security issues in modern automotive applications. In particular, this book can serve as an aid for people who need to make informed decisions about vehicle security solutions, and for people who are interested in research and development in this exciting field.
What This Book Is Not About
This book is not a replacement for reading one of those great security books that cover the topic of IT security in general. Even though this book tries to give a short general introduction into cryptography and IT security, it cannot replace further readings, which can be found for instance in [And01, SB07, Sti95].
This book is not concerned with vehicular IT safety. Even though IT safety and IT security are indeed interleaved fields and sometimes have fuzzy boundaries, this book is only concerned with the protection of vehicular IT systems against malicious encroachments (i.e., IT security) and not with precautions against random technical failures (i.e., IT safety).
This book is further not concerned with IT security of backend IT infrastructures. Protecting offboard servers and networks is a topic of its own, which is covered by general network and system security.
This book is also not a detailed implementation or configuration setup tutorial. This book intends to help you understand the specifics, which have to be taken into account whenever designing security-critical vehicular applications. Since IT security is rather a continuous individually tailored process than a standardized building block, virtually no book can give you a ready-made security solution which you could simply add to the corresponding product.
Finally, this book should not be useful to people trying to compromise vehicular IT applications or to break into vehicular IT systems.
How This Book Is Organized
This book is divided into three parts.
Part I: The Preliminaries. The first chapter gives a short introduction into the problem and helps you to understand and define the matter. It reviews related work in the field of vehicular IT security and provides a short introduction into security and cryptography, which is essential for vehicular security engineering.
Part II: The Threats. First, this part tries to raise awareness of the strong necessity of vehicular IT security by identifying, explaining, and classifying potential threats, potential attacks, and potential attackers for various current and future vehicular IT applications. However, this part also presents the multitude of new possibilities enabled by properly implemented vehicular IT security. This work further describes how to deduce appropriate vehicular security requirements which can thwart afore identified security threats properly. The last chapter of this part indicates characteristical advantages and constraints which arise when establishing IT security in the automotive domain.
Part III: The Protection. The final part of this work provides a solid set of practical security technologies and security mechanisms that are able to implement the identified security requirements efficiently and dependably in the automotive domain. Before ending with a detailed conclusion, it lastly describes some important organizational security aspects from the vehicular manufacturer's perspective, which have to be considered when establishing vehicular IT security.
Many people have helped me to realize this book. I wish to personally thank at least all the people from the Chair for Embedded Security at Ruhr University Bochum, in particular my Ph.D. advisor and highly valued mentor Christof Paar, my current employer escrypt GmbH who enabled me to continue working in my favorite research area in theory and practice, all the people from Vieweg+Teubner Verlag helping me to publish this book, and last but not least all my good friends, my loved family, and especially Ellen.