Jason Brown, Information Technology Security Manager, the Shyft Group
The infotainment system is possibly the most important component in the modern vehicle. Today, the infotainment system controls more than just the radio. You can control the climate, view directions and live traffic updates, check the weather forecast, or view the overall functionality of the vehicle.
Like any digital device, the software must be updated to maintain compatibility and operability with the vehicle. However, this process is not always effective. On average, there are approximately 50 software bugs introduced for every 1,000 lines of code. Many of these bugs introduce vulnerabilities or weaknesses, threatening the functionality of the vehicle. Unresolved software bugs are typically called residual bugs and can remain unpatched for days, months, or even years. This can leave the vehicle vulnerable to outside attacks.
For tech-savvy individuals who install their own car stereos or infotainment systems, updating the software can be as simple as downloading it from the manufacturer’s website, transferring it to a USB device, and installing it in the vehicle. Sounds easy, right? But for OEM infotainment systems that are fully integrated into the vehicle, this process is not practical for the average owner.
Firmware over-the-air (FOTA) updates are not a new concept for the automotive world. A connected vehicle has a secure internet-based connection to the manufacturer’s network for receiving firmware updates or performing configuration changes. Say that in the new car you just bought, you can’t turn on the seat warmers without paying additional fees. You wouldn’t take the vehicle to the dealership; that would be inconvenient. Instead, the change is performed over the internet. A simple configuration change, and now there are no cold people in their seats. The true test comes when the vehicle is set to receive firmware updates. How would you authenticate the software being downloaded to the infotainment system? Is it, in fact, legitimate?
One way of authenticating, or proving the legitimacy of, the firmware being installed is by means of cryptographic signatures. You can use cryptographic signatures to ensure the firmware produced by the manufacturer is legitimate. How does it work? It uses public key cryptography: the manufacturer digitally signs the software using the private key, and the public key is loaded into a secure enclave in the vehicle. When the vehicle initiates the request, it looks for a new firmware package to download and verifies the signature of the new firmware before it is installed.
The authentication and verification happen at the vehicle. Once the firmware is downloaded from the central update server, it must be authenticated. This is where the public key is used to verify the cryptographic signature; only then can the installation proceed. During this process, the firmware is also checked to ensure that the entire package has been downloaded to the vehicle and that nothing is missing or truncated.
If at any point during the verification process, the vehicle cannot validate the infotainment firmware being installed, it should fail the installation and try again. One important reason is that it prevents an adversary from installing their own firmware on the vehicle. The installation of foreign firmware on a device could cause it to perform erratically, execute functions that were not intended, or render the car useless.
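The sign-then-verify flow described above, as an added example that is not part of the original article: the manufacturer signs a small manifest (declared image length plus SHA-256 digest) with an Ed25519 private key, and the vehicle side, holding only the public key, rejects a package whose signature fails, whose download is incomplete, or whose bytes do not match the signed digest. The package format, function names and sample image are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwarePackage is a constructed, hypothetical update format: a manifest
// (declared length + SHA-256 of the image) signed by the manufacturer's key.
type FirmwarePackage struct {
	Image  []byte   // firmware bytes as received from the update server
	Length uint64   // image length the manufacturer declared in the manifest
	Digest [32]byte // SHA-256 of the image the manufacturer signed
	Sig    []byte   // Ed25519 signature over Length||Digest
}

func manifestBytes(length uint64, digest [32]byte) []byte {
	b := make([]byte, 8, 40)
	binary.BigEndian.PutUint64(b, length)
	return append(b, digest[:]...)
}

// SignFirmware runs at the manufacturer; in practice priv lives in the HSM.
func SignFirmware(priv ed25519.PrivateKey, image []byte) FirmwarePackage {
	d := sha256.Sum256(image)
	l := uint64(len(image))
	return FirmwarePackage{Image: image, Length: l, Digest: d,
		Sig: ed25519.Sign(priv, manifestBytes(l, d))}
}

// VerifyFirmware runs in the vehicle with only the public key available.
func VerifyFirmware(pub ed25519.PublicKey, p FirmwarePackage) error {
	if !ed25519.Verify(pub, manifestBytes(p.Length, p.Digest), p.Sig) {
		return errors.New("manifest signature invalid: refuse to install")
	}
	if uint64(len(p.Image)) != p.Length {
		return errors.New("download incomplete: fail and retry")
	}
	if sha256.Sum256(p.Image) != p.Digest {
		return errors.New("image does not match signed digest: refuse to install")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignFirmware(priv, []byte("constructed sample firmware image v2.1"))
	fmt.Println("genuine:", VerifyFirmware(pub, pkg))
	truncated := pkg
	truncated.Image = pkg.Image[:10] // simulate an interrupted download
	fmt.Println("truncated:", VerifyFirmware(pub, truncated))
}
```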
Ensuring the private key does not fall into the wrong hands is crucial for this process to work properly. Several companies have deployed hardware security modules (HSMs) to safeguard the private key. An HSM is intended to stop the private key from being extracted, preventing an adversary from stealing your most important intellectual property. If an adversary were able to gain access to the private key, they could then sign their own firmware package and install it on the infotainment system without any issue.
HSMs can be pricey, costing anywhere from a few hundred dollars to hundreds of thousands annually. This piece of equipment is highly important if you or your company intend to produce cryptographic signatures. Vendors and trusted third parties may also offer this functionality and specialize in this process. Performing this without an HSM is risky, and your company should take added steps to safeguard the private key. New installations of Microsoft’s Active Directory Certificate Services default to storing the private key in software, meaning that the private key sits somewhere on the hard drive and is not protected by dedicated hardware.
Cryptography is indispensable in today’s digital landscape. It protects privacy through encrypted communication when accessing sensitive data like bank accounts or medical records. It also plays a critical role in authenticating software before installation. However, diligence is required. If access to the private key is lost or compromised, the entire security framework could collapse, leading to potentially catastrophic consequences such as locking yourself out of important files or programs.