Airbag Security Debunked – or Rather the Lack Thereof

Brakes, steering, accelerator. When asked to name some of a vehicle’s most crucial components, these are some prominent ones that come to mind. The amount of control that they provide to the vehicle’s function is indisputable; any technology linked to them must be scrutinized heavily before it is allowed to be deployed. Such careful evaluation is necessary in producing systems that have minimal vulnerabilities, so it is no surprise that the aforementioned systems are some of the most robust. There is, however, one system that holds just as much importance yet has been compromised – airbags.

On October 10th, a vulnerability report was submitted to the National Vulnerability Database (NVD) detailing an exploit in passenger vehicles manufactured in 2014 or later that could lead to the airbag being intentionally detonated outside of expected circumstances. The CAN vulnerability, labeled CVE-2017-14937, stems from the weakness of the security access check that guards airbag detonation.

According to the published technical report, the security access defined in ISO 26021 is the only barrier to unauthorized detonation of the pyrotechnical charges linked to the airbags. This protection consists only of a key and seed pair, and the key can be calculated from the seed via a weak algorithm that complies with ISO 26021. Since the algorithm is available to anyone with access to the standard, the proper key can be easily calculated.

Furthermore, a brute-force attack can also cause the detonation of the airbag, as the key proposed by ISO 26021 is only two bytes long. This results in only 65536 different possible keys, a small list for any script to exhaust. The problem is compounded by the fact that, according to the ISO standard, “There is no time period which needs to be inserted between access attempts,” meaning that a brute-force attack on the system will complete in a minuscule amount of time.

Ironically, the first of these bytes is also mandated to include the definite version number (0x01) of the implemented load detonation method – a reality that, in practice, leaves only one variable byte for the key. With the number of possible keys reduced to a mere 256, the threat this vulnerability poses should not be underestimated. The small keyspace guarantees that even without access to the algorithm provided in ISO 26021, the vulnerability can still be exploited at the expense of the passengers.
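Because no delay is required between attempts, a burst of rejected keys within seconds is the signal an in-vehicle IDS can alert on. The sketch below is an added example, not code from the technical report or from Trillium: it assumes the security access is carried as UDS SecurityAccess (service 0x27) in single-frame ISO-TP messages, and the CAN IDs, log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# candump -L style line: "(timestamp) interface ID#DATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2}){0,8})\s*$")

NEGATIVE_RESPONSE = 0x7F
SECURITY_ACCESS = 0x27
# UDS negative response codes: 0x35 invalidKey, 0x36 exceededNumberOfAttempts
FAILURE_NRCS = {0x35, 0x36}

def detect_key_guessing(lines, max_failures=3, window_s=10.0):
    """Return (timestamp, can_id, failures_in_window) for each rejected key
    that brings an ECU's failure count in the window to max_failures or more."""
    recent = defaultdict(deque)   # responder CAN ID -> timestamps of failures
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # not a CAN frame line
        ts, can_id, data = float(m.group(1)), m.group(2).upper(), bytes.fromhex(m.group(3))
        if len(data) < 4 or data[0] >> 4 != 0:
            continue              # only ISO-TP single frames are inspected
        uds = data[1:1 + (data[0] & 0x0F)]
        if (len(uds) >= 3 and uds[0] == NEGATIVE_RESPONSE
                and uds[1] == SECURITY_ACCESS and uds[2] in FAILURE_NRCS):
            q = recent[can_id]
            q.append(ts)
            while ts - q[0] > window_s:
                q.popleft()       # drop failures older than the window
            if len(q) >= max_failures:
                alerts.append((ts, can_id, len(q)))
    return alerts

# Constructed sample: ECU 7E8 rejects four keys in 60 ms; ECU 7C8 rejects one,
# then accepts a key (positive response 0x67), which is normal workshop behaviour.
SAMPLE_LOG = """\
(100.000) can0 7E8#037F273500000000
(100.020) can0 7E8#037F273500000000
(100.040) can0 7E8#037F273500000000
(100.060) can0 7E8#037F273500000000
(100.500) can0 7C8#037F273500000000
(130.000) can0 7C8#0267020000000000
""".splitlines()

if __name__ == "__main__":
    for ts, can_id, count in detect_key_guessing(SAMPLE_LOG):
        print(f"{ts:.3f} {can_id}: {count} rejected keys within window")
```

With a one-byte effective keyspace, the full 256 attempts fit inside any realistic window, so the threshold should sit just above what a legitimate tool's retry behaviour produces.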

This discovery points out a dire flaw in the automotive industry’s approach to the security of its in-vehicle networks. The security access originally designed to prevent such premature deployment of a car’s airbags has been turned into a weapon against the consumer – one that could cause severe injury or death. As vehicles continue to rely more and more upon computer systems, appropriate levels of security must be developed in tandem. Without multiple robust layers of protection at every level, smart cars are little more than moving time bombs.

Trillium at the Autotech Council’s Silicon Valley Re-Invents the Wheel!

This past Monday, at the Autotech Council of North America’s “Silicon Valley Reinvents the Wheel” conference, Trillium had the honor of presenting its technology and business strategy to a gathering of industry and VC executives from around the world. Our novel and multilayered approach to automotive cyber security was well-received by council and audience members alike. In addition, Trillium had a great showing in the Council’s Science Fair, showcasing our SecureCAR technology in tandem with our BrainBox In-Vehicle-Network facsimile. We wish to extend our heartfelt thanks to the organizers of the event and the Autotech Council for making such an opportunity possible.

Trillium Inc Wins Prestigious Red Herring Top 100 Asia Award

MANILA, Oct 3, 2017 – Trillium Inc, a leading automotive cyber security solutions provider, has received the prestigious Red Herring Top 100 Asia 2017 award acknowledging the potential of its CSAAS (Cyber Security as a Service) business model and advanced SecureIoT cyber security suite.

The Top 100 Asia award, presented at Red Herring’s 2017 Asia summit in Manila, underscores Trillium’s position as a world leading provider of transportation safety and information security systems. “We are humbled by this honor and proud to be recognized for the many years of dedicated research and development by our global engineering team,” said Trillium’s CEO, David M. Uze.

“For decades, and still today, Red Herring has been the divining rod for identifying successful start-up companies in their early years. We are honored to be identified by Red Herring’s leadership as a potential future unicorn success story,” said Dr. Sachio Semmoto, Trillium’s Chairman.

“Trillium’s cutting-edge technology and novel business approach represent exactly the type of company for which the Red Herring 100 award was intended — ready to disrupt through innovative technology and compelling go-to-market strategy. We look forward to following Trillium’s progress over the coming years,” said Alex Vieux, Red Herring CEO.

Established in 1996, Red Herring’s Top 100 is recognized as one of the high-tech industry’s most respected awards. Top 100 Award winners are judged on the basis of 20 criteria, including disruptiveness in respective markets, social contributions, growth rates, technological advantages, and team composition and experience.

The Red Herring recognition follows on Trillium’s success as a technology sponsor in the Car Hacking Village at DEF CON, Las Vegas. SecureCAR, Trillium’s in-vehicle-network protection platform, successfully defended vehicular message streams from more than 700 systematic hacker attacks over three days. Not one hacker at DEF CON 25 could compromise Trillium’s robust, multi-layer software-based cyber-security solution.

About Trillium Inc.

Established in July 2014, Trillium Inc is a transportation safety and information security company specializing in life cycle protection for vehicles and fleets of vehicles. Its offerings include lightweight encryption, authentication, cryptographic key management, IDS/IPS and secure, over-the-air software update technology under the Trillium, SecureIoT, SecureCAR, SecureIXS, SecureOTA and SecureSKYE trademarks. Trillium will expand its target markets beyond transportation systems, to include cybersecurity for factory automation, medical, aerospace and robotics applications. For further detail, please visit www.trillium.co.jp.