Buy it and Fly it: The Aftermarket Autonomy Market

As technology continuously moves towards making human life better and more effortless, transportation is a field that receives a lot of attention. From improving the speed of airplanes to the congestion in traffic, it seems that transportation has the most potential to benefit from technological advances. Self-driving cars are no small part of this. The ability for one’s car to take them along their every-day commute without the driver’s full attention will be a great leap towards the society of tomorrow, increasing road safety and allowing for more productive hours throughout the day. So anticipated is this revolution that tools are already being developed that can offer the same sort of functionality to vehicles already on the road – the aftermarket autonomy industry.

Far away from Tesla’s custom autopilot system or any other state of the art self-driving platform under development by Google or another large corporation, the startup scene has given birth to many self-driving solutions of its own. Focusing on the average consumer’s reluctance to buy a new vehicle solely for the sake of self-driving functionality, the players in the aftermarket autonomy market have developed “kits” that aim to be installed in cars already on the road to offer them self-driving capabilities. As the number of players in this market increases, so does the number of supported makes and models of vehicles. This technology opens the convenience to a larger number of people than would be able to buy a brand-new autonomous vehicle, expanding the connected and autonomous car sector to include older makes and models to make the roads safer for everyone.

These solutions often incorporate an external sensor (like a camera) with a device that allows commands to be sent to the OBD-II port found in most vehicles, granting direct control of the vehicle’s inner mechanisms. While the technology used in these products is remarkable, it raises the concern of unsecured connectivity being introduced to a diagnostic port – a situation that could potentially end in disaster if exploited. The merit to be gained by using such products cannot be understated, however just as with all things related to a connected ecosystem, security needs to be taken into account.

Infrastructure Hacking: Cyber Crime on the Rise

Last month in Detroit, Michigan, a gas station on 7 Mile and Southfield roads was the target of a crime – a robbery, specifically. What makes this incident different from the more commonplace robberies that frequently target gas stations is that the theft was not of cash or goods from within the store, but of gas itself. All the more puzzling though, is how it was achieved.

ClickOnDetroit reports that the gas pump was hacked. Two thieves armed with what can only be called “a device” were able to gain unauthorized control of a gas pump and freely discharge gasoline from it for over 90 minutes. In that time they were able to discretely steal 600 gallons of gas, a value of over 1,800 dollars without anyone catching on. By having cars come and fill up directly instead of filling up barrels that might draw suspicion, the thieves were able to avoid detection, abusing the fact that the station in question was almost always busy by blending in with the natural traffic.

The threat identified by this incident is no laughing matter. The root cause stems from the over-specialization of computer systems that carry out simple transactions like gas purchases. The devices used for these applications are often only designed to carry out that specific function, making them cheap but unable to implement peripheral systems, such as cyber security. This lack of security could result in not only theft of gas, but the credit card information of previous customers at the pump.

It is to secure resource-constrained devices such as those found in so many Internet of Things edge-nodes that the SecureGO module of Trillium Secure platform was originally developed. With its ability to add robust cyber security features to even the most basic automotive-grade hardware, SecureGO has the potential to introduce cyber security to the entire IoT edge-node ecosystem, securing every link in the chain that defines the interconnected world of tomorrow. As incidents like this become more frequent, the world will constantly be reminded that any defense – cyber or otherwise – is only as strong as its weakest link.

 

Connected Car Data: More Than Just a Byproduct

Given the number of computers residing in modern vehicles, it is no wonder that they generate a large amount of data during their operation. That data is used by the vehicle to facilitate its operation in real-time, but when aggregated and analyzed over long periods of time, that same data can be utilized in a myriad of ways to enhance road safety and user experience. Indeed, analysis of the data generated by vehicles is a valuable undertaking, offering both real-time and long-term benefits to consumers.

With an increasing number of sensors being used to assist drivers during travel, vehicles have the ability to learn about their environments during operation. For self-driving and other drive-assist functions, data on the locations of obstacles is a given, however the same tools used for these services can also provide data such as road conditions, wind speeds, precipitation status and traffic conditions. Vehicles receiving this data, if communicating with a common cloud server, can share information about their mutual environment to shorten commutes and increase safety. Even simple knowledge of the vehicle’s weight during operation can allow for optimization of the car’s performance, saving fuel and time for the user.

Despite the seemingly endless use-cases for vehicular data analysis, there are still some hurdles that need to be overcome. The sensitivity of the data collected is one such example, with studies showing that while users are more likely to share “objective” data such as road conditions and the technical status of their vehicles, they are more reluctant to share more personalized data such as personal driving preferences or GPS data. The personal value of this data cannot be undermined, and legislation is quickly taking steps to enforce its sanctity. Recognizing this, Trillium is dedicated to providing GDPR (and other future legislation) compliant data management technology that preserves the privacy, confidentiality and anonymity of all consumer data it manages. Without such a solution in place, the monetization of consumer vehicle data will never become the $500 billion industry it is destined to be.

Excerpts from escar USA 2018: Making the Michigan Market

Known as one of the first regular, automotive cyber security-focused events, the escar conference series has made itself a key part of the automotive security ecosystem. Showcasing new products, strategies, and research from industry veterans and newcomers alike, escar brings cutting-edge developments together in every major automotive market. As in previous years, Trillium attended the conference alongside its industry partners and customers to help spur the innovation of the automotive cyber-security and data management field.

Escar USA 2018 is no exception, gathering automotive and security industry professionals in the Metro Detroit for the sixth year in a row. The myriad of thoughtful presentations held at the venue came from both industry and academic experts, detailing possible technological solutions to problems facing connected and autonomous vehicles, new innovative technologies, and in-depth analysis of hacks performed on vehicle subsystems by researchers.

A trend that saw a significant rise in popularity at escar is the use of cyber-security methods at relatively lower abstraction levels. This includes hardware and digital signal analysis-based intrusion detection and protection systems, such as the analysis and subsequent phishing attack on clock-based intrusion detection systems by researchers at the University of Michigan, Dearborn. The university was not the only one bringing attention to hardware, with industry players also giving lectures on low-level, highly integrated embedded design analysis.

The sheer number and variety of talented individuals present at this year’s escar USA is all the proof needed to vouch for Michigan’s importance in the development of automotive cyber-security. Serving as the crossroads for the traditional automotive industry in Motor City and the new-age artificial intelligence research done in the Ann Arbor area, the mitten in the Midwest is poised to distinguish itself on a global scale. This reality is the driving motivation behind the opening of Trillium’s new Midwest Development and Operations Center. With a base of operations from which critical partnerships will be nurtured and maintained, Trillium hopes to be a leader in the advancements to come from the Great Lakes State.

Penetration Testing: Beating Hackers to the Chase Through Offensive Security

As a basic rule of any defense system, knowledge of the opponent is imperative. In The Art of War, Sun Tzu states that “He who knows his enemy and knows himself need not fear the result of a hundred battles.” The wisdom behind these words undoubtedly applies to defense in the cyber realm as well. Hackers trained to exploit and break into a system think in entirely different ways from a system engineer, programming a cyber-security system. Given that someone with that set of skills is the most likely party to break through one’s cyber-defense, would a complete defense strategy be complete without the hacker’s perspective?

This reality is what spurs the penetration testing industry – an amplification of cyber defense based on offensive defense. By employing professional hackers to intrude upon one’s system, companies have the opportunity to discover weaknesses in their security in a controlled environment well in advance of product finalization. Defects discovered after deployment of a product can lead to expensive recalls if they can’t be remotely patched. In areas as heavily regulated as the automotive industry, heavy penalties can be incurred and the damage to the affected brand’s reputation may persist for years.

As new connectivity platforms get added to vehicles, the previously isolated internal networks become exposed to a sea of threats, many of which have never been explored in an automotive environment. The marriage between resource-constrained, streamlined ECU designed to only perform a limited number of tasks to the dynamic environment that is long-range wireless communications has brought about large numbers of unforeseeable data vulnerabilities. This has fueled a slew of programs dedicated to training personnel capable of testing these new connected car systems for exploits.

The demand for automotive penetration testing services is today high and is only expected to grow. With legislation threatening heavy fines for misuse of consumer data like the GDPR becoming more common, automotive OEM and fleet owners are more wary than ever. The long-term benefits to investing in pre-market penetration testing of automobiles and their accessories far outweigh the initial costs.

In order to ensure the integrity of any security solution, it must be as a high priority from the outset of any product design. By involving experts trained in the hacking and exploiting vulnerabilities early on in the phase of any project the risk of a costly exploit being found later on is heavily mitigated.

Trillium’s secure platform is built with a hacker first mind-set and the SecureGO, SecureIXS, SecureOTA and SecureSKYE modules are perpetually tested by an internal Red Team, the Car Hacking Community at conventions like Defcon and on-going partnerships with external actors. Continuous work with eco-system partners allow Trillium to ensure that its platform is the market leading solution for keeping connected and autonomous vehicles safe from hacker attacks.

Trillium and the Tanks: Cyber Security for Defense

This week in Detroit, Michigan, Trillium Secure, Inc. is attending the Vehicle Electrification Forum held by the US Army’s Tank Automotive Research Development and Engineering Center (TARDEC).
“TARDEC is identifying technologies and solutions for prompt deployment, as well as those to be used 30 years into the future. Vehicular cybersecurity is viewed as an enabler for most future technologies and military vehicles, from electrification, through autonomous vehicles, to robotics,” said Zoran Kehler, Trillium’s director of global strategy & aerospace and defense sales. “The goal is not to make vehicles unhackable—but rather to create cost-prohibitive barriers to hacking vehicles. Trillium, has been invited as a thought leader in our space, to provide our perspective on the threat spectrum and solutions that harden the vehicles.”

With its multiple flexible layers of security, Trillium’s solutions are primed to cyber secure the mission-critical military assets of the US armed forces and their allies. We look forward to further cooperation with our partners in the defense sector towards a military safe from cyber terrorism.

Hack for the Strap – Car Hack Results in Stolen Pistol

On May 31st, 2018, Michigan Macomb County Executive Mark Hackel was the victim of an unfortunate crime. At about 4:00 AM that morning, a thief broke into Hackel’s car, stealing his lawfully registered 40-caliber semi-automatic Glock from his car’s central console. If it wasn’t for his neighbor tipping him off, however, he may have never known to check his car – there were no signs of a break-in, after all.

Thanks to a recording of the incident on his security camera, Hackel was able to discern the nature of the crime. Using a device to mimic the signal from the car’s key fob, the perpetrator was able to easily unlock the vehicle and get inside. This type of hack is unfortunately rather common – with several incidents of luxury vehicles being broken into in this exact same fashion. The issue comes with the added features one gets access to with a higher-end vehicle, such as remote starting and climate control capabilities. Any interface that allows a vehicle to communicate with a device outside of its chassis has the potential to be exploited and abused, putting the vehicle and its owner at risk.

This incident serves as a stark reminder of the looming danger that is automotive cyber-crime. While the vast majority of the public isn’t aware of the threat, it is slowly making itself a reality by preying on those unaware vehicle owners vulnerable to such exploitation. With even a county executive falling victim to such a crime, the public can no longer ignore the fact that this threat is already at their doorsteps. The fight against car hackers is not a new one, however. With improved community awareness and cutting-edge innovations in the automotive cybersecurity field from Trillium, the fight against automotive cyber-terrorism is far from an unwinnable one.

Over the Air and Under Your Screen: The Magic of OTA Updates

A key, almost trademark feature of modern electronics is their ability to be updated wirelessly with help of the internet. Updates to games, device security policies, and even firmware are all bundled under the umbrella of over-the-air (OTA) updates. The advent of administering updates to technology over the internet revolutionized the way customer service for connected devices is carried out, eliminating the need to send a device back to the manufacturer to repair or upgrade it. Critical security updates can now be applied instantly, reducing the number of victims that would suffer in the time it took to have their device physically updated. This is a key functionality in mitigating the damage that could be caused by a data breach or other cyber-attack. The technology used to carry out such updates is also remarkable, especially when it comes to updating the firmware controlling the device’s hardware.

Due to the firmware being the base upon which all other software on a device runs, updating it poses certain challenges, such as how to optimize memory usage while also mitigating the possibility of an update malfunction. Two prevalent techniques for updating device firmware are binary replacement and delta updating.

Binary replacement is the simpler of the two, requiring the entire firmware binary file to be downloaded before the update can begin. Once the update is downloaded, some situation-specific trade-offs must be made before updating. If the manufacturer wishes to include a rollback feature (ability for an old firmware to be re-installed in the event of a failed/compromised update) then they must allocate space equal to three times that of the device’s firmware. The advantage to including a rollback is that it becomes very difficult for a device to be disabled due to a failed firmware update, and not including a rollback can cause damage beyond the scope of another OTA update.

A delta update is a more selective, resource-saving strategy to applying firmware updates. This technique uses knowledge of the firmware version already on the target device, and only transmits the differences between the new and old versions, reducing the amount of data needed for the update. Once the device has downloaded the patch and enters update mode, however, there still remains the risk of errors resulting in a bricked device if proper mitigation steps are not taken.

As the computers in connected cars begin to drive the innovation and progress of the automotive industry, secure OTA update capability will be a necessity in automotive applications of the future. Administering firmware and security patches to vehicles not only protects user data and privacy, but their very lives as well. Despite being born to the mobile device industry, OTA technology will see its true potential in the automotive ecosystem.

Ride-Sharing: Paving the Way for the Future of Transportation

Since their introduction into the transportation landscape, ride sharing companies such as Uber, Lyft, Gett, and MOIA have changed the way travel is viewed for an entire generation of riders. Filling a gap in the industry left by traditional public transportation and private vehicle ownership, ride sharing services are set to be a focal part of the transportation landscape of tomorrow. Their impact is already being seen today, with new buildings in cities like Chicago already accounting for people arriving through ride-share by reducing the number of parking spots made.

A large part of what makes fleets of ride share cars so powerful is their ability to gather large amounts of data over a long period of time. The data gathered includes that of routes traveled, time in transit, popular destinations/starting points, vehicle condition, and more. This is possible thanks to advancements in vehicle connectivity, allowing tire pressure monitors, GPS modules, and Electronic Control Units to send their data to a backend server through cellular networks and Wi-Fi.

Of particular use to fleet owners seeking to manage their vehicles is the diagnostic data that can be collected from the different components in the vehicles. Dashboard alerts that can sometimes be missed by drivers can be foregone in favor of direct notifications to the fleet management server, alerting the owner of the vehicle more effectively. This data can also be analyzed over long periods of time, and through the use of analytical algorithms pre-emptive maintenance can be applied, saving time and money by detecting potentially costly faults ahead of time.

With the ability to gather data from millions of vehicles at once, the mobility of the future will continue to be refined, leading to new innovative smart mobility solutions. With the efficiency provided by car-pooling-based ride sharing services, the transportation of tomorrow is set to improve the environment, human work rate, and overall community productivity.

GDPR and Your Connected Car

On May 25th 2018, the General Data Protection Regulation (GDPR) passed by the EU in 2016 will begin to take effect. This set of regulation standards for the handling of European citizens’ data is an unprecedented document in the history of data protection policy, bringing to these issues a level of clarity rarely seen in legislation.

The regulation dictates many policies for anyone that offers products or services to consumers in the EU, regardless of the location of the provider. All policies veer in favor of the consumer’s rights to their data. This includes prohibiting use of data without the owner’s consent, allowing the consumer to see what data is being used and how, and allowing consumers to request that their data be deleted from any service without question. Of equal importance is the GDPR’s strict policies regarding data breaches, stating that knowledge of a user’s data being compromised must be reported to them without “undue delay,” and that any breach must be reported to Data Protection Authorities within 72 hours. The penalty for non-compliance in the event of a breach is heavy, equaling 4% of a firm’s annual revenue or € ($23 million), whichever is greater.

This legislation will have a profound impact on the automotive industry in the coming decades. The vehicles of tomorrow process an enormous amount of user data every day for the purpose of connected car-enabled safety systems and user experience enhancements. The contents of this data ranges from phonebook data and call history to minute-by-minute location data provided through GPS. With real-time V2X technologies coming to fruition through Dedicated Short-Range Communication and 5G technology, even more venues in the vehicle will have access to sensitive user data.

The changes brought by the GDPR will motivate members of the automotive industry to pursue strategies that prioritize the security and accessibility of user data. This calls for all data collected from a vehicle to be securely aggregated and analyzed with around-the-clock safeguards in place to react to any data breaches. Vehicular cyber security must be implemented at every level from In-Vehicle Networks to back-end cloud servers, safeguarding the closed-loop data architecture that is key to the success of connected vehicle deployment. SecureIoT, Trillium’s multilayered automotive cyber security suite is made with this need in mind, having been built from the ground up for ensuring user and data protection in vehicular applications.