automotive


How-To: NIS2 EU Directive

The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016. NIS vs. NIS2: While the first NIS (Network and Information Security) Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU. NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, taking into account the security of supply chains, streamlining reporting obligations, introducing monitoring measures, introducing more stringent enforcement requirements, adding the concept of “management bodies” accountability within companies, and harmonizing and tightening sanctions in all Member States. To achieve the above-mentioned goals, NIS2 requires member states to take a number of measures that force them to work together: Establish or improve information sharing between member states and a common incident…


Implementing secure over-the-air (OTA) updates in embedded devices

This is a follow-up article related to Secure Booting and Secure Flashing. It is the 5th article related to Strengthening the Security of Embedded Devices.

Implementing secure over-the-air (OTA) updates in embedded devices requires careful consideration of various security aspects. Here are some key steps to implement secure OTA updates:

1. Secure Communication Channel
– Use secure protocols such as HTTPS or MQTT over TLS/SSL to establish an encrypted communication channel between the device and the update server.
– Authenticate the server using certificates to ensure the device is communicating with a trusted source.
– Employ strong encryption algorithms to protect the confidentiality and integrity of the update data during transmission.

2. Code and Firmware Integrity
– Digitally sign the firmware updates using a private key and verify the signature using a corresponding public key on the device.
– Implement mechanisms such as checksums or hash functions to verify the integrity of the received update files.
– Use secure boot techniques to ensure that only trusted and authenticated firmware updates are installed on the device.

3. Access Control and Authorization
– Authenticate and authorize the device before allowing it to download and install updates.
– Implement access control mechanisms…


The Importance of Secure Flashing for Embedded Devices and Secure Implementation Practices

This is the third article in the series about embedded device security, started with Strengthening the Security of Embedded Devices. The second article was Secure Booting for Embedded Devices: Safeguarding Systems from Intrusions. In this article, we will explore the importance of secure flashing for embedded devices and discuss best practices for implementing secure firmware updates. Secure flashing refers to the process of updating or replacing firmware on an embedded device in a secure and reliable manner. Firmware is the software code that runs directly on the hardware of the embedded device, controlling its functionality and behavior. Secure flashing ensures that firmware updates are performed in a way that minimizes the risk of unauthorized access, tampering, or corruption. Secure flashing involves implementing a set of security measures and practices to ensure the integrity, authenticity, and confidentiality of the firmware during the update process. These devices often rely on firmware updates to enhance functionality, address vulnerabilities, and ensure optimal performance. However, the process of flashing firmware onto embedded devices can introduce security risks if not handled properly. Significance of Secure Flashing – Vulnerability Mitigation: Firmware updates often address security vulnerabilities discovered in embedded devices. Secure flashing ensures that these updates are…


Strengthening the Security of Embedded Devices

Embedded devices are specialized computing systems designed to perform specific tasks or functions within a larger system. Unlike general-purpose computers, embedded devices are typically integrated into other devices or systems and are dedicated to carrying out a specific set of functions. They are often characterized by their compact size, low power consumption, and optimized performance for their intended application. Embedded devices can be found in various domains and industries, including consumer electronics, automotive, healthcare, industrial automation, telecommunications, and IoT (Internet of Things). Examples of embedded devices include:

– Smartphones and tablets: These devices integrate multiple functionalities such as communication, multimedia, and internet access into a portable form factor.
– Home appliances: Devices like refrigerators, washing machines, and thermostats may contain embedded systems that control their operations and offer smart features.
– Industrial control systems: Embedded devices are widely used in manufacturing plants and industrial environments to monitor and control processes, machinery, and equipment.
– Automotive systems: Embedded devices are essential components in modern vehicles, managing functions such as engine control, entertainment systems, safety features, and navigation.
– Medical devices: Embedded systems are utilized in various medical equipment, such as patient monitoring devices, implantable devices, and diagnostic tools.
– IoT devices: These are interconnected devices that gather,…



The Automotive industry’s inadequate approach towards software (in the cars)

Introduction: The automotive industry has witnessed a paradigm shift with the increasing integration of software in vehicles. Modern cars are no longer just mechanical devices with a motor, wheels and steering; they are now sophisticated machines having dozens of CPUs (called ECUs), entire computers, a high-speed network to connect them (called CAN bus) and relying on complex, highly distributed software systems. In my opinion, the industry's failure to adapt to this new reality and fully embrace the concept of cars as hardware running software has significant consequences. This may sound contradictory at first: on one side they have these complex systems, on the other side they fail to adapt to this reality. In this article, I will explore how the automotive industry is not dealing correctly with this transformation and its potential implications. Limited Focus on Software Development and Updates: Traditionally, the automotive industry has primarily focused on hardware design and manufacturing, treating software as a necessary means to make the hardware work. This approach results in a lack of emphasis on software development practices and update capabilities. While cars are becoming more connected and dependent on software for various functionalities, manufacturers often overlook the importance of continuous software improvements…


ChatGPT and automotive cybersecurity #2/2: TISAX certification

This is the 2nd post about Automotive Cybersecurity. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my company's consulting offer for automotive, I thought maybe I check what ChatGPT thinks about them. First post was about CSMS and ISO 21434 and this one is about TISAX.

Query: Tell me about challenges in TISAX certification

ChatGPT: “TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector. There are several challenges associated with TISAX certification:

– Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification.
– Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses.
– Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements.
– Cost: The cost of TISAX certification can be…


ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive. Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my company's consulting offer for automotive, I thought maybe I check what ChatGPT thinks about them. Unfortunately, nothing dramatically new, a form of what a Google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human, would probably answer. (No, this post is not written by ChatGPT 🙂)

Here it is:

Query: Tell me about CSMS from ISO 21434

ChatGPT: CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector. CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats. It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity. The framework covers a range of cybersecurity-related activities, including:…



A brief history of software vulnerabilities in vehicles (Update 2023)

Updated in 2023:

2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More

Kia, Honda, Infiniti, Nissan, Acura
– Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number
– Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address)
– Ability to lock users out of remotely managing their vehicle, change ownership
– For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car

Mercedes-Benz
– Access to hundreds of mission-critical internal applications via improperly configured SSO, including…
  – Multiple Github instances behind SSO
  – Company-wide internal chat tool, ability to join nearly any channel
  – SonarQube, Jenkins, misc. build servers
  – Internal cloud deployment services for managing AWS instances
  – Internal Vehicle related APIs
– Remote Code Execution on multiple systems
– Memory leaks leading to employee/customer PII disclosure, account access

Hyundai, Genesis
– Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address
– Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address)
– Ability to lock users out of…


Cybersecurity Engineering in the Automotive industry

A lot is happening in the Automotive industry these days. It has to do with connectivity, autonomous driving, autonomous parking, and so on. All these have one thing in common: they are producing extremely large amounts of data which need to be processed in the backend by very powerful computers. When we talk connectivity, we MUST talk about cybersecurity.

This is why the Automotive industry has started to take this very seriously:

– We have the ISO/SAE AWI 21434: Road Vehicles — Cybersecurity engineering, which is in the preparation stage
– We have the European Automobile Manufacturers’ Association (ACEA), who have released the “Principles of Automobile Cybersecurity”

ACEA currently represents the 15 Europe-based car, van, truck and bus manufacturers (Source): BMW Group, DAF Trucks, Daimler, Fiat Chrysler Automobiles, Ford of Europe, Hyundai Motor Europe, Iveco, Jaguar Land Rover, Opel Group, PSA Group, Renault Group, Toyota Motor Europe, Volkswagen Group, Volvo Cars, and Volvo Group.

ACEA and its members have identified a set of six key principles to enhance the protection of connected and automated vehicles against cyber threats.

1. Cultivating a cybersecurity culture
2. Adopting a cybersecurity life cycle for vehicle development
3. Assessing security functions through testing phases: self-auditing & testing
4. Managing a…

