Making Vehicles “Secure by Design”
Automotive security threats have gone from theory to reality. Tech-savvy thieves have stolen cars throughout Europe and North America. Mainstream videos show hackers remotely hijacking cars and potentially endangering occupants. Comprehensive protection requires hardening critical modules and authentication in addition to deploying “Over The Air” (OTA) updates and security monitoring mechanisms. We’re here to make that easier than it sounds.
Blueprint for Security “Built-In”
Protecting cars against threats has to be done in a context that works both within the car and at scale for carmakers. The responsibility doesn’t stop at the assembly line; it extends all the way from car makers to the full breadth, depth, and complexity of auto supplier relationships. Security is a concern at each tier of the supply chain, and attackers seek the weakest links.
- Authenticate all communications
- Protect sensors, actuators, and microcontrollers (ECU & BCM)
- Safely & effectively manage entire vehicle “OTA”
- Design monitoring that can mitigate the most advanced threats
Proven Technology, Adapted for Vehicles
Symantec is bringing the world’s most comprehensive portfolio of security technologies to the car. The infrastructure and technology that already helps protect billions of devices and trillions of dollars now protects automotive chips. We’re building long term comprehensive security all while delivering ground breaking protection for cars today.
Protecting Critical Modules (ECU, BCM, IVI)
Host based runtime protection for top RTOS
Critical modules, including Engine Control Units (ECU), Body Control Modules (BCM), In Vehicle Infotainment (IVI), and gateway chips protecting the CAN bus from modems and Single Board Computers (SBC) such as the IVI all require additional protection. As demonstrated recently, even modems occasionally run Real Time Operating Systems (RTOS), vulnerable enough to become infected, then control entire SBC.
Symantec Embedded Security: Critical System Protection is built on proven technology already protecting countless daily financial transactions in core back-end systems of the world’s largest providers of financial services, and is “embedded” in countless ATMs. We’ve adapted this proven, fundamental protection for automotive systems, including QNX and other RTOS systems.
Secure Boot Code Signing for All Chips
Never run unsigned code
Ensure the code running on every car’s chip is authorized to run and protected by a strong Root of Trust. Code Signing Certificates can be used with most chipsets, including Secure Boot on some chipsets. Many chipsets have proprietary code signing tool chains that require cryptographic algorithms supported by Symantec Code Signing Certificates. Symantec Code Signing Certificates can also be used for application level code signing and verification through popular open-source cryptographic libraries such as OpenSSL and Micro-ECC.
- ECC is 10x better than RSA in extremely resource constrained chips
- Hardware acceleration enables sub-second secure boot
- Can sign both boot/firmware images and application layer code
IoT Device Certificates for Authentication
Simplify key management for authentication & encryption
Leverage authentication to prevent unauthorized remote access, while also safely and effectively restricting access. Never trust unauthenticated connections or unauthenticated data. Leverage proven techniques to manage billions of keys. Leverage Security Hardware Extensions (SHE) via proven key exchange techniques, adding fine grain cryptographic authorization to CAN without sacrificing speed or standards.
Embedded Automotive Security Analytics
Vehicles today network dozens of modules. Effective monitoring of these in-vehicle networks can detect tampering and advanced threats. Symantec Anomaly Detection for Automotive learns the normal behavior patterns of modules in the vehicle and identifies unexpected behavior which may be malicious. This software can monitor virtually any CAN bus, and deploys easily onto most single-board computers, including SBC used for IVI and head units of most cars. Additionally, this software can also be fitted onto many 32-bit MCU used for OBD-II dongles, including UBI dongles, and can be deployed as part of "after market" protection solutions. We will additionally adapt this technology to other automotive network bus protocols.
Manage Code Signing for Entire Supply Chains
Control all code in cars you make
Secure Application Service helps manage signing permissions for entire ecosystems of software authors/developers and publishers/approvers, including both internal and external partner/supplier teams. Ensure that all code running on your cars is authorized to run. Ensure that all code updated “Over The Air” (OTA) is properly signed. Ensure that you have the ability to revoke signing capabilities even as employees and partners come and go. Symantec Secure Application Service currently supports signing of code in Java and standard Executable and Linkable File (ELF) formats common on real-time operating systems (RTOS). We will continue expanding this list per customer request.
Security for Manufacturing Equipment
As Industry 4.0 and the Industrial Internet drive manufacturing to increasingly connected factories, threats targeting these systems are on the rise. Symantec helps you protect your Industrial Control Systems (ICS) with solutions that include Programmable Logic Controllers (PLC), automation equipment, and factory robotics.