Law enforcement officers, emergency responders and commercial fleet operators cannot afford to operate vehicles without the assurance of security. A police officer, emergency medical technician or truck driver cannot live with any uncertainty regarding the integrity of their vehicle’s safety systems and powertrain.
That overwhelming and immediate need for security has given rise to an aftermarket for devices intended to secure the OBDII diagnostic port in most cars (made after 1996) and many commercial vehicles. The OBDII port is the same port used by Progressive’s Snapshot usage-based insurance device and Automatic’s diagnostic dongle.
The most prominent examples of these aftermarket security devices – themselves plug-in OBDII devices – come from RunSafe Security and Argus Security. A third company, Autocyb, offers a physical lock and key for the OBDII port.
The urgency of this need was made apparent from multiple conversations at the recent International Communications Data & Digital Forensics seminars put on recently by the Metropolitan Police at a venue outside London. For attendees at this event the connected car presents new opportunities while creating new vulnerabilities.
Criminals continue to gain access to and steal cars, a process made easier by the presence of the OBDII port. The new kid on the block is the cybercriminal using virtual or remote access to the car for nefarious purposes.
Once inside a car, access to the OBDII port greatly eases the criminal’s task of disabling or taking the car. But the emergence of automotive cyber attacks has created the need for a means to secure cars from wireless attacks on multiple vehicle networks for the purposes of remote control mischief, ransom or terrorist activities.
Police in the U.S. state of Virginia have been testing the RunSafe device, created by an offshoot of Kaprica Security. According to the company, which opened its doors just last year, RunSafe’s “App and OS Guardian are a preventative security overlay for native code that mitigates widespread return oriented programming (ROP) attacks.
“(The RunSafe applications) increase security by leveraging randomization (binary stirring) or novel control flow integrity (CFI) concepts. The overlay is an example of a defensive technology called run-time application self-protection (RASP). They can “shrink” app or OS attack surfaces by up to 90%.”
Argus says its technology identifies malicious attacks using its patent-pending deep packet inspection algorithms – scanning all traffic in a vehicle’s network, identifying abnormal transmissions and enabling real-time response to threats. Argus’ aftermarket solution is designed to provide a comprehensive overview of cyber attacks and irregularities, allowing car makers to identify unauthorized attempts to tune or change an ECU’s behavior.
Unlike the RunSafe plug-in device which must be removed to allow for service diagnostic tools to be connected, Argus has shown a secure OBDII plug-in that provides a port to allow OBDII connection THROUGH its device.
Both Argus and RunSafe offer embedded and cloud-based security solutions for cars. Argus is also offering its technology as an add-on for aftermarket devices from insurance companies and others.
It’s notable, in the wake of the FBI and U.S. Department of Transportation warnings regarding connecting devices to cars and the correlated risk to security, that the OBDII port is seen by both companies as a means toward enhancing vehicle security. The one weakness of OBDII-based security is the use of such technology on newer cars. As cars adopt over-the-air software update technology, aftermarket devices may come to interpret software updates as malicious code. This will pose a challenge to aftermarket solutions.
The most important aspect of the emergence of these devices is the “productization” of security. While security as a service is the more accepted and familiar model as in desktop and portable computers today – ie. Norton and McAfee Antivirus products – cars present unique security challenges creating the demand for unique solutions.
The arrival of these products demonstrates the immediacy of the need for automotive security. Fleet operators of all kinds won’t wait for car makers.
Roger C. Lanctot is Associate Director in the Global Automotive Practice at Strategy Analytics. More details about Strategy Analytics can be found here: https://www.strategyanalytics.com/access-services/automotive#.VuGdXfkrKUk