Industry Opinion


Security alert

When it comes to testing the components of modern connected cars, of course pen-testing (penetration testing) has its place; however, it is no substitute for solid product development.

In testing, companies often operate under the notion that an identified problem can be fixed or patched. This may be true for some areas of testing, but for security, it is not sufficient. Security needs to be built in, from the ground up. And that means starting at the hardware layer, which is seldom done today, but which is completely viable given the advancements in silicon and other connected vehicle technologies.

In fact, the prpl Foundation has produced a guide on how to secure critical areas of embedded computing. It advocates using open, interoperable protocols and APIs; exercising security by separation, implemented through hardware virtualization; and anchoring a root of trust in silicon.

Looking back at all of the recent public cases of researchers hacking connected cars, they all involved the exploitation of proprietary code. The idea that closed, proprietary systems can work within the Internet of Things and connected devices is a myth. In contrast, an open security framework has been constantly tested and has had many eyes cast over it to ensure its strength.

The second thing they all have in common is that once hackers were able to reverse engineer vendor-specific code to gain access to one area of the system, they proceeded to move around laterally to other networked components. The idea that an actor can gain access to a non-critical component in a vehicle, such as the entertainment system, and then work their way into a critical area, such as the steering, is scary to think about. But without using the time-tested method of security by separation, it is a reality. This separation can be achieved by using hardware virtualization so that, although the components might not be more secure individually, one bad apple doesn't compromise the whole system.

Finally, all of these security controls need to be tied to a root of trust in silicon; this can be a by-product of the hypervisor used in creating hardware virtualization, or it can be established by some other method. One neat area being explored by prpl at the moment is physical unclonable function (PUF) technology that can extract a unique identifier from the silicon itself, much like a fingerprint, to provide authentication and establish a root of trust.

In summary, pen-testing is important, but it is no replacement for sound product development. Security can only be forged from the ground up in the silicon of connected components themselves. It cannot be added as an afterthought, as we have seen time and time again. Testing alone does not make a product secure. From a risk management perspective, testing lowers the risk but doesn't completely remove it. After all, upon successful testing one can say, "I couldn't find anything wrong," which is not the same as saying, "There is nothing wrong."

Cesare Garlati, formerly VP of mobile security at Trend Micro, currently serves as chief security strategist at prpl Foundation and co-chair of the mobile working group at Cloud Security Alliance.

Prior to Trend Micro, Garlati held director positions within leading mobility companies such as iPass, Smith Micro Software and WaveMarket. Before this, he was senior manager of product development at Oracle, where he led the development of Oracle’s first cloud application and many other modules of the Oracle E-Business Suite.

October 18, 2016

 
