Security for Connected & Self-Driving Cars

We are looking through the lens of cybersecurity and visualizing an “optically secure” high-speed wireless network of connected autonomous vehicles. In our vision, the automotive, computer and telecommunications industries are in a dynamic state of convergence in terms of system architecture. Although at a very advanced state of convergence, these industries are yet to integrate at a much deeper tech-level in cybersecurity and communications with greater edge computing power.

Edge computing for cars is powerful but not enough. Secure communications require more edge-computation power. Connected and AI self-driving cars require much higher mission-critical levels of communications’ cybersecurity. Connected and self-driving vehicles are vulnerable and we have to address these flaws as soon as possible.

Photo Credit: Car & Driver Magazine

The “Internet-of-things” along with the advent of car electronic control units or microprocessors for “wireless connected cars” may perhaps be compared to a similar “convergence point” in the computer industry during the 1970 to 1979 period. I can see an applicable system topology metaphor: personal computers versus the Mainframe terminals? The answer was of course that users demand more computation power in their hands. I think we can extrapolate the same paradigm and realise that there is a need for more computation power in the car, at the edge. We need more local power.

McKinsey & Company “How the Convergence of Automotive and Tech will create a new Ecosystem” (1)

In terms of Cybersecurity, it’s necessary to speed up development of the connected car’s Cybersecurity architecture. At the moment, most cars rely on typical centralized Server network topologies, exposing unencrypted internet traffic to and from cars.

Source: Gyrfalcon Technology Inc.

We are faced with Cybersecurity problems in connected cars, despite the obvious powerful computer smarts of modern connected AI self-driving cars and even considering the remarkable computation power derived from over 100 individually networked micro-controllers or mini-computers on-a-chip, all part of the car’s brains. We may also find in “connected AI self-driving” automobiles, an estimated 100 million lines of car computer code are running at once.

Alas! despite of all these marvelous microcontrollers, not much power “at the AI car edge” is dedicated to wireless communications. Cybersecurity cannot be achieved at the edge by software alone, since the entire “Controller Area Network” of each car is unprotected. There is no encryption of data flowing in the CAN network of cars, which is the internal hardware network that connects all components in modern cars.

Source: Gyrfalcon Technolgy Inc.

The UK 2018 Automated and Electrical Vehicle Bill may one day require owners to install a specialized connected car Cybersecurity device, or else incur serious Insurance risk in cases of accidents for cars that operate with any level of self-driving AI software. An insurance liabiilty risk exists in the UK when, after an accident it is determined there were no secure firmware updates for the car’s operating AI software. It is hard to believe, but currently most if not all connected cars… cannot comply with this UK Law and physically due to the nature of their on-board electronics, cannot update AI firmware using secure and authenticated wireless transmissions.

United Kingdom 2018 Automated and Electric Vehicles Act 2018
https://www.legislation.gov.uk/ukpga/2018/18/section/4/enacted

Therefore, despite the technological marvels offered by connected cars today (like driving a collection of small computers on wheels) we are still not safe in terms of Cybersecurity since each one element of this automotive “Controller Area Network” does not have encryption and no way to update AI firmware wirelessly under secure authentication. There are no software “patches” possible to a hardware problem.

The automotive industry has NO shared security standards for different automotive vendors of electronic parts. Since each new part has no built-in credible Cybersecurity… once connected to the Internet, cars could become a hacking target. (2)

Hacking attacks on a “Connected Car” pose a significant risk due to the fact the car’s “Controller Area Network” manages in-car messages from different mission critical car systems, which many times may be life-critical to the driver and to the safety of other cars in proximity to the vehicle. The most vulnerable “attack vectors” are of course the user credentials & smartphone devices, which are also prone to hacking security keys and it’s best not to mention other attack vectors that pose significant “fleet” risk.

Copyright(c) Helios Energia Ltd 2022

As the car industry moves faster to develop better self-driving artificial intelligence vehicles, it becomes ever more critical to invent new solutions that offer robust network security from hacking intruders. This problem presents a significant risk for users and also for car manufacturers, as well as for the Insurance industry, since the costs of insurance coverage reflect implicit security risks in today’s digital economy.

In the future, we venture to forecast that it will not be possible to legally operate self-driving cars on UK motorways without a hardened on-board computational and secure wireless communications system for certification of the roadworthiness and reliability of such autonomous vehicles. Encrypted, secure and authenticated wireless frequent updates of critical self-driving firmware software, requires the installation of a retrofit tamper proof, new genertion “firewall” security communications device: AEBIS.

Our need for incorporating an entire new level of effective Cybersecurity to vehicle manufacturing is becoming increasingly demanding; in order to resolve the issues of safety and system integrity for more than 10 million connected cars on UK motorways alone. We respectfully and humbly posit, Connected Car Cybersecurity is a strategic imperative for the future of AI autonomous and connected vehicles to the Internet.

Floren Cabrera F. de Teresa, CEO

https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/how-the-convergence-of-automotive-and-tech-will-create-a-new-ecosystem

https://www.pcmag.com/news/the-forgotten-world-of-dumb-terminals

https://arstechnica.com/information-technology/2022/06/hackers-out-to-steal-a-tesla-can-create-their-very-own-personal-key/

I

Quantum Light Introduction

by Lawrence Klaes, Science Editor

Convergence of digital and physical worlds requires an entirely new cyber security arquitecture.

We are at the threshold of a real revolution in computer technology, one that will literally change how our society currently functions and interacts with the machines and systems we operate now in ways we can only imagine.

This technology is quantum computing and its key aspects, namely security. This computing system is so named for it operates on the very foundations and principles of quantum physics. Utilizing the seemingly magical properties of the quantum state in our macroscopic world, quantum computing offers the ability to store data in quantities that may seem as unbelievable to us as a modern laptop holding terabytes of information would to someone at the start of the Computer Age in the mid-Twentieth Century.

Protecting the New Gold Standard: Information

In the often prescient 1992 film Sneakers, the character of Cosmo explains what has become the true ultimate commodity of the modern technological era:

“The world isn’t run by weapons anymore, or energy or money. It’s run by ones and zeroes, little bits of data. It’s all just electrons.

“There’s a war out there, old friend, a world war. And it’s not about who’s got the most bullets. It’s about who controls the information …what we see and hear, how we work, what we think. It’s all about the information.”

Our civilization runs on information of all sorts every second of every day. Most of this information is now stored, analyzed, filtered, and run through our elaborate systems of computers and the networks that deliver and collect them.

While much of the information our society needs to function is widely available, there is also a plethora of data that requires being protected for reasons ranging from personal privacy to national security. While current computers have a wide range of methods to secure the information placed on them, it is not always enough. Someone always seems ready and able to find a way to break through even the most sophisticated security cyphers and codes.

Quantum computers can change all this. Using the rules of quantum physics, more information could be stored on such a system than would ever be possible on a machine in the macrorealm. These same physics can also provide encryption protection that would make it virtually impossible to decode or otherwise break both stored data and its transmission from one computer system to another.

This medium is new and pioneering. There are many obstacles to overcome. Nevertheless, quantum computing and cryptography are real and offer possibilities that could transform our world and our species in ways we now only think of as science fiction. Quantum Light is leading the way in this incredible tomorrow. Learn how here

Optical Security by the Laws of Physics

by Floren Cabrera F. de Teresa

Our world-wide-web cannot be effectively secured from hacking and much less can we currently secure “embedded devices” in the so-called “Internet-of-things.”

The security architecture of the Internet’s TCP/IP packet and DNS routing networks has largely been exceeded in terms of current capabilities to secure the Internet-of-Things. This is due to the fact a number of structural vulnerabilities exist – some still “zero-day” and others were inadvertently incorporated into the architecture for example of x86 chipsets. Many computer processors can be accessed via MINIX-3 types of utilities in order to easily obtain plain-text user-credentials dumps, directly from most types of x86 chipsets and exposing many mission critical devices to hacking threats.

The most worrisome “threat-model” is that of compromising user-credentials on-line and this has been manifest by an increasing number of “connected car” robberies and car hijackings using user compromised-credentials from typical hacks of mobile or laptop devices. In addition, the automotive industry is ill prepared to respond to this threat, as the “controller area network” (CAN) of cars is wide-open by necessity since there are no standards among many participants in the OEM electronics industry.

Vulnerabilities of the Internet and the “Internet-of-Things.”

  • IoT insecurity, low computational power & rigid Tx/Rx protocols
  • Network traffic transmission of encryption keys and sensitive plaintext credentials
  • IoT data and firmware updates (are not encrypted) and unverified before upload
  • Identity of servers is exposed by TCP/IP connection protocols for authentication
  • Firmware contains security information exposed in unencrypted traffic
  • Poorly implemented TLS 1.3 Standard as per the UK National Cyber Security Centre
  • Physical on-premise local services serious Ethernet and USB port vulnerabilities
  • Misconfigured SSL/TLS by users in addition to legacy hardware and software
  • Credentials at risk of being exposed by downloadable MCU/CPU firmware
  • Internet Cloud susceptible to SQL injection, cross-site scripting, request forgery and TLS implicit trust.

UK Automated and Electric Vehicle Bill and Cyber Security

The UK’s 2018 “Automated and Electric Vehicle” Bill poses serious liabilities for Insurance companies in case that an accident should occur without the requisite “critical software uploads and updates” as defined in the new Law. Most current “connected cars” simply use an SMS 3G/4G GSM connection via a mobile network carrier, without any thought for the required “authenticated software and firmware uploads, factory reset” and other features that now since April, are in effect mandated by Law. Therefore, we have a unique opportunity before us if we were able to rapidly deploy our AEBIS hardware/software retrofit solution.

This UK legislation addresses certain key principles of connected car security, most of which cannot be currently met by existing “connected car” entertainment and wireless systems! In other words, there could be up to 9 million vehicles on UK roads that are NOT compliant with UK law. This creates a significant risk exposure for insurance companies, as well as for drivers, who must provide proof effective of secure and authenticated firmware uploads, sanitation of user credentials or factory reboot and other features of security functionalities that current IoT (internet-of-things) automotive devices are simply not prepared to process nor are able to deliver with simple software updates.

Any viable solution that is fully compliant with the new 2018 Automated and Electric Vehicle UK Bill, will require a hardware retrofit module in order to increase the processing power and capabilities of the system to comply with UK new Laws. The insurance industry is particularly exposed to serious liabilities resulting from the current lack of compliance of connected cars.

1. – Retrofit telematics car market in the United Kingdom: there are over 32 million cars in the U.K. with an active secondary used car market valued at over £43 billion and representing over 400,000 trades per year.

2. – Connected car market in the UK, with over 8.5 million connected vehicles that are on the road today. We have traction with one of the top-ranked Venture Capital investors in AI autonomous car in the UK and if we were to deploy our solution with IBM Watson, we could close an important investment.

3. – The fleet market for long-haul lorry drivers and commercial vehicles that are constantly on the road. We are in confidential discussions with the largest fleet operators both in Europe and in America, with lots of traction and a possible sales order for our products. Three are literally millions of unprotected IoT devices, some of which are in mission critical networks. This is an urgent security need, which represents and technical challenge and an opportunity for Quantum Light to capture and together with the right large strategic partner – Helios Energia our parent company is honoured to be an IBM Business Partner. This “Big Play” business case. IoT cybersecurity problems are present for all Internet connected networks, including the IBM Cloud, since most IoT firmware and user data is not encrypted, firmware updates are most commonly not available for most “smart-devices” and those with software updates are not-encrypted and credentials are exposed.

Quantum Light Ltd has developed LightKey(R) in order to help our Clients mitigate the high level of cybersecurity risks and digital-threat environment that we all face today.