I’m at the annual BlackBerry Security Summit this week. The session I was most interested in was on Security and Autonomous cars. This is because these cars will likely be the very first wave of truly autonomous robots we will have around us and, as a big Terminator fan, I’m a tad worried about any proliferation of autonomous robots that could potentially decide I’m a speedbump. This could too easily happen if these coming robotic platforms aren’t secured. Whether it is a hostile government, a terrorist group, or just a bunch of kids with more skills than sense, the chance these things will become hostile is very high unless they are properly secured. BlackBerry is focused on fixing that problem, which, for me, means they certainly have my attention in addition to my support for this critical effort.
Defining The Problem
It starts with the supply chain, because any one component could be unsecure, and there are millions of lines of code and increasing numbers of smart computing devices and sensors in these cars. BlackBerry proposes using a Root of Trust approach to assure each component is secure and that there are secure keys and certificates in each component, as well as an ongoing set of diagnostics looking for and eliminating any rogue elements.
You need a defense in depth, which means a strong application of existing security knowledge and relevant toolsets. Not only do the applications that go into the car need to be secured, but so do the hardware, the operating system, and the elements that make up the core stack of features.
Because the car will need to be updated, it can’t be isolated, but if a hostile agent gets into the car it can then take control of it. This suggests you isolate the safety-critical systems from the non-safety-oriented systems. This way, if the user accidentally installs a non-secure app in the entertainment part of the car, it doesn’t compromise the operation of the car. Being killed by the latest Taylor Swift song should only be a concern for the poor saps who date her; I shouldn’t have to worry about that. This means the use of hypervisors, secure gateways, and lots of secure encryption and authentication to assure that no one, not even Taylor Swift, turns your car into a candidate for Death Race (insert current year here).
One of the big requirements is ongoing monitoring and remediation, along with inter-manufacturer sharing of common cyber threats. Effectively, what you have is an OEM security network like what PC security companies set up between their customers, so that an attack on one car can be captured and used to immunize other potentially vulnerable cars regardless of who makes them. This is also used for software bugs and updates delivered via secure Over the Air (OTA) software updates. As it is with enterprise systems, the whole mess is overseen, BlackBerry proposes, with a unified endpoint management tool (as you would expect, BlackBerry sells one of the most advanced endpoint management tools).
Finally, the OEMs need to have a security and safety culture regarding cybersecurity. This is so security isn’t an afterthought like it was initially with both PCs and smartphones; it is embedded in the process, and no software or hardware is released that has known critical security faults.
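The secure-gateway idea above, sketched as an added example that is not BlackBerry's code: a frame from a non-safety domain crosses into the safety domain only if it is authenticated, allowlisted, and not a replay. The domain names, message IDs, keys, and frame layout are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo keys, one per source domain; real keys belong in hardware-backed storage.
KEYS = {"infotainment": b"demo-key-infotainment", "telematics": b"demo-key-telematics"}

# Hypothetical policy: the only (source domain, message ID) pairs allowed into the safety domain.
ALLOWLIST = {("telematics", 0x120), ("infotainment", 0x300)}


def sign_frame(key, source, msg_id, counter, payload):
    """Tag a legitimate sender attaches: HMAC-SHA256 over header and payload."""
    header = source.encode() + b"\x00" + struct.pack(">HI", msg_id, counter)
    return hmac.new(key, header + payload, hashlib.sha256).digest()


class Gateway:
    """Default-deny filter in front of the safety-critical domain."""

    def __init__(self, keys, allowlist):
        self.keys = keys
        self.allowlist = allowlist
        self.last_counter = {}  # highest counter accepted per source (replay defence)

    def admit(self, source, msg_id, counter, payload, tag):
        key = self.keys.get(source)
        if key is None:
            return "reject: unknown source"
        # Authenticate before anything else, using a constant-time comparison.
        expected = sign_frame(key, source, msg_id, counter, payload)
        if not hmac.compare_digest(expected, tag):
            return "reject: bad tag"
        # A compromised domain holds a valid key, so the allowlist still limits what it can send.
        if (source, msg_id) not in self.allowlist:
            return "reject: not allowlisted"
        # Refuse a replayed copy of an old, validly signed frame.
        if counter <= self.last_counter.get(source, -1):
            return "reject: replay"
        self.last_counter[source] = counter
        return "admit"


if __name__ == "__main__":
    gw = Gateway(KEYS, ALLOWLIST)
    k = KEYS["infotainment"]
    ok = sign_frame(k, "infotainment", 0x300, 1, b"\x40")
    print(gw.admit("infotainment", 0x300, 1, b"\x40", ok))    # allowed request
    print(gw.admit("infotainment", 0x300, 1, b"\x40", ok))    # same frame replayed
    bad = sign_frame(k, "infotainment", 0x0A0, 2, b"\xff")    # ID outside the allowlist
    print(gw.admit("infotainment", 0x0A0, 2, b"\xff", bad))
```

Per-domain keys mean a foothold in the entertainment system yields only that domain's identity, and the allowlist bounds what that identity can ask the safety side to do.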
This segment ended with the list of 20 individual products BlackBerry has created to address these exposures.
Project Halo
This was a particularly interesting tool, so I figured I’d give it special coverage. One of the biggest problems with assuring the supply chain with cars is with the software. With millions of lines of code in various forms, there isn’t, or wasn’t, a good way to analyze the code and assure it hasn’t been compromised or doesn’t have an unacceptable security exposure. Project Halo is a BlackBerry service that uses customized scanning (both BlackBerry best practices and custom OEM operations) to assure the software meets the security and safety requirements of the OEM, so that potential security problems are eliminated prior to manufacturing and delivery of the car.
Wrapping Up: Creating the Secure Car
Here is what is scary about this segment. It is clear to me that most of the car OEMs out there are rushing at warp speed to create cars that drive themselves. Many of these cars aren’t even going to have optional controls, so your life will be in the hands of those that build them. It would quickly seem to me that unless we want to have a far more exciting ride, or be held accountable for giving someone else an excessively exciting ride, scare, or early dirt nap, we likely should be, when we buy our first autonomous driven car, looking for a BlackBerry logo on the paperwork. Otherwise our shortened lives will be more exciting than we expect or want, and we will have to worry that, should we hear the Taylor Swift song “Look What You Made Me Do,” it is our car’s not-so-subtle way of telling us it has suddenly gone Terminator on us and that suddenly we are John Connor.