Page 61 - ATZ11 November 2019 Professional
In this way, new attack vectors can arise which the automotive industry and the end consumer have not yet encountered. With a virtual vehicle key in particular, the interconnectedness extends deep into the vehicle system, right up to the deactivation of the immobilizer. If the ecosystem is insufficiently designed, far-reaching risks arise that a vehicle user cannot assess in everyday life. Therefore, the responsibility for virtual keys must not simply be delegated to the customer.

FIGURE 3 shows schematically possible attack vectors on the ecosystem of virtual vehicle keys. Unauthorized access to backend or communication channels enables access to the entire ecosystem. An important attack vector from the viewpoint of motor insurance is a total theft. A classic theft is committed at the scene of a crime by direct manipulation of the vehicle, such as smashing a window. The physical proximity to the victim and the danger of being discovered can now be replaced by a remote attack, executed from anywhere in the world by manipulating data or compromising security mechanisms at the backend. This creates new attack vectors, the so-called cyber risks, with which the insurance industry is not familiar and of which it has not yet gained any empirical experience.

REQUIREMENTS

The requirements for virtual vehicle keys have included more than just the above-mentioned analysis of the entire ecosystem and new attack vectors. Many years of experience in insurer-internal theft and security research, industry-specific regulation and compensation processes and the protection of customers against unjustified suspicion also characterize these technical guidelines.

The requirements are structured into four chapters [2]. The first part contains the requirements for the overall system, based on the current IT basic protection of the BSI. These are followed by the requirements for the design and implementation of the usage concept on a mobile device. Then the requirements for the backend, a data-bundling entity sensitive to remote attacks, are formulated. The last part of the requirements deals with forensics in the event of a total theft and describes transparent data logging and a consistent manufacturer-independent revocation procedure for assigned user authorizations.

The new access and driving authorization systems for networked vehicles must in general be protected against unauthorized access and manipulation in order to guarantee the security of the overall system. The virtual vehicle key ecosystem is only as strong as its weakest entity or unsecured interface of its communication channels. Therefore, a security-conscious orchestration of all entities in their diversity is of decisive importance.

This makes it even more important for the automotive industry, during the design of the ecosystem, not to restrict itself to the entity vehicle and its interfaces to other entities, but to consider the entire spectrum of security measures in combination. On the vehicle side, the selection of parts that are now to be certified specifically for safety-critical applications remains important.

When designing and implementing usage authorizations, the access authorization must be separated from the driving authorization. For example, an access authorization in the trunk for a courier service must not lead to the subsequent deactivation of the immobilizer.

On the procedural side of the system, a multi-factor authentication is required. For an inexperienced user, the additional effort seems unnecessary and time-consuming at first glance. From the perspective of IT security, this fundamentally increases the security of the application and makes unauthorized manipulation significantly more difficult. In order to be able to close any potential vulnerabilities afterwards, the implementation of an over-the-air interface for remote updates over the lifetime of a vehicle model is essential.

The storage of sensitive data must be performed exclusively in a tamper-proof storage environment in order to protect this data and the security-critical operations against all types of software-based attacks (for example privilege escalation attacks). The transmission channels must be protected against already known relay attacks on keyless locking systems, such as keyless entry and go, and against attacks known from the IT industry, such as side channel attacks and spoofing of entities.
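
The separation of access and driving authorization described above, combined with revocation and a second factor, can be sketched as a vehicle-side check. This is an added example, not part of the original article or of the guidelines it describes; the grant format, scope names, the shared HMAC key and the choice to demand the second factor only for the driving scope are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: backend and vehicle share this key. A real system would verify
# asymmetric signatures inside the tamper-proof storage environment.
VEHICLE_KEY = b"constructed-demo-key"
# Each vehicle action maps to exactly one scope; access never implies drive.
ACTION_SCOPE = {"open_trunk": "access:trunk", "unlock_doors": "access:cabin",
                "release_immobilizer": "drive"}

def issue_grant(key_id, scopes, not_after):
    """Backend side: sign a usage authorization (hypothetical format)."""
    body = json.dumps({"key_id": key_id, "scopes": sorted(scopes),
                       "not_after": not_after}, sort_keys=True)
    tag = hmac.new(VEHICLE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def authorize(grant, action, now, revoked, second_factor_ok=False):
    """Vehicle side: return (allowed, reason) for one requested action."""
    expected = hmac.new(VEHICLE_KEY, grant["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["tag"]):
        return False, "bad signature"
    claims = json.loads(grant["body"])
    if claims["key_id"] in revoked:
        return False, "revoked"
    if now > claims["not_after"]:
        return False, "expired"
    required = ACTION_SCOPE.get(action)
    if required is None or required not in claims["scopes"]:
        return False, "scope not granted"
    # Driving authorization additionally needs a second factor (assumption).
    if required == "drive" and not second_factor_ok:
        return False, "second factor required"
    return True, "ok"

# Constructed sample grants: a courier limited to the trunk, and an owner.
COURIER = issue_grant("courier-1", ["access:trunk"], not_after=2000)
OWNER = issue_grant("owner-1", ["access:trunk", "access:cabin", "drive"],
                    not_after=9000)

if __name__ == "__main__":
    for who, grant in (("courier", COURIER), ("owner", OWNER)):
        for action in ACTION_SCOPE:
            print(who, action, authorize(grant, action, 1000, set(), True))
```

Because the scope list is covered by the signature, editing a courier grant to include the driving scope fails verification instead of releasing the immobilizer.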

Every reported total theft must be checked for plausibility by the insurers. If a claim occurs, the policyholder must fulfil his contractual obligations and provide information regarding the circumstances and hand over the complete set of keys to the insurer for checking the completeness of the key set. With virtual keys on smartphones, this process is very difficult to manage from a data pro-

FIGURE 3 Attack vectors on the ecosystem virtual vehicle key (© AZT)
ATZ worldwide 11|2019 55