Alex Manea, BlackBerry’s chief security officer, talks about connected car security vulnerabilities and how the automotive industry can better prepare.
BlackBerry Chief Security Officer Alex Manea
BlackBerry has evolved from a maker of highly secure smartphones to a provider of software and security. Its QNX operating system is widely present across the automotive industry, and BlackBerry wants to be the go-to partner for carmakers intent on keeping both connected vehicles and the supply chain safe and secure. Alex Manea, BlackBerry’s chief security officer, recently spoke to automotiveIT International about the security challenges faced by the car industry and the way forward.
From a security point of view, what’s the difference between cars and other connected devices?
From a security standpoint, the same security concepts we apply to laptops, desktops or other Internet-of-Things (IoT) devices can be applied to cars as well. That means making sure you encrypt all the data and you hash your passwords, for example. What is interesting about cars is that they fundamentally change the threat level because when you are protecting a computer or smartphone, it is about protecting privacy; when someone hacks a car, it is more about threatening safety; not only of the person in the car, but also the people around it. That is where we see a very new threat level. The other difference lies in the sheer complexity of the car. A luxury car today can have about 100 million lines of code.
I understand that is about 10 times that of a modern airplane.
Well, it is 10 times an aeroplane, but it is also 10 times the Android operating system. If you assume there is a software vulnerability for every 10,000 lines of code, then out of 100 million, that is a lot of potential vulnerabilities in one car.
Can you be more concrete about those threats?
There are so many different ways that cars connect to the internet and connect to the outside world, everything from the OBD2 port, to Bluetooth, to Wi-Fi, to 3G, 4G and eventually 5G. Hackers are always looking for the weakest link, so the more links you have and the more software you have, the more vulnerability you have. There’s a huge attack surface in cars.
And where does BlackBerry come into this?
QNX is deeply embedded in the automotive industry. We work with around 40 different automotive manufacturers to provide a core platform for security. QNX provides an operating system, infotainment system, over-the-air software updates and a secure manufacturing mechanism that can actually inject keys within the ECUs and create a secure hardware root, for example. So ultimately what we are doing with car manufacturers is creating a security platform that people can build on top of to build autonomous vehicles.
What do you see as the biggest vulnerabilities or weak links for vehicles?
If I were a hacker and wanted to look at hacking a car, I would look at the OBD2 port, because the OBD standard does not have many security standards built in, and by definition every car needs to have an OBD2 port. At the same time, if I am looking at it from a broader standpoint and if I would want to target a large series of vehicles, I would look at hacking infotainment systems, and to get over not just to infotainment but core driving systems. OBD2 is easier, but internet-based hacks could affect a large number of cars.
You’re talking about hacks into the cloud?
Yes. I would also look at hacking software updates. If people are sending software updates over the air, are those updates being properly authenticated, are they digitally signed, are they checking the signatures? If I can put my software on your car, it is not your car anymore. It is my car.
Do you think there is enough focus on cybersecurity in the automotive industry?
I think it’s OK. The industry has become much more aware over the last 5 years because there have been so many high-profile car hacks. The auto industry is also starting to realize that if it wants people to trust their cars, and if it wants autonomous cars to become a mainstream reality, these vehicles are going to have to be very secure. A lot of auto manufacturers are partnering with companies such as BlackBerry because they have a legacy on the mechanical side of things. They are partnering with tier 1 suppliers and tech companies to really create and secure those software platforms.
Automakers are developing architectures with fewer ECUs in the cars. That should help, right?
Yes, that is ultimately where it is going. Right now one of the things that scares me is the number of ECUs on the car, as cars can have dozens of them. If you go back to the concept of the weakest link, the more ECUs that you have, the more likely that one of them can have critical software vulnerabilities.
And BlackBerry, with its QNX technology, is involved in this part of the safety equation?
Yes, and another piece of technology we are offering that is getting very popular is the hypervisor technology, which separates safety-critical parts from non-critical systems. That means that if somebody hacks into the infotainment system from the cloud or the consumer downloads malware, that piece of malware can’t jump over to the driving systems and take over the steering wheel or the brakes, for example.
The auto industry has a complex value chain with many different companies involved. Do you also need to build secure systems starting from the value chain upstream?
Yes, we need to think about how we secure the supply chain and secure manufacturing. One thing that we offer to tier 1 suppliers and automakers is a solution by which we can do our own key injection to create a hardware root of trust within the ECU. This means the ECU and different components can be manufactured physically anywhere in the world, and we can secure them remotely and create a hardware root of trust. When you then start putting the operating system on top of that and start putting in applications, you can verify the OS and the applications. We are creating a secure ecosystem and putting that root of trust directly into the hardware.
Is there a bigger role that government and regulators have to play, especially as we move toward connected cities and infrastructure?
I would like to see more regulation around IT security. Every secure device should support secure software updates. If you don’t support software updates and someone hacks your device, you are toast. Especially if that device is popular and is in millions of cars and offices. That needs to be mandated by the government. Ultimately we need to create a secure framework for all internet-connected devices.
Are some countries ahead of the curve in the area of automotive security?
The place I’ve been impressed with most so far is Singapore. They are thinking about smart cities in a holistic way, not just in terms of securing the cars on the road, but the entire infrastructure. Let me give you an example: If I drive my car up to a stoplight, I want it to communicate with that stoplight to tell my car, hey, you have to stop. A self-driven car needs to know that. But there is a lot of infrastructure that needs to be put in place around authentication, because you also create the opportunity for cyber criminals to create fake stop signals. Imagine you have a self-driving car, and all of a sudden four fake stop lights pop up around the car. That would render the car useless. The Singaporean government is thinking about this very holistically and I suspect they are going to be one of the leaders.
Amid all the cyber threats that are around, how will the automotive industry be able to secure its products and supply chain?
I think car manufacturers can learn a lot from the smartphone industry. The smartphone has evolved over the past 10-15 years and you’re going to see a similar evolution with cars, which, after all, are mobile devices on four wheels. In the early days of smartphones, security was not seen as a feature. It was added later. At BlackBerry, we never looked at it that way, but the net result was that a lot of smartphones, computers and other connected devices were targeted by hackers. Carmakers should look at that evolution and see that, if you don’t put in the right tools from day one and you find out 10 years later that your devices are hackable, you are going to be in a lot of trouble. You’re better off putting in security straight away.
Blockchain has been mentioned as a way to secure the automotive supply chain. Do you see it that way?
I look at blockchain as a foundational technology. Will it eventually become the foundation of a secure supply chain? Quite possibly, but I don’t see it happening anytime soon, or overnight. The evolution of blockchain is slow and it will take people a long time to reengineer their supply chains to work with blockchain.
What technologies are exciting you most right now?
I am mostly excited about self-driving cars, which one day will potentially give me a lot of time back in my day. The other technology I am excited about is hyperloop and associated technologies. How do we transport people over long distances efficiently? The reason for that is very personal because I travel so much, and I’m more than 2 meters tall. Airplanes are not my favorite thing.