This week in Los Angeles, California, Trillium is proud to announce that it has been selected as a recipient of the prestigious Red Herring Top 100 Global Startup award. We are honored by the Red Herring community’s continued support of Trillium and will strive to live up to the high hopes set for us by the international startup community.
As an industry that thrives on the weaknesses of human drivers, automotive insurance is facing a difficult problem with the arrival of autonomous cars. Not only are autonomous cars themselves proven to be safer drivers than humans, but they, in turn, create a safer driving environment for people not piloting an autonomous vehicle. This reality will no doubt lead to car insurance premiums falling as smart and self-driving cars begin to populate the roads of the world. Tesla Motors, a pioneer in the autonomous vehicle sector, has recognized this concern and has taken steps to capitalize on it.
Earlier in October, Electrek posted an article reporting that, in a partnership with Liberty Mutual Insurance, Tesla’s “InsureMyTesla” insurance program was coming to the United States and Canada, after successful implementation in Hong Kong and Australia. The unique insurance package offers Tesla customers features such as a guaranteed rate for one year, 24-hour roadside assistance, genuine replacement parts, and others. Each of the items detailed in InsureMyTesla is designed to augment the autonomous capabilities of the cars, giving incentive to enroll in specialized insurance. In retrospect, it seems obvious – new cars need new insurance. A big part of that insurance is no doubt going to be cyber security insurance.
The revolution of the car insurance industry is already on the way. With safer streets and cars that need less maintenance, traditional insurance models will fall out of favor, replaced by plans that offer solutions to the new problems cars face. Data analytics, user-based insurance, and cyber security are features Trillium expects to see top the list of desired outcomes from insurance providers. With vehicle hacks being the largest area of concern regarding autonomous vehicles, the need to feel safe from such a threat will no doubt manifest itself in the inclusion of cyber security in insurance packages. To boot, according to a 2016 Kelley Blue Book study, 50% of people surveyed were willing to pay $9 monthly for automotive cyber security as insurance or as subscription software. These signs all point to cyber security becoming a highly sought-after quality in any provider’s insurance package.
To meet this demand, Trillium has developed its Cyber Security as a Service (CSAAS) business plan, utilizing a B2B2B2C market strategy. This allows for the maximum amount of input from both automotive manufacturers and insurance providers, leading to the best user-oriented solution possible. Trillium’s SecureIOT is optimal for this implementation, covering every important aspect of autonomous car insurance. SecureSKYE provides advanced data analytics, leading to more refined user-based insurance policies, while SecureOTA allows for the swift implementation of necessary software updates. As the autonomous insurance landscape develops further, the value of SecureIOT’s multilayered protection will make itself clear, leading the way to a safer tomorrow.
Brakes, steering, accelerator. When asked to name some of a vehicle’s most crucial components, these are some prominent ones that come to mind. The amount of control that they provide to the vehicle’s function is indisputable; any technology linked to them must be scrutinized heavily before it is allowed to be deployed. Such careful evaluation is necessary in producing systems that have minimal vulnerabilities, so it is no surprise that the aforementioned systems are some of the most robust. There is, however, one system that holds just as much importance yet has been compromised – airbags.
On October 10th, a vulnerability report was submitted to the National Vulnerability Database (NVD) detailing an exploit in passenger vehicles manufactured in 2014 or later that could lead to the airbag being intentionally detonated outside of expected circumstances. The CAN vulnerability, labeled CVE-2017-14937, stems from the lack of protection around the security access needed to detonate the airbags.
According to the published technical report, the ISO standard 26021 represents the only barrier to unauthorized detonation of the pyrotechnical charges linked to the airbags. This protection consists only of a key and seed pair that can be calculated via a weak algorithm that complies with ISO 26021. Since the algorithm is available to anyone with access to the ISO, the proper key can be easily calculated.
Furthermore, a brute-force attack can also cause the detonation of the airbag, as the key proposed by ISO 26021 is only two bytes long. This results in only 65536 different possible keys, a small list for any script to exhaust. This is further magnified by the fact that, according to the ISO standard, “There is no time period which needs to be inserted between access attempts,” meaning that a brute-force attack on the system will take place in a minuscule amount of time.
Ironically, the first of these bytes is also mandated to include the definite version number (0x01) of the implemented load detonation method – a reality that, in practice, leaves only one variable byte for the key. With the number of possible keys reduced to a mere 256, the threat this vulnerability poses should not be underestimated. This guarantees that even without access to the algorithm provided in ISO 26021, the vulnerability can still be exploited at the expense of the passengers.
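The effect of the key length and of the missing delay between attempts can be seen in a small simulation. This is an added example, not code from the ISO standard or the cited report; the `AccessGate` class, the 10 ms attempt cost and the three-failure, 10-second lockout policy are assumptions chosen for illustration.

```python
# Toy model of a seed/key access gate (added example; all timings are assumed).
from dataclasses import dataclass


@dataclass
class AccessGate:
    secret_key: int             # constructed value, not a real key
    max_failures: int = 0       # 0 = unlimited attempts, no delay
    lockout_ms: int = 0         # enforced wait once max_failures is reached
    attempt_cost_ms: int = 10   # assumed cost of one request/response pair
    clock_ms: int = 0           # simulated time, integer ms to stay exact
    failures: int = 0
    locked_until_ms: int = 0

    def try_key(self, key: int) -> bool:
        # A request made during a lockout is only served once it expires.
        self.clock_ms = max(self.clock_ms, self.locked_until_ms)
        self.clock_ms += self.attempt_cost_ms
        if key == self.secret_key:
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures and self.failures >= self.max_failures:
            self.locked_until_ms = self.clock_ms + self.lockout_ms
            self.failures = 0
        return False


def effective_keyspace(key_bytes: int, fixed_bytes: int) -> int:
    """Keys left once `fixed_bytes` of the key carry a mandated constant."""
    return 256 ** (key_bytes - fixed_bytes)


def worst_case_ms(keyspace: int, **policy) -> int:
    """Simulated time until the gate opens if the right key is tried last."""
    gate = AccessGate(secret_key=keyspace - 1, **policy)
    for key in range(keyspace):
        if gate.try_key(key):
            break
    return gate.clock_ms


def compare() -> dict:
    lockout = {"max_failures": 3, "lockout_ms": 10_000}  # assumed policy
    rows = {}
    for label, space in (("2 bytes", effective_keyspace(2, 0)),
                         ("1 variable byte", effective_keyspace(2, 1))):
        rows[label] = {"keys": space,
                       "no_delay_ms": worst_case_ms(space),
                       "lockout_ms": worst_case_ms(space, **lockout)}
    return rows


if __name__ == "__main__":
    for label, row in compare().items():
        print(label, row)
```

Under these assumed timings the 256-key space is exhausted in about 14 minutes even with the lockout, so an attempt limit only helps when it is paired with a longer key.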
This discovery points out a dire flaw in the automotive industry’s approach to the security of its in-vehicle networks. The security access originally designed to prevent such premature deployment of a car’s airbags has been turned into a weapon against the consumer – one that could cause severe injury or death. As vehicles continue to rely more and more upon computer systems, appropriate levels of security must be developed in tandem. Without multiple robust layers of protection at every level, smart cars are little more than moving time bombs.
“The digital world offers unprecedented opportunities. Nevertheless, opportunity comes with risks, and one of these is the threat of a direct cyberattack on your car or indeed a whole fleet of vehicles. Keeping cybersecurity risks for connected vehicles in check is therefore of crucial importance.”
These words, spoken by Erik Jonnaert, Secretary General of the European Automobile Manufacturers’ Association (ACEA), perfectly summarize the hurdle that cyber terrorism poses for connected cars. The ACEA represents 14 Europe-based car, van, truck, and bus makers – including Volvo, Daimler, and Volkswagen among others. The consensus of their members on automotive cybersecurity is a clear indication of its importance to the industry.
The limitless opportunities stemming from the increased connectivity of connected cars host a slew of vulnerabilities that, if exploited, will threaten personal data, public and private property and human life.
In order to bring these threats into focus, the ACEA published six key principles of automotive cybersecurity for the industry to adhere to. These principles establish a foundation for more developed, specific guidelines to build upon in the future. As reported by Automotive World, they are as follows:
1. Cultivating a cybersecurity culture
2. Adopting a cybersecurity life cycle for vehicle development
3. Assessing security functions through testing phases
4. Managing a security update policy
5. Providing incident response and recovery
6. Improving information sharing amongst industry actors
The principles echo many valuable sentiments put forth by other legislative bodies over the past year, drawing emphasis to the necessity of a cybersecurity culture and secure update policies. The call for appropriate incident response procedures is also familiar, with the United Kingdom’s “Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles” identifying the same need.
While an important step in the development of best practices and in-depth cyber security guidelines for vehicles, the principles laid out by the ACEA are a foundation rather than a finished standard. Instead of serving as a standard for the quality of the security needed in the industry, the ACEA’s principles provide guidance for the path manufacturers should take in developing their automotive cyber security. The framework set by the principles will likely grow to include specific technical requirements for cybersecurity as the industry matures. In time, more data will be available in this yet-blooming field, driving forward the new age of safety policy and legislation.
This past Monday, at the Autotech Council of North America’s “Silicon Valley Reinvents the Wheel” conference, Trillium had the honor of presenting its technology and business strategy to a gathering of industry and VC executives from around the world. Our novel and multilayered approach to automotive cyber security was well-received by council and audience members alike. In addition, Trillium had a great showing in the Council’s Science Fair, showcasing our SecureCAR technology in tandem with our BrainBox In-Vehicle-Network facsimile. We wish to extend our heartfelt thanks to the organizers of the event and the Autotech Council for making such an opportunity possible.
Last week, Trillium’s CEO attended the awards ceremony for the Red Herring Asia 2017 competition in Manila. On this spectacular occasion, Trillium is proud to accept the Red Herring Top 100 Asia Award. We are honored to be recognized for the creativity and hard work of our growing team by the renowned Red Herring leadership and community. We want to express our sincere and heartfelt thanks to all our supporters, and hope we can continue to grow together.
“Software is eating the world” – perhaps no other phrase better sums up the era in which we live. In this increasingly interconnected world, new software-driven technologies continue to revolutionize every aspect of our lives. One important consequence of this innovation has been the rise of smarter medical devices, such as software-controlled pacemakers, which have contributed towards increasing the average life expectancy in the US every year for nearly the past quarter century. Now these life-giving devices, to which many owe their lives, are squarely in the crosshairs of hackers.
On August 29th, the US Food and Drug Administration issued a recall on St. Jude Medical pacemakers, stressing that the means to conduct an attack on these pacemakers are easily and commercially available today. The hack is reportedly easy to access, and the potential consequences are grim: hackers would have the ability to either drain the battery or administer incorrect pacing, with either attack resulting in a sudden cardiac arrest. Such an event can easily prove fatal if proper medical care is not administered immediately.
While no cases have been reported thus far, all pacemakers of the recalled model require an update to their firmware, one that allows only verified parties to make changes to its settings. This process will no doubt carry a hefty price, both in time spent and resources used to carry out the modification. The lack of a secure path to quickly update the settings of these devices is a key issue in this case, once again stressing the necessity for seamless over-the-air updates in modern technology.
The FDA has set a strong example: no longer shall cybersecurity be treated as an inconvenience. It is of utmost importance that device manufacturers, physicians, and patients all heed this warning. Trillium agrees, and looks forward to a world in which every device is safe from hackers, but until that day, we must strive to improve cybersecurity in not just one industry, but in every industry. Trillium’s portfolio of lightweight, scalable, and effective cybersecurity solutions was created with this goal in mind.
Trillium had a great run at the Technology in Motion conference last week! It was a great event filled with informational speeches and populated with the best in the industry. We would like to extend a special thanks to our partners who visited our booth, as well as the organizers and judges who saw fit to award us with the User Experience Award!
We’ve all heard of this famous thought experiment: if there was a trolley heading down the tracks towards five people, and you had the choice to divert the trolley to an alternate track with only one person, should you do so? This question is perhaps the simplest way to demonstrate the complex ethical challenges facing the deployment of autonomous cars.
It is crucial that, in this early stage of the autonomous revolution, governments legislate a specific code of ethics for autonomous cars to prevent horrendous abuses of this newfound power. Germany, for example, has taken a step in the right direction, recently releasing a report on automated and connected driving. In this report, they outline 20 guidelines regarding the ethics of autonomous vehicles. These initial guidelines form an important precedent, for the first time giving manufacturers a clear idea of what core principles their autonomous systems should follow.
A few key points within the report highlight several necessary changes to vehicle systems:
- The driver of a vehicle retains their rights over the personal information collected from that vehicle. Use of this data by third parties must be with the owner’s informed consent and with no harm resulting.
- The vehicle should have an aviation-style “Black Box” that continuously records events, including who or what is in control at any given time.
- The threat of maliciously hacking any autonomous driving system must be mitigated by effective safeguards. Software should be designed with a level of security that makes malicious hacking exceedingly unlikely.
The first point demonstrates the necessity of maintaining privacy within a vehicle. Without respecting the rights of the vehicle owner, an OEM is infringing on that person’s right to privacy. Trillium shares this concern, and as such we have developed our SecureSKYE data mining and analytics solution with the consumer’s protection in mind every step of the way.
The second point demonstrates the importance of data integrity. This “Black Box” will be as crucial a safety feature as seatbelts and airbags historically have been, allowing improvements to be made to prevent future crashes. Without data integrity, however, any data recorded will be useless as it is open to manipulation by malicious third parties. It will only serve as a convenient collection of data for cybercriminals to steal. Trillium addresses concerns of data integrity with SecureCAR encryption, authentication, and dynamic key-lock pairing, placing the data safe behind multiple layers of security built from the ground up for automotive applications.
The third point demonstrates the importance of system-wide use of a multilayered security solution. Any cyber-security system requires not just one, but multiple layers of security to effectively safeguard against attacks. Each additional layer of security lowers the success rate of an attack exponentially. Trillium strongly agrees, offering an extensive portfolio of modular security solutions to allow for complete use of all available security resources, no matter the computational strength of the system.
Without flexible, multilayered security and customizable data analytics, manufacturing safe autonomous and connected cars is an impossible endeavor. More countries need to recognize the pressing importance of the matter before it’s too late. Germany understands the threat that autonomous and connected cars will bring, and we hope to see more countries adopt similar guidelines within the near future.
Cyber terrorism is not an idle threat. New malware and cyber-attacks are developed every day, all created with the intent of stealing money, information, or identities, or, as in the case of car hacking, inflicting physical damage and wreaking serious havoc.
The explosive nature of the cyber battlefield has resulted in frequent anti-virus/anti-malware updates becoming a necessity, a needed measure against new attacks that exploit devices not protected by older software.
Now compare this dynamic environment to that of an automobile’s development. Designing and producing a new car is a task that takes years, with plans only rarely being changed once an OEM moves past the design stage. To assume security measures developed in such a static environment can hold up to the barrage of never-ending cyber threats is naïve. In a recent article, Automotive World calls for an overhaul of the approach taken to cyber security in vehicles, both before and after a car is sold.
The first step needed to improve automotive cyber security best practices is regular checking of software integrity throughout the design process. Instead of leaving software analysis to the end of a vehicle’s design period, it should be checked throughout each stage of its development. As new features are added and old ones updated, the software used must be scanned for bugs that could later cause problems. Automotive World emphasizes the risks OEMs face by not catching code issues early on, such as delays in development, vehicle recalls, or loss of life due to a cyber-attack. To ensure the quality of the testing done, they also strongly encourage the use of third-party penetration testing and consultation services to expose holes potentially unseen by the developers. Firms like Trillium play an important part in this procedure, giving OEMs the opportunity to strengthen their cars’ cybersecurity from an early stage in the development process and throughout.
The second solution to this lack of preparedness is to update vehicles’ security after they have left the factory floor. It is unreasonable to expect cars to roll out onto the streets with perfect code, but any bugs found need to be addressed by the OEM. Legislation is moving in favor of placing the responsibility of car software integrity in the hands of the producer, meaning OEMs and other suppliers need to provide the means of keeping cars safe once they are on the road. To this end, Over-The-Air update services like those found in SecureOTA are needed, giving vehicles the fast, seamless security updates they need to stay protected in cyberspace. As cars become more and more integrated into their environments thanks to V2V and V2X technology, the speed at which new attacks are brought to bear on vehicles will only increase, and only software of the highest quality can ready drivers for future threats.