This week in Los Angeles, California, Trillium is proud to announce that it has been selected as a recipient of the prestigious Red Herring Top 100 Global Startup award. We are honored by the Red Herring community’s continued support of Trillium and will strive to live up to the high hopes set for us by the international startup community.
As an industry that thrives on the weaknesses of human drivers, automotive insurance is facing a difficult problem in the coming of autonomous cars. Not only are autonomous cars themselves proven to be safer drivers than humans, but they, in turn, create a safer driving environment for people not piloting an autonomous vehicle. This reality will no doubt lead to car insurance premiums falling as smart and self-driving cars begin to populate the roads of the world. Tesla Motors, a pioneer in the autonomous vehicle sector, has recognized this concern and has taken steps to capitalize on it.
Earlier in October, Electrek reported that, in partnership with Liberty Mutual Insurance, Tesla’s “InsureMyTesla” insurance program was coming to the United States and Canada, after successful implementation in Hong Kong and Australia. The unique insurance package offers Tesla customers features such as a guaranteed rate for one year, 24-hour roadside assistance, genuine replacement parts, and others. Each of the items detailed in InsureMyTesla is designed to augment the autonomous capabilities of the cars, giving incentive to enroll in specialized insurance. In retrospect, it seems obvious – new cars need new insurance. A big part of that insurance is no doubt going to be cyber security insurance.
The revolution of the car insurance industry is already on the way. With safer streets and cars that need less maintenance, traditional insurance models will give way to plans that offer solutions to the new problems cars face. Data analytics, user-based insurance, and cyber security are features Trillium expects to see top the list of desired outcomes from insurance providers. With vehicle hacks being the largest area of concern regarding autonomous vehicles, the need to feel safe from such a threat will no doubt manifest itself in the inclusion of cyber security in insurance packages. To boot, according to a 2016 Kelley Blue Book study, 50% of people surveyed were willing to pay $9 monthly for automotive cyber security as insurance or a subscription software. These signs all point to cyber security becoming a highly sought-after quality in any provider’s insurance package.
To meet this demand, Trillium has developed its Cyber Security as a Service (CSAAS) business plan, utilizing a B2B2B2C market strategy. This allows for the maximum amount of input from both automotive manufacturers and insurance providers, leading to the best user-oriented solution possible. Trillium’s SecureIOT is optimal for this implementation, covering every important aspect of autonomous car insurance. SecureSKYE provides advanced data analytics, leading to more refined user-based insurance policies, while SecureOTA allows for the swift implementation of necessary software updates. As the autonomous insurance landscape develops further, the value of SecureIOT’s multilayered protection will make itself clear, leading the way to a safer tomorrow.
Brakes, steering, accelerator. When asked to name some of a vehicle’s most crucial components, these are some prominent ones that come to mind. The amount of control that they provide to the vehicle’s function is indisputable; any technology linked to them must be scrutinized heavily before it is allowed to be deployed. Such careful evaluation is necessary in producing systems that have minimal vulnerabilities, so it is no surprise that the aforementioned systems are some of the most robust. There is, however, one system that holds just as much importance yet has been compromised – airbags.
On October 10th, a vulnerability report was submitted to the National Vulnerability Database (NVD) detailing an exploit in passenger vehicles manufactured in 2014 or later that could lead to the airbag being intentionally detonated outside of expected circumstances. The CAN vulnerability, labeled CVE-2017-14937, stems from the weakness of the security access mechanism that guards airbag detonation.
According to the published technical report, the ISO standard 26021 represents the only barrier to unauthorized detonation of the pyrotechnical charges linked to the airbags. This protection consists only of a key and seed pair that can be calculated via a weak algorithm that complies with ISO 26021. Since the algorithm is available to anyone with access to the ISO, the proper key can be easily calculated.
Furthermore, a brute-force attack can also cause the detonation of the airbag, as the key proposed by ISO 26021 is only two bytes long. This results in only 65536 different possible keys, a small list for any script to exhaust. This is further magnified by the fact that, according to the ISO standard, “There is no time period which needs to be inserted between access attempts,” meaning that a brute-force attack on the system will take a minuscule amount of time.
Ironically, the first of these bytes is also mandated to include the definite version number (0x01) of the implemented load detonation method – a reality that, in practice, leaves only one variable byte for the key. With the number of possible keys reduced to a mere 256, the threat this vulnerability poses should not be underestimated. This guarantees that even without access to the algorithm provided in ISO 26021, the vulnerability can still be exploited at the expense of the passengers.
This discovery points out a dire flaw in the automotive industry’s approach to the security of its in-vehicle networks. The security access originally designed to prevent such premature deployment of a car’s airbags has been turned into a weapon against the consumer – one that could cause severe injury or death. As vehicles continue to rely more and more upon computer systems, appropriate levels of security must be developed in tandem. Without multiple robust layers of protection at every level, smart cars are little more than moving time bombs.
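A defender's view of the no-delay weakness described above, as an added example that is not from Trillium or the cited report: with at most 256 candidate keys and no enforced wait, guessing shows up on the bus as a rapid run of rejected security-access keys, which a gateway or intrusion detection system can flag. It assumes candump-style log lines, UDS negative responses (`7F 27 35`, invalidKey) carried in ISO-TP single frames, a constructed responder ID `7E8`, and illustrative thresholds.

```python
import re
from collections import defaultdict, deque

# candump -l style line: "(epoch.seconds) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)$")
# UDS negative response (0x7F) to SecurityAccess (0x27) with NRC invalidKey (0x35)
INVALID_KEY = bytes([0x7F, 0x27, 0x35])

# Constructed sample capture; the IDs and timings are illustrative assumptions.
SAMPLE_LOG = [
    "(1507630000.000) can0 7E8#037F273500000000",  # one isolated rejected key
    "(1507630050.000) can0 1A0#0011223344556677",  # unrelated periodic frame
    "(1507630100.000) can0 7E8#037F273500000000",  # burst of rejected keys
    "(1507630100.010) can0 7E8#037F273500000000",
    "(1507630100.020) can0 7E8#037F273500000000",
    "(1507630100.030) can0 7E8#037F273500000000",
    "(1507630100.040) can0 7E8#037F273500000000",
]


def is_invalid_key_response(data: bytes) -> bool:
    """True for an ISO-TP single frame whose payload starts with 7F 27 35."""
    if len(data) < 4 or data[0] >> 4 != 0:  # high nibble 0 = single frame
        return False
    return (data[0] & 0x0F) >= 3 and data[1:4] == INVALID_KEY


def find_bursts(lines, max_failures=3, window_s=10.0):
    """Return (can_id, ts) whenever one ID rejects > max_failures keys in window_s."""
    recent = defaultdict(deque)  # responder CAN ID -> recent failure times
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a well-formed candump line
        ts, can_id, data = float(m[1]), m[2].upper(), bytes.fromhex(m[3])
        if not is_invalid_key_response(data):
            continue
        window = recent[can_id]
        window.append(ts)
        while ts - window[0] > window_s:  # drop failures older than the window
            window.popleft()
        if len(window) > max_failures:
            alerts.append((can_id, ts))
            window.clear()  # re-arm so a long run raises periodic alerts
    return alerts
```

The isolated rejection in the sample is ignored, while the burst of five rejections within 40 ms raises a single alert on the fourth.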
“The digital world offers unprecedented opportunities. Nevertheless, opportunity comes with risks, and one of these is the threat of a direct cyberattack on your car or indeed a whole fleet of vehicles. Keeping cybersecurity risks for connected vehicles in check is therefore of crucial importance.”
These words, spoken by Erik Jonnaert, Secretary General of the European Automobile Manufacturers’ Association (ACEA), perfectly summarize the hurdle that cyber terrorism poses to connected cars. The ACEA represents 14 Europe-based car, van, truck, and bus makers – including Volvo, Daimler, and Volkswagen among others. The consensus of their members on automotive cybersecurity is a clear indication of its importance to the industry.
The limitless opportunities stemming from the increased connectivity of connected cars host a slew of vulnerabilities that, if exploited, will threaten personal data, public and private property and human life.
In order to bring these threats into focus, the ACEA published six key principles of automotive cybersecurity for the industry to adhere to. These principles establish a foundation for more developed, specific guidelines to build upon in the future. As reported by Automotive World, they are as follows:
1. Cultivating a cybersecurity culture
2. Adopting a cybersecurity life cycle for vehicle development
3. Assessing security functions through testing phases
4. Managing a security update policy
5. Providing incident response and recovery
6. Improving information sharing amongst industry actors
The principles echo many valuable sentiments put forth by other legislative bodies over the past year, drawing emphasis to the necessity of a cybersecurity culture and secure update policies. The call for appropriate incident response procedures is also familiar, with the United Kingdom’s “Key Principles of Vehicle Cyber Security for Connected and Automated Vehicles” identifying the same need.
The principles laid out by the ACEA are an important step in the development of best practices and in-depth cyber security guidelines for vehicles, and they serve as a valuable foundation. Instead of serving as a standard for the quality of the security needed in the industry, the ACEA’s principles provide guidance for the path manufacturers should take in developing their automotive cyber security. The framework set by the principles will likely grow to include specific technical requirements for cybersecurity as the industry matures. In time, more data will be available in this yet-blooming field, driving forward the new age of safety policy and legislation.
This past Monday, at the Autotech Council of North America’s “Silicon Valley Reinvents the Wheel” conference, Trillium had the honor of presenting its technology and business strategy to a gathering of industry and VC executives from around the world. Our novel and multilayered approach to automotive cyber security was well-received by council and audience members alike. In addition, Trillium had a great showing in the Council’s Science Fair, showcasing our SecureCAR technology in tandem with our BrainBox In-Vehicle-Network facsimile. We wish to extend our heartfelt thanks to the organizers of the event and the Autotech Council for making such an opportunity possible.
On September 26th and 27th, Trillium participated in the first ever CYBER SECURE CAR Event in Japan, held in Shinjuku, Tokyo. Apart from moderating and presenting at the conference, Trillium provided demonstrations of the SecureCAR SDK and BrainBOX automotive cyber security development platform.
A special thank you to all our customers and partners that came by our booth!
Last week, Trillium’s CEO attended the awards ceremony for the Red Herring Asia 2017 competition in Manila. On this spectacular occasion, Trillium is proud to accept the Red Herring Top 100 Asia Award. We are honored to be recognized for the creativity and hard work of our growing team by the renowned Red Herring leadership and community. We want to express our sincere and heartfelt thanks to all our supporters, and hope we can continue to grow together.
Autonomous vehicles are here today, and unbeknownst to many, they are already on public roads, test driving next to unsuspecting traffic – this is done before proper legislation to protect innocent bystanders is put into place.
This reality is one that causes great concern among the few who are aware of it. There is almost no regulation at a local level, and the technology is still very much in the development phase. Even worse, much of the development is conducted on public roads, right alongside human drivers. What will prevent an experiment from turning into an accident, potentially taking lives in the process?
Luckily, you will not have to fear for the safety of public roads much longer. On Tuesday, September 12th, the US National Highway Traffic Safety Administration (NHTSA) issued its updated guidelines on development of Autonomous Drive Systems (ADS). This document helps local governments develop their own regulations, and gives businesses developing ADS a clear message of what will and will not be tolerated.
It is no surprise that vehicle cybersecurity is listed as one of the 12 essential safety design elements. Without cybersecurity, a vehicle becomes a hacker’s plaything – allowing them to take complete control of the car, including steering, braking, and acceleration. The possibilities for malicious abuse of autonomous cars are endless, ranging from extortion to remote cyber terrorism. The NHTSA stresses the importance of cybersecurity, stating that entities developing ADS “should insist that their suppliers build into their equipment robust cybersecurity features. Entities should also address cybersecurity, but they should not wait to receive equipment from a supplier before doing so.” The message is clear and urgent; implement cybersecurity at every level, and do it quickly.
Trillium agrees, and we are ready to help suppliers, developers, and OEMs implement these guidelines today. Trillium has partnered with the world’s largest automotive IC vendor, NXP, to provide support for Trillium’s SecureCAR platform on NXP’s next-generation S32K automotive microcontrollers (MCU). Our modular, multilayered approach also allows for developers of ADS technology to add cybersecurity directly onto their existing hardware today – without requiring costly changes to their underlying systems.
It is essential that the industry adopts these guidelines quickly, especially as autonomous vehicles are deployed on an increasingly larger scale. As connectivity and reliance on machine learning increase, so will the damage hackers can cause. Autonomous cars are set to shift the entire transportation landscape, with companies rolling out entire fleets within the next ten years. One rogue autonomous car is a hazard; an army of hacker-controlled vehicles is an avoidable, unnatural disaster.
“Software is eating the world” – perhaps no other phrase better sums up the era in which we live. In this increasingly interconnected world, new software-driven technologies continue to revolutionize every aspect of our lives. One important consequence of this innovation has been the rise of smarter medical devices, such as software-controlled pacemakers, which have contributed towards increasing the average life expectancy in the US every year for nearly the past quarter century. Now these life-giving devices, to which many owe their lives, are squarely in the crosshairs of hackers.
On August 29th, the US Food and Drug Administration issued a recall on St. Jude Medical pacemakers, stressing that the means to conduct an attack on these pacemakers are easily and commercially available today. Despite the reported ease of accessibility of the hack, the potential consequences are grim: hackers would have the ability to either drain the battery or administer incorrect pacing, with either attack resulting in a sudden cardiac arrest. Such an event can easily prove fatal if proper medical care is not administered immediately.
While no cases have been reported thus far, all pacemakers of the recalled model require an update to their firmware, one that allows only verified parties to make changes to its settings. This process will no doubt carry a hefty price, both in time spent and resources used to carry out the modification. The lack of a secure path to quickly update the settings of these devices is a key issue in this case, once again stressing the necessity for seamless over-the-air updates in modern technology.
The FDA has set a strong example: no longer shall cybersecurity be treated as an inconvenience. It is of utmost importance that device manufacturers, physicians, and patients all heed this warning. Trillium agrees, and looks forward to a world in which every device is safe from hackers, but until that day, we must strive to improve cybersecurity in not just one industry, but in every industry. Trillium’s portfolio of lightweight, scalable, and effective cybersecurity solutions was created with this goal in mind.
Trillium had a great run at the Technology in Motion conference last week! It was a great event filled with informational speeches and populated with the best in the industry. We would like to extend a special thanks to our partners who visited our booth, as well as the organizers and judges who saw fit to award us with the User Experience Award!