The Vehicle Is Remotely Controlled To "Run By Itself". The Intelligent Internet Connected Vehicle Needs To Be Locked Safely
The automobile industry has entered a new era of intelligent Internet connection. With the operating system, automatic driving and other software replacing the mechanical structure as the core, the driving experience of the car has made a qualitative leap.
However, while the software defines the car, the security problems formed by the network are also emerging. Recently, at the 11th China automobile forum sponsored by China Automobile Industry Association, many industry insiders said that the networking and intelligent development of automobiles has brought some unprecedented safety challenges to the industry.
"There are many network security loopholes in intelligent connected vehicles (ICV). In 2020, there were more than 2.8 million malicious attacks worldwide. Hackers can control the driving of vehicles by means of network attacks, and can also use software vulnerabilities to control intelligent connected vehicles," said Huang Peng, deputy chief engineer of the National Industrial Information Security Development Research Center and director of the Information Policy Institute.
Hackers controlling vehicles remotely by writing code sounds like the plot of an old movie. But today, with the popularity of intelligent connected vehicles, it may become something that happens to ordinary consumers.
Previously, a Tesla owner in China said that when using the Tesla app, he suddenly found that his app was bound to five unfamiliar vehicles from Europe. He could not only view all the information of these vehicles, but also use the remote control functions of the Tesla app normally, including unlocking the doors, opening the windows, turning on the air conditioner, and so on. This means that there are indeed loopholes in the software of smart cars, and that they can be exploited.
As automobile network security risks have appeared, automobile enterprises have paid more and more attention to the related security problems. Huang Peng said that domestic mainstream enterprises are strengthening technical means and management mechanisms to greatly improve their ability to guarantee data security. Tesla, which takes the lead in intelligence, has established an open error reporting system that offers high rewards to openly "solicit" software vulnerabilities.
However, for intelligent connected vehicles, the current software security problems are only the beginning. Zhang Jianxin, president of the Industrial Internet Security Research Institute of 360 Group, said that after the stage of single-point vehicle safety protection, the industry has now entered the stage of systematic and standardized construction, and will enter the actual combat stage in the future. "There must be loopholes in the car. Networking leads to the expansion of the attack area. The introduction of new technologies has brought new risk points, and new problems will continue to emerge," he said. He added that actual combat verification is in full swing in China to maintain the safety of the Internet of vehicles to the greatest extent.
Cars become targets of hackers
"With the continuous development of the automotive industry towards networking, vehicles themselves have changed from closed systems to open systems and become intelligent terminal devices like mobile phones... When automobiles become an integral part of cyberspace, they will become the targets of hacker attacks like any other networked electronic devices and computer systems, facing severe network security challenges," Guo Hong, deputy director of the Institute of Forensic Science, said at the current China Automobile Forum.
In recent years, security incidents in the field of the Internet of vehicles have been gradually increasing. Zhang Jianxin said that from 2010 to 2020, the number of attacks on the Internet of vehicles increased greatly. However, according to analysis of last year's attack data, the proportion of security problems found by "white hats" and those caused by hackers has basically reached 1:1, and the number of attacks by hackers is greater than that by "white hats". The security problem of the Internet of vehicles has been moving from laboratory research to industrial confrontation. [Note: a white hat is a well-intentioned hacker who can identify security vulnerabilities in computer systems or network systems, but publishes them rather than maliciously exploiting them. In this way, the system can be fixed before the vulnerability is exploited by others (such as black hats).]
Although there is no large-scale hacker intrusion in the field of intelligent vehicles, the network security threat of vehicles exists objectively. According to Zhang Jianxin, 360 is one of the first domestic enterprises to do Internet of vehicles security. As early as 2014, they found the first vulnerability of Tesla.
At the time, Tesla CEO Elon Musk didn't acknowledge that Tesla had a security problem. But soon, Musk changed his mind. At the meeting of the association of American governors in July 2017, Musk admitted that "hacker attacks at the team level" were Tesla's biggest concern.
Before that, more than one person had successfully "cracked" a Tesla vehicle. In September 2016, Tencent Cohen laboratories announced that they had successfully invaded Tesla vehicles by means of "remote non-physical contact": they could remotely unlock the vehicle, open the sunroof, control the turn signals, adjust the seats, and so on. When the vehicle is still, they could also start the wipers, fold the rear-view mirrors, open the trunk, and even apply emergency braking.
After completing the vulnerability testing experiment, Cohen laboratory submitted the details of the vulnerability to Tesla, and Tesla engineers urgently repaired it. In 2017, a car owner named Jason Hughes also discovered two Tesla software vulnerabilities, involving supercharging piles and remote control.
In a very dramatic scene, during a conversation with Aaron Sigel, Tesla's then software security director, Hughes, at his home in North Carolina, successfully summoned a Tesla parked across the United States in California. All he had been given was the vehicle identification number of the car.
Tesla is clearly not the only company with software security vulnerabilities. According to Zhang Jianxin, in 2019, with the development of intelligent Internet connected vehicles and the combination of vehicles and cloud, they also found similar problems in Mercedes Benz. "You can attack directly from the car to the cloud, and then counterattack through the cloud to all the vehicles in the Mercedes Benz network, and remotely open the doors, open the windows, stop and start," he recalled. 360 reported the issue to Mercedes Benz's headquarters at the first opportunity, and the company attached great importance to it and urgently completed the repair of the loophole.
Preliminary establishment of defense system
The safety problem of intelligent connected vehicles has a long history. Since the earliest Tesla vehicles showed the possibility of remote control, automobile enterprises and other industry entities have gradually attached importance to the automobile safety issues. It is reported that at present, various host manufacturers have successively launched a lot of overall solutions for the security of Internet of vehicles, and the security defense system of intelligent connected vehicles has been gradually established.
Huang Peng said, "We have investigated some automobile enterprises and summarized their understanding and measures on current data security. Automobile enterprises are paying more and more attention to data security. Domestic mainstream enterprises intend to greatly improve the guarantee ability of data security by strengthening technical means and management mechanism."
It is understood that at present, domestic and foreign automobile enterprises mainly have two ways to "deal with" software vulnerabilities. One is investigation by their own development teams, and the other is having external security agencies find and patch the holes. "White hat" professional teams such as 360 and Cohen laboratories have helped domestic and foreign automobile brands to find and repair security loopholes many times.
"Network security enterprises have a bright future in the intelligent connected vehicle security market." Huang Peng said that China's mainstream network security enterprises are actively laying out new racetracks for its, mostly based on their traditional products, and then making some adaptive adjustments and optimizations according to the new scenario of the intelligent connected vehicle. At the data level, from the cloud, management and end-to-end perspectives, corresponding solutions have been put forward. In terms of detection and service, they have also launched some corresponding network security products.
"We have investigated a domestic security manufacturer - Tianrongxin, which has formed a full range of penetration testing tools and services covering vehicle gateway, ECU, T-box, cloud and app. The next case comes from Baidu, whose automatic driving safety architecture has covered the whole life cycle of data security. "
It is worth mentioning that Tesla, which is ahead in automotive intelligent network connection, has also established a mechanism worthy of reference in the industry in response to software security risks. After Jason Hughes reported two major security vulnerabilities, Tesla followed the example of technology companies and established a public error reporting system. If a developer discovers a software vulnerability in Tesla, they can report it to Tesla. After reporting, Tesla can offer a reward of up to 15000 US dollars (about 103000 yuan).
The challenge of "the road is one foot high, the devil is ten feet high"
The field of intelligent connected vehicles is a huge market for the network security industry, but it also faces many challenges.
"First, the existing network security products and solutions do not meet the security requirements of intelligent connected vehicles; second, the path of security solutions is not the same. Some network security enterprises focus on the security of vehicle end, while others focus on the security of cloud. Although none of these solutions is better, they also need to learn from each other; third, there are still some problems in the application of safety products, such as cost and awareness," Huang Peng said.
Generally speaking, the safety problems of intelligent connected vehicles are accompanied by the intellectualization and networking of vehicles, and are also in the early stage of development. However, according to Zhang Jianxin, the safety of Internet of vehicles has developed from the first stage of vehicle safety single point protection to the second stage of systematic construction and standardization construction.
He explained that the focus of the first stage is to discover each individual attack point in the vehicle system and design the corresponding protection capability for this attack point. Now, China has established a safety standard system for the Internet of vehicles, and the security of the Internet of vehicles has realized cross platform interconnection and interworking.
In addition to the general "network security law" and "data security law", the office of network and information technology has previously issued some regulations on automobile data security management (Draft). According to the latest news, on June 21, the Ministry of industry and information technology issued the "guidelines for the construction of network security standard system of Internet of vehicles (Intelligent networked vehicles)" (Draft for comments). It proposes that by the end of 2023, the network security standard system of the Internet of vehicles (Intelligent networked vehicles) will be initially established, that key industry standards and national standards covering basic generality, terminal and facility security, network communication security, data security and other areas will be studied, and that more than 50 key and urgently needed safety standards will be formulated and revised.
The government obviously plays a key role in promoting industrial development and ensuring data security. However, Huang Peng also said that the regulatory system and standard system lag behind the development speed of the industry, that there is a problem of multi-supervision, and that it is necessary to refine some industrial management requirements as soon as possible. "From the perspective of data security supervision, the national network information department is the leading department, but when it comes to the promulgation of specific industry rules, it also needs the industry competent departments and some important industry associations to promote the relevant work."
In the long run, the safety problem of intelligent connected vehicles will not become simpler, but more challenging. "In the next stage, after the construction of standardized and systematic measures, will the Internet of vehicles be really safe? It's not." Zhang Jianxin believes that networking leads to the expansion of the attack area, that the introduction of new technologies has brought new risk points, and that new problems will continue to emerge. "The Internet of vehicles is not only vehicles, but also roadside equipment. These key infrastructure will become the key targets of organized and international hacker organizations in the future."
"We must consider from the actual combat, this is not only my personal view, now the domestic actual combat verification is in full swing." Zhang Jianxin said that at present, they have also set up a verification platform for the safety capability of the Internet of vehicles in some pilot areas. We welcome the joint participation of the industry.