The U.S. National Highway Transportation Safety Administration, or NHTSA, recently published a notice requesting comments on the topic of automotive security (http://www.regulations.gov/#!documentDetail;D=NHTSA-2014-0108-0001).
TCG has been working for some time in several of its work groups to define ways that proven standards and solutions, including the hardware root of trust enabled by the TPM, can be applied to automotive security.
TCG recently submitted comments to the agency’s notice. Those comments can be seen in their entirety here. Excerpts:
“…We suggest that the agency should examine the Trusted Platform Module (TPM), which is a dedicated, tamper resistant component designed to support secure hardware boot and remote attestation of platform integrity, that has been defined by the TCG. TPM has been widely used in the computing industry since 2004 to offer a high assurance of platform security.
ISO/IEC 11889 defines the TPM, a device that enables trust in computing platforms in general (http://www.iso.org/iso/home/search.htm?qt=11889&sort=rel&type=simple&published=on).
The notice also requests comment on the following: “What additional types of techniques (either in real world occurrences or as a part of research) have persons used to gain unauthorized access to vehicle systems? What types of systems were such persons able to gain access to?”
TCG Comment:
Attackers used all means available to gain unauthorized access to vehicle systems, including aftermarket devices they could buy on e-Bay and plug into OBD port, devices to intercept short range communication like BLE or WiFi, devices that allow stealing digital keys from key fobs which are in a house while a car is parked outside, etc. Even a simple DVD could present attackers with a possibility to infect a vehicle. USB dongles could also be used as an attack vector. In effect, any interface in the vehicle to which an attacker could connect is vulnerable and that includes vehicle-to-vehicle and vehicle-to-infrastructure channels where it was shown that local attacks against a vehicle could be propagated to infect road infrastructure and spread to other vehicles.
Attackers can gain access to virtually any system in the vehicle, especially if they have physical access to it, including breaks, airbags, IVI.
The TCG Embedded Systems Work Group (EmSys) develops trust and security specifications for embedded computing platforms such as automotive vehicles. Our viewpoint is that a connected vehicle should be resistant to common hacking techniques such as fuzzing, sniffing, code injection, code modification, and so on.
The notice and all comments can be found here: http://www.regulations.gov/#!documentDetail;D=NHTSA-2014-0108-0001
Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.
Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.
Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.