How would you feel if you spent months designing a part for a new car, only to discover third-party vendors offering versions of the component that are strikingly similar to yours? Or, what if you're a driver who discovers non-genuine parts inside your vehicle? With electronic systems becoming increasingly prevalent in today's cars, protecting your designs from counterfeiting or similar threats should be a top consideration in the name of safety.
Indeed, the automotive industry is currently undergoing one of its most innovative moments in history. With more electronic components inside, there are more points of vulnerability to consider than ever before. As automotive OEMs progress toward fully autonomous vehicles, there are growing fears that self-driving cars will be easily hacked. You might remember the well-publicized white-hat hackers' effort to remotely kill a Jeep during a highway drive a few years ago.1 But it isn't only self-driving cars that could be affected. The problem of unauthorized parts has been a growing area of concern, considering they can trigger incidents such as:
- Counterfeit airbags not deploying properly after a collision
- Unauthorized engine and drivetrain components triggering engine failure or even fires
- Non-genuine body parts not performing as intended in a collision
- Improperly made brake pads compromising the vehicle's stopping capabilities
- Fake windscreens that shatter or displace2
As cars continue to boast greater intelligence and rely more heavily on data from over-the-air (OTA) updates, secure software is a key component of protecting the automotive ecosystem, as well as of ensuring that the data sent to and from the car stays private and keeps its integrity. When it comes to protecting peripheral systems in cars, hardware security remains key, especially for key management. Ordinary flash memory offers no guaranteed protection against invasive probing: an attacker can modify the flash contents, inject additional keys that the system will then treat as trusted, or read the stored key out. Once the key has been extracted, it can be cloned as many times as the attacker likes, and every clone will be accepted as a valid part of the system. Worse, knowing the private key lets a clone sign data and send it to the vehicle's electronic control unit (ECU), which will accept that data as valid. Bottom line: security, clone prevention, and system integrity all rest on the private key being unclonable and immutable.
If software security isn't enough, what else can be done to protect automotive systems? Hardware security modules (HSMs) are being used to secure various components within a system. HSMs can, however, be costly and are often larger in size and greater in complexity than a standalone authenticator. For these reasons, HSMs are often a great choice for adding security in the larger, more centralized systems within the car, such as one of the many ECUs. HSMs are especially necessary when large quantities of data may need to be encrypted or validated, such as when that data is being pushed up to the cloud as it is with OTA updates. However, for securing smaller peripherals within a car, such as a camera or sensor, HSMs are not the best option due to size and cost. So how does one implement hardware security, while keeping cost and size down?
Secure authentication provides a proven technique to prevent counterfeiting. It supports use cases including:
- Safety and reliability: make sure only OEM-approved components are connected to critical systems in the vehicle
- Data integrity: confirm that only genuine modules and sensors, whose output can be trusted, are connected
- Secure boot: validate firmware images before they are installed or executed, catching corrupted loads and rejecting malicious images
- Feature control: securely manage system features as subscription- or factory-based options
With secure authentication ICs, you can authenticate module and sensor combinations remotely or locally.
Figure 2. A secure authenticator in a peripheral component communicates with the vehicle's ECU within the car to prove that this component is a valid part of the OEM's system before mission-critical data is sent to the ECU. This sequence prevents clones and unauthorized counterfeits from operating within the automotive system.
Some OEMs are even implementing two-way (mutual) authentication on high-value components that are at a higher likelihood of getting stolen. In this approach the peripheral also authenticates the ECU it is connected to, not just the other way round. If a component is stolen from a vehicle and placed in another car or system, the authenticator within the peripheral cannot verify that host and can refuse to operate. This prevents stolen vehicle components from being repurposed.
Maxim's DS28C40 provides an example of a secure authenticator that was specifically designed to stop the growing threat of automotive component counterfeiting. The device provides:
- ECC-P256 compute engine
- SHA-256 compute engine
- FIPS/NIST-compliant true random number generator
- 6Kb (kilobits) of one-time programmable memory for user data, keys, and certificates
- Configurable GPIO
- Unique 64-bit ROM ID
- I2C communication up to 1MHz
Given its small size, the DS28C40 can be embedded inside any automotive peripheral at risk of being cloned, replaced, or stolen, such as a camera, sensor, EV battery, or front-light module. Its role within the peripheral is to prove to the ECU that the component is a genuine, OEM-approved part of the system. The device does this with ECDSA, an asymmetric algorithm that relies on a public-private key pair and a certificate to validate the device to the host ECU. Asymmetric cryptography makes key management easier: the host never needs to hold a secret shared with each peripheral. The private key, which is unique to each authenticator, is stored in the DS28C40 and cannot be read out. On the host ECU side, the public key is read from the authenticator, and, as "public" suggests, it does not need to be protected against discovery. It does, however, need to be verified before it is trusted: the certificate, signed by the OEM, binds that public key to the device, and the host checks it against the OEM public key it holds. Without that step a clone could simply present a key pair of its own; with it, the clone fails certificate verification and is rejected.
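The exchange described above, as an added example that is not code from the original article or from Maxim: a Go model of both sides of the challenge-response protocol using the standard library's P-256 ECDSA. The host's only trust anchor is the OEM public key; the peripheral's public key is accepted only after its certificate checks out, and only then is the signed challenge verified. The certificate format (a bare OEM signature over the ID and public key), the ECU identifier, and the ROM ID value are assumptions made for illustration; the DS28C40's real certificate layout and command set are not described on this page. The same functions also play the two-way case discussed earlier (a part moved into a system certified under some other key), a clone that copied the readable ROM ID and certificate but could not extract the private key, and a replayed response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must: a failing RNG or signer is fatal here, so (value, error) becomes value-or-panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// pubBytes serialises a P-256 public key as X||Y, the raw 64 bytes a host reads from the authenticator.
func pubBytes(pub *ecdsa.PublicKey) []byte {
	return append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...)
}

// Party is one side of the exchange: the peripheral's authenticator or, for
// two-way authentication, the ECU. priv never leaves the Party.
type Party struct {
	ID   []byte // 64-bit ROM ID for a peripheral; an ECU identifier for the host (assumed)
	Cert []byte // OEM signature over SHA-256(ID || public key)
	priv *ecdsa.PrivateKey
}

// Provision mimics the OEM factory step: generate the key pair and certify the
// public key, bound to the ID, under the OEM signing key. The "certificate" is a
// bare ECDSA signature, an illustration rather than the DS28C40's real layout.
func Provision(oem *ecdsa.PrivateKey, id []byte) *Party {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	h := sha256.Sum256(cat(id, pubBytes(&priv.PublicKey)))
	return &Party{ID: id, Cert: must(ecdsa.SignASN1(rand.Reader, oem, h[:])), priv: priv}
}
func (p *Party) Pub() *ecdsa.PublicKey { return &p.priv.PublicKey }

// Respond signs SHA-256(ID || challenge). Binding the ID into the message means
// a response captured from one part cannot be passed off as another's.
func (p *Party) Respond(challenge []byte) []byte {
	h := sha256.Sum256(cat(p.ID, challenge))
	return must(ecdsa.SignASN1(rand.Reader, p.priv, h[:]))
}

// Verify is the verifier's side. Its only trust anchor is oemPub, held in its own
// firmware: the peer's public key counts for nothing until the certificate shows
// the OEM signed it together with this ID; only then is the response checked.
func Verify(oemPub *ecdsa.PublicKey, id, cert []byte, peer *ecdsa.PublicKey, challenge, resp []byte) bool {
	ch := sha256.Sum256(cat(id, pubBytes(peer)))
	if !ecdsa.VerifyASN1(oemPub, ch[:], cert) {
		return false // public key not certified by the OEM for this ID
	}
	rh := sha256.Sum256(cat(id, challenge))
	return ecdsa.VerifyASN1(peer, rh[:], resp)
}

// NewChallenge returns a fresh 32-byte nonce; reusing one would permit replay.
func NewChallenge() []byte {
	c := make([]byte, 32)
	must(rand.Read(c))
	return c
}

// Results records whether each scenario's response was accepted.
type Results struct{ Genuine, Clone, Replay, ECU, ForeignECU bool }

// RunScenarios plays a genuine part, a clone, a replay, and both directions of
// two-way authentication. The IDs are constructed for the example.
func RunScenarios() Results {
	oem := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // OEM signing key, factory only
	oemPub := &oem.PublicKey                                     // the one key the ECU trusts
	sensor := Provision(oem, []byte{0x4e, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07})
	ecu := Provision(oem, []byte("ECU-BODY-01"))
	var r Results
	// ECU authenticates the sensor.
	c1 := NewChallenge()
	resp1 := sensor.Respond(c1)
	r.Genuine = Verify(oemPub, sensor.ID, sensor.Cert, sensor.Pub(), c1, resp1)
	// Clone: ROM ID and certificate copied from a real part (both are readable),
	// but the private key could not be extracted, so it carries its own key pair.
	clone := &Party{ID: sensor.ID, Cert: sensor.Cert, priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	c2 := NewChallenge()
	r.Clone = Verify(oemPub, clone.ID, clone.Cert, clone.Pub(), c2, clone.Respond(c2))
	// Replay: a sniffed response presented against a new challenge.
	r.Replay = Verify(oemPub, sensor.ID, sensor.Cert, sensor.Pub(), NewChallenge(), resp1)
	// Two-way: the sensor challenges the ECU before it will operate.
	c4 := NewChallenge()
	r.ECU = Verify(oemPub, ecu.ID, ecu.Cert, ecu.Pub(), c4, ecu.Respond(c4))
	// A stolen part fitted to a vehicle whose ECU was certified under some other key refuses to operate.
	foreign := Provision(must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), []byte("ECU-BODY-01"))
	c5 := NewChallenge()
	r.ForeignECU = Verify(oemPub, foreign.ID, foreign.Cert, foreign.Pub(), c5, foreign.Respond(c5))
	return r
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

Running it prints `{Genuine:true Clone:false Replay:false ECU:true ForeignECU:false}`. The point to carry over to a real integration is the order of checks in Verify: certificate first, against a trust anchor the verifier already holds, and only then the signature over a nonce the verifier generated itself.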
Test-drive the DS28C40 for your next automotive design by buying the evaluation kit. DS28C40EVKIT, available for $68.25, consists of five DS28C40 devices in a 10-pin TDFN package, a DS9121CQ+ evaluation TDFN socket board, and a DS9481P-300# USB-to-I2C/1-Wire adapter.
This blog post was adapted from an article that originally appeared on Electronic Design on January 22, 2020.