Immobilisers and (in)security

Barnaby Donohew asks if increasingly complex vehicle security systems are an opportunity or a risk

Published: 24 October 2017

We need to talk about security. Why? Because deliberately or not, its effects are mutating our opportunities within the automotive aftermarket. We need to understand more about it and, at some point, to try to anticipate the eventual set of circumstances to which it might lead. As they say, forewarned is forearmed.

We’ll begin by looking at an example of a recent security system and checking out its inner workings. We’ll review its potential vulnerabilities and assess the need for, and impacts of, increased security. First though, we’ll cover some general concepts, to keep in our minds the bigger picture regarding possible motivations for increased security.


Security
Security is the protection of things having value, where they might be at risk from theft or attack; i.e. when they have, or are perceived to have, a vulnerability. Security aims to prevent an agent of ill intent (e.g. criminals, intruders, missiles, computer viruses etc.) from gaining access. The consequence of this is the introduction of barriers to those requiring legitimate access, such as owners, occupiers, citizens or data-holders. This dichotomy is at the heart of all security implementation issues. It always begs the question: what level of security balances an intended degree of protection from risk with the subsequent barriers to legitimate access or freedoms?

As the assessment of risk primarily determines the necessary level of security, it is not hard to imagine that superficially legitimate security concerns can be used to justify limiting access to a favoured group. It’s a simple trick: just inflate the perceived risks and exaggerate the vulnerabilities where necessary. A similar mechanism can be used in a health and safety environment, where behaviours that are legitimate but undesirable in the eyes of the decision makers can be quashed by deliberate overstatement of the perceived risks. When loaded with the weight of moral absolutes (“lives are at stake”), the arguments seem powerful, but are they really intended to shut down reasoned debate regarding the actual risks? Anyway, the point is, we cannot have a reasonable discussion regarding proportionate levels of security without being able to properly assess potential vulnerabilities and associated risks.


Immobilisation
Vehicle immobiliser systems have been developed to protect vehicles from theft. There is a clear need for such security, as the risks are very real. Car thefts were far more common before immobilisers were developed. Such systems work by only allowing vehicle mobilisation when the key placed in the ignition switch is one of the unique set authorised to start the vehicle. The following describes a representative immobiliser system and its behaviour during ignition-on and engine-start conditions, just after the car has been unlocked. As we will be discussing potential vulnerabilities, the make and model is not given.

Component-wise, such systems usually consist of a transponder in the key head, a transponder coil around the ignition switch and an immobilisation control system within either a dedicated immobiliser control module, or another control unit, such as the central electronics module (CEM). The CEM might be hard-wired to an immobiliser indicator in the dashboard or instrument cluster (IC), to indicate the system’s status to the user. The CEM will communicate with the engine control module (ECM) using a CAN bus. Note that, if the CEM is on the medium-speed CAN bus and the ECM on the high-speed CAN bus, then a control module that is connected to both buses, such as the IC, will need to act as a gateway to communications between the two.

There are usually two stages to the authorisation/start process; the first, a key checking phase, is initiated when the key is placed in the ignition barrel and the second is a start-authorisation phase, instigated when the operator turns on the ignition.

A typical key checking phase might progress as follows (see Figure 1 for the representative signals): initially the system will be in an immobilised state, indicated by periodic flashing (e.g. once every two seconds) of the immobiliser indicator. When the key is placed in the ignition switch, the CEM energises the transponder coil (e.g. at 125 kHz), which excites the transponder. The transponder responds by transmitting identification and rolling code data to the CEM via an inductive voltage within the transponder coil circuit. The CEM will check the returned data against the stored data to confirm its identity. The CEM might double-check the key identity using the same mechanism.

The start-authorisation phase proceeds as follows: when the ignition key is turned to position II (ignition on), the ECM detects the ignition supply voltage and sends a start request CAN message to the CEM. If the key is valid, the CEM responds positively, with a code derived from the message contents sent by the ECM. In return, the ECM replies to confirm that the vehicle is in a mobilised state and that it can crank and run the engine. Upon receipt of this confirmation message, the CEM can illuminate the immobiliser indicator (e.g. with a one second confirmation flash) and then turn it off. If the key is invalid, the CEM will respond negatively to the ECM’s start request message, such that the ECM will not crank or start the engine, and the immobiliser indicator will continue to indicate an immobilised state.
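The two-phase exchange just described, modelled as an added example (not code from the article or from any vehicle manufacturer): the key check with a rolling code, then the ECM's start request answered by the CEM with a code derived from the request, with the ECM confirming the mobilised state and the indicator changing accordingly. The keyed-hash code derivation, the CAN identifiers, the 200 ms reply window (the time frame mentioned under Insecurity below) and the counter tolerance are all assumptions, since the article does not disclose them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed CAN identifiers, reply window and counter tolerance; none are real vehicle values.
CAN_START_REQUEST, CAN_START_RESPONSE, CAN_MOBILISED = 0x101, 0x102, 0x103
RESPONSE_DEADLINE_MS = 200   # the ECM expects the CEM's reply within this time frame
COUNTER_WINDOW = 16          # transponder counter values the CEM tolerates being skipped

def mac4(secret: bytes, data: bytes) -> bytes:
    # 4-byte keyed code; stands in for the vehicle's undisclosed code-derivation algorithm
    return hmac.new(secret, data, hashlib.sha256).digest()[:4]

@dataclass
class Transponder:
    key_id: bytes
    secret: bytes
    counter: int = 0

    def respond(self):
        self.counter += 1   # excited by the coil: reply with identity plus a fresh rolling code
        return self.key_id, self.counter, mac4(self.secret, self.counter.to_bytes(4, "big"))

@dataclass
class CEM:
    keys: dict                   # key_id -> [secret, last accepted counter]
    link_secret: bytes           # shared with the ECM for the start-request exchange
    key_valid: bool = False
    indicator: str = "flashing"  # immobilised state is shown by periodic flashing

    def check_key(self, reply) -> bool:   # key checking phase: compare reply with stored data
        key_id, counter, code = reply
        secret, last = self.keys.get(key_id, (b"", counter))   # unknown key is never fresh
        fresh = last < counter <= last + COUNTER_WINDOW        # a replayed code is stale
        self.key_valid = fresh and hmac.compare_digest(code, mac4(secret, counter.to_bytes(4, "big")))
        if self.key_valid:
            self.keys[key_id][1] = counter
        return self.key_valid

    def handle_start_request(self, msg):   # positive reply carries a code derived from the request
        if msg["id"] != CAN_START_REQUEST or not self.key_valid:
            return {"id": CAN_START_RESPONSE, "ok": False}
        return {"id": CAN_START_RESPONSE, "ok": True, "code": mac4(self.link_secret, msg["challenge"])}

@dataclass
class ECM:
    link_secret: bytes
    mobilised: bool = False
    pending: dict = field(default_factory=dict)

    def start_request(self, now_ms: int):
        # ignition position II detected: send the start request carrying a fresh challenge
        self.pending = {"challenge": os.urandom(8), "sent": now_ms}
        return {"id": CAN_START_REQUEST, "challenge": self.pending["challenge"]}

    def handle_start_response(self, msg, now_ms: int):
        # crank only for a timely, positive reply carrying the expected code
        in_time = now_ms - self.pending["sent"] <= RESPONSE_DEADLINE_MS
        expected = mac4(self.link_secret, self.pending["challenge"])
        self.mobilised = bool(msg.get("ok")) and in_time and hmac.compare_digest(msg.get("code", b""), expected)
        return {"id": CAN_MOBILISED} if self.mobilised else None

def build_vehicle():   # constructed sample: one authorised key, plus a CEM and ECM sharing a link secret
    key = Transponder(key_id=b"KEY1", secret=b"demo-key-secret")
    return key, CEM({key.key_id: [key.secret, 0]}, b"demo-link-secret"), ECM(b"demo-link-secret")

def ignition_cycle(key, cem, ecm, delay_ms=50):   # key in, ignition on -> (may crank, indicator)
    cem.indicator = "flashing"                       # each cycle starts immobilised
    cem.check_key(key.respond())
    reply = cem.handle_start_request(ecm.start_request(now_ms=0))
    if ecm.handle_start_response(reply, now_ms=delay_ms):
        cem.indicator = "off"                        # after the one-second confirmation flash
    return ecm.mobilised, cem.indicator

if __name__ == "__main__":
    print(ignition_cycle(*build_vehicle()))
```

A key with the wrong secret, a replayed transponder reply, an unknown key identity and a reply arriving after the deadline all leave the ECM immobilised and the indicator flashing.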


Insecurity
The immobiliser’s subsystems could be vulnerable to several types of attack.

Key recognition: the key recognition subsystem, consisting of the CEM, transponder coil and transponder, could be prone to attack if the correct rolling codes could be transmitted in the right way and at the right time. Note that to move the vehicle, the correct mechanical key would still need to be in place to release the steering lock etc. Keyless start systems present other sequencing issues (related to direct CAN messaging, described below), which would need to be co-ordinated with the press of the engine start button etc. The biggest vulnerability, and the simplest way to attack the system, is to clone an authorised key.

Direct access to the CAN bus: if the start request from the ECM and the subsequent immobiliser-related messages can be intercepted and the appropriate (algorithmically generated) response codes returned, then the CAN communication system could be used to carry out unauthorised mobilisation of a vehicle. The method would rely on a controllable communication device having a physical connection to the CAN bus. Timing is important (the messages are often expected to be received within a certain time frame) and the genuine responses sent out by the immobiliser controller would need to be dealt with (e.g. filtering out its likely negative response to a start request, which might otherwise cause the ECM to immobilise itself).

Aside from the practical connectivity and sequencing issues, there is the issue of knowing how to generate the correct response codes to a start request. Although the codes are observable on an unencrypted network, the relationship between the incoming and outgoing codes can be extremely difficult to calculate using analytic methods alone and is more likely to be determined by reverse engineering the control unit’s program files. Aside from the legal implications, the challenge is still great, which is very likely why it does not appear to have happened.

Indirect access to the CAN bus: given the potential difficulties of physically placing a communication device on the CAN bus, an alternative approach is to hijack a device that is already connected. Any internal (software or hardware) system within a connected control module that has access to the controller’s CAN interface might provide a channel through which unauthorised access could be attempted (especially if a vehicle manufacturer has already built in a remote starting capability).

It is this type of attack that has been highlighted as a particular concern with the advent of connected vehicles, purportedly presenting hackers with the opportunity to remotely control some or all of a vehicle’s functionality. There have been notably few examples of vehicles being hacked in this way and it will be very interesting to see if that changes over the coming years.

All in all, the challenges needing to be overcome to take advantage of any of the three perceived vulnerabilities and to steal a car are great. Quite simply, the easiest form of attack is to clone a key. The question is then, what are the motivations for ill-intentioned agents to attack our automobiles, and are they likely to want to try to steal a car through attacking the immobiliser system? I’m not sure I’m qualified to answer that.


Information
There is a further, related development that has already dawned within our automotive landscape. Our modern motor vehicles are capable of generating significant volumes of personal data regarding much of our travel and lifestyle habits. This information is hugely valuable. Google’s worth is colossal, and its value is driven purely by its knowledge of our online browsing habits (through the use of its web applications). For the most part, though, we are not always online. Imagine if Google could collect a raw feed of data regarding our offline habits, such as those we create when we travel within our vehicles. How much would a company with access to that data be worth? With that thought, it is clear why tech firms are falling over themselves to tap into our automotive existences.

Given that all this valuable data is flying around unencrypted vehicle communication networks (much of it is required by engine, navigation, entertainment and ADAS systems etc.), why, in their right minds, would the vehicle manufacturers not want to encrypt that data and keep it to themselves? By doing so they would be able to prevent any third parties, including (coincidentally) aftermarket diagnostic tool manufacturers, from having any access to a vehicle’s CAN bus data without the vehicle manufacturer’s prior consent.

Now, in that context, wouldn’t it be convenient if the vehicle manufacturers jumped upon the reports of the hackers’ abilities to put lives at risk, so as to justify the encryption of vehicle networks? Conspiracy theory? Maybe. I am susceptible. I once imagined that the large discrepancy between real-world and quoted fuel efficiency figures could have been indicative of an OE-level distortion of engine test results…


Further tech info
http://automotiveanalytics.net/agile-diagnostics



©DFA Media 1999-2018