Cybersecurity Considerations for In-Vehicle Infotainment Systems
The focus of today’s new-car buyer centers more on the “Digital Cockpit ecosystem experience” and less on the traditional features, such as horsepower and fuel economy. The automotive industry has made it a priority to deliver that experience with fully connected in-vehicle infotainment (IVI) systems of touchscreen displays, voice commands, and integrated information and entertainment functions.
What are In-Vehicle Infotainment Systems?
Increasingly, the end-consumer expects to be able to connect fully to their “digital ecosystem” experience. The “Digital Cockpit” is central in an in-vehicle infotainment system and is becoming a key differentiator for OEMs and their car brands.
IVI is a combination of vehicle systems deployed to deliver audio/video interfaces and control elements to a vehicle’s occupants — touchscreen displays, button panels, voice commands, and more.
Here’s a snapshot of the components or modules that comprise a “Digital Cockpit”:
- User Interface: What drivers and passengers see and interact with on the screen, either by touch or with knobs and dials.
- Head Unit: Includes the display, housing, circuit board, CD/DVD player, radio, and multiple processors — collectively called the vehicle’s head unit. It’s also the interface with all the vehicle’s physical inputs, such as the sound system and/or external cameras.
- Operating System (OS): The core of the infotainment system, the OS controls access to the processor, memory, storage, and the display — in the head unit.
- Application Framework Module: Manages everything from the Spotify app to navigation and interactions with the system, such as text-to-speech and voice commands. It controls all application functions and which apps can appear in the head unit.
- Mobile Integration: Enables the vehicle to connect with various smartphones and devices. Supports Wi-Fi, Bluetooth, and plug-and-play programs, such as Google Play’s Mirror Link, Apple CarPlay and Android Auto, which imports to the screen a modified version of the phone’s media and apps.
- Car Platforms: The software bridge between the application framework and the OS to support multimedia, video, navigation, audio, radio, acoustics, software updates, cloud services, and more.
According to a recent analysis by industry research firm Frost & Sullivan, “connected vehicles” will constitute nearly 86% of the global automotive market by 2025. In the same year, the IVI market is projected to reach $42.7 billion.
But it’s also the case that the IVI systems themselves along with third-party apps create numerous vulnerability threat points for cybercriminals. OEMs and Tier 1 suppliers of IVI systems to the automotive industry must work to ensure that the embedded code within those systems adheres to safety- and security-critical standards. Doing so helps avoid costs of a recall and impacts on business reputation.
Cyberattacks Pose Severe Risks to IVI
It can be said that connected vehicles are four-wheeled computers linked to the internet through their IVI system. And since an IVI system is part of an intra-vehicle network, it can create many vulnerable threat points for hackers who might be able to gain control of a driver’s smartphone and access personal data, manipulate vehicle safety-critical system functions, or fabricate system-update programs. So, it’s essential that IVI systems-development practices adhere to coding standards and guidelines.
Two more recent initiatives that are expected to benefit IVI systems are the ISO/SAE 21434 standard and the United Nations Economic Commission for Europe (UNECE) WP.29 regulation. These standards complement each other as both prepare the automotive industry for securing a new generation of connected vehicles.
The ISO/SAE 21434 standard builds on its predecessor, ISO 26262, which doesn’t cover software development or subsystems. ISO/SAE 21434 focuses on the cybersecurity risks inherent in the design and development of car electronics. The automotive software security standard provides a structured process to ensure that cybersecurity considerations are incorporated into automotive products throughout their lifetime.
Unlike ISO/SAE 21434, the WP.29 regulation places the onus on OEMs to manage cybersecurity risks along the entire supply chain.
How IVI Cybersecurity Vulnerabilities Impact OEMs
OEMs and their first-tier suppliers need to take steps to avoid the negative impacts of a vulnerability in their IVI embedded software as an attack can threaten the privacy and safety of drivers and their passengers. A cybersecurity incident can be incredibly costly and time-consuming and can lead to vehicle recalls that ultimately impact the bottom line, loss of reputation, and organizational productivity.
Why SAST Is Essential for IVI Systems Software Code
The static application security testing (SAST) software-testing methodology inspects and analyzes application source code, byte code, and binaries for coding and design conditions to uncover security vulnerabilities in IVI systems software. The working mechanism behind SAST is a static analysis tool that checks for design and coding flaws.
See for yourself how Klocwork helps ensure the quality of your embedded software. Request your free 7-day trial today.