FBI vs Apple – Implications for connected car security and privacy
Last week the Federal Bureau of Investigation (FBI) and tech giant Apple clashed over a case to mine data from an iPhone involved in the San Bernardino, California, terrorist attack that happened late last year.
The clash involves the FBI obtained iPhone 5c of Syed Farook, one of the individuals involved in the attack of Inland Regional Center in San Benardino. While the FBI has a warrant to search the phone, the passcode protecting the device prevents the federal agency from obtaining information.
Things heated up on Tuesday, February 16th, when a federal judge ordered Apple to assist the FBI by developing software that will circumvent the stringent security layers behind Apple's simple-looking passcode. Apple's CEO Tim Cook responded himself on Wednesday by essentially saying "no," thus igniting a rhetorical war between homeland security hawks and cyber security advocates.
This insight will explain the security measures designed into iOS devices, what the FBI wants Apple to develop to circumvent them, as well as the implications in the car.
What the FBI wants
What the FBI wants is for Apple to build a backdoor around its rugged security apparatus. This universal "unlock" key would essentially require a flash-update and new code on the cryptology engine that would allow brute force attacks to succeed in an insignificant amount of time thus unlocking the phone and its data. It's important to note that the FBI isn't asking Apple to modify iOS or any of its software level security but instead is asking for modifications to the hardware level and firmware level security.
Apple is understandably worried that building such a backdoor for this specific case will create vulnerabilities across all of its iOS devices. Apple posits that once such a bypass is created it is only a matter of time before such information falls into the wrong hands. Perhaps another country will reverse engineer the firmware bypass and use it to spy on its populace, for instance.
Implications in the car
Cyber security in the car is in a nascent stage. Most controller area networks in the car weren't designed with security in mind and mainly act as broadcast mediums making them very vulnerable to attack. Most of the immediate cyber security solutions being proposed in the car are small software based encryption systems to prevent denial-of-service (DoS) attacks on safety critical engine control units (ECUs) and microcontrollers (MCUs). These solutions mostly reside on the controller area networks.
Eventually, automobiles will feature more advanced ECUs with more processing power, RAM and flash memory for stronger encryption, high throughput buses, background processing and more secure boot loading. More sophisticated hardware will lead to hardware level security similar to what is seen on the iPhone.
Fortunately for most of today's cars, they don't have any sort of gateway or telematics control unit (TCU) that connects these vulnerable systems to the web and thus to attack. There also isn't a lot of stored data in most of today's vehicles.
However, connected vehicles can hold a treasure trove of data, especially in the infotainment system which essentially functions similar to a smartphone or tablet computer. Infotainment systems have similar types of stored data like text messages, call logs, contacts, calendars, device settings, waypoints, and more.
Like Apple, today's OEMs comply with subpoenas and search warrants when it comes to this type of data-including remote server data which can be used against you in a court law.
As cars become highly- or fully-autonomous, more productivity will come to infotainment systems and users will likely want similar levels of protection seen on the iPhone and Android devices. In fact, many suppliers and OEMs have already shown cockpit concepts and reference designs that utilize passcodes and finger print technology to further secure user data.
In this regard, Apple standing its ground acts as an important precedent in regards to the privacy of stored personal data. It remains to be seen if this precedent would also pertain to automobiles. In most jurisdictions today, an automobile and its information can be searched with a warrant and it may be more difficult for OEMs to use the same legal reasoning as Apple has, assuming the company succeeds.
The auto industry can also learn from the Apple iPhone's security structure and implementations including on-chip MCU security features and the multiple levels of software security.
Colin Bird is Senior Analyst, Automotive Technology, IHS Automotive
Posted 22 February 2016
- AutoMobility LA Previews Continue
- AutoMobility LA 2019: Automakers focus on electrification, utility vehicles
- California tightens availability of EV credits
- EU expects to avoid US tariffs on cars
- Sales of electrically chargeable vehicles in EU grow 51.8%
- Japan looking to subsidise compact BEVs
- The UK passenger car market went into retreat again in October, falling by 6.7% year on year
- UK government considering green number plates to identify zero-emission vehicles
Press previews at the 2019 AutoMobility LA convention and auto show this week have included several reveals of auto… https://t.co/rZ9aqPaT20