Analysis and Countermeasure of the Status Quo of Intelligent Connected Vehicle Information Security
Car information security is inevitable, and car information security is a prerequisite for the development of intelligent networked vehicles. Only by realizing the information security of automobiles can the healthy development of intelligent networked vehicles be guaranteed. Vulnerabilities are inherently based on the CMM model speculative software with about 0.32 security holes per 10,000 rows. And the intelligent networked car system is extremely complicated, its software code is easily more than 100 million lines, and the hidden vulnerabilities will exceed 3,300.
At the "The 4th Annual China Automotive Cyber Security Summit" hosted by GRCC, Mr. Liu Yangyang from the Data Resource Center of China Automotive Technology Research Center explained the analysis and response of the intelligent information security status of intelligent network.
The issue of car information security is very important. It will affect property security, life safety, and even national security. Therefore, car information security cannot be delayed. After many times of automotive information security testing, Mr. Liu summarized the current status of the current car for us: the status quo 1: the level of information security of the car network is limited, hindering the development of smart cars; the status quo 2: the host factory is not bound enough to the IT company, resulting in The security level of the networked auxiliary products is not up to standard; the status quo 3: The OEMs focus on the T-BOX, ignoring the information security of other components; Status 4: Frequent attacks on car events frequently.
First of all, Mr. Liu explained to us the relevant policies and regulations of the country: In the past two years, automobile information security has become one of the major development strategies of the country. More institutions in the industry have begun to pay attention to automobile information security, and the VTC has gradually formed “5+4+”. 1" standard project team working mode. And on December 25, 2018, written on December 25, the Ministry of Industry and Information Technology released the "Car Network (Intelligent Networked Vehicles) Industry Development Action Plan" mentioned three aspects of automotive information security: 1, sound security Management system: Focus on operational safety, network security and data security of products and systems, clarify relevant subject responsibilities, conduct safety supervision and inspection regularly, improve event reporting of vehicle networking network and data security, emergency management and responsibility identification, etc. . 2, improve security protection capabilities: focus on the industry's functional security, network security and data security core technology research and development, support security protection, vulnerability mining, intrusion detection and situational awareness and other security products. Supervise and urge enterprises to strengthen network security protection and data security protection, and build a comprehensive factor security detection and evaluation system for intelligent networked vehicles, wireless communication networks, vehicle networking data and networks, and conduct security capability assessment. 3. Promote the construction of safety technology means: Enhance the support ability of industrial safety technology, focus on improving the level of hidden danger investigation, risk detection and emergency response, and build safety platforms such as monitoring and early warning, threat analysis, risk assessment, test verification and data security. Promote enterprises to increase safety investment, innovate safety service and consulting and other service models, and enhance the industry's security services capabilities.
Then Teacher Liu introduced and showed the work of the China Automotive Research Center. Carry out research on information safety testing technology for complete vehicles and key components, and find out the maximum information of vehicle information safety through testing, and propose repairs to protect automobile information security. And showed us the network architecture test, T-BOX test and ECU test. In ECU security testing, it is mainly software security, hardware security and communication security. In the software security, the firmware code of the device is obtained by the tool, the analysis code is disassembled, and the code for the production seed and the key is found. Traditional embedded attacks are used in hardware security. In communication security, the system is infused with carefully constructed input information to perform unintended operations.
Finally, Mr. Liu introduced and demonstrated the Vulnerability Emergency Response Platform (CAVD): drawing on the experience of the Internet and the financial industry, establishing an emergency response mechanism through vulnerability collection, management, and system operation, aiming to reduce the harm after the security problem occurs. To the minimum.