Internet connectivity combined with the specter of self-driving has turned a spotlight on in-car infotainment including video services, but the pay TV industry has been slow to latch on to the opportunities. Fears over security may be one impediment, which is why Irdeto has stood out from its revenue protection peers by making a play in the connected car field through at least two partnerships. While its competitors are also targeting the IoT (Internet of Things), generally most of them have not singled out the connected car for particular focus.
Kudelski is collaborating with u-blox, a fabless wireless integrated circuit design house, to integrate its IoT security suite into the latter’s modules aimed at the automotive and industrial sectors, but this is more about positioning for self-driving than infotainment. Verimatrix had hinted it would not address connected car security for now because it involved different partners and distribution channels, although that may change after its acquisition by France’s Inside Secure for $143 million in December 2018.
For now then, Irdeto is the only traditional pay TV revenue protection company making a strong play for the connected car, after announcing around CES 2019 two partnerships addressing different aspects of automotive security. One with London-based mobile app developer Conjure is tackling the security of smartphone-based services such as remote car key and wallet applications enabling ride sharing services. This has just culminated in the launch of Keystone, a companion app that enables remote lock operation as well as management of sharing and riding services with support for location as well as payment. Keystone combines tamper-proof policy management designed to prevent various potential vehicle hacks, including Man-in-the-Middle and Man-at-the-End attacks, remote and in-vehicle tampering, and reverse engineering. This is achieved through integration with Irdeto Cloakware Software Protection.
More relevant for pay TV operators is Irdeto’s other new partnership with Japan’s Access centered on infotainment but also addressing the overlap with other components of the connected car that can be vulnerable to the same points of attack. The primary mission is to extend current pay TV security to connected car infotainment systems as another category of OTT device, but the companies recognize that the car presents some unique challenges resulting from the proximity of safety critical systems as well as other entry points of attack.
So, as well as aiming to secure infotainment content delivered to the vehicle, the two companies are also focusing on network communications and endpoints in the connected vehicle ecosystem, such as telematics ECUs (Engine Control Units), the in-vehicle entertainment system itself, and roadside units. They talk of multi-layered security, which seems to have become mandatory in marketing communications associated with connected car system protection. Irdeto says it wants to build out from entertainment protection to address all the cybersecurity requirements of the connected car, including privacy protection, countering data theft and preventing compromise of critical components.
It says it has introduced unsupervised machine learning algorithms designed to detect the abnormal vehicle behavior that could result from exploitation of an unknown vulnerability. This is being integrated in the Access Twine for Car, which bundles the various connected entertainment options into a single UI.
This move into the connected car is bringing Irdeto up against different competitors than the ones it has faced in pay TV revenue protection, sometimes with roots in enterprise cybersecurity. Some vendors of automotive components, such as Germany’s Continental, now incorporate security at the design phase of all products in partnership with cybersecurity specialists where necessary. This begins with risk analysis before any new project and assurance that the end product will support upgradeable security in the field to anticipate advancing threats.
The company notes that cyber-attack surfaces are expanding as connected car services become increasingly interrelated, with notable vulnerabilities being in infotainment systems, smartphone apps, Bluetooth connections, communication intercepts such as keyless entry and even tire pressure sensors, as well as direct network access via the OBD (On Board Diagnostics) port. As one example that could be relevant for video, a vehicle’s infotainment system could, through the CAN Bus, gain control of an ECU controlling the autonomous emergency braking or other safety critical system. The potential attack domain is then set to expand further to include the IT-infrastructure of dealers or repair shops, as well as the digital supply chain.
Some companies that have entered the connected car realm from a cybersecurity background, such as Israel’s Argus, have outlined clearly what multi-layered security means here and why it is desirable. Essentially, it addresses the interconnectedness of the various connected car components addressing different end applications. This means that the first layer, comprising defensive software solutions that can be housed locally on individual ECUs to secure these against attacks, is not sufficient on its own to protect the whole car against compromise, although it provides the foundation for security.
The next level is then software to protect the vehicle’s whole internal network by scrutinizing all communications links, illuminating any changes in normal in-vehicle network behavior and aiming to block attacks from advancing even if they have penetrated the first level of defense. Then, at the top, the end-user structures, particularly the infotainment system, need insulating from external attack. This is the most critical layer for the car’s overall defense system because it guards the border between the vehicle’s internal network and the external Internet.
German security services supplier Escrypt has gone further by adding a fourth layer it calls Intrusion Detection and Prevention Solution (IDPS) that records details of attempted attacks and forwards the data automatically to a cybersecurity backend for evaluation. This adds the monitoring dimension already being deployed by some of the pay TV revenue protection vendors such as Verimatrix and Kudelski’s Nagra, but Escrypt has honed it into a five-stage defence procedure that is executed as a continuous process exploiting knowledge of past attacks. At this stage the process has only been partially automated, with security and data forensic experts in its own Cyber Defense Center deciding on countermeasures. These can include adjustments to the firewall, updates to the rule sets, or closing loopholes that have been identified in the software, which then may require close cooperation with manufacturers of the infotainment system or other ECUs affected by the breach.
This highlights the complexities involved, which Irdeto will have to engage with to become a complete connected car security provider. It is easy to see why Verimatrix and others have shied away so far, but it may be they end up with little choice but to get involved as connected cars become important endpoints for video entertainment.