Securing Inter-Processor Communication in Automotive ECUs 2019-26-0363
Modern cars now come with sophisticated telemetry, which often involves connecting to the internet over mobile telephone networks or Wi-Fi. The telemetry or cloud functions of the car are typically handled by a Telematics Control Unit or the Infotainment System. The microcontrollers (Host Processor) powering these ECUs are very powerful and often run operating systems such as Linux or QNX to drive the large displays or perform modem functions. These powerful microcontrollers take several seconds to start up and do not offer hard real-time performance, yet fast startup and hard real-time performance are both critical for handling the vehicle CAN network. Hence, it is common to include a less powerful microcontroller in the ECU to manage the vehicle CAN network. These smaller microcontrollers (Vehicle Processor) can start up fast and provide hard real-time performance. The Host Processor and the Vehicle Processor are connected by the Inter-Processor Communication Link (IPCL), over which they exchange information. This communication link, while often overlooked in terms of complexity and importance, must also be included in security and threat analysis. This was made obvious when the vehicle functionalities of the 2015 Jeep vehicle were controlled remotely by unauthorized actors, which involved compromising the communication link and reprogramming the Vehicle Processor to take control of the vehicle CAN bus. This paper analyses the threat vectors pertaining to the IPCL and provides solutions that address each of those threats with minimal impact on the performance of the communication link.