The use of advanced IT equipment in automobiles is growing rapidly, increasing the importance of the security of that equipment. We are supporting this trend in two ways:

Support of laws and regulations on in-car security

Currently there are three in-car devices for which a security certification is mandated by Dutch law and/or European regulations:

  • For European digital tachographs (a device recording vehicle speed and driving time), both the smartcard and the vehicle unit must currently be certified
  • All Dutch alcohol interlocks (a device preventing intoxicated drivers from starting their car) must be certified by 2011
  • All Dutch taxi board computers must be certified by 2012

We support these programs by providing consultancy to developers on how to meet the security requirements and by performing the requisite security evaluations.

Support of in-car security

Modern vehicles incorporate up to 80 microprocessors in many kinds of control units connected via several different bus systems. Additional communication interfaces are being added to the on-board network to enable communication to the outside world. This ranges from embedding mobile devices into the car up to enabling the vehicle itself to communicate with other vehicles and with the traffic infrastructure (V2X). In fact, electronic systems inside the automobile contribute almost half of the manufacturing costs of a new car. All of these new technologies demand additional security for protecting the car against unauthorized access or manipulation of essential systems.

We support car manufacturers in gaining assurance on the security level of the electronic components (ECU’s) that are delivered by external as well as internal suppliers. Depending on the assets protected by these devices, various attack techniques can be deployed. These range from probing of the circuit board, module interrogation, misuse of (debug) interfaces, unauthorised software retrieval and modification to reverse engineering and component replacement.

We also perform risk analyses of system security solutions and integration of third party consumer electronic devices into the onboard systems. In these complex systems, logical attacks aimed at exploiting implementation or design errors are also considered. This enables manufacturers to validate their risk model and implement additional risk mitigating mechanisms.

Furthermore, we act as a consulting party providing direct feedback on proposed design solutions based on our many years of security expertise. In this way, weaknesses in the design can be identified and fixed at an early stage of the development.

Having products or processes evaluated by an accredited third party can provide a crucial advantage over other competitors. Potential customers of in-car components will more likely trust companies putting a noticeable effort into securing their products. Evaluations can be targeted at single devices or complete (onboard) systems.