KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Measures for Automaker's Legal Risks from Security Threats in Connected Car Development Lifecycle

  • Kim, Dong Hee (National Security Research Institute) ;
  • Baek, Seung Jo (Graduate School of Information Security, Korea University) ;
  • Lim, Jongin (Graduate School of Information Security, Korea University)
  • Received : 2016.06.30
  • Accepted : 2016.12.08
  • Published : 2017.02.28
Download PDF
⟨ Previous Next ⟩

Abstract

To improve passenger convenience and safety, today's vehicle is evolving into a "connected vehicle," which mounts various sensors, electronic control devices, and wired/wireless communication devices. However, as the number of connections to external networks via the various electronic devices of connected vehicles increases and the internal structures of vehicles become more complex, there is an increasing chance of encountering issues such as malfunctions due to various functional defects and hacking. Recalls and indemnifications due to such hacking or defects, which may occur as vehicles evolve into connected vehicles, are becoming a new risk for automakers, causing devastating financial losses. Therefore, automakers need to make voluntary efforts to comply with security ethics and strengthen their responsibilities. In this study, we investigated potential security issues that may occur under a connected vehicle environment (vehicle-to-vehicle, vehicle-to-infrastructure, and internal communication). Furthermore, we analyzed several case studies related to automaker's legal risks and responsibilities and identified the security requirements and necessary roles to be played by each player in the automobile development process (design, manufacturing, sales, and post-sales management) to enhance their responsibility, along with measures to manage their legal risks.

Keywords

References

  1. Broy. M. et. al., "Engineering Automotive Software," in Proc. of the IEEE, vol. 95, no. 2, Feburary, 2007.
  2. ED Markey, "SPY Car Act of 2015"
  3. Paul T. Durbin, Critical perspectives on nonacademic science and engineering, Lehigh University Press, 1991.
  4. Shirley Radack, THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC), National Institute of Standards and Technology (NIST), 2009.
  5. ISO/TS 16949:2009 Quality Management Systems, International Organization for Standardization, 2009.
  6. Advanced Product Quality Planning(APQP), 2nd Edition, Automotive Industry Action Group (AIAG), July, 2008.
  7. ISO 26262-6:2011 Part 6: Product development at the software level, International Organization for Standardization, 2011.
  8. I. Rouf et al., "Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study," USENIX Security '10, in Proc. of the 19th USENIX conference on Security, 2010.
  9. S. Checkoway, et. al., "Comprehensive Experimental Analyses of Automotive Attack Surfaces," USENIX Security Symposium, 2011.
  10. Tyagi, et. al., "Investigating the security threats in Vehicular ad hoc Networks (VANETs): Towards security engineering for safer on-road transportation," in Proc. of Computing, Communications and Informatics (ICACCI), 2014 International Conference on IEEE, 2014.
  11. J. Petit, S. Shladover, "Potential Cyberattacks on Automated Vehicles," IEEE Transactions on Intelligent transportation systems, vol. 16, no. 2, April, 2015.
  12. An Approach to Communications Security for a Communications Data Delivery System for V2V/V2I Safety: Technical Description and Identification of Policy and Institutional Issues, U.S. Department of Transportation (RITA), November, 2011.
  13. A Survey of Remote Automotive Attack Surfaces, IOActive, 2014.
  14. Paul Spisto, et al., v. Toyota Motor Corporation, U.S. District Court of Central California, Civil Action Case No. CV11-04479CBM(RZx)
  15. Toyota in $1.1 Billion Gas-Pedal Settlement, The Wall Street Journal, Dec. 27, 2012.
  16. Cahen, et al. v. Toyota Motor Corporation, et al., U.S. District Court of Northern California, San Francisco Division, Civil Action No. 4:2015cv01104.
  17. Regulators Investigating Fiat Chrysler Cybersecurity Recall, The Wall Street Journal, Jul. 24, 2015.
  18. Volkswagen's Emissions Scandal, The Wall Street Journal, Sep. 21, 2015.
  19. The Motor Vehicle Supply Chain: Effects of the Japanese Earthquake and Tsunami (Congressional Research Service 7-5700), Bill Canis, May. 23, 2011.
  20. Korea Auto Industries Coop. Association (KAICA),
  21. A Survey on Distribution of Spare Parts for Vehicle (No. 10-05), Korea Consumer Agency (KCA), May, 2010.
  22. A Study on Distribution for After-Sales Vehicle Parts and Promoting Competition in Mechanic Field, Fair Trade Commission (FTC), Sep. 30, 2002.
  23. Over-the-Air Updates to Slash Automobiles' Recall Rates, Finds Frost & Sullivan, PR Newswire, September, 2013.
  24. Caution: Malware Ahead, An analysis of emerging risks in automotive system security, McAfee, 2011.
  25. I. Kruger, "Improving the Development Process for Automotive Diagnostics," in Proc. of 2012 International Conference on Software and System Process (ICSSP), pp.63-67, June, 2012.
  26. Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, ED MARKEY, Feburary, 2015.
  27. W. B. Jaballah, M. Conti, M. Mosbah, C. E. Palazzi, "Fast and Secure Multihop Broadcast Solutions for Intervehicular Communication," IEEE Transactions on Intelligent Transportation Systems, Vol.15, No.1, pp.433-450, 2014. https://doi.org/10.1109/TITS.2013.2277890
  28. G. Calandriello, P. Papadimitratos, J. P. Hubaux, A. Lioy, "On Performance of Secure Vehicular Communication Systems," IEEE Transactions on Dependable Security Computing, Vol.8, No.6, pp.898-912, 2011. https://doi.org/10.1109/TDSC.2010.58