NNG Prepares for ‘Massive Investment’ in Automotive Cybersecurity

Martin Pfeifle, CTO.

“I was scared, because this kind of manipulation could have been done, and will be done, not only by malicious hackers, but also by teenagers who do it for fun without thinking about the consequences,” he tells the Budapest Business Journal.

Indeed, as reported in the MIT Technology Review, the researchers had merely used a small piece of black tape to turn a 35 mph limit sign to read 85 mph and deceive the cars’ cruise control systems – a ruse so simple a five-year old could do it, assuming they could reach the sign.

But Pfeifle, who is chief technology officer of NNG, a Budapest-based automotive navigation and infotainment systems producer, was equally happy because NNG’s own technology is “not only based on processing information coming from sensors but also from static maps”, and thus would thwart any such malicious tomfoolery.

By employing NNG’s “sensor-fusion” technology in a vehicle, anyone with malevolent intent would have to be highly skilled to manipulate both maps and camera images to achieve unwanted acceleration, he says.

Zoltán Nagy, VP of Engineering, adds: “This story shows how easy it is to manipulate a car. However, to cause misbehavior or accident for one car is easy. For me the really scary story would be if a whole fleet was hacked.”

NNG, which began corporate life in 2004 as Nav N Go and now boasts 550 employees globally, is increasingly focusing on automotive security systems designed to cope with anything from crude roadsign disfigurement to sophisticated IT hacking.

All Connected

“From the connectivity standpoint, all modern cars are connected [to the internet]. Most have direct built-in cellular connectivity, and others are connected through external devices such as the driver’s mobile phone,” Ziv Levi, CEO of Arilou, NNG’s Israel-based automotive cybersecurity division, tells the BBJ.

While such systems have greatly enhanced the driving experience of modern automobiles, they come with a catch: they also open a door for malicious players to get access to the vehicle systems and manipulate them.

“Like any connected system, cars can be hacked. While with other systems this usually means a breach of privacy or potentially a financial loss, in the case of cars, there’s also a real physical risk to passengers,” Levi stresses.

He points to modern steering systems, which will correct the course if a driver fails to keep properly within the road lane.

“Like other systems in the car, this is computerized. If someone hacks in, he can control your steering wheel. In a sense, computers are driving your car, and if they are breached you have no control of the vehicle,” says Levi.

It opens up the frightening prospect of criminal activity against individual drivers, or worse still, terrorist action against random cars, causing mayhem on highways.

Zoltán Nagy, VP of Engineering.

Sleepless Nights

Indeed, the issues involved in creating practical cyber protection systems for vehicles – which include technical, economic and complex legal arguments – have given both auto industry leaders and regulators sleepless nights for years as they ponder what action to take.

Meanwhile, Levi and his researchers have been working on protection systems, most notably their patented Intrusion Detection System (IDS) which monitors and analyses a vehicle’s electronic traffic in order to detect attacks or anomalies in the vehicle network.

This investment has already begun to make a return, with the New Zealand-based Ohmio Automation choosing an Arilou protection system for its new generation of autonomous buses, along with more deals in the pipeline.

“We are currently also working on other projects together with Tier1 suppliers and OEMs [original equipment manufacturers, in other words, vehicle or parts makers], but are not allowed to comment on these at present,” says NNG’s Pfeifle

But this is merely a start. With the United Nations Economic Commission for Europe (UNECE) announcing new regulations on cybersecurity for vehicles at the end of June, NNG has the road map to fully exploit its know-how by tapping into a market of mind-boggling proportions.

“In the European Union, this new regulation makes cyber security mandatory for all new vehicle types from July 2022, and will become mandatory for all new vehicles produced from July 2024,” says Pfeifle.

This will trigger “massive investments” in automotive cyber security, he argues, pointing to a McKinsey report in March that predicts spending in this sector will almost double from USD 4.9 billion this year to USD 9.7 bln in 2030.

“The new UN Regulations will spur significant innovation and new economic opportunities among suppliers, IT companies, specialist niche firms and startups, particularly in the software development and services market,” Pfeifle predicts, with the clear implication that NNG is well placed to carve out its share of this growing market.

‘Huge Collision’ as Older Autos Meet the Internet Age

To simplify the array of wires and small servo-motors that began to appear in cars in the 1980s, German auto engineers invented the CAN (Controller Area Network) bus, which allows microcontrollers and devices to communicate without a host computer.

This was a major step forward in auto design, and worked very well. But as Tamás Kerecsen, then chief technical officer with NNG, told the BBJ last year, it is also the reason why old cars are vulnerable to modern-day hackers today. 

“The automotive industry is very iterative. Car makers build on the previous year’s model. They [almost] never do it from scratch because it’s so incredibly complex, there are so many companies involved, so many pieces involved, nobody could build something from the ground up,” he said.

It means many cars into the early part of this decade rely on technology dating from the 1980s.

“Automakers know that the CAN bus works. They have all these pieces that connect to the CAN bus, and they don’t want to break that connection. There is this huge legacy of things that were proven to work 40 years ago, all in a car that’s shaking on the road, and they don’t want to try anything new,” he adds.

But in the last decade, car owners, armed with smart phones, have been demanding increased connectivity, meaning the legacy infrastructure is increasingly used by hi-tech applications for which it wasn’t designed.

“You have all this hi-tech stuff coming in and opening new doors into this unprotected network. This is a huge collision, happening now. It’s the internet age coming into the car, which is completely vulnerable to this,” Kerecsen says.

Turning towards Arilou’s chief executive, he adds: “And that’s what Ziv has been working to find solutions for, to protect the old infrastructure that was designed for [physical] robustness and not for hacking protection.”

Ziv Levi, CEO of Arilou, NNG’s Israel-based automotive cybersecurity division.