AI driven, Arm accelerates the future of software defined cars

We are ushering in a new era of automobiles, namely the era of Software Defined Vehicles (SDV). According to predictions by the analysis firm Counterpoint Research, by the end of 2026, there will be over 1 million vehicles equipped with L3-level Advanced Driver Assistance Systems (ADAS) on Chinese roads.

It is foreseeable that with the increasing demand for high-performance computing and more software, the computational power required in automobiles is also rapidly increasing. Given that future AI-powered SDVs will contain up to one billion lines of code, coupled with significantly enhanced connectivity features, the security challenges have become increasingly severe. To avoid the serious impact of security vulnerabilities, the automotive industry has already started taking action to build deep security defense measures across the entire SDV. Unlike home environments, vehicles have unique "mixed-criticality" requirements, necessitating both safety and real-time functionality while also supporting more personalized user experiences and higher levels of autonomy.

This distinguishes automobiles from other scenarios and makes the extensive work Arm is undertaking in the automotive field highly targeted. In addressing security challenges, Arm has introduced a series of new automotive technologies this year, aimed at meeting the higher requirements of AI-powered SDVs in terms of performance, functional safety, and information security. These include a new set of automotive-enhanced (AE) IP processors based on the Armv9 architecture, with the core of this design being the latest Arm information security features. Common automotive information security challenges, such as extensible software attacks, have exposed numerous severe vulnerabilities in other markets, which also cannot be avoided in the automotive industry.

Historically, most automotive software stacks have been proprietary, making security vulnerabilities in the code difficult to discover. However, software used in other markets, such as consumer electronics and the Internet of Things, may also be utilized in the automotive market, leading to the emergence of more vulnerabilities. As a result, relevant departments have proposed requirements for maintaining Software Bill of Materials (SBOM) to strengthen the security of the software supply chain, so that once a vulnerability is discovered in a piece of software, all locations where it is used can be identified. Consumer behavior also impacts security and business revenue. Firstly, consumers may attempt to bypass security controls to enable features to avoid additional costs, resulting in revenue losses for automobile manufacturers. Secondly, if consumers use unofficial, inexpensive "non-original" parts, it may lead to the software in automotive applications being infiltrated and manipulated by unknown third parties, thereby increasing the risk of ransomware attacks. If a third party controls the vehicle, it can directly impact the safety of the vehicle.

Furthermore, the use of non-original parts also results in lost business revenue. Today's SoCs in automobiles need to simultaneously run software from multiple untrusted entities, and the automotive supply chain is vast and complex, presenting numerous security challenges. Overcoming these intricate supply chain issues requires hardware-supported software management, as well as isolation technologies and frameworks. Finally, SDVs are essentially large interconnected devices, and as the basic security goal of interconnected devices, secure communication is crucial for the automotive industry. Automobiles need to acquire sensory data from multiple sources (such as LiDAR, radar, and cameras), so ensuring the security of high-speed communication is also a major challenge that the automotive industry urgently needs to address. To this end, adopting high-performance security mechanisms to protect delay-critical sensor data is necessary. Additionally, secure updates are also vital for the ongoing maintenance and improvement of SDVs through remote wireless (OTA) software updates‌.

In SDVs, the increasing integration of smart cabins and IVI systems adds complexity to their creation and subsequent management. As the connectivity features and demands in these systems continue to grow, the attack surface expands accordingly. The smart cabin has a larger attack surface due to its multifaceted nature, including cloud connectivity, connection to personal devices like smartphones, USB plug-in capabilities, and the ability to download applications. The motivations for hackers to infiltrate smart cabins are diverse, with the personal data contained within, such as payment information, being highly valuable to them. For IVI systems, the primary security risk lies in their role as gateways connecting to other parts of the vehicle, which can be exploited for theft or control of the vehicle. This creates opportunities for ransomware or denial-of-service attacks. Smart cabins and IVI systems must also meet advanced functional safety requirements, adhering to safety case standards like ISO 26262 and ASIL B levels, which necessitates additional information security measures. Both systems integrate secure and non-secure multi-displays, as well as single physical displays that combine functional safety requirements with other relevant information for passengers and drivers. This results in a mixed-criticality security environment that requires effective management from an information security perspective.

The integration of ADAS and AD systems increases the volume and value of data onboard vehicles. This includes sensor and actuator data, AI models and algorithms for perception and object classification, graphically intensive computations (such as 360-degree cameras), and various mixed-criticality considerations. As the amount of software continues to grow, the potential attack surface expands, and since ADAS and AD directly impact vehicle control, this could lead to further escalation of security threats.

MCUs and Zone Architectures: In the past, vulnerabilities in automotive MCUs were limited to attacks within the vehicle, targeting specific automotive electronic devices like door mirrors. However, as the automotive industry accelerates towards more integrated and connected vehicle architectures, hackers can launch remote attacks on the entire system from outside the vehicle through increasingly connected components.