Shiva Nejati and Kunj Dhonde working on circuitryDoctoral students Shiva Nejati and Kunj Dhonde are part of a UWindsor research team working to make the vehicles of tomorrow safe from cyber attack.

Securing the road ahead: SHIELD research centre leads in automotive cybersecurity

At the University of Windsor, two teams — red and blue — are locked in a strategic battle, working toward the same goal: safeguarding the future of automotive cybersecurity.

These teams, operating from the Automotive Cybersecurity Centre of Excellence, better known as SHIELD, are focused on opposing areas of security solutions for the auto sector.

With an eye on the future, SHIELD, the only centre of its kind in North America, has the goal of ensuring vehicles of tomorrow are safe and secure.

“I always go back to the difference between computers and cars,” said co-founder Mitra Mirhassani. “We typically keep our computers close and secure, while cars connect to networks outside our control when parked or at a repair shop. This lack of control raises safety concerns, especially since cars can physically harm us if their security systems fail.”

Although the auto security sector shares similarities with IT security, Dr. Mirhassani explained that it operates under distinct mandates, regulations, and methodologies. This is because vehicle manufacturing and production are now globalized.

“Parts in North America might travel 45 times between Canada, the U.S., and Mexico to get assembled before finally being installed in the vehicle. Which, of course, comes with its own set of complexities, from supply chain to design requirements,” she said.

Mirhassani, a professor in the electrical and computer engineering department, established the centre with colleagues Ikjot Saini, an assistant professor in computer science, and Beth-Anne Schuelke-Leech, an associate professor of engineering management and entrepreneurship.

Mirhassani said there is a lot of focus from government agencies on financial loss due to vehicle theft, however, the most crucial concern is safety.

“Not to disregard the frustration people have about auto theft; it’s a serious issue,” she said. “But things will only get more sophisticated and could lead to loss of life and other issues that cannot be fixed with reimbursement. Those are the issues we must start thinking about.

“Most modern cars are, in one way or another, connected to the cloud. If a hacker knows how to take advantage of that, they can easily manipulate the car’s behaviour while you’re in it. The issue is, they may not need to steal the car — they could send you a message that says, ‘I have control of your car, you have half an hour to give me this number of bitcoins.’”

As academics, Mirhassani said, they must always look toward the future.

Introducing the blue team

PhD student Shiva Nejati works on what’s called the blue team. Members develop and implement hardware based on algorithms created to protect against any potential attacks on future automobile systems.

“In the future, all automobiles will be interconnected,” Nejati explained. “Just like how you can see all your devices connected to the internet, imagine that every car is connected too. This means that if someone gains access to just one vehicle and launches an attack, they could potentially gain control over all connected cars and manipulate them.”

Her research primarily focuses on post-quantum cryptography, which involves creating algorithms and methods to encode information resistant to quantum computers.

IBM describes quantum computing as a rapidly emerging technology that utilizes the principles of quantum mechanics to tackle problems too complex for a standard computer.

Nejati said these computers are more powerful and, while still in the early stages of development, they’re expected to be more prevalent in the future.

“Currently, digital data is protected through encryption: we encrypt it before sending and decrypt it upon receipt, ensuring security. However, quantum computers operate differently. They can break through our current encryption and security systems within minutes or even seconds, unlike the years it would take for traditional computers to do the same,” she said.

“Imagine the day that all your digital data is available to anyone. Your digital photos, your bank account information, your medical documents, your passport, and your image. And believe me, it's not a science fiction movie, it's something that would happen if we don't prepare for that.”

Modern vehicles are becoming increasingly digitized, incorporating technology for navigation, connectivity, vehicle control, and safety. As a result, they require cyber protection similar to phones and computers.

“We need to be prepared for this type of threat. Researchers are developing new algorithms, some of which are candidates for post-quantum cryptography — security measures resistant to quantum computer attacks,” Nejati said. “Our focus is now on designing, developing, and implementing hardware tailored for these algorithms. However, transitioning these algorithms to hardware poses challenges, potentially opening for side-channel attacks.”

She explained side-channel attacks operate differently from breaking algorithms and instead exploit data obtained from the hardware, like power consumption or electromagnetic emissions.

Nejati said attackers can gain access to sensitive data and potentially compromise the system, making it crucial to develop hardware designs to stay ahead of emerging threats.

Introducing the red team

This is where the red team comes in.

Researchers on this side work as hackers, finding any loopholes in the hardware developed by the blue team and launching attacks to show where it is vulnerable so it can be redesigned and reimplemented.

“We’ll do emulation, so that means I have a network or a hardware component, and before trying any type of hacks onto it, what I’ll do is try to replicate the whole system along with all its physical devices and its protocols,” said PhD student Kunj Dhonde, whose research focuses on the software side of cybersecurity.

“From there we’ll implement it onto our dummy hardware, then we try to emulate it and test the existing hardware and software. That way we ensure the product is not getting harmed in any way when we run attacks, which can give us feedback on where there could be vulnerabilities.”

Dhonde said with more electric vehicles continuing to roll in, involving a lot of hardware and software systems that become vulnerable as they evolve and become “smarter.”

“My research is focused mostly on how that component of the EV works, and how that can be exploited by some other third actor outside. So, before that happens, my responsibility is to tell the manufacturer or the supplier that this is what security loopholes your component has, and make sure you fix it before it launches into the market,” she said.

Dhonde explained that in a modern EV, there are 60-70 electric control units connected through a Controller Area Network, which allows devices to communicate with each other with just two wires connecting all components of the vehicle.

If just one line is hacked, or being monitored then, “Boom! It’s gone. Your EV has already been hacked,” she said.

Exploiting just one wire can affect all the different types of units connected to that network.

She said the risks can vary and depend on the threat actor’s intentions. There are two types of hackers: “white hat hackers” attack the hardware on the vehicle to identify security weaknesses to help manufacturers improve security features, like the blue team at SHIELD.

Black hat hackers, Dhonde said, are those with malicious intentions who try to break into the systems to gain access for nefarious purposes such as collecting sensitive information, disrupting systems for ransom, or selling important data, to name a few.

A collaborative approach

Additionally, the efforts of the SHIELD centre extend beyond its internal research teams, working alongside local and national organizations to drive advances in the automotive cybersecurity space.

Currently, the centre is collaborating with Invest WindsorEssex to offer a unique opportunity for auto parts manufacturers and companies working in the automobility sector. The program provides Ontario-based small to medium companies complimentary access to SHIELD’s equipment and expert assistance.

“If a company has a core part they would like to have assessed, they can reach out to Invest WindsorEssex and arrange to come in and have access to one of the largest catalogues of threats. Companies can come in and leverage our technology and specialized knowledge to improve their products,” explained Mirhassani.

With the support of the Ontario Vehicle Innovation Network, the team at Invest WindsorEssex operates the Windsor-Essex Regional Technology Development Site, which offers two free cybersecurity programs to help ensure automobility products are secure.

The WE RTDS has a dedicated automotive cyber threat analyst on staff to work directly with these companies to provide threat analysis and risk assessment using the advanced Cyber Threat Catalogue of the Automotive Security Research Group. Once an assessment is completed, automated penetration testing can be conducted at the SHIELD lab.

An automated penetration test is completed through Keysight Technologies’ specialized equipment, and participants are provided with the results.

“Invest WindsorEssex is thrilled to partner with the University of Windsor SHIELD Centre and offer Ontario-based automobility companies the expertise and resources needed to test the security of their products,” said Ed Dawson, executive director of the Invest WindsorEssex Automobility and Innovation Centre and director of the Windsor-Essex Regional Technology Development Site. “This partnership with one of Canada’s leading cybersecurity institutes provides companies with research and development tools that are typically only available to research centres and large companies.”

The centre remains committed to ongoing collaborations with community and industry partners and is now working on several projects. Learn more at shieldautocybersecurity.com.

Stay up to date with the latest and greatest at UWindsor:

Subscribe to DailyNews