DATA SECURITY

A solid
defense

Anyone who gets into a car nowadays is immersing themselves in a complex, connected world of software – a world where millions of data bits fly back and forth between microcomputers in mere seconds. Increasingly, this communication is also taking place with other systems and vehicles. All this is giving rise to fascinating new applications for enhanced convenience, efficiency, and safety – but it also comes with more security risks, and these have to be brought under control. Highly qualified software experts working at the Bosch subsidiary escrypt GmbH Embedded Security are working to find ways of making the world a little more secure. One of these specialists is Thomas Wollinger, managing director of Escrypt and a seasoned security expert.

  • TRANSFERRING WITH AUTHENCITY

    To protect sensitive messages from being manipulated during transfer, one of the tools Escrypt uses is the digital signature. In this cryptographic technique, the sender creates a sort of fingerprint from the message before encoding and sending it. The receiver decodes the fingerprint and compares it with a version contained directly in the message. If they match, then it’s certain that the message has not been tampered with.

     

     

  • ENCRYPTION

    In the defense against unauthorized interference, the most important weapon is encryption. It works by transforming vehicle data into a kind of ciphertext, which can be turned back into readable text only with the right key or cipher. As the core of the system, this key sits on a hardware element in the control unit, where it is well protected.

     

     

  • APPROPRIATE RESPONSE

    For every incoming message, the defense system has to make several decisions. Is the message trustworthy? If not, can it be ignored? Can we deny access to an unauthorized user? Or should the system that has received the message be separated from the network or even shut down because of a potential danger to security-relevant parts?

     

     

  • SECURE UPDATES

    Protection software has to be up to date, always ready for hackers’ latest tricks. Escrypt meets this requirement by providing regular updates. Since these will also be made available via the mobile data network in the future, vehicle owners will no longer have to take their vehicles to the garage to have the electronics updated. With help from secure over-the-air software updates (SOTA), vehicles can also receive automakers’ updates – wirelessly, efficiently, and above all securely.

     

     

Escrypt’s conference room is a high-security zone.



Specially glazed windows make it impossible for snoopers to use a laser to track the vibration of the panes, and thus to record conversations. Security wallpaper sounds the alarm if it is tampered with or if it senses a break-in. Nothing unintentionally leaves this room, which is located in an office building in Bochum, Germany. Nor should it, because what Thomas Wollinger and his associates discuss with their customers is often strictly confidential.  



 




Wollinger indicates one of the doors across the way. “In 2005, we pioneered embedded security in that room over there,” he recalls. Back then, there were three of them toiling away to make a success out of the tiny start-up. Today, nearly 100 associates are employed at Escrypt’s headquarters in Bochum and at other locations in Germany, the U.S., Japan, China, and Korea. All are working to protect software systems from attacks by hackers and the like.    

In his early years, there was little to suggest that Wollinger would end up in this career. He spent his childhood playing with kids on the neighborhood streets, not in front of a computer. It wasn’t until he started an apprenticeship in communications electronics that the subject really caught his interest. He finished his technical diploma at the top of his class, completed a university degree in electrical engineering in record time, and wrote his PhD thesis on a special encryption technique that utilizes hyperelliptic curves. It’s still encryption techniques like this one that allow Escrypt to develop protection software for what are known as embedded systems: micro-computers that are integrated into technical environments such as medical equipment, cell phones, or vehicle ECUs. And this protection is more important than ever.

Take the example of vehicles: attackers are trying more and more ways to infiltrate them – through their internet connection, cell phone interface, radio, or the navigation system. And attempts to interfere with vehicles come from all sides –  owners try to manipulate their vehicle’s odometers, competitors are interested in automakers’ data or know-how, and still others hack into connected systems to commit acts of sabotage or espionage. 

With integrated security solutions and industry expertise, Escrypt’s job is to thwart such attempts. In each of the brightly lit offices on the second floor of the Bochum headquarters, two associates sit staring intently at their computer screens. They develop encryption software, advise their clients, and attempt to find and evaluate weaknesses in their clients’ systems. The major competitive advantage in all this is that Escrypt works very closely with its parent company, the Bosch subsidiary ETAS.

While ETAS ensures that a car is safe – that its control units and systems function as they should – Escrypt’s focus is on security, protecting the systems from external attacks. In connected systems, the two disciplines have to intermesh more tightly than ever. Even before software and hardware development starts, it is up to security and safety experts to jointly assess risks, evaluate them, and formulate targets derived from them. “You can’t have safety without security – and vice versa,” says Simon Burton, who is in charge of embedded software services at ETAS. “That’s why the two companies complement each other so well.” Another factor that comes into play here is the full breadth of Bosch’s automotive expertise. Wollinger views it as an ideal combination, since “we can offer everything from a single source.”

Even with all the expertise that Escrypt pits against hackers, Wollinger understands that drivers have some concerns. “No one can guarantee one hundred percent security, not even us,” he concedes. However, because Wollinger and his team work closely with security experts in companies and at universities, “we can anticipate potential attacks very early on. And we’ve been working on countermeasures for a long time.”

“We can offer everything from a single source.”