INVERS GmbH, the market-leader for carsharing solutions, provides multi-vendor carsharing as well as car-sharing optimised for mobile use (i.e. via apps) with the CloudBoxx platform. For this, secure communication between the relevant server or app and the vehicle’s onboard computer is critical – but presents challenges due to technical limitations. These challenges have now been overcome, thanks to solutions developed in partnership with Secorvo Security Consulting GmbH.
A CloudBoxx onboard computer in a carsharing vehicle needs to handle a variety of tasks: It logs and transmits vehicle and user data, unlocks the vehicle’s immobiliser, and also provides keyless access to the vehicle via the app. To accomplish this, the computer communicates with the INVERS CloudBoxx server in secure data centres and a carsharing app.
In app-based carsharing scenarios, the customer books a vehicle for a specific time period using the car-sharing app. The customer’s profile is authenticated via the booking portal prior to gaining access to the vehicle. Once this is done, a virtual “car key” is granted. This virtual key is sent from the app via mobile data connection or Bluetooth to the onboard computer, initiating a command for the vehicle doors to open.
If hackers were able to replicate these messages to the onboard computer, or intercepted and then replayed individual messages, entire vehicle fleets could be remotely unlocked or shut down. This is why the CloudBoxx protocols use cryptographic algorithms to ensure security. With the support of Secorvo, appropriate algorithms and parameters were developed so that the data exchange can be completed in accordance with recognised design principles and cryptographic protocol elements.
The challenge in this process was the bandwidth of the communication protocol (a message length of 150 bits) and the performance limitations of the hardware. These are typical constraints of embedded systems. Furthermore, there was the issue of balancing security, usability, and operating costs.
At the beginning of the project, INVERS presented a security concept, an excellent foundation for the joint development of the cryptographic protocol. Based on international standards and best practices, this resulted in an intensive collaboration to develop a solution that was “impressively clear and simple, thanks to the excellent preparation” Sebastian Thias, INVERS’ Head of Development, explained. Secorvo reviewed the solution developed using a threat analysis and supported its implementation by advising on widespread implementation errors, specifically in terms of the cryptographic algorithms.
Within just a few weeks, a practical and secure solution was developed, which has by now allowed for millions of data packages to be exchanged securely. “I would like to emphasise that the cooperation was outstanding in terms of effectiveness, efficiency and friendliness, said Thias of the positive collaboration. All in all, this is an excellent example of how security can be successfully integrated during the early stages of the development process.
More information on Secorvo: https://www.secorvo.de/