Understanding the Need for Cyber-Secure Image Sensors in ADAS and In-Cabin Monitoring Systems
November 02, 2023
It takes some effort to remind people why automotive cybersecurity is essential. With cars transitioning toward partial autonomous driving, it is becoming a growing concern for automobile original equipment manufacturers (OEMs).
It is obvious why controls need to be implemented so that nobody other than the driver (or the piloting system that replaces them under particular and bounded conditions) can assume vehicle control.
In 2021 the United Nations Economic Commission for Europe (UNECE) working group released UN-R155, a regulation on cybersecurity for OEMs to address these rising threats. This regulation has been binding for type approval on new vehicle types produced in the UNECE member countries since July 2022. It means automotive suppliers must comply with ISO 21434 to ensure that all their cybersecurity-relevant components meet that standard.
Of course, sourcing cybersecurity-compliant parts does not guarantee that an OEM will be UNECE-compliant. However, it is an essential step in that direction, placing them in a stronger position toward achieving that goal. This article considers cybersecurity in the context of image sensors used in advanced driver assistance systems (ADAS) and in-cabin monitoring applications.
Why Image Sensors Need to be Secure
Some locations in a car where cybersecurity should be implemented are quickly identifiable - from gateways to connectivity to infotainment systems or any other vehicle subsystems connected via a network. However, it might be less apparent why cybersecurity should also apply to image sensors.
With today’s emphasis on safety and driver assistance, image sensors are the “eyes” of the vehicle. They are used in several ADAS functions, such as lane departure warnings, pedestrian detection, and automatic emergency braking (AEB). They assess the car’s surroundings and provide inputs to the fusion system for decision-making. In the future, they will assist with identifying and authenticating the car users and also monitoring their vital signs. This would enable the onboard computer to assume control if the driver becomes incapacitated. In these situations, automotive image sensors must perform exceptionally (with high dynamic range, low light capability, color tone discrimination, etc.) and remain functional, especially in the most extreme situations a vehicle can encounter.
Since cars will increasingly depend on image sensors for safe operation, a vehicle’s central computer will require authorized genuine parts to interact with it. It must also ensure that any image frame transmitted hasn’t been compromised and that all frames have been generated by a genuine image sensor. Finally, the image sensor should only accept configuration changes by the vehicle’s system and not any other party. The following use cases illustrate why the automotive industry can’t ignore the threats posed by using counterfeit image sensors that are vulnerable to third-party spoofing.
Threat 1: The image sensor is replaced by a counterfeit part
The AEB system relies on the image sensor behind the windshields to detect objects or pedestrians in front of the car. It can decide to apply the brakes if the driver is not responding promptly to prevent a collision. An AEB system operates on the assumption that its image sensor has specific characteristics (e.g. high dynamic range, low light performance, etc.) and the system is calibrated to these specifications. If a non-genuine or counterfeit part replaces the original image sensor, it could jeopardize the system’s performance.
While the replacement may look identical to the original, its performance and characteristics might differ significantly. Since the AEB system was optimized for the original image sensor, the different characteristics of the replacement will alter the system’s performance. This means that the system may not be able to detect objects or pedestrians in front of the car until they are a few meters away—leaving no time for the system to react appropriately, with possibly tragic consequences. Replacing a genuine image sensor with a counterfeit is akin to asking a driver with poor eyesight to drive without glasses.
Figure 1: The effect of replacing a genuine image sensor with a counterfeit
Threat 2: The image sensor settings are modified
A vehicle system is calibrated and programmed to optimally configure the image sensor to always return the most realistic representation of the scene in front of the car. However, if someone (or something) modifies the configuration of that image sensor, its performance can become compromised. As a result, it may no longer be possible to guarantee that the scene facing the car is perceived correctly, entirely, or optimally by the vehicle system – the electronic equivalent of throwing dust in the eyes of a human driver.
Figure 2: The effect of tampering with an image sensor’s settings
Threat 3: The image sensor is bypassed
The image sensor provides the image processor with raw video data, which it uses to extract critical information regarding front-facing obstacles so that the car can respond appropriately. For example, the image processor can detect an approaching vehicle and decide to use the brakes or steer the car away from the road, whichever is the safest action.
However, if an unauthorized party attempts to tamper with the system by modifying or bypassing the image sensor, the image processor is no longer provided with raw video data reflecting the real scenes. In that case, the system might no longer be able to detect the approaching object. Instead, the image processing element may only receive looping images of a clear road without obstacles, with potentially the same unbearable consequences as a human driver taking their eyes off the road completely.
Figure 3: The effect of bypassing an image sensor
onsemi’s Image Sensors are Cybersecurity-Compliant
onsemi began implementing cybersecurity features in its image sensors in 2018, even before the ISO 21434 cybersecurity standard was released. Initially, this implementation was driven by early customer requests but was later developed and consolidated into cybersecurity expertise. As a result, the onsemi image sensors are already cybersecurity-ready. One of the key features is authentication, which allows them to prove to a host that they are genuine. This is provided using a desired certificate chain and pre-shared keys.
Another essential feature is that they can ensure video data integrity, proving that a video data stream has not been tampered with between the sensor and the system. That integrity is provided through a message authentication code (MAC). Finally, sensor control and configuration data are protected against tampering with specific key registers that use MACs on embedded data video lines.
Cyber-Secure Components are the First Step to Cyber-Secure Automobiles
Cybersecurity compliance is a must-have for automotive image sensors to prevent them from becoming the Trojan horses of complex automotive electronics systems. For OEMs, cybersecurity compliance doesn’t stop at the cybersecurity control circuits in the image sensor. Still, they are essential for allowing ADAS and in-cabin monitoring systems to achieve full cybersecurity compliance.