Web and automotive
W3C workshop, 14-15 November 2012

How can webapps benefit from automotive environment, with safety?

Pierre GIRARD, security architect

Gemalto is providing digital security solutions to numerous markets including mobile telecommunication, banking and online authentication. Gemalto has a strong focus on Machine to Machine solutions and is serving the automotive sector in particular. Starting from its experience in the current automotive environment, Gemalto would be happy to share its viewpoint on the introduction of web technologies and the associated security requirements.

As a general trend we see that specialized hardware (like GPS box, eco-driving box, speed camera alert box, multimedia box ...) is now virtualized as an application on a general purpose on-board computer. Car manufacturers expose API to applications that can use it to read vehicle parameters or even trigger actions on it. The next step will most likely be to migrate some native apps to web apps. In this context, we would like to discuss the following points that, in our opinion, should be taken into account when designing a web based environment for cars:

A rich set of API should be proposed to web applications developers enabling them to take advantage of the sensors and actuators available in the automotive environment. However, usage of these API should be subject to a strict permission system both for privacy (e.g. obtaining information on location, mileage, driving patterns), safety (e.g. preventing raw access to the CAN bus) or security reasons (e.g. controlling access to door unlocking or engine starting).
As a consequence, the whole life cycle of apps should be under control. Code should be validated and permissions should be granted by a trusted party.
In order to offer value-added services, reliable identification and authentication methods should be available. As a pre-requisite, identity of the car itself, the car owner, the driver and potentially some other passengers should be separated.

We believe that if these safety, privacy and security requirements are taken into account at the design stage, it will result in a trusted ecosystem that will benefit to manufacturers, service providers and end-users. As such we recommend that the web platform, when evolving to adapt to the automotive market, makes sure that components meeting above stated requirements are developed.