Automotive Imaging Systems

Camera Security Framework Addresses Regulatory Requirements

7 November 2024, 15:29 | Authors: Philip Hawkes and Rick Wietfeldt, Editor: Irina Hübner
© MIPI Alliance

The UN R155 regulation specifies that in-vehicle imaging systems must also be reliably protected against security vulnerabilities. The MIPI Camera Security Framework provides an end-to-end security framework for such systems.

Regulatory Push for Cyber Secure Vehicles

The United Nations Economic Commission for Europe Regulation No. 155 (UN R155) sets out uniform provisions for vehicle cyber security to address concerns over the »hacking« of safety-critical vehicle systems and unauthorized access to personal data within those systems. The key objective of the regulation, which as of July 2024 is legally binding for road vehicles sold in 64 countries, is to ensure vehicles implement adequate controls against a comprehensive list of security vulnerabilities.

This article examines several UN R155 examples of security vulnerabilities that apply to automotive imaging systems, the requirements and design challenges they present, and how a new camera security framework developed by MIPI Alliance helps mitigate those threats.


Automotive Imaging Systems Must be Cyber Secure

Cameras and related perception and imaging sensors are fundamental to advanced driver assistance and autonomous driving systems, and according to UN R155, it is essential that these systems be protected against security vulnerabilities. UN R155 also requires imaging systems to be protected against privacy risks arising from unauthorized access to images and image-related metadata.

Specifically, the regulation highlights the following examples of vulnerabilities related to sensor-based systems (in Table A1, section 4.3.7):

  1. Manipulation of electronic hardware (e.g. unauthorized electronic hardware added to a vehicle to enable a »man-in-the-middle« attack)
  2. Replacement of authorized electronic hardware (e.g., sensors) with unauthorized electronic hardware
  3. Manipulation of the information collected by a sensor

The regulation also lists general cybersecurity risks to in-vehicle communication networks that connect image sensors to their corresponding electronic control units (ECUs).

Imaging System Requirements Derived from the Regulation

To mitigate the vulnerabilities identified in UN R155, the following requirements are recommended by MIPI Alliance when implementing an automotive imaging system:

  • End-to-end data protection. Image data must be protected from the »data source« within each image sensor to the »data sink« within the sensor’s corresponding ECU (shown in Figure Y), using application-layer security (as opposed to multi-hop link-layer security) to enable end-to-end security irrespective of the underlying communication network.
  • Component authentication. Components within the imaging system must be trusted, requiring the capability (by the ECU) to authenticate image sensors and the key communication network components used to connect the sensors (i.e., SerDes bridges).
  • Source-selective security. Integrity of the data generated by a sensor must be verified by the ECU.
  • Data encryption. Where there is a risk of data exfiltration from the imaging system, end-to-end data encryption should be applied.
  • Secure command and control interfaces. Sensor command-and-control interfaces must be secured to mitigate risks arising from misconfigured sensors.
  • Standards-based framework. Industry-verified security standards must be leveraged within automotive imaging systems.

 

Figure Y: MIPI security framework provides end-to-end, source-selective security.
© MIPI Alliance

Imaging System Design Challenges

These automotive imaging system requirements present multiple design challenges. For example, to minimize design complexity, cameras are connected using various network topologies, such as daisy chain or tree structures, so implementing security that is agnostic of the network topology, at the “application layer” and independent of the network components used to provide the communication network, is highly beneficial to system designers. Furthermore, image sensors generate massive amounts of data. It is essential that security operates with minimal data overhead to not exceed the in-vehicle network bandwidth, and with strict power and heat dissipation targets. Advanced security techniques, such as the use of partial data integrity protection, where the level of protection is configurable based on the criticality of the data sent within each image frame, must be leveraged to optimize system design.
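An added illustration, not taken from the article or from the MIPI specifications: a Python sketch of application-layer, partial integrity protection, in which only the lines marked critical carry a tag and the hops in between hold no key. HMAC-SHA256 with a truncated tag, the packet tuple layout, the sample frame and all function names are assumptions for illustration and do not reflect the MIPI CSE wire format; the key is assumed to be already shared between sensor and ECU.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                                # truncated tag length (assumption)
KEY = bytes(range(32))                      # constructed sample session key
LINES = [b"embedded-metadata", b"roi-line-0", b"roi-line-1", b"background"]
PROTECTED = {0, 1, 2}                       # lines the policy marks as critical

def _mac(key, frame_no, line_no, payload):
    # Bind the tag to frame and line position so a valid line cannot be
    # replayed into another frame or moved to another position.
    header = struct.pack(">IH", frame_no, line_no)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]

def sensor_send(key, frame_no, lines, protected):
    """Data source: emit (line_no, payload, tag-or-None) for every line."""
    return [(n, p, _mac(key, frame_no, n, p) if n in protected else None)
            for n, p in enumerate(lines)]

def bridge_forward(packets, tamper=None):
    """Intermediate hop (e.g. a SerDes bridge): holds no key, just forwards.
    `tamper` maps line_no -> replacement payload to model a modified hop."""
    return [(n, tamper.get(n, p) if tamper else p, t) for n, p, t in packets]

def ecu_verify(key, frame_no, packets, protected):
    """Data sink: return the protected line numbers that fail the policy.
    Every protected line starts as failed, so a dropped line or a stripped
    tag is reported just like a modified payload."""
    failed = set(protected)
    for n, p, t in packets:
        if n in protected and t is not None and \
                hmac.compare_digest(t, _mac(key, frame_no, n, p)):
            failed.discard(n)
    return sorted(failed)

if __name__ == "__main__":
    pkts = sensor_send(KEY, 7, LINES, PROTECTED)
    # Two untouched hops: topology does not matter to the end-to-end check.
    print(ecu_verify(KEY, 7, bridge_forward(bridge_forward(pkts)), PROTECTED))
    # A hop that alters a protected line is detected at the ECU.
    print(ecu_verify(KEY, 7, bridge_forward(pkts, {1: b"forged"}), PROTECTED))
    # An altered unprotected line is not: the cost of partial protection.
    print(ecu_verify(KEY, 7, bridge_forward(pkts, {3: b"forged"}), PROTECTED))
```

The third case is the design trade-off: bandwidth and compute are saved on lines left outside the protected set, and changes to those lines go unnoticed, so the set has to follow the criticality of the data.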

New MIPI Camera Security Framework

In 2024, building upon the use of MIPI Camera Serial Interface 2 (CSI-2), a de facto imaging protocol that is widely used in automotive imaging systems, MIPI released a suite of camera security specifications that provide an end-to-end security framework for imaging applications. The framework consists of four specifications:

  1. MIPI Camera Service Extensions (MIPI CSE) v2.0 – defines security services to enable data integrity protection and optional encryption of CSI-2 data. This is in addition to the functional safety services provided in CSE v1.0.
  2. MIPI Camera Security v1.0 – defines system security management of MIPI CSE and MIPI CCISE, using the DMTF (Distributed Management Task Force) SPDM (Security Protocol and Data Model) architecture to authenticate and establish secure sessions between imaging system components.
  3. MIPI Camera Security Profiles v1.0 – defines a set of common security profiles to enable interoperability, including profiling SPDM authentication mechanisms.
  4. MIPI Command and Control Interface Service Extensions (MIPI CCISE) v1.0 – defines security services to enable data integrity protection and optional encryption of the MIPI Command and Control (CCI) interface based on I2C. This specification is presently under development with completion expected by the end of 2024.

The framework provides a choice of security protocols, ciphersuites, integrity tag modes and security controls, providing a high degree of implementation flexibility to balance required security level against processing efficiency, implementation complexity, thermal regulation and power consumption. Most importantly, the framework supports end-to-end data protection using CSI-2 application-layer security (as opposed to multi-hop link-layer security) to enable end-to-end security irrespective of the underlying communication network and topology.

Figure Z: MIPI image sensor stack with security.
© MIPI Alliance

The new camera security framework is a key component of the MIPI Automotive SerDes Solutions (MASS) full stack of connectivity solutions, with the new security services within the framework being fully complementary to pre-existing functional safety services (shown in figure Z).

Additional information on the new camera security framework can be found on the MIPI website, including a recently published whitepaper, »A Guide to the MIPI Camera Security Framework for Automotive Applications.«

 

 

 

The authors

 

Philip Hawkes, MIPI Alliance.
© MIPI Alliance

Philip Hawkes is co-chair of the MIPI Security Working Group. His experience covers mobile networks, location technologies, IoT/M2M, WiFi and wired connectivity. Phil is currently a principal engineer, technology, at Qualcomm Technologies Inc., and started his career as a symmetric cryptography expert involved in both design and analysis of algorithms.

 

 

Rick Wietfeldt, MIPI Alliance.
© MIPI Alliance

Rick Wietfeldt is co-chair of the MIPI Security Working Group and serves as vice chair of the MIPI Alliance Board of Directors. He is also a senior director, technology, at Qualcomm Technologies Inc., where he established the Advanced Connectivity Technology office responsible for the standards development organizations (SDOs) that drive mobile interface standards. Rick is a frequent author and has been awarded numerous patents in mobile device architecture and operation.

