connected car security

CONNECTED CAR SECURITY Threat landscape and Potential Mitigation Strategies Suresh Mandava Cyber Security Lead for IoT/BigData Practice August 4, 2015 @sureshmandava

Upload: suresh-mandava

Post on 21-Apr-2017


TRANSCRIPT

Page 1: Connected Car Security

CONNECTED CAR SECURITY Threat landscape and Potential Mitigation Strategies

Suresh Mandava Cyber Security Lead for IoT/BigData Practice August 4, 2015

@sureshmandava

Page 2: Connected Car Security

Hackers Remotely Kill a Jeep on the Highway—With Me in It July 21, 2015

We Drove a Car While It Was Being Hacked, May 29, 2014 http://motherboard.vice.com/read/we-drove-a-car-while-it-was-being-hacked

Almost a Year Before

Page 3: Connected Car Security

Before Matrix there was Speed

The film tells the story of the LAPD cop who tries to rescue civilians on a city bus rigged with a bomb programmed to explode if the bus slows down or if civilians try to escape.

Trapped aboard the ship, Annie and Alex work with the ship's first officer to try to stop the ship, which they discover is programmed to crash into an oil tanker.

1994 1997

Page 4: Connected Car Security

Automotive Electronics Systems

Example: Lexus LS-460
•  Sep 2006
•  +100 ECUs
•  7 Million Lines of Software Code

Page 5: Connected Car Security

Year(s) apart…

http://www.autosec.org/publications.html

Page 6: Connected Car Security

SpyCar ACT (July 21, 2015)

SPY Car Act, the legislation introduced by Markey and Blumenthal

The Security and Privacy in Your Car Act (the SPY Car Act) specifies that the NHTSA and FTC together issue
•  Notices of Proposed Rulemaking within 18 months, and final regulations within three years of the act’s enactment.
•  The SPY Car Act will apply to vehicles made two years after final cybersecurity and privacy regulations are issued.

Page 7: Connected Car Security

SpyCar ACT : Cybersecurity Standards

•  Vehicle System Security. All entry points to a vehicle’s electronic systems must be equipped with reasonable measures to protect against cyberattacks, including isolation measures to separate critical and non-critical software systems;

•  Vulnerability Testing and Remediation. Such reasonable security measures shall be evaluated for vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing, and must be adjusted and updated based on the results of such evaluation;

•  Data Security. All driving data collected by a vehicle’s electronic systems must be reasonably secured from unauthorized access while data is stored onboard the vehicle, in transit from the vehicle to another location, and in any offboard storage or use; and

•  Real-Time Attack Mitigation. All entry points to a vehicle’s electronic systems must be equipped with capabilities to immediately detect, report, and stop unauthorized attempts to intercept driving data or control the vehicle.

Violation of such cybersecurity standards would result in liability to the federal government for civil penalties of no more than US$5,000 per violation.

Page 8: Connected Car Security

SpyCar ACT : Privacy Standards

•  Transparency. Foreclosing other notice mechanisms as legally viable, the act would require that each vehicle provide clear and conspicuous notice, in clear and plain language, to owners or lessees of a vehicle of the collection, transmission, retention, and use of any driving data collected;

•  Consumer Control. Owners or lessees must be given the option to terminate the collection and retention of driving data without losing access to navigation tools or other features or capabilities, to the extent technically possible (with the exception of driving data stored as part of the electronic data recorder system or other safety systems required for post-incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance);

•  Limitations on Driving Data Use. Manufacturers may not use any driving data collected by a vehicle for advertising or marketing purposes without the affirmative and express consent of the owner or lessee, which must be obtained using a clear and conspicuous consent request in clear and plain language that does not make use of the driving data a condition for the consumer’s use of any nonmarketing feature, capability, or functionality of the vehicle.

Page 9: Connected Car Security

With 'recall,' Fiat Chrysler makes its car hack worse

The decision of Fiat Chrysler to mail out USB sticks to customers directly to patch the recent vulnerability is the security equivalent of waving a red rag to a bull.

"It's like if after surgery the doctor forgets a pair of scissors in your stomach, and when you find out, he just sends you a scalpel to fix it yourself."

July 27, 2015

Why Chrysler's car hack 'fix' is staggeringly stupid

http://www.zdnet.com/article/chryslers-response-to-car-hack-was-slow-and-incredibly-stupid/

Page 10: Connected Car Security

Recall Costs.

GM's total recall cost: $4.1 billion

U.S. Department of Transportation's National Highway Traffic Safety Administration (NHTSA) sets the national safety standards and can influence -- or in some cases order -- an auto manufacturer to repair safety-related defects at no cost to the consumer. Even if the fix is something as minor as a missing washer or a faulty electrical connection, the manufacturer stands to lose millions of dollars in the process

In their interviews with manufacturers, some identified difficulties in notifying vehicle owners about safety defects. For example, there was mention that not all vehicle owners keep their address information up to date with state motor vehicle registration offices. In addition, the older the vehicle, the more changes of ownership and mailing addresses occur, making it more difficult to identify the current address of the current owner.

Toyota's Out-of-Control Gas Pedals, cost of the blunder $5 billion

Page 11: Connected Car Security

Will Autonomous Cars Be the Insurance Industry’s Napster Moment ?

Autonomous vehicles will make commuting a lot safer. Consumers have to pay out a lot less money with the lower number of claims, but premiums will necessarily drop as well and the overall amount of money within the car insurance system will dwindle. One opportunity for the industry could be selling more coverage to carmakers and other companies developing the automated features for cars. When the technology fails, manufacturers could get stuck with big liabilities that they will want to cover by buying more insurance. There's also a potential for cars to get hacked as they become more networked.

Page 12: Connected Car Security

1996+ : Year the Matrix Started.

Modern automobiles are laced with a number of microcontrollers and sensors that monitor and control everything from the throttle position to the ambient air temperature. These devices typically communicate over a wired in-vehicle network like a CAN bus. CAN bus is one of five protocols used in the on-board diagnostics (OBD)-II vehicle diagnostics standard.

The OBD-II standard has been mandatory for all cars and light trucks sold in the United States since 1996

Page 13: Connected Car Security

Network technology existed in E/E architecture
Mix of low data rate control or high-cost/proprietary solutions

Low data rate control:

Technology | Data Rate | IP Ownership | Media | Topology | Usage
LIN | 40kbps | LIN Consortium | Single wire | P2P | Body electronics
CAN | 1Mbps | ISO-11898, Bosch | UTP | Shared | Power train (Engine, transmission, ABS)
CAN-FD | 2.5Mbps | Bosch | UTP | Shared | Power train (Engine, transmission, ABS)
FlexRay | 10Mbps | ISO-17458, FlexRay Consortium | UTP | Shared | High-perf power train (Safety, drive-by-wire, active suspension, ACC)

High cost/proprietary:

Technology | Data Rate | IP Ownership | Media | Topology | Usage
MOST | 150Mbps | SMSC | POF | Ring | Infotainment
FPDLink LVDS | 655Mbps – 3Gbps | TI/National | Shield coax | P2P | Camera/display

Page 14: Connected Car Security

Network Technology

Page 15: Connected Car Security

Connected through Gateway.

Page 16: Connected Car Security

Endangerment of selected automotive bus systems

Page 17: Connected Car Security

CANBUS

Page 18: Connected Car Security

CAN Topology

Two twisted differential wires, CAN high and CAN low, with two termination resistors of 120 ohm each. The bus has a maximum signaling rate of 1 Mbps at a bus length of 40 m, with a maximum of 30 nodes.

http://www.cowfishstudios.com/blog/canned-pi-part1

Page 19: Connected Car Security

CAN specifies only the two basic layers: Data Link and Physical layer.

Only 2 Layers

Page 20: Connected Car Security

CAN Frames

Page 21: Connected Car Security

CanMessage

Page 22: Connected Car Security

CANBUS-FD

Page 23: Connected Car Security

Packet Size

Page 24: Connected Car Security

CAN FD : Flexible DataRate

Page 25: Connected Car Security

Honda’s CAN Network (Manufacturer Specific)

Page 26: Connected Car Security

FLEXRAY

Page 27: Connected Car Security

FlexRay Architecture : 10Mbps Time and Event Triggered Protocol

Clock Synchronization

Combined Topology (Bus and Star)

Page 28: Connected Car Security

FlexRay Architecture

FlexRay Host Controller
•  Executes the main application
•  Decides what needs to be sent to the Communication Controller

FlexRay Communications Controller
•  Realizes all functions of the FlexRay protocol
•  Channel between Bus Driver and Host Controller

FlexRay Bus Guardian
•  Prevents the node from sending and receiving outside its time slots
•  Recognizes synchronization and communication errors
•  Monitors changes in the supply which could cause defects in the bus
•  Important for the fault tolerance of FlexRay

FlexRay Bus Driver
•  Sends/receives data from the bus

Page 29: Connected Car Security

Automotive Open System Architecture

•  A global partnership of carmakers, car component, electronics, semiconductor and software industries founded in 2003.
   -  Defines methodology that supports distributed, function driven development process
   -  Standardizes the Software Architecture for ECUs
•  9 Core Partners
   -  BMW, Bosch, Continental, Daimler, Ford, General Motors, Peugeot, Toyota, and Volkswagen
•  About 50 Premium Members
   -  OEMs: e.g. Fiat, Honda, Hyundai, Mazda, Porsche, Renault, TATA
   -  Tier1s: e.g. Delphi, DENSO, Magneti Marelli, Valeo
   -  Tool providers: e.g. dSPACE, Elektrobit, ETAS, TTTech, Vector
   -  Chip manufacturers: e.g. Freescale, Infineon, Renesas
•  About 90 Associated Members
•  About 20 Development Members
•  Current Status
   -  Recent Version (Release 4.2 – Oct 2014) consists of 100+ Specifications and 80 related documents

Page 30: Connected Car Security

Automotive Open System Architecture

Page 31: Connected Car Security

AutoSAR Vision : standardized architectures and interfaces

Page 32: Connected Car Security

AutoSAR Basic Architecture

Page 33: Connected Car Security

AutoSAR with VFB (Virtual Function Bus)

Page 34: Connected Car Security

AUTOSAR Layered View with CSM

http://www.autosar.org/specifications/release-42/software-architecture/safety-and-security/

Page 35: Connected Car Security

Software components for encrypted transmission

Page 36: Connected Car Security

Japan Automotive Software Platform and Architecture

Page 37: Connected Car Security

Japan Automotive Software Platform and Architecture

Page 38: Connected Car Security

Japan Automotive Software Platform and Architecture

Page 39: Connected Car Security

OBD2 Reader Car Diagnostic Tool

Price: $17.95 & FREE Shipping http://www.amazon.com/Reader-Diagnostic-Check-Engine-Light/dp/B004IV58AY Price: $99.95

Torque is an OBD2 performance and diagnostic tool for any device that runs the Android operating system. It will allow you to access the many sensors within your vehicles Engine Management System, as well as allow you to view and clear trouble codes.

Page 40: Connected Car Security

CAN-Bus Shield

Page 41: Connected Car Security

Plugin Ecosystem

Page 42: Connected Car Security

SocketCAN

SocketCAN is a set of open source CAN drivers and a networking stack contributed by Volkswagen Research to the Linux kernel.

Page 43: Connected Car Security

SocketCAN

    # ip link set can0 type can bitrate 500000 listen-only on
    # ip link set can0 up
    # candump -cae can0,0:0,#FFFFFFFF

    vdesi@vdesi:~$ candump -cae any,0:0,#FFFFFFFF
    can0 440 [8] 40 00 80 00 00 00 00 00 '@.......'
    can0 442 [8] 42 00 80 00 00 00 00 00 'B.......'
    can0 440 [8] 40 01 80 00 00 00 00 00 '@.......'
    can0 620 [8] 10 80 00 00 00 40 00 80 '.....@..'
    can0 442 [8] 42 01 80 00 00 00 00 00 'B.......'
    can0 440 [8] 42 02 00 00 00 00 00 00 'B.......'
    can0 442 [8] 40 02 00 00 00 00 00 00 '@.......'
    can0 440 [8] 42 02 00 00 00 00 00 00 'B.......'
    can0 620 [8] 10 00 00 00 00 40 00 80 '.....@..'
    can0 442 [8] 40 02 00 00 00 00 00 00 '@.......'

    canplayer < candump-2015-08-02_120603.log & mplayer VDESI0012.AVI -ss 1:17

Canberry V 1.1
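
A passive monitoring sketch for the capture above, as an added example that is not part of the original slides: it parses the candump lines shown on this slide, learns which IDs, lengths and varying byte positions occur, and flags frames that deviate. The function names and the frames passed to the check in the demo are constructed for illustration, and a ten-frame baseline is far too small for real use.

```python
import re

# Frames copied from the candump output on the slide: interface, ID, [DLC], data.
SLIDE_DUMP = """\
can0 440 [8] 40 00 80 00 00 00 00 00 '@.......'
can0 442 [8] 42 00 80 00 00 00 00 00 'B.......'
can0 440 [8] 40 01 80 00 00 00 00 00 '@.......'
can0 620 [8] 10 80 00 00 00 40 00 80 '.....@..'
can0 442 [8] 42 01 80 00 00 00 00 00 'B.......'
can0 440 [8] 42 02 00 00 00 00 00 00 'B.......'
can0 442 [8] 40 02 00 00 00 00 00 00 '@.......'
can0 440 [8] 42 02 00 00 00 00 00 00 'B.......'
can0 620 [8] 10 00 00 00 00 40 00 80 '.....@..'
can0 442 [8] 40 02 00 00 00 00 00 00 '@.......'
"""

LINE_RE = re.compile(r"^\s*(\S+)\s+([0-9A-Fa-f]{3,8})\s+\[(\d+)\]((?:\s+[0-9A-Fa-f]{2})*)")

def parse_line(line):
    """Return (iface, can_id, data), or None if the line is not a data frame."""
    m = LINE_RE.match(line)
    if not m:
        return None
    data = bytes.fromhex(m.group(4))          # fromhex skips the spaces
    if len(data) != int(m.group(3)):          # truncated or malformed line
        return None
    return m.group(1), int(m.group(2), 16), data

def parse_dump(text):
    return [f for f in map(parse_line, text.splitlines()) if f]

def learn(frames):
    """Per ID: expected length, first payload seen, byte positions seen to vary."""
    base = {}
    for _, cid, data in frames:
        e = base.setdefault(cid, {"dlc": len(data), "first": data, "varying": set()})
        if len(data) == e["dlc"]:
            e["varying"] |= {i for i, (a, b) in enumerate(zip(e["first"], data)) if a != b}
    return base

def check(base, cid, data):
    """Return a list of findings for one observed frame (empty list = as expected)."""
    e = base.get(cid)
    if e is None:
        return ["unknown-id"]
    if len(data) != e["dlc"]:
        return ["dlc-mismatch"]
    return [f"constant-byte-changed:{i}"
            for i, (a, b) in enumerate(zip(e["first"], data))
            if a != b and i not in e["varying"]]

if __name__ == "__main__":
    baseline = learn(parse_dump(SLIDE_DUMP))
    # Constructed test frames, not taken from any vehicle.
    for cid, payload in [(0x440, "4202000000000000"), (0x123, "00"),
                         (0x620, "1080000000400000")]:
        print(hex(cid), check(baseline, cid, bytes.fromhex(payload)) or "ok")
```
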

Page 44: Connected Car Security

The general purpose Controller Area Network swiss army knife / development platform.

Canb.US Triple (3 CAN Controllers)

Read and Dispatch CAN packets Bluetooth 4.0 LE Programmable and Open

79.00 USD

Page 45: Connected Car Security

https://github.com/CANBus-Triple/CANBus-Triple

Page 46: Connected Car Security

“In the midst of chaos, there is also opportunity” ― Sun Tzu, The Art of War

“The art of war is of vital importance to the State. It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no account be neglected.” ― Sun Tzu, The Art of War

Page 47: Connected Car Security

Ethernet Becoming a Standard

Ethernet is now being considered as a replacement for legacy bus protocols such as MOST and FlexRay by car OEMs including BMW and Hyundai.

“Ethernet could be the catalyst for bringing the automotive industry a step closer to connected vehicles,” says Frost & Sullivan Senior Research Analyst, Divya Krishnamurthy.

Broadcom has helped set up the OPEN Alliance special interest group (SIG) to promote BroadR-Reach as a de facto automotive Ethernet standard.

CAN network doesn’t have enough capacity to carry the encryption overhead necessary to carry and protect messages effectively. From both angles, performance and security, we see a role for Ethernet in the eco networks
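
The capacity point above, shown for message authentication in an added example that is not from the original slides: a truncated MAC plus a freshness byte is packed into the data field of a classic CAN frame (8 bytes) and of a CAN FD frame (64 bytes). The field layout, HMAC-SHA-256 as the MAC, the demo key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(16))   # constructed demo key; a real ECU would hold it in protected storage
CLASSIC_CAN, CAN_FD = 8, 64   # maximum data-field sizes in bytes

def _tag(key, can_id, counter, signal, mac_len):
    # MAC covers the ID and the full counter, so a frame cannot be moved or replayed.
    msg = struct.pack(">IQ", can_id, counter) + signal
    return hmac.new(key, msg, hashlib.sha256).digest()[:mac_len]

def protect(key, can_id, signal, counter, mac_len, frame_len):
    """Assumed layout: signal || low byte of counter || truncated MAC."""
    if len(signal) + 1 + mac_len > frame_len:
        raise ValueError("signal + freshness + MAC do not fit the data field")
    return signal + bytes([counter & 0xFF]) + _tag(key, can_id, counter, signal, mac_len)

def verify(key, can_id, field, last_counter, sig_len, mac_len):
    """Return (signal, counter) if the frame is authentic and fresh, else None."""
    if len(field) < sig_len + 1 + mac_len:
        return None
    signal, low = field[:sig_len], field[sig_len]
    tag = field[sig_len + 1:sig_len + 1 + mac_len]
    # Rebuild the full counter: smallest value above last_counter with this low byte.
    counter = (last_counter & ~0xFF) | low
    if counter <= last_counter:
        counter += 0x100
    if not hmac.compare_digest(tag, _tag(key, can_id, counter, signal, mac_len)):
        return None          # forged, modified, or replayed (stale counter)
    return signal, counter

def payload_room(frame_len, mac_len):
    """Bytes left for application data after 1 freshness byte and the MAC."""
    return frame_len - 1 - mac_len

if __name__ == "__main__":
    # Classic CAN: a 3-byte (24-bit) tag already costs half of the frame.
    frame = protect(KEY, 0x440, b"\x40\x00\x80\x00", 6, mac_len=3, frame_len=CLASSIC_CAN)
    print(frame.hex(), "room:", payload_room(CLASSIC_CAN, 3))
    print("fresh :", verify(KEY, 0x440, frame, 5, 4, 3))
    print("replay:", verify(KEY, 0x440, frame, 6, 4, 3))
    # An 8-byte tag cannot fit at all on classic CAN, but leaves 55 bytes on CAN FD.
    print("CAN FD room with 8-byte MAC:", payload_room(CAN_FD, 8))
```
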

Page 48: Connected Car Security
Page 49: Connected Car Security

78% of car owners will demand connected features in their next vehicle

Page 50: Connected Car Security

Diversity and complexity of ADAS applications
Demands high-performance and flexible compute platform

Vision
•  Rear View Camera
•  Vision Enhancement
•  Auto dimming headlights
•  Blind Spot Detection
•  360 View
•  Parking Assist
•  Sign Recognition
•  Traffic Signal Detection
•  Lane Detection
•  Rain/Fog Detection
•  Pedestrian Detection
•  Pedestrian Avoidance
•  Eye Focus Detection
•  Driver Monitoring
•  Sign Recognition
•  Vehicle Detection

Audio/Sound
•  Rear Object Detection
•  Parking Assist/Auto Park
•  Voice Recognition
•  Cabin Noise Reduction
•  Emergency Recognition

Radar
•  Front Collision Avoidance Braking
•  Adaptive Cruise Control
•  360 degree Hazard Awareness
•  Rear Collision Detection

Page 51: Connected Car Security

Global Connected Car Market

Page 52: Connected Car Security

V2V : US to push for mandatory car-to-car wireless communications

The government believes vehicle-to-vehicle data links will help improve driver safety, and will push for legislation requiring it in "a future year."

Page 53: Connected Car Security

NHTSA to require backup cameras on all vehicles

Start phasing in on May 1, 2016 models and be at 100% by May 1, 2018.

Page 54: Connected Car Security

Over-the-air software coming soon to your next car

Tesla's OTA upgrade bumped up the all-electric Model S's 0-60mph speed by about one-tenth (0.1) of a second. Tesla CEO Elon Musk tweeted about the upgrade, saying it was an update to the inverter algorithm. An inverter changes direct current electricity to alternating current.

We have a software and firmware team that packages updates. The packages are matched to a VIN [vehicle identification number] to ensure the car has the required hardware to receive all relevant updates

Page 55: Connected Car Security

Autonomous Cars

Uber CEO To Tesla: Sell Me Half A Million Autonomous Electric Cars In 2020

Page 56: Connected Car Security

SECURITY STRATEGY

Protecting Real-world Threats

Page 57: Connected Car Security

ECU Module Consolidation

Adding a new ECU for new features is no longer sustainable. Dedicated processors, memories and other electronic components for new features increase cost and architecture complexity, says Thomas Wendt, Senior Partner in Roland Berger’s North American Automotive Practice. The solution he suggests is module consolidation. This approach would leverage modern technologies to add speed and flexibility to vehicle electronic architectures, while saving cost. The consultancy estimates at average $175 per vehicle for cockpit electronics.

Automotive electronics complexity at tipping point, study warns

http://www.automotive-eetimes.com/en/automotive-electronics-complexity-at-tipping-point-study-warns.html?cmp_id=7&news_id=222904403&vID=35&page=0

Page 58: Connected Car Security

Ethernet streamlines automotive E/E architecture
From low BW, proprietary, control-centric to high BW, standard-based data network

[Diagram: E/E architecture, Current vs. Future. Labels: Gateway, DLC, DCU, CAN, LIN, CAN-FD/FlexRay, MOST, 1TPCE, RTPGE. Domains: Powertrain, Chassis & Safety, Body Electronics, Infotainment, ADAS.]

Standardization
•  Time synchronization
•  QoS
•  Redundancy
•  VLAN isolation
•  Power efficiency
•  PHY

Bandwidth scalability
•  100Mbps – 1Gbps
•  Scales up to 400Gbps

Large eco-system
•  Wide deployment
•  Long-lasting part supply

Low cost
•  Design to drive UTP
•  Volume drives down ASP

Page 59: Connected Car Security

Zero Latency Encryption with FPGAs Secure FlexRay Communication Controller.

With a custom network interface, as in the case of an FPGA-based ECU, we can integrate such data security transparently at the network layer, without affecting the real-time guarantees of the time-triggered protocol

https://scholar.google.com/scholar?biw=1248&bih=714&um=1&ie=UTF-8&lr&q=related:x4ohntcdPq8OpM:scholar.google.com/

Page 60: Connected Car Security

Automotive Security Standards and Projects

Page 61: Connected Car Security
Page 62: Connected Car Security
Page 63: Connected Car Security
Page 64: Connected Car Security
Page 65: Connected Car Security

SECURITY SERVICES

Real Time Threat Analytics for Auto Industry Powered by Cloud / BigData Platform

Page 66: Connected Car Security

Real-Time Security Telemetry Monitoring using BDPaaS

Page 67: Connected Car Security

Real-Time Security Telemetry Monitoring WorkFlow

Page 68: Connected Car Security

Security Processes Risks on Connected Cars

[Diagram: risks mapped onto connected-car components. Components: Service Backend, Dealer, 3rd Parties, Mobile Connect, OBD, Bluetooth, Bus, ECUs, Infotainment, Key.]

Risks shown:
•  Unauthorized remote turn off of car safety
•  Car Safety Exploits
•  Malware
•  Unauthorized Usage of Apps
•  Unauthorized Telediagnostic/Telecoding

Page 69: Connected Car Security

Security Processes Countermeasures protecting Connected Cars

[Diagram: countermeasures mapped onto connected-car components. Components: Service Backend, Dealer, 3rd Parties, WLAN, OBD, Bluetooth, GSM, Bus, ECUs, Infotainment, Key, Car Safety.]

Countermeasures shown:
•  Cryptography
•  Secure Communication
•  Secure Onboard Communication
•  ECU Hardening
•  Security Integration in Development Stages & Enrollment & Service Processes
•  Security Concept / Security Policy Management & Security Lifecycle
•  AV & Secure Proxy
•  Advanced Backend Security
•  SW-Activation with cryptography
•  Telemonitoring
•  Secure Apps & Services with cryptography
•  Security Policy Inspection
•  Pentesting Lifecycle
•  Message Filter / IPS
•  Secure Patch Management via OTA

Page 70: Connected Car Security

THANK YOU

Suresh Mandava, CyberSecurity for IoT/BigData Practice
Aug 4, 2015