Cyberphysical Systems
No Safety Without Security
EICAR WG 2, 2017, Bonn, Peter Stelzhammer
About Us
▪ Auditing of IT Security Solutions
▪ Detailed, High-quality Test Results
▪ Independent Tests
▪ Leader in Innovation
Our Customers
• Leading IT Security Vendors
• Leading Analysts
• Leading IT Security Magazines
Is there a secure car?
We found at least ONE secure car
▪ It is not safe, but it is secure: no hack is known to date
Hacking is becoming a bigger issue. Fact.
Fifteen of the most hackable and exposed
attack surfaces on a next-generation car.
Ecosystem and infrastructure of the next-generation car
Who to fight
▪ Researchers and hobbyists
▪ Pranksters and hacktivists
▪ Owners and operators
▪ Organized crime
▪ Nation-states
▪ Automotive Industry – can you trust this industry?
Possible vulnerabilities and exposures
▪ Use of a publicly available communication infrastructure
▪ Networking with vehicle on-board systems
▪ Use of applications and services from third-party providers over the Internet
▪ Running security-related applications (such as navigation) and third-party applications in parallel
▪ The control over communication infrastructure and applications in the vehicle thus moves from the vehicle manufacturer to new providers of Internet access and applications.
▪ These circumstances make the vehicle a potential target for known Internet threats such as viruses, worms, Trojans, DoS and buffer-overflow attacks.
Supply Chain Security
▪ No electronic product today is created by a single company. Hardware and software components, development tools, manufacturing, product assembly, and verification testing may all be provided by one or more suppliers.
▪ Counterfeiting of electronic parts and components is a big problem in the automotive industry, with significant product security implications. Supplier quality engineers are a common role in the automotive industry, and supplier security engineers may soon join their ranks.
▪ Cost of security will likely join cost of quality in the decision-making process. Detecting and avoiding infiltration of tainted or counterfeit parts is necessary to maintain the trust and integrity of the security architecture.
▪ More specifically, it is necessary to prevent well-funded criminal or nation-state groups from gaining physical access to hardware used in the car.
Examples
▪ Fake Wi-Fi for OTA and remote control
▪ Fake updates via USB, e.g. entertainment system
▪ Vulnerable 3rd-party software
(Figure: in-vehicle networks – CAN, LIN, FlexRay, Ethernet)
© Trillium
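The common defence against the fake-Wi-Fi and fake-USB update cases listed above is that an ECU accepts an update only after it has authenticated the package, checked that the payload matches the authenticated manifest, and refused anything that is not newer than what is installed. The following is an added example written for this page, not code from Trillium or from any vehicle manufacturer. It uses a keyed MAC with a constructed shared key only to stay within the Python standard library; a real ECU would hold a public signature-verification key in a TPM (cf. ISO/IEC 11889) and verify an asymmetric signature instead. All package contents and version numbers are constructed.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. On a real ECU the verification key lives in a TPM/HSM
# and would normally be a public key for an asymmetric signature; a keyed MAC
# is used here only to keep the example dependency-free.
VENDOR_KEY = b"constructed-demo-key-not-for-production"


def build_package(payload: bytes, version: int, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: describe the payload in a manifest and authenticate the manifest."""
    manifest = {
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"manifest": manifest_bytes, "tag": tag, "payload": payload}


def verify_package(pkg: dict, installed_version: int,
                   key: bytes = VENDOR_KEY) -> Tuple[bool, str]:
    """ECU side: every check must pass before a single byte is written to flash."""
    # 1. Authenticate the manifest first; nothing in an unauthenticated manifest is trusted.
    expected_tag = hmac.new(key, pkg["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, pkg["tag"]):
        return False, "manifest authentication failed"
    manifest = json.loads(pkg["manifest"])
    # 2. Bind the payload to the authenticated manifest (size first, then digest).
    if len(pkg["payload"]) != manifest["size"]:
        return False, "payload size mismatch"
    payload_digest = hashlib.sha256(pkg["payload"]).hexdigest()
    if not hmac.compare_digest(payload_digest, manifest["sha256"]):
        return False, "payload hash mismatch"
    # 3. Anti-rollback: a genuine but old package must not reintroduce fixed bugs.
    if manifest["version"] <= installed_version:
        return False, "version %d not newer than installed %d" % (
            manifest["version"], installed_version)
    return True, "accepted version %d" % manifest["version"]


def demo() -> dict:
    """Run the verifier against one genuine and three hostile packages (all constructed)."""
    firmware = b"constructed firmware image v2"
    genuine = build_package(firmware, version=2)
    # Payload swapped after the manifest was authenticated (fake USB stick / fake Wi-Fi).
    tampered = dict(genuine, payload=b"constructed firmware image v2 + implant")
    # Package built by someone without the vendor key.
    forged = build_package(b"constructed attacker image", version=3, key=b"constructed-wrong-key")
    # A genuine but old package replayed to downgrade the ECU.
    replay = build_package(b"constructed old image v1", version=1)
    return {
        "genuine": verify_package(genuine, installed_version=1),
        "tampered": verify_package(tampered, installed_version=1),
        "forged": verify_package(forged, installed_version=1),
        "replay": verify_package(replay, installed_version=1),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print("%-9s %s  %s" % (name, "ACCEPT" if accepted else "REJECT", reason))
```

The order of the checks matters: the manifest is authenticated before any field in it is read, and the payload is compared against the authenticated digest with a constant-time comparison, so a fake update is rejected before the installer parses or executes any of it.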
OTA – a major attack vector
▪ Tesla's OTA upgrade bumped up the all-electric Model S's 0-60 mph speed by about one-tenth (0.1) of a second.
▪ Tesla CEO Elon Musk tweeted about the upgrade, saying it was an update to the inverter algorithm.
▪ An inverter changes direct current electricity to alternating current.
Remote Controlled Car
Fake Wi-Fi connection needed
Stealth DoS Attack Against CAN Bus
▪ A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks
▪ A security flaw that could affect millions of cars has been identified, with researchers warning that there may be no fix available to protect susceptible vehicles. The exploit works by overloading the so-called CAN, or “car device network”, which connects all of the different aspects of modern vehicles together. With the right code, essential parts of the car’s safety features – such as the airbags or antilock brakes – could be forced offline.
▪ The CAN bus needs to be overhauled
▪ Unfixable for existing cars!!!
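Since the slide's point is that the bus itself cannot be fixed in existing cars, the practical defence is to detect the two symptoms the slide names, overload of the bus and a safety ECU's messages being forced offline, and fail safe. The following is an added example written for this page, not code from the cited researchers or from any vehicle manufacturer. It parses constructed candump-style log lines (socketcan's `(timestamp) iface ID#DATA` text format), raises a FLOOD alert when a window carries more frames than a configured ceiling, and a SILENCE alert when a message that is expected periodically stays away for more than five cycles. The arbitration IDs, cycle times and thresholds in the sample trace are constructed for illustration and are not those of any real vehicle.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# candump-style text log line, e.g. "(0.010000) can0 0C9#0102030405060708".
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<can_id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_frame(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that are not CAN frames."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Timestamps are kept as integer microseconds so window bucketing is exact.
    return {"ts_us": round(float(m["ts"]) * 1_000_000),
            "id": int(m["can_id"], 16),
            "dlc": len(m["data"]) // 2}


def detect_anomalies(lines: List[str], expected_cycle_s: Dict[int, float],
                     window_s: float = 0.1, max_frames_per_window: int = 200) -> List[str]:
    """Defender-side checks on a CAN trace.

    FLOOD   - a window carries more frames than the bus is expected to carry
    SILENCE - a periodic message is missing for more than five of its cycles
    """
    frames = [f for f in (parse_frame(l) for l in lines) if f]
    frames.sort(key=lambda f: f["ts_us"])
    alerts: List[str] = []
    if not frames:
        return alerts
    window_us = int(window_s * 1_000_000)

    # 1. Bus load: count frames per fixed window.
    counts: Dict[int, int] = defaultdict(int)
    for f in frames:
        counts[f["ts_us"] // window_us] += 1
    for w, n in sorted(counts.items()):
        if n > max_frames_per_window:
            alerts.append("FLOOD window=%.1fs frames=%d" % (w * window_us / 1e6, n))

    # 2. Liveness: gaps between consecutive frames of each periodic ID.
    last_seen: Dict[int, int] = {}
    for f in frames:
        cid = f["id"]
        if cid in expected_cycle_s and cid in last_seen:
            gap_s = (f["ts_us"] - last_seen[cid]) / 1e6
            if gap_s > 5 * expected_cycle_s[cid]:
                alerts.append("SILENCE id=0x%03X gap=%.3fs" % (cid, gap_s))
        last_seen[cid] = f["ts_us"]
    # An ID that never came back before the trace ended is also silent.
    end_us = frames[-1]["ts_us"]
    for cid, cycle in expected_cycle_s.items():
        if cid not in last_seen:
            alerts.append("SILENCE id=0x%03X never seen" % cid)
        elif (end_us - last_seen[cid]) / 1e6 > 5 * cycle:
            alerts.append("SILENCE id=0x%03X gap=%.3fs (until end of trace)"
                          % (cid, (end_us - last_seen[cid]) / 1e6))
    return alerts


def build_sample_trace() -> List[str]:
    """Constructed trace: two periodic IDs, with a 100 ms burst of ID 0x000
    during which 0x0C9 stops transmitting. IDs and timings are made up."""
    def fmt(us: int, cid: int, data: str) -> str:
        return "(%.6f) can0 %03X#%s" % (us / 1e6, cid, data)
    lines = []
    lines += [fmt(us, 0x0C9, "0102030405060708") for us in range(0, 500_000, 10_000)]
    lines += [fmt(us, 0x1A0, "00FF") for us in range(0, 800_000, 20_000)]
    lines += [fmt(us, 0x000, "00") for us in range(500_000, 600_000, 200)]  # burst
    lines += [fmt(us, 0x0C9, "0102030405060708") for us in range(600_000, 800_000, 10_000)]
    lines.append("# a comment line the parser must ignore")
    return lines


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_trace(), {0x0C9: 0.010, 0x1A0: 0.020}):
        print(alert)
```

On a real vehicle the expected cycle times come from the manufacturer's message database and the flood ceiling from the bus bit rate; the value of the second check is that it fires on the effect the slide describes (a safety ECU's traffic disappearing) regardless of how the bus was overloaded.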
▪ A Wireless Hack Can Unlock 100 Million Volkswagens and other brands – they can’t fix it
▪ Tesla’s sensor jamming
▪ Hackers Hijack a Big Rig Truck’s Accelerator and Brakes
▪ J1939 open standard
▪ “If you wanted to hijack someone’s car you’d have to know the brand and model and tailor the attack. With trucks, it’s all open, so you can just craft one attack.”
Physical Hacking
Safety and security must be combined
SELF-DRIVING CARS CAN BE HACKED BY STICKERS
University of Washington, University of Michigan, Stony Brook University, and UC Berkeley
Defense
Adopting Existing Standards and Ecosystems
▪ Taking advantage of security standards and best practices: standards and industry best practices, developed in automotive and related fields, can contribute to more secure automotive environments.
▪ Automotive and cybersecurity ecosystems need to engage in discussion and development of best practices for designing, developing, and deploying security solutions. The two ecosystems need to understand the difference between safety and security.
▪ Automotive safety is a probabilistic science with measured and identified risks and components built to mitigate those risks. Production practices and repair practices give customers confidence that the safety mechanisms are in place and operating correctly. Computer security is not probabilistic.
▪ Threats come from a variety of sources, including intentionally malicious and unintentionally malignant. The goal of security therefore is to mitigate threats both before they occur and after they happen. The security landscape has to mitigate these threats over the entire lifecycle of the product, from early design decisions through manufacturing to operation and decommissioning.
Leveraging Standards
▪ ISO/IEC 9797-1: Security techniques – Message Authentication Codes
▪ ISO/IEC 11889: Trusted Platform Module
▪ ISO 12207: Systems and software engineering – Software life cycle processes
▪ ISO 15408: Evaluation criteria for IT security
▪ ISO 26262: Functional safety for road vehicles
▪ ISO 27001: Information Security Management System
▪ ISO 27002: Code of Practice – Security
▪ ISO 27018: Code of Practice – Handling PII / SPI (Privacy)
▪ ISO 27034: Application security techniques
▪ ISO 29101: Privacy architecture framework
▪ ISO 29119: Software testing standard
▪ IEC 62443: Industrial Network and System Security
© Intel
Is it already real? Not now, but….
▪ August 2016: “Two researchers have found that they could plug their laptop into a network cable behind a Tesla Model S's driver's-side dashboard, start the car with a software command, and drive it,” Wired reported.
Wouldn't you see that if you were in the driver's seat?
▪ No hacker has ever taken remote control of a stranger's car. Not once. It's extraordinarily difficult to do. It takes teams working full-time to find a way to do it. So far.
▪ We can’t prevent this, but we can make it more difficult.
All car models will be hacked, period
▪ Sources:
▪ TrendMicro
▪ Intel Security
▪ Trillium
▪ Brian Krebs
▪ University of Washington and University of Innsbruck
▪ If we missed you as a source, let us know and we will add you immediately.