Motivation and Solutions - ETAS

Cyber-security for Cars: Motivation and Solutions

[email protected] Public | ETAS-PSC/SCY4 | © ESCRYPT 2016. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.

Post on 10-Apr-2018


Page 1

Cyber-security for Cars

Motivation and Solutions

Page 2: Agenda (2016/06/08)

Automotive Basics
• Historical Perspective

Automotive Security
• Motivation, trends

Hardware and Software Security
• EVITA, SHE, HSM

Secure Communications
• AUTOSAR 4.2.1 SecOC

Network Isolation
• Secure gateways

Secure External Communications
• Car-to-car communications

Page 3

Automotive Basics

Historical Development

From a closed system to interactive communication

Reason: more safety, more efficiency, …

Timeline (figure axis): Day before yesterday, Yesterday, Today, Tomorrow

Page 4

Automotive Basics

Software Complexity

Today, a modern premium-class vehicle executes complex software on 70 to 100 μP-based ECUs, realizing up to 3000 singular functions with approx. 100 million LOC*.

Million Lines of Code (LOC) for different products (figure data, in million LOC):

OpenSSL: 0.5
F-22 Raptor: 1.7
F-35 Joint Strike Fighter: 5.7
Boeing 787 Dreamliner: 6.5
Linux Kernel 3.6: 15.9
Windows Server 2003: 50
Mac OS X 10.4: 86
Premium-class vehicle: 100

Assuming NASA error rates (1 defect per 10,000 LOC) results in approx. 10,000 SW defects for a modern premium-class vehicle.

* Figures according to [IEEE09] and [LOC]

Page 5

Page 6

Automotive Security

Example from Black Hat 2015

Figure: vehicle network with ECUs (EPS, ABS, ACC, Engine, Park assist, Amp, Doors, …) on CAN C (powertrain, chassis) and CAN IHS (body); the head unit contains an ARM processor and a V850 (CAN "GW") connected over SPI.

① Unauthorized remote reprogramming of the V850 through multiple head unit security vulnerabilities

② Control messages sent over the air

Lessons Learned: protecting interfaces is not sufficient anymore

Page 7

Automotive Security

Trends and Related Threats

Figure: matrix of trends and related threats over time (Now / Near future (-2018) / Future (2018-)) for the areas Automated driving, Connectivity, Diagnostics and Hardware attacks. Legend: Medium impact, High impact.

Trends: ADAS, V2X, Automated driving; Android, iOS; Connected vehicle, big data; FOTA (IVI); Reprogramming & diagnostics; FOTA (all ECUs)

Threats: Forgery of V2X messages; Forgery of CAN messages, DoS; Privacy loss, theft of confidential data; Unauthorized reprogramming; Conventional hacking; Malicious, full remote control of vehicle; Remote, unauthorized reprogramming of IVI; Remote, unauthorized reprogramming of any ECU

Page 8

Automotive Security

Prerequisite: Automotive Security Process

Figure: security activities along the life cycle (through Production and Aftermarket):

Activities: Risk Analysis; Security requirements; Security concept; Secure coding / Coding; Code review; Security review; ECU penetration testing; Vehicle penetration testing; Secure access, flashing

Standards and references: JasPar security process, SAE J3061, VDA security process; HIS security module (flashing), HIS Secure Hardware Extension (key management), ISO 13185

Page 9

Automotive Security

Four Layers of Security

• Secure individual ECU: protect integrity of software and data
– Hardware Security Module (HSM)
– Deeply Embedded Automotive Hypervisor

• Secure in-vehicle network: protect integrity of critical in-vehicle signals
– Standardized in AUTOSAR release 4.2.1

• Secure E/E architecture: use separation and securely configured gateways to protect functional domains of the E/E architecture

• Secure connected vehicle: vehicle firewalls and security standards for external interfaces

Page 10

Secure Hardware and Software

EVITA Project

Figure: application CPU next to an EVITA security extension with its own secure memory, kept apart from normal memory by hardware separation (e.g. memory controller, independent buses).

• Landmark European FP7 Project

• On-die "security extension"
– To decrease cost and increase security

• No strong tamper resistance
– To decrease cost
– Counterbalanced with key management

• Guaranteed performance
– AES for EVITA light and medium

• Automotive grade (unlike TPM)
– e.g. temperature, vibrations, safety...

• Derived from EVITA project
– Secure Hardware Extension (EVITA light)
– Bosch Hardware Security Module (EVITA medium)

Page 11

Secure Communications

AUTOSAR SecOC

Figure: ECUs (e.g. ADAS, brakes, infotainment) exchanging authenticated messages. Sender: an AES-based MAC is computed over Data and Counter, and the transmitted message carries Data, Counter and MAC. Receiver: recomputes MAC' with AES over the received Data and Counter and checks MAC' =? MAC; it also checks that the received Counter is greater than the last accepted Counter (Counter >? Counter) before accepting the Data.
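As an added worked example (not code from the slides or from AUTOSAR), the SecOC send/verify flow in the figure: the sender appends a freshness counter and a MAC over data plus counter, and the receiver recomputes the MAC, compares it, and accepts only a counter higher than the last one seen. The slide uses an AES-based MAC; this stand-alone version substitutes HMAC-SHA256 from the Python standard library, and the 16-bit counter, the 32-bit truncated MAC and the demo key are assumed values.

```python
# Added example (not from the ETAS slides): SecOC-style authenticated PDU with a
# monotonically increasing freshness counter and a truncated MAC.
# The slide uses an AES-based MAC; HMAC-SHA256 from the standard library is
# swapped in here so the example runs without extra packages.
import hmac
import hashlib
import struct

MAC_LEN = 4          # assumed configuration: MAC truncated to 32 bits
COUNTER_FMT = ">H"   # assumed configuration: 16-bit big-endian counter
COUNTER_LEN = struct.calcsize(COUNTER_FMT)

# Constructed demo key shared by sender and receiver (never hard-code real keys).
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def build_pdu(key: bytes, data: bytes, counter: int) -> bytes:
    """Sender side: PDU = data || counter || truncated MAC(data || counter)."""
    body = data + struct.pack(COUNTER_FMT, counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class Receiver:
    """Receiver side: verifies the MAC first, then enforces counter freshness."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def verify(self, pdu: bytes):
        """Return (accepted, reason, data); data is None unless accepted."""
        if len(pdu) < COUNTER_LEN + MAC_LEN:
            return False, "truncated PDU", None
        body, tag = pdu[:-MAC_LEN], pdu[-MAC_LEN:]
        data = body[:-COUNTER_LEN]
        (counter,) = struct.unpack(COUNTER_FMT, body[-COUNTER_LEN:])
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return False, "MAC mismatch", None   # forged or corrupted frame
        if counter <= self.last_counter:
            return False, "stale counter", None  # replayed frame
        self.last_counter = counter              # accept and advance window
        return True, "ok", data


def demo():
    """Accept, replay, tamper and wrong-key cases; returns the receiver's verdicts."""
    rx = Receiver(DEMO_KEY)
    pdu1 = build_pdu(DEMO_KEY, b"\x10\x00", 7)   # constructed signal payload
    tampered = b"\xff" + pdu1[1:]                  # same counter/MAC, altered data
    wrong_key = build_pdu(b"\x00" * 16, b"\x10\x00", 9)
    pdu2 = build_pdu(DEMO_KEY, b"\x10\x00", 8)
    return [rx.verify(p)[1] for p in (pdu1, pdu1, tampered, wrong_key, pdu2)]
```

Counter rollover and resynchronisation of the freshness value are outside this example.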

Page 12

Network Isolation

Secure Central Gateway

Figure: a secure central gateway connecting OBD, Radar, Brakes and the telematics unit. Two scenarios: a hacked telematics unit attempting to spoof radar, and a device connected through OBD-II attempting to spoof radar.

Page 13

Secure External Communications

Flashing and Diagnostics

Figure: the dealer connects over the Internet (HTTPS) to a secure server in a server room (secure environment); the server holds a database and an HSM with the ECU keys, and authentication takes place between dealer and secure server.

Page 14

Secure External Communications

Security Concept for Car-to-Car Communications

• Multiple certificates (=identities)

• Signed messages

• n cars in range = 10n signature verifications per second

• Can download new certificates from road-side units

Page 15

Wrap-up

Holistic Security Approach is necessary!

Figure: key injection; secure diagnostics tester authentication with server; MAC authentication; hardware security; firewall

Page 16

ESCRYPT Worldwide

Service Wherever It Is Needed

Germany: Berlin • Bochum • Munich • Stuttgart • Wolfsburg

Korea: Seoul

Japan: Yokohama

North America: Ann Arbor

China: Shanghai

Page 17

Camille Vuillaume

ETAS Japan - Embedded Security

Phone: 045-222-0913

Email: [email protected]

[email protected]

www.escrypt.com