[email protected] | ETAS-PSC/SCY4 | © ESCRYPT 2016. All rights reserved, also regarding any disposal, exploitation,
reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Cyber-security for Cars
Motivation and Solutions
Agenda (2016/06/08)
Automotive Basics
• Historical Perspective
Automotive Security
• Motivation, trends
Hardware and Software Security
• EVITA, SHE, HSM
Secure Communications
• AUTOSAR 4.2.1 SecOC
Network Isolation
• Secure gateways
Secure External Communications
• Car-to-car communications
Automotive Basics
Historical Development
From closed systems to interactive communication
Reason: more safety, more efficiency, …
[Figure: timeline from "day before yesterday" through "yesterday" and "today" to "tomorrow"]
Automotive Basics
Software Complexity
Today, a modern premium-class vehicle executes complex software on 70 to 100 μP-based ECUs, realizing up to 3000 individual functions with approx. 100 million LOC*.

Million Lines of Code (LOC) for different products:
Product                   | Million LOC
OpenSSL                   | 0.5
F-22 Raptor               | 1.7
F-35 Joint Strike Fighter | 5.7
Boeing 787 Dreamliner     | 6.5
Linux Kernel 3.6          | 15.9
Windows Server 2003       | 50
Mac OS X 10.4             | 86
Premium-class vehicle     | 100

Assuming NASA error rates (1 defect per 10,000 LOC) results in approx. 10,000 SW defects for a modern premium-class vehicle.
* Figures according to [IEEE09] and [LOC]
Automotive Security
Example from Black Hat 2015
[Figure: vehicle network with a head unit (ARM) connected via SPI to a V850 acting as CAN "GW"; the gateway bridges CAN C (powertrain, chassis: EPS, ABS, ACC, Engine, Park assist, …) and CAN IHS (body: Amp, Doors, …)]
① Unauthorized remote reprogramming of the V850 through multiple head unit security vulnerabilities
② Control messages sent over the air
Lessons learned: protecting the interfaces alone is no longer sufficient
Automotive Security
Trends and Related Threats
Time horizons: Now | Near future (–2018) | Future (2018–)
Trends:
• ADAS, V2X, automated driving
• Android, iOS; connected vehicle, big data
• FOTA (IVI); FOTA (all ECUs)
• Reprogramming & diagnostics
Related threats:
• Forgery of CAN messages, DoS
• Forgery of V2X messages
• Malicious, full remote control of the vehicle
• Privacy loss, theft of confidential data
• Remote, unauthorized reprogramming of the IVI
• Remote, unauthorized reprogramming of any ECU
• Unauthorized reprogramming
• Conventional hacking
Threat categories (table rows): Automated driving, Connectivity, Diagnostics, Hardware attacks
Legend: Medium impact, High impact
Automotive Security
Prerequisite: Automotive Security Process
Development:
• Risk analysis
• Security concept
• Security requirements
• Secure coding / coding
• Code review
• ECU penetration testing
• Vehicle penetration testing
• Security review
Reference processes: JasPar security process, SAE J3061, VDA security process
Production and aftermarket:
• Secure access, flashing
• HIS security module (flashing), HIS Secure Hardware Extension (key management), ISO 13185
Automotive Security
Four Layers of Security
• Secure individual ECU: protect integrity of software and data
  – Hardware Security Module (HSM)
  – Deeply Embedded Automotive Hypervisor
• Secure in-vehicle network: protect integrity of critical in-vehicle signals
  – Standardized in AUTOSAR release 4.2.1
• Secure E/E architecture: use separation and securely configured gateways to protect functional domains of the E/E architecture
• Secure connected vehicle: vehicle firewalls and security standards for external interfaces
Secure Hardware and Software
EVITA Project
[Figure: application CPU next to an EVITA security extension with its own secure memory, kept apart from normal memory by hardware separation, e.g. memory controller, independent busses]
Landmark European FP7 Project
• On-die "security extension" – to decrease cost and increase security
• No strong tamper resistance – to decrease cost
  – Counterbalanced with key management
• Guaranteed performance – AES for EVITA light and medium
• Automotive grade (unlike TPM) – e.g. temperature, vibrations, safety...
• Derived from EVITA project – Secure Hardware Extension (EVITA light)
  – Bosch Hardware Security Module (EVITA medium)
Secure Communications
AUTOSAR SecOC
[Figure: the sender (e.g. ADAS) appends a counter to the data and computes a MAC with AES over data and counter; each receiver (e.g. brakes, infotainment) recomputes MAC' with AES, checks MAC' =? MAC and checks that the received counter is greater than the last accepted one (counter >?) before accepting the data]
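A worked example of the MAC-plus-counter scheme the slide sketches, added here as an illustration and not code from the slides or from AUTOSAR: the sender appends a truncated freshness counter and a truncated MAC to each PDU; the receiver reconstructs the full counter from its last accepted value, recomputes the tag and accepts only strictly newer PDUs, so a replayed or tampered frame is rejected. The slide names AES; this example uses HMAC-SHA256 from the Python standard library as a stand-in for AES-CMAC so that it runs without third-party packages. The key, data ID, truncation lengths and PDU layout are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example (not AUTOSAR's own values).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed shared key
DATA_ID = 0x0123        # constructed identifier of the secured PDU
FRESHNESS_BITS = 8      # low counter bits actually transmitted on the bus
FRESHNESS_MASK = (1 << FRESHNESS_BITS) - 1
MAC_BYTES = 4           # truncated tag appended to the PDU


def mac_tag(key, data_id, data, freshness):
    """Full tag over (data ID || data || full 64-bit freshness counter).
    HMAC-SHA256 stands in here for the AES-CMAC named on the slide."""
    msg = struct.pack(">H", data_id) + data + struct.pack(">Q", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Sender:
    """Builds secured PDUs: data || truncated counter || truncated MAC."""

    def __init__(self, key, data_id):
        self.key = key
        self.data_id = data_id
        self.freshness = 0  # full counter kept locally

    def build_pdu(self, data):
        self.freshness += 1
        tag = mac_tag(self.key, self.data_id, data, self.freshness)
        return data + bytes([self.freshness & FRESHNESS_MASK]) + tag[:MAC_BYTES]


class Receiver:
    """Verifies secured PDUs and enforces a strictly increasing counter."""

    def __init__(self, key, data_id):
        self.key = key
        self.data_id = data_id
        self.last_freshness = 0  # highest counter value accepted so far

    def verify_pdu(self, pdu):
        """Return the authenticated payload, or None if the PDU is rejected."""
        n = len(pdu) - 1 - MAC_BYTES
        if n < 0:
            return None
        data, trunc_fresh, trunc_mac = pdu[:n], pdu[n], pdu[n + 1:]
        # Reconstruct the full counter: high bits from the last accepted value,
        # low bits from the PDU. If the result is not newer than the last
        # accepted value, the low bits must have wrapped, so step up one window.
        # A replay therefore maps to a counter value the sender never used for
        # this payload, and its tag will not verify.
        candidate = (self.last_freshness & ~FRESHNESS_MASK) | trunc_fresh
        if candidate <= self.last_freshness:
            candidate += 1 << FRESHNESS_BITS
        expected = mac_tag(self.key, self.data_id, data, candidate)[:MAC_BYTES]
        # Constant-time comparison; a tampered payload or a replayed counter
        # both produce a mismatching tag.
        if not hmac.compare_digest(expected, bytes(trunc_mac)):
            return None
        self.last_freshness = candidate  # the "counter >?" check is satisfied
        return data


if __name__ == "__main__":
    tx = Sender(KEY, DATA_ID)
    rx = Receiver(KEY, DATA_ID)
    pdu = tx.build_pdu(b"\x01\x02")     # constructed payload
    print(rx.verify_pdu(pdu))           # b'\x01\x02'
    print(rx.verify_pdu(pdu))           # None: replay rejected
```

The receiver only ever sees the low 8 counter bits, so it tolerates at most 255 lost frames before sender and receiver lose synchronisation; a real deployment chooses the transmitted counter width and a resynchronisation mechanism for the expected loss rate.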
Network Isolation
Secure Central Gateway
[Figure: central gateway connecting OBD, radar, brakes and the telematics unit; two attack paths are shown: a hacked telematics unit attempting to spoof the radar, and a device connected through OBD-II attempting to spoof the radar]
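To make the gateway idea concrete, here is an added example (not code from the slides or from ETAS) of the two controls a securely configured central gateway applies to the scenario in the figure: an allowlist keyed by ingress port and CAN identifier, so that a radar-ID frame arriving from the telematics or OBD port is dropped instead of forwarded to the brakes, and a per-flow rate cap for ports that legitimately need limited access. Port names, CAN identifiers and the routing table are constructed for the example.

```python
from dataclasses import dataclass

# Gateway ports and CAN identifiers are constructed for this example.
PORT_OBD = "obd"              # OBD-II diagnostic connector
PORT_TELEMATICS = "telematics"
PORT_ADAS = "adas"            # bus carrying the radar sensor
PORT_CHASSIS = "chassis"      # bus carrying the brakes

RADAR_OBJECTS_ID = 0x3A0      # constructed ID of the radar object list
DIAG_REQUEST_ID = 0x7DF       # constructed ID used here for diagnostic requests


@dataclass(frozen=True)
class Frame:
    port: str       # ingress port the frame arrived on
    can_id: int
    payload: bytes


# Allowlist: (ingress port, CAN ID) -> egress ports. Anything not listed is
# dropped, so a radar-ID frame injected from telematics or OBD never reaches
# the brakes, whatever its payload looks like.
ROUTES = {
    (PORT_ADAS, RADAR_OBJECTS_ID): frozenset({PORT_CHASSIS}),
    (PORT_OBD, DIAG_REQUEST_ID): frozenset({PORT_CHASSIS, PORT_ADAS}),
}

# Per-flow cap in frames per one-second window, to blunt flooding from a
# diagnostic port that legitimately needs some access.
RATE_LIMITS = {
    (PORT_OBD, DIAG_REQUEST_ID): 5,
}


class SecureGateway:
    def __init__(self, routes, rate_limits):
        self.routes = routes
        self.rate_limits = rate_limits
        self._windows = {}   # (port, id) -> (window start, frames seen in window)
        self.events = []     # audit trail of dropped frames

    def _within_rate(self, key, now):
        limit = self.rate_limits.get(key)
        if limit is None:
            return True
        start, count = self._windows.get(key, (now, 0))
        if now - start >= 1.0:            # window expired, start a new one
            start, count = now, 0
        count += 1
        self._windows[key] = (start, count)
        return count <= limit

    def route(self, frame, now):
        """Return the set of egress ports for a frame (empty set means dropped)."""
        key = (frame.port, frame.can_id)
        egress = self.routes.get(key)
        if egress is None:
            self.events.append(("drop_unrouted", frame.port, frame.can_id))
            return frozenset()
        if not self._within_rate(key, now):
            self.events.append(("drop_rate_limit", frame.port, frame.can_id))
            return frozenset()
        return egress


if __name__ == "__main__":
    gw = SecureGateway(ROUTES, RATE_LIMITS)
    genuine = Frame(PORT_ADAS, RADAR_OBJECTS_ID, b"\x00\x10")
    spoofed = Frame(PORT_TELEMATICS, RADAR_OBJECTS_ID, b"\x00\x10")
    print(gw.route(genuine, 0.0))   # frozenset({'chassis'})
    print(gw.route(spoofed, 0.0))   # frozenset()
    print(gw.events)
```

The clock is passed in explicitly so the rate limiter is deterministic and testable; the dropped-frame events are what a vehicle intrusion-detection function would forward for logging.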
Secure External Communications
Flashing and Diagnostics
[Figure: a secure environment whose server room holds a secure server, an HSM and a database of ECU keys; the dealer reaches the server over the Internet (HTTPS) and authenticates to it before gaining access]
Secure External Communications
Security Concept for Car-to-Car Communications
• Multiple certificates (= identities)
• Signed messages
• n cars in range = 10n signature verifications per second
• Can download new certificates from road-side units
Wrap-up
Holistic Security Approach is necessary!
• Key injection
• Secure diagnostics tester authentication with server
• MAC authentication
• Hardware security
• Firewall
ESCRYPT Worldwide
Service Wherever It Is Needed
Germany
Berlin • Bochum • Munich
Stuttgart • Wolfsburg
Korea
Seoul
Japan
Yokohama
North America
Ann Arbor
China
Shanghai
Camille Vuillaume
ETAS Japan - Embedded Security
Phone: 045-222-0913
Email: [email protected]
www.escrypt.com