Security issues related to the future Networked Car

Koji Nakao
Distinguished Researcher, Cybersecurity Research Institute, NICT

Collaboration on ITS communication standards (Geneva, Switzerland, 8 March 2019)

Reference Model to be used for Vehicle Threats assessment (discussed in UNECE WP29-TFCS)

IoT era

Classification of IoT business (services)

Figure: matrix with the axes Managed / Un-managed and fixed / movable. Items shown: Electricity, Trains, Critical Infra, Smart Phone, Life Support Robots, Smart Home, Smart City/Town, ATM, Smart Elec. Meter, Smart Health, HEMS, Smart Home Apps, IoT Home GW, Automotive.

ref: Dr. Tokuda, Keio Univ.

SIP: Strategic Innovation Promotion Project by Cabinet Office, Gov. of Japan

Copyright 2018 Connected Consumer Device Security Council Proprietary

IoT Applied Domain in Japan

Res: ITR/2017

Tracking: 1. Automobile, 2. Objects, 3. Human, 4. Livestock

Monitoring / Analysis: 5. Agri-Field, 6. Factory, 7. Home/Building, 8. Shops, 9. Public Facility, 10. Energy Plant, 11. Transport Condition, 12. Truck Operation, 13. Human Health, 14. Livestock, 15. Physical Security, 16. Disaster, 17. Nature Environment

Optimization: 18. Energy Consumption, 19. Factory Production, 20. Supply-Chain, 21. Delivery Route

New Services: 22. Sharing service, 23. Wearable Device, 24. Smart Product, 25. Connected Car, 26. Smart/Telematics Insurance, 27. Smart retails, 28. IoT Payment Device

https://www.itr.co.jp/company/press/171012PR.html

Examples for use of IoT in Automotive Environment

- Emergency Report Service “HELPNET”
- Leading Safe Driving “Smiling Road”
- Managing your own driving skills “YouDrive”
- V2V/V2I communication service “ITS Connect”
- IoT Platform Service “Vehicle manager”
- Various Navigation Services “T-Connect”
- Remote Parking System
- Anomaly Detection Service for Automotive

Source: https://itiger.jp/case/643.html

Observation of IoT devices/systems

Worldwide spread infection

• Observed from 218 countries and/or regions

• Especially from Asian Countries

Device categories

Figure labels: IP Camera, DVR

60+ categories of IoT devices are observed. IoT devices and IoT services implemented in vehicle systems can be attack targets. Threats related to IoT in connection with the vehicle environment should be carefully considered.

ITS security standards in ITU-T SG17 (Security)

ITU-T SG17 ITS Recommendations (under development)

X.1373 (rev): Secure software update capability for intelligent transportation system communication devices

X.itssec-2: Security guidelines for V2X communication systems

X.itssec-3: Security requirements for vehicle accessible external devices

X.itssec-4: Methodologies for intrusion detection system on in-vehicle systems

X.itssec-5: Security guidelines for vehicular edge computing

X.stcv: Security threats in connected vehicles

X.edrsec: Security guidelines for cloud-based event data recorders in automotive environment

X.fstiscv: Framework of security threat information sharing for connected vehicles

X.eivnsec: Security guidelines for the Ethernet-based in-vehicle networks

X.mdcv: Security-related mis-behavior detection mechanism based on big data analysis for connected vehicles

X.srcd: Security requirements for categorized data in V2X communication

ITU-T Recommendation X.1373

• Title of Recommendation

– Rec. X.1373 “Secure software update capability for ITS communications devices” (Revision work is on-going)

• Scope

In the context of updates of software modules in the electric devices of vehicles in the intelligent transportation system (ITS) communication environment, this Recommendation aims to provide a procedure of secure software updating for ITS communication devices for the application layer in order to prevent threats such as tampering of and malicious intrusion to communication devices in vehicles. This includes a basic model of software update, security controls for software update and a specification of abstract data format of update software module.

Introduction of Rec. X.1373 “Scope”

Figure labels: Embedded Information Device; Power Management Control ECU; Seat Belt Control ECU; Driving Support ECU; Parking Assist ECU; Skid Control ECU; etc.; Communication Head Unit; Aftermarket Communication Device; Update Server and Log Repository at Car Manufacturer / Garage center; Secure Communication

Functionality of Head Unit

• Status check of ECUs
• Log collection
• In-car diagnosis function

Diagnosis of on-board devices

• Status check of ECUs
• Log collection
• Verification of update module

Communication protocol

• Between Car and Manufacturer / Garage
• Encryption
• Authentication

Functionality of Server

• Stored Data Definition
✓ Auth info
✓ Log Audit
✓ With considerations of privacy concerns

Basic Procedure for OTA Update

1. Request for diagnosis of software status
2. Result of diagnosis with software status
3. Report of results of ECUs in a vehicle
4. Receipt for submission of diagnosis report
5. Request of update module
6. Update module is provided
7. Notification to User (driver) for Updates
8. Confirmation for the update
9. Request for updates to ECUs
10. Results for updates in ECUs
11. Report of application of the update
12. Confirmation from the Update server

Revision work is now started!
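
The message order above, together with the "Verification of update module" function listed for on-board diagnosis, can be enforced as a small state machine. The sketch below is an added example, not code from the presentation or from Rec. X.1373: the step names, the payload/tag layout and the use of an HMAC with a shared demo key in place of the module's real authentication are all assumptions made for illustration.

```python
import hashlib
import hmac

# Short names (assumptions of this example) for the twelve messages of the
# "Basic Procedure for OTA Update" slide, in the order the slide lists them.
STEPS = [
    "diagnose_request", "diagnose_result", "diagnose_report", "report_receipt",
    "update_request", "update_module", "user_notification", "user_confirmation",
    "ecu_update_request", "ecu_update_result", "update_report",
    "server_confirmation",
]

class UpdateSession:
    """Tracks one update run; rejects skipped, repeated or reordered steps."""

    def __init__(self, key):
        self.key = key     # shared demo key; HMAC stands in for module authentication
        self.position = 0  # index of the next expected step

    def handle(self, step, payload=b"", tag=b""):
        if self.position == len(STEPS) or step != STEPS[self.position]:
            raise ValueError(f"unexpected step {step!r}")
        if step == "update_module":
            expected = hmac.new(self.key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, tag):
                raise ValueError("update module failed verification")
        if step == "user_confirmation" and payload != b"accept":
            raise ValueError("driver declined the update")
        self.position += 1
        return self.position == len(STEPS)  # True once the server has confirmed

def run(messages, key):
    """Feed (step, payload, tag) tuples to a session; return (completed, error)."""
    session, done = UpdateSession(key), False
    try:
        for step, payload, tag in messages:
            done = session.handle(step, payload, tag)
    except ValueError as exc:
        return False, str(exc)
    return done, None

def sample_run(module=b"constructed-module-bytes", tag_key=b"demo-key", confirm=b"accept"):
    """Constructed transcript of a complete run, with knobs to break it."""
    tag = hmac.new(tag_key, module, hashlib.sha256).digest()
    payloads = {"update_module": (module, tag), "user_confirmation": (confirm, b"")}
    return [(step, *payloads.get(step, (b"", b""))) for step in STEPS]
```

Because the request to the ECUs is step 9, it can only be reached after the module has verified at step 6 and the driver has accepted at step 8.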

Draft Recommendation X.itssec-2

Security guidelines for V2X communication systems (X.itssec-2) – under development

Scope:

• This Recommendation provides security guidelines for V2X communication systems. V2X (or "vehicle-to-everything") is a generic term comprising the communication modes termed as vehicle-to-vehicle (V2V), vehicle-to-infrastructure (V2I), vehicle-to-nomadic devices (V2ND) and vehicle-to-pedestrian (V2P) discussed in this Recommendation. This Recommendation identifies threats in the V2X communications environment and specifies security requirements for V2X communication systems.

• In-vehicle network/communication is out of scope of this Recommendation.

Image of V2X Communications

Threats in Confidentiality

Threats in Integrity

X.stcv: Security threats in connected vehicles

Under Development: Based on the result of UNECE WP29 TFCS (Recommendation Cybersecurity)

Scope: Recommendation X.stcv describes security threats to connected vehicles (vehicle eco-system), for reference and use in other Recommendations developed by ITU-T. It first specifies the model of a connected vehicle (vehicle eco-system) and identifies security threats to the connected vehicle (eco-system).

This will be completed and determined in September, 2019.

A concept of connected vehicle (vehicle ecosystem)

Content

1. Scope

2. Reference

3. Definitions

4. Abbreviation and acronyms, 5. Convention

6. Model of connected vehicle (vehicle ecosystem)

7. Threats to vehicle systems and ecosystem

7.1 Threats regarding back-end servers

7.2 Threats to vehicles regarding their communication channels

7.3 Threats to vehicles regarding their update procedures

7.4 Threats to vehicles regarding unintended human actions

7.5 Threats to vehicles regarding their external connectivity and connections

7.6 Potential targets of, or motivations for, an attack

7.7 Potential vulnerabilities that could be exploited if not sufficiently protected or hardened

Draft Rec. X.itssec-3

Title: Security requirements for vehicle accessible external devices

Summary

• The purpose of this draft new Recommendation is to standardize security requirements for vehicle accessible external devices in telecommunication network environments.

• This draft new Recommendation provides security threats in vulnerable points like OBD-II port or wireless connectivity and security requirements for vehicle accessible external devices to secure access to the vehicle internal systems and safe usage of their information.

The following figure illustrates a set of assumed interfaces for accessing external devices.

Figure labels: Telematics, Bluetooth, Wi-Fi, SD/USB, OBD, PLC, Internal Gateway, Head Unit (AVN/IVI), Chassis Control, Body Control, Powertrain Control, ADAS, External Gateway. Regions: External communications on Vehicle, Internal communications on Vehicle.

Draft Rec. X.itssec-4

Title: Methodologies for intrusion detection system on in-vehicle systems (under development)

Scope: This new Recommendation aims to provide methodologies for intrusion detection systems on in-vehicle systems. It will include detection models and pattern rules for recognizing the impact and likelihood of threats on vehicle systems by monitoring internal communications in the vehicle. It will also cover classifying and understanding threats on internal communication networks such as CAN, which work with specialized protocols. The Recommendation mainly focuses on internal communications on in-vehicle networks such as CAN, which general IDS cannot support, so that threats affecting communications between ECUs can be detected using various efficient lightweight detection models such as a signature-based model, entropy-based model, self-similarity-based model, hazard survival-based model, etc.
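
One of the lightweight models named in the scope, the entropy-based model, can be sketched as follows. This is an added example and not taken from the draft Recommendation: it assumes the detector sees only the sequence of CAN identifiers, and the identifiers, window size and margin are constructed values.

```python
import math
from collections import Counter

def window_entropy(can_ids):
    """Shannon entropy, in bits, of the CAN identifiers seen in one window."""
    total = len(can_ids)
    return -sum(n / total * math.log2(n / total) for n in Counter(can_ids).values())

def windows(can_ids, size):
    """Split a frame stream into consecutive full windows of `size` frames."""
    return [can_ids[i:i + size] for i in range(0, len(can_ids) - size + 1, size)]

def train(can_ids, size, margin=0.25):
    """Learn mean window entropy from clean traffic; tolerance is the largest
    deviation seen in training plus `margin` bits (an assumed safety margin)."""
    values = [window_entropy(w) for w in windows(can_ids, size)]
    mean = sum(values) / len(values)
    return mean, max(abs(v - mean) for v in values) + margin

def detect(can_ids, size, mean, tolerance):
    """Return (window index, entropy) for windows outside mean +/- tolerance."""
    hits = []
    for index, window in enumerate(windows(can_ids, size)):
        entropy = window_entropy(window)
        if abs(entropy - mean) > tolerance:
            hits.append((index, round(entropy, 3)))
    return hits

# Constructed traffic: a fixed transmit schedule of four made-up identifiers.
SCHEDULE = [0x0C0, 0x1A0, 0x0C0, 0x2B0, 0x0C0, 0x1A0, 0x0C0, 0x3D0]
SIZE = 64
CLEAN = SCHEDULE * 40                                    # five clean windows
SKEWED = [0x000] * 48 + SCHEDULE * 2                     # one identifier dominates
SPREAD = list(range(0x700, 0x720)) + SCHEDULE * 4        # many unseen identifiers
CAPTURE = SCHEDULE * 8 + SKEWED + SCHEDULE * 8 + SPREAD  # windows 0..3

def demo():
    mean, tolerance = train(CLEAN, SIZE)
    return mean, detect(CAPTURE, SIZE, mean, tolerance)

if __name__ == "__main__":
    print(demo())
```

Periodic ECU traffic keeps the identifier distribution, and so the entropy, nearly constant. A window dominated by one identifier falls below the baseline and a window with many new identifiers rises above it, which is why the check is two-sided.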

Draft Rec. X.itssec-5

Title: Security guidelines for vehicular edge computing

Scope: Vehicular edge computing (VEC) is a model that supports the core cloud’s capacity for decentralising the concentration of computing resources in data centers. VEC also provides more localized storage and application services to road users, thereby making it possible to achieve lower latency and faster response times while providing mobility support, location awareness, high availability and Quality of Service for streaming real-time applications, since data processing is conducted closer to the vehicle.

This Recommendation provides security guidelines for vehicular edge computing based on an analysis of the threats and vulnerabilities identified within VEC.

Security issues and standardization

<Security issues under ITS environment>

1. Observe and Analyze “Threats” & “Vulnerabilities” including emerging IoT threats;
2. Detection of injected malware/malfunctions in vehicle;
3. Conducting Threat assessment and risk management (for vehicle eco-system);
4. Establishment of Remote Software/Firmware update (OTA);
5. Research of Appropriate security capabilities (Data confidentiality, Privacy protection, Authentication, Access control, incl. Lightweight crypto)
6. Remote Maintenance (e.g. Remote Kill Switch) including for IoT devices
7. Global Incident handling and Information Sharing capabilities

<For ITS security standardization>

1. Related SDOs should coordinate and collaborate;
2. Threats assessment methodology for Vehicle eco-system can be standardized (not only for threat assessment on Vehicle);
3. Standards can produce a certain level of security requirements which will be related to “Certification of Vehicle and Vehicle eco-system”;
4. Are there any requirements for establishing a global incident handling and information sharing scheme? Do we need a capability of AUTO-ISAC?