Agenda. About TRL. What is the issue? Security Analysis. Consequences of a Cyber attack. Concluding remarks. Page 2

Transcription

1 Security Insert the Vulnerabilities title of your of the presentation Connected here Car Presented Presented by by Peter Name Vermaat Here Principal Job Title ITS - Date Consultant 24/06/2015

2 Agenda About TRL What is the issue? Security Analysis Consequences of a Cyber attack Concluding remarks Page 2

3 TRL Transport Research Laboratory Est (RRL Harmondsworth) Independent Privatised company since staff including many world recognised experts Head office in Crowethorne, UK - Offices in Manchester, Scotland, Wales and the Middle East, Nigeria TRL is an internationally recognised centre of excellence providing world-class research, consultancy, testing and certification for all aspects of transport. TRF, which owns TRL, is a non-profit-distributing foundation with >80 sector members and no shareholders.

4 Page 4 Early research

5 Risk Our Work Simulators Driver behaviour Safety Transportation Certification Blood alcohol Infrastructure Investigations and Risk Management Track Tests Vehicle Safety and Engineering International Development Software TRAFFIC STRESS IN 2016 Environment

6 Page 6

7 What is the issue? Complexity of vehicles has increased dramatically, particularly in the last few years, for example.. Page 7

8 MM Wiring Diagramme Page 8

9 MM Wiring Diagramme Page 9

10 Page 10 Ford Focus 2011

11 Complexity Vehicles becoming externally connected All have access via ODB port, - But this requires physical access Multiple radio channels - Short range (Key access, Bluetooth, TPMS) - Longer range (Cellular, Wi-Fi, ITS G5/WAVE, V2X) - Increasingly connected vehicles provide multiple access opportunities Diverse markets and technologies Increasing loss of control by manufacturers Timescale diversity Page 11

12 Connected vehicle applications Day 1 applications - Hazard Warnings (road works, incidents, weather etc) - ecall - ISA - ADAS, LDWS, ACC - Intelligent parking, logistics - Emergency braking systems Intersection warnings Vulnerable road users Green applications Automated driving - Platooning - Increasing roll-out over time Page 12

13 Security Analysis Communications security - Hackers attempt to Prevent, Intercept or Manipulate communications - Motivated by - Fame/Notoriety/Activism (black hat, anonymous) - Enrichment (cyber criminals, fraudsters) - Damage and destruction (cyber terrorists) Requirements of Secure Communications - Authentication - Confidentiality - Integrity - Availability Page 13

14 Security Analysis Risk analysis the following need to be assessed - Attractiveness of target - Technical weakness - Threat surface entry points to the system - Threat vector how the attack can take place - Cost of attack - Damage which can be inflicted by an attack Defence options - For each vector, consider where attacks can happen and how to mitigate and prevent - Defence options include physical protection, encryption, authentication Page 14

15 Security Analysis - Vulnerabilities Vulnerability Analysis in Literature - A small number of publications directly addressing connected vehicles - Successful hacks so far have largely required physical access - Though BMW remote vulnerability has been found - Researchers have successfully accessed vehicles via GSM - One study concluded connected car no more secure than internet connected computers Page 15

16 Security Analysis - Vulnerabilities Components - Back doors, OBD port Data - Who owns data collected by vehicles? - Personal information may not be collected - Individual and cooperating vehicles - Automated driving - Financial manipulation - Traffic disruption Vehicle peripheral devices - Remote locking, use of increasingly sophisticated attacks Infrastructure - Potential for misinformation - ecall DDOS Page 16

17 Consequences of Cyber-attack Individual Vehicles - Data - Misinformation - Control, particularly automated driving Plenty of evidence that this is already possible - Key fobs compromise - Attacks into systems Page 17

18 Consequences of Cyber-attack Cooperative vehicles - Data - potential for V2V extraction - Misinformation could be used to gain individual advantage, disrupt traffic flow - Control potential for serious incidents First significant cooperative systems close to reality Page 18

19 Consequences of Cyber-attack Infrastructure - Data - Misinformation, particularly probe vehicle data - Control, particularly as infrastructure becomes dynamically controlled Some scope for financial gain Page 19

20 Concluding remarks Feasibility of remote access has been demonstrated Future connected car solutions are evolving rapidly (Apple CarPlay, Google Auto..) Vehicle manufacturers losing control of the electronic subsystems within the vehicle Specific areas of concern: - Threats to platooning vehicles - Threats to infrastructure as a result of V2I - ecall vulnerabilities and variants - Uses of data collected from vehicles Page 20

21 Do You Have Any Questions? Page 21

22 Thank you Cooperative vehicles ETSI Security Week Presented by Peter Vermaat Principal ITS Consujtant Tel: Page 22