Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Similar documents
Trusted Platform Modules Automotive applications and differentiation from HSM

Cyber security of automated vehicles

SW-Update. Thomas Fleischmann June 5 th 2015

Market Trends and Challenges in Vehicle Security

Cyber security mechanisms for connected vehicles

Connecting Securely to the Cloud

Flash Bootloader. Product Information

Diagnostic Trends 2017 An Overview

Introducing Hardware Security Modules to Embedded Systems

Countermeasures against Cyber-attacks

MIGRATING TO CAN FD. Tony Adamson. Marketing Director CAN / LIN / FlexRay

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Scalable and Flexible Software Platforms for High-Performance ECUs. Christoph Dietachmayr Sr. Engineering Manager, Elektrobit November 8, 2018

How Security Mechanisms Can Protect Cars Against Hackers. Christoph Dietachmayr, CIS Solution Manager EB USA Techday, Dec.

Connected Car Solutions Based on IoT

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Automotive Security An Overview of Standardization in AUTOSAR

Securing IoT devices with STM32 & STSAFE Products family. Fabrice Gendreau Secure MCUs Marketing & Application Managers EMEA Region

Automotive Gateway: A Key Component to Securing the Connected Car

Architecture concepts in Body Control Modules

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

Security in NVMe Enterprise SSDs

Security of Embedded Hardware Systems Insight into Attacks and Protection of IoT Devices

M2MD Communications Gateway: fast, secure, efficient

M2MD Communications Gateway: fast, secure and efficient

PREEvision Technical Article

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

TPM v.s. Embedded Board. James Y

Secure Product Design Lifecycle for Connected Vehicles

Creating Trust in a Highly Mobile World

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Securing the Connected Car. Eystein Stenberg CTO Mender.io

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

13W-AutoSPIN Automotive Cybersecurity

Secure automotive on-board networks

Automotive Security: Challenges and Solutions

Diagnostic Use Cases V

A NEW CONCEPT IN OTA UPDATING FOR AUTOMOTIVE

Trojan-tolerant Hardware & Supply Chain Security in Practice

ARM Security Solutions and Numonyx Authenticated Flash

Presentation's title

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Fast Firmware Updates Over-the-Air Mechanisms to speed up ECU updates in the vehicle

OFF-ROAD VEHICLE DIAGNOSTICS WITH AUTOSAR. Jigar Patel Namdeo Dhawle July 18, 2018

Security enhancing CAN transceivers. Bernd Elend Principal Engineer March 8 th, 2017

Securing the future of mobility

Security in Automotive Applications

Cisco Desktop Collaboration Experience DX650 Security Overview

NC1701 ENHANCED VEHICLE COMMUNICATIONS CONTROLLER

Open Source in Automotive Infotainment

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

OTA and Remote Diagnostics

Securing Vehicle ECUs Update Over the Air

Automotive Cybersecurity: A steep learning curve

Efficient testing of ECUs despite Security

MASP Chapter on Safety and Security

Cyber Security and Vehicle Diagnostics. Mark Zachos DG Technologies

Easy Incorporation of OPTIGA TPMs to Support Mission-Critical Applications

Using a Certified Hypervisor to Secure V2X communication

Atmel Trusted Platform Module June, 2014

Cryptography and the Common Criteria (ISO/IEC 15408) by Kirill Sinitski

CardOS Secure Elements for Smart Home Applications

AUTOSAR proofs to be THE automotive software platform for intelligent mobility

10 th AUTOSAR Open Conference

Security in NFC Readers

Automotive Cyber Security

How Microcontrollers help GPUs in Autonomous Drive

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1

Smart Antennas and Hypervisor: Enabling Secure Convergence. July 5, 2017

OpenWay by Itron Security Overview

1. OVERVIEW RELEASE ITEMS HOW TO APPLY ADDITIONAL FUNCTIONS AND CHANGE FUNCTIONS FROM PREVIOUS EDITION...

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Automotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Car2Car Forum Operational Security

ITU activities on secure vehicle software updates

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

European Conference on Nanoelectronics and Embedded Systems for Electric Mobility. Automotive Ethernet The Road Ahead

Resilient IoT Security: The end of flat security models

Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide

Create, Embed, Empower. Crevavi Technologies Company profile

PKI Credentialing Handbook

Preventing External Connected Devices From Compromising Vehicle Systems Vector Congress November 7, 2017 Novi, MI

High-Speed Reprogramming and Calibration with CAN FD: A Case Study

Titan silicon root of trust for Google Cloud

M2351 Security Architecture. TrustZone Technology for Armv8-M Architecture

Trusted Platform Module explained

ARM Moves Further Into Automotive with NXP's Launch of S32K Series to the General Market

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

DesignWare IP for IoT SoC Designs

ESOA > The Connected Automobile. Connected Automobiles Market Overview Paul Gudonis, Global Network & Services

Automotive OTA The potential and the challenge

Authentication Technology for a Smart eid Infrastructure.

CSPN Security Target. HP Sure Start HW Root of Trust NPCE586HA0. December 2016 Reference: HPSSHW v1.3 Version : 1.3

Area Covered is small Area covered is large. Data transfer rate is high Data transfer rate is low

Total No. of Questions : 09 ] [ Total No.of Pages : 02

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

The Adaptive Platform for Future Use Cases

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

Transcription:

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen Axel Freiwald 1/2017

All OEMs Will Implement Software OTA As Soon As Possible IHS Study Motivation: Save on recalls caused by software bugs Evolution not Revolution: Implement into vehicle s network with as little changes as possible Wireless SOTA Revenue Cost Savings per Year Functional SOTA Update Revenue SOTA Royalty Revenue Challenges: Cyber Security Safety 2

Secure OTA Architecture A brief explanation Step 1: Download while driving Software download to central storage Unnoticed by the customer Vehicle shall be at any time safe and operational Auto Apps Software Update Security Updates Performance Upgrade Step 2: Update from central storage After customer approval In the background or at key-off Permissible update time (100s to 15min) Confirmation to Backend Safety and security must be ensured throughout the process 3

Evolutionary Software OTA Flow From Software Development to Vehicle Reboot Transport via Internet Service pack at OEMs update server Formatting for Update Handling Generate and release new Software version transport Over The Air Telematics unit TCU Receive and decrypt from secure wireless protocol Download service pack Check OEM authenticity Setup encryption services Service pack stored in vehicles central storage Verify data Unpack for ECUs Updating the vehicle i.e. using UDS Start UDS programming session Send service packs to ECUs in small blocks using UDS protocol (UDS, ISO 14229-1:2013) Update inside ECUs: Secure Flash Bootloader and HSM Erase Flash Decrypt and unzip blocks (end to end protection) Write new code into Flash Update and verify signatures (HASH) Reboot the vehicle with new SW versions Exit update mode Restart all ECUs within the car 4

Secure Update: OTA vs OBD Equal Basics for both flows to update ECUs via OBD or OTA : Precondition: The new SW version must meet all legal requirements (Fahrzeugfreigabe). The service pack is distributed from the OEMs server via the internet. ECUs receive the commands and service packs via their bus interfaces i.e. in UDS format. Inside the ECUs the functions for updating software are handled by e.g. the Secure FLASH Bootloader Restrictions: o Not all code can get updated. i.e. the secure FLASH Bootloader itself is excluded. o For multiple ECU updates all updates must be successful. Partially updated vehicles are not allowed to drive. Differences OTA to OBD updates: With OBD updates the external diagnostic tool provides the update service. With OTA the update service must be implemented inside of the vehicle. OTA updates shall get started by drivers without technical background. Special safety measures apply to ensure that nobody gets harmed during and after the update. The update flow must be power fail prove. Long update times are more vulnerable for power fails. LAN Diagnostic Tool = UDS Update client OBD UDS ECU ECU UDS Onboard Diagnostic Service 5

SW OTA Comes Along With Security Threats Security Threats are Safety Threats Cloud connections are typically active all the time and thus OTA interfaces are potentially accessible for hackers. SW OTA services provide doors for attacks which might endanger the operation of vehicles. Typical examples: Functional changes, Tuning, Trojans Already the potential to attack vehicles is threatening Tier1s, OEMs and politicians. https://www.youtube.com/watch?v=mk0srxbc1xs 6

Protection and Safety Interests for OEMs and Tier1s transport OEM targets: vehicle and server protection and safety responsibility Certified Signatures vehicle level: Secure Update Service Tier1 targets: ECU-IP protection and safety responsibility Encrypted SW Secure HASH ECU level: Secure Flash Boot Loader End to End Protection Required 7

Security is a global system requirement The whole process must be secured from all sides Keys and passwords must get especially protected Extra trust zones for key storage and key management: Vehicle: TPM and HSM OEM & Tier1: security server All parties involved with key handling are requested to have high security levels. OEMs and Tier1s challenge: production and service 8

SOTA Flow Security Elements From Infineon Service Authentication Mutual authentication between car and OEM update server Encrypted transport channel OPTIGA TPM Verification and Central Storage Service Pack reception 1 st verification Store in car s central memory HSM Update of Target ECU Service Pack reception 2 nd verification Flashing of code memory HSM 9

Firewall Trust Zone: Hardware Security Module (HSM) AURIX TC3xx: Full compliant TriCore0 TriCore1 Flash HSM 32-bit CPU Sec APP Security CPU Sec APP AES RNG ECC Sec RSA APP sec APP HSM SRAM 96kB Boot ROM Hardware Security Module (HSM) SRAM Peripherals Bridge Peripherals Peripherals AES 128 PKC ECC256 HASH SHA 2 TRNG Timer Trusted Execution Environment A highly flexible and programmable solution HW accelerator matching performance for automotive protocols: AES128 PKC ECC-256 SHA224/256 Crypto- and Algorithm Agility by Software AIS31 compliant 128bit True Random Number Generator (TRNG) with high Random Entropie over Lifetime 10

OPTIGA TPM Trusted Platform Module Temper proof design and architecture: CC EAL4+ certified Individual private key by hardware Unlimited number of asymmetric /symmetric keys Certified true random number generator TRNG: AIS31 TPM use case in vehicles: Main trusted anchor for the vehicle Asymmetric cryptography in authentication services Central generation, storage, and processing of individual keys for the vehicle including production and service Flexible Authorization mechanisms to protect against duplication/misuse OPTIGA TPM TPM use case in SOTA process: Mutual authentication of vehicle with OEMs servers Key generation (SHA) 11

Secure SW OTA Front End Security Elements and Formatting Step 5: Over The Air Update download is established by Provision of authentication and encryption services File of service pack is formatted and encrypted for wireless data transport Step 4: Service pack into update server OEM For updating multiple ECUs in one operation all individual UDS service packs of all effected ECUs are integrated to one package Service pack is signed with OEM signature Service pack is loaded into update server as one file SW update server signed service pack keys OTA security server signature OEM security server Step 3: UDS Formatting Individual service pack is wrapped to get handled by the protocol of the Unified Diagnostics Services (UDS, ISO 14229-1:2013) individual service pack UDS formatted Step 2: Formatting for Secure Flash Bootloader zip encrypt sign with keys and signatures from Tier1 ECU specific individual service pack individual service pack keys signature Tier1 security server Step 1: Engineering New software version for ECU Verified and released TIER1 files from tools new SW 12

Paradigm Shift: Vehicles Get Attacked Every Day. The Task Is To Reduce The Damage Security risk mitigation: successful hacks must not endanger the whole fleet Individual keys for each vehicle - No fleet keys The number of persons who can see the keys shall go down to zero. Keys shall get generated and distributed automatically within a secure environment without personal interaction of people. Automatic key and password change Frequent change of keys: successful attacks do not get control for a long time Session keys for data transport Use of intermediate keys for production and service Transport keys Service keys 13

OTA Overview And Example For 4MB Updates Typical network topology (Background Slide) OBD Infotainment ETH Ethernet ca.16s for 4MByte 1) 50% Dynamic segment usage 2) ISO CAN FD, 64 Bytes data field, 2 MBaud, 50% bus load 3) Classical CAN, 8 Bytes data field, 500 kbaud, 50% bus load 4) Bandwidth depending on used protocol e.g. UCP or TCP/IP 5) AURIX TM, 65nm generation Telematics Unit e.g. TC29x Comfort CAN TC23x TC2xx CAN-FD Chassis Modem TPM Central Gateway FlexRay (or CAN) EPS e.g. TC23x ABS e.g. TC23x CAN ca.290s for 4MByte Central Storage FlexRay ca.30s for 4MByte Drive Train CAN-FD EMS e.g. TC27x TCU e.g. TC27x Cellular Update Roof Antenna CAN-FD ca. 66s for 4MByte 1. Bus-Transfer (4MByte) Usable Date Rate 1) FlexRay (10MBit/s): ca. 300 KByte/s ca. 13,6s 2) CAN-FD (2MBit/s): ca. 88,5 KByte/s ca. 47,4 s 3) CAN (500kBit/s) : ca. 16,8 KByte/s ca. 250s 4) Ethernet (100MBit/s): ca. 5-10 MByte/s ca. 1 s 2. Processing & Reprogramming inside ECU (4MByte) AES-128 Hash: ca. 0,16s and + Erase 5) : ca. 8s and + Programming: ca. 4s (5V burst mode) 1. + 2. + 10% communication overhead (e.g. for 8KByte block transfer) 14

Three topology proposals to minimizing the downtime of one ECU classic approach Downtime: Minutes (CAN), Secs (Ethernet) State of the art today No cost adder A/B swap Downtime: Seconds Products available today Medium to small cost adder update from local storage Downtime: None Products under evaluation, not available today High cost adder 15

Summary Software Over The Air impacts the overall car architecture Security is essential; on product and process level - Certified products such as TPM are best practice for securing critical external interfaces HSM is mandatory for Secure Flash Bootloader implementation Revolution of network topology is unlikely - Smooth SOTA migration path required - Key will be the customer acceptance of potential downtime - Solutions are available today without significant cost impact Infineon can support SOTA with AURIX TM and OPTIGA TM TPM 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback