Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

Similar documents
Uptane. Securing Over-the-Air Updates Against Nation State Actors. Justin Cappos New York University

Uptane. Securing Over-the-Air Updates Against Nation State Actors. Justin Cappos New York University

Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

to Address Cyber Physical Systems Security (CPSSEC)

Automotive Cyber Security

Security Concerns in Automotive Systems. James Martin

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

Secure Software Update for ITS Communication Devices in ITU-T Standardization

Security & Phishing

13W-AutoSPIN Automotive Cybersecurity

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

Heavy Vehicle Cyber Security Bulletin

Securing the Connected Car. Eystein Stenberg CTO Mender.io

Connect Vehicles: A Security Throwback

ITU activities on secure vehicle software updates

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Securing the future of mobility

Experimental Security Analysis of a Modern Automobile

Risk-based design for automotive networks. Eric Evenchik, Linklayer labs & Motivum.io Stefano Zanero, Politecnico di Milano & Motivum.

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

ANATOMY OF AN ATTACK!

Cybersecurity: Operating in a Threat Laden World. Christopher Buse, Assistant Commissioner & CISO

IoT and Smart Infrastructure efforts in ENISA

SW-Update. Thomas Fleischmann June 5 th 2015

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Internet of Things real life cases Alex Ahlberg

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

ESOA > The Connected Automobile. Connected Automobiles Market Overview Paul Gudonis, Global Network & Services

Cybersecurity The Evolving Landscape

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Using Delegations to Protect Community Repositories. Trishank Karthik Kuppusamy, Santiago Torres- Arias, Vladimir Diaz, Justin Cappos

ECE 1161/2161 Embedded Computer System Design 2. Introduction. Wei Gao. Spring

Securing Vehicle ECUs Update Over the Air

Automotive Gateway: A Key Component to Securing the Connected Car

Security Analysis of modern Automobile

An Experimental Analysis of the SAE J1939 Standard

M2MD Communications Gateway: fast, secure, efficient

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Development of Intrusion Detection System for vehicle CAN bus cyber security

DIGITAL ACCOUNTANCY FORUM CYBER SESSION. Sheila Pancholi Partner, Technology Risk Assurance

The Internet of Things. Steven M. Bellovin November 24,

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Compute solutions for mass deployment of autonomy

Cyber security - why and how

Cybersecurity and Communications Based Train Control

M2MD Communications Gateway: fast, secure and efficient

SECURING THE CONNECTED ENTERPRISE.

CS 356 Operating System Security. Fall 2013

Ransomware A case study of the impact, recovery and remediation events

June 2 nd, 2016 Security Awareness

Automotive Cybersecurity: A steep learning curve

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Third public workshop of the Amsterdam Group and CODECS C-ITS Deployment in Europe: Common Security and Certificate Policy

The Value of Automated Penetration Testing White Paper

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Countermeasures against Cyber-attacks

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Automotive Anomaly Monitors and Threat Analysis in the Cloud

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

Cyber Fraud What can you do about it?

Security and Authentication

Examining future priorities for cyber security management

Cybersecurity and Nonprofit

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

A Peer-to-Peer Approach to Digital Key Sharing for Vehicle Access & Control. Tony Rosati Director of IOT Security, ESCRYPT

Computer Security and the Internet of Things

Some example UW security lab projects, related to emerging technologies. Tadayoshi Kohno CSE 484, University of Washington

GridEx IV Panel Discussion

Chain 365 Cyber Threat Intelligence Enterprise & Cyber Security. August 2017

Cyber Risk and Networked Medical Devices

Phishing in the Age of SaaS

University of Tartu. Research Seminar in Cryptography. Car Security. Supervisor: Dominique Unruh. Author: Tiina Turban

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Cybersecurity Engineering and Assurance for Connected and Automated Vehicles

Panda Security 2010 Page 1

INTRODUCTION. Figure 1 Mobile subscriptions by technologies (in billions) Source:

TRENDS IN SECURE MULTICORE EMBEDDED SYSTEMS

Sizing and Scoping ecrime

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Recommendations on residual issues relevant to ecall

10 FOCUS AREAS FOR BREACH PREVENTION

Advanced Threat Intelligence to Detect Advanced Malware Jim Deerman

Verizon Software Defined Perimeter (SDP).

OPSEC and defense agains social engineering for devels, execs, and sart-ups

Introduction to Cyber Security Issues for Transportation

Security Challenges with ITS : A law enforcement view

ISACA West Florida Chapter - Cybersecurity Event

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

Vehicle & Transportation Infrastructure Cyber Security Discussions. IQMRI

Transcription:

Uptane: Securely Updating Automobiles Sam Weber NYU samweber@nyu.edu 14 June 2017

Credits Funded by DHS S&T CSD Work done by New York University University of Michigan Transportation Research Institute (UMTRI) Southwest Research Institute (SWRI)

Overview Motivation High-level Uptane Design Development Process Uptane Details Summary

The modern automobile Airbag Control Unit Engine Control Unit Radio HVAC Brake ABS Line TCU Transmission Exhaust Keyless Entry Anti-Theft Internet/ PSTN Body Controller Locks/Lights/Etc Telematics _ 4

Cars are computerized A car is basically a bunch of computers on wheels Complex computerized control Millions of lines of code 50-100 distinct computers (ECUs) Shared internal networking (e.g., CAN, FlexRay) Increasing external communications features Telematics, Bluetooth, TPMS, RDS, XM radio, GPS, keyless start/entry, USB ports, WiFi, etc Updates both with a mechanic and over-the-air Tomorrow s car -> much more of everything V2V/ACAS, V2I, traffic control, autonomous driving

Security Issues In 2010 Savage & Kohno s team demonstrated remote attacks on commercial automobiles Could cause brakes to fail while car was on highway Could eavesdrop on conversations in car without occupants being aware

Takeaways Cars are very complex cyber-physical systems Serious security issues Traditional approaches: recall, or patch flaws ASAP

What do these companies have in common?

What do these companies have in common? Victims of a software update hack!

Repository compromise impact SourceForge mirror distributed malware. Attackers impersonate Microsoft Windows Update to spread Flame malware. RubyGems compromised with RCE. Opera users automatically installed malware signed by compromised key. Node Packaged Modules compromised. Attacks on software updaters have massive impact E.g. South Korea faced 765 million dollars in damages.

Why are so many SUs vulnerable? Lack of separation of trust All eggs in one basket Assume repository / key will never be compromised

Software Updater The purpose is to fix a flaw An insecure updater means you have two flaws

High-level Design

Principles Separation of Duties Each entity does only one thing Limits effect of attack Ability to recover from adverse event Ex: revoke compromised keys Address known threats

Threat Examples Forging update messages to car Attacked update service: distributes malware-infected ECU images distributes valid but incompatible ECU images downgrades ECUs to versions with known vulnerabilities

Main Entities Server-Side: Director Repository Informs car of what updates needed Image repository Holds valid ECU images Car: Primary ECU(s) Responsible for communication outside car, internal distribution of updates Secondary ECUs update themselves, possibly relay on internal network

Development Process

Process Engaging with automotive community 40+ participants (OEMs, tier 1s, gov) Openly available: Detailed draft specification, deployment recommendations Reference implementation Current activities: Open security review Discussions with T1s on Uptane integration Potential use by Commercial Truck industry

Detailed Design

Entities and Communication Image Repository Time Server Director Repository Suppliers Primary ECU OEM ECU 2 ECU 3 ECU 4 ECU 5

A.* Uptane: Design Principles signs metadata for signs root keys for metadata images root delegates images to signs for images A1 A.img timestamp snapshot targets B.*, C.* ε BC C.img

A.* Separation of Duties signs metadata for signs root keys for metadata images root delegates images to signs for images A1 A.img timestamp snapshot targets B.*, C.* ε BC C.img

A.* Threshold signatures signs metadata for signs root keys for metadata images root delegates images to signs for images A1 A.img timestamp snapshot targets B.*, C.* ε BC C.img

A.* Explicit and Implicit Key Revocation signs metadata for signs root keys for metadata images root delegates images to signs for images A1 A.img timestamp snapshot targets B.*, C.* ε BC C.img

A.* Minimizing Risk signs metadata for signs root keys for metadata images root delegates images to signs for images A1 A.img timestamp snapshot targets B.*, C.* ε BC C.img

Summary Automotive updates involve many non-obvious issues Uptane working with automobile and security communities open design process Draft specification and other documents available See https://uptane.github.io

Contacts Website: https://uptane.github.io (Public mailing list, and documents available there)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback