Connect Vehicles: A Security Throwback

Similar documents
Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

The case for a Vehicle Gateway.

Examining future priorities for cyber security management

VEHICLE FORENSICS. Infotainment & Telematics Systems. Berla Corporation Copyright 2015 by Berla. All Rights Reserved.

Securing the Connected Car. Eystein Stenberg CTO Mender.io

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

Electrification of Mobility

Automotive Cyber Security

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Security and Performance Benefits of Virtualization

Securing the Autonomous Automobile

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

Securing the SMB Cloud Generation

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

The Future of Mobility

How To Build or Buy An Integrated Security Stack

An Experimental Analysis of the SAE J1939 Standard

Security Challenges with ITS : A law enforcement view

Cloudy with a chance of hack. OWASP November, The OWASP Foundation Lars Ewe CTO / VP of Eng. Cenzic

Car Hacking for Ethical Hackers

13W-AutoSPIN Automotive Cybersecurity

Secure Software Update for ITS Communication Devices in ITU-T Standardization

Gaining Security Insight Through DNS Analytics

13-Oct-2012 Security related parts and Vehicle Interfaces

The Fully Networked Car. Trends in Car Communication. Geneva March 2, 2005

Autorama, Connecting Your Car to

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

W3C CASE STUDY. Teamwork on Open Standards Development Speeds Industry Adoption

Roger C. Lanctot Director, Automotive Connected Mobility

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Christoph Schmittner, Zhendong Ma, Paul Smith

Agenda. About TRL. What is the issue? Security Analysis. Consequences of a Cyber attack. Concluding remarks. Page 2

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

Market Trends and Challenges in Vehicle Security

How to Introduce Virtualization in AGL? Objectives, Plans and Targets for AGL EG-VIRT

ARM Moves Further Into Automotive with NXP's Launch of S32K Series to the General Market

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

Secure Product Design Lifecycle for Connected Vehicles

Security Concerns in Automotive Systems. James Martin

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Securing the future of mobility

Implementing security has never been easier. Infineon Security Partner Network.

TomTom Innovation. Hans Aerts VP Software Development Business Unit Automotive November 2015

IT Vulnerabilities: What an IT Auditor Should be Thinking About

Connected vehicle cloud Commercial presentation

Turbocharging Connectivity Beyond Cellular

Use Cases for Light Communications

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Lookout's cybersecurity predictions

Hardening Attack Vectors to cars by Fuzzing

Bluetooth in Automotive Market Research Report - Global Forecast to 2023

Personal Cybersecurity

Stepping Stone to Car Hacking

Introduction to ICS Security

Retail Security in a World of Digital Touchpoint Complexity

Automobile Design and Implementation of CAN bus Protocol- A Review S. N. Chikhale Abstract- Controller area network (CAN) most researched

SW-Update. Thomas Fleischmann June 5 th 2015

Cyber Attacks & Breaches It s not if, it s When

OPSEC and defense agains social engineering for devels, execs, and sart-ups

Internet of Everything Qualcomm Brings M2M to the World

Security and Privacy challenges in Automobile Systems

AppSec in a DevOps World

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Linux in the connected car platform

Extreme automation of today s technological marvel - connected cars

AUTOMOTIVE FOUNDATIONAL SOFTWARE SOLUTIONS FOR THE MODERN VEHICLE

Automotive Cybersecurity: A steep learning curve

SECURING THE CONNECTED ENTERPRISE.

Connected vehicle cloud

SGS CYBER SECURITY GROWTH OPPORTUNITIES

Automotive Cybersecurity: Meeting the High-Stakes Challenge

Silicon Labs Corporate Overview

Healthcare HIPAA and Cybersecurity Update

CAV: Industry Perspectives and Impacts. Martha Morecock Eddy

Cisco Connected Factory Accelerator Bundles

Must Have Items for Your Cybersecurity or IT Budget in 2018

Network Virtualization Business Case

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

WHITE PAPER. Vericlave The Kemuri Water Company Hack

Smart Megalopolises. How Safe and Reliable Is Your Data?

21ST CENTURY CYBER SECURITY FOR MEDIA AND BROADCASTING

Unleashed & Cloud Wi-Fi Updates

Cybersecurity and Nonprofit

Addressing Cybersecurity in Infusion Devices

ARM processors driving automotive innovation

Fraud Risks Facing Credit Unions. ALLIED SOLUTIONS LLC SERVICE CENTER 210 East Main Street, Suite 200, Niles, MI Fax:

Countermeasures against Cyber-attacks

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

I N V E S T O R S P R E S E N T A T I O N

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Connected Cars & Security Challenges. Stéphane Desneux CTO at IoT.bzh

Sage Data Security Services Directory

Transcription:

Connect Vehicles: A Security Throwback Chris Valasek (@nudehaberdasher) Director of Vehicle Security Research

Introduction

Hello Chris Valasek Director of Vehicle Security Research IPS Dev -> Windows RE -> Car Hacking chris.valasek@ioactive.com @nudehaberdasher Fun fact: Severely allergic to cats

Agenda Why Cars? Technical Overview Automotive Attacks Manufacturer Concerns State of the Union Thoughts Q & A

Why Cars?

Software everywhere https://fanart.tv/fanart/movies/2609/moviebackground/planes-trains-and-automobiles-5109fd545b25f.jpg

Millions of cars & drivers https://www.fhwa.dot.gov/policyinformation/pubs/hf/pl11028/chapter4.cfm

Technology Driven Buying http://www.mlive.com/auto/index.ssf/2013/08/analysts_consumer_confidence_h.html

Software + Hardware + Physical == Fun

Cars seem to be special

Not Junk

Technical Overview

Electronic Control Units (ECU) Some only take input from sensors Many take input from sensors and the vehicle network Sophisticated ECUs may take physical action based upon network traffic (i.e. adaptive cruise control) A select few do both AND take input from the outside work Telematics, Infotainment, TPMS, RKE

Some are simple

Some are complex

Some control physical actions

How do they communicate? http://tamarathorpe.com/wp-content/uploads/2012/11/womanbullhorn.jpg

Automotive Attacks

3 Keys Network Architecture Cyber Physical Remote Attack Surface

Cyber Physical

Network Architecture

Remote Attack Surface Telematics (CDMA/3G/4G/LTE) Wi-Fi Bluetooth TPMS In-car apps V2V & V2I

Manufacturer Concerns

#1 Concern http://www.directline.com/content/dam/dlg/direct-line/products/car-insurance/product-pages/images/dl-driveplus-home-icon-plug-in-200x200.png

Many others PII GPS, BT_ADDR, TPMS Proprietary Information Security keys, algorithms, general processes DRM Maintenance software & hardware Nissan example ECU Functionality Prius Steering

State of the Union

Disclaimer I obviously don t have total insight into the automotive industry, only my interactions w/ vendors and working groups Very long development cycles make many of these issues difficult to address in a short timeframe Cars for 2018 are basically done now

Misconceptions

Secret Security Our focus, and that of the entire auto industry, is to prevent hacking into a vehicle's by-wire control system from a remote/wireless device outside of the vehicle. Toyota has developed very strict and effective firewall technology against such remote and wireless services. We continue to try to hack our systems and have a considerable investment in state of the art electro-magnetic R&D facilities. We believe our systems are robust and secure. - John Hanson Toyota Motor Sales U.S.A

Protect from the outside (only)

We re not good at this game https://www.youtube.com/watch?v=luwkxstetny

Trust of Remote ECUs * There is development of new technologies for process isolation / restriction

Complete Trust of CAN

No attack detection

Patching! http://www.wsws.org/asset/f31eb70f-4657-4cdb-9134-51834510c96p/recall_notice.jpeg?rendition=image480

You remind me of

Edge protection only http://www.edimax.us/html/faq/xpsp2firewall/sp2firewall.jpg

Lack of http://www.adopenstatic.com/images/resources/blog/mic1.jpg

Security through Obscurity

Ineffective Patching http://en.wikipedia.org/wiki/windows_update#microsoft_update * Wish I had stats on how many patched after it was completely automatic

No SDL http://www.securityninja.co.uk/wp-content/uploads/2009/09/security_ninja_chart1.gif

Time is flat circle http://media3.giphy.com/media/4dy1btpt0quza/200_s.gif

Thoughts

Complications Automotive development cycles are costly & long Cars for 2018 are pretty much set today Problems fixed today will still exist for a long time Avg U.S. car is 11.4 years old http://money.cnn.com/2013/08/06/autos/age-of-cars/ Certain processes are required to be present & easy ODB-ii ensures CAN diagnostics will be around for the foreseeable future

Thoughts Security seems to be an afterthought Transparency issue? This is changing: http://fortune.com/2014/09/24/general-motors-appoints-itsfirst-cybersecurity-officer/ Hard to justify security when there is no immediate threat MSFT 2006 v. MSFT 2014 Server v. Client side V2V will bring additional complications Patching is a HUGE problem right now OTA updates will help address the issue People are concerned because a breach could mean physical harm, as opposed to personal financial loss I m Chris and I m here to help!

Q&A

Thanks! Chris Valasek Director of Vehicle Security Research IOActive chris.valasek@ioactive.com cvalasek@gmail.com @nudehaberdasher

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback