Secure Software Update for ITS Communication Devices in ITU-T Standardization

Similar documents
ITU activities on secure vehicle software updates

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Security issues related to the future Networked Car

Secure software update capability for intelligent transportation system communication devices

IRF and UNECE ITS Event

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

Securing the Connected Car. Eystein Stenberg CTO Mender.io

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

13W-AutoSPIN Automotive Cybersecurity

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

VEHICLE FORENSICS. Infotainment & Telematics Systems. Berla Corporation Copyright 2015 by Berla. All Rights Reserved.

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

Automotive Gateway: A Key Component to Securing the Connected Car

Car Hacking for Ethical Hackers

Examining future priorities for cyber security management

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

Automotive Cyber Security

Connected Car Solutions Based on IoT

Countermeasures against Cyber-attacks

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

ARM processors driving automotive innovation

Security Concerns in Automotive Systems. James Martin

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

Security Challenges with ITS : A law enforcement view

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Innovation policy for Industry 4.0

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM

Securing the Internet of Things. By Robert Semple and Jack Case

Introduction of ITU-T Study Group 17 Security for ITS perspective

FREQUENTLY ASKED QUESTIONS

Fast and Vulnerable A Story of Telematic Failures

Express Monitoring 2019

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

[NEC Group Internal Use Only] IoT Security. - Challenges & Standardization status. Sivabalan Arumugam.

Secure Product Design Lifecycle for Connected Vehicles

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

3-4 DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks

Securing the future of mobility

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

OTA-On-Demand (OOD) Services with AGL

Cryptography and Network Security

AGL Reference Hardware Specification Document

Contents. Precaution... Home Screen... Radio... Play DVD... USB/SD... AUX Input... Bluetooth... Screen Mirroring... Navigation...

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

ASERCOM cyber-security guideline for connected HVAC/R equipment

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION. Görkem Batmaz, Systems Engineer Ildikó Pete, Systems Engineer 28 th March, 2018

SECURING THE CONNECTED ENTERPRISE.

IC32E - Pre-Instructional Survey

White Paper. Connected Car Brings Intelligence to Transportation

PCI Compliance Updates

Emergency Telecommunications as the ASP Regional Initiative

Connect Vehicles: A Security Throwback

Internet infrastructure

CompTIA A+ Accelerated course for & exams

Securing IoT with the ARM mbed ecosystem

SGS CYBER SECURITY GROWTH OPPORTUNITIES

IoT and Smart Infrastructure efforts in ENISA

Coastal Electronic Technologies, Inc. Chrysler/Dodge/Jeep FREEDOM IN MOTION MYGIG LOCKPICK Installation and Operation Instructions

Automotive Security Standardization activities and attacking trend

Economic and Social Council

Orange Smart Cities. Smart Metering and Smart Grid : how can a telecom operator contribute? November

Network Connectivity and Mobility

The case for a Vehicle Gateway.

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

CANSPY A Platform for Auditing CAN Devices

NOTICE OF INTENDED INSTALLATION AND USE

Technology in Action

Overview of nicter - R&D project against Cyber Attacks in Japan -

HPE Intelligent Management Center

IPv6 migration challenges and Security

National Institute of Standards and Technology

NOTICE OF INTENDED INSTALLATION AND USE

Consolidated Financial Results for Fiscal 2016 (As of March 2017)

Automotive Attack Surfaces. UCSD and University of Washington

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Cyber security of automated vehicles

Hardening Attack Vectors to cars by Fuzzing

Contents. Precaution... Main Menu... Radio... Play DVD... USB/SD AUX Input Bluetooth Screen Mirroring Navigation...

Contents. Precaution... Main Menu... Radio... Play DVD... USB/SD AUX Input Bluetooth Screen Mirroring Navigation...

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Securing the Autonomous Automobile

2. Do not watch the screen for a long time while driving, which will affect driving safety, so as not to cause traffic accidents.

- Compatible with 8 and 10.2 monitor.

Honda Toyota Accord Venza Quick Start Guide

Contents. Precaution. Before installing this product. Precaution... Main Menu... Radio... Play DVD... USB/SD Important safety information

Turbocharging Connectivity Beyond Cellular

Contents. Google Play Store Settings Troubleshooting... 25

Contents. Precaution... Home Screen... Radio... Play DVD... USB/SD... AUX Input... Bluetooth... Screen Mirroring... Navigation...

Linux in the connected car platform

Tracking driver actions and guiding phone usage for safer driving. Hongyu Li Jan 25, 2018

HACKING EXPOSED WIRELESS: WIRELESS SECURITY SECRETS & SOLUTIONS SECOND EDITION JOHNNY CACHE JOSHUA WRIGHT VINCENT LIU. Mc Graw mim

AUDIO AND CONNECTIVITY

Contents. Precaution. Before installing this product. Precaution... Main Menu... Radio... Play DVD... USB/SD Important safety information

Transcription:

Secure Software Update for ITS Communication Devices in ITU-T Standardization Masashi, Eto Senior Researcher, Cybersecurity Laboratory, Network Security Research Institute, NICT, Japan 1

Background Outline Threats against networked embedded devices Necessity of remote update (maintenance) of vehicle General remote update procedure and threat analysis An approach of international standardization in ITU-T Introduction of Secure software update capability for ITS communications devices Conclusion 2

Background 3

NICTER 4

Stats of Darknet Traffic Year Number of packets par year Number of IP address For darknet Number of packets par 1 IP address per year 2005 0.31 billion 16 thousands 19,066 2006 0.81 billion 100 thousands 17,231 2007 1.99 billion 100 thousands 19,118 2008 2.29 billion 120 thousands 22,710 2009 3.57 billion 120 thousands 36,190 2010 5.65 billion 120 thousands 50,128 2011 4.54 billion 120 thousands 40,654 2012 7.79 billion 190 thousands 53,085 2013 12.9 billion 210 thousands 63,655 2014 25.7 billion 240 thousands 115,323 140,000 120,000 100,000 80,000 60,000 40,000 20,000 0 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 Number of packets par 1 IP address per year 5

IoT 6

23/tcp Scan from Embedded Device 23/tcp Oct. 2013 Dec 2014 Infected Devices Home Router Web Camera NAS: Network Attached Storage etc. etc... 7

IoT Devices Attacked JP Investigated by Yoshioka Lab in YNU Wireless Router Food Processing Machine Wifi Audio Receiver Confirming now Black Box Media Player Wireless Router Radio Bridge Equipment IP- Camera Dish antenna for Metrological Satellite OfficeServ System Heat Pump Solid State Recorder Most of these devices are running on embedded OS with opened port for management (23, 80, 8080/tcp). Web Content Load Balancer Thermal Detector 8

Networked vehicle is not the exception! Networked vehicle also might have vulnerable opened port to be exploited by remote attackers. 9

Remote exploitation against Jeep Cherokee (cont.) Research activity by two hackers Presented at Black Hat USA 2015 (5-6, Aug) Remote Exploitation of an Unaltered Passenger Vehicle Charlie Miller, Security Engineer, Twitter Chris Valasek, Director of Security Intelligent at IOACTIVE, INC. Demonstration of attacks against FIAT Chrysler s Jeep Cherokee Remote exploit attack against port 6667/tcp of an Internet-connected device (UConnect) Remotely controlled the vehicle on the highway Abuse a steering wheel Abuse brake and accelerator On/Off of the engine 10

What security controls should be considered! There are many security controls which should be considered for future car environment Vulnerabilities management Key management Firewall/IPS controls Authentication deployment Cryptography implementation Security risk management Threats management Secure software updates 11

Necessity of remote update (maintenance) of vehicle Improvement of vehicle Software modules inside ECUs must be frequently updated e.g.) bug fix, performance and security improvement Cost Reduction Failure of the software accounts for about 30% of the current recall of the cars. Automotive industries and users expect benefit from the remote update service in secure manner 12

General remote update procedure and threat analysis for networked vehicle 13

Model data flow of remote software update Request of diagnose of software status Result of diagnose with software status Report of results of ECUs in a vehicle Receipt for submit of diagnose report Conducted threat analysis for each step in the procedure Request of update module Update module is provided Notification to User (driver) for Updates Confirmation for the update Request for updates to ECUs Results for updates in ECUs Report of application of the update Conformation from the Update server 14

Threat analysis: example case Impersonation of ECU! Improper software information is uploaded to VMG! DoS attack against VMG by sending forged data (e.g., enormously huge data) Impersonation of VMG! Software information on every ECU in the vehicle is improperly collected Tampering / eavesdropping / replay of a message! Improper software information is uploaded to VMG! Software information on every ECU in the vehicle is improperly collected! DoS attack against VMG by sending forged data (e.g., enormously huge data) 15

An approach of international standardization in ITU-T Introduction of Secure software update capability for ITS communications devices 16

Development of an ITU-T Recommendation ITU-T: International Telecommunication Union, Telecom sector SG17: Responsible for security standards Title of Recommendation Secure software update capability for ITS communications devices (X.itssec-1) Purpose to provide common methods to update the software by a secure procedure including security controls and protocol definition The adoption of the Recommendation is not mandatory for automotive industries, but the Recommendation would be a guideline of the baseline security for networked vehicle. Editors Masashi Eto (NICT) Koji Nakao (KDDI/NICT) 17

Security controls for the software update Message verification Threats: tampering, eavesdropping and replaying of messages Measure: message verification mechanism based on Message Authentication Code (MAC) or digital signature method Trusted boot of ECUs Threats: tampering of software in ECU Measure : hardware Security Module (HSM) to verify software modules in ECUs boot sequences Authentication of communication entity Threats: impersonation of the entities Measure : authentication of both client and server of each communication based authentication protocol such as SSL/TLS Message filtering Threats: DoS attack against VMG or update server Measure : message filtering based on white listing of senders and frequency limitation of received messages, etc. Fault tolerance Threats: DoS attack against VMG Measure : measures such as auto-reboot for recovery of normal state, safe suspension of operation should be taken if something irregular is detected on the operation of VMG. 18

Protocol definition (Phases) diagnose phase 2. diagnose (request) 3. diagnose (report) 4. diagnose (submit) 5. diagnose (receipt) update check phase 7. update_check (request) 8. update_check (response) update phase update report phase 10. update (notification) 11. update (confirmation) 12. update (application) 13. update (report) 14. update_report (submit) 15. update_report (receipt) 19

Example of a message: diagnose (submit) Structure of diagnose (submit) message Practical expression of a diagnose (submit) message (example: XML) 20

Collaboration with industry This activity is highly required to collaborate with automotive industries and other standardization organizations (SDOs). ITU-T kindly ask automotive industry in the world to provide us their suggestions so that it can make the Recommendation practically useful for automotive industry. SG17 security SG16 multimedia International SDOs CITS Collaboration on ITS Internal coordination Car manufactures and suppliers * The copyrights of trademarks in this slide are reserved by each organization. 21

Current status Current status and the future plan Draft Recommendation of X.itssec-1 achieved a certain level of quality through discussions with some car manufactures and suppliers at the ITU-T SG17 meeting in Sep. 2015. Requesting for comments The draft Recommendation is under review within this year by ITU-T CITS (Collaboration on ITS Communication Standards) where relevant parties are involved. Future steps Jan, 2016: ITU-T SG17 Interim meeting (Q.6) at Seoul make disposition of comments from automotive industries, etc. Mar, 2016: ITU-T SG17 meeting at Geneva To be determined as a Recommendation 22

Conclusion Threat analysis in a general software update procedure Impersonation of entities, tampering of software in ECU, etc., Introduction of ITU-T draft Recommendation X.itssec-1 Secure software update capability for ITS communications devices Threat and risk analysis Security controls against threats of vehicles Protocol definition and data format of a practical procedure The standardization activity on this topic should be accelerated in corporation with automotive industries. This should be also supported by establishment of related regulation for each country and/or region. 23

Thank you for your attention! 24

Extra slides 25

Computerization of vehicle 50% 100 Proportion of electronic components of car production costs Number of ECUs (Electronic Control Unit) in luxury models 100 million Number of program lines of car software Number of networks in a car (average) 5 2 miles Length of cable in a car Software Development Volume Software Development Cost Multimedia Audio Vehicle body Air bag Assist Chassis HV Powertrain 26

Connected Vehicles Internet connection (LTE, 3G, Wi-Fi, Bluetooth ) via customer s smartphone, SIM embedded in the vehicle, etc. Autonomous car Control engines and brakes based on the information from roadside infrastructure as well as car-mounted sensors, cameras, and radars 27

Threats against networked vehicle More Attacks Surfaces! Adds a Potential Target!! Each New Connection or Device http://gigaom.com/2013/08/06/ciscos-remedy-for-connected-car-security-treat-the-car-like-an-enterprise/ 28

General model of networked vehicle Aftermarket Information Device Supplier Communication Path Car Manufacturer / Garage center....... Update Server / log database Communication Path Vehicle Mobile Gateway (Head Unit) On-board Information Device Power Management Control ECU Seat Belt Control ECU Driving Support ECU Parking Assist ECU Skid Control ECU etc., 29

Threat analysis: example case 1 Impersonation of VMG! DoS attack against ECUs by sending frequent requests Tampering / eavesdropping / replay of a message! An illegitimate request message is sent to ECUs by an attacker in order to illegally acquire software information! DoS attack against ECUs by sending frequent requests 30

The model of the TOE (Target of Evaluation) Update Server On-board Information Device OBD connector Update Target ECU1 CAN0 3G/LTE GPS/GLONASS Wi-Fi GPS Wi-Fi VMG CAN1 Update Target ECU2 USB User Interface CAN2 Update Target ECU3 Bluetooth CD/DVD USB SD 31

Threats for TOE with risk score more than a certain high value # Label Who When(phase) Why Where/What 1 2 T.DoS-Functions- From-OBD-Device T.Mulfunction- Functions-From- OBD-Device third party maintenance factory staff third party maintenance factory staff normal operation maintenance normal operation use / maintenance maintenance intentionally intentionally For asset functions of VMG, it impersonates an OBD connector connection device, sends a huge amount of data, interferes this function. For asset functions of VMG, impersonates an OBD connector connection device, sends unauthorized data, causes a malfunction of this functionality Risk score 6.6 6.6 3 4 T.MissDoS- Functions-From- OBD-Device T.DoS-Functions- From-ECU vehicle dealer staff maintenance factory staff third party maintenance factory staff maintenance normal operation/ use / maintenance maintenance accidentally intentionally For asset functions of VMG, sends a huge amount of data or unauthorized data from OBD connector connection device by mistake, and causes a malfunction of this functionality For asset functions of VMG, it uses reverse engineering of the same product as the ECU firmware connected to CAN0-2, update ECU firmware connected to CAN0-2 to an unauthorized firmware, in this way, sends a huge amount of data from ECU connected to CAN1-5, interferes this functionality 6.6 5.6 5 T.Mulfunction- Functions-From-ECU third party maintenance factory staff normal operation/ use / maintenance maintenance intentionally For asset functions of VMG, it uses reverse engineering of the same product as the ECU firmware connected to CAN1-5, update ECU firmware connected to CAN1-5 to an unauthorized firmware, in this way, sends unauthorized data from ECU connected to CAN1-5, causes a malfunction of this functionality 5.6 6 T.DoS-Functions- From-Mobile-Device third party normal operation/ use / maintenance intentionally For asset functions of VMG, it impersonates a server, sends a huge amount of data from mobile connection device, interferes this functionality 9.4 32

1 st Reason of Increase in Darknet Traffic Unique number of hosts / day www.nicter.jp Total number of Packets / day 33

Type of Messages Type Subtype From To Purpose request VMG ECU Request of diagnose of software status diagnose update _check update report ECU VMG Result of diagnose including software status submit VMG Usvr Report of results of ECUs in a vehicle receipt Usvr VMG Receipt for submit of diagnose report request VMG Usvr Request of update module response Usvr VMG Update module is provided notification VMG U/I confirmation U/I VMG Notification message to introduce update for the driver Confirmation message from the driver to apply update application VMG ECU Request message including update module result ECU VMG Result of application of the update module update _report submit VMG Usvr Report of application of the update receipt Usvr VMG Receipt of the report * Usvr: Update server * U/I: User Interface 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback