Securing the Connected Car. Eystein Stenberg CTO Mender.io

Similar documents
Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Handling Top Security Threats for Connected Embedded Devices. OpenIoT Summit, San Diego, 2016

Software Updates for Connected Devices

Birds of a Feather Session - OSS Vancouver Eystein Stenberg, Mender.io

18-642: Security Mitigation & Validation

Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

An Experimental Analysis of the SAE J1939 Standard

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

Preventing Cyber Attacks on Aftermarket Connectivity Solutions Zach Blumenstein, BD Director Argus Cyber Security

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

Automotive Cybersecurity: Why is it so Difficult? Steven W. Dellenback, Ph.D. Vice President R&D Intelligent Systems Division

The modern car has 100 million lines of code and over half of new vehicles will be connected by 2020.

Open Source in Automotive Infotainment

Modern Automotive Vulnerabilities: Causes, Disclosure & Outcomes Stefan Savage UC San Diego

Fast and Vulnerable A Story of Telematic Failures

Secure Software Update for ITS Communication Devices in ITU-T Standardization

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20 th October 2016 Mark Pitchford, Technical Manager, EMEA

Linux in the connected car platform

Connect Vehicles: A Security Throwback

BOSCH CASE STUDY. How Bosch Has Benefited from GENIVI Adoption

Security Concerns in Automotive Systems. James Martin

Convergence of Safety, Systems & Cybersecurity Bill StClair, Director, LDRA, US Operations

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

13W-AutoSPIN Automotive Cybersecurity

The Internet of Things. Steven M. Bellovin November 24,

NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

Heavy Vehicle Cyber Security Bulletin

Trusted Platform Modules Automotive applications and differentiation from HSM

A NEW CONCEPT IN OTA UPDATING FOR AUTOMOTIVE

Connected Car Solutions Based on IoT

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Countermeasures against Cyber-attacks

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

VEHICLE FORENSICS. Infotainment & Telematics Systems. Berla Corporation Copyright 2015 by Berla. All Rights Reserved.

Automotive Cyber Security

SECURITY TESTING. Towards a safer web world

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Uptane: Securely Updating Automobiles. Sam Weber NYU 14 June 2017

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Christoph Schmittner, Zhendong Ma, Paul Smith

Security and Performance Benefits of Virtualization

Ch 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated

10 FOCUS AREAS FOR BREACH PREVENTION

SMART DELTA: SECURE OVER-THE-AIR (OTA) TECHNOLOGY FOR REMOTE MANAGEMENT OF IOT SOLUTIONS

Hardening Attack Vectors to cars by Fuzzing

Sierra Wireless. Corporate Overview. May 2017

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

A Secure Update Architecture for High Assurance Mixed-Criticality System Don Kuzhiyelil Dr. Sergey Tverdyshev SYSGO AG

The Future of Network Infrastructure & Management

How to protect Automotive systems with ARM Security Architecture

Protect Your End-of-Life Windows Server 2003 Operating System

SECURING THE CONNECTED ENTERPRISE.

Experimental Security Analysis of a Modern Automobile

Security: The Key to Affordable Unmanned Aircraft Systems

Car hacks 2018 (BMW, Audi) for the "not so hands-on"

Service Provider View of Cyber Security. July 2017

Protect Your End-of-Life Windows Server 2003 Operating System

Building Trust in the Internet of Things

Secure coding practices

The ultimate guide to software updates on embedded Linux devices

IT & DATA SECURITY BREACH PREVENTION

Risk-based design for automotive networks. Eric Evenchik, Linklayer labs & Motivum.io Stefano Zanero, Politecnico di Milano & Motivum.

Securing Cloud Applications with a Distributed Web Application Firewall Riverbed Technology

Lookout's cybersecurity predictions

OTA and Remote Diagnostics

The case for a Vehicle Gateway.

Improving Security in Embedded Systems Felix Baum, Product Line Manager

ivilink Automotive Connectivity Framework Overview

Smart Grid Embedded Cyber Security: Ensuring Security While Promoting Interoperability

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION. Görkem Batmaz, Systems Engineer Ildikó Pete, Systems Engineer 28 th March, 2018

How to Introduce Virtualization in AGL? Objectives, Plans and Targets for AGL EG-VIRT

CSWAE Certified Secure Web Application Engineer

Securing the future of mobility

Automating the Top 20 CIS Critical Security Controls

Connected Cars as the next great consumer electronics device

How To Make Threat Modeling Work For You

90% of data breaches are caused by software vulnerabilities.

June 2 nd, 2016 Security Awareness

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

INSPIRING IOT INNOVATION: MARKET EVOLUTION TO REMOVE BARRIERS. Mark Chen Taiwan Country Manager, Senior Director, Sales of Broadcom

Securing Vehicle ECUs Update Over the Air

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Examining future priorities for cyber security management

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Fending Off Cyber Attacks Hardening ECUs by Fuzz Testing

Certified Secure Web Application Engineer

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Virtualizaton: One Size Does Not Fit All. Nedeljko Miljevic Product Manager, Automotive Solutions MontaVista Software

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Vehicle & Transportation Infrastructure Cyber Security Discussions. IQMRI

Automotive Gateway: A Key Component to Securing the Connected Car

Transcription:

Securing the Connected Car Eystein Stenberg CTO Mender.io

The software defined car Electronics Telematics Infotainment Connected Assisted driving Autonomous Hardware enabled Software enabled Software defined 1990 2000 2010 2020

About me Eystein Stenberg Mender.io 7 years in systems security management Over-the-air updater for Linux, Yocto Project M. Sc., Computer Science, Cryptography Open source (Apache License, v2) eystein@mender.io Dual A/B rootfs layout (client) Remote deployment management (server) Under active development

Session overview Opportunities with the software defined car Anatomy of an attack: security risks of the connected car The patching problem & solution designs

Software defined car: New revenue streams Automakers could add up to $27.1B annually from services such as car sharing and more - Navigant Research Tesla An OTA update system allows for easy additional software purchases after buyers drive their cars off the lot Semi-autonomous Autopilot feature allows current Model S owners to add the feature for $2,500 USD when they order the vehicle or they can pay $3,000 USD to upgrade later

Cost savings by using open source platforms IVI stack Cost Differentiation HMI Apps Middleware 10% 30% Lower layers are expensive and provides no differentiation Use open source here to OTA updater Operating system 60% Shorten time-to-market Lower cost Board support pkg. Reallocate development to differentiating features Hardware Focus on open source here

The software defined car requires OTA updates Increased software complexity requires more frequent improvements 33% of current recalls are for problems that could be fixed OTA - ABI Research OTA updates will save carmakers $35B in 2022 - IHS Automotive Fiat Chrysler hack (next up) required a recall of 1.4 million vehicles that could have been avoided with an OTA update

Jeep Cherokee hacked in July 2015 August 2016: Extended to unauthorized ECU update via CAN Presented at Black Hat USA 2015 Charlie Miller Chris Valasek Remote exploit giving full control of the car Clearly demonstrates physical safety risk No way to fix remotely 1.4 million cars recalled

Jeep Cherokee Head Unit with Wifi Wifi hotspot offered as a service Cherokee customers can buy wifi subscription as an add-on (~$40/month) Head unit, IVI Connect devices in the car to the car s wifi to get online (phones, tablets, ) Wifi is password protected

Wifi-based breach: Short-range Guessable password Wifi password based on system time after provisioning January 01 2013 00:00 GMT +- 1 minute Software vulnerability Multimedia system breached due to software vulnerability Scope: Control music player/radio/volume and track GPS coordinates when within wifi range

Cellular-based breach: Country-wide Breach Sprint Cellular network Scope: Control music player/radio/volume and track GPS coordinates countrywide Software vulnerability Can also select a specific Jeep based on its GPS-coordinates

The Controller Area Network (CAN) bus Diagnostics The CAN bus connects ~70 electronic control units (ECUs), including engine control, transmission, airbags, braking V850 chip Read-only V850 chip is designed to only read from the CAN bus, to isolate components

CAN bus Malicious firmware update V850 chip The head unit can update the firmware of the V850 Firmware update authenticity not checked properly Full control

Putting it together Cellular breach Vulnerability FW update Lessons Wifi hotspot password was predictable Remotely accessible service (in head unit) was vulnerable (and not updated) Firmware update (for V850) did not have proper authenticity checks The only way to fix the vulnerabilities is through a manual update (by customer or dealership)

More complexity leads to larger attack surface 1-25 bugs per 1000 lines of code* Assume that all software components have vulnerabilities Rely on well-maintained software and keep it updated Open source vs. proprietary is a red herring Do not build all the software in-house Principle of least privilege Separation of privilege Kerckhoff s principle *Source: Steve McConnell, Code Complete

Security patching is done too late 110 days: remediation time avg. 60 days: >90% probability it is exploited 5-10 days: <10% probability it is exploited Source: How the Rise in Non-Targeted Attacks Has Widened the Remediation Gap, Kenna Security

Why security patching happens too late The value is invisible until too late Too costly or risky Manual? Too expensive to integrate updater? Requires downtime of production? Risk of breaking production? Politics How often do you patch? Do you have a way to do it? A process? Often not a core competence and not a priority to develop updater

Patching connected devices is harder No/expensive physical access Need failure management Unreliable power What if power disappears in the middle of patching? Unreliable (wireless) network connectivity Handle partial downloads Ideally resume downloads in expensive networks like 3G Public and insecure (wireless) networks Can someone inject arbitrary code during the update process? Verify authenticity of update

Generic embedded updater workflow Detect update (secure channel) Compatibility check Download (secure channel) Integrity (e.g. checksum) Pre-install actions Extract Decrypt Authenticate (e.g. signature) Install Post-install actions Sanity checks Failure recovery (e.g. roll back) Choose a strategy Must-have Environment-specific

Choice of update type has tradeoffs Full image Package (opkg, ) tar.gz Docker/Containers Download size Large* Small Small Medium Installation time Long* Short Short Short Rollback Yes (dual partition) Hard Hard Yes Consistency Yes Medium Hard Yes Design impact Bootloader, Partition layout Package manager tar,... Kernel, docker * Can mitigate with compression or binary diffs

Strategies to reduce the risk of bricking Integrity checking This must be done Easy to implement What can go wrong? Rollback support This should be a requirement: power loss, installation error, etc. Could be hard depending on update type (tarball, package) Phased rollout I.e. don t deploy update to all devices in one go Most do this to some extent: test & production environments Can be more granular on device population (1%, 10%, 25%, 50%, )

Prepare for securing the software defined car Open source software where no differentiation Well-maintained software Over-the-air updates Apply well-known security design principles

The best way to respond to hacking? Fiat Chrysler said exploiting the flaw "required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code" and added manipulating its software "constitutes criminal action". Straubel [Tesla CTO] credits KeenLabs researchers [...] says Tesla will pay KeenLabs team a monetary reward for its work [...] They did good work, Straubel says. They helped us find something that s a problem we needed to fix. And that s what we did. Sources: BBC News, Wired

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback