The Remote Exploitation of Unaltered Passenger Vehicles Revisited. 20th October 2016. Mark Pitchford, Technical Manager, EMEA
Today's hot topic: a few years ago, Lynx presentations at events such as this centred on why connected car security is important. And then: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ https://electrek.co/2016/09/27/tesla-releases-more-details-on-the-chinese-hack-and-the-subsequent-fix/
How was the Jeep hacked? From Miller & Valasek's paper "Remote Exploitation of an Unaltered Passenger Vehicle": "Remote Attack Surface. The following table is a list of the potential entry points for an attacker. While many people only think of these items in terms of technology, someone with an attacker's mindset considers every piece of technology that interacts with the outside world a potential entry point." In order to access the security-critical systems, the hackers needed an entry point, and a vulnerability to gain access from that entry point.
How was the Jeep hacked? From Miller & Valasek's paper "Remote Exploitation of an Unaltered Passenger Vehicle": "there are no CAN bus architectural restrictions, such as the steering being on a physically separate bus. If we can send messages from the head unit, we should be able to send them to every ECU on the CAN bus."
Why separation? Suppose we want a heart pacemaker to be able to report any irregularities back to a medical specialist. The primary aim here is to separate the safe and unsafe sides of the network, and to tightly control communication between them. Separation is key!
Separation through hardware. Separation of these different domains can be achieved in several different ways. This Tesla example shows how separation is achieved through hardware in the Model S.
So how was the Tesla hacked? https://electrek.co/2016/09/27/tesla-releases-more-details-on-the-chinese-hack-and-the-subsequent-fix/ This Keen Laboratories hack was the second publicised attack on a Tesla. The infotainment system was accessed via a vulnerability in the WebKit-based browser, and manipulated via a malicious Wi-Fi hotspot. Access to the instrument cluster via vulnerabilities in its Linux OS allowed activation of doors, windows and wipers, but provided no access to the safety-critical braking system. That required them to replace the gateway software with their own, perhaps using a privilege escalation vulnerability highlighted by Rogers and Mahaffey in the earlier attack? https://iotsecurityfoundation.org/is-the-tesla-model-s-robust-against-hackers/ https://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/
Separation is no silver bullet! As the Tesla example illustrates, separation alone is no guarantee of impenetrability. But it is a key component in the defence of Cyber-Physical Vehicle Systems against an ever-increasing number of threat vectors.
Industrial Internet Security Framework. Unlike our simplistic heart pacemaker example, the Industrial Internet Consortium's IISF highlights 15 endpoint vulnerabilities to be protected. http://www.iiconsortium.org/iisf.htm
SAE J3061 makes a similar, more industry-specific point. https://nmi.org.uk/wp-content/uploads/2016/06/4_sae-j3061-and-friends-for-nmi-jun-16.pdf
Cost-effective separation. Hardware separation is an expensive solution. Hypervisors are widely held aloft as the cost-effective alternative to provide separation in software. But hypervisor functionality is not the key factor...
How safe is the separator? ...the separation mechanism is! Because this is a critical component, it is imperative that it be as secure as possible.
Protecting against remote exploitation. If a vehicle is to be optimally protected, the attack surface exposed to would-be aggressors needs to be minimised. For example: separate high-ASIL systems from those of lower criticality; separate the TCP/IP stack away from the vulnerability of the gateway's OS. If they are to truly be separated rather than conjoined, we also need to minimise the resources (and hence the attack surface) shared between these entities.
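The "tightly controlled communication" between domains that the slides call for is usually enforced by a gateway that applies a deny-by-default policy to traffic crossing from the low-criticality side to the safety-critical bus. The following is an added example, not code from the slides or from Lynx: a minimal allow-list gateway policy check for CAN frames, with a drop counter that a monitoring function can read. The CAN identifiers, domain names and payload lengths are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed domains: the head unit / infotainment side and the safety bus. */
enum domain { DOM_INFOTAINMENT = 0, DOM_SAFETY = 1 };

struct can_frame {
    uint32_t id;       /* 11-bit standard CAN identifier */
    uint8_t  dlc;      /* data length code, 0..8 */
    uint8_t  data[8];
};

/* One allow-list rule: which id may cross from src to dst, and with what
 * maximum payload length. Anything not matched by a rule is dropped. */
struct rule {
    enum domain src;
    enum domain dst;
    uint32_t    id;
    uint8_t     max_dlc;
};

/* Constructed policy: only two message types may cross from infotainment to
 * the safety bus. Chassis, steering and braking ids are deliberately absent,
 * so a compromised head unit cannot reach every ECU as in the Jeep case. */
static const struct rule policy[] = {
    { DOM_INFOTAINMENT, DOM_SAFETY, 0x3A0, 2 },  /* e.g. ambient-light level */
    { DOM_INFOTAINMENT, DOM_SAFETY, 0x3A1, 1 },  /* e.g. seat-heater request */
};

static unsigned long dropped_frames;            /* detection signal for monitoring */

unsigned long gateway_dropped_count(void) { return dropped_frames; }

/* Returns true only if the frame may be forwarded from src to dst. */
bool gateway_allows(enum domain src, enum domain dst, const struct can_frame *f)
{
    if (f->dlc > 8 || f->id > 0x7FF || src == dst) {   /* malformed or same-domain */
        dropped_frames++;
        return false;
    }
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (r->src == src && r->dst == dst && r->id == f->id && f->dlc <= r->max_dlc)
            return true;
    }
    dropped_frames++;                               /* deny by default */
    return false;
}
```

A rising drop count from the infotainment side is itself worth alerting on, since a healthy head unit should never emit frames outside the allow-list.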
Typical hypervisor architecture. [Diagram: apps, services and guest OSs sit above a monolithic kernel containing the CPU scheduler, API, application access control, VM monitor, virtual I/O, policy, resource management, interrupt handler, I/O stack, exception handler and device drivers for storage, network and graphics.] Shared resources = large attack surface. Applying least-privilege principles addresses that.
Separation kernel architecture. [Diagram: guest OSs, services and apps sit above per-VM APIs, with application access control, virtual I/O, policy, VM monitor, drivers and I/O stack kept outside the kernel; the separation kernel itself contains only the CPU scheduler, resource management, exception handler and interrupt handler.]
Trusted Computing Base (TCB). Still a separation kernel, NOT a cut-down RTOS!
Separation kernel based distributed vehicle. [Diagram: a secure update gateway (firmware server VM), V2X gateway (app server) and entertainment gateway (app server, LSA.connect) are joined by tunnelled virtual networks to a network gateway VM; AUTOSAR, LynxOS V2X and Linux VMs each have their own V-NIC and V-Disk; an LSA.store disk manager VM holds the VM images in encrypted disk partitions.]
Separation kernel and virtualization. Separation is a useful tool in the quest to design secure Cyber-Physical Vehicle Systems. Separation in software is far more cost-effective than separation in hardware. For that separation to be optimal, the separation mechanism needs to present a minimal attack surface to the would-be hacker. The combination of a least-privilege separation kernel hypervisor and a modern multi-core processor represents state-of-the-art separation in software.
Thank You