Cross-Domain Security Issues for Connected Autonomous Vehicles
Anthony Lopez, Mohammad Al Faruque
Advanced Integrated Cyber-Physical Systems Lab

Outline
o Overview on Connected Vehicle Security
o Ongoing Work
o Future Work

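Cross-Domain Security Framework
Attack Domains (C: Cyber, P: Physical) and Impact Domains (C: Cyber, P: Physical)
o Cyber attack, cyber impact: Virus / SQL Injection / Buffer Overflow / etc.
o Cyber attack, physical impact: Remote vehicle access
o Physical attack, cyber impact: Emitted sounds from 3D printer
o Physical attack, physical impact: Physical sabotage
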
Connected Autonomous Vehicles
Requirements
o Functionality
o Extensibility
o Security
Smart Transportation (combination of collaborative and autonomous actions)
[Figure label: Strong Winds]

Attack Model
Attacker is knowledgeable about the targeted components
o Understands networking protocols, hardware, software, vulnerabilities, control mechanisms
Attacker has sufficient (but not infinite) resources (vehicle, computing device, packet sniffer, etc.)
o To communicate with legitimate vehicles
o To inject code, packets and/or spoofed signals
o Quantifying this is a challenge!

Access Points
Applications
o Infotainment (Media, Bluetooth, 3G), Navigation, Cruise Control, Platooning
Internal Network
o CAN, LIN, MOST, FlexRay, TPMS
External Network
o Key Fobs, OTA Updates, V2X (V2LC, DSRC, WAVE, Toll, IoT)
Hardware
o ECUs, Sensors, Electro-Mechanical Components, Signals
[Figure: Abstracted View of Automotive System; labels: Sensors, Telematics, Infotainment, Internal Network, V2X Comm.]

Cyber Domain Attacks
o Intrusive: Message Falsification/Replay/Spoofing/Fuzzing
  DSRC/WAVE/Telematics/LIDAR/RADAR/TPMS [1-4]
o Intrusive: Remote Control of Vehicle
  Infotainment/Telematics/Internet/OTA Update [1-4]
o Nonintrusive: Eavesdropping
  DSRC/WAVE/TPMS/CAN (over EV charging station) [1-4]

Physical Domain Attacks
Spoofing/Jamming/DoS/Delay/Replay
o Tire Pressure Monitoring System (TPMS) [6], MEMS accelerometers and gyroscopes (with acoustics) [7]
o Telematics: GPS (on boats and UAVs), LIDAR (with laser pointer), RADAR, camera [1-4]
o Mechanical and Electrical Components (e.g., brakes, battery system) [8-11]

Our Work
Case Study:
o Physical Layer Key Generation for V2X Communication
More Work:
o Security-Aware Functional Modeling
o EV Battery System Security
Future Work

Physical Layer Key Generation for Automotive Cyber-Physical Systems
Jiang Wan, Anthony Lopez, Mohammad Al Faruque, Physical Layer Key Generation for Automotive Cyber-Physical Systems, ICCPS '16

Symmetric Key Algorithm
Examples
o AES
Advantages
o Fast
Disadvantages
o Deterministic
o Key Management
[Diagram labels: Alice, Bob, Messages, Symmetric Key, Encrypt, Decrypt]

Asymmetric Key Algorithm
Examples
o ECC
o RSA
Advantages
o Key Management
Disadvantages
o Slow
[Diagram labels: Alice, Bob, Messages, Public Key, Private Key, Encrypt, Decrypt]

Hybrid Solution
Advantages
o Efficient after key exchange
o Key management
Disadvantages
o Slow key exchange
o Memory overhead
o Deterministic symmetric key
[Diagram labels: Alice, Bob, Public Key, Private Key, Symmetric Key, Encrypt, Decrypt]

Related Work
Key Generation Based on Indoor Wireless Channel
o Static environment
o Low entropy
[Figure labels: Room 1, Room 2, No Variation, Some Variation]
MobiCom 2008: Mathur et al., MobiCom 2009: Jana et al., TIFS 2010: Ye et al., MobiCom 2010: Patwari et al., InfoCom 2010: Zeng et al., IEEE Wireless Communications 2011: Ren et al.

Our Contributions
Novel Security Solution for Automotive Applications
Automotive Model
o Wireless channel
o Attack model
Key Generation Algorithm
o Reduces overhead
o Keys with more entropy

Attack Model
Non-Intrusive Eavesdropper
o Knowledgeable
o Wants to derive key
o More than few wavelengths apart
[Diagram labels: Alice, Bob, Eve]

Algorithm
o Number of Samples in Group: G_size
o Coherence Time: T_c
o Sampling Period (Step): τ_step
[Diagram labels: Alice, Bob, Probe Signals, Samples, Upper Threshold, Lower Threshold, Same Key, τ_step T_c, G_size]

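A generic level-crossing quantizer of the kind the slide's upper/lower thresholds and G_size grouping suggest, added here as an illustration; it is not the authors' algorithm. The threshold rule (group mean plus or minus alpha times the standard deviation), the parameter alpha, all function names and the simulated RSS values are assumptions, and Eve is modeled as measuring an independent channel.

```python
import math
import random
import statistics

def quantize(rss, g_size, alpha=0.5):
    """Map RSS samples to bits, group by group (g_size samples per group).
    Thresholds are mean +/- alpha*stdev of each group (assumed rule);
    samples inside the guard band are dropped. Returns {sample_index: bit}."""
    bits = {}
    for start in range(0, len(rss) - g_size + 1, g_size):
        group = rss[start:start + g_size]
        mean = statistics.fmean(group)
        band = alpha * statistics.pstdev(group)
        for i, v in enumerate(group, start):
            if v > mean + band:        # above the upper threshold
                bits[i] = 1
            elif v < mean - band:      # below the lower threshold
                bits[i] = 0
    return bits

def agree(bits_a, bits_b):
    """Keep only indices both sides retained. The indices can be exchanged
    in the clear; the bit values never leave either side."""
    common = sorted(bits_a.keys() & bits_b.keys())
    return [bits_a[i] for i in common], [bits_b[i] for i in common]

def mismatch_rate(key_a, key_b):
    return sum(a != b for a, b in zip(key_a, key_b)) / max(len(key_a), 1)

def min_entropy_per_bit(key):
    """-log2 of the most likely bit value; 1.0 means unbiased bits."""
    p1 = sum(key) / len(key)
    return -math.log2(max(p1, 1 - p1))

def simulate(n=512, g_size=16, seed=1):
    """Constructed data: one reciprocal channel seen by Alice and Bob with
    small independent noise, and an independent channel seen by Eve."""
    rng = random.Random(seed)
    channel = [rng.gauss(-20, 5) for _ in range(n)]   # dBm, one sample per step
    alice = [h + rng.gauss(0, 0.3) for h in channel]
    bob = [h + rng.gauss(0, 0.3) for h in channel]
    eve = [rng.gauss(-20, 5) for _ in range(n)]
    qa, qb, qe = (quantize(x, g_size) for x in (alice, bob, eve))
    ka, kb = agree(qa, qb)
    ea, ee = agree(qa, qe)   # Eve runs the same quantizer on her own samples
    return len(ka), mismatch_rate(ka, kb), mismatch_rate(ea, ee), min_entropy_per_bit(ka)

if __name__ == "__main__":
    print(simulate())
```

`simulate()` returns the number of agreed bits, the Alice/Bob mismatch rate, the Alice/Eve mismatch rate and the per-bit min-entropy of Alice's key.
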
Experiments RC Cars
[Figure labels: Car 0, Car 1, Car 2, Bluetooth, Wifi]

Experiments RC Cars
[Plot: Received Signal Strengths; y-axis: RSS Value (dBm); x-axis: Numbers of RSS Values; series: Car 1 from Car 2, Car 2 from Car 1, Car 1 from Car 0, Car 0 from Car 1; annotation: Group Size]
Pair 1: Car 1 and Car 2
Pair 2: Car 1 and Car 0
Generated 64-Bit Keys
o Measurement labels: RSSI measured in Car 0 from Car 1; RSSI measured in Car 2 from Car 1; RSSI measured in Car 1 from Car 0; RSSI measured in Car 1 from Car 2
o 0000001111111111_1111000000000000_0000011111100000_0000011110000011 (shown twice)
o 1100000110000000_0000000100000110_0000000010000000_0000011111111111 (shown twice)
o Same Keys for Pair 1
o Same Keys for Pair 2

Evaluation
Security Comparison
[Chart: Average min-entropy, axis 0% to 100%; categories: Pre-dist., Latch-PUF, DFF-PUF, SRAM-PUF, Our Tech.; value labels on the slide: 67%, 0%, 0%]
[Chart labels: Security Strength, Pre-Distributed Keys, Hardware PUF, High Entropy; value labels on the slide: 39%, 50%, 67.69%, 87%]
Performance and Memory Comparison
o 10X faster and 20X smaller than RSA
o 1-2X faster and 10X smaller than ECC
Performance Overhead (seconds)
o 80 bits: RSA 11.42, ECC 1.62, Our Alg. (2 mi/h) 1.725, Our Alg. (20 mi/h) 0.95
o 112 bits: RSA 85.2, ECC 4.38, Our Alg. (2 mi/h) 2.415, Our Alg. (20 mi/h) 1.33
Code Size Overhead (bytes)
o 80 bits: RSA 6292, ECC 3682, Our Alg. 331
o 112 bits: RSA 7736, ECC 4812, Our Alg. 331

Other Works: Security-Aware Modeling & EV Battery System Security

Security-Aware Functional Modeling

Electric Vehicle Battery System Security
Figure Taken From Reference 8

EV Battery System Security Solutions?
Battery Authentication
o Deriving unique signature of the battery from measurements
Intrusion Detection
o Malicious behavior detection and verification
Sensor Attack Prevention
o Detecting anomalies
[Figure: Battery Authentication Abstraction]

Future Work
V2X Malicious Activity Detection and Prevention
o Applications: Cooperative Adaptive Cruise Control and Platooning
o Deriving a method to detect malicious behavior
o Is game theory suitable?
o Requires real-time decision making for security and functionality of the system

Questions? Thank You!

References
1. V. Thing and J. Wu. Autonomous Vehicle Security: A Taxonomy of Attacks and Defences. In ithings-greencom-cpscom-smartdata 2016.
2. K. Thomas. Hackers demo Jeep security hack, 2015. [online] Available: http://www.welivesecurity.com/2015/07/22/hackers-demo-jeep-security-hack
3. C. Miller, C. Valasek. Remote exploitation of an unaltered passenger vehicle, 2015. [online] Available: https://www.defcon.org/html/defcon-23/dc-23-speakers.html#miller
4. S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. Comprehensive experimental analyses of automotive attack surfaces. In Proceedings of the 20th USENIX Conference on Security, SEC '11, pages 6-6, Berkeley, CA, USA, 2011. USENIX Association.
5. Sandip Ray, Wen Chen, Jayanta Bhadra, and Mohammad Abdullah Al Faruque. 2017. Extensibility in Automotive Security: Current Practice and Challenges: Invited. In Proceedings of the 54th Annual Design Automation Conference 2017 (DAC '17). ACM, New York, NY, USA, Article 14, 6 pages. DOI: https://doi.org/10.1145/3061639.3072952
6. Trippel, T., Weisse, O., Xu, W., Honeyman, P., & Fu, K. WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017). To appear.
7. Rob Miller, Ishtiaq Rouf, Hossen Mustafa, Sangho Oh, Travis Taylor, Wenyuan Xu, Marco Gruteser, Wade Trappe, and Ivan Seskar. 2010. Security and privacy vulnerabilities of in-car wireless networks: A tire pressure monitoring system case study. 19th USENIX Security Symposium, Washington DC (2010), 11-13.
8. Lopez, A. B., Vatanparvar, K., Nath, A. P. D., Yang, S., Bhunia, S., & Al Faruque, M. A. (2017). A Security Perspective on Battery Systems of the Internet of Things. Journal of Hardware and Systems Security, 1-12.
9. Waszecki, P., Mundhenk, P., Steinhorst, S., Lukasiewycz, M., Karri, R., & Chakraborty, S. (2017). Automotive electrical/electronic architecture security via distributed in-vehicle traffic monitoring. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.
10. Sagstetter, F., Lukasiewycz, M., Steinhorst, S., Wolf, M., Bouard, A., Harris, W. R., ... & Chakraborty, S. (2013, March). Security challenges in automotive hardware/software architecture design. In Proceedings of the Conference on Design, Automation and Test in Europe (pp. 458-463). EDA Consortium.
11. Shoukry, Y., Martin, P., Tabuada, P., & Srivastava, M. (2013, August). Noninvasive spoofing attacks for anti-lock braking systems. In International Workshop on Cryptographic Hardware and Embedded Systems (pp. 55-72). Springer, Berlin, Heidelberg.