Countermeasures against Cyber-attacks Case of the Automotive Industry
Agenda
- Automotive Basics: ECU, domains, CAN
- Automotive Security: motivation, trends
- Hardware and Software Security: EVITA, SHE, HSM
- Secure Communications: secure CAN communications
- Network Isolation: secure gateways
- Secure External Communications: car-to-car communications
Automotive Basics: Electrical/Electronic Architecture
- Powertrain domain: safety, hard timing requirements / lockstep CPUs; complex processing operations (partly)
- Chassis domain: safety, hard timing requirements / lockstep CPUs; mixture of safety and non-safety ECUs (e.g., DAS); partially high-end MCU nodes
- Infotainment domain: multimedia and communication devices; no safety ECUs, but partly safety cores integrated; high bandwidth communication
- Body domain: not safety critical; nodes do not require high bandwidth; mainly implemented by low cost parts
- A central gateway connects the domains. Nodes shown in the diagram: ACC, DAS, C2C, Head-Unit, USS, Cam, WLAN, CCU, Light, SCU, Door, Climate, TCU, ABS, HYD, ESP, Instrument, Multimedia, Immobilizer
Automotive Basics: CAN (Controller Area Network)
- Broadcast protocol: all ECUs access the bus at the same time
- Frame layout: CAN ID, Payload, CRC, ACK, EOF
- Arbitration example: ECU 1 and ECU 2 start sending their CAN IDs at the same time; the ECU that sends a recessive bit where the other sends a dominant bit loses arbitration (ECU 2 in the diagram) and stops transmitting
- ECU 3 sends the ACK
Automotive Basics: What is an ECU?
- SoC with CPU, RAM (variables) and flash memory (OS, data)
- Sensor input, e.g., air flow meter
- Actuator output, e.g., fuel injection
- Network interface, e.g., CAN
- Debug access: JTAG, on-chip debugger, boundary scan on RAM and flash
- Option: security hardware, e.g., coprocessor, secure memory
Automotive Basics: Historical Development
- From a closed system to interactive communication (day before yesterday, yesterday, today, tomorrow)
- Reason: more safety, more efficiency
Automotive Basics: Software Complexity
Today, a modern premium-class vehicle executes complex software on 70 to 100 microprocessor-based ECUs, realizing up to 3000 individual functions with approx. 100 million LOC*.
Million lines of code (LOC) for different products*: premium-class vehicle 100; Mac OS X 10.4 86; Windows Server 2003 50; Linux Kernel 3.6 15.9; Boeing 787 Dreamliner 6.5; F-35 Joint Strike Fighter 5.7; F-22 Raptor 1.7; OpenSSL 0.5.
Assuming NASA error rates (1 defect per 10,000 LOC) results in approx. 10,000 SW defects for a modern premium-class vehicle.
* Figures according to [IEEE09] and [LOC]
Automotive Security: Example from Black Hat 2015
- Architecture shown: head unit (ARM) connected over SPI to the V850 (CAN gateway), which bridges CAN C (powertrain, chassis: Engine, Park assist, EPS, ABS, ACC) and CAN IHS (body: Doors, Amp)
- Step 1: unauthorized remote reprogramming of the V850 through multiple head unit security vulnerabilities
- Step 2: control messages sent over the air
- Lessons learned: protecting interfaces is not sufficient anymore
Automotive Security: Four Layers of Security
- Secure connected vehicle: vehicle firewalls and security standards for external interfaces
- Secure E/E architecture: use separation and securely configured gateways to protect the functional domains of the E/E architecture
- Secure in-vehicle network: protect the integrity of critical in-vehicle signals; standardized in AUTOSAR release 4.2.1
- Secure individual ECU: protect the integrity of software and data; Hardware Security Module (HSM); deeply embedded automotive hypervisor
Secure Hardware and Software: EVITA Project
- Landmark European FP7 project
- On-die security extension: to decrease cost and increase security
- No strong tamper resistance: to decrease cost; counterbalanced with key management
- Guaranteed performance: AES for EVITA light and medium
- Automotive grade (unlike TPM): e.g., temperature, vibrations, safety...
- Derived from the EVITA project: Secure Hardware Extension (SHE, EVITA light) and Bosch Hardware Security Module (EVITA medium)
- Hardware separation between the EVITA secure memory and the application CPU with its normal memory, e.g., memory controller, independent busses
Secure Communications: AUTOSAR SecOC
- Example: sending ECU in a domain such as infotainment or ADAS, receiving ECU in a domain such as brakes
- Sender: computes a MAC with AES over Data and Counter and transmits Data, Counter and MAC
- Receiver: recomputes the MAC with AES over the received Data and Counter and checks MAC =? received MAC; then checks Counter >? last accepted counter, so a replayed message is rejected
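The sender and receiver logic of this slide worked through as an added example (not code from the slides or from ESCRYPT's products): the MAC is AES-128-CMAC when the `cryptography` package is available and otherwise HMAC-SHA256 as a labelled stand-in; the key, CAN IDs, 16-bit counter and 4-byte MAC truncation are constructed assumptions, chosen so data, counter and MAC fit one 8-byte classic CAN frame.

```python
import hmac
import hashlib
import struct

try:  # AES-128-CMAC, matching the slide's "AES MAC", when the cryptography package is installed
    from cryptography.hazmat.primitives.cmac import CMAC
    from cryptography.hazmat.primitives.ciphers import algorithms

    def _mac(key: bytes, msg: bytes) -> bytes:
        c = CMAC(algorithms.AES(key))
        c.update(msg)
        return c.finalize()
    _mac(bytes(16), b"")  # probe once so an incompatible library version falls back below
except Exception:  # stand-in so the example still runs with the standard library only
    def _mac(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, hashlib.sha256).digest()

CTR_LEN = 2  # assumption: 16-bit freshness counter on the wire
MAC_LEN = 4  # assumption: MAC truncated to 32 bits (2 B data + 2 B counter + 4 B MAC = 8 B frame)


def _mac_input(can_id: int, data: bytes, ctr: bytes) -> bytes:
    # Binding the CAN ID into the MAC input (like SecOC's data ID) stops a valid
    # PDU from being accepted if it is re-sent under a different identifier.
    return struct.pack(">H", can_id) + data + ctr


def build_secured_pdu(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side: Data || Counter || truncated MAC over (CAN ID, Data, Counter)."""
    ctr = (counter % (1 << (8 * CTR_LEN))).to_bytes(CTR_LEN, "big")
    tag = _mac(key, _mac_input(can_id, data, ctr))[:MAC_LEN]
    return data + ctr + tag


class Receiver:
    """Receiver side: MAC =? check first, then Counter >? check against the last accepted value."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # highest accepted counter per CAN ID

    def verify(self, can_id: int, pdu: bytes):
        """Return the authenticated data, or None if the PDU is forged, modified or replayed."""
        if len(pdu) < CTR_LEN + MAC_LEN:
            return None
        data, ctr, tag = pdu[:-(CTR_LEN + MAC_LEN)], pdu[-(CTR_LEN + MAC_LEN):-MAC_LEN], pdu[-MAC_LEN:]
        expected = _mac(self.key, _mac_input(can_id, data, ctr))[:MAC_LEN]
        if not hmac.compare_digest(expected, tag):
            return None  # MAC =? failed: not produced with the shared key, or modified in transit
        counter = int.from_bytes(ctr, "big")
        if counter <= self.last_counter.get(can_id, -1):
            return None  # Counter >? failed: an old message replayed on the bus
        self.last_counter[can_id] = counter
        return data
```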
Network Isolation: Secure Central Gateway
- Scenario 1: a hacked telematics unit attempting to spoof radar
- Scenario 2: a device connected through the OBD-II port attempting to spoof radar
- The secure central gateway sits between the OBD, radar and brakes segments, so spoofed radar messages from either source are not forwarded to the brakes
Secure External Communications: Flashing and Diagnostics
- Secure environment (server room): secure server with HSM and a database of ECU keys
- Dealer connects to the secure server over the Internet (HTTPS) with authentication
Secure External Communications: Security Concept for Car-to-Car Communications
- Multiple certificates (= identities)
- Can download new certificates from road-side units
- Signed messages: with n cars in range, 10n signature verifications per second
Wrap-up: A Holistic Security Approach Is Necessary!
- Hardware security
- MAC authentication
- Key injection
- Firewall
- Secure diagnostics: tester authentication with the server
ESCRYPT Worldwide Service: Wherever It Is Needed
- North America: Ann Arbor
- Germany: Berlin, Bochum, Munich, Stuttgart, Wolfsburg
- Korea: Seoul
- China: Shanghai
- Japan: Yokohama
Camille Vuillaume ETAS Japan - Embedded Security Phone: 045-222-0913 Email: camille.vuillaume@etas.com www.escrypt.com