Security enhancing CAN transceivers. Bernd Elend, Principal Engineer, March 8th, 2017


Introduction: Security requires a layered approach. NXP's 4 + 1 layer approach for vehicle cyber security: multiple security techniques at different levels (defense in depth) mitigate the risk of one component of the defense being compromised or circumvented.

How can a CAN transceiver contribute to the cyber security of a vehicle?

In a CAN network, node A wants to send data to node B, and other nodes (C, D, E, F, G and H) are present on the same bus.

Let us focus only on A, B and E for simplicity, and see what other connections E might have, for example USB. All of them offer an attack surface.

Finally the hacker succeeds in overcoming the security measures, and node E now pretends to be node A: a spoofing attack. Both E and A transmit with ID = 0x123.

Node B is now in a dilemma. Which message is the correct one? Both have the same CAN ID but different data, and B does not know who the sender of which message is.

1st Solution: Transmission whitelist. The transceiver of node E only allows CAN or CAN FD messages to be sent whose ID is stored in a whitelist in the transceiver. Implications: The message occurs once on the bus and is invalidated in the end-of-frame field. After that, node E is excluded by the transceiver from any further communication. Benefits: Only one error flag on the bus. This method can also be used to protect against flooding attacks that would lead to a denial of service, by limiting the transmitted bus load. Drawback: Does not help in case node E is not under the control of the OEM, e.g. an aftermarket device.

2nd Solution: Spoofing protection. The transceiver of node A sends an active error flag when it receives an identifier that it would usually send itself. Implications: The error flag sent by node A causes 16 repetitions before node E enters error passive (with suspend transmission) and a further 16 repetitions prior to entering the bus-off state. Benefits: Helps to protect in case of foreign node attachment, i.e. in case E is not under the control of the OEM, like aftermarket devices. This method also helps in case node E starts tampering with the message data after A has sent the identifier and when node A is in error passive state. Drawbacks: Does not work if A is not present (e.g. an off-board tester) or if node A is in sleep mode or unpowered. Node E can be restarted by the hacker at any time. 32 error frames and peak bus load do occur.
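The two solutions above and the CAN fault-confinement behaviour the second one relies on, as an added example that is not part of the original presentation or of NXP's product: a small Python model, with assumed node names, IDs and class names, in which each active error flag raised against a spoofed frame adds 8 to the attacker's transmit error counter, so the attacker reaches error passive after 16 attempts and bus off after 32.

```python
# Added example, not from the NXP presentation: a model of the two transceiver
# countermeasures above and of CAN fault confinement (TEC += 8 per transmit
# error, error passive above 127, bus off above 255). Node names, IDs and the
# class/function names are assumptions for illustration.

TX_ERROR_INCREMENT = 8
ERROR_PASSIVE_LIMIT = 127
BUS_OFF_LIMIT = 255


class Node:
    def __init__(self, name, own_ids=(), tx_whitelist=None, awake=True):
        self.name = name
        self.own_ids = set(own_ids)        # IDs this node legitimately sends
        self.tx_whitelist = tx_whitelist   # None: plain transceiver, no list
        self.awake = awake                 # False: sleep mode or unpowered
        self.tec = 0                       # transmit error counter
        self.excluded = False              # cut off by its own transceiver

    @property
    def state(self):
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"
        return "error-passive" if self.tec > ERROR_PASSIVE_LIMIT else "error-active"


def transmit(sender, can_id, bus_nodes):
    """Sender tries to put a frame with can_id on the bus; report the outcome."""
    if sender.excluded or sender.state == "bus-off":
        return "not-transmitted"
    # 1st solution: the sender's own transceiver checks its transmission whitelist.
    if sender.tx_whitelist is not None and can_id not in sender.tx_whitelist:
        sender.tec += TX_ERROR_INCREMENT
        sender.excluded = True         # invalidated in EOF, then excluded for good
        return "error-flag-from-own-transceiver"
    # 2nd solution: the transceiver owning the ID raises an active error flag,
    # but only if that node is present and awake (the drawback on the slide).
    for node in bus_nodes:
        if node is not sender and node.awake and can_id in node.own_ids:
            sender.tec += TX_ERROR_INCREMENT
            return "error-flag-from-" + node.name
    return "accepted"


def spoof_until_silenced(attacker, victim, can_id, max_attempts=64):
    """Repeat the spoofed frame; return (attempts, attacker state after each)."""
    states = []
    while attacker.state != "bus-off" and len(states) < max_attempts:
        transmit(attacker, can_id, [victim, attacker])
        states.append(attacker.state)
    return len(states), states
```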

Features in the receive path: spoofing protection, tamper protection. Features in the transmit path: transmission whitelisting, flooding prevention. Intrusion detection and intrusion prevention, operating independently from a possibly compromised host!

Configuration needs: spoofing protection needs a list of identifiers; tamper protection does not need configuration; transmission whitelisting needs a list of identifiers; flooding prevention needs a limit, e.g. 6% bus load. The list of IDs for spoofing protection and the transmission whitelist can be the same! Configuration is done at the Tier-1: program, test, lock. No update attack in the field is possible.
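The flooding prevention limit above, as an added example that is not from the presentation: a transmit-path bus-load limiter that refuses frames once this node's share of a measurement window is used up. The 6% figure is the slide's; the 500 kbit/s classic CAN bit rate, the 100 ms window and the worst-case frame-length bound are assumptions.

```python
# Added example, not from the NXP presentation: a transmit-path bus-load limiter
# for flooding prevention. The 6 % limit is the slide's figure; the bit rate,
# the window length and the frame-length bound are assumptions.

BIT_RATE = 500_000      # bit/s, assumed classic CAN bit rate
WINDOW_US = 100_000     # measurement window in microseconds, assumed
LOAD_LIMIT_PCT = 6      # this node's allowed share of the bus load, in percent


def frame_bits(dlc, extended=False):
    """Upper bound on the bits one classic CAN data frame occupies on the bus."""
    # SOF 1, ID 11, RTR 1, IDE 1, r0 1, DLC 4, CRC 15, CRC delimiter 1, ACK 2,
    # EOF 7, IFS 3 = 47 bits; an extended ID adds 18 ID bits, SRR and r1.
    overhead = 67 if extended else 47
    payload = 8 * dlc
    stuffable = overhead - 13 + payload     # everything from SOF through CRC
    return overhead + payload + (stuffable - 1) // 4   # worst-case bit stuffing


class FloodLimiter:
    """Refuse frames once this node's share of the current window is used up."""

    def __init__(self, bit_rate=BIT_RATE, window_us=WINDOW_US, pct=LOAD_LIMIT_PCT):
        self.budget = bit_rate * window_us * pct // 100_000_000   # bits per window
        self.window_us = window_us
        self.window_start = 0
        self.used = 0

    def allow(self, t_us, dlc, extended=False):
        """Return True if a frame at time t_us may be transmitted."""
        if t_us - self.window_start >= self.window_us:   # open a new window
            self.window_start = t_us
            self.used = 0
        bits = frame_bits(dlc, extended)
        if self.used + bits > self.budget:
            return False                                   # over the limit: drop
        self.used += bits
        return True


def simulate_flood(n_frames, interval_us, dlc=8):
    """Send n_frames spaced interval_us apart; return how many reach the bus."""
    limiter = FloodLimiter()
    return sum(limiter.allow(i * interval_us, dlc) for i in range(n_frames))
```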

How to get to such a security enhancing transceiver? The roadmap slide shows the building blocks from left to right: CAN transceiver (ultra-low emission, ultra-low power, 5 Mbps CAN cell: full 5 Mbps portfolio); CAN decoder and CAN FD controller (CAN bus monitor and partial networking, CAN FD bus monitor and FD shield: energy saving, fast ECU flashing, re-use of CAN ECUs in CAN FD networks); set of policies stored in memory (CAN/CAN FD spoofing and tampering protection, TX control and flooding protection, basic access prevention: network security, ECU and network security).

What could be next? The same building blocks, extended with HW crypto accelerators, a programmable core and secure storage: security built into the CAN PHY, for ECU and network security and CAN/CAN FD network security.

Feature summary:
1. Spoofing protection: the transceiver may issue an active error flag on reception of a CAN ID that is included in its transmission whitelist.
2. Transmission whitelisting: the sending transceiver has a transmission whitelist of CAN IDs that are allowed to be sent.
3. Tamper protection: if the node starts a transmission and a compromised node tampers with the message while the sender is error passive, the transceiver prevents the message take-over by sending an active error flag.
4. Flooding prevention: the transceiver ensures that the node's contribution to the bus load is limited.

Advantages of realizing these features in a transceiver:
1. Drop-in replacement for standard transceivers, no other HW change.
2. Quick fix for vulnerable modules, no host SW update necessary.
3. No cryptography included, no key management necessary.
4. Independent from the host µC, physically isolated.
5. Complementary to other security measures.