The Five Principles of System Engineering



2012 BSides Detroit Security
Presentation: Vehicle Hacking
Michael Westra, CISSP
June 2012
“If you think technology can solve your security problems, then you don’t understand the problem and you don’t understand the technology.” - Bruce Schneier
June 2011
Agenda
- Unique challenges that automotive faces
- Overview of CAN (Controller Area Network)
- SYNC, a real-world example of security thinking that went into a product on the market
- Security posture
- Sample features within a security framework
- OEM perspective on where the industry is going
- Auto security industry in review
- Technology trends
Automotive Challenges
- Automotive is very long lived
  - Development 2-5 years
  - Lifetime 3-5+ years
  - Often in service for 10+ years
  - Vehicles in design today will be on the road 20 years from now
- Collection of discrete modules from many vendors
  - Includes a variety of hardware, from 8-bit microcontrollers to 32-bit ARM processors, connected together
- Unique service requirements
  - Right-to-service laws mandate that non-OEM locations have access to tools and mechanisms to perform service and update modules
  - Disconnected service scenarios
CAN (Controller Area Network)
- Mental model
  - Based on broadcast virtual electrical signals, not the traditional network model
  - No authentication: every node is assumed trusted, and a frame carries no sender identity that a receiver could check
  - Heavily affects how development proceeds
- Structure
  - 11-bit ID on broadcast
  - 8 bytes of data per message
  - Multiple “slow” buses (500 kbps)
  - Applications layered on top of this, such as TP (streaming), Diagnostics, and Programming
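As an added example (not code from the talk or from Ford), the block below packs and parses the classic frame the slide describes, an 11-bit identifier plus up to eight data bytes, using the Linux SocketCAN `struct can_frame` byte layout, and then shows the defensive consequence of "no sender identity": the only way a receiver notices an extra node transmitting a legitimate ID is that the ID starts arriving more often than its real producer sends it. The message IDs, nominal periods and the bus log are constructed for the example.

```python
import struct

# Added example: classic 11-bit CAN frame in the SocketCAN `struct can_frame`
# layout (can_id u32, dlc u8, 3 pad bytes, 8 data bytes) plus a period-based
# monitor. IDs, periods and the log below are constructed, not real vehicle data.

CAN_SFF_MASK = 0x7FF      # largest standard (11-bit) identifier
CAN_MAX_DLEN = 8          # classic CAN carries at most 8 data bytes per frame
_FRAME_FMT = "<IB3x8s"    # little-endian can_id, dlc, padding, data


def pack_frame(can_id: int, data: bytes) -> bytes:
    """Serialize a standard-ID frame; refuse what the wire format cannot carry."""
    if not 0 <= can_id <= CAN_SFF_MASK:
        raise ValueError(f"ID 0x{can_id:X} does not fit in 11 bits")
    if len(data) > CAN_MAX_DLEN:
        raise ValueError("classic CAN frames carry at most 8 data bytes")
    return struct.pack(_FRAME_FMT, can_id, len(data), data.ljust(CAN_MAX_DLEN, b"\0"))


def unpack_frame(raw: bytes) -> tuple:
    """Parse a frame back, rejecting IDs or lengths outside the standard."""
    can_id, dlc, data = struct.unpack(_FRAME_FMT, raw)
    if can_id > CAN_SFF_MASK or dlc > CAN_MAX_DLEN:
        raise ValueError("malformed frame")
    return can_id, data[:dlc]


# Constructed baseline: nominal transmit period (ms) per message ID, as a
# defender would learn it from a known-good recording of the bus.
NOMINAL_PERIOD_MS = {0x0C9: 12.5, 0x1A1: 25.0}


class PeriodMonitor:
    """Flag frames that arrive far earlier than their ID's nominal period.

    Receivers cannot tell who sent a frame, so an extra node transmitting a
    legitimate ID is visible only as that ID appearing more often than its
    real producer sends it.
    """

    def __init__(self, periods: dict, tolerance: float = 0.5):
        self.periods = periods
        self.tolerance = tolerance      # fraction of the period below which we alert
        self.last_seen = {}

    def observe(self, t_ms: float, can_id: int) -> bool:
        period = self.periods.get(can_id)
        prev = self.last_seen.get(can_id)
        self.last_seen[can_id] = t_ms
        if period is None or prev is None:
            return False                # unknown ID or first sighting: nothing to compare
        return (t_ms - prev) < period * self.tolerance


# Constructed log of (timestamp ms, ID): 0x0C9 every 12.5 ms, with one extra
# frame at t=30 that the nominal producer would not have sent.
SAMPLE_LOG = [
    (0.0, 0x0C9), (0.0, 0x1A1), (12.5, 0x0C9), (25.0, 0x0C9),
    (25.0, 0x1A1), (30.0, 0x0C9), (37.5, 0x0C9),
]


def scan(log: list) -> list:
    """Run the monitor over a log and return the (time, ID) pairs it flags."""
    mon = PeriodMonitor(NOMINAL_PERIOD_MS)
    return [(t, cid) for t, cid in log if mon.observe(t, cid)]


if __name__ == "__main__":
    frame = pack_frame(0x0C9, b"\x01\x02")
    print(frame.hex(), unpack_frame(frame))
    print("suspicious:", [(t, hex(c)) for t, c in scan(SAMPLE_LOG)])
```

The tolerance is deliberately loose (half the nominal period) because real producers jitter; a tighter threshold trades missed injections for false alerts, and the right value comes from the baseline recording, not from the protocol.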
SYNC Background
- SYNC first generation:
  - Launched in fall of 2007
  - 4 million units earlier this year
- MyFord Touch, second generation of SYNC:
  - Launched in fall of 2010
  - No subscription required
- Both products scheduled to be launched in all global markets within the next 18 months
- Includes E911, Vehicle Health, and Traffic, Directions, and Information
- AppLink provides mobile phone application integration with the SYNC UI
Current SYNC Features/Security Challenges
- External interfaces
  - Bluetooth
  - Wi-Fi / USB broadband / network connectivity
  - Mobile application integration
  - Telematics
  - USB
- Software updates
  - Wireless factory provisioning
  - USB updates
- Large external attack surface
- Application validity
- Software integrity assurance
- DRM / licensing
- Protect the vehicle bus
- Personally identifiable information (PII) considerations
- Playback of protected media content
- CAN interaction
- Phonebook integration
General Security Lessons
- Start by defining your product’s security posture.
  - Every device can be hacked with sufficient time, expertise, and motivation
  - Define what is worth protecting and to what level
- An example from SYNC
  - A successful attack should require physical access to the internals of the module
  - A successful attack on one device should not be transferable to immediately hack all devices
  - A general perimeter security architecture, including hardware, should be used to protect the most sensitive components
  - External non-hardwired or user-accessible interfaces should be hardened as much as possible with multiple levels of protection
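The second SYNC posture point, that breaking one module must not hand an attacker every module, is most often met with per-unit keys. The block below is an added example of that pattern (not the SYNC design): a factory master key and the unit's serial number go through HKDF to give each unit its own key, and a command tag minted for one unit verifies nowhere else, so whatever is recovered by opening one module is worthless against the fleet. The master key, salt, label, serials and command are constructed placeholders; in practice the master key stays in the factory signing service and only the derived key is provisioned to the unit.

```python
import hashlib
import hmac

# Added example, not Ford code: per-unit keys derived from a master key so a
# key extracted from one module authorizes nothing on another. All values
# below are constructed placeholders.

MASTER_KEY = bytes.fromhex("11" * 32)      # constructed; real key lives in the factory HSM
KEY_SALT = b"example-factory-salt"          # constructed
UNIT_LABEL = b"example-unit-key:"           # constructed domain-separation label


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()           # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                      # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def unit_key(serial: str) -> bytes:
    """Per-unit key: same master, different serial, unrelated key."""
    return hkdf_sha256(MASTER_KEY, KEY_SALT, UNIT_LABEL + serial.encode())


def tag_for_unit(serial: str, command: bytes) -> bytes:
    """Authentication tag a factory or service tool attaches to a command."""
    return hmac.new(unit_key(serial), command, hashlib.sha256).digest()


def unit_accepts(serial: str, command: bytes, tag: bytes) -> bool:
    """What the unit checks before acting; it holds only its own derived key."""
    return hmac.compare_digest(tag_for_unit(serial, command), tag)


def demo() -> tuple:
    """A tag minted for UNIT-0001 is accepted there and rejected by UNIT-0002."""
    cmd = b"install-update"
    tag = tag_for_unit("UNIT-0001", cmd)
    return unit_accepts("UNIT-0001", cmd, tag), unit_accepts("UNIT-0002", cmd, tag)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The domain-separation label in `info` matters as much as the serial: if the same master key is also used to derive, say, media DRM keys, a distinct label keeps those derivations from colliding with the unit-authentication keys.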
SYNC Security Challenges (continued)
- Protect the vehicle interface at all costs
  - …or to the same level as the physical interfaces for serviceability currently mandated by law
[Diagram: SYNC architecture. Labels recovered from the figure: CCPU (Freescale System on Chip, MS Auto based) with Applications Host, Graphic/Voice Interface, Gateway to External Interfaces, Bluetooth/WiFi, Media Hub; Display/Touch (8" LCD/Touch Screen); VMCU (Freescale Star 12 series, RTOS based) with CAN Gateway, Power Master, Diagnostics; Secure Inter Processor Communication between CCPU and VMCU; buses I-CAN, MS-CAN, HS-CAN; external connections USB Analog Audio/Video, USB Ports, SD Card Slot, RCA Jacks AV.]
Wi-Fi Provisioning
- First in the industry to dynamically download large volumes of data on the moving assembly line
- Configure SYNC with language and other unique configuration on the moving assembly line
- This completely automated process results in the conversion of labor-related expenses and allows for flexibility of future application upgrades
Mobile Application Integration
- Different application integration models
  - MirrorLink
  - AppLink
  - Signature/Gateway application
- Security implications
  - Each model has different going-in security assumptions
    - Apps are trusted or untrusted
    - Assumptions about spoofing applications
    - Apps are hosted, directly displayed, or interact via an API
  - Not just security: driver distraction is an even larger concern (but ties back to the first concern)
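The gateway model's going-in assumptions (apps are trusted or untrusted, an app may claim to be another, apps reach the vehicle only through an API) can be made concrete in a small dispatcher. The following is an added example, not AppLink, MirrorLink or any Ford code: the gateway first establishes which application is calling by verifying an HMAC-signed token issued by the app vetting service, so editing the app id in a token fails verification, and then allows only the calls that application's trust tier is permitted. No tier can write to the vehicle bus; even a trusted app reaches only vetted gateway functions. The signing key, tiers, app ids and API names are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Added example: token-verified, tier-limited application gateway. Key, tiers,
# app ids and API names are constructed, not from any real head unit.

GATEWAY_KEY = b"constructed-gateway-signing-key"   # held by gateway and vetting service

# Constructed allowlist per trust tier. Note that no tier exposes raw bus
# access; the vehicle bus is reached only through specific vetted APIs.
PERMISSIONS = {
    "untrusted": {"read_speed", "read_fuel_level"},
    "trusted": {"read_speed", "read_fuel_level", "set_hvac_temperature"},
}

# Constructed registry populated by the vetting process: app id -> tier.
APP_TIER = {"com.example.radio": "untrusted", "com.example.oem-companion": "trusted"}


def _mac(msg: bytes) -> bytes:
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(app_id: str, expires_at: int) -> bytes:
    """Token = app_id|expiry|mac, minted only by a holder of GATEWAY_KEY."""
    msg = f"{app_id}|{expires_at}".encode()
    return msg + b"|" + _mac(msg)


def verify_token(token: bytes, now: int) -> Optional[str]:
    """Return the app id if the token is authentic and unexpired, else None."""
    msg, sep, mac = token.rpartition(b"|")
    if not sep or not hmac.compare_digest(_mac(msg), mac):
        return None                        # forged, edited or truncated token
    app_id, _, expires = msg.decode().rpartition("|")
    if not expires.isdigit() or now >= int(expires):
        return None                        # expired or malformed expiry
    return app_id


def handle_request(token: bytes, api: str, now: int) -> str:
    """Gateway decision for one API call: identify the app, then check its tier."""
    app_id = verify_token(token, now)
    if app_id is None:
        return "denied: bad or expired token"
    tier = APP_TIER.get(app_id)
    if tier is None or api not in PERMISSIONS[tier]:
        return f"denied: {api} not permitted for {app_id}"
    return f"ok: {api} for {app_id}"


if __name__ == "__main__":
    tok = issue_token("com.example.radio", expires_at=2000)
    print(handle_request(tok, "read_speed", now=1000))
    print(handle_request(tok, "set_hvac_temperature", now=1000))
    forged = tok.replace(b"com.example.radio", b"com.example.oem-companion")
    print(handle_request(forged, "set_hvac_temperature", now=1000))
```

Two checks happen in a fixed order: authenticity and freshness of the token first, then the permission lookup. Doing it the other way round would let an unauthenticated caller learn which API names exist from the error text.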
Auto security in review
- UW papers
  - What could be controlled via CAN with physical access
  - How might remote access be achieved
- TPMS hacks
- Various demonstrations for keyless entry transponders
Where this technology is going…
- Car industry is where the PC industry was 15 years ago
  - But can benefit from their security learning
  - Fully Internet-addressable fleets of automobiles
  - Increased integration with mobile applications
- Continued democratization of technology
  - Global view, all vehicle levels (not just high-end)
- Vehicle environment is different than mobile
  - Eyes on the road, hands on the wheel
  - Safety around vehicle interfaces
Where the industry is going…
- Security of major interfaces is getting a lot more attention (and press)
- OEMs also have legal serviceability requirements that force a certain level of openness and commonality
- It makes sense for more collaboration between OEMs, suppliers, and academia
  - Anyone’s failure gives everyone a black eye
- Active work starting with a new SAE working group and other forums
Thank you