The Five Principles of System Engineering
2012 BSides Detroit Security
Presentation: Vehicle Hacking
Michael Westra, CISSP
June 2012
“If you think technology can solve your security problems, then you
don’t understand the problem and you don’t understand the
technology.” - Bruce Schneier
June 2011
Agenda
Unique challenges that automotive faces
Overview of CAN (Controller Area Network)
SYNC, a real world example of security thinking that went
into a product on the market
Security Posture
Sample features within a security framework
OEM perspective on where industry is going
Auto security industry in review
Technology trends
Page 2
Automotive Challenges
Automotive is very long lived
Development 2-5 years
Lifetime 3-5+ years
Often in service for 10+ years
Vehicles in design today will be on the road 20 years from now
Collection of discrete modules from many vendors
Includes a variety of hardware, from 8-bit microcontrollers to 32-bit ARM processors, connected together
Unique service requirements
Right to service laws mandate that non-OEM locations have access to tools and mechanisms to perform service and update modules
Disconnected service scenarios
CAN (Controller Area Network)
Mental Model
Based on broadcast virtual electrical signals, not a traditional network model
No authentication: every node is assumed trusted, and receivers do not check the source of a frame (the ID identifies the message, not the sender)
Heavily affects how development proceeds
Structure
11-bit ID on each broadcast frame
Up to 8 bytes of data per message
Multiple “slow” buses (500 kbps and below)
Applications layered on top of this, such as TP (streaming transport), Diagnostics, Programming
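To make the frame format and the "layered on top" point concrete, here is an added example written for this page (not code from the presentation or from Ford) in Python: an 11-bit classic CAN frame type with the candump/cansend text notation, plus sender-side segmentation and receiver-side reassembly for ISO-TP (ISO 15765-2), the transport protocol that carries diagnostics and programming across frames of at most 8 bytes. The UDS request, the conventional OBD-II IDs 0x7DF/0x7E8 and the VIN string are constructed sample data, and the receiver's flow-control frames are left out. Note that the frame type has no sender field to parse at all: the ID names the message, which is exactly why a forged frame cannot be told apart from a genuine one.

```python
"""CAN frames and the ISO-TP transport layer that is layered on them.

Added example written for this page; it is not code from the presentation
or from any OEM. Frames and the VIN string below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass

CAN_SFF_MASK = 0x7FF  # 11-bit standard (base) identifier
CAN_MAX_DLEN = 8      # classic CAN carries at most 8 data bytes per frame


@dataclass(frozen=True)
class CanFrame:
    """One classic CAN frame as seen on the bus.

    Note what is absent: there is no source-address field.  The ID names the
    message (and arbitrates bus priority); any node can put any ID on the
    wire, and receivers have no way to tell who sent it.
    """
    can_id: int
    data: bytes

    def __post_init__(self) -> None:
        if not 0 <= self.can_id <= CAN_SFF_MASK:
            raise ValueError(f"ID {self.can_id:#x} does not fit in 11 bits")
        if len(self.data) > CAN_MAX_DLEN:
            raise ValueError("classic CAN payload is at most 8 bytes")


def parse_candump(line: str) -> CanFrame:
    """Parse a frame in candump/cansend log notation: '[(ts)] [iface] ID#HEX'."""
    token = line.split()[-1]
    id_hex, data_hex = token.split("#", 1)
    return CanFrame(int(id_hex, 16), bytes.fromhex(data_hex))


def format_cansend(frame: CanFrame) -> str:
    return f"{frame.can_id:03X}#{frame.data.hex().upper()}"


# --- ISO-TP (ISO 15765-2) on classic CAN: sender side, flow control omitted ---
def isotp_segment(payload: bytes) -> list[bytes]:
    """Split a payload into ISO-TP frame payloads (single/first/consecutive)."""
    n = len(payload)
    if n <= 7:                       # single frame: PCI nibble 0, low nibble = length
        return [bytes([n]) + payload]
    if n > 0xFFF:
        raise ValueError("ISO-TP on classic CAN carries at most 4095 bytes")
    frames = [bytes([0x10 | (n >> 8), n & 0xFF]) + payload[:6]]  # first frame
    seq, pos = 1, 6
    while pos < n:                   # consecutive frames: 0x2 | 4-bit sequence number
        frames.append(bytes([0x20 | seq]) + payload[pos:pos + 7])
        pos += 7
        seq = (seq + 1) & 0x0F
    return frames


def isotp_reassemble(frames: list[bytes]) -> bytes:
    """Rebuild a payload; rejects out-of-order or truncated streams."""
    first = frames[0]
    pci = first[0] >> 4
    if pci == 0x0:
        return first[1:1 + (first[0] & 0x0F)]
    if pci != 0x1:
        raise ValueError("stream must start with a single or first frame")
    n = ((first[0] & 0x0F) << 8) | first[1]
    out = bytearray(first[2:8])
    expected = 1
    for f in frames[1:]:
        if f[0] >> 4 != 0x2 or (f[0] & 0x0F) != expected:
            raise ValueError("unexpected or out-of-order consecutive frame")
        out += f[1:8]
        expected = (expected + 1) & 0x0F
    if len(out) < n:
        raise ValueError("truncated ISO-TP stream")
    return bytes(out[:n])


def uds_vin_exchange() -> tuple[list[str], bytes]:
    """Constructed UDS ReadDataByIdentifier(VIN) exchange over ISO-TP.

    The request 0x22 F190 on the functional ID 0x7DF fits one frame; the
    20-byte response (0x62 F190 + a 17-character VIN) needs a first frame
    and two consecutive frames on the response ID 0x7E8.
    """
    request = CanFrame(0x7DF, isotp_segment(bytes.fromhex("22F190"))[0])
    vin = b"SAMPLE00000000000"                      # constructed, not a real VIN
    response = [CanFrame(0x7E8, f) for f in isotp_segment(b"\x62\xF1\x90" + vin)]
    on_wire = [format_cansend(request)] + [format_cansend(f) for f in response]
    recovered = isotp_reassemble([parse_candump(s).data for s in on_wire[1:]])
    return on_wire, recovered


if __name__ == "__main__":
    lines, payload = uds_vin_exchange()
    print("\n".join(lines))
    print("reassembled:", payload[3:].decode())
```

Feed `parse_candump` real `candump -L` output to see the same two layers on a live bus; anything that can write to the bus can produce frames that this code, like every ECU, accepts without question.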
SYNC Background
SYNC first generation:
Launched in fall of 2007
4 million units earlier this year
MyFord Touch, second generation of SYNC:
Launched in fall of 2010
No subscription required
Both products scheduled to be launched in all global markets within the next 18 months
Includes E911, Vehicle Health, and Traffic, Directions, and Information
Applink provides mobile phone application integration with the SYNC UI
Current SYNC Features/Security Challenges
External interfaces:
Bluetooth
Wi-Fi / USB Broadband / Network connectivity
Mobile Application Integration
Telematics
USB
Software Updates: Wireless Factory Provisioning, USB Updates
Together these form a large external attack surface.
Security challenges:
Application Validity
Software Integrity Assurance
DRM / Licensing
Protect the Vehicle Bus
Personally identifiable information (PII) considerations
Playback of protected Media Content
CAN Interaction
Phonebook Integration
General Security Lessons
Start by defining your product’s security posture.
Every device can be hacked with sufficient time, expertise, and motivation
Define what is worth protecting and to what level
An example from SYNC
A successful attack should require physical access to the internals of the module
A successful attack on one device should not be transferable to immediately hack all devices
A general perimeter security architecture, including hardware, should be used to protect the most sensitive components
External non-hardwired or user-accessible interfaces should be hardened as much as possible with multiple levels of protection
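One way to satisfy the second posture item (an attack on one unit must not carry over to every unit) is key diversification: the back end holds a master key and derives a distinct key for each module from its serial number, so a key dumped from one module authenticates only that module. The following is an added Python example written for this page, not SYNC's code; the master key, the serial numbers and the key-derivation label are made-up values, and the KDF is NIST SP 800-108 in counter mode with HMAC-SHA256.

```python
"""Per-unit key diversification: a key dumped from one module must not
authenticate any other module.

Added example written for this page, not code from the presentation or
from SYNC.  MASTER_KEY, the serial numbers and the KDF label are made-up
values; in practice the master key lives only in the back end's HSM.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)  # made-up 256-bit master key, never provisioned into any module


def kdf_counter_mode(key: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    """NIST SP 800-108 KDF in counter mode with HMAC-SHA256 as the PRF."""
    blocks = -(-length // hashlib.sha256().digest_size)   # ceiling division
    out = b""
    for i in range(1, blocks + 1):
        fixed = (struct.pack(">I", i) + label + b"\x00" + context
                 + struct.pack(">I", length * 8))
        out += hmac.new(key, fixed, hashlib.sha256).digest()
    return out[:length]


def derive_unit_key(master: bytes, serial: bytes) -> bytes:
    """Per-module key, derived at provisioning time and burned into that module only."""
    return kdf_counter_mode(master, b"unit-auth-key", serial)


def unit_tag(unit_key: bytes, serial: bytes, command: bytes) -> bytes:
    """Module side: authenticate a command; the serial is bound into the MAC input."""
    return hmac.new(unit_key, serial + b"|" + command, hashlib.sha256).digest()


def backend_verify(master: bytes, serial: bytes, command: bytes, tag: bytes) -> bool:
    """Back-end side: re-derive the claimed unit's key and check the tag in constant time."""
    expected = unit_tag(derive_unit_key(master, serial), serial, command)
    return hmac.compare_digest(expected, tag)


def demo() -> dict[str, bool]:
    """Unit A's key has been extracted; show what it does and does not unlock."""
    serial_a, serial_b = b"SN-A-000001", b"SN-B-000002"   # constructed serials
    key_a = derive_unit_key(MASTER_KEY, serial_a)          # the dumped key
    command = b"ENTER_PROGRAMMING_SESSION"
    return {
        # The legitimate unit A still authenticates.
        "unit_a_accepted": backend_verify(
            MASTER_KEY, serial_a, command, unit_tag(key_a, serial_a, command)),
        # Replaying key A while claiming to be unit B fails: the back end
        # derives key B for that serial and the tag does not match.
        "key_a_reused_for_b": backend_verify(
            MASTER_KEY, serial_b, command, unit_tag(key_a, serial_b, command)),
        # Changing the command under a valid key is caught as well.
        "tag_bound_to_command": backend_verify(
            MASTER_KEY, serial_a, b"ENTER_DEFAULT_SESSION",
            unit_tag(key_a, serial_a, command)),
        "unit_keys_differ": key_a != derive_unit_key(MASTER_KEY, serial_b),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

With a single shared key the first extracted key is a fleet key; with diversification the damage stops at one serial, which the back end can also revoke individually. The module only ever holds its own derived key, and the master stays in the back end.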
SYNC Security Challenges (continued)
Protect the Vehicle interface at all costs
…or to the same level as the physical interfaces for serviceability currently mandated by law
Block diagram of SYNC (labels recovered from the slide):
CCPU: Freescale System on Chip, MS Auto based; Applications Host; Graphic/Voice Interface; Gateway to External Interfaces (Bluetooth/WiFi)
Display/Touch: 8" LCD/Touch Screen
Media Hub: USB Analog Audio/Video, USB Ports, SD Card Slot, RCA AV Jacks
I-CAN: Secure Inter Processor Communication between CCPU and VMCU
VMCU: Freescale Star 12 Series, RTOS based; CAN Gateway; Power Master; Diagnostics; connects to MS-CAN and HS-CAN
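The split in the diagram (the CCPU fronting every external interface, the VMCU as the only path onto the CAN buses) is a perimeter: whatever runs on the CCPU side can reach the vehicle bus only through a gateway policy on the VMCU. The following added Python example, written for this page and not the VMCU's code, sketches such a policy with hypothetical IDs and limits: an allow-list of message IDs per bus, a per-ID rate limit, a malformed-frame check, and diagnostic/programming request IDs (the conventional OBD-II 0x7DF and 0x7E0-0x7E7) that are refused unless the gateway has been put into a service mode. Default is deny.

```python
"""Allow-list gateway between the infotainment processor and the vehicle CAN buses.

Added example for this page; it is not the VMCU's code.  The buses, message
IDs, rate limits and frames below are hypothetical sample values.
"""
from __future__ import annotations

from collections import deque

# Which 11-bit IDs the infotainment side may put on each bus, with the maximum
# number of frames per second allowed for that ID (hypothetical policy table).
OUTBOUND_ALLOW: dict[str, dict[int, int]] = {
    "HS-CAN": {0x3A1: 10, 0x3A2: 10},
    "MS-CAN": {0x4B0: 5},
}
# Conventional OBD-II functional request ID and physical ECU request IDs.
DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
CAN_MAX_DLEN = 8


class GatewayPolicy:
    """Decides, frame by frame, whether a CCPU-originated frame is forwarded."""

    def __init__(self, service_mode: bool = False) -> None:
        self.service_mode = service_mode      # set only by an authorised service tool
        self._sent: dict[tuple[str, int], deque[float]] = {}

    def _within_rate(self, bus: str, can_id: int, now: float, limit: int) -> bool:
        """Sliding one-second window of forwarded timestamps per (bus, ID)."""
        window = self._sent.setdefault((bus, can_id), deque())
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= limit:
            return False
        window.append(now)
        return True

    def decide(self, bus: str, can_id: int, data: bytes, now: float) -> tuple[bool, str]:
        """Return (forward?, reason).  Anything not explicitly allowed is dropped."""
        if not 0 <= can_id <= 0x7FF or len(data) > CAN_MAX_DLEN:
            return False, "malformed frame"
        if can_id in DIAG_REQUEST_IDS:
            if self.service_mode:
                return True, "diagnostic request allowed in service mode"
            return False, "diagnostic/programming ID blocked outside service mode"
        limit = OUTBOUND_ALLOW.get(bus, {}).get(can_id)
        if limit is None:
            return False, "ID not on the allow-list for this bus"
        if not self._within_rate(bus, can_id, now, limit):
            return False, "rate limit exceeded"
        return True, "allowed"


def run_demo() -> list[tuple[str, int, bool, str]]:
    """Push a constructed burst of frames through the policy and collect verdicts."""
    gw = GatewayPolicy(service_mode=False)
    traffic = [
        ("HS-CAN", 0x3A1, b"\x01", 0.00),              # normal status request
        ("MS-CAN", 0x3A1, b"\x01", 0.01),              # right ID, wrong bus
        ("HS-CAN", 0x7DF, b"\x02\x10\x02", 0.02),      # UDS DiagnosticSessionControl
        ("HS-CAN", 0x3A2, b"\x00" * 9, 0.03),          # 9 data bytes cannot exist
    ]
    traffic += [("HS-CAN", 0x3A1, b"\x01", 0.10 + i / 100) for i in range(12)]  # flood
    return [(bus, cid, *gw.decide(bus, cid, d, t)) for bus, cid, d, t in traffic]


if __name__ == "__main__":
    for bus, cid, ok, why in run_demo():
        print(f"{bus:6} {cid:03X} {'FORWARD' if ok else 'DROP   '} {why}")
```

The rate limit matters as much as the allow-list: a compromised CCPU that may legitimately send one status ID can still try to flood it, and the gateway should bound that before it reaches the bus. In a real gateway the service-mode flag would be tied to the physical diagnostic connector or an authenticated tool session, not to a software variable the CCPU can set.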
Wi-Fi Provisioning
First in the industry to dynamically download large volumes of data on the moving assembly line
Configure SYNC with language and other unique configuration on the moving assembly line
This completely automated process converts labor-related expenses and allows flexibility for future application upgrades
Mobile Application Integration
Different Application Integration Models
MirrorLink
Applink
Signature/Gateway Application
Security Implications
Each model has different going-in security assumptions
• Apps are trusted or untrusted
• Assumptions about spoofing applications
• Apps are hosted, directly displayed, interact via an API
Not just security: driver distraction is an even larger concern (but it ties back to the first concern)
Auto security in review
University of Washington (UW) papers
What could be controlled via CAN with physical access
How remote access might be achieved
TPMS hacks
Various demonstrations against keyless entry transponders
Where this technology is going…
Car industry is where the PC industry was 15 years ago
But it can benefit from the PC industry’s security learning
Fully Internet-addressable fleets of automobiles
Increased integration with mobile applications
Continued democratization of technology
Global view, all vehicle levels (not just high-end)
Vehicle environment is different than mobile
Eyes on the road, hands on the wheel
Safety around vehicle interfaces
Where the industry is going…
Security of major interfaces is getting a lot more attention (and press)
OEMs also have legal serviceability requirements that force a certain level of openness and commonality
It makes sense for more collaboration between OEMs, suppliers, and academia
Anyone’s failure gives everyone a black eye
Active work starting with a new SAE working group and other forums
Thank-you