Connected Car Security
1. CONNECTED CAR SECURITY
Threat landscape and Potential Mitigation Strategies
Suresh Mandava
Cyber Security Lead
for IoT/BigData Practice
August 4, 2015
@sureshmandava
2. Hackers Remotely Kill a Jeep on the Highway—With Me in It
July 21, 2015
We Drove a Car While It Was Being Hacked, May 29, 2014
http://motherboard.vice.com/read/we-drove-a-car-while-it-was-being-hacked
Almost a Year Before
3. Before Matrix there was Speed
The film tells the story of the LAPD cop who tries to
rescue civilians on a city bus rigged with a bomb
programmed to explode if the bus slows down or if
civilians try to escape.
Trapped aboard the ship, Annie and Alex
work with the ship's first officer to try to
stop the ship, which they discover is
programmed to crash into an oil tanker.
1994
1997
6. SPY Car Act
(July 21, 2015)
SPY Car Act, the legislation introduced by Markey and Blumenthal
The Security and Privacy in Your Car Act (the SPY Car Act) specifies that the
NHTSA and FTC together issue
• Notices of Proposed Rulemaking within 18 months, and final regulations
within three years of the act’s enactment.
• The SPY Car Act will apply to vehicles made two years after final
cybersecurity and privacy regulations are issued.
7. SPY Car Act: Cybersecurity Standards
• Vehicle System Security. All entry points to a vehicle’s electronic systems must be equipped with
reasonable measures to protect against cyberattacks, including isolation measures to separate critical and
non-critical software systems;
• Vulnerability Testing and Remediation. Such reasonable security measures shall be evaluated for
vulnerabilities following best security practices, including appropriate applications of techniques such as
penetration testing, and must be adjusted and updated based on the results of such evaluation;
• Data Security. All driving data collected by a vehicle’s electronic systems must be reasonably secured
from unauthorized access while data is stored onboard the vehicle, in transit from the vehicle to another
location, and in any offboard storage or use; and
• Real-Time Attack Mitigation. All entry points to a vehicle’s electronic systems must be equipped with
capabilities to immediately detect, report, and stop unauthorized attempts to intercept driving data or control
the vehicle.
Violation of such cybersecurity standards would result in liability to the federal government for civil penalties of
no more than US$5,000 per violation.
8. SPY Car Act: Privacy Standards
• Transparency. Foreclosing other notice mechanisms as legally viable, the act would require that
each vehicle provide clear and conspicuous notice, in clear and plain language, to owners or
lessees of a vehicle of the collection, transmission, retention, and use of any driving data collected;
• Consumer Control. Owners or lessees must be given the option to terminate the collection and
retention of driving data without losing access to navigation tools or other features or capabilities, to
the extent technically possible (with the exception of driving data stored as part of the electronic
data recorder system or other safety systems required for post-incident investigations, emissions
history checks, crash avoidance or mitigation, or other regulatory compliance);
• Limitations on Driving Data Use. Manufacturers may not use any driving data collected by a
vehicle for advertising or marketing purposes without the affirmative and express consent of the
owner or lessee, which must be obtained using a clear and conspicuous consent request in clear
and plain language that does not make use of the driving data a condition for the consumer’s use of
any nonmarketing feature, capability, or functionality of the vehicle.
9. With 'recall,' Fiat Chrysler makes its car hack worse
The decision of Fiat Chrysler to mail out USB sticks to customers directly to patch the
recent vulnerability is the security equivalent of waving a red rag to a bull
"It's like if after surgery the doctor forgets a pair of scissors in your stomach, and when you find out, he just sends you a
scalpel to fix it yourself."
July 27, 2015
Why Chrysler's car hack 'fix' is staggeringly stupid
http://www.zdnet.com/article/chryslers-response-to-car-hack-was-slow-and-incredibly-stupid/
10. Recall Costs.
GM's total recall cost: $4.1 billion
U.S. Department of Transportation's National Highway Traffic Safety Administration
(NHTSA) sets the national safety standards and can influence -- or in some cases order
-- an auto manufacturer to repair safety-related defects at no cost to the consumer. Even
if the fix is something as minor as a missing washer or a faulty electrical connection, the
manufacturer stands to lose millions of dollars in the process
In their interviews with manufacturers, some identified difficulties in notifying vehicle owners about
safety defects. For example, there was mention that not all vehicle owners keep their address
information up to date with state motor vehicle registration offices. In addition, the older the vehicle,
the more changes of ownership and mailing addresses occur, making it more difficult to identify the
current address of the current owner.
Toyota's Out-of-Control Gas Pedals, cost of the blunder $5 billion
11. Will Autonomous Cars Be the Insurance Industry’s Napster Moment?
Autonomous vehicles will make commuting a lot safer.
Consumers have to pay out a lot less money with the lower number of claims,
but premiums will necessarily drop as well and the overall amount of money
within the car insurance system will dwindle.
One opportunity for the industry could be selling more coverage to carmakers
and other companies developing the automated features for cars.
When the technology fails, manufacturers could get stuck with big liabilities
that they will want to cover by buying more insurance.
There's also a potential for cars to get hacked as they become more
networked.
12. 1996+ : Year the Matrix Started.
Modern automobiles are laced with a number of microcontrollers
and sensors that monitor and control everything from the throttle
position to the ambient air temperature.
These devices typically communicate over a wired in-vehicle
network like a CAN bus.
CAN bus is one of five protocols used in the on-board diagnostics
(OBD)-II vehicle diagnostics standard.
The OBD-II standard has been mandatory for all cars and light trucks sold in the United States since 1996
13. Network technology existed in E/E architecture
Mix of low data rate control or high-cost/proprietary solutions
• Low data rate control
Technology | Data Rate | IP Ownership | Media | Topology | Usage
LIN | 40 kbps | LIN Consortium | Single wire | P2P | Body electronics
CAN | 1 Mbps | ISO-11898, Bosch | UTP | Shared | Power train (Engine, transmission, ABS)
CAN-FD | 2.5 Mbps | Bosch | UTP | Shared | Power train (Engine, transmission, ABS)
FlexRay | 10 Mbps | ISO-17458, FlexRay Consortium | UTP | Shared | High-perf power train (Safety, drive-by-wire, active suspension, ACC)
• High cost/proprietary
Technology | Data Rate | IP Ownership | Media | Topology | Usage
MOST | 150 Mbps | SMSC | POF | Ring | Infotainment
FPDLink LVDS | 655 Mbps – 3 Gbps | TI/National | Shielded coax | P2P | Camera/display
18. CAN Topology
Two twisted differential wires, CAN high and CAN low, with two termination resistors of 120
ohm each. The bus has a maximum signaling rate of 1 Mbps with a bus length of 40 m with
a maximum of 30 nodes.
http://www.cowfishstudios.com/blog/canned-pi-part1
19. CAN specifies only the two basic layers: Data Link and Physical layer.
Only 2 Layers
28. FlexRay Architecture
FlexRay Host Controller
• Executes the main application
• Decides what needs to be sent to the Communication Controller
FlexRay Communications Controller
• Realizes all functions of the FlexRay protocol
• Channel between Bus Driver and Host Controller
FlexRay Bus Guardian
• Prevents the node from sending and receiving outside its time slots
• Recognizes synchronization and communication errors
• Monitors changes in the supply which could cause defects on the bus
• Important for the fault tolerance of FlexRay
FlexRay Bus Driver
• Sends/receives data from the bus
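The bus guardian's slot enforcement described above, as an added example that is not part of the original deck: a simplified model of one node's guardian that only opens the bus driver during the node's own static slots and records every out-of-slot request as a synchronization/communication error. The schedule, slot length and the fail-silent threshold after repeated violations are constructed assumptions for the example, not values from the FlexRay specification.

```python
# Constructed static-segment schedule for one FlexRay cycle: slot -> node that owns it.
# Slot count and timings are invented for this example; a real schedule comes from the
# network configuration, not from the protocol itself.
SCHEDULE = {1: "ECU_A", 2: "ECU_B", 3: "ECU_C", 4: "ECU_A"}
SLOT_LEN_US = 1250                  # assumed slot length in microseconds
CYCLE_LEN_US = SLOT_LEN_US * len(SCHEDULE)
MAX_VIOLATIONS = 2                  # assumed threshold before the node is forced silent


def slot_at(time_us):
    """Static slot (1-based) that is active at a given time within the cycle."""
    return (time_us % CYCLE_LEN_US) // SLOT_LEN_US + 1


class BusGuardian:
    """Simplified model of a node's bus guardian: it enables the bus driver only during
    the node's own slots, records out-of-slot attempts as errors and, after
    MAX_VIOLATIONS, keeps the node off the bus (fail-silent) so a faulty or compromised
    host cannot disturb other nodes' slots."""

    def __init__(self, node, schedule=SCHEDULE):
        self.node = node
        self.own_slots = {s for s, owner in schedule.items() if owner == node}
        self.errors = []          # (time_us, slot) of each out-of-slot request
        self.disabled = False

    def request_transmit(self, time_us):
        """Called by the communication controller; True means the frame reaches the bus."""
        if self.disabled:
            return False
        slot = slot_at(time_us)
        if slot in self.own_slots:
            return True
        self.errors.append((time_us, slot))      # synchronization/communication error
        if len(self.errors) >= MAX_VIOLATIONS:
            self.disabled = True
        return False


def run_scenario(node, attempt_times_us):
    """Drive one guardian with a list of transmit requests (microseconds); returns the
    per-attempt decisions, the recorded errors and whether the node ended up disabled."""
    guardian = BusGuardian(node)
    decisions = [guardian.request_transmit(t) for t in attempt_times_us]
    return decisions, guardian.errors, guardian.disabled
```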
29. Automotive Open System Architecture
• A global partnership of carmakers, car component, electronics,
semiconductor and software industries founded in 2003.
Ø Defines methodology that supports distributed, function driven development process
Ø Standardizes the Software Architecture for ECUs
• 9 Core Partners
• BMW, Bosch, Continental, Daimler, Ford, General Motors, Peugeot, Toyota, and Volkswagen
• About 50 Premium Members
Ø OEMs: e.g. Fiat, Honda, Hyundai, Mazda, Porsche, Renault, TATA
Ø Tier1s: e.g. Delphi, DENSO, Magneti Marelli, Valeo
Ø Tool providers: e.g. dSPACE, Elektrobit, ETAS, TTTech, Vector
Ø Chip manufacturers: e.g. Freescale, Infineon, Renesas
• About 90 Associated Members
• About 20 Development Members
• Current Status
• Recent Version (Release 4.2 – Oct 2014) consists of 100+ Specifications and 80 related
documents
39. OBD2 Reader Car Diagnostic Tool
Price: $17.95 & FREE Shipping
http://www.amazon.com/Reader-Diagnostic-Check-Engine-Light/dp/B004IV58AY
Price: $99.95
Torque is an OBD2 performance and diagnostic
tool for any device that runs the Android
operating system. It will allow you to access the
many sensors within your vehicle's Engine
Management System, as well as allow you to
view and clear trouble codes.
44. The general purpose Controller Area Network swiss army knife / development platform.
Canb.US Triple (3 CAN Controllers)
Read and Dispatch CAN packets Bluetooth 4.0 LE Programmable and Open
79.00 USD
46. “In the midst of chaos, there is also opportunity”
― Sun Tzu, A Arte da Guerra
“The art of war is of vital importance to the State. It is a matter of life and
death, a road either to safety or to ruin. Hence it is a subject of inquiry
which can on no account be neglected.”
― Sun Tzu, The Art of War
47. Ethernet Becoming a Standard
Ethernet is now being considered as a replacement for legacy bus protocols such as MOST and
FlexRay by car OEMs including BMW and Hyundai.
"Ethernet could be the catalyst for
bringing the automotive industry a step
closer to connected vehicles,” says Frost
& Sullivan Senior Research Analyst,
Divya Krishnamurthy.
Broadcom has helped set up the OPEN
Alliance special interest group (SIG) to
promote BroadR-Reach as a de facto
automotive Ethernet standard.
CAN network doesn’t have enough capacity to carry the encryption overhead necessary to carry and protect messages
effectively. From both angles, performance and security, we see a role for Ethernet in the eco networks
49. 78% of car owners will demand connected features in their next vehicle
50. Diversity and complexity of ADAS applications
Demands high-performance and flexible compute platform
Vision: Rear View Camera, Vision Enhancement, Auto dimming headlights, Blind Spot Detection, 360 View, Parking Assist, Sign Recognition, Traffic Signal Detection, Lane Detection, Rain/Fog Detection, Pedestrian Detection, Pedestrian Avoidance, Eye Focus Detection, Driver Monitoring, Vehicle Detection
Audio/Sound: Rear Object Detection, Parking Assist/Auto Park, Voice Recognition, Cabin Noise Reduction, Emergency Recognition
Radar: Front Collision Avoidance Braking, Adaptive Cruise Control, 360 degree Hazard Awareness, Rear Collision Detection
52. V2V : US to push for mandatory car-to-car wireless communications
The government believes vehicle-to-vehicle data links will help improve
driver safety, and will push for legislation requiring it in "a future year."
53. NHTSA to require backup cameras on all vehicles
Start phasing in on May 1, 2016 models and be at 100% by May 1, 2018.
54. Over-the-air software coming soon to your next car
Tesla's OTA upgrade bumped up the all-electric
Model S's 0-60mph speed by about one-tenth (0.1)
of a second. Tesla CEO Elon Musk tweeted about
the upgrade, saying it was an update to the
inverter algorithm. An inverter changes direct
current electricity to alternating current.
We have a software and firmware team that packages
updates. The packages are matched to a VIN [vehicle
identification number] to ensure the car has the
required hardware to receive all relevant updates
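The VIN-matched OTA package check described above, together with the "Secure Patch Management via OTA" countermeasure later in the deck, as an added example that is not part of the original deck or of any vendor's update system: an ECU-side verifier that accepts a package only if its manifest is authentic, issued for this VIN and hardware revision, newer than the installed version, and matches the payload hash. The manifest layout, VIN, revisions and key are constructed; HMAC stands in for the asymmetric signature a real backend would use, so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the manufacturer's signing key.  A production system would
# use an asymmetric signature (private key at the backend, public key in the ECU);
# HMAC is used here only so the example runs with the standard library.
SIGNING_KEY = b"example-key-not-for-production"


def sign_manifest(manifest):
    """Tag over a canonical JSON encoding so key order cannot change the result."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).digest()


def verify_package(manifest, tag, payload, vehicle):
    """Return (accepted, reason).  `vehicle` is the ECU's own identity: VIN,
    hardware revision and currently installed version."""
    # 1. authenticity of the manifest first; nothing below is trusted before this passes
    if not hmac.compare_digest(sign_manifest(manifest), tag):
        return False, "manifest signature invalid"
    # 2. package matched to this VIN and to hardware that can run it
    if manifest["vin"] != vehicle["vin"]:
        return False, "package not issued for this VIN"
    if vehicle["hw_rev"] not in manifest["hw_revs"]:
        return False, "hardware revision not supported"
    # 3. anti-rollback: an older signed image must not be re-installable
    if manifest["version"] <= vehicle["version"]:
        return False, "version not newer than installed"
    # 4. payload integrity against the hash carried in the signed manifest
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return False, "payload hash mismatch"
    return True, "ok"


# Constructed sample data; the VIN and hardware revisions are placeholders.
PAYLOAD = b"firmware image bytes (constructed)"
MANIFEST = {"vin": "EXAMPLEVIN0000001", "hw_revs": ["B2", "B3"], "version": 7,
            "sha256": hashlib.sha256(PAYLOAD).hexdigest()}
TAG = sign_manifest(MANIFEST)
VEHICLE = {"vin": "EXAMPLEVIN0000001", "hw_rev": "B2", "version": 6}
```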
57. ECU Module Consolidation
Adding a new ECU for new features is no longer sustainable.
Dedicated processors, memories and other electronic components for new features
increases cost and architecture complexity, says Thomas Wendt, Senior Partner in
Roland Berger’s North American Automotive Practice.
The solution he suggests is module consolidation. This approach would leverage modern
technologies to add speed and flexibility to vehicle electronic architectures, while saving
cost. The consultancy estimates the saving at an average of $175 per vehicle for cockpit electronics.
Automotive electronics complexity at tipping point, study warns
http://www.automotive-eetimes.com/en/automotive-electronics-complexity-at-tipping-point-study-warns.html?cmp_id=7&news_id=222904403&vID=35&page=0
58. Ethernet streamlines automotive E/E architecture
From low BW, proprietary, control-centric to high BW, standard-based data network
[Diagram: Current vs. Future E/E architecture]
Current: a central Gateway (with DLC) links the Powertrain, Chassis & Safety, Body Electronics and Infotainment domains over CAN, LIN, CAN-FD/FlexRay, MOST and 1TPCE.
Future: each domain (Powertrain, Chassis & Safety, Body Electronics, Infotainment, ADAS) gets its own DCU; CAN-FD/FlexRay, CAN and LIN remain below the DCUs, while the DCUs and the Gateway (with DLC) are connected over 1TPCE/RTPGE Ethernet links.
Standardization
• Time synchronization
• QoS
• Redundancy
• VLAN isolation
• Power efficiency
• PHY
Bandwidth scalability
• 100Mbps – 1Gbps
• Scales up to 400Gbps
Large eco-system
• Wide deployment
• Long-lasting part supply
Low cost
• Design to drive UTP
• Volume drives down ASP
59. Zero Latency Encryption with FPGAs
Secure FlexRay Communication Controller.
With a custom network interface, as in the case of an FPGA-based ECU, we can
integrate such data security transparently at the network layer, without affecting
the real-time guarantees of the time-triggered protocol
https://scholar.google.com/scholar?biw=1248&bih=714&um=1&ie=UTF-8&lr&q=related:x4ohntcdPq8OpM:scholar.google.com/
68. Security Processes: Risks on Connected Cars
[Diagram: attack surfaces of the connected car and the risks attached to them]
Attack surfaces: Service Backend, Dealer, 3rd Parties, Mobile Connect, OBD, Bluetooth, Bus, ECUs, Infotainment, Key
Risks:
• Unauthorized remote turn off of car safety
• Car Safety Exploits
• Malware
• Unauthorized usage of apps
• Unauthorized telediagnostic/telecoding
69. Security Processes: Countermeasures protecting Connected Cars
[Diagram: the attack surfaces (Service Backend, Dealer, 3rd Parties, WLAN, OBD, Bluetooth, GSM, Bus, ECUs, Infotainment, Key, Car Safety) mapped to countermeasures]
Countermeasures:
• Cryptography
• Secure Communication
• Secure Onboard Communication
• ECU Hardening
• Security integration in development stages, enrollment and service processes
• Security concept / security policy management and security lifecycle
• AV & Secure Proxy
• Advanced Backend Security
• SW activation with cryptography
• Telemonitoring
• Secure apps & services with cryptography
• Security policy inspection
• Pentesting lifecycle
• Message Filter / IPS
• Secure patch management via OTA
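The "Message Filter / IPS" countermeasure for the bus, as an added example that is not part of the original deck: an allowlist and rate filter over CAN frames read from candump-style log lines. Because CAN specifies only the physical and data link layers (slide 19), a frame carries no sender authentication, so this kind of filter works from a policy of which arbitration IDs belong on the segment, how long their payloads are and how often they are expected. The IDs, periods, policy and log lines are constructed for the example.

```python
import re

# Constructed sample traffic in candump-style "(timestamp) iface ID#DATA" lines.
# IDs, payloads and timings are invented for this example, not taken from any vehicle.
SAMPLE_LOG = """\
(100.000) can0 0C0#0A00
(100.020) can0 0C0#0A00
(100.020) can0 7DF#0201010000000000
(100.021) can0 0C0#0A00
(100.022) can0 0C0#0A00
(100.023) can0 0C0#0A00
(100.030) can0 0C0#0A00
(100.030) can0 3E8#FF
"""
FRAME_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

# Assumed policy for this segment: allowed arbitration IDs, nominal period (seconds,
# None for event-driven IDs) and maximum data length.  0x7DF is the OBD-II functional
# request ID and is allowed because the diagnostic connector shares this bus.
POLICY = {
    0x0C0: {"period": 0.010, "dlc": 2},
    0x7DF: {"period": None, "dlc": 8},
}


def parse_frame(line):
    """Return (timestamp, arbitration id, payload bytes), or None for an unparsable line."""
    m = FRAME_RE.match(line)
    if m is None:
        return None
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


def inspect(lines, policy=POLICY, tolerance=0.5):
    """Return (timestamp, id, reason) alerts.  Unknown IDs and oversized payloads are
    flagged outright; a periodic ID arriving sooner than tolerance*period after its
    previous frame is flagged, since frames competing with a legitimate ECU's periodic
    message show up as exactly that kind of burst."""
    alerts, last_seen = [], {}
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue
        ts, can_id, data = frame
        rule = policy.get(can_id)
        if rule is None:
            alerts.append((ts, can_id, "id not in allowlist"))
            continue
        if len(data) > rule["dlc"]:
            alerts.append((ts, can_id, "unexpected data length"))
        if rule["period"] and can_id in last_seen and ts - last_seen[can_id] < tolerance * rule["period"]:
            alerts.append((ts, can_id, "faster than nominal period"))
        last_seen[can_id] = ts
    return alerts
```

On a real gateway the same policy would be applied per segment, and the "stop" half of the slide's Real-Time Attack Mitigation requirement means dropping the flagged frame at the gateway rather than only alerting.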