Connected Cars - Poster Child for the IoT Reality Check

Connected Cars - Poster Child
for the IoT Reality Check
Brian Witten, Symantec
Ed Adams, Security Innovation
Conference: April 6-7, 2016
Exhibit Hall: April 6-8, 2016
Sands Expo, Las Vegas, NV

Building Comprehensive Security Into Cars
March, 2016
Brian Witten

Current Reality
Underestimated Adversary
Concept Proven

Threats
A Quick Refresher
Copyright © 2014 Symantec Corporation
RTOS
GSM
TCU
RTOS
I V I
TCU: Telecommunications Unit
IVI: In Vehicle Infotainment
RTOS: Real Time OS
ECU: Engine Control Unit
BCM: Body Control Module
xxM: Other Modules
CAN: Controller Area Network
CAN1/2: Hi, Med, Lo Speed CAN
GWC: “gateway chip”
OBD2: On Board Diagnostics port
UBI: Usage Based Insurance
GSM: Global System for Mobile
Comm’s, aka “a modem”
(Architecture Simplified for Presentation)
GWC
BCMECU
xxMxxM
BCM
OBD2
UBI
GSM
CAN1
CAN2
Cellular (IP & GSM)
Cellular (IP & GSM)
Physical Tampering
Other Wireless ( BT & Wifi )
Other Wireless
Vulnerabilities Announced This Summer
Supply Chain
Unauthenticated Commands
Unauthenticated Connections
No IP Port/Protocol Restrictions
Inadequate
Code Signing
Potential Memory
Corruption Vulnerabilities
Vulnerable
Browsers/Apps
Vulnerable
Modems
Unauthenticated
Bus

Cornerstones of Security
Automotive Vehicles
RTOS
GSM
TCU
RTOS
I V I
(Architecture Simplified for Presentation)
GWC
BCMECU
xxMxxM
BCM
OBD2
UBI
GSM
CAN1
CAN2
RTOS: Real Time OS
xxM: Other Modules
Comm’s, aka “a modem”
Authenticate Manage
Protect Security Analytics
RTOS: Real Time OS
xxM: Other Modules
Comm’s, aka "a modem”
CAMP: Crash Avoidance Metrics
Program
VSC3: Vehicle Safety Comm’s
HIS: Hersteller Initiative Software
SHE: Secure Hardware Extensions
EVITA: E-safety Vehicle Intrusion
Protected Applications
HSM: Hardware Security Module
OMA DM: Open Mobile Alliance
(OMA) Device Management (DM)
SCOMO: Software Component
Management Object
MLA: Multi Letter Acronym
CAMP VSC3, HIS SHE, EVITA HSM OMA DM, SCOMO
Embedded (in-vehicle), GlobalCode-Signing (Boot Time)
Host-Based (Run Time)
Compiler Based (No-OS)
Business Constraints:
-- Consumers won’t pay for security they “assume”
-- OEM & Tier 1 Suppliers: extremely thin margins
-- Security $ must be < “few %” of any car/module
For a copy of the slides, email bwitten@symantec.com

Can extremely constrained devices
do meaningful security?
7
$0.25
Early 80’s grade chip
8 bit
8 MHz
2 k SRAM
25 seconds AA Battery: 20+ years
Leading 10 year old chips
16 bit, 16 MHz
30 k SRAM
3 seconds AA Battery: 20+ years
Current 32 bit chips
32 bit, 84 MHz
30+ k SRAM
150 ms AA: 20 years$0.50
Benchmark: ECC/ECDSA256

Protect The
Communications
8
Certificates:
Over a Billion IoT devices chain to a
world class Certificate Authority (CA)
Roots of Trust:
IoT “Roots of Trust” can help
identify foreign devices
Devices
& Sensors
Hardware
Operating
Systems
Embedded
Software
Required: Authentication
Helpful: Encryption
Note: Signing “objects” can
avoid decrypt/re-encrypt burden
Crypto Libraries:
Several good open-source
and commercial options
What’s needed?

Automotive Authentication Schemes
9
In-Vehicle & Vehicle to “X” (V2X)Vehicle to Vehicle (V2V)
CAMP: Crash Avoidance Metrics Program
VSC3: Vehicle Safety Communications
SLC: Short Lived Certificates
CRL: Certificate Revocation List
ECC: Elliptic Curve Cryptography
CAMP VSC3
SLC with CRL;
For additional privacy, rotation among a
pool of SLC all within validity period
ECC 256
HIS SHE: Hersteller Initiative Software, Secure Hardware Extensions
EVITA: E-safety Vehicle Intrusion Protected Applications
HSM: Hardware Security Module
AUTOSAR: Automotive Open System Architecture
CAL: Crypto Abstraction Library
CSM: Crypto Service Manager
HIS SHE
EVITA (HSM)
AUTOSAR (CAL & CSM)
HIS SHE, EVITA HSM “Light” & “Medium”
(symmetric)
EVITA HSM “Full”
(symmetric + asymmetric)
AES 128 (all of above)
RSA 2048, 4096
(AUTOSAR + EVITA “Full”)
Standards
Approach
Underlying
Crypto

10
F.NetworkMonitor
G.Settings
A. Device Drivers
B. Network Stack
C. Operating System
E.OpenSSL
D.PrimaryApp
Persistent Storage
(if present)
A. Device Drivers
B. Network Stack
E. OpenSSL
F. Network Monitor
D. Primary App
Always sign settings & data if persisted locally!
G.Settings
Platform & binaries can be signed
monolithically or individually.
F.NetworkMonitor
A. Device Drivers
B. Network Stack
C. Operating System
E.OpenSSL
D.PrimaryApp
Code Signing & Secure Boot
Protect the Code that Drives The Car
Chipmaker Proprietary Boot Loader
Chipmaker POST
OEM Controlled Pre-Boot Environment
OS image
Supplier 3Supplier 2Supplier 1
Data Objects & Software Updates
Leading Certificate Authorities operate fortified, cloud-based,
code-signing infrastructure to help OEM manage & protect code
signing keys for hundreds or thousands of suppliers.

Protect Devices: Update-less In-
device Security
Manufacturer-embedded security
Network
Protection
(Host IPS)
Exploit
Prevention
(Host IPS)
System
Controls
(Host IPS)
Auditing &
Alerting
(Host IDS)
• Restrict apps & O/S
behaviors
• Protect systems from
buffer overflow
• Intrusion prevention for
zero-day attacks
• Application control
• Monitor logs and security
events
• Consolidate & forward
logs for archives and
reporting
• Smart event response for
quick action
• Close back doors
(block ports)
• Limit network connectivity
by application
• Restrict traffic flow
inbound and outbound
• Lock down settings &
configuration
• Enforce security policy
• De-escalate user privileges
• Prevent removable media
use
1Copyright © 2015 Symantec Corporation
Symantec
Embedded
Security
Critical System
Protection

12For a copy of the slides, email bwitten@symantec.com
Updates must be OTA “near no effort.”
OTA update capability must be
“built-in,” from the beginning.
3 days :Average Time Between Vulnerability Discovery (Linux)
… Cars on the road today are
11 years old, on average
Over The Air (OTA) Vehicle Updates
Managing Vehicle Software & Configuration
Manual Patching 1,300 times? Ridiculous.
Good Management: Not Just Updates
Telemetry & Normal Control
Software Inventory, Updates
Configuration Changes
New Functionality & Patches
Security Telemetry, Content
Diagnostics & Remediation
Access Control Lists
Policy Updates…Monolithic Updates Kill Bandwidth
Updates Must Be Granular
1 x =
20 x =

Automotive Security Analytics
No matter how well you do everything else,
some threats will still get past even the best defenses.
Detecting such threats requires
strong understanding of “normal” system behavior.
Machine Learning (ML) analytics can distill models of “normal” CAN bus,
small enough to run in a UBI dongle or IVI Single Board Computers (SBC).
Processing trillions of events, we’ve used these techniques in other verticals
to catch some of the most sophisticated threats every caught.
1For a copy of the slides, email bwitten@symantec.com

Cornerstones of Security
Automotive Vehicles
Authenticate Manage
Protect Security Analytics
CAMP VSC3, HIS SHE, EVITA HSM OMA DM, SCOMO
Embedded (in-vehicle), GlobalCode-Signing (Boot Time)
Host-Based (Run Time)
Compiler Based (No-OS)

Building Comprehensive Security Into Cars
Brian Witten
bwitten@symantec.com
www.symantec.com/iot
Thank You!
^Internet of Things (IoT)

Connected Cars:
What Could Possibly Go Wrong?
Ed Adams
CEO, Security Innovation
Research Fellow, The Ponemon Institute
March 23, 2016
IT Security Leaders Dallas

Cars are part of the Internet of Things (IoT)
• The network of physical objects or "things" embedded with
electronics, software, sensors, and network connectivity,
collecting and exchanging data
• Anything with an on/off switch and connection to the Internet
(or each other)
• Cell phones, coffee makers, washing machines, headphones,
lamps, wearable devices and almost anything else you can think of.

What enables IoT?
Software runs the world (even hardware)

F22 RaptorS-Class Mercedes
1.7 Million
Lines of Code
6.5M Million
Lines of Code
100 Million
Lines of Code
IoT Reality Check: Software Runs the World
787 Dreamliner
and
100 ECUs
5 Networks
2 miles of cable
10+ Operating Systems
50% of total cost

• 35,000 US road deaths, and 3,800,000 injuries
• Fatalities and injuries = $300B/year
• Congestion = $230B/year
• Leading cause of death, people aged 15-34 in US
Let’s Talk About Traffic Safety
Technology Evolution
Passive Active Proactive

The Talking Cars Program (aka V2V or
V2X)

Connected Cars:
Putting our Theory to Test
• Basic Safety Message:
• All equipped vehicles broadcast 10 times/second
• On board logic detects hazards and alerts driver
• Here I am; Here’s my speed & direction; Brake status; (plus…??)
• Communications are V2X
• Vehicle-to-vehicle
• Vehicle-to-infrastructure
• Vehicle-to-RSE (road-side equipment)
• Vehicle-to-AMD (after-market device)
• VRUs (vulnerable road users)

• V2V is a Dept. Of Transportation mandate
• Driver awareness & notification of invisible dangers
• US DOT Mandate, EU OEM-driven
• V2V will prevent 76 percent of crashes (US DOT)
• “The most important safety improvement in automobiles
since the seatbelt”
– Transportation Secretary Anthony Foxx
• World’s largest Certificate Management System
V2V
V2I
Connected Cars:
Secure Vehicle to Vehicle/Infrastructure Communications (V2X)
Leveraging Technology to Save Lives

V2V: the worries
• Security
• Will hackers be able to take
control of my car?
• Will terrorists be able to cause
mass havoc
• Privacy
• Will the government be able to
track my every move?
• Will I be issued automatic
speeding tickets everywhere?
• Messages must be secure
– Authentication, Integrity, Availability, Timeliness
• The system must provide anonymity
– Individual messages don’t give away identity
– Messages can’t be determined (by their contents
alone) to have come from the same origin
– No anonymity requirement for public safety
vehicles
• Must be able to remove bad actors

V2X Progress
• Standards have been defined
• Technology has been successfully
field tested
• Security and Privacy proven resilient
• Projects are underway to build
infrastructure
• Ann Arbor, San Francisco, NYC
• Europe running parallel pilots
• Equipment in Europe and US are
hardware compatible

Government interest
“Drivers shouldn’t have to choose between
being connected and being protected,”

Cybersecurity Standards
Hacking protection
Data security
Hacking mitigation
Privacy standards
Transparency
Consumer choice
Marketing prohibition
Cyber dashboard
A window sticker showing how well the car
protects the security and privacy of the owner.
Government Takes Action
The Security and Privacy in Your Car (SPY) Act

Remaining challenges
• PKI governance and certification
• Privacy as certificates deplete
• Secure implementations / Cybersecurity
• Multi-application operations
• Cross-border issues and harmonization of trust

Reasons for optimism
• It is very hard to hack cars en masse
 And there are other juicier targets out there
• Useful parallels to traditional IT
• Car makers are being pro-active
• Standards under development
• The V2V program will save lives!

Connected Cars:
What Could Possibly Go Wrong?
Questions?
For a copy of the slides, email:
Ed Adams
eadams@securityinnovation.com

Connected Cars - Poster Child for the IoT Reality Check

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Connected Cars - Poster Child for the IoT Reality Check

Similar to Connected Cars - Poster Child for the IoT Reality Check (20)

More from Security Innovation

More from Security Innovation (20)

Recently uploaded

Recently uploaded (20)

Connected Cars - Poster Child for the IoT Reality Check