SlideShare una empresa de Scribd logo

Automotive OTA Security For The Connected Vehicle (ASRG Secure Our Streets 2022)

B
Benny Meisels

Over-The-Air (OTA) updates for vehicles are becoming the standard in 2022. Infotainment OTA updates have been available for over a decade; but now, multiple OEMs offer OTA updates for additional ECUs in the vehicle. This change introduces challenges in the form of new attack surfaces, and opportunities for improving automotive security, such as enabling the ability to fix security issues remotely. This session briefly introduces how Automotive OTA works. We examine some aspects of the design and implementation of an end-to-end secure Automotive Software Update solution. Based off actual findings in security reviews conducted by CYMOTIVE, we describe common security misconceptions and show how they cause vulnerabilities in automotive OTA update implementations. We conclude the session by presenting some ideas for improving the OTA development process.

Motor
1 de 49
Descargar para leer sin conexión
©2022 CYMOTIVE Technologies Ltd. All Rights Reserved. Unauthorized use, duplication, disclosure or modification of this document is strictly prohibited. CYMOTIVE Technologies makes no representations regarding the correctness or completeness of the content herein. Benny Meisels 99% Complete, Don’t Turn Off Your Car Automotive OTA Security For The Connected Vehicle
About Me • Benny Meisels • Lead Solution Architect @ CYMOTIVE • 9 years in IT and embedded security research • Enjoys working on electronic conference badges 2
Motivation • OTA adoption is on the rise • Automotive OTA is complicated • Complexity == Harder to secure • We believe regulations are the “minimum requirements” 3
Agenda • Classic And OTA Updates Intro • Design Security Considerations • Implementation Misconceptions • “The Server Is Always Authentic” • “Using A Signature Is Enough” • “Local Storage Is Secure” • And the resulting vulnerabilities • Suggestions For Process Improvement 4
Classic And OTA Updates Intro 5
ECU Update Objectives • Address recall / Fix issues • Safety • Compatibility • Usability • Security • Update function data (Maps, ...) • Add new features 6
ECU Flashing – Classic Approach • Diagnostic tester • UDS (ISO 14229-1) over CAN • DoIP (ISO 13400-2) over Ethernet • USB 7
ECU Flashing – Diagnostic Tester • Tester is connected to the OBD • Flashing SW uses the tester to send UDS messages according to the ISO 14229-1 standard • Mostly proprietary 8
Over The Air Updates • Updates are delivered from OEM cloud directly to the vehicle • Advantages • Remote recall • Lower cost • Rapid deployment 9
ECU Flashing – OTA Update Manager • Fetch updates from server • Match hardware and software • Cache update locally • Connectivity isn’t guaranteed • Flash individual ECUs • In The Correct Order • Harness existing classic solution (UDS) • Or develop OTA specific interface 10
Design Security Considerations 11
Design Security Considerations 12
Authorization • What permission do you need to update an ECU? • How do you verify the authorization? 13
Authentication • How to authenticate the backend? • How to authenticate the vehicle? • How can we ensure future proofing? 14
Integrity • Where should the integrity checks happen? • How is Key Management handled? • How can we store updates securely? 15
Reliability • Guarantee deterministic update result • Testing preconditions • Battery • Safety • Availability - User consent 16
Regulation • Homologation • How does this affect security updates? • Compliance with UN R156 • RxSWIN • Rollback 17
Misconceptions In Implementation 18
Misconceptions In Implementation • Let's assume you have the perfect design • You have written specifications and requirements • These now need to be realized in code • What can go wrong? 19
Simplified OTA Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 20
“The Server Is Always Authentic” 21
Insecure Backend Communication Example update_path = download_to_file( "https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 22
Insecure Backend Communication Example update_path = download_to_file( "https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 23
Insecure Backend Communication Example string download_to_file(string url, string path) { // ... Create X509_STORE X509_STORE_set_verify_cb(store, verify_callback); // ... Add certificates to store // ... Perform download and writing to file } // Called on verification failure int verify_callback(int ok, X509_STORE_CTX *ctx) { return 1; // Ignore Error } 24
Insecure Backend Communication Example • Turns out the certificate chain is tested using OpenSSL • A callback registered by the code is supposed to handle all errors • In the implementation we examined the callback returned 1 for most errors (no error) • An attacker can supply an invalid certificate 25
Additional Cases • Updates downloaded over HTTP • Specific updates downloaded over HTTPS without verifying the hostname in the certificate • Update downloaded from an FTP server 26
“Using A Signature Is Enough” 27
Broken Signature Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 28
Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 29
Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 30
Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 31
Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 32
Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 33
Broken Signature Example • Hash is extracted from the file • Hash is also calculated on file contents • Hashes are compared • No actual signature is checked • Attacker can create a file which will pass this check 34
Additional Cases • Skip signature check if no signature is present • CRC32 checksum as signature alternative • Hyundai default keys (Non-OTA) – by greenluigi1 35
“Local Storage Is Secure” 36
Insecure Storage Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 37
Insecure Storage Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { // First Read, Time-Of-Check flash_firmware(update_path); // Second Read, Time-Of-Use } else { // .... } 38
Insecure Storage Example • File is read twice • First for verification • Then for flashing • File can be changed in between being read • Requires some way to manipulate the file • Assume pre-existing limited code execution 39
Additional Cases • OTA files stored in unencrypted storage • OTA files accessible by other processes • Tesla GTW storage on SD Card – Blackhat USA 2017 – Tencent KeenLab 40
Suggestions For Process Improvement​ 41
Suggestions For Process Improvement​ 42
Design • Don’t reinvent the wheel • Learn from OTA in other industries • Write detailed requirements • Avoid mechanism duplication • Share design across ECUs 43
Implementation • Make no assumptions • Follow best practices • Defensive programming and multi-layered security • Use comprehensive testing suites, static analysis, and fuzzing • Share implementations across generations and variants • Perform code reviews and penetration tests 44
General • Standardization of software updates (AUTOSAR?) • Open-Source reference designs and implementations • Share your experience with the community 45
Special Thanks • CYMOTIVE • Ilay Levi (Security Researcher) • Ruben Bokobza (Vehicle Security Team Lead) • Dan Givon (HW Specialist Team Lead) • Gal Zaban (Security Researcher @ Armis) 46
Questions? 47
cymotive.com
References And Further Reading • Hyundai default keys (Non-OTA) – by greenluigi1 • Tesla GTW storage on SD Card – Blackhat USA 2017 – Tencent KeenLab • Cybersecurity of Firmware Updates - 2020 - NHTSA • Secure OTA Software Updates in Connected - 2019 - (Halder, Ghosal, Conti) • Introduction to UN Regulation No 156 and the Software Update Management System - Tobias Pilz • Uptane project - Linux Foundation 49

Recomendados

Over-the-air (OTA) updates and the Connected car
Over-the-air (OTA) updates and the Connected carOver-the-air (OTA) updates and the Connected car
Over-the-air (OTA) updates and the Connected carPratik Desai, PhD
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...
SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...
SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...Embitel Technologies (I) PVT LTD
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale funJan Seidl
 
FOTA Upgrade on Automotive and IoT Industry
FOTA Upgrade on Automotive and IoT IndustryFOTA Upgrade on Automotive and IoT Industry
FOTA Upgrade on Automotive and IoT IndustryEmbitel Technologies (I) PVT LTD
 
Is cybersecurity protection of commercial vehicles harder?
Is cybersecurity protection of commercial vehicles harder?Is cybersecurity protection of commercial vehicles harder?
Is cybersecurity protection of commercial vehicles harder?Gilad Bandel
 
Red Bend Software: Optimizing the User Experience with Over-the-Air Updates
Red Bend Software: Optimizing the User Experience with Over-the-Air UpdatesRed Bend Software: Optimizing the User Experience with Over-the-Air Updates
Red Bend Software: Optimizing the User Experience with Over-the-Air UpdatesRed Bend Software
 

Recomendados

Over-the-air (OTA) updates and the Connected car
Over-the-air (OTA) updates and the Connected carOver-the-air (OTA) updates and the Connected car
Over-the-air (OTA) updates and the Connected carPratik Desai, PhD
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...
SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...
SEooC ISO 26262 | What is Safety Element Out of Context in Automotive Functio...Embitel Technologies (I) PVT LTD
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale funJan Seidl
 
FOTA Upgrade on Automotive and IoT Industry
FOTA Upgrade on Automotive and IoT IndustryFOTA Upgrade on Automotive and IoT Industry
FOTA Upgrade on Automotive and IoT IndustryEmbitel Technologies (I) PVT LTD
 
Is cybersecurity protection of commercial vehicles harder?
Is cybersecurity protection of commercial vehicles harder?Is cybersecurity protection of commercial vehicles harder?
Is cybersecurity protection of commercial vehicles harder?Gilad Bandel
 
Red Bend Software: Optimizing the User Experience with Over-the-Air Updates
Red Bend Software: Optimizing the User Experience with Over-the-Air UpdatesRed Bend Software: Optimizing the User Experience with Over-the-Air Updates
Red Bend Software: Optimizing the User Experience with Over-the-Air UpdatesRed Bend Software
 
Automotive safety systems - Yugandhar
Automotive safety systems - Yugandhar Automotive safety systems - Yugandhar
Automotive safety systems - Yugandhar YugandharPatil7
 
Model based design-Hardware in loop-software in loop
Model based design-Hardware in loop-software in loopModel based design-Hardware in loop-software in loop
Model based design-Hardware in loop-software in loopMahmoud Hussein
 
Diagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSARDiagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSARBernhard Wagner
 
AUToSAR introduction
AUToSAR introductionAUToSAR introduction
AUToSAR introductionELAbbasSalahHatata
 
Scalable Service-Oriented Middleware over IP
Scalable Service-Oriented Middleware over IPScalable Service-Oriented Middleware over IP
Scalable Service-Oriented Middleware over IPDai Yang
 
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Bill Harpley
 
Multicore and AUTOSAR
Multicore and AUTOSARMulticore and AUTOSAR
Multicore and AUTOSARHansang Lee
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security Malachi Jones
 
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...Edge AI and Vision Alliance
 
ECU Flashing: Flash Bootloaders that Facilitate ECU Reprogramming
ECU Flashing: Flash Bootloaders that Facilitate ECU ReprogrammingECU Flashing: Flash Bootloaders that Facilitate ECU Reprogramming
ECU Flashing: Flash Bootloaders that Facilitate ECU ReprogrammingEmbitel Technologies (I) PVT LTD
 
Secure boot general
Secure boot generalSecure boot general
Secure boot generalPrabhu Swamy
 
Infotainment system of car
Infotainment system of carInfotainment system of car
Infotainment system of carBrundha Sholaganga
 
CAN Bus
CAN BusCAN Bus
CAN Busmbedlabs Technosolutions
 
Morello Technology Demonstrator Hardware Overview - Mark Inskip, Arm
Morello Technology Demonstrator Hardware Overview - Mark Inskip, ArmMorello Technology Demonstrator Hardware Overview - Mark Inskip, Arm
Morello Technology Demonstrator Hardware Overview - Mark Inskip, ArmKTN
 
Cyber Security for the Connected Car
Cyber Security for the Connected Car Cyber Security for the Connected Car
Cyber Security for the Connected Car Real-Time Innovations (RTI)
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Webinar presentation on AUTOSAR Multicore Systems
Webinar presentation on AUTOSAR Multicore SystemsWebinar presentation on AUTOSAR Multicore Systems
Webinar presentation on AUTOSAR Multicore SystemsKPIT
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system UrmilasSrinivasan
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium EmulationRaghav Nayak
 
Oracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdfOracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdfAlex446314
 

Más contenido relacionado

La actualidad más candente

Automotive safety systems - Yugandhar
Automotive safety systems - Yugandhar Automotive safety systems - Yugandhar
Automotive safety systems - Yugandhar YugandharPatil7
 
Model based design-Hardware in loop-software in loop
Model based design-Hardware in loop-software in loopModel based design-Hardware in loop-software in loop
Model based design-Hardware in loop-software in loopMahmoud Hussein
 
Diagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSARDiagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSARBernhard Wagner
 
Scalable Service-Oriented Middleware over IP
Scalable Service-Oriented Middleware over IPScalable Service-Oriented Middleware over IP
Scalable Service-Oriented Middleware over IPDai Yang
 
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Bill Harpley
 
Multicore and AUTOSAR
Multicore and AUTOSARMulticore and AUTOSAR
Multicore and AUTOSARHansang Lee
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security Malachi Jones
 
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...Edge AI and Vision Alliance
 
ECU Flashing: Flash Bootloaders that Facilitate ECU Reprogramming
ECU Flashing: Flash Bootloaders that Facilitate ECU ReprogrammingECU Flashing: Flash Bootloaders that Facilitate ECU Reprogramming
ECU Flashing: Flash Bootloaders that Facilitate ECU ReprogrammingEmbitel Technologies (I) PVT LTD
 
Secure boot general
Secure boot generalSecure boot general
Secure boot generalPrabhu Swamy
 
Morello Technology Demonstrator Hardware Overview - Mark Inskip, Arm
Morello Technology Demonstrator Hardware Overview - Mark Inskip, ArmMorello Technology Demonstrator Hardware Overview - Mark Inskip, Arm
Morello Technology Demonstrator Hardware Overview - Mark Inskip, ArmKTN
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Joan Figueras Tugas
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Webinar presentation on AUTOSAR Multicore Systems
Webinar presentation on AUTOSAR Multicore SystemsWebinar presentation on AUTOSAR Multicore Systems
Webinar presentation on AUTOSAR Multicore SystemsKPIT
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system UrmilasSrinivasan
 

La actualidad más candente (20)

Automotive safety systems - Yugandhar
Automotive safety systems - Yugandhar Automotive safety systems - Yugandhar
Automotive safety systems - Yugandhar
 
Model based design-Hardware in loop-software in loop
Model based design-Hardware in loop-software in loopModel based design-Hardware in loop-software in loop
Model based design-Hardware in loop-software in loop
 
Diagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSARDiagnostic in Adaptive AUTOSAR
Diagnostic in Adaptive AUTOSAR
 
AUToSAR introduction
AUToSAR introductionAUToSAR introduction
AUToSAR introduction
 
Scalable Service-Oriented Middleware over IP
Scalable Service-Oriented Middleware over IPScalable Service-Oriented Middleware over IP
Scalable Service-Oriented Middleware over IP
 
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1Connected & Autonomous vehicles: cybersecurity on a grand scale v1
Connected & Autonomous vehicles: cybersecurity on a grand scale v1
 
Multicore and AUTOSAR
Multicore and AUTOSARMulticore and AUTOSAR
Multicore and AUTOSAR
 
Embedded Systems Security
Embedded Systems Security Embedded Systems Security
Embedded Systems Security
 
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...
“Advancing Embedded Vision for an Autonomous World,” a Presentation from Qual...
 
ECU Flashing: Flash Bootloaders that Facilitate ECU Reprogramming
ECU Flashing: Flash Bootloaders that Facilitate ECU ReprogrammingECU Flashing: Flash Bootloaders that Facilitate ECU Reprogramming
ECU Flashing: Flash Bootloaders that Facilitate ECU Reprogramming
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
 
Infotainment system of car
Infotainment system of carInfotainment system of car
Infotainment system of car
 
CAN Bus
CAN BusCAN Bus
CAN Bus
 
Morello Technology Demonstrator Hardware Overview - Mark Inskip, Arm
Morello Technology Demonstrator Hardware Overview - Mark Inskip, ArmMorello Technology Demonstrator Hardware Overview - Mark Inskip, Arm
Morello Technology Demonstrator Hardware Overview - Mark Inskip, Arm
 
Cyber Security for the Connected Car
Cyber Security for the Connected Car Cyber Security for the Connected Car
Cyber Security for the Connected Car
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Webinar presentation on AUTOSAR Multicore Systems
Webinar presentation on AUTOSAR Multicore SystemsWebinar presentation on AUTOSAR Multicore Systems
Webinar presentation on AUTOSAR Multicore Systems
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Security in an embedded system
Security in an embedded system Security in an embedded system
Security in an embedded system
 

Similar a Automotive OTA Security For The Connected Vehicle (ASRG Secure Our Streets 2022)

Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium EmulationRaghav Nayak
 
Oracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdfOracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdfAlex446314
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsBoris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsShapeBlue
 
System Administration: Introduction to system administration
System Administration: Introduction to system administrationSystem Administration: Introduction to system administration
System Administration: Introduction to system administrationKhang-Ling Loh
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementDefconRussia
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Mary Joy Sabal
 
Comptia a-220-902-exam-objectives
Comptia a-220-902-exam-objectivesComptia a-220-902-exam-objectives
Comptia a-220-902-exam-objectivesPaulo R
 
Cloud native development without the toil
Cloud native development without the toilCloud native development without the toil
Cloud native development without the toilAmbassador Labs
 
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...Daniel Bryant
 
VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap
VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap
VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap VMworld
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Srinivasa Addepalli
 
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...Simon Storm
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keysSUSE Labs Taipei
 

Similar a Automotive OTA Security For The Connected Vehicle (ASRG Secure Our Streets 2022) (20)

Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium Emulation
 
Oracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdfOracle_Patching_Untold_Story_Final_Part2.pdf
Oracle_Patching_Untold_Story_Final_Part2.pdf
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get DiagnosticsBoris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
Boris Stoyanov - Troubleshooting the Virtual Router - Run and Get Diagnostics
 
System Administration: Introduction to system administration
System Administration: Introduction to system administrationSystem Administration: Introduction to system administration
System Administration: Introduction to system administration
 
Alexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implementAlexey Sintsov- SDLC - try me to implement
Alexey Sintsov- SDLC - try me to implement
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18Wellington MuleSoft Meetup 2021-02-18
Wellington MuleSoft Meetup 2021-02-18
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and Tricks
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
EFI Secure Key
EFI Secure KeyEFI Secure Key
EFI Secure Key
 
Comptia a-220-902-exam-objectives
Comptia a-220-902-exam-objectivesComptia a-220-902-exam-objectives
Comptia a-220-902-exam-objectives
 
Cloud native development without the toil
Cloud native development without the toilCloud native development without the toil
Cloud native development without the toil
 
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
GOTOpia 2/2021 "Cloud Native Development Without the Toil: An Overview of Pra...
 
VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap
VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap
VMworld 2013: Failsafe at PCIe Level: Enabling PCIe Hot Swap
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2Acceleration_and_Security_draft_v2
Acceleration_and_Security_draft_v2
 
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
Agile and Continuous Delivery for Audits and Exams - DC Continuous Delivery M...
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keys
 

Último

Dubai Call Girls Size E6 (O525547819) Call Girls In Dubai
Dubai Call Girls Size E6 (O525547819) Call Girls In DubaiDubai Call Girls Size E6 (O525547819) Call Girls In Dubai
Dubai Call Girls Size E6 (O525547819) Call Girls In Dubaikojalkojal131
 
(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCRsoniya singh
 
VIP Kolkata Call Girl Kasba 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kasba 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kasba 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kasba 👉 8250192130 Available With Roomdivyansh0kumar0
 
如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一
如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一
如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一hnfusn
 
BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024AHOhOops1
 
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service ManualJohn Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service ManualExcavator
 
VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...
VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...
VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...Garima Khatri
 
call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHERUNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHERunosafeads
 
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂Hot Call Girls In Sector 58 (Noida)
 
UNIT-1-VEHICLE STRUCTURE AND ENGINES.ppt
UNIT-1-VEHICLE STRUCTURE AND ENGINES.pptUNIT-1-VEHICLE STRUCTURE AND ENGINES.ppt
UNIT-1-VEHICLE STRUCTURE AND ENGINES.pptDineshKumar4165
 
Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...
Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...
Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...shivangimorya083
 
UNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptx
UNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptxUNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptx
UNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptxDineshKumar4165
 
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhiHauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhiHot Call Girls In Sector 58 (Noida)
 
UNIT-V-ELECTRIC AND HYBRID VEHICLES.pptx
UNIT-V-ELECTRIC AND HYBRID VEHICLES.pptxUNIT-V-ELECTRIC AND HYBRID VEHICLES.pptx
UNIT-V-ELECTRIC AND HYBRID VEHICLES.pptxDineshKumar4165
 
2024 WRC Hyundai World Rally Team’s i20 N Rally1 Hybrid
2024 WRC Hyundai World Rally Team’s i20 N Rally1 Hybrid2024 WRC Hyundai World Rally Team’s i20 N Rally1 Hybrid
2024 WRC Hyundai World Rally Team’s i20 N Rally1 HybridHyundai Motor Group
 
John Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair ManualJohn Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair ManualExcavator
 
( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607
( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607
( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607dollysharma2066
 

Último (20)

Dubai Call Girls Size E6 (O525547819) Call Girls In Dubai
Dubai Call Girls Size E6 (O525547819) Call Girls In DubaiDubai Call Girls Size E6 (O525547819) Call Girls In Dubai
Dubai Call Girls Size E6 (O525547819) Call Girls In Dubai
 
(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Shaheen Bagh 🔝 Delhi NCR
 
VIP Kolkata Call Girl Kasba 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kasba 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kasba 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kasba 👉 8250192130 Available With Room
 
如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一
如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一
如何办理(UQ毕业证书)昆士兰大学毕业证毕业证成绩单原版一比一
 
BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024BLUE VEHICLES the kids picture show 2024
BLUE VEHICLES the kids picture show 2024
 
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service ManualJohn Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
John Deere 300 3029 4039 4045 6059 6068 Engine Operation and Service Manual
 
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
Call Girls in Shri Niwas Puri Delhi 💯Call Us 🔝9953056974🔝
 
VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...
VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...
VIP Mumbai Call Girls Thakur village Just Call 9920874524 with A/C Room Cash ...
 
call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Jama Masjid (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHERUNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
UNOSAFE ELEVATOR PRIVATE LTD BANGALORE BROUCHER
 
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
꧁༒☬ 7042364481 (Call Girl) In Dwarka Delhi Escort Service In Delhi Ncr☬༒꧂
 
UNIT-1-VEHICLE STRUCTURE AND ENGINES.ppt
UNIT-1-VEHICLE STRUCTURE AND ENGINES.pptUNIT-1-VEHICLE STRUCTURE AND ENGINES.ppt
UNIT-1-VEHICLE STRUCTURE AND ENGINES.ppt
 
Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...
Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...
Hot And Sexy 🥵 Call Girls Delhi Daryaganj {9711199171} Ira Malik High class G...
 
UNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptx
UNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptxUNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptx
UNIT-IV-STEERING, BRAKES AND SUSPENSION SYSTEMS.pptx
 
(NEHA) Call Girls Pushkar Booking Open 8617697112 Pushkar Escorts
(NEHA) Call Girls Pushkar Booking Open 8617697112 Pushkar Escorts(NEHA) Call Girls Pushkar Booking Open 8617697112 Pushkar Escorts
(NEHA) Call Girls Pushkar Booking Open 8617697112 Pushkar Escorts
 
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhiHauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
Hauz Khas Call Girls ☎ 7042364481 independent Escorts Service in delhi
 
UNIT-V-ELECTRIC AND HYBRID VEHICLES.pptx
UNIT-V-ELECTRIC AND HYBRID VEHICLES.pptxUNIT-V-ELECTRIC AND HYBRID VEHICLES.pptx
UNIT-V-ELECTRIC AND HYBRID VEHICLES.pptx
 
2024 WRC Hyundai World Rally Team’s i20 N Rally1 Hybrid
2024 WRC Hyundai World Rally Team’s i20 N Rally1 Hybrid2024 WRC Hyundai World Rally Team’s i20 N Rally1 Hybrid
2024 WRC Hyundai World Rally Team’s i20 N Rally1 Hybrid
 
John Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair ManualJohn Deere Tractors 5515 Diagnostic Repair Manual
John Deere Tractors 5515 Diagnostic Repair Manual
 
( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607
( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607
( Best ) Genuine Call Girls In Mandi House =DELHI-| 8377087607
 

Automotive OTA Security For The Connected Vehicle (ASRG Secure Our Streets 2022)

  • 1. ©2022 CYMOTIVE Technologies Ltd. All Rights Reserved. Unauthorized use, duplication, disclosure or modification of this document is strictly prohibited. CYMOTIVE Technologies makes no representations regarding the correctness or completeness of the content herein. Benny Meisels 99% Complete, Don’t Turn Off Your Car Automotive OTA Security For The Connected Vehicle
  • 2. About Me • Benny Meisels • Lead Solution Architect @ CYMOTIVE • 9 years in IT and embedded security research • Enjoys working on electronic conference badges 2
  • 3. Motivation • OTA adoption is on the rise • Automotive OTA is complicated • Complexity == Harder to secure • We believe regulations are the “minimum requirements” 3
  • 4. Agenda • Classic And OTA Updates Intro • Design Security Considerations • Implementation Misconceptions • “The Server Is Always Authentic” • “Using A Signature Is Enough” • “Local Storage Is Secure” • And the resulting vulnerabilities • Suggestions For Process Improvement 4
  • 5. Classic And OTA Updates Intro 5
  • 6. ECU Update Objectives • Address recall / Fix issues • Safety • Compatibility • Usability • Security • Update function data (Maps, ...) • Add new features 6
  • 7. ECU Flashing – Classic Approach • Diagnostic tester • UDS (ISO 14229-1) over CAN • DoIP (ISO 13400-2) over Ethernet • USB 7
  • 8. ECU Flashing – Diagnostic Tester • Tester is connected to the OBD • Flashing SW uses the tester to send UDS messages according to the ISO 14229-1 standard • Mostly proprietary 8
  • 9. Over The Air Updates • Updates are delivered from OEM cloud directly to the vehicle • Advantages • Remote recall • Lower cost • Rapid deployment 9
  • 10. ECU Flashing – OTA Update Manager • Fetch updates from server • Match hardware and software • Cache update locally • Connectivity isn’t guaranteed • Flash individual ECUs • In The Correct Order • Harness existing classic solution (UDS) • Or develop OTA specific interface 10
  • 13. Authorization • What permission do you need to update an ECU? • How do you verify the authorization? 13
  • 14. Authentication • How to authenticate the backend? • How to authenticate the vehicle? • How can we ensure future proofing? 14
  • 15. Integrity • Where should the integrity checks happen? • How is Key Management handled? • How can we store updates securely? 15
  • 16. Reliability • Guarantee deterministic update result • Testing preconditions • Battery • Safety • Availability - User consent 16
  • 17. Regulation • Homologation • How does this affect security updates? • Compliance with UN R156 • RxSWIN • Rollback 17
  • 19. Misconceptions In Implementation • Let's assume you have the perfect design • You have written specifications and requirements • These now need to be realized in code • What can go wrong? 19
  • 20. Simplified OTA Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 20
  • 21. “The Server Is Always Authentic” 21
  • 22. Insecure Backend Communication Example update_path = download_to_file( "https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 22
  • 23. Insecure Backend Communication Example update_path = download_to_file( "https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 23
  • 24. Insecure Backend Communication Example string download_to_file(string url, string path) { // ... Create X509_STORE X509_STORE_set_verify_cb(store, verify_callback); // ... Add certificates to store // ... Perform download and writing to file } // Called on verification failure int verify_callback(int ok, X509_STORE_CTX *ctx) { return 1; // Ignore Error } 24
  • 25. Insecure Backend Communication Example • Turns out the certificate chain is tested using OpenSSL • A callback registered by the code is supposed to handle all errors • In the implementation we examined the callback returned 1 for most errors (no error) • An attacker can supply an invalid certificate 25
  • 26. Additional Cases • Updates downloaded over HTTP • Specific updates downloaded over HTTPS without verifying the hostname in the certificate • Update downloaded from an FTP server 26
  • 27. “Using A Signature Is Enough” 27
  • 28. Broken Signature Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 28
  • 29. Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 29
  • 30. Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 30
  • 31. Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 31
  • 32. Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 32
  • 33. Broken Signature Example bool verify_swupdate_package(string path) { unsigned char received_hash[SHA256_DIGEST_LENGTH]; unsigned char calculated_hash[SHA256_DIGEST_LENGTH]; // ... Read file contents into data and verify file length memcpy(calculated_hash, data.data(), SHA256_DIGEST_LENGTH); calculate_sha256( calculated_hash, data.data() + SHA256_DIGEST_LENGTH, data.length() - SHA256_DIGEST_LENGTH); return 0 == memcmp(calculated_hash, received_hash, SHA256_DIGEST_LENGTH); } 33
  • 34. Broken Signature Example • Hash is extracted from the file • Hash is also calculated on file contents • Hashes are compared • No actual signature is checked • Attacker can create a file which will pass this check 34
  • 35. Additional Cases • Skip signature check if no signature is present • CRC32 checksum as signature alternative • Hyundai default keys (Non-OTA) – by greenluigi1 35
  • 36. “Local Storage Is Secure” 36
  • 37. Insecure Storage Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { flash_firmware(update_path); } else { // .... } 37
  • 38. Insecure Storage Example update_path = download_to_file("https://XXX.YYY/...", SWUPDATE_PATH); // .... if(verify_swupdate_package(update_path)) { // First Read, Time-Of-Check flash_firmware(update_path); // Second Read, Time-Of-Use } else { // .... } 38
  • 39. Insecure Storage Example • File is read twice • First for verification • Then for flashing • File can be changed in between being read • Requires some way to manipulate the file • Assume pre-existing limited code execution 39
  • 40. Additional Cases • OTA files stored in unencrypted storage • OTA files accessible by other processes • Tesla GTW storage on SD Card – Blackhat USA 2017 – Tencent KeenLab 40
  • 41. Suggestions For Process Improvement​ 41
  • 42. Suggestions For Process Improvement​ 42
  • 43. Design • Don’t reinvent the wheel • Learn from OTA in other industries • Write detailed requirements • Avoid mechanism duplication • Share design across ECUs 43
  • 44. Implementation • Make no assumptions • Follow best practices • Defensive programming and multi-layered security • Use comprehensive testing suites, static analysis, and fuzzing • Share implementations across generations and variants • Perform code reviews and penetration tests 44
  • 45. General • Standardization of software updates (AUTOSAR?) • Open-Source reference designs and implementations • Share your experience with the community 45
  • 46. Special Thanks • CYMOTIVE • Ilay Levi (Security Researcher) • Ruben Bokobza (Vehicle Security Team Lead) • Dan Givon (HW Specialist Team Lead) • Gal Zaban (Security Researcher @ Armis) 46
  • 49. References And Further Reading • Hyundai default keys (Non-OTA) – by greenluigi1 • Tesla GTW storage on SD Card – Blackhat USA 2017 – Tencent KeenLab • Cybersecurity of Firmware Updates - 2020 - NHTSA • Secure OTA Software Updates in Connected - 2019 - (Halder, Ghosal, Conti) • Introduction to UN Regulation No 156 and the Software Update Management System - Tobias Pilz • Uptane project - Linux Foundation 49