While there was only one automotive-specific talk at this year’s BlackHat Europe, several talks have relevance to the work done in the vehicle industry. RISE Viktoria reports on Toyota’s testbed for security training and experimentation, HW supply-chain attacks, the introduction of security champions in organizations, and a call for change in the security professionals’ mindset.

 


PASTA: Portable automotive security testbed with adaptability describes the collaborative work of researchers from Toyota InfoTechnology and Yokohama National University. While acknowledging that the Car Hacking Village (ref: https://www.carhackingvillage.com/) as well as capture-the-flag competitions can be fun and, to a certain level, educational, the speakers find it doubtful that they can be used to systematically learn about automotive security. Thus, they see a need for a platform that simulates generic vehicles and that anyone can use to learn about vehicle security, as well as to experiment on and evaluate new security technologies.

PASTA is an 8 kg testbed that fits into a briefcase. Today it includes an OBD-II connection; the possibility to connect via USB, Bluetooth, Wi-Fi, and cellular will be added to the testbed soon. PASTA is open (based on non-proprietary technology), safe (generic rather than real vehicle components), and portable. Further, it can be adapted by its users: they will be able to rewrite the firmware of the four ECUs included in the testbed, redesign the architecture, and connect their own devices. However, it might be out of reach for many practitioners due to its high price (component cost estimated at €10 000).

More details can be found in the paper: https://i.blackhat.com/eu-18/Wed-Dec-5/eu-18-Toyama-PASTA-Portable-Automotive-Security-Testbed-with-Adaptability-wp.pdf

Open specifications will be available on https://github.com/pasta-auto; keep track of the progress on Twitter (@pasta_auto).

 


Security champions program

Ryan O’Boyle described the work that his company has done with the introduction of a security champion (SC) program, in which SCs receive security training while remaining active members of their development teams. Their job is to act as the security conscience of their teams by making sure that security is taken into account early on (e.g. when discussing user stories), without having a negative effect on the teams’ velocity. There are one to three SCs per team, and their job is not to replace the security team but rather to act as the first line of defense.

Introduction of an SC program has to have management support, since champions have to put time into achieving the right competence. Also, if security goals are not treated like other goals, the program and the champions will not be successful.

So how can the (automotive) industry begin building programs like this? To begin with, a security culture needs to be built: introduce lunch-and-learns, post-conference summaries, and security challenges, and allocate time for your employees to participate. These activities can be used for recruitment to the program, where participants can have any type of role, as long as they have influence in their team (e.g. through skills or seniority).

The SCs need to receive both theoretical and practical training, and they have to be allowed to increase their skills over time in order to be able to take on additional responsibility. However, their work also has to be monitored so that they stay true to the program directions. And finally, don’t forget to reflect and iterate: the program itself needs to be improved over time!

 


Two of the talks centered around supply-chain attacks. Ryan Kazanciyan focused on software components (Broken Links: Emergence and Future of Software Supply-Chain Compromises) and Joe FitzPatrick talked about small hardware implants (A Measured Response to a Grain of Rice). Neither of the talks focused on the automotive domain. I found Joe FitzPatrick’s talk the more relevant of the two, since Kazanciyan did not focus on embedded systems.

HW implants have historically been used for surveillance. Most commonly these have been distributed using social engineering, for example as giveaways that provide normal functionality while stealing data (e.g. fun USB gadgets). During the fall, Bloomberg ran the story “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” (https://www.bloomberg.com/2018-the-big-hack), which describes a small chip added to motherboards used by several large US companies. The story has been disputed by Apple and Amazon; however, Bloomberg claims that its information came from a large number of interviews with employees of the affected companies. Thus, it is difficult to know where the truth lies.

When it comes to the automotive industry, where suppliers provide a large share of the HW components, it would not be surprising if we saw this type of attack in the future. We need to keep in mind that supply-chain attacks of this kind are very difficult to discover, which makes due diligence and the use of security techniques within the supply chain highly necessary. If you are interested in the topic, you can read the paper that Bozdal et al. published earlier this year. In their research, you can find a proof of concept of a small hardware trojan that can disrupt CAN bus communication. The authors show that an attack like this can be performed without physical access to the bus, which makes it undetectable via frame analysis and unpreventable via network segmentation. https://www.sciencedirect.com/science/article/pii/S2351978918312794

 


Lastly, Nathan Hamiel spoke of leveling up the security professionals’ mindset (Level Up Your Security Mindset), noting that security specialists are often left out of conversations because many find them difficult to work with. Hamiel offered a number of ideas on how security professionals can make more impact in the future; here are a few:

  1. Align your mindset with the business goals: products need to be delivered and updated at an ever-increasing rate. Make sure you are not the showstopper; be flexible and agile!
  2. Show empathy for your colleagues and they will include you in their work early on. When they do, focus on realistic risk and risk reduction rather than on catastrophes that are unlikely to happen and their complete mitigation. Not everyone in the world is out to get us!
  3. Security teams should be given business education and an understanding of how different units work together. Why not have business champions in security teams?
  4. Enable the people who work around you. We don’t measure our success in enablement, but maybe we should?
  5. We cannot solve the problems of scale alone, considering AI, increased connectivity, and supply-chain issues. Build communities and diverse teams. Hire developers, data scientists, etc. and see what they can contribute. People from different disciplines think differently.

 

In conclusion: soft skills are not optional anymore, and you cannot be successful by yourself!

 

Written by Ana Magazinius, RISE Viktoria

 
