Here is a report from VECS: Vehicle Electronics and Connected Services 2018, held back in April. Chalmers summarizes several of the interesting talks below.
ALISSA KNIGHT, BRIER & THORN – PERFORMING RISK ASSESSMENT AGAINST CONNECTED CARS
Alissa is a professional penetration tester who works with risk assessment. She is writing a book about hacking connected cars, to be published later this year; a companion security tool will be available as a free download. She walked through a complete risk assessment, step by step, all the way to calculating a risk score. Her main points were:
- What has been built by humans, can be hacked by humans. Vulnerabilities will always be there. We are not able to build a risk-free system but risk assessment may at least make us aware of the problems.
- We must know what assets we have in the cars and what to protect. You cannot protect something you don't know you have. How can you hire penetration testers if you don't know what you have? Start with risk assessment!
She went on to describe different ways the head unit can be hacked and explained that it is not uncommon for OEMs not to know which ports are in use, since third parties implement much of the functionality. This is of course not acceptable. When it comes to threat and risk assessment models, her advice was to just pick one, for example STRIDE, EVITA, OWASP, or OCTAVE. The important thing is to go through the process.
Her presentation is available at: https://www.youtube.com/watch?v=yi3LcGCYafk&feature=youtu.be
SAGAR BEHERE – TOYOTA RESEARCH, CYBERSECURITY FOR HIGHLY AUTOMATED DRIVING
How hard is it to hack a car? To find out, Sagar tried it on his own car. It took him only three hours to get root on the telematics system, after which he could reverse-engineer it. He then added features to his car that are otherwise only found on more expensive models.
His talk continued with why and how ECUs get compromised. Absent firewalls, lack of verification, clear-text communication and little or no knowledge of cryptography were the main findings. Cryptography is well-known technology and he recommended using it. He also argued that we need HSMs to store and protect the keys, and there are many to choose from: EVITA full/medium/light, HIS SHE, and TCG TPM/MTM.
He then presented "the 80/20 rule of automotive cybersecurity" (roughly 20% of the weaknesses account for 80% of the problems, so fix those first): all communication with external systems must be encrypted and signed, ECUs should only execute cryptographically signed and authenticated software, larger systems such as Linux must be hardened with standard, well-known techniques, and gateways should be in place to enforce strong partitioning and implement firewall functionality. Layering and partitioning are very important: the MP3 player should not be able to control the steering!
Intrusion detection is a technology we should investigate, both network-based IDS and control-flow checks inside the ECUs. We know at compile time how a program is allowed to execute and can therefore build its control-flow graph (CFG); any deviation from that graph at runtime is a possible intrusion. A buffer overflow that redirects control flow will, for example, be detected as soon as the first illegal transition occurs.
Penetration tests must be done, as well as white-box testing. Read SAE J3061 on the overlap between safety and security: it describes how to manage cybersecurity throughout the whole V-model development process. He also advised reading the NHTSA cybersecurity guidance.
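The CFG-based check described above, as an added example written for this report rather than code from the talk: a static table of the call and return edges a build-time analysis would emit for a hypothetical ECU, and a monitor that walks a recorded trace and reports the first transition that is not in the graph. The function names, the edge table and both traces are constructed for illustration.

```c
/* CFG-based control-flow monitoring, added example (not from the talk).
 * The node IDs, edge table and traces are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical ECU functions, one graph node per function. */
enum node {
    MAIN = 0, RECV_FRAME, PARSE_FRAME, UPDATE_DISPLAY, LOG_ERROR, UNLOCK_DOORS
};

struct edge { enum node from, to; };

/* Static CFG: the only call and return transitions the firmware can make.
 * In practice this table is derived from the binary at build time. */
static const struct edge cfg[] = {
    { MAIN, RECV_FRAME },            { RECV_FRAME, MAIN },
    { MAIN, PARSE_FRAME },           { PARSE_FRAME, MAIN },
    { PARSE_FRAME, UPDATE_DISPLAY }, { UPDATE_DISPLAY, PARSE_FRAME },
    { PARSE_FRAME, LOG_ERROR },      { LOG_ERROR, PARSE_FRAME },
    { MAIN, UNLOCK_DOORS },          { UNLOCK_DOORS, MAIN },
};

static bool edge_allowed(enum node from, enum node to)
{
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
        if (cfg[i].from == from && cfg[i].to == to) {
            return true;
        }
    }
    return false;
}

/* Returns the index of the first transition in trace[] that is not a CFG edge,
 * or -1 if every transition is allowed. */
int check_trace(const enum node *trace, size_t len)
{
    for (size_t i = 1; i < len; i++) {
        if (!edge_allowed(trace[i - 1], trace[i])) {
            return (int)i;
        }
    }
    return -1;
}

/* Constructed traces, as a runtime monitor (hardware trace port or
 * instrumented call/return hooks) would record them. */
static const enum node benign_trace[] = {
    MAIN, RECV_FRAME, MAIN, PARSE_FRAME, UPDATE_DISPLAY, PARSE_FRAME, MAIN
};
/* A stack buffer overflow in PARSE_FRAME overwrites the return address so
 * that control "returns" into UNLOCK_DOORS: an edge the CFG never contains. */
static const enum node hijacked_trace[] = {
    MAIN, RECV_FRAME, MAIN, PARSE_FRAME, UNLOCK_DOORS, MAIN
};

int check_benign(void)
{
    return check_trace(benign_trace, sizeof benign_trace / sizeof benign_trace[0]);
}

int check_hijacked(void)
{
    return check_trace(hijacked_trace, sizeof hijacked_trace / sizeof hijacked_trace[0]);
}

int main(void)
{
    printf("benign trace:   %d (-1 = no deviation)\n", check_benign());
    printf("hijacked trace: %d (index of first illegal edge)\n", check_hijacked());
    return 0;
}
```

Two caveats a practitioner should keep in mind: the check only sees edges, so an attack that stays on legal edges (corrupting the data that MAIN passes to UNLOCK_DOORS, for instance) is invisible to it, and "immediately" means at the first illegal transition the monitor observes, which depends on how fine-grained the trace source is.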
CONNY BROBERG – NEVS: TODAY’S AND TOMORROW’S CONNECTED VEHICLES AND INFORMATION SHARING
We are now about to create “the digital car in the cloud”. In the future, we will have lots of car sharing and it would be desirable to have my personal data to be moved between the vehicles I use. His talk was about how data can be extracted from cars and be transferred between the cars we drive, for example, how I can access my personal apps when moving from one car to another, and how I can remove my personal data after leaving a shared car.
GIUSEPPE SERIO, IBM: MANAGING RISKS FOR CONNECTED VEHICLES
Giuseppe presented statistics from 700 organizations on IoT devices and security. Thirteen percent of cybersecurity incidents are IoT related. Forty-four percent say that patching connected objects (OTA) is the greatest challenge in securing IoT deployments. Fifty percent of automotive cybersecurity cost is personnel cost; only 30% goes to security-enhancing technology.
He also showed that 71% of known IoT vulnerabilities have not been addressed by security controls. Among the problems we are now aware of: software security degrades over time, shared secrets do not remain secret forever, and proprietary third-party software is hard to assess.
He continued: since a vehicle contains approximately 2,000 functional components, it is not surprising that problems arise when they are connected. The vehicle needs a trusted environment as the basis for all the security elements we add. The automotive industry also needs to improve its incident handling; the current average time to identify, respond to and recover from an incident is 34.2 days!
He ended by noting that the industry currently seems to focus on confidentiality, whereas availability and integrity should matter far more for a vehicle.
TOMMY SVENSSON, CHALMERS: INTEGRATING MOVING NETWORKS
Tommy described moving networks and base stations from the METIS project and showed different scenarios to utilize them, such as in emergency communications, traffic jams, for traffic efficiency and enhanced safety. He also showed a video of a future autonomous transport system.
In cellular communications, adding antennas scales throughput: two antennas roughly double the data rate, four quadruple it, and so on. He also discussed, with many graphs and numbers, how antenna placement affects the communication, and argued that we should use direct beamforming to improve performance, bandwidth and energy efficiency.
MARK RICHARDSON, LDRA (UK): SECURING THE CONNECTED CAR: APPLICATION CODE MATTERS
Mark described earlier vehicle hacks, including the 2015 Jeep Cherokee hack. He argued that separation using hypervisors is necessary to secure the system. However, this still leaves us with the problem that the modules need to communicate.
To reach a reasonably high level of security, he argued that we need to implement secure boot, domain separation, secure coding techniques, and last but not least, implement specific security testing. If the complexity of the software is high, security testing is virtually impossible. He showed some slides with good vs. bad code.
When coding, we should adhere to secure coding techniques: keep code complexity down and use MISRA C as the secure coding standard. These are good rules to keep in mind to avoid problems. In addition, always validate all input from untrusted sources. The CERT secure coding standards should also be considered.
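To make the "validate all input from untrusted sources" point concrete, here is an added example (written for this report, not from Mark's slides) of a small frame parser in the style the talk recommends. The wire format, [id][len][payload bytes], the PAYLOAD_MAX limit and the sample frames are constructed for illustration. The first version is deliberately written the way such code often looks when it trusts the length byte; the second checks every quantity derived from the input before using it, with a single exit point and explicit error codes in the MISRA C spirit.

```c
/* Input validation on an untrusted frame, added example (not from the talk).
 * The wire format [id][len][payload...] and the sample frames are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 8u

typedef struct {
    uint8_t id;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} frame_t;

enum parse_result { PARSE_OK = 0, PARSE_TOO_SHORT, PARSE_LEN_OVERSIZE, PARSE_TRUNCATED };

/* BEFORE: the length byte from the wire is trusted. len > PAYLOAD_MAX writes
 * past frame->payload (buffer overflow); len > avail reads past buf.
 * Kept for comparison only; never call it with attacker-controlled data. */
int parse_frame_unsafe(const uint8_t *buf, size_t avail, frame_t *frame)
{
    (void)avail;                 /* the available byte count is ignored */
    frame->id = buf[0];
    frame->len = buf[1];
    memcpy(frame->payload, &buf[2], frame->len);
    return PARSE_OK;
}

/* AFTER: every quantity derived from the input is checked before it is used,
 * with a single exit point and explicit error codes. */
int parse_frame_safe(const uint8_t *buf, size_t avail, frame_t *frame)
{
    int rc;

    if ((buf == NULL) || (frame == NULL) || (avail < 2u)) {
        rc = PARSE_TOO_SHORT;                  /* header not even present */
    } else if (buf[1] > PAYLOAD_MAX) {
        rc = PARSE_LEN_OVERSIZE;               /* would overflow payload[] */
    } else if ((size_t)buf[1] > (avail - 2u)) {
        rc = PARSE_TRUNCATED;                  /* would read past buf[] */
    } else {
        frame->id = buf[0];
        frame->len = buf[1];
        (void)memset(frame->payload, 0, PAYLOAD_MAX);
        (void)memcpy(frame->payload, &buf[2], frame->len);
        rc = PARSE_OK;
    }
    return rc;
}

/* Constructed test frames. */
static const uint8_t good_frame[]      = { 0x10, 0x03, 0xAA, 0xBB, 0xCC };
static const uint8_t oversize_frame[]  = { 0x10, 0x40, 0xAA };  /* len 64 > PAYLOAD_MAX */
static const uint8_t truncated_frame[] = { 0x10, 0x04, 0xAA };  /* len 4, only 1 byte   */
static const uint8_t short_frame[]     = { 0x10 };              /* no length byte       */

/* Convenience wrapper: parse into a scratch frame and report the result code. */
int parse_result_for(const uint8_t *buf, size_t avail)
{
    frame_t f;
    return parse_frame_safe(buf, avail, &f);
}

/* Returns the parsed length for a frame accepted by parse_frame_safe, or -1. */
int parsed_len_for(const uint8_t *buf, size_t avail)
{
    frame_t f;
    return (parse_frame_safe(buf, avail, &f) == PARSE_OK) ? (int)f.len : -1;
}

int main(void)
{
    printf("good:      %d\n", parse_result_for(good_frame, sizeof good_frame));
    printf("oversize:  %d\n", parse_result_for(oversize_frame, sizeof oversize_frame));
    printf("truncated: %d\n", parse_result_for(truncated_frame, sizeof truncated_frame));
    printf("short:     %d\n", parse_result_for(short_frame, sizeof short_frame));
    return 0;
}
```

Note the order of the checks: the buffer-size bound is tested before the available-bytes bound, and both before any copy, so a single oversized or truncated frame from the network can neither write past the struct nor read past the receive buffer. The size of the payload limit is the kind of constant a static analyser can verify against every caller, which is one reason the talk ties low complexity to testability.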
TEDDY ZHAI: GREEN HILLS SOFTWARE: ESTABLISHING ROOT OF TRUST IN CONNECTED VEHICLES
Teddy showed that in V2X communication today, around 4,000 certificates need to be loaded into a car at production (US). To design a secure vehicle we need authenticated and encrypted communication and access control, and we should strive to use only FIPS 140-2 approved cryptography.
Another problem is that the signing keys for the certificates must be protected. This may sound obvious, he said, but in practice it has proven hard: the computer that holds them can be hacked or broken, and it is not easy to guarantee security over time. In audits, they have been able to compromise such keys.
He summarized that we need a secure chain all the way from production through OTA updates and dealer offline updates, for the full lifetime of the vehicle. Separate keys are needed for test, production, OTA, and dealer/repair shops. He concluded that key management is a challenge we need to keep working on.
SIDDARTH SHUKLA, ESCRYPT: CHALLENGES IN USING ETHERNET IN THE AUTOMOTIVE DOMAIN
During this presentation we saw that Ethernet, compared to traditional vehicular protocols, brings a richer protocol stack, including TCP/IP. This is both good and bad. The technology is well known to everyone, designers and attackers alike, meaning that ordinary hackers can join the game alongside automotive engineers. On the other hand, it enables the use of firewalls and conventional IDS/IPS systems in our designs. Another drawback is the added complexity from the larger number of protocols involved.
With Ethernet, time synchronization is an issue. No standard solution exists today and many different working groups are active. He argued that we should also implement secure communication (e.g. IPsec), but meeting both the security and the performance requirements remains the major challenge.
He concluded that VLAN technology should be supported in vehicles. We should also implement separation on IP level, NAT, and strengthen the use of firewalls and IDS/IPS systems.
FREDRIK SKPÅE, CEVT: CONNECTED CAR AND GDPR
Fredrik talked about the recent Cambridge Analytica problem where personally identifiable information from 80 million people was collected. We need a strategy to protect us from this kind of situation. He argued that the client must feel that he/she owns the data. We must carefully think about how GDPR can affect the end-user experience. He argued that the goal should be that we try to be as transparent as possible about our data and always let the customer know what data we use and what we use it for.
Please contact Anne Faxér if you have any questions.