Automotive security (cvta)

The Connected Car and Security 2016
Alan Tatourian, Security Architect, Advanced Driving Technologies, Intel; Founding Member, Automotive Security Review Board (ASRB); Member, SAE VESS, TCG, and NIST Cyber-Physical Systems Groups
[email protected]
October 6, 2016, 7th Summit on the Future of the Connected Vehicle

Transcript of Automotive security (cvta)

Page 1: Automotive security (cvta)


Page 2: Automotive security (cvta)


Vehicle Architecture Today and Tomorrow

[Diagram: the vehicle network today (CAN and FlexRay buses behind a gateway) alongside tomorrow's (multiple Ethernet links behind a gateway).]

Where we are (Current State: Low Complexity) versus where we are heading (Future State: High Complexity):

Vehicle Connectivity: Limited but Expanding (Telematics, Infotainment) -> Fully Connected Environment (V2V, V2I, V2X)
Vehicle Automation: Developing/Immature (Partial/Semi-Autonomous) -> Pervasive/Highly Developed
Data Analytics: Focus on Vehicle Performance/Location -> Focus on Consumer Experience/Personal Data

Risk is increasing and will continue to grow.

Image credit: Volvo

Page 3: Automotive security (cvta)


Connected, Autonomous Car

[Diagram of the distributed services in a connected, autonomous car. Labelled components: Cloud Services; Sensing (Radar, LIDAR); Vision Fusion (Cameras, LIDAR, Radar …) and Data Fusion; Situation Analysis and Situation Awareness; Localization; Navigation and Traffic Maps; Planning; Vehicle Control, Vehicle Platform and Automotive Bus; Error Management; Logging; Visualization; Distributed Services.]

Source: RTI

Page 4: Automotive security (cvta)


External Vehicle Connections

External systems and networks support new services and interactions … and increase risk.

[Diagram of the vehicle's external connections. Legend: Uni-directional Communication, Bi-directional Communication, Access Point (AP), Base Station (BS). Connections shown:]
V2V
Radio Data System (RDS)
Mobile Devices
Electric Chargers
GPS
Road Side Unit (RSU)
Ad-Hoc Network
Trusted Network (e.g. Repair Shop) with a Local Service AP
Untrusted Network with a Local Service and an Open AP
Internet Backbone, reached through ISPs and base stations (BS), connecting to the Automotive Company Application Center and a 3rd Party Application Center

Page 5: Automotive security (cvta)


Automotive Security Research

[Timeline 2006 to 2020; "Today" marks 2016.]

2006: State of the Art: Embedding Security in Vehicles
2008: Security threats to automotive CAN networks — Practical examples and selected short-term countermeasures
2011: Comprehensive Experimental Analyses of Automotive Attack Surfaces
2013: Script Your Car! Using existing hardware platforms to integrate python into your dashboard
2014: A Survey of Remote Automotive Attack Surfaces
2015: Remote Exploitation of an Unaltered Passenger Vehicle
2016: CAN Message Injection

Page 6: Automotive security (cvta)


What does Security Mean?

Security covers all the processes and mechanisms by which digital equipment, information and services are protected from unintended or unauthorized access, change or destruction. (Wikipedia)

Existing Definition, also used by NIST

1999 National Academies study “Trust in Cyberspace”

Security research during the past few decades has been based on formal policy models that focus on protecting information from unauthorized access by specifying which users should have access to data or other system objects. It is time to challenge this paradigm of “absolute security” and move toward a model built on three axioms of insecurity:

1. insecurity exists;

2. insecurity cannot be destroyed; and

3. insecurity can be moved around.

Page 7: Automotive security (cvta)


Response from the Industry

1. SAE J3101 – Hardware-Protected Security for Ground Vehicle Applications
   a) Secure Boot
   b) Secure Storage
   c) Secure Execution Environment
   d) Other hardware capabilities…
   e) OTA, authentication, detection, recovery mechanisms…

2. SAE J3061 – Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
   a) Enumerate all attack surfaces and conduct threat analysis
   b) Reduce Attack Surface
   c) Harden hardware and software
   d) Security Testing (Penetration, fuzzing, etc.)

Page 8: Automotive security (cvta)


Defense in Depth

[Diagram of security layers around the vehicle. Vehicle-side elements shown: V2X antenna, Mobile Devices, ISP, BS, GPS, Electric Chargers, Occupant safety, Surround sensors, Brake control system, Electric power steering, CAN bus.]

Layers, from the silicon outward:

Hardware Root of Trust: security features in the silicon, for example Memory Scrambling, Execution Prevention, etc.; analog security monitoring under the CPU.

Hardware security building blocks: Platform boot integrity and Chain of Trust; Secure Storage (keys and data); Secure Communication; Secure Debug; Tamper detection and protection from side channel attacks.

Hardware security services that can be used by applications: Fast cryptographic performance; Device identification; Isolated execution; (Message) Authentication.

Software and Services: Over-the-Air Updates; IDPS / Anomaly Detection; Network enforcement; Certificate Management Services; Antimalware and remote monitoring; Biometrics.

Page 9: Automotive security (cvta)


Hardware Security Building Blocks

1. Verified boot
2. Secure Storage (encrypted flash)
3. Trusted Execution Environment (HSM)
4. Cryptographic Acceleration
5. Key Generation
6. Secure Clock
7. Monotonic Counters
8. True RNG
9. Unique device id
10. Secure Debug
11. Physical Tamper Detection and protection against side-channel attacks

[Layer diagram as on the previous slide, highlighting the Hardware Root of Trust and the hardware security building blocks: Platform boot integrity and Chain of Trust; Secure Storage (keys and data); Secure Communication; Secure Debug; Tamper detection and protection from side channel attacks. Defense in Depth.]

Page 10: Automotive security (cvta)


Software Security Services

Basic Cryptography:
Hash: SHA2, SHA3
Message Authentication Code (CMAC, HMAC): Generation, Verification
Signatures: Generation, Verification
Encryption/Decryption: Symmetric (CBC, CTR); Asymmetric ECC (25519, P-256, P-384, P-512, Brainpool)

Key Management:
Key Derivation Function (KDF): NIST 800-108
Secure Key and Certificate Storage: Access Management, Import/Export Services, Generation, Update
Key exchange protocols

Miscellaneous:
Compression/Decompression
Checksum
Random Number Generation
Secure Clock: Time stamping, Validity check for key data

[Layer diagram as on the previous slides, highlighting the Hardware Root of Trust and the hardware security services that can be used by applications: Fast cryptographic performance; Device identification; Isolated execution; (Message) Authentication. Defense in Depth.]
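As an added example (not code from the deck or from Intel), here is how two of the listed building blocks, the Message Authentication Code service and Monotonic Counters, combine to protect a CAN frame against the injection and replay that the research timeline documents. The 8-byte frame layout, the 16-bit transmitted counter and the 24-bit tag are assumptions chosen for illustration; HMAC-SHA256 stands in for CMAC because it is in the Python standard library.

```python
import hashlib
import hmac
import struct

# Assumed frame layout for an 8-byte classic CAN payload (constructed for
# this example): 3 data bytes | 2-byte counter (low 16 bits of a 64-bit
# monotonic counter) | 3-byte truncated tag. The tag binds CAN id, full
# counter and payload, so an injected frame needs the key and a replayed
# frame carries a counter the receiver has already moved past.
DATA_LEN, CTR_BITS, TAG_LEN = 3, 16, 3


def compute_tag(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """HMAC-SHA256 over (CAN id, full 64-bit counter, payload), truncated."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, can_id: int, data: bytes, counter: int) -> bytes:
    """Sender side; the caller increments counter by one per frame and never reuses it."""
    assert len(data) == DATA_LEN
    ctr_low = struct.pack(">H", counter & ((1 << CTR_BITS) - 1))
    return data + ctr_low + compute_tag(key, can_id, data, counter)


class Receiver:
    """Receiver side: remembers the highest counter accepted and never goes back."""

    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last_counter = key, can_id, 0

    def accept(self, frame: bytes):
        """Return the payload if the frame is fresh and authentic, else None."""
        data = frame[:DATA_LEN]
        (ctr_low,) = struct.unpack(">H", frame[DATA_LEN:DATA_LEN + 2])
        tag = frame[DATA_LEN + 2:]
        # Rebuild the full counter: the new value must exceed the last accepted
        # one, so if the low bits are not higher, the 16-bit field has wrapped.
        epoch = (self.last_counter >> CTR_BITS) << CTR_BITS
        candidate = epoch | ctr_low
        if candidate <= self.last_counter:
            candidate += 1 << CTR_BITS
        # A replayed or stale frame was tagged under a different counter than
        # the one reconstructed here, so it fails the same check as a forgery.
        expected = compute_tag(self.key, self.can_id, data, candidate)
        if not hmac.compare_digest(tag, expected):
            return None
        self.last_counter = candidate
        return data
```

If more than 2^16 frames are lost between two accepted ones, the receiver's counter reconstruction falls out of step and a resynchronization step (omitted here) is needed; the counter itself must live in the monotonic-counter or secure-storage block so it survives power cycles.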

Page 11: Automotive security (cvta)


Evolution of Technology and Security Solutions

1960s
Emerging concerns:
1. Interactive computing.
2. Time sharing.
3. User authentication.
4. File sharing via hierarchical file systems.
5. Prototypes of ‘computer utilities’.
Security Technologies:
1. Access controls
2. Passwords
3. Supervisor state

1970s
Emerging concerns:
1. Packet networks (ARPANET)
2. Local networks (LANs)
3. Communication secrecy and authentication
4. Object-oriented design
5. Multilevel security
6. Mathematical models of security
7. Provably secure systems
Security Technologies:
1. Public key cryptography
2. Cryptographic protocols
3. Cryptographic hashes
4. Security verification

1980s
Emerging concerns:
1. Adoption of TCP/IP protocols for the Internet
2. Exponential growth of Internet
3. Proliferation of PCs and workstations
4. Client-server model for network services
5. Viruses, worms, Trojans, and other forms of malware
6. Buffer overflow attacks
Security Technologies:
1. Malware detection (antivirus)
2. Intrusion detection
3. Firewalls

1990s
Emerging concerns:
1. World Wide Web
2. Browsers
3. Commercial transactions
4. Data repositories and breaches
5. Portable apps and scripts
6. Internet fraud
7. Web-based attacks
8. Social engineering and phishing attacks
9. Peer-to-peer (P2P) Networks
Security Technologies:
1. Virtual private networks (VPNs)
2. Public-key infrastructure (PKI)
3. Secure web connections (SSL/TLS)
4. Biometrics
5. 2-factor authentication
6. Confinement (virtual machines, sandboxes)

2000s
Emerging concerns:
1. Botnets
2. Denial-of-service attacks
3. Wireless networks
4. Cloud platforms
5. Massive data breaches
6. Ransomware
7. Malicious adware
8. Internet of things
9. Surveillance
10. Cyber warfare
Security Technologies:
1. Secure coding and development processes
2. Threat intelligence and sharing
3. Adware blocking
4. Denial-of-service mitigation
5. WiFi security

Page 12: Automotive security (cvta)


The Evolution of Malware

[Timeline (source: escrypt) from 1971 to 2020 across five domains: Auto, ICS, Mobile Phones, PC, Servers. Increasing digitalization and digital integration drives a Security Escalation in three stages: hypothetical vulnerabilities identified; security threats become relevant in practice; regular security breaches with severe damages.]

Events on the timeline: Creeper (1971); F. Cohen (1981); CCC BTX Hack (1984); Brain (1986); Morris Worm (1988); Michelangelo (1992); Leandro (1993); Tribe Flood DDoS (1998); Melissa (1999); Code Red (2001); SQL Slammer (2003); Sasser (2004); Cabir, Premium SMS Fraud (2008); DoS via SMS, DoCoMo (2008); ICS-CERT (2008); Conficker (2008); A5/1 Card Cracking (2009); CAESS (2010); Stuxnet and Duqu (2010/11); I Love You (2010); German Steel Plant (2014); IMSI Catcher, NSA iBanking (2014); Heartbleed (2014); NSA, PRISM, Regin (2014); GSM Interface Exploit (2015); ??? (2020).

Source: escrypt

Page 13: Automotive security (cvta)


Need for new Thinking about Security

“Every 30 years there is a new wave of things that computers do. Around 1950 they began to model events in the world (simulation), and around 1980 to connect people (communication). Since 2010 they have begun to engage with the physical world in a non-trivial way (embodiment – giving them bodies).” Butler Lampson, Microsoft Research

2010/2020s

Emerging concerns: Attacks against Cyber-Physical Systems (CPS):
1. Autonomous vehicles
2. Smart communities
3. Aviation and transportation
4. Robots
5. Drones
6. Infrastructure

Security Technologies:
1. Self-adaptive Systems which can evaluate and modify their own behavior to improve efficiency, and which can self-heal.
2. Multi-agent Systems, a loosely coupled network of software agents that interact to solve problems, are resilient and partition tolerant.
3. Artificial Intelligence (Genetic Algorithms)

Page 14: Automotive security (cvta)


Summary

1. Absolutely secure systems are impossible: with enough money and commitment any system can be broken.

2. Assume your system is compromised and build it so that it can recover.

Page 15: Automotive security (cvta)


Thank you!


Alan Tatourian, Security Architect, Advanced Driving Technologies, Intel; Founding Member, Automotive Security Review Board (ASRB); Member, SAE VESS, TCG, and NIST Cyber-Physical Systems Groups

[email protected]
