Connected Cars, how safe are they?

The Connected Car


The “Internet of Things” promises a future fuelled by the art of the possible. Connected Cars which can talk to each other and access the Internet will provide on-board features that we can’t imagine yet. Predictive systems which bypass traffic jams, reduce carbon emissions and improve safety could become the norm. Find out more about the industry here: http://www.globalservices.bt.com/uk/en/industry_category/automotive-manufacturing


The “Internet of Things” promises a future fuelled by the art of the possible. Connected Cars which can talk to each other and access the Internet will provide on-board features that we can’t imagine yet. Predictive systems which bypass traffic jams, reduce carbon emissions and improve safety could become the norm.

However, there is an alternate version of reality. A version of reality that threatens the privacy, security and safety of everyone who shares the road with this “Smart Car”. In this reality, remotely connected vehicles are compromised with malware, subject to hijacking, untrusted and unsafe. Therefore, it is vital that the automotive industry, the regulators and thought leaders not only consider the potential of the Connected Car, but also recognise the vulnerabilities and the potential for abuse.

Introduction

BT Whitepaper: The Connected Car 2


Attack Surface and Threat Landscape

While the attack vectors of the Connected Car can mirror those of other networked computer systems, there are some unique challenges.

Here are a few of the key differences:

In fact, the Connected Car threat landscape closely resembles the profile of critical infrastructure systems like SCADA (Supervisory Control and Data Acquisition) networks or those used in manufacturing, the smart grid and energy production & distribution. These all have the following in common: embedded systems from multiple vendors developed in isolation; an assumption that they are deployed in “non-hostile” (secure) environments; and no practical way to patch them.

Whenever mechanical and digital systems are integrated or automated, new and novel threats must be considered, especially when human life is at stake.

Fact or Fantasy

As defenders build their threat catalogues, they need to consider three things: the asset being protected, the known attack surface and the adversary’s capabilities. Rarely can all of these be known to any degree of certainty at any given time. This forces defenders to be pragmatic in their operations but forward thinking in their architectural approach.

Defenders are well advised to consider theoretical vulnerabilities as part of their risk management practice, as a properly motivated and resourced adversary will develop a capability to exploit them. This allows for a more effective application of the predictive threat assessment methodology expressed in the diagram below.

Defenders must temper the hype associated with theoretical attack scenarios with the more likely general system failure risks associated with infected software.

How can defenders determine the right mix, given the unique challenges facing the connected car, without creating vehicles nobody wants to buy or trust? One approach would be to consider the most relevant theoretical vulnerabilities and the currently published research to create a list of attack types. These can provide the necessary context for the various stakeholders to have an intelligent conversation about the specific threat agent. What follows is not an exhaustive list but can provide a starting point for such conversations.


| Connected Cars | Typical Networked Computer |
|---|---|
| Computing resources are fixed for the lifetime of the vehicle – can’t rely on the car to protect itself | PCs and servers are replaced every 3 years or less, and can easily be upgraded |
| Updating vehicle software: can’t rely on persistent connectivity, some files are 1.3Gb and can’t be chopped up | Virus guard updates run in the background daily, with no disruption to end users |
| Vehicle data could be compromised and provide untrustworthy information | Computers are easier to physically secure |
| Multiple CPUs, all accessible via the OBD2 port; CPUs can share the same keys, and some don’t even support PKI | Single CPU, with no physical external access |
| VPNs are not designed to protect millions of entities outside a firewall | A VPN protects small numbers of employees accessing systems outside the normal firewall |
| Sub-systems in cars need to be able to talk freely to each other, even for Infotainment | Physical network separation can be provided |
| High overheads to keep an on-board signature database up to date; not all malware is relevant | Existing tools are mature and have little impact on computer processing |


TPMS Attacks:

TPMS stands for Tyre Pressure Monitoring Sensor. They are plugs that are installed inside of tyres. They communicate on a simple wireless communication protocol that sends a unique ID along with the tyre pressure, rotation and temperature. It is possible to cause unwarranted errors and send signals about the tyre pressure being low (or not being low) regardless of the tyre's actual state. Not only can the unique ID be used to monitor the location of the vehicle, it could be used to trigger targeted kinetic attacks such as improvised explosive devices that only detonate when the targeted vehicle is within the kill zone.

Car-Jacking

It is possible to hijack vehicles over the CAN bus system. The CAN (Controller Area Network) bus is a vehicle bus standard that uses a simple protocol allowing devices to communicate with each other without a host computer. CAN lines run throughout the entire vehicle and typically connect to around 150 sensors per vehicle. If an attacker can tap into any of these lines they can communicate directly with the car's other connected systems. In its crudest form, simply popping out a tail light to get to a CAN line, unlocking the door, then running the signals to start a car completely bypasses the immobiliser system. It’s not a stretch to believe that an adversary would desire the ability to launch this type of attack remotely. Many vendors provide such capabilities as premium services, which makes their management systems a very attractive target. Why take over a single vehicle when you can commandeer all of them?

Navigation & Infotainment systems

The motivation for much of the early research into modifying navigation systems was to repurpose the navigation screen to play movies and video games. One proof of concept changed the splash screen and the DVD warning message, and modified the binaries to allow for "backup" copies of the mapping software. Navigation systems are the same as any desktop system, except that they are often directly connected to the CAN bus network. This makes them especially susceptible to attacks. The security of such systems is rarely kept up to date.

ICSim

The Instrument Cluster Simulator was written as a teaching mechanism to understand and reverse engineer CAN bus packets. On the CAN bus every sensor can see every packet, with no indication of the source. This tool teaches students how to reverse engineer CAN packets by giving them random arbitration IDs and bytes on which the CAN bus system operates, as well as a game controller interface to control the car. The student can then use the controller to operate the simulated vehicle while sniffing the CAN bus packets, to practise finding and identifying packets.

https://github.com/zombieCraig/ICSim


Related Research

While not exclusively the domain of the Connected Car, smart phone hacking has implications for the security and safety of smart cars. A compromised phone connecting via Bluetooth, USB, Wi-Fi or some other method can become the delivery vehicle for common or custom malware. This can provide the attacker remote access to sensitive systems without the risk of physically attacking the car. Through a compromised phone, audio, video and location surveillance can also be carried out. GPS spoofing is another area of research to consider. By sending specially crafted GPS signals an attacker could reroute drivers via the “trusted” navigation systems.

Reasonable Response

Adversary’s Asymmetric Advantage

The asymmetric nature of the current attack & defend paradigm only adds to the defender's burden. They must be successful all of the time, while attackers only need to succeed once to gain a beachhead or pivot point. By monitoring the current state of public research one can track the shrinking gap between a theoretical vulnerability and a practical prototype. In many cases the hacking and open garage community is outpacing (arms race) the multi-billion dollar automotive industry.

Since there is no such thing as 100% security, risk/reward optimisation should be sought. This must be considered as part of the total cost of production and is closely related to safety and quality control throughout the vehicle life-cycle.

In parallel, a flexible capability to quickly detect [mean time to detection] and remediate [mean time to containment] the inevitable exploitation of the Connected Car must be developed.

Safety & Security by Design

We know that bad things can and will happen. We need to ensure that we prepare for the most impactful “bad things” and continually improve our capabilities to properly respond to the evolving threat posed by motivated adversaries.

Merging the disciplines of car safety and cyber security is not a trivial exercise. Its complexity represents a significant threat in its own right. However, it is needed, as they are no longer mutually exclusive domains! The engineering department needs to be directly connected to the security department. In many automotive firms engineering and electronics have their own people who look at "security", but the definitions tend to vary and lean more towards physical safety than cyber security. The internal IT department needs to ramp up its hardware capabilities and provide guidance to the engineers designing the components.


“Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack… remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft....”

http://www.autosec.org/pubs/cars-usenixsec2011.pdf


CAN Bus

The CAN (Controller Area Network) bus protocol uses arbitration IDs. An arbitration ID is a number that more or less represents a category. Each packet has up to 8 bytes. The goal of a CAN packet is to quickly send information to or from the appropriate sensor. The safety of CAN is focused on differential signalling, the idea of having a high and low signal to help eliminate noise on the line. When these protocols were developed the network was assumed to be closed and trusted; outside attacks were not considered a realistic threat to the protocol. Today there are many attack vectors: the CAN bus itself, and navigation systems with Wi-Fi, XM, GPS, Bluetooth and other wireless communication methods, all attached to the CAN bus.
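Detection logic for the stateless, source-less frames described above, as an added example that is not part of the whitepaper. It parses candump-style log lines (assumed format "(timestamp) interface ID#HEXDATA", as written by SocketCAN's candump -l), learns each arbitration ID's normal period from a known-good capture, then flags frames whose ID is unknown or that arrive far sooner than that period, which is what an injected frame interleaved with the genuine sender looks like on the bus. Both captures are constructed, not recorded from a vehicle.

```python
import re
from collections import defaultdict
from statistics import median

# candump -l style line: "(timestamp) interface ID#HEXDATA"
FRAME_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_frame(line):
    """Return (timestamp, arbitration id, data bytes), or None for a malformed line."""
    m = FRAME_RE.match(line.strip())
    if not m or len(m.group("data")) % 2:
        return None
    data = bytes.fromhex(m.group("data"))
    if len(data) > 8:  # a classic CAN frame carries at most 8 data bytes
        return None
    return float(m.group("ts")), int(m.group("id"), 16), data


def learn_periods(frames):
    """Median inter-arrival time per arbitration ID, learned from known-good traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, aid, _ in frames:
        if aid in last:
            gaps[aid].append(ts - last[aid])
        last[aid] = ts
    return {aid: median(g) for aid, g in gaps.items()}


def find_anomalies(frames, periods, factor=0.5):
    """Flag IDs never seen in the baseline, and frames that arrive far sooner than
    their ID's learned period (an injected frame interleaves with the genuine
    sender, so the gap collapses). Returns (ts, id, reason) tuples in bus order."""
    last, alerts = {}, []
    for ts, aid, _ in frames:
        if aid not in periods:
            alerts.append((ts, aid, "unknown id"))
        elif aid in last and ts - last[aid] < periods[aid] * factor:
            alerts.append((ts, aid, "rate spike"))
        last[aid] = ts
    return alerts


# Constructed known-good capture: 0x2B0 every 50 ms, 0x1A0 every 100 ms.
BASELINE = [f"({i * 0.05:.3f}) can0 2B0#{i:02X}00" for i in range(20)] + [
    f"({i * 0.1:.3f}) can0 1A0#{i:02X}" for i in range(10)
]
# Same traffic with two spoofed 0x1A0 frames and one frame from an unknown ID mixed in.
INJECTED = ["(0.420) can0 1A0#FF", "(0.520) can0 1A0#FF", "(0.610) can0 5F0#01"]
ATTACK = sorted(BASELINE + INJECTED, key=lambda l: float(l[1:l.index(")")]))


def run_demo():
    periods = learn_periods(parse_frame(l) for l in BASELINE)
    return find_anomalies((parse_frame(l) for l in ATTACK), periods)


if __name__ == "__main__":
    for ts, aid, reason in run_demo():
        print(f"{ts:.3f} 0x{aid:03X} {reason}")
```

A fixed 50% threshold is deliberately crude; real ECUs also send event-driven frames, so a production baseline needs per-ID tolerances rather than one factor.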

There are some fundamental architectural tenets and engineering practices we can adopt which can be very successful against the most significant class of attacks (control affinity). These simple approaches and practices can save lives in the connected car world and should be carefully considered:

The Automobile “Blackbox”

This is a read-only logging mechanism that is physically secure, resilient and tamper proof. Ideally the secure data would also be easily accessible by authorised parties, including the owner of the vehicle. This mechanism is great for forensics, but vehicle owners need to know what is being recorded because of the potential for privacy abuse. The data collected would also be useful for the community. New tools and capabilities could be developed by the community, further extending the value of the data beyond basic vehicle forensics.
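The tamper-evident property asked of the Blackbox above, as an added example that is not part of the whitepaper: a hash-chained, append-only log in which each entry commits to the hash of the entry before it, and the owner keeps the latest head hash out-of-band so that rewritten or truncated records are detectable. The logged events are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry


def _digest(prev_hash, body):
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(entries, ts, source, event):
    """Append an event whose hash commits to the previous entry's hash; return the new head."""
    prev = entries[-1]["hash"] if entries else GENESIS
    body = {"ts": ts, "source": source, "event": event, "prev": prev}
    entries.append({**body, "hash": _digest(prev, body)})
    return entries[-1]["hash"]


def verify(entries, expected_head=None):
    """Walk the chain. Returns (True, None) if intact, else (False, index) where index
    is the first entry whose link or hash is wrong; index == len(entries) means the
    chain is internally consistent but its head differs from the owner's copy
    (e.g. the tail was dropped and the chain re-terminated)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("prev") != prev or e.get("hash") != _digest(prev, body):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log():
    """Constructed events (not real vehicle data) as a body-control ECU might log them."""
    log = []
    head = GENESIS
    for ts, src, ev in [
        (1000.0, "BCM", "door unlock (key fob)"),
        (1001.5, "ECM", "engine start, speed 0"),
        (1002.0, "OBD", "diagnostic session opened on OBD-II port"),
        (1002.3, "CAN", "unexpected 0x1A0 frame rate spike"),
    ]:
        head = append(log, ts, src, ev)
    return log, head


def tamper_demo():
    """Intact log, a log with one entry rewritten, and a log with the tail removed."""
    log, head = build_sample_log()
    edited = copy.deepcopy(log)
    edited[2]["event"] = "no diagnostic activity"  # history rewritten in place
    truncated = copy.deepcopy(log[:3])             # tell-tale final entry dropped
    return verify(log, head), verify(edited, head), verify(truncated, head)
```

A chain alone only proves consistency; without the owner's out-of-band head (or a signature over it) an attacker with write access could simply rebuild every hash.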

A standardised logging format should be developed (see Standards). Using the OBD (On-board Diagnostics) port is not recommended for Blackbox functionality, because of its exposure to abuse by various actors, including law enforcement. There is a high risk of this system of record being inaccessible to the owners of the vehicle and only accessible to the car manufacturers and/or law enforcement. This is not the ideal situation. It is important to start treating vehicles the same way we treat other computing devices. The evidence needs to be recorded so that an attack can be verified; however, the owner of the vehicle needs a physical method to control how this information is used if we expect the public to trust these systems. If the owner wishes to share this information they can, but in the end it is *their* vehicle. If law enforcement requires access to the data they can go through the appropriate legal channels. This balances the needs of society and protects the privacy of the owner.

Layer 1

We have to acknowledge that physical security (layer 1) is now and will always represent a primary attack vector which will be exploitable. This should not come as a surprise to the reader, as car theft is an everyday occurrence. Therefore tactics and controls that have a high degree of affinity and effectiveness when executed properly should be considered in any Connected Car play book. From a cyber standpoint, physically protecting the CAN lines from easy outside exposure should be a priority. We must make it difficult to simply pop out a tail light to splice into the CAN bus to achieve an easy hack. Keep CAN lines away from easy access from outside the vehicle. Full stop!

Standards

The industry should consider opening up vehicle-specific protocol information for owners and researchers. This will crowd-source findings and provide new solutions. Immobiliser systems need to be open and auditable. They should use the same standards developed for web-based authentication mechanisms. Proprietary encryption did not work for network authentication and it will not work for the automotive industry. Longer term, CAN needs to be updated to support a more standard secure protocol. This protocol should have sender info, support encryption and have separate lines to use for larger packets. Small quick packets will always be necessary, but a new CAN bus protocol and/or additional CAN buses could provide physical and virtual segregation of data.


M2M

Secure Machine to Machine (M2M) communications present some unique challenges. In most sensor networks, speed of communications and limited processing power require very efficient communications protocols. Security is often an afterthought. Machines can’t enter passwords but they can use signed certificates. The proper implementation of certificates requires Public Key Infrastructure (PKI) for the life-cycle management of certificates. On the web we have learned that using standards in encryption and authentication methods is ultimately more secure than the outdated notion of security through obscurity. Besides authentication, certificates can also be used to support encrypted communications between devices. Another technique, known as “white listing”, can be used to limit which devices are authorised to communicate with each other. This technique doesn’t work well in Internet security applications but can be very effective in closed systems like the Connected Car.

Embrace the Community

Often new tools can be written by the community faster and with an “outside of the box” perspective. One only needs to look at the success and impact of the Open Source software movement to understand the potential. The simple act of maintaining a Responsible Disclosure web page for security researchers to submit findings creates value. It shows a forward thinking attitude to modern security research and provides a communication path to the community. Public researchers should be considered an asset to be cultivated and embraced. They are not the enemy. The enemy wouldn't tell you about your issues but instead would use them against you.

Comprehensive Correlation Engine

The Connected Car sensors provide limited security relevance by themselves, as CAN packets do not have state. However, when combined with other contextual data, correlation techniques and modelling, predictive capabilities can be developed. Therefore, some form of automated threat modelling should be developed. By modelling complex interactions in ways we haven’t previously, we can identify conditions that would cause systematic failure affecting security and safety.

Open Garages Movement

As the community of researchers, small independent garages and general public interest in Connected Cars grows, so does the art of the possible. The following community contributions warrant further study to better understand their impact on safer connected cars:

• SocketCAN - Linux based CAN drivers/sniffers

• CAN in the Middle - HW CAN injection tool

• CANiBUS - Multiuser web based CAN monitoring tools

• rusEFI - Open source ECU system/replacement

• CHT - CAN Hacking Tool

• GoodThopter - CAN Bus Sniffing HW

• Arduino CAN Shields - CAN Bus sniffing HW

• Kayak – CAN Bus diagnosis and monitoring

Call to Action

The automotive industry must understand the evolving threat landscape. Bringing new features, services and amenities to market also introduces new risks to security, privacy and safety. This is the nature of progress and intra-domain convergence.

The automotive industry should embrace the community and even the odds of the adversary’s unfair advantage. They must understand that cyber security has a direct impact on vehicle safety. Software and embedded security systems need to be tested the same way we test other safety standards. On top of normal crash tests we need to see if a malicious adversary can also intentionally cause a remote crash.

The automotive industry needs to share the details of the CAN packets as well as the wiring diagrams. Embracing the maker movement will not only increase sales but also increase safety.


About the Authors

Craig Smith

Craig Smith is the CEO of Theia Labs, core founder of Hive13 Hackerspace and founder of OpenGarages. He has specialised in security and reverse engineering for over 20 years. He has spent the last 4 years working with the automotive manufacturers and research companies on vehicle infrastructure security. He has taught car hacking classes at the US Cyber Camps and is the author of the 2014 Car Hacker's Manual.

Bryan K. Fite

A committed security practitioner and entrepreneur, Bryan is currently the Global Innovations Product Manager for Assure Intelligence at British Telecom (BT). Having spent over 25 years in mission-critical environments, Bryan is uniquely qualified to advise organisations on what works and what doesn’t.

Bryan has worked with organisations in every major vertical throughout the world and has established himself as a trusted advisor. “The challenges facing organisations today require a business reasonable approach to managing risk, trust and limited resources while protecting what matters.”

Offices worldwide

The services described in this publication are subject to availability and may be modified from time to time. Services and equipment are provided subject to British Telecommunications plc’s respective standard conditions of contract. Nothing in this publication forms any part of any contract.

British Telecommunications plc 2014. Registered office: 81 Newgate Street, London EC1A 7AJ. Registered in England No: 1800000

27 June 2014