Transcript of: Cybersecurity for Connected Vehicle with AGL (Automotive Grade Linux), 2018-12-05
Cybersecurity for Connected Vehicle with AGL (Automotive Grade Linux)
Paris, Dec/2018. Fulup Ar Foll, CEO & Lead Architect
Dec-2018Cybersecurity for Connected Vehicle with AGL 2
Who Are We?
Lorient South Brittany
AGL
Founded by Toyota, over 150 members
Multi-Profiles Automotive Linux
● Today's AGL Linux profiles:
  ● IVI
  ● Telematics
  ● Cluster
● Native cybersecurity
  ● Security foundation inherited from Tizen
  ● Fully transparent to developers
  ● Baked into the system, not removable
● Micro architecture
  ● Open API oriented
  ● Service oriented
● Natively distributed
  ● AGL to AGL
  ● AGL to Cloud
  ● AGL to RTOS
AGL 6.0 Funky Flounder
[Architecture diagram, layers from top to bottom]
● AGL applications: Dashboard, Homescreen, Launcher, Mediaplayer, HVAC, Mixer, Settings, Radio, Navigation, Phone, POI, ...
● AGL services: identity, unicens, persistence, homescreen, geoloc, vr/speech, vehicle 2 cloud, media, audio-4a, supervision/log, radio, window-manager, signalling, weather
● Upstream services: gpsd, nfc, bluez, alsa, gstreamer, ...
● LINUX KERNEL: virt-io, network, ...
[Side columns spanning the layers: AGL Security Framework; systemd / namespaces / cgroups]
Vehicle Software Becomes Critical
● Connected car: complex A/V, remote maintenance, real-time navigation
● Connected user: streaming music, social network, payment
● Driving help: self park, self driving, ...
● SW R&D rising cost: 2015 ~ 35%, 2020 ~ 50%
● Connectivity side effects: cyber security, mandatory SW maintenance, ...
● SW vs HW: HW is a one-off; SW is an open-ended complexity; SW maintenance is ~70-80% of the cost
Why Securing Connected Cars?
● Automotive industry: limited knowledge and little field experience with being connected
● Attacking cars is complex & expensive, but hackers have time & money
  ● Betting on a lack of attacker skill is a very risky bet
  ● One single small security hole might be enough
● Attacking cars is a viable business
  ● Expensive piece of equipment
  ● Huge mass market
  ● Enough customers with little technical knowledge to steal from
Security Complexity Mitigation
● Security mechanisms may get short-circuited
  ● Lack of knowledge, performance concerns
  ● Time-to-market, cost concerns
● The embedded security expert is a rare animal
  ● 9M mobile developers
  ● 8M web developers
  ● 0.5M embedded developers
  ● How many embedded security developers?
● Security cannot be added after the fact
  ● Must consist of built-in APIs and be transparent to applications
  ● Developers SHOULD NOT be in charge of security
  ● Baked in from day one: architecture, development, QA, maintenance, etc.
Make Sure We Run the Right Code
● Trusted boot: a MUST-have feature
  ● Leverage hardware capabilities
  ● Small series & developer key handling
● Application installation
  ● Verify integrity
  ● Verify origin
  ● Request user consent [privacy & permissions]
● Update
  ● Only signed updates from a trusted origin
  ● Secure updates on an already compromised device are not an option: a factory reset must be built in from a trusted zone
  ● Do not leave back doors open via containers/hypervisors
  ● Strict control of custom drivers [in kernel mode everything is possible]
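The trusted-boot bullet above, as an added worked example (not AGL code and not from this deck): a digest-based chain of trust in which each stage carries the reference measurement of the stage it will hand control to, and the very first reference is the one a boot ROM would read from fuses. The four stage names, the image layout (32-byte successor digest followed by the payload) and the tampered kernel are all constructed for the illustration.

```python
import hashlib
import hmac

DIGEST_LEN = 32   # SHA-256 digest size


def measure(image: bytes) -> bytes:
    """Measurement of a boot image: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def build_stage(payload: bytes, next_image: bytes = b"") -> bytes:
    """Constructed image layout: 32-byte expected digest of the NEXT stage,
    then the stage's own payload. The last stage embeds an all-zero digest."""
    next_digest = measure(next_image) if next_image else bytes(DIGEST_LEN)
    return next_digest + payload


def build_chain(payloads):
    """Assemble stages from last to first so every stage can embed the digest
    of its successor. Returns the images in boot order."""
    images = []
    successor = b""
    for payload in reversed(payloads):
        successor = build_stage(payload, successor)
        images.insert(0, successor)
    return images


def verify_chain(rom_digest: bytes, images) -> dict:
    """Walk the chain the way a boot ROM and each loader would: measure the
    stage about to run, compare it with the reference handed down by the
    previous (already trusted) stage, and halt on the first mismatch."""
    expected = rom_digest           # reference the factory burned into ROM / eFuses
    verified = []
    for index, image in enumerate(images):
        if not hmac.compare_digest(measure(image), expected):
            return {"ok": False, "verified": verified, "halted_at": index}
        verified.append(index)
        expected = image[:DIGEST_LEN]   # a trusted stage names its own successor
    return {"ok": True, "verified": verified, "halted_at": None}


def demo():
    """Genuine chain versus a chain whose kernel image was replaced in flash."""
    payloads = [b"SPL", b"U-Boot", b"kernel+initramfs", b"rootfs-manifest"]   # constructed
    images = build_chain(payloads)
    rom_digest = measure(images[0])          # what the factory would fuse in
    genuine = verify_chain(rom_digest, images)
    tampered = list(images)
    # attacker keeps the successor digest so stage 3 still "looks" right,
    # but the payload no longer matches what stage 1 vouched for
    tampered[2] = images[2][:DIGEST_LEN] + b"kernel+rootkit"
    return genuine, verify_chain(rom_digest, tampered)


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine chain :", ok)
    print("tampered chain:", bad)
```

A pure digest chain like this cannot serve the "only signed updates" bullet: replacing the kernel legitimately would require rebuilding every earlier stage that embeds its digest, right down to the fused root. That is why production chains anchor a public key (or its hash) in hardware and have each stage verify a signature over the next image instead, so an update only needs a new signature, not a new ROM reference.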
Cyber Resilient Architecture
● Smart multi-layer security architecture
  ● Breaking an application should not break a full layer
  ● Breaking a layer should not break the full system
● Compromised IDs / keys are lost for good
  ● Per-device unique ID
  ● Per-device symmetric keys
  ● Use HW ID protection
● Non-reproducibility of breakages
  ● Breaking into one car should not extend to all cars
  ● Dev/debug I/O, sockets, ... should be disabled
  ● No root password & no shared super-user RSA key
  ● Passwords, when used, should not be easy to compute (not derivable from public identifiers such as a serial number)
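The "per-device symmetric keys" and "breaking into one car should not extend to all cars" bullets, as an added example that is not AGL code: a backend derives one key per vehicle and per purpose from a master secret with HKDF (RFC 5869, HMAC-SHA256), provisions only the derived key into the car, and later authenticates the car with a challenge-response. A key lifted from vehicle A cannot answer for vehicle B, and it reveals nothing about the master. The salt label, the VIN-style device IDs and the master secret are constructed for the illustration.

```python
import hashlib
import hmac
import os

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256; empty salt means HashLen zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_key(master_secret: bytes, device_id: bytes, purpose: bytes) -> bytes:
    """Per-device, per-purpose key. The master never leaves the backend HSM;
    only the derived key is provisioned into the vehicle, ideally into a
    hardware key store. HKDF is one-way, so a leaked derived key gives no path
    back to the master or sideways to another vehicle's key."""
    prk = hkdf_extract(b"agl-fleet-keys-v1", master_secret)   # hypothetical salt label
    info = b"device=" + device_id + b";purpose=" + purpose
    return hkdf_expand(prk, info, HASH_LEN)


def device_respond(device_key: bytes, challenge: bytes) -> bytes:
    """Vehicle side: answer a backend challenge with its own provisioned key."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def backend_authenticate(master_secret: bytes, device_id: bytes,
                         challenge: bytes, response: bytes) -> bool:
    """Backend side: re-derive the key the claimed device should hold and
    compare in constant time. No per-device key database is needed."""
    key = derive_device_key(master_secret, device_id, b"auth")
    return hmac.compare_digest(device_respond(key, challenge), response)


def demo():
    """Two vehicles, one stolen key: A authenticates as A, not as B."""
    master = hashlib.sha256(b"constructed master secret, HSM-resident in reality").digest()
    key_a = derive_device_key(master, b"VIN-A", b"auth")
    key_b = derive_device_key(master, b"VIN-B", b"auth")
    challenge = os.urandom(16)
    return {
        "keys_differ": key_a != key_b,
        "a_as_a": backend_authenticate(master, b"VIN-A", challenge, device_respond(key_a, challenge)),
        "a_as_b": backend_authenticate(master, b"VIN-B", challenge, device_respond(key_a, challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

Deriving rather than storing per-device keys keeps the backend's secret footprint to one HSM-held master, and a compromised vehicle is handled by revoking its ID: since that ID is the only input that distinguishes its keys, nothing else in the fleet has to be re-keyed.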
Data Privacy & Business
● Tag data at collection time
● Segregate data paths
● Leverage existing Internet authentication
● Provide control to users
● Per-user encrypted persistent store
● Lazy synchronization with the cloud
● Filter data at the edge
AGL Security Mechanisms
[Diagram: a legitimate application and a BlackHat application, both trying to reach a protected service and the underlying resource and data, on top of the LINUX KERNEL]
● Cynara, backed by the permission database, helps to protect services: the legitimate application is GRANTED, the BlackHat application is DENIED
● The Smack Linux security module helps to protect resources and data: the legitimate application is GRANTED, the BlackHat application is DENIED
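The two checks drawn on the slide, as an added toy model that is not the AGL or Tizen implementation: a Smack-style label policy evaluated in the documented order of the Smack LSM rules (star and hat subjects, floor and star objects, same-label access, then explicit rules), and a Cynara-style permission database keyed by (client label, user, privilege) with default deny. The application labels, the `System::Vehicle` data label, the privilege string and the rule set are constructed for the illustration; real Cynara wildcard and bucket semantics are richer than the lookup shown here.

```python
SMACK_MODES = set("rwxatl")   # read, write, execute, append, transmute, lock


class SmackPolicy:
    """Label-based mandatory access control in the style of the Smack LSM (simplified)."""

    def __init__(self, rules_text=""):
        self.rules = {}           # (subject label, object label) -> set of granted modes
        self.load(rules_text)

    def load(self, text):
        """Parse rules in the 'subject object modes' form fed to smackload."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            subject, obj, modes = line.split()
            modes = set() if modes == "-" else set(modes)
            if modes - SMACK_MODES:
                raise ValueError(f"bad access modes in rule: {line}")
            self.rules[(subject, obj)] = modes

    def allowed(self, subject, obj, access):
        """Evaluate one request following Smack's documented rule ordering."""
        access = set(access)
        if subject == "*":                                # star subject: always denied
            return False
        if subject == "^" and access <= {"r", "x"}:       # hat subject: r/x anywhere
            return True
        if obj == "_" and access <= {"r", "x"}:           # floor object: r/x for everyone
            return True
        if obj == "*":                                    # star object: always allowed
            return True
        if subject == obj:                                # same label: allowed
            return True
        # otherwise an explicit rule must grant every requested mode
        return access <= self.rules.get((subject, obj), set())


class CynaraPolicy:
    """Permission database: (client label, user, privilege) -> ALLOW/DENY (simplified)."""
    ALLOW, DENY = "ALLOW", "DENY"

    def __init__(self):
        self.db = {}

    def set_policy(self, client, user, privilege, result):
        self.db[(client, user, privilege)] = result

    def check(self, client, user, privilege):
        # most specific entry wins, "*" acts as a wildcard, and nothing means DENY
        for key in ((client, user, privilege), (client, "*", privilege),
                    ("*", user, privilege), ("*", "*", privilege)):
            if key in self.db:
                return self.db[key]
        return self.DENY


# --- constructed policy for the illustration -------------------------------
VEHICLE_PRIV = "urn:AGL:permission::public:vehicle-signals"   # hypothetical privilege name
RESOURCE_LABEL = "System::Vehicle"                            # hypothetical label on the data
SERVICE_LABEL = "System"                                      # label the service runs under

SMACK_RULES = """
# subject                 object           modes
User::App::mediaplayer    System::Vehicle  r
System                    System::Vehicle  rw
"""


def build_policies():
    smack = SmackPolicy(SMACK_RULES)
    cynara = CynaraPolicy()
    cynara.set_policy("User::App::mediaplayer", "*", VEHICLE_PRIV, CynaraPolicy.ALLOW)
    return smack, cynara


def protected_service_call(smack, cynara, client_label, user):
    """What the protected service does: ask Cynara before serving the API,
    then touch the resource under its own label, which the kernel checks."""
    if cynara.check(client_label, user, VEHICLE_PRIV) != CynaraPolicy.ALLOW:
        return False
    return smack.allowed(SERVICE_LABEL, RESOURCE_LABEL, "r")


def evaluate(app_label, user="1001"):
    """Outcome of both paths on the slide for one application label."""
    smack, cynara = build_policies()
    return {
        "resource": smack.allowed(app_label, RESOURCE_LABEL, "r"),     # direct access to data
        "service": protected_service_call(smack, cynara, app_label, user),
    }


if __name__ == "__main__":
    for app in ("User::App::mediaplayer", "User::App::blackhat"):
        print(app, evaluate(app))
```

The point of the two layers is that neither check is in the application's hands: the label is set by the installer, the kernel enforces Smack on every open, and the service asks Cynara before it acts. A BlackHat application that bypasses the service and goes straight for the data still hits the kernel check, and one that calls the service still hits the permission database.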
No Security Without Monitoring
● Monitor allows a client to debug and introspect itself
● Supervision is the extension that allows inspecting all binders, APIs and sessions
● Binders connect to the supervisor
● Access to the supervisor is restricted
● Capabilities of the supervisor are reduced on cars
[Diagram: several BINDER instances connected to one SUPERVISOR]
From Sensors to Infrastructure & Cloud
Security: a Long Road to Go
● Minimize attack surface area
● Control the code which is run
● Provide a bullet-proof update model
● Apply security patches within days rather than weeks
● Leverage HW security helpers
● Isolate & compartmentalize wherever possible
● Development and QA with security turned on
● Incident analysis and reports
● Provide adequate tools to develop with security enabled
● Do not rely on humans but on the platform for security
Real Facts and Consequences
● Recall of 1.4M vehicles to fix vulnerabilities: estimated cost $1B
● Inestimable cost to the automotive industry: many people are still afraid to buy a connected vehicle
● NHTSA (National Highway Traffic Safety Administration): 2.8M navigation systems from the same manufacturer are in use in multiple cars
Further Information
● Documentation: http://docs.automotivelinux.org
● Publications: https://iot.bzh/en/publications
● White papers:
  ● https://iot.bzh/en/publications/17-2016/29-tizen-security-lessons-learnt
  ● https://iot.bzh/en/publications/17-2016/22-automotive-grade-linux-security-white-paper