Transcript of: Cybersecurity for Connected Vehicle with AGL (Automotive Grade Linux) · 2018-12-05 · 16 pages

Page 1

Cybersecurity for Connected Vehicle with AGL (Automotive Grade Linux)

Paris, Dec/2018
Fulup Ar Foll, CEO & Lead Architect
[email protected]

Page 2

Dec-2018 Cybersecurity for Connected Vehicle with AGL 2

Who Are We?

Lorient, South Brittany

AGL

Page 3

Founded by Toyota, over 150 members

Page 4

Multi-Profiles Automotive Linux

● Today AGL Linux Profiles:
  ● IVI
  ● Telematics
  ● Cluster

● Native Cybersecurity
  ● Security foundation inherited from Tizen
  ● Fully transparent to developers
  ● Baked into the system, not removable

● Micro Architecture
  ● Open API oriented
  ● Service oriented

● Natively Distributed
  ● AGL to AGL
  ● AGL to Cloud
  ● AGL to RTOS

Page 5

AGL 6.0 Funky Flounder

[Architecture diagram, top layer to bottom layer:]

AGL applications: DASHBOARD, HOMESCREEN, LAUNCHER, MEDIAPLAYER, HVAC, MIXER, SETTINGS, RADIO, NAVIGATION, PHONE, POI, ...

AGL services: identity, unicens, persistence, homescreen, geoloc, vr/speech, vehicle 2 cloud, media, audio-4a, supervision/log, radio, window-manager, signalling, weather

Upstream services: gpsd, nfc, bluez, alsa, gstreamer, ...

AGL Security Framework (spans the application and service layers)

LINUX KERNEL: SystemD / Namespaces / CGroups, virt-io, network, ...

Page 6

Vehicle Software Becomes Critical

● Connected car
  ● Complex A/V
  ● Remote maintenance
  ● Real-time navigation

● Connected user
  ● Streaming music
  ● Social network
  ● Payment

● Driving help
  ● Self park
  ● Self driving
  ● …

● SW R&D rising cost
  ● 2015 ~ 35%
  ● 2020 ~ 50%

● Connectivity side effects
  ● Cyber security
  ● Mandatory SW maintenance
  ● …

● SW vs HW
  ● HW is a one-off
  ● SW is an open complexity
  ● SW maintenance ~70-80% of cost

Page 7

Why Secure Connected Cars?

● Automotive industry
  ● Limited knowledge and return of experience on being connected

● Attacking cars is complex & expensive
  ● Hackers have time & money
  ● Betting on hackers' lack of skill is a very risky bet
  ● One single small security hole might be enough

● Attacking cars is a viable business
  ● Expensive piece of equipment
  ● Huge mass market
  ● Enough customers with little technical knowledge to steal from

Page 8

Security Complexity Mitigation

● Security mechanisms might be short-circuited
  ● Lack of knowledge, performance
  ● Time-to-market, cost concerns

● The embedded security expert is a rare animal
  ● 9M mobile developers
  ● 8M web developers
  ● 0.5M embedded developers
  ● How many embedded security developers?

● Security cannot be added after the fact
  ● Must consist of built-in APIs & be transparent to applications
  ● Developers SHOULD NOT be in charge of security
  ● Baked in from day one: architecture, dev, QA, maintenance, etc.

Page 9

Make Sure We Run the Right Code

● Trusted Boot: a MUST-have feature
  ● Leverage hardware capabilities
  ● Small series & developer key handling

● Application Installation
  ● Verify integrity
  ● Verify origin
  ● Request user consent [privacy & permissions]

● Update
  ● Only signed updates with a trusted origin
  ● Secure updates on an already compromised device are a no-go option
  ● Factory reset built in from a trusted zone
  ● Do not leave back doors open via containers/hypervisors
  ● Strict control of custom drivers [in kernel mode everything is possible]
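An installer that applies the three installation checks above (verify origin, verify integrity, request user consent) in fail-closed order, as an added example that is not AGL's installer or package format. The package layout (a JSON manifest of file hashes and requested permissions plus a detached signature over the manifest), the permission names and the file contents are assumptions made for this demo; the RSA PKCS#1 v1.5 / SHA-256 signature is textbook code on the Python standard library so the script runs offline, whereas a real installer would use a vetted crypto library and a vendor key pinned in hardware-backed storage.

```python
"""Install-time checks for a signed package: origin, integrity, then consent.

Added example, not AGL's installer.  Assumed package format: a JSON manifest
(file hashes + requested permissions) plus a detached signature over it.  The
RSA PKCS#1 v1.5 / SHA-256 code is textbook, standard library only, so the script
runs offline; use a vetted library and a hardware-pinned vendor key for real."""
import hashlib
import hmac
import json
import math
import secrets

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (n is odd and large here)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=1024):
    """Return ((e, n), (d, n)).  1024 bits keeps the demo fast; use 3072+ for real keys."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _emsa_pkcs1_v15(data, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(private_key, data):
    d, n = private_key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")

def verify(public_key, data, signature):
    e, n = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(data, k))

def build_package(private_key, app_id, files, permissions):
    """Vendor side: hash every file into the manifest, then sign the manifest."""
    manifest = {"id": app_id, "permissions": sorted(permissions),
                "files": {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    return manifest_bytes, sign(private_key, manifest_bytes)

def check_package(vendor_pubkey, manifest_bytes, manifest_sig, files, consented):
    """Installer side, fail closed: no file is parsed or copied before the signature check."""
    if not verify(vendor_pubkey, manifest_bytes, manifest_sig):
        return False, "origin: manifest signature not from the trusted vendor key"
    manifest = json.loads(manifest_bytes)
    if set(files) != set(manifest["files"]):            # no extra or missing files
        return False, "integrity: file set differs from manifest"
    for name, digest in manifest["files"].items():
        if not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            return False, f"integrity: hash mismatch for {name}"
    missing = set(manifest["permissions"]) - set(consented)
    if missing:
        return False, "consent: not granted by user: " + ", ".join(sorted(missing))
    return True, "ok"

def demo():
    vendor_pub, vendor_priv = generate_keypair()
    files = {"bin/radio": b"\x7fELF constructed stand-in binary", "config.xml": b"<app id='radio'/>"}
    perms = {"urn:demo:permission:radio"}                # hypothetical permission name
    manifest, sig = build_package(vendor_priv, "radio", files, perms)
    tampered = dict(files, **{"bin/radio": files["bin/radio"] + b"\x90 backdoor"})
    _, attacker_priv = generate_keypair()                # not the pinned vendor key
    m2, s2 = build_package(attacker_priv, "radio", tampered, perms)
    m3, s3 = build_package(vendor_priv, "radio", files, perms | {"urn:demo:permission:can-bus"})
    return {                                             # name -> (accepted, reason)
        "genuine": check_package(vendor_pub, manifest, sig, files, perms),
        "tampered": check_package(vendor_pub, manifest, sig, tampered, perms),
        "wrong_key": check_package(vendor_pub, m2, s2, tampered, perms),
        "no_consent": check_package(vendor_pub, m3, s3, files, perms),
    }
```

demo() returns one accepted install and three rejections, each naming the check that stopped it: a tampered binary fails on its hash, a manifest re-signed with a non-vendor key fails on origin before any file is looked at, and a genuine package asking for a permission the user never granted fails on consent.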

Page 10

Cyber Resilient Architecture

● Smart multi-layer security architecture
  ● Breaking an application should not break a full layer
  ● Breaking a layer should not break the full system

● Compromised IDs / keys are lost for good
  ● Per-device unique ID
  ● Per-device symmetric keys
  ● Use HW ID protection

● Non-reproducibility of breakages
  ● Breaking into one car should not extend to all cars
  ● Dev/Debug I/O, sockets, … should be disabled
  ● No root password & no shared super-user RSA key
  ● Passwords, when used, should not be easy to compute
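One way to get the per-device keys and the "lost for good" revocation above, as an added example rather than AGL code. It assumes the backend keeps a fleet master secret in an HSM and only ever hands each car its own derived key, and that the device ID comes from a hardware-protected identifier (constructed strings stand in for it here); HKDF-SHA256 is written on hmac/hashlib so the script runs offline. The shared-key function at the end is the anti-pattern the slide warns about, kept for contrast.

```python
"""Per-device keys derived from a fleet master secret, with revocation.

Added example, not AGL code.  Assumptions: the master lives in the backend HSM
and each car is provisioned only with its own derived key; device IDs come from
a hardware-protected identifier (constructed here)."""
import hashlib
import hmac

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def device_key(master, device_id):
    """Key unique to one car; it reveals nothing about any other car's key."""
    return hkdf_sha256(master, b"agl-demo-device-key-v1", device_id.encode())

def device_sign(key, payload):
    """The car authenticates a telemetry payload to the backend."""
    return hmac.new(key, payload, hashlib.sha256).digest()

class Backend:
    """Fleet side: re-derives the per-device key instead of storing one per car."""

    def __init__(self, master):
        self._master = master          # stays inside the HSM in a real deployment
        self.revoked = set()

    def revoke(self, device_id):
        """Compromised ID/keys are lost for good: this ID is never trusted again."""
        self.revoked.add(device_id)

    def accept(self, device_id, payload, tag):
        if device_id in self.revoked:
            return False
        expected = device_sign(device_key(self._master, device_id), payload)
        return hmac.compare_digest(expected, tag)

def accept_with_shared_key(shared_key, payload, tag):
    """Anti-pattern: one fleet-wide key, so a key dumped from any car speaks for all."""
    return hmac.compare_digest(device_sign(shared_key, payload), tag)

def demo():
    master = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)   # constructed
    backend = Backend(master)
    car_a, car_b = "SOC-ID-A-0001", "SOC-ID-B-0002"                 # constructed HW IDs
    key_a = device_key(master, car_a)    # provisioned into car A at the factory
    msg = b'{"speed":52,"doors":"locked"}'
    results = {"a_genuine": backend.accept(car_a, msg, device_sign(key_a, msg))}
    # Attacker extracted key_a from car A and tries to speak under car B's identity.
    results["a_forges_b"] = backend.accept(car_b, msg, device_sign(key_a, msg))
    # The same extraction against a fleet that shares one symmetric key everywhere.
    shared = bytes.fromhex("deadbeef" * 8)                            # constructed
    results["shared_forgery"] = accept_with_shared_key(shared, msg, device_sign(shared, msg))
    # Once car A is known to be compromised, even its genuine traffic is refused.
    backend.revoke(car_a)
    results["a_after_revoke"] = backend.accept(car_a, msg, device_sign(key_a, msg))
    return results
```

With per-device derivation the backend holds no key table to leak, a key pulled from one car forges nothing for any other car, and revoking the car's ID closes the door for good; the shared-key variant accepts the forgery, which is exactly "breaking into one car extends to all cars".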

Page 11

Data Privacy & Business

● Tag data at collection time
● Segregate data paths
● Leverage existing Internet authentication
● Provide control to users
● Per-user encrypted persistent store
● Lazy synchronization with the cloud
● Filter data at the edge

Page 12

AGL Security Mechanisms

[Diagram: a legitimate application and a BlackHat application both try to reach a protected service and its resources and data.]

● Cynara helps to protect services: it checks the caller against the permission database; the legitimate application is GRANTED, the BlackHat application is DENIED.
● The Smack Linux security module, inside the LINUX KERNEL, helps to protect resources and data: the legitimate application is GRANTED access, the BlackHat application is DENIED.
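The two decision points in this diagram, modeled as an added example that is neither AGL's nor the kernel's code. smack_access() follows the decision order documented for the Smack LSM (a "*" subject gets nothing, a "*" object is open to all, same label is unrestricted, a "^" hat subject and a "_" floor object pass read/exec-only requests, then the loaded rules), and cynara_check() is a simplified stand-in for Cynara's (client, user, privilege) lookup with "*" wildcards and a deny default. The labels, rules and privilege names are constructed and only loosely follow AGL's naming.

```python
"""Models of the two access-control layers in the diagram above.

Added example, not AGL's or the kernel's code.  Labels, rules and privilege
names are constructed for the demo."""

SMACK_MODES = set("rwxatl")    # read, write, exec, append, transmute, lock

def load_smack_rules(text):
    """Parse 'subject object mode' lines (the format written to smackfs load2)."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith("#"):
            continue
        subject, obj, mode = parts
        rules[(subject, obj)] = set(mode) & SMACK_MODES     # '-' means no access
    return rules

def smack_access(rules, subject, obj, requested):
    """Kernel-side decision: may a task labeled `subject` do `requested` (e.g. 'rw') on `obj`?"""
    req = set(requested)
    if not req or not req <= SMACK_MODES:
        raise ValueError(f"bad access mode {requested!r}")
    if subject == "*":                       # a star subject can access nothing
        return False
    if obj == "*":                           # a star object is accessible to everyone
        return True
    if subject == obj:                       # same label: unrestricted
        return True
    if req <= {"r", "x"} or req == {"l"}:    # only read/exec (or lock-only) requests:
        if obj == "_" or subject == "^":     # floor object, hat subject
            return True
    return req <= rules.get((subject, obj), set())   # every requested bit must be in the rule

ALLOW, DENY = "ALLOW", "DENY"

def cynara_check(policies, client, user, privilege):
    """Service-side decision: the most specific matching policy wins; no match means DENY."""
    best, best_score = DENY, -1
    for (pc, pu, pp), decision in policies.items():
        if pc in (client, "*") and pu in (user, "*") and pp in (privilege, "*"):
            score = (pc != "*") + (pu != "*") + (pp != "*")
            if score > best_score:
                best, best_score = decision, score
    return best == ALLOW

# Constructed rule set: the radio app may read/exec system runtime files and
# owns the user's home data; the rogue app gets an explicit no-access entry.
SMACK_RULES = load_smack_rules("""
# subject      object        mode
App::radio     System::Run   rx
App::radio     User::Home    rwxat
App::evil      System::Run   -
""")

# Constructed permission database: (client label, user id, privilege) -> decision.
CYNARA_POLICIES = {
    ("App::radio", "1001", "urn:demo:permission:audio"):  ALLOW,
    ("*",          "*",    "urn:demo:permission:public"): ALLOW,
    ("App::evil",  "*",    "urn:demo:permission:public"): DENY,   # specific deny beats wildcard allow
}

def demo():
    """Legitimate vs BlackHat application against both layers."""
    s, c = SMACK_RULES, CYNARA_POLICIES
    return {
        "radio_reads_runtime":  smack_access(s, "App::radio", "System::Run", "rx"),
        "radio_writes_runtime": smack_access(s, "App::radio", "System::Run", "w"),
        "evil_reads_runtime":   smack_access(s, "App::evil", "System::Run", "r"),
        "evil_reads_floor":     smack_access(s, "App::evil", "_", "r"),
        "evil_writes_floor":    smack_access(s, "App::evil", "_", "w"),
        "evil_own_files":       smack_access(s, "App::evil", "App::evil", "rwx"),
        "radio_audio":  cynara_check(c, "App::radio", "1001", "urn:demo:permission:audio"),
        "evil_audio":   cynara_check(c, "App::evil", "1001", "urn:demo:permission:audio"),
        "radio_public": cynara_check(c, "App::radio", "1001", "urn:demo:permission:public"),
        "evil_public":  cynara_check(c, "App::evil", "1001", "urn:demo:permission:public"),
    }
```

The point of the two layers is visible in demo(): the rogue app still reads floor-labeled files and its own files (Smack denies only what no rule grants), but it cannot touch the runtime label it has no rule for, and at the service layer it is denied a privilege the radio app holds, with an explicit deny overriding a wildcard allow.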

Page 13

No Security Without Monitoring

● Monitor allows a client to debug and introspect itself
● Supervision is the extension that allows inspection of all binders, APIs and sessions
● Binders connect to the supervisor
● Access to the supervisor is restricted
● Capabilities of the supervisor are reduced on cars

[Diagram: several BINDERs, each connected to the SUPERVISOR]

Page 14

From Sensors to Infrastructure & Cloud

Page 15

Security: a Long Road to Go

● Minimize attack surface area
● Control the code which is run
● Provide a bullet-proof update model
● Apply security patches within days rather than weeks
● Leverage HW security helpers
● Isolate & compartmentalize wherever possible
● Development and QA with security turned on
● Incident analysis and reports
● Provide adequate tools to develop with security enabled
● Do not rely on humans but on the platform for security

Real facts and consequences

● Recall of 1.4M vehicles to fix vulnerabilities: estimated cost $1B
● Inestimable cost to the automotive industry: many people are still afraid to buy a connected vehicle
● NHTSA (Nat. Highway Traffic Safety Admin.): 2.8M navigation systems from the same manufacturer are in use in multiple cars

Page 16

Further Information

● Documentation:
  ● http://docs.automotivelinux.org

● Publications:
  ● https://iot.bzh/en/publications

● White Papers:
  ● https://iot.bzh/en/publications/17-2016/29-tizen-security-lessons-learnt
  ● https://iot.bzh/en/publications/17-2016/22-automotive-grade-linux-security-white-paper