Page 1:

EXTERNAL USE

NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. © 2016 NXP B.V.

RICHARD SOJA

OTTAWA, CANADA, 20 MAY 2016

INTERNATIONAL CRYPTOGRAPHIC MODULE CONFERENCE

CONNECTED CAR SECURITY FOR V2X

Page 2:

THE CONNECTED CAR … A cloud-connected computer network on wheels

• A networked computer
  − up to 100 ECUs per car
  − and many sensors
  − inter-connected by wires
  − more and more software

• Increasingly connected to its environment
  − to vehicles & infrastructure
  − to user devices
  − to cloud services

[Diagram of vehicle interfaces: 802.11p (V2V, V2I), Radar, LF/UHF Remote Keyless Entry, NFC, Portable Device Connectivity, Ethernet / CAN / FlexRay / LIN, Digital Radio / Satellite Radio, Radio Data Services]

Page 3:

… IS AN ATTRACTIVE TARGET FOR HACKERS …

Easy Access
• Fully Connected Car
• External & internal interfaces
• Wired & wireless interfaces

High Vulnerability & Impact
• Increasing number of nodes
• More advanced features
• X-by-Wire

Valuable Data
• Collection of data/info
• Storage of data
• Diagnostic functions

[Diagram labels: Protect Privacy, Prevent unauthorized Access, Increase Safety, Cloud Connection, In-Vehicle E&E, Car2X, Consumer Device Integration]

Page 4:

… WITH HIGH PUBLIC AWARENESS

[Slide of press headlines, e.g. "The Scary Things Hackers Can Do to Your Car". Sources: BBC News, CNN, abc News, NBC News, CBS News, The Wall Street Journal]

Page 5:

DEFENSE IN DEPTH – Securing the Vehicle’s Electronics Architecture

• Multiple security techniques, at different levels in the architecture
• To mitigate the risk of one component of the defense being compromised or circumvented

Goals (columns): Prevent access – Detect attacks – Reduce impact – Fix vulnerabilities
Layers (rows): SECURE PROCESSING – SECURE NETWORK – SECURE INTERFACES

Measures placed in this matrix:
• Authenticate code (secure boot)
• Firewalls (context-aware message filtering)
• Secure messaging
• Separate / isolated domains within network
• M2M authentication
• Firewalls (isolate access points)
• Secure OTA firmware updates
• Resource control (virtualization)
• Intrusion detection systems (IDS)
• Secure OTA policy updates (firewall, IDS)
• Run-Time Integrity Protection

Page 6:

NXP AUTOMOTIVE VEHICLE SECURITY ARCHITECTURE (4+1 SOLUTION)

NXP #1 in Auto HW Security

4-Layer Cyber Security Solution

Plus ‘Best In Class’ Car Access Systems

Recognized Thought & Innovation Leader

Partner of Choice for OEMS, T1s & Industry Alliances

Page 7:

CAR CONTROL SYSTEMS

[Diagram of the in-vehicle network. Buses: Ethernet; Body CAN (HSCAN/FTCAN); Powertrain CAN / FlexRay (HSCAN/FlexRay); Instrument CAN; LIN (LIN 1.3/2.x); Diagnosis CAN or Ethernet. Legend: Secure MCU / IVN security / No security / Secure Element. External connectivity: cloud services over 3G/4G; BLE, NFC, WPC.]

ECUs shown: door control (front left, front right, …), HVAC main, park heating, top column module, parking sensors, rear power module, level sensor, garage opener, heater fan, front power module left/right, wiper control, steering sensors, engine control, drive-by-wire, anti-lock brake, transmission control, (adaptive) cruise control, headlight control, steer-by-wire, stability control, rain light sensor, immobilizer, lighting switch, flapper 1, flapper 7, start/stop, key, antenna, roof module, interior lighting, car access module, AFS, energy manager, seat control, LED ambient, infotainment units, power steering, airbag control, data recorder (EDR, tacho), airbags, NFC, mPOS, V2X, dashboard, gateway(s) / BCM(s), ADAS.

Page 8:

SECURITY HARDWARE – what are the options?

| ECU security requirements | Incremental cost* | Applications |
| (none) | (none) | Body & Comfort: HVAC, seat control, … |
| secure IVN comm.; firewalling (shield) | + | Stability & safety: airbag, ABS/ESP, … |
| secure firmware; secure IVN comm.; firewalling (shield) | ++ | ADAS / self-driving: X-by-wire, valet parking, … |
| tamper-resistant M2M authentication | ++ | M2M authentication: payment, car access via phone, … |
| secure firmware; secure IVN comm.; firewalling (shield); tamper-resistant M2M authentication | +++ | Advanced interfaces: V2X / Telematics, connected gateway, … |

* compared to the non-secure configuration (leftmost)

ECU hardware configurations shown (each ECU sits on the IVN):
• No security: MCU + TRX
• Secure Element: MCU + SE + TRX
• Hybrid security: Secure MCU + SE + TRX
• Secure transceiver: MCU + ST
• Secure MCU: Secure MCU + TRX

ECU - Electronic Control Unit; MCU - Microcontroller Unit; TRX - Transmitter/Receiver Interface; IVN - In Vehicle Network; ST - Secure Transceiver; SE - Secure Element

Page 9:

FUNCTIONAL vs. PHYSICAL SECURITY

Physical attacks are difficult… but they may lead to remote (scalable) attacks!

Functional Security
– Standard crypto toolbox
– Virtualization techniques
– HW accelerators
– Firewalls
– …
Remote (Logical) Attacks – Attack Potential: (enhanced) basic

Physical Security
– Protection against side-channel analysis (timing, power, EM, etc.)
– Protection against fault injection
– Protection against reverse engineering
– HW-SW co-design
– …
Local (Physical) Attacks: Fault Injection Attacks, Information Leakage Attacks – Attack Potential: moderate to high

[Diagram labels: SE, HSM]

Page 10:

SECURITY HARDWARE FEATURES AND THEIR APPLICATION

Secure Boot

Chain of Trust

Symmetric Key Crypto Functions

Asymmetric Key Crypto Functions

EVITA 1, 2, 3 Compliance

SHE Protocol

FOTA updates

AES, RSA, ECC, SHA cryptographic hardware accelerators

True Random Number Generators

Pseudo Random Number Generators

Security Life-cycle Management

Password Protected Debug Access

Password Protected Flash Prog.

Secret Key Storage

Zeroised memory

Tamper proof flash reprogramming audit trail

Side Channel Attack Countermeasures

Trust Zone

Permanently Secure Flash Regions

Page 11:

SECURE ELEMENT – OVERVIEW

• A tamper-resistant platform, that protects against physical attacks
  − Proven security, via 3rd party evaluation and certification (Common Criteria)
• Securely hosts security applications and their confidential data
  − Banking cards, electronic passports, V2X, Telematics, …
• Provides secure crypto processing
  − AES, RSA, ECC, TRNG, …
• And secure key- and certificate handling
  − Generate and store secret keys
  − Store and validate Certificates
  − Manage security profiles

[Diagram labels: Application Processor, SIM, NFC]

Page 12:

SECURITY THROUGHOUT THE ENTIRE LIFECYCLE

• Increased security level at each stage of the development lifecycle
• Non-reversible, non-revocable
• Enable application development, debugging and failure analysis
• Without compromising security in the production vehicle

[Chart: Security Level (y-axis) over the Vehicle Lifecycle (x-axis); stages shown: Out of Fab, Application Development, In Field, Vehicle Production, Field Return]

Page 13:

V2X APPLICATION

Page 14:

SECURING V2X COMMUNICATIONS

PRIVACY: Can others track me while driving? A high degree of anonymity (identity hiding) is required to prevent tracking.

SECURITY: Was the message not modified? Did it really originate from car A? Can I trust car A? Car and message authentication are required to prevent traffic disruption or impersonation.

[Diagram of use cases: Hazard Warning (Vehicle-to-Roadside communication), Seeing around corners (Inter-vehicle communications), Emergency Vehicle Warning, Emergency Event]

Page 15:

SECURING V2X COMMUNICATIONS – Performance & Security requirements

• Digital signature: ECDSA P-256 (~ RSA 3072 / AES 128)
  − for authentication (sender identity, content integrity)
  − and non-repudiation (no plausible deniability)
• Performance level:
  − broadcast (TX) up to 20 safety messages / s
  − receive (RX) many more messages (100-1000 / s)
• Security level:
  − secret key material (pseudo-identities) involved in signature generation (TX)
  − only public key material involved in signature verification (RX)
• Architecture driven by separation of concerns:
  − Secure Element: highly-secure message signing and ID management (TX)
  − Verification accelerator: high-speed message verification (RX)

|                | TX                                                | RX                           |
| Operation      | Signature generation                              | Signature verification       |
| Rate           | Low: ≤ 20 / s                                     | High: 100-1000 / s           |
| Security level | High: protection of private keys (= car identity) | Modest: only non-secret data |
|                | TX = 1:N                                          | RX = N:1                     |

[Diagram: the sender signs "Hello!" once; each of the N receivers verifies it; public key exchange can be part of the message]
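The TX/RX split above (a Secure Element signs with secret pseudonym keys; receivers verify using only the public key carried in the message), as an added Go example that is not part of the deck or of any NXP implementation. The SafetyMessage format, the round-robin pseudonym rotation and the Signer/Verify names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// SafetyMessage is a constructed stand-in for a broadcast V2X safety message.
type SafetyMessage struct {
	Payload []byte
	PubKey  *ecdsa.PublicKey // pseudonym public key, carried in the message
	Sig     []byte           // ASN.1 ECDSA P-256 signature over SHA-256(Payload)
}

// Signer models the TX side (Secure Element) and rotates pseudonym keys for unlinkability.
type Signer struct {
	pseudonyms []*ecdsa.PrivateKey
	next       int
}

// NewSigner provisions n pseudonym key pairs (in a car: generated inside the Secure Element).
func NewSigner(n int) (*Signer, error) {
	s := &Signer{}
	for i := 0; i < n; i++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		s.pseudonyms = append(s.pseudonyms, k)
	}
	return s, nil
}

// Sign picks the next pseudonym, signs the digest and attaches its public key.
func (s *Signer) Sign(payload []byte) (SafetyMessage, error) {
	k := s.pseudonyms[s.next%len(s.pseudonyms)]
	s.next++
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return SafetyMessage{Payload: payload, PubKey: &k.PublicKey, Sig: sig}, err
}

// Verify models the RX side (verification accelerator): it touches no secret,
// only the public key in the message, so it can run at the high RX rate.
func Verify(m SafetyMessage) bool {
	h := sha256.Sum256(m.Payload)
	return m.PubKey != nil && ecdsa.VerifyASN1(m.PubKey, h[:], m.Sig)
}
```

A receiver that trusts whatever key arrives in the message only gets integrity and pseudonym-consistency; in a deployed system the pseudonym key is bound to a certificate chain, which is the ID management the Secure Element handles.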

Page 16:

CLOUD SERVICES

Page 17:

FIRMWARE OVER THE AIR (FOTA) CHALLENGES

• Automobiles are cyber-physical devices
  − A bad FOTA can have dangerous consequences
• Security should be examined holistically from end-to-end
  − Perhaps modeled on PCI§ security standards
• Traditionally, security belonged in the IT domain
  − Embedded Systems Designers need to acquire this skill set
• Legal restrictions on OEM access to private vehicle information
  − e.g. California denies OEMs access to DMV records

§ Payment Card Industry

[Diagram of the FOTA chain: OEM Server → cellular link (non-repudiated and secure data transfer) → Central In-vehicle FOTA Server (e.g. Telematics Unit, Gateway; secure NVM storage, tamper-proof hardware audit trail) → authenticated data transfer → In-vehicle FOTA Clients (e.g. Powertrain ECU; secure NVM storage, tamper-proof hardware audit trail)]

Page 18:

SUMMARY

• Security must be designed into the system architecture definition
  − Embedded Systems Designers need to acquire security skill sets
• End-to-end security solutions must be developed
  − From sensor authentication to secure communication to the cloud.
• Hardware security accelerators and architectural components are needed
  − For performance, but also to withstand more advanced (physical) attacks
• Security lifecycle management must be integrated
  − Through the entire product lifecycle, from system development to end-of-life.
• Companies with a solid history and highly skilled workforce in both Automotive Electronics and Security Technology will have the greatest success in the Connected Car market

Page 19:

THANK YOU!

Securely!

Telematics Solutions (i.MX Applications Processors)

Embedded MCUs and Applications Processors (with integrated communication interfaces, e.g. CAN/CANFD, FlexRay, LIN, MediaLB, Ethernet and Application layer Software stacks)

Automotive Gateway Solutions (MPC5xxx, S32G MCUs)

[email protected]
