Approaches for Connected Vehicle Security
Manabu Nakano, Ph.D. September 9, 2013
Security Engineering Laboratory, IT Security Center,
Technology Headquarters
Information-technology Promotion Agency, Japan (IPA)
APCOSEC 2013
Contents
・Introduction
・IPA’s Activities
・Analysis of Vehicle Security
・Proposals for Secure Vehicle
・Conclusion
Introduction
Background of the needs for vehicle security
Vehicle-Internet collaboration through new media such as “Smartphones”
“Standardization” of on-vehicle systems
Emergence of new use models, such as “electric vehicles” and “car sharing services”
・The environment is becoming one in which crackers can attack vehicle systems more easily.
・IPA conducted a threat analysis using the concept of the “IPA Car”.
Information-technology Promotion Agency, Japan (IPA)
Government Organization under the Ministry of Economy, Trade and Industry (METI)
Chairman: Kazumasa Fujie
In the IT Security Center, our missions are…
・Information Security Vulnerability Mitigation
・Virus Mitigation and Unauthorized Access Prevention
・Cryptography Research and Evaluation
・Technology Development and Research
・IT Security Evaluation and Certification
http://www.ipa.go.jp/security/vuln/documents/10threats2011_en.pdf
http://www.ipa.go.jp/security/vuln/documents/website_security_en.pdf
Deliverable
Promoting Security in JAPAN
IPA’s Activity to Raise Security Awareness
of Embedded Systems including Vehicle
Internet of Things
More devices are connected with the Internet than ever. More threats are beginning to show up everywhere.
[Figure: devices connected to the Internet: Vehicle, SmartPhone, Digital TV, Game Machine]
Security Awareness Initiatives for Embedded Systems
・Study of Security Improvement with Embedded Device Makers
・Publication of Security Guidelines for Embedded Systems
・Seminars for Embedded System Security
http://www.ipa.go.jp/security/fy22/reports/electronic/electronic1102_en.
http://www.ipa.go.jp/security/fy22/reports/emb_app2010/emb_guide_fy22_eng.pdf
Analysis by IPA
• IPA released “Approaches for Vehicle Information Security” this March.
• To analyze security issues in vehicles, IPA looked at them from two perspectives:
– 1. “What kind of attacks and countermeasures for vehicles are feasible?”
– 2. “How to approach security in the vehicle’s lifecycle?”
IPA Analysis of Threats against
Vehicles (1/11)(First Perspective)
• Procedure of Vehicle Security Analysis in IPA
– 1. Organize the things that connect with the vehicle
– 2. Analyze the functions of the vehicle
• We have defined the “IPA Car” to consider the vehicle’s threats
– 3. Organize the information in the vehicle
– 4. Analyze the vehicle’s threats
– 5. Study countermeasures that can be used in the vehicle
A similar analysis approach was also performed for “Information Appliances”.
IPA Analysis of Threats against
Vehicles (2/11)(First Perspective)
We have to organize everything that could connect to the vehicle.
Because a vehicle connects to many services and devices, attackers and malware could appear in various places. As technology develops, connections that are not assumed at present may become possible.
IPA Analysis of Threats against
Vehicles (3/11)(First Perspective)
[Figure: in-vehicle system and attack paths. Labels: Attacker, Malware. Function groups: Drive (Power Train: engine, transmission etc.), Vehicle Body (Body: meter, air conditioner, window etc.), Safety Controller (Chassis: brakes, steering, collision-avoidance feature etc.), Infotainment (AV, car navigation system, ETC, real-time traffic information etc.), Fault Diagnosis Equipment (OBD). Networks: In-Car Network for Control Purpose (CAN (A/B/C), LIN, FlexRay etc.), In-Car Network for Multimedia (MOST etc.), Dedicated Network (Beacon (VICS), DSRC (ETC) etc.), General-Purpose Network (Wi-Fi, Internet etc.)]
1. Approaches the vehicle and directly attacks it. (Pretending to be the owner or masquerading as a security guard etc.)
2. Potential threats in carry-on equipment. (Carried-in device, computer virus etc.)
3. Intrudes into the system or the device via an external network and attacks it.
IPA classified attacks against vehicles into the following three categories:
– 1 “Proximity” Attack
– 2 “Intermediate” Attack (through carried-in devices)
– 3 “Network” Attack
IPA Analysis of Threats against
Vehicles (4/11)(First Perspective)
[Figure: the “IPA Car” model. Categories: 1. Basic Control Functions, 2. Extended Functions, 3. Common Functions. Function groups (labelled A. to I.): Drive Train System, Chassis System, Body, Safety & Comfort, Inspection & Maintenance*1, ITS Functions, Telematics, Infotainment, Plug-In Devices. Plug-in devices: Smartphone, PND, PC, Tablet, Player, Memory/HDD, Hands-Free, Remote Control, Diagnostic Tool, Ecometer, Custom Meter. Interfaces: Bluetooth, Wireless LAN, USB, OBD-II etc.]
*1 Inspection & Maintenance: Can be embedded in onboard devices, such as ECU.
When thinking about threats against vehicles, it is necessary to sort out the functions in a vehicle.
However, there are various methods of classifying the functions in a vehicle, depending on the manufacturer or type of vehicle.
→ IPA performed threat analysis on a hypothetical vehicle, named the “IPA Car”
IPA Analysis of Threats against
Vehicles (5/11)(First Perspective)
[Figure: the “IPA Car” model (same diagram as on slide 4/11)]
Basic Control Functions
・The most basic functions of a car, which control it to move, turn and stop
・Cyber attacks against these functions will directly result in car accidents, so they must be the most secure among the functions
・If necessary, they should be protected by blocking communications with other functions using a firewall
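The firewall idea in the bullets above, as an added example that is not from the IPA slides: a default-deny gateway check for frames heading from the other functions to the bus of the Basic Control Functions. The CAN IDs, payload lengths, rate limits and names (fw_check, rule_t, frame_t) are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model: a frame arriving at the gateway from the Extended or
 * Common function side, addressed to the Basic Control Functions bus. */
typedef struct { uint32_t id; uint8_t dlc; uint32_t t_ms; } frame_t;

/* One allow-list rule; every CAN ID and limit below is a made-up placeholder. */
typedef struct {
    uint32_t id;          /* exact CAN identifier permitted to cross     */
    uint8_t  dlc;         /* required payload length for that identifier */
    uint32_t min_gap_ms;  /* minimum spacing between forwarded frames    */
    uint32_t last_ms;     /* arrival time of the last forwarded frame    */
    int      seen;        /* 0 until the first frame has been forwarded  */
} rule_t;

enum verdict { FW_FORWARD, FW_DROP_ID, FW_DROP_LEN, FW_DROP_RATE };

static rule_t rules[] = {
    { 0x3A0u, 2, 100u, 0u, 0 },  /* hypothetical: cruise set-speed request */
    { 0x3B1u, 1, 500u, 0u, 0 },  /* hypothetical: drive-mode selection     */
};

/* Default deny: a frame with no matching rule never reaches the basic
 * control bus, whatever its source on the other side of the gateway. */
enum verdict fw_check(const frame_t *f)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        rule_t *r = &rules[i];
        if (r->id != f->id)
            continue;
        if (f->dlc != r->dlc)
            return FW_DROP_LEN;              /* wrong length for this ID */
        if (r->seen && (uint32_t)(f->t_ms - r->last_ms) < r->min_gap_ms)
            return FW_DROP_RATE;             /* flooding is not relayed  */
        r->last_ms = f->t_ms;
        r->seen = 1;
        return FW_FORWARD;
    }
    return FW_DROP_ID;
}

/* Counts how many frames of a trace the gateway would forward. */
size_t fw_count_forwarded(const frame_t *trace, size_t n)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        if (fw_check(&trace[i]) == FW_FORWARD)
            ok++;
    return ok;
}
```

Dropped frames do not update the rate-limit timestamp, so a flood cannot push back the next legitimate frame.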
[Figure: the “IPA Car” model (same diagram as on slide 4/11)]
Extended Functions
・The functions that improve comfort and convenience in driving for the driver
・Due to their nature, they often communicate with the outside world and are likely standardized
・As ITS develops further, various changes will be made and security measures need to be
implemented accordingly
IPA Analysis of Threats against
Vehicles (7/11)(First Perspective)
[Figure: the “IPA Car” model (same diagram as on slide 4/11)]
Common Functions
・The devices carried in by the drivers, such as smartphones and PCs
・Since many kinds of services are available and they process various information, these
functions are likely targeted by attackers and used as intrusion points to the on-vehicle system
・Common security measures will be effective and how much they can be implemented will be the
key
IPA Analysis of Threats against
Vehicles (8/11)(First Perspective)
• Clarify the objects to protect
– What do you want to protect from the attacker?
– The value of what you want to protect determines the cost of the measures.
• Difference between vehicle systems and information systems
– Availability is more important than confidentiality.
– A “safe stop” is a prerequisite, because the focus is on life.
Objects that should be protected | Description
Operation of functions | Execution environment of the “Basic Control Functions”.
Information unique to the vehicle | Information which is unique to the car body (vehicle ID, device ID, etc.), authentication code.
Vehicle status information | Data representing the vehicle's status such as location, running speed, and destination.
User information | Personal information, billing information, etc.
Software | Software which is related to the vehicle's functions.
Contents | Data for applications for video, music, map, etc.
Configuration information | Setting data for the behavior of hardware, software, etc.
IPA Analysis of Threats against
Vehicles (9/11)(First Perspective)
[Figure: the “IPA Car” model with yellow boxes listing the feasible threats for each function group; the assignment of boxes to function groups is not recoverable from this transcript. Threats named in the boxes: misconfiguration, misoperation, information leak, user information leak, bugging, DoS attacks, virus infection, unauthorized access, unauthorized use, malicious settings.]
The functions that have ports to exchange data with the outside world are exposed to security threats just like PCs. The yellow boxes show the kinds of attacks that seem feasible as of this moment.
On the other hand, as of today, no techniques to directly and remotely attack the vehicle control systems have been reported.
As seen in overseas research, there is a risk that an attacker may not attack the vehicle control systems directly but may affect them by exploiting a vulnerable system as a stepping stone.
IPA Analysis of Threats against
Vehicles (10/11)(First Perspective)
• How will the security measures be implemented?
– First, we consider applying the security technology common in information systems to vehicle security.
• Some knowledge of information systems security is useful.
• Security measures that were not effective in information systems may be effective in the vehicle.
→ Several measures are introduced in the IPA’s Approaches
– Next, study security that specializes in vehicles
• Analysis of security measures appropriate to the protocols of powered vehicles
IPA Analysis of Threats against
Vehicles (11/11)(First Perspective)
IPA’s Approach for Vehicle’s Lifecycle
(1/3)(Second Perspective)
Management: Things the manufacturer should always do
• Drawing up Security Rules
• Providing Security Education
• Collecting and Disseminating Security Information
Planning: Phase for planning the entire life cycle
• Formulating Requirement Definition Considering Security
• Securing Security-Related Budget
• Security Consideration When Outsourcing System Development
• Responding to Threats Posed by the Adoption of New Technologies
Development: Phase for developing the system
• Designing
• Security Measures Phase
• Security Assessment and Debugging
• Preparing Web Contents to Provide Information to Users
IPA’s Approach for Vehicle’s Lifecycle
(2/3)(Second Perspective)
Operation: Phase in which the embedded system is used as a product, after it is in the hands of the user
• Handling Security Issues
• Providing Information to Users and Those Involved in Vehicles
• Leveraging Vulnerability Information
Disposal: Phase in which the embedded system is disposed of or recycled, for reasons such as replacement or failure
• Drawing up and Disseminating Disposal Policy
If you want to know more information,
Please check the
“Approaches for Vehicle Information Security” https://www.ipa.go.jp/files/000033402.pdf
• To help automobile-related organizations work on security, we divided them into levels 1-4, based on their awareness of security, whether the organization has security rules, and the structure of the organization.
– Level1: No security effort is made.
– Level2: Security effort is relegated to the on-the-spot personnel, and the security issues are dealt with separately at each project.
– Level3: Security effort is considered as an organizational issue, and a security policy is drawn up and enforced.
– Level4: Security effort is considered as an organizational issue, and a security policy is drawn up and enforced.
IPA’s Approach for Vehicle’s Lifecycle
(3/3)(Second Perspective)
• Security analysis of products and services of your organization :
• Understanding of their organization :
• Recognition of improvement points
How to use this Approach
Proposal:
Total & Continuous Security Countermeasures
[Figure: Service Provider, Car Maker, Driver; Personal Information Protection, Smart Phone Security, Safety and Security; Secure Driving with IPA Car]
Conclusion:
・The threat analysis of vehicles has only just started
・It is necessary for various players to work on the threats that vehicles face and the countermeasures against them from their respective viewpoints
・To do that, the concept of the IPA Car will be useful
・IPA hopes to collaborate with various players like you and to work further on the threat analysis
[Figure: Safety & Secure Driving in ITS World. Labels: Accidents, Driver’s Mistakes, Attackers, Safety, Security]
IPA would like to present a concept of the
”IPA Car” as a basis to discuss vehicle security.