No Safety Without Security - EICAR · Threats come from a variety of sources, including...


Cyberphysical Systems


No Safety Without Security

EICAR WG 2, 2017, Bonn, Peter Stelzhammer


About Us

▪ Auditing of IT Security Solutions

▪ Detailed, High-quality Test Results

▪ Independent Tests

▪ Leader in Innovation

Our Customers

• Leading IT Security Vendors

• Leading Analysts

• Leading IT Security Magazines


Is there a secure car?


We found at least ONE secure car

▪ It is not safe, but it is secure: no hack known as of today


Hacking is becoming a bigger issue, fact.


Fifteen of the most hackable and exposed attack surfaces on a next-generation car.


Ecosystem and infrastructure of the next-generation car


Who to fight

▪ Researchers and hobbyists

▪ Pranksters and hacktivists

▪ Owners and operators

▪ Organized crime

▪ Nation-states

▪ Automotive Industry – can you trust this industry?


Possible vulnerabilities and exposures

▪ Use of a publicly available communication infrastructure

▪ Networking with vehicle on-board systems

▪ Use of applications and services from third-party providers over the Internet

▪ Running security-related applications (such as navigation) and third-party applications in parallel

▪ The control over communication infrastructure and applications in the vehicle thus moves from the vehicle manufacturer to new providers of Internet access and applications.

▪ These circumstances make the vehicle a potential target for known Internet threats such as viruses, worms, Trojans, DoS and buffer-overflow attacks.


Supply Chain Security

▪ No electronic product today is created by a single company. Hardware and software components, development tools, manufacturing, product assembly, and verification testing may all be provided by one or more suppliers.

▪ Counterfeiting of electronic parts and components is a big problem in the automotive industry, with significant product security implications. Supplier quality engineers are a common role in the automotive industry, and supplier security engineers may soon join their ranks.

▪ Cost of security will likely join cost of quality in the decision-making process. Detecting and avoiding infiltration of tainted or counterfeit parts is necessary to maintain the trust and integrity of the security architecture.

▪ More specifically, it is necessary to prevent well-funded criminal or nation-state groups from gaining physical access to hardware used in the car.


Examples

▪ Fake Wi-Fi for OTA and remote control

▪ Fake updates via USB, e.g. entertainment system

▪ Vulnerable 3rd party software

Figure labels: CAN, LIN, FlexRay, Ethernet (© Trillium)


OTA – a major attack vector

▪ Tesla's OTA upgrade improved the all-electric Model S's 0-60 mph time by about one-tenth (0.1) of a second.

▪ Tesla CEO Elon Musk tweeted about the upgrade, saying it was an update to the inverter algorithm.

▪ An inverter changes direct current electricity to alternating current.


Remote Controlled Car


Fake Wi-Fi connection needed


Stealth DoS Attack Against CAN Bus

▪ A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks

▪ A security flaw that could affect millions of cars has been identified, with researchers warning that there may be no fix available to protect susceptible vehicles. The exploit works by overloading the so-called CAN, or “car device network”, which connects all of the different aspects of modern vehicles together. With the right code, essential parts of the car’s safety features – such as the airbags or antilock brakes – could be forced offline.

▪ CAN bus needs to be overhauled

▪ Unfixable for existing cars!!!


▪ A Wireless Hack Can Unlock 100 Million Volkswagens and other brands

- They can’t fix it

▪ Tesla sensor-jamming

▪ Hackers Hijack a Big Rig Truck’s Accelerator and Brakes

▪ J1939 open standard

▪ “If you wanted to hijack someone’s car you’d have to know the brand and model and tailor the attack. With trucks, it’s all open, so you can just craft one attack.”


Physical Hacking

Safety and security must be combined


SELF-DRIVING CARS CAN BE HACKED BY STICKERS

University of Washington, University of Michigan, Stony Brook University, and UC Berkeley


Defense


Adopting Existing Standards And Ecosystems

▪ Taking Advantage of Security Standards and Best Practices: Standards and industry best practices, developed in automotive and related fields, can contribute to more secure automotive environments.

▪ Automotive and cybersecurity ecosystems need to engage in discussion and development of best practices for designing, developing, and deploying security solutions. The two systems need to understand the difference between safety and security.

▪ Automotive safety is a probabilistic science with measured and identified risks and components built to mitigate those risks. Production practices and repair practices give customers confidence that the safety mechanisms are in place and operating correctly. Computer security is not probabilistic.

▪ Threats come from a variety of sources, including intentionally malicious and unintentionally malignant. The goal of security therefore is to mitigate threats both before they occur and after they happen. The security landscape has to mitigate these threats over the entire lifecycle of the product, from early design decisions through manufacturing to operation and decommissioning.


Leveraging Standards

▪ ISO/IEC 9797-1: Security techniques – Message Authentication Codes

▪ ISO/IEC 11889: Trusted Platform Module

▪ ISO 12207: Systems and software engineering – Software life cycle processes

▪ ISO 15408: Evaluation criteria for IT security

▪ ISO 26262: Functional safety for road vehicles

▪ ISO 27001: Information Security Management System

▪ ISO 27002: Code of Practice – Security

▪ ISO 27018: Code of Practice – Handling PII / SPI (Privacy)

▪ ISO 27034: Application security techniques

▪ ISO 29101: Privacy architecture framework

▪ ISO 29119: Software testing standard

▪ IEC 62443: Industrial Network and System Security

© Intel


Is it already real? Not now, but….

▪ August 2016: “Two researchers have found that they could plug their laptop into a network cable behind a Tesla Model S's driver's-side dashboard, start the car with a software command, and drive it,” Wired reported.

Wouldn't you see that if you were in the driver's seat?

▪ No hacker has ever taken remote control of a stranger's car. Not once. It's extraordinarily difficult to do. It takes teams working full-time to find a way to do it. Until now.

▪ We can't prevent this, but we can make it more difficult.


All car models will be hacked, period


▪ Sources:

▪ TrendMicro

▪ Intel Security

▪ Trillium

▪ Brian Krebs

▪ University of Washington and Innsbruck

▪ If you are missing as a source, let us know and we will add you immediately.