Security Vulnerabilities of the Connected Car
Presented by Peter Vermaat Principal ITS Consultant 24/06/2015
Agenda
1. About TRL
2. What is the issue?
3. Security Analysis
4. Consequences of a Cyber attack
5. Concluding remarks
TRL – Transport Research Laboratory www.trl.co.uk
Est. 1933 (RRL Harmondsworth)
Independent Privatised company since 1996
320+ staff including many world recognised experts
Head office in Crowthorne, UK
- Offices in Manchester, Scotland, Wales and the Middle East, Nigeria
TRL is an internationally recognised centre of excellence providing world-class research, consultancy, testing and certification for all aspects of transport.
TRF, which owns TRL, is a non-profit-distributing foundation with >80 sector members and no shareholders.
Early research
Our Work
Safety
Environment
Vehicle Safety and Engineering
International Development
Infrastructure
Transportation
Investigations and Risk Management
TRAFFIC STRESS IN 2016
Software
Simulators
Driver behaviour
Certification Blood alcohol
Risk
Track Tests
What is the issue?
Complexity of vehicles has increased dramatically, particularly in the last few years, for example…..
MM Wiring Diagramme
MM Wiring Diagramme
Ford Focus 2011
Complexity
Vehicles becoming externally connected
All have access via OBD port,
- But this requires physical access
Multiple radio channels
- Short range (Key access, Bluetooth, TPMS)
- Longer range (Cellular, Wi-Fi, ITS G5/WAVE, V2X)
- Increasingly connected vehicles provide multiple access opportunities
Diverse markets and technologies
Increasing loss of control by manufacturers
Timescale diversity
Connected vehicle applications
“Day 1” applications
- Hazard Warnings (road works, incidents, weather etc)
- eCall
- ISA
- ADAS, LDWS, ACC
- Intelligent parking, logistics
- Emergency braking systems
Intersection warnings
Vulnerable road users
“Green” applications
Automated driving
- Platooning
- Increasing roll-out over time
Security Analysis
Communications security
- Hackers attempt to Prevent, Intercept or Manipulate communications
- Motivated by
- Fame/Notoriety/Activism (black hat, anonymous)
- Enrichment (cyber criminals, fraudsters)
- Damage and destruction (cyber terrorists)
Requirements of Secure Communications
- Authentication
- Confidentiality
- Integrity
- Availability
Security Analysis
Risk analysis – the following need to be assessed
- Attractiveness of target
- Technical weakness
- Threat surface – entry points to the system
- Threat vector – how the attack can take place
- Cost of attack
- Damage which can be inflicted by an attack
Defence options
- For each vector, consider where attacks can happen and how to mitigate and prevent
- Defence options include physical protection, encryption, authentication
Security Analysis - Vulnerabilities
Vulnerability Analysis in Literature
- A small number of publications directly addressing connected vehicles
- Successful hacks so far have largely required physical access
- Though BMW remote vulnerability has been found
- Researchers have successfully accessed vehicles via GSM
- One study concluded connected car no more secure than internet connected computers
Security Analysis - Vulnerabilities
Components
- Back doors, OBD port
Data
- Who owns data collected by vehicles?
- Personal information may not be collected
- Individual and cooperating vehicles
- Automated driving
- Financial manipulation
- Traffic disruption
Vehicle peripheral devices
- Remote locking, use of increasingly sophisticated attacks
Infrastructure
- Potential for misinformation
- eCall DDOS
Consequences of Cyber-attack
Individual Vehicles
- Data
- Misinformation
- Control, particularly automated driving
Plenty of evidence that this is already possible
- Key fobs compromise
- Attacks into systems
Consequences of Cyber-attack
Cooperative vehicles
- Data - potential for V2V extraction
- Misinformation – could be used to gain individual advantage, disrupt traffic flow
- Control – potential for serious incidents
First significant cooperative systems close to reality
Consequences of Cyber-attack
Infrastructure
- Data
- Misinformation, particularly probe vehicle data
- Control, particularly as infrastructure becomes dynamically controlled
Some scope for financial gain
Concluding remarks
Feasibility of remote access has been demonstrated
Future connected car solutions are evolving rapidly (Apple CarPlay, Google Auto…..)
Vehicle manufacturers losing control of the electronic subsystems within the vehicle
Specific areas of concern:
- Threats to platooning vehicles
- Threats to infrastructure as a result of V2I
- eCall vulnerabilities and variants
- Uses of data collected from vehicles
Do You Have Any Questions?
Thank you Cooperative vehicles ETSI Security Week
Presented by Peter Vermaat
Principal ITS Consultant Tel: +44 1344 770561