Insert the title of your presentation here

Presented by Name Here Job Title - Date

Security Vulnerabilities of the Connected Car

Presented by Peter Vermaat Principal ITS Consultant 24/06/2015

Page 2

Agenda

About TRL

What is the issue?

Security Analysis

Consequences of a Cyber attack

Concluding remarks

1

2

3

4

5

TRL – Transport Research Laboratory www.trl.co.uk

Est. 1933 (RRL Harmondsworth)

Independent Privatised company since 1996

320+ staff including many world recognised experts

Head office in Crowethorne, UK

- Offices in Manchester, Scotland, Wales and the Middle East, Nigeria

TRL is an internationally recognised centre of excellence providing world-class research, consultancy, testing and certification for all aspects of transport.

TRF, which owns TRL, is a non-profit-distributing foundation with >80 sector members and no shareholders.

Early research

Page 4

Our Work

Safety

Environment

Vehicle Safety

and Engineering

International

Development

Infrastructure

Transportation

Investigations and

Risk Management

TRAFFIC STRESS IN 2016

Software

Simulators

Driver behaviour

Certification Blood alcohol

Ris

k

Track Tests

Page 6

What is the issue?

Page 7

Complexity of vehicles has increased dramatically, particularly in the last few years, for example…..

MM Wiring Diagramme

Page 8

MM Wiring Diagramme

Page 9

Ford Focus 2011 Page 10

Complexity

Page 11

Vehicles becoming externally connected

All have access via ODB port,

- But this requires physical access

Multiple radio channels

- Short range (Key access, Bluetooth, TPMS)

- Longer range (Cellular, Wi-Fi, ITS G5/WAVE, V2X)

- Increasingly connected vehicles provide multiple access opportunities

Diverse markets and technologies

Increasing loss of control by manufacturers

Timescale diversity

Connected vehicle applications

Page 12

“Day 1” applications

- Hazard Warnings (road works, incidents, weather etc)

- eCall

- ISA

- ADAS, LDWS, ACC

- Intelligent parking, logistics

- Emergency braking systems

Intersection warnings

Vulnerable road users

“Green” applications

Automated driving

- Platooning

- Increasing roll-out over time

Security Analysis

Page 13

Communications security

- Hackers attempt to Prevent, Intercept or Manipulate communications

- Motivated by

- Fame/Notoriety/Activism (black hat, anonymous)

- Enrichment (cyber criminals, fraudsters)

- Damage and destruction (cyber terrorists)

Requirements of Secure Communications

- Authentication

- Confidentiality

- Integrity

- Availability

Security Analysis

Page 14

Risk analysis – the following need to be assessed

- Attractiveness of target

- Technical weakness

- Threat surface – entry points to the system

- Threat vector – how the attack can take place

- Cost of attack

- Damage which can be inflicted by an attack

Defence options

- For each vector, consider where attacks can happen and how to mitigate and prevent

- Defence options include physical protection, encryption, authentication

Security Analysis - Vulnerabilities

Page 15

Vulnerability Analysis in Literature

- A small number of publications directly addressing connected vehicles

- Successful hacks so far have largely required physical access

- Though BMW remote vulnerability has been found

- Researchers have successfully accessed vehicles via GSM

- One study concluded connected car no more secure than internet connected computers

Security Analysis - Vulnerabilities

Page 16

Components

- Back doors, OBD port

Data

- Who owns data collected by vehicles?

- Personal information may not be collected

- Individual and cooperating vehicles

- Automated driving

- Financial manipulation

- Traffic disruption

Vehicle peripheral devices

- Remote locking, use of increasingly sophisticated attacks

Infrastructure

- Potential for misinformation

- eCall DDOS

Consequences of Cyber-attack

Page 17

Individual Vehicles

- Data

- Misinformation

- Control, particularly automated driving

Plenty of evidence that this is already possible

- Key fobs compromise

- Attacks into systems

Consequences of Cyber-attack

Page 18

Cooperative vehicles

- Data - potential for V2V extraction

- Misinformation – could be used to gain individual advantage, disrupt traffic flow

- Control – potential for serious incidents

First significant cooperative systems close to reality

Consequences of Cyber-attack

Page 19

Infrastructure

- Data

- Misinformation, particularly probe vehicle data

- Control, particularly as infrastructure becomes dynamically controlled

Some scope for financial gain

Concluding remarks

Page 20

Feasibility of remote access has been demonstrated

Future connected car solutions are evolving rapidly (Apple CarPlay, Google Auto…..)

Vehicle manufacturers losing control of the electronic subsystems within the vehicle

Specific areas of concern:

- Threats to platooning vehicles

- Threats to infrastructure as a result of V2I

- eCall vulnerabilities and variants

- Uses of data collected from vehicles

Page 21

Do You Have Any Questions?

Page 22

Thank you Cooperative vehicles ETSI Security Week

Presented by Peter Vermaat

Principal ITS Consujtant Tel: +44 1344 770561

Email: pvermaat@trl.co.uk