Page 1
[email protected] | ETAS/PSC-ECY | Frederic Stumpf | © ESCRYPT 2016. All rights reserved, also regarding any disposal, exploitation,
reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
A holistic approach to Automotive Security
Dr. Frederic Stumpf
Karlsruhe, 11.07.2016
KIT – Karlsruhe Institute of Technology
Page 2
Short CV
2006 Graduated in Computer Science at TU Darmstadt
2006 – 2009 Research Assistant at IT Security Group headed by Prof. Dr. Claudia Eckert at TU Darmstadt
Research interests:
• Trusted Computing and Secure Operating Systems
• Security Protocols
• Embedded Security
2009 PhD in Computer Science (Dr. rer. nat.) with honors
2009 – 2010 Project Manager at Fraunhofer SIT, Munich
2010 – 2011 Head of Department “Embedded Security and Trusted OS” at Fraunhofer SIT, Munich
2011 – 2013 Head of Department “Embedded Security and Trusted OS” at Fraunhofer AISEC, Munich
2013 – Branch Manager and Product Manager at ESCRYPT GmbH, Stuttgart
Page 3
ESCRYPT – Embedded Security
Company Profile
ESCRYPT provides a variety of products and services suited to protect devices and applications, to secure the back-end infrastructure, and to protect business models. ESCRYPT's products are applicable to all industries with a need for embedded security.
ESCRYPT GmbH
Foundation: 2004
Shareholder: 100% ETAS GmbH (Robert Bosch Group)
Headquarter: Bochum, Germany
Employees: 100 security experts world-wide
Management: Martin Ridder, Dr. Thomas Wollinger
Locations
Europe: Germany (Berlin, Bochum, Munich, Stuttgart, Wolfsburg), UK (York)
America: USA (Ann Arbor)
Asia-Pacific: Japan (Yokohama), Korea (Seoul)
Portfolio
Security consulting and services
Security products
Customized security solutions
Page 4
A holistic approach to Automotive Security
Agenda
Motivation and Introduction to Automotive Security
Chrysler Hack – An example
Holistic Automotive Security Solutions
• Secure On-Board Communication
• Secure External Communication (Car-2X)
• Secure Platforms
Page 5
Automotive Security
Daily News on Cyberattacks
Page 6
Demonstrated Attacks on Vehicle
Demonstrated attacks allow:
Control over safety-critical vehicle systems, e.g. to issue brake commands
Theft: to unlock doors and start engine without key
Surveillance: to track car, to record and transmit data from in-cabin microphone
References:
Koscher et al.: Experimental Analysis of a Modern Automobile, S&P 2010
Rouf et al.: Security and Privacy Vulnerabilities of In-Car Wireless Networks, USENIX Security, Aug. 2011
Checkoway et al.: Comprehensive Experimental Analyses of Automotive Attack Surface, USENIX Security, Aug. 2011
Miller, Valasek: Remote Exploitation of an Unaltered Passenger Vehicle, DEFCON 2015
[Figure: vehicle attack surface – ABS, OBD, ECUs on the CAN bus, head unit (HU), smart phone, app store and Internet]
Smart phone exploit of Bluetooth stack vulnerability: a malicious app on the user’s (paired) smart phone can execute arbitrary code on the car’s telematics unit.
Exploit of media file (WMA) parser vulnerability: a malicious WMA file plays fine on a PC but allows sending arbitrary CAN messages when played in the car’s media player.
Bluetooth pairing: sniffing the telematics unit’s MAC address and brute-forcing the PIN allows pairing the attacker’s Bluetooth device.
Exploit of vulnerabilities in voice modem code: dialing the car’s number from an office phone and playing a malicious MP3 file into the receiver allows compromising the car.
Hijacking Wi-Fi pass-thru device: hijacking the pass-thru device via Wi-Fi lets the pass-thru device send arbitrary CAN messages when connected to the car.
Page 7
Automotive security
Threats today
Infotainment System: Compromise external network connections; Violate privacy (last trips, contacts, …); Unauthorized feature activation
Engine ECU: Tuning via manipulated software or parameter sets
Drive Recorder: Tachograph forgery; Steal sensitive test results
Odometer: Mileage tampering
ECU: Circumvent restrictions (e.g. speed locks); Spy on intellectual property; Create and use counterfeit parts; Steal a valuable component
Diagnostic Interfaces (OBD, OBD2, Ethernet, …): Manipulate safety critical parameters; Tamper with internal communication; Steal intellectual property
Vehicle board network: Inject spoofed messages; Harm passengers; Suppress safety mechanisms
Destroy OEM‘s reputation
Page 8
Chrysler Hack
Page 9
Chrysler Hack
Vehicle is addressable from within the network of the mobile connection provider
HeadUnit (uConnect) was remotely compromised by unauthenticated D-Bus messages (TCP port 6667)
− The HeadUnit is directly connected to both CAN buses (named CAN-C and CAN-HIS)
− HeadUnit OS (OMAP chip) is only able to read from CAN; no write access possible
− Integrated IOC (V850 chip) can be updated from HeadUnit and has write access to CAN
Unsigned update of manipulated IOC firmware was possible
− Reverse engineering of IOC firmware was required
− Build new firmware image including extended functionality (SPI-to-CAN proxy)
Send CAN messages to CAN-C and CAN-HIS
− No secure communication
Page 10
Holistic automotive security solution
Holistic Security Solution: defense-in-depth approach with security building blocks on each layer
Secure E/E Platform
Software integrity
Hardware security modules
Secure Onboard Network
Authenticated communication
Security gateways
Firewalling, Intrusion Detection & Response
Access Control, Security Policy Management
Secure External Communication
Firewalling, Intrusion Detection & Response
Secure Channel, Secure Endpoint Authentication
Key & Identity Management Solution
Holistic automotive security solutions required to conquer the threats of tomorrow
Page 11
Holistic automotive security solutions
Multi-Layered Security Concept:
Secure in-vehicle communication
Secure external communication
Secure platforms (HW and SW)
Components/Technologies and Solutions:
Firewalls/Domain Isolation
Security Gateways (SG)
Runtime SW Integrity Protection
Secure Software Management
Secure Software Separation
Hardware Security Modules
[Figure: vehicle network with security gateways (SG); the numbers 1–7 mark where each of the mechanisms below applies]
Security Mechanisms and Approaches:
1 Strong isolation of CE domain
2 Inspection and Restriction of Traffic
3 Prevention and Detection of infections of both vehicle bus and ECU domain
4 Hardening of Multimedia and Infotainment domain
5 End-to-End security of entities communicating with vehicle via CE domain
6 Authentication of entities and bus communication
7 Maintaining a secure software state
Page 12
Secure and Sustainable E/E architecture
Central Gateway with Firewalling Functionality
[Figure: E/E architecture with head unit (HU), central gateway, several security gateways (SG) and an Infotainment Domain]
Page 13
In-Vehicle Bus Systems
Page 14
In-Vehicle Bus Systems
Controller Area Network (CAN): Reliable communication between control units; up to 1 Mbit/s
Media Oriented System Transport (MOST): In-vehicle multimedia services; up to 24 Mbit/s
FlexRay: Safety-critical high speed communications; up to 10 Mbit/s
Page 15
Secure In-Vehicle Communication
ECUs exchange Critical Signals, e.g.
Brake signals
Adaptive Cruise Control
Secondary Collision Mitigation
Torque request signals
Sensor & actuator signals
[Figure: several ECUs exchanging signals over the vehicle bus]
Requirements & Security Goals
Protect critical functionality, vehicle safety and stakeholder assets
Authenticity & Integrity protection for critical signals
Confidentiality to protect data
Constraints: bandwidth, latency, performance, safety requirements, …
Solution
Sensor protection by adding Truncated MACs
Shared keys for efficient communication
Page 16
Message Authentication & Freshness Verification
[Figure: Sender and Receiver share a secret key K and each keep a monotonic counter, kept in sync. Sender: Input = Data (arbitrary length) and CNT → MAC generation with K → full MAC (128 bit) → Truncation; transmitted: Data, CNT, truncated MAC. Receiver: MAC verification with K over the received Data and CNT, comparison of CNT against the last received counter; on success the Data is accepted (OK).]
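The sender/receiver exchange in the figure, written out as an added example (not code from the slides): the deck does not name the MAC function, so HMAC-SHA256 from the standard library stands in for the 128-bit full MAC, and the frame split (2-byte payload, 2-byte counter, 4-byte truncated MAC, i.e. one 8-byte CAN frame) is an assumption.

```python
"""Truncated-MAC protection of a bus signal with counter-based freshness."""
import hashlib
import hmac

CNT_LEN = 2      # bytes of counter on the bus (assumed)
TRUNC_LEN = 4    # bytes of MAC kept after truncation (assumed)
CNT_MAX = (1 << (8 * CNT_LEN)) - 1


def full_mac(key: bytes, data: bytes, cnt: int) -> bytes:
    """MAC input is Data || CNT, so the tag binds the payload to its counter."""
    msg = data + cnt.to_bytes(CNT_LEN, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes, start_cnt: int = 0):
        self._key = key
        self.cnt = start_cnt          # monotonic counter, never rolled back

    def protect(self, data: bytes) -> bytes:
        """Return Data || CNT || truncated MAC for one signal."""
        if self.cnt >= CNT_MAX:
            # The counter is the only freshness source; it must not wrap.
            raise OverflowError("counter exhausted: re-key and resync required")
        self.cnt += 1
        tag = full_mac(self._key, data, self.cnt)[:TRUNC_LEN]
        return data + self.cnt.to_bytes(CNT_LEN, "big") + tag


class Receiver:
    def __init__(self, key: bytes, start_cnt: int = 0):
        self._key = key
        self.last_cnt = start_cnt     # "last received counter" in the figure

    def verify(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) <= CNT_LEN + TRUNC_LEN:
            return None
        data = frame[: -(CNT_LEN + TRUNC_LEN)]
        cnt = int.from_bytes(frame[-(CNT_LEN + TRUNC_LEN): -TRUNC_LEN], "big")
        tag = frame[-TRUNC_LEN:]
        # 1. MAC verification: recompute with the shared key K and truncate.
        expected = full_mac(self._key, data, cnt)[:TRUNC_LEN]
        if not hmac.compare_digest(expected, tag):
            return None
        # 2. Freshness: the counter must exceed the last accepted one;
        #    a repeated or older counter is a replayed frame.
        if cnt <= self.last_cnt:
            return None
        self.last_cnt = cnt
        return data


def demo() -> dict:
    """Run the pair through the normal, replay and tamper cases."""
    key = bytes(range(16))                       # constructed 128-bit key
    tx, rx = Sender(key), Receiver(key)
    frame1 = tx.protect(b"\x01\x2c")             # e.g. a torque request value
    accepted = rx.verify(frame1)
    replayed = rx.verify(frame1)                 # same frame presented again
    frame2 = tx.protect(b"\x01\x2c")
    tampered = bytes([frame2[0] ^ 0x80]) + frame2[1:]   # payload bit flipped
    forged = rx.verify(tampered)
    fresh = rx.verify(frame2)                    # untouched frame still passes
    return {"frame_len": len(frame1), "accepted": accepted,
            "replayed": replayed, "forged": forged, "fresh": fresh}


if __name__ == "__main__":
    print(demo())
```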
Page 17
Secure Platforms
An automotive HSM
Main Security Goal
Integrity of ECU Firmware
Automotive Security Use-Cases
Secure Flashing
Secure Boot
Run-Time Tuning Detection
Secure Debug
Hardware Requirements: “Root of Trust”
Protection of integrity and confidentiality of cryptographic keys
Secure storage (e.g. log entries)
Acceleration of cryptographic mechanisms
Secure execution environment for cryptographic mechanisms, extendibility
Bosch HSM
Solution: microcontroller with integrated Hardware Security Module (HSM)
Realization
Specification of requirements
Implemented by several automotive silicon vendors (Freescale, STM, Infineon, Renesas)
Page 18
Bosch HSM Architecture
Abbreviations:
IF Interface
AES Advanced Encryption Standard
DAP Debug Access Port
IRQ Interrupt ReQuest
OCI On-Chip Interconnect
RNG Random Number Generator
TRNG True RNG (physical)
PRNG Pseudo RNG (deterministic)
[Figure: HSM block (Secure Core, Secure Local RAM, AES, TRNG, PRNG, Debug Com., OCI IF) attached via IRQ and the On-Chip Interconnect to the Host Core, System RAM and Flash (Code, Data, Register, Shared Area, Secure HSM Code, Secure HSM Data); the off-chip Debugger connects through the DAP / Debug IF]
Page 19
Status of Implementation
Development of HSM was initiated by Robert Bosch
Cooperation with silicon manufacturers: first HSM now integrated in automotive micro-controllers
Implementations available from multiple sources: Infineon (Aurix), Freescale/STM (JDP PowerPC), Renesas (ICU-M)
Freely available to all suppliers (no Bosch license)
Used by newest Motor Control Unit (MDG1) from Bosch
Page 20
Hardware Security Engines
A simple classification
Hardware-based Security Engines
− Internal Hardware-based Security Engines: Crypto Accelerators; Bosch HSM
− External Hardware-based Security Engines: Hardware Security Modules; Secure Authenticators
Page 21
Automotive Challenges for HSMs
Automotive challenges
Sensitivity to costs
Temperature Range
Debug interfaces
Programmable
Processing power
vs
Security challenges
Attack resistance
Attacks on interfaces
Automotive use cases
Page 22
Existing solutions
External security IC
Automotive challenges
Sensitivity to costs
Temperature Range
Debug interfaces
Programmable
Processing power
Security challenges
Attack resistance
Attacks on interfaces
Automotive use cases
Non-automotive HSM, e.g. TPM, Smart Card, Security IC:
✘ Temperature
✘ Debug interfaces
✘ Costs
✘ Attacks on interfaces
Page 23
Existing solutions
On-chip security engines
Automotive challenges
Sensitivity to costs
Temperature Range
Debug interfaces
Programmable
Processing power
Security challenges
Attack resistance
Attacks on interfaces
Automotive use cases
On-chip security engines, e.g. SHE, Crypto accelerators:
(✔), but not programmable
✘ Attack resistance
✘ Weak security for Automotive use cases
Page 24
Bosch HSM
Automotive challenges ✔
Sensitivity to costs
Temperature Range
Debug interfaces
Programmable
Processing power
Security challenges ✔
Attack resistance
Attacks on interfaces
Automotive use cases
Note: Physical attacks to reveal cryptographic key (e.g., Side Channel Attacks, Fault Attacks) only partly relevant in automotive industry
Page 25
Hardware security engines
Comparison and classification
[Figure: classification chart comparing Smart Cards / Security ICs, Bosch HSM & safety controller, and Crypto Accelerators¹]
¹ w/o SHE
Page 26
Security Building Blocks
a.k.a. Security Use-Cases
Main Goal: Protect integrity of automotive system during full life-time
Layers: Secure Platforms; Secure In-Vehicle Communication; Security Gateways; Secure External Communication
Secure Boot
• Ensures secure ECU state
• Executes during boot-up
Secure Flashing
• Secure Update of ECU SW
• Keeps software up-to-date
Secure Debug
• Enables failure analysis
• Keeps software debuggable
Runtime Integrity Protection
• Ensures integrity during runtime
• Prevents runtime attacks
Page 27
Secure Boot
Objective: Provide protection against executing unauthorized code
Tasks: Determination of code integrity by “measuring” code integrity
Validation of integrity by comparing “measured” code with stored code
Execution of code after checks are passed
Realization: HSM directly involved in boot process
HSM halts the booting if code integrity verification fails
[Figure: Host Boot ROM starts Stage 1 (Boot SW) on the Host Core; the HSM checks Stage 1, then Stage 2, before each is executed]
Establishment of a chain of trust
Page 28
Secure Boot
Validation of Code Integrity
Valid Fingerprints are either stored
1. Directly in HSM
2. In flash
Additional keys are stored for each layer of SW
Protects valid fingerprints
Ensures that only trusted entities can generate fingerprints
Fingerprint of SW is computed using: SWFingerprint = F(Software, Key)
SWFingerprint is compared with stored value
[Figure: Secure MCU with HSM holding Boot MAC key, FW MAC key and App. MAC key; the AES-based MAC of the Bootloader in Flash Memory is compared with the stored SWBoot Fingerprint]
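The chain of trust from the two Secure Boot slides, as an added example (not code from the slides or from Bosch/ESCRYPT): the deck defines SWFingerprint = F(Software, Key), and HMAC-SHA256 stands in here for the AES-based MAC of the figure; the layer names, keys and flash images are constructed, and the valid fingerprints are stored in the HSM (option 1 on the slide).

```python
"""Secure boot: per-layer fingerprints checked by the HSM before execution."""
import hashlib
import hmac

BOOT_ORDER = ("boot", "fw", "app")   # assumed layers: bootloader, firmware, application


def fingerprint(key: bytes, software: bytes) -> bytes:
    """SWFingerprint = F(Software, Key); F is a keyed MAC here."""
    return hmac.new(key, software, hashlib.sha256).digest()


class HSM:
    """Holds one MAC key per layer plus the valid fingerprints.

    Only a holder of the layer key can produce a fingerprint, which is what
    protects the reference values and would also allow storing them in flash
    (option 2 on the slide) instead of inside the HSM."""

    def __init__(self, layer_keys: dict):
        self._keys = dict(layer_keys)
        self._valid = {}

    def provision(self, stage: str, software: bytes) -> bytes:
        """Trusted entity (e.g. at secure flashing) records the reference value."""
        fp = fingerprint(self._keys[stage], software)
        self._valid[stage] = fp
        return fp

    def check(self, stage: str, software: bytes) -> bool:
        """Measure the stage and compare with the stored fingerprint."""
        if stage not in self._valid:
            return False                      # no reference -> never trusted
        measured = fingerprint(self._keys[stage], software)
        return hmac.compare_digest(measured, self._valid[stage])


def secure_boot(hsm: HSM, flash: dict):
    """Walk the chain of trust; a stage runs only after its check passes.

    Returns (stages allowed to execute, stage at which the HSM halted the
    boot or None). `flash` maps stage name -> image bytes."""
    executed = []
    for stage in BOOT_ORDER:
        if not hsm.check(stage, flash.get(stage, b"")):
            return executed, stage            # HSM halts the boot here
        executed.append(stage)                # control is handed to the stage
    return executed, None


def demo() -> dict:
    """Boot a clean ECU, then one whose firmware was manipulated in flash."""
    keys = {s: hashlib.sha256(s.encode()).digest() for s in BOOT_ORDER}  # constructed keys
    hsm = HSM(keys)
    flash = {"boot": b"bootloader v1",
             "fw": b"engine firmware v1",
             "app": b"application v1"}
    for stage, image in flash.items():
        hsm.provision(stage, image)
    clean = secure_boot(hsm, flash)
    # Tuning attempt: the firmware image is altered but the attacker holds
    # no layer key, so no matching fingerprint can be produced.
    tuned = secure_boot(hsm, dict(flash, fw=b"engine firmware v1 + tuning patch"))
    return {"clean": clean, "tuned": tuned}


if __name__ == "__main__":
    print(demo())
```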
Page 29
Secure Debug
Objective: Provide protection against unauthorized access into the microcontroller
Tasks: Open debugger during development and production
Close debugger access when in the field
Reopen in case of failure analysis
Realization: HSM in control of debug access
Challenge-Response Authentication
Explicit involvement of HSM in authentication process
[Figure: SoC with HSM, Host Core, IRQ, System RAM and Flash; the external Debugger’s access is controlled by the HSM]
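The challenge-response debug unlock described above, as an added example (not code from the slides): the deck only states that the HSM controls debug access via challenge-response, so the protocol below is an assumed symmetric-key instance (HMAC-SHA256 over a random 128-bit nonce), and the lifecycle states and key values are constructed.

```python
"""Challenge-response unlock of the debug port under HSM control."""
import hashlib
import hmac
import secrets

UNLOCK_LABEL = b"debug-unlock"   # domain separation: this MAC serves no other purpose


class DebugHSM:
    """Gatekeeper for the Debug Access Port (DAP)."""

    def __init__(self, debug_key: bytes, in_field: bool):
        self._key = debug_key
        # Open during development/production; closed once the ECU is in the field.
        self.dap_open = not in_field
        self._pending = None            # outstanding challenge, single use
        self.failed_attempts = 0        # input for a lockout policy (not modelled)

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; any unanswered one is discarded."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def respond(self, response: bytes) -> bool:
        """Verify the tool's answer; open the DAP only on success."""
        if self._pending is None:
            return False                # nothing outstanding -> nothing to prove
        expected = hmac.new(self._key, UNLOCK_LABEL + self._pending,
                            hashlib.sha256).digest()
        self._pending = None            # consumed whether or not it matches
        if hmac.compare_digest(expected, response):
            self.dap_open = True
            return True
        self.failed_attempts += 1
        return False


class DebugTool:
    """Failure-analysis tool holding the debug authorisation key."""

    def __init__(self, debug_key: bytes):
        self._key = debug_key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, UNLOCK_LABEL + challenge, hashlib.sha256).digest()


def unlock(hsm: DebugHSM, tool: DebugTool) -> bool:
    """One full exchange: challenge -> response -> verdict."""
    return hsm.respond(tool.answer(hsm.challenge()))


def demo() -> dict:
    key = hashlib.sha256(b"constructed debug key").digest()
    ecu = DebugHSM(key, in_field=True)
    closed_in_field = ecu.dap_open
    wrong_key = unlock(ecu, DebugTool(b"wrong key"))
    tool = DebugTool(key)
    # Replay: a recorded valid answer is presented again in a later session.
    nonce = ecu.challenge()
    recorded = tool.answer(nonce)
    first = ecu.respond(recorded)
    ecu.dap_open = False                # ECU power-cycled: port closes again
    ecu.challenge()                     # new session, new nonce
    replay = ecu.respond(recorded)
    genuine = unlock(ecu, tool)
    return {"closed_in_field": closed_in_field, "wrong_key": wrong_key,
            "first": first, "replay": replay, "genuine": genuine,
            "failed_attempts": ecu.failed_attempts, "dap_open": ecu.dap_open}


if __name__ == "__main__":
    print(demo())
```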
Page 30
CycurHSM – Product Overview
A Security Stack Satisfying Safety Requirements
Main Goal: Provide a standardized SW stack for implementations of the Bosch HSM
Security Mechanisms: Cryptographic libraries (AES, RSA, ECC); Key generation functionality (TRNG, PRNG); (Hardware-shielded) protected storage
Characteristics: Safety qualification (ASIL-D planned); Modular Structure; Preemptive real-time scheduling of crypto jobs; Full compatibility to AUTOSAR, SHE, and SHE+; Full support of HSM technology (Infineon, Freescale/STM, Renesas)
Components & Elements: AUTOSAR Interfaces; HSM Firmware; Drivers; Security Libraries; Customer-specific SW
Page 31
Initial Idea and Approach
Real time operating system to satisfy automotive safety requirements
Characteristics:
Priority-based scheduling capabilities
Predictable worst-case execution time
Preempting running tasks with very low latency
Full context saving capabilities of preempted tasks
[Figure: timeline of Task 1 and Task 2 on the CPU and the Crypto Peripheral, showing execution and stalling]
Page 32
CycurHSM – Product Overview
Architecture
[Figure: layered architecture. Host side: (Application) Software with App. 1, App. 2, App. 3 over AUTOSAR CSM and CSAI, and the HSM Driver. HSM Core: HSM Host Interface, Crypto Service Application Interface, Job Manager, Secure Key Store, Crypto Library, SHE+ Emulation, Security Apps, Real Time Operating System and HSM MCALs over the AES, TRNG, Flash, IRQ and Timer peripherals (Firmware). Colour legend: Product Components, Tier 1 Application SW, Silicon Manufacturer]
Page 33
CycurHSM – Product Overview
BOSCH HSM Architecture
[Figure: the Bosch HSM block diagram from the “Bosch HSM Architecture” slide (Secure Core, Secure Local RAM, AES, TRNG, PRNG, Debug Com., OCI IF; Host Core, System RAM, Flash with Code, Data, Register, Shared Area, Secure HSM Code and Secure HSM Data; IRQ and On-Chip Interconnect), repeated as the basis for the following slide]
Page 34
CycurHSM – Product Overview
Integrated Architecture
[Figure: the Bosch HSM block diagram with the CycurHSM software mapped onto it: App. 1, App. 2, App. 3, AUTOSAR RTE, AUTOSAR CSM and the HSM Driver run on the Host Core; HSM Host Interface, Job Manager, Secure Key Store, Crypto Library, SHE+ Emulation, Security Apps, Real Time Operating System and HSM MCALs run on the HSM Secure Core]
Page 35
Comparison of Automotive Security Use-Cases
[Table: rows are use cases, columns are platform types; the per-cell ratings were colour-coded in the original and are not recoverable here]
Columns: Legacy µC w/o SHE or HSM; SHE (On-chip security engine); HSM (TPM / Security IC); Bosch HSM
Rows (Use Case): Secure Boot; Secure Flashing; Secure Storage (i.e. Log); Immobilizer Secret Key; Sensor Prot. Secret Key; Feature Activation (Usage); Runtime Tuning Detection; Secure Debug; Secure external communication; Secure in-vehicle communication (MAC-based)
Legend: Secure / weak / impossible or insecure
Page 36
Vehicle Board Network in 2020
Hardware based security solutions
[Figure: vehicle board network with Central Gateway and Head-Unit and the domains Powertrain, Chassis, Body and Infotainment (ECUs such as SCU, USS, Cam, Light, Instrument, Door, CCU, WLAN, DAS, ACC, ABS, ESP, BM, MCU, TCU, Climate, Multimedia, HYD, Audio, Bluetooth, Immobilizer); each ECU is marked with the security hardware it uses]
Legend: SHE / Bosch HSM; Smart Card IC/UICC; On-chip security engine
Page 37
Vehicle Board Network in 202X
Hardware based security solutions
[Figure: the same vehicle board network as on the previous slide (Central Gateway, Head-Unit, Powertrain, Chassis, Body and Infotainment domains with their ECUs), now extended with a C2C (car-to-car) unit; each ECU is marked with the security hardware it uses]
Legend: SHE / Bosch HSM; Smart Card IC/UICC; On-chip security engine
Page 38
Secure External communication
External communication via CCUs
Exchange of service data
Vehicle service data
Increasing driving efficiency
Flashing of Software
Internet Connectivity
Requirements & Security Goals
Protect critical functionality, vehicle safety and stakeholder assets
Authenticity & Integrity protection of incoming messages
Confidentiality to protect data
Vehicle Gateway: to ensure E2E security
Solution
Vehicle Firewall to inspect communication
Secure communication channels
Security Hardware to achieve secure vehicle identities
Mechanisms to isolate vehicles
[Figure: ECUs behind a vehicle Gateway]
Page 39
Conclusions
Secure cars require a Multi-Layered Security Concept:
Secure in-vehicle communication
Secure external communication
Secure platforms (HW and SW)
Security mechanisms on all layers complement each other to provide a holistic security concept for enabling sustainable secure E/E architectures
Security mechanisms and techniques will start being employed in next generation cars going into production 2020+
[Figure: ECUs behind a vehicle Gateway]
Page 40
Jobs & Career
We are a dynamic, internationally-operating and emerging company in the area of embedded security. As the leading system provider for embedded security world-wide, we offer our expertise to all industries with security needs. We are looking for highly motivated people with great ideas who want to realize those in any of our locations.
Please visit www.escrypt.com/company/jobs
Page 41
ESCRYPT Worldwide
Service Wherever it is Needed
Germany
Berlin • Bochum • Munich
Stuttgart • Wolfsburg
Korea
Seoul
Japan
Yokohama
USA
Ann Arbor
China
Shanghai
United Kingdom
York
Sweden
Lund
Page 42
ESCRYPT - Embedded Security
Headquarters
Lise-Meitner-Allee 4
44801 Bochum
Germany
Phone: +49 234 43870-200
Fax: +49 234 43870-211
[email protected]
www.escrypt.com
Dr. Frederic Stumpf
Branch Manager Stuttgart
Phone: +49 711 342-32316
[email protected]