Michael Westra, CISSP
June 2012
2012 BSides Detroit Security Presentation: Vehicle Hacking
“If you think technology can solve your security problems, then you don’t understand the problem and you don’t understand the technology.” - Bruce Schneier
Page 2
June 2011
Agenda
• Unique challenges that automotive faces
• Overview of CAN (Controller Area Network)
• SYNC, a real-world example of the security thinking that went into a product on the market
• Security posture
• Sample features within a security framework
• OEM perspective on where the industry is going
• Auto security industry in review
• Technology trends
Automotive Challenges
• Automotive is very long-lived
  – Development: 2-5 years
  – Lifetime: 3-5+ years
  – Often in service for 10+ years
  – Vehicles in design today will be on the road 20 years from now
• Collection of discrete modules from many vendors
  – Includes a variety of hardware, from 8-bit microcontrollers to 32-bit ARM processors, connected
• Unique service requirements
  – Right-to-service laws mandate that non-OEM locations have access to tools and mechanisms to perform service and update modules
  – Disconnected service scenarios
CAN (Controller Area Network)
• Mental model
  – Based on broadcast virtual electrical signals, not the traditional network model
  – No authentication; every node is assumed trusted; the bus does not check source ID
  – Heavily affects how development proceeds
• Structure
  – 11-bit ID on broadcast
  – 8 bytes of data per message
  – Multiple “slow” buses (500 kbps)
  – Applications layered on this, like TP (streaming), diagnostics, programming
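The two points above (an 11-bit broadcast ID with up to 8 data bytes, and no source field that a receiver could authenticate) are worth seeing in code. The block below is an added example for this deck, not Ford or SYNC code: it models a classic CAN frame, parses the `candump -L` text format, and runs a simple timing check that flags frames arriving much sooner than an ID's learned period. Since the bus carries no sender identity, inter-arrival timing is one of the few signals a monitoring node has; the log lines, IDs, periods and the 0.5 ratio are all constructed for the example.

```python
"""Classic CAN frame model plus a timing-based anomaly check over a constructed
candump-style log. Added illustration; not Ford/SYNC code. The IDs, timings and
threshold below are invented for the example."""
from dataclasses import dataclass
from collections import defaultdict
import statistics


@dataclass(frozen=True)
class CanFrame:
    timestamp: float  # seconds, as stamped by the capture tool
    can_id: int       # 11-bit arbitration ID (0x000-0x7FF); note: there is no source field
    data: bytes       # 0-8 bytes of payload


def parse_candump_line(line: str) -> CanFrame:
    """Parse one line in candump -L form: '(0.100000) can0 123#0001'."""
    ts_part, _iface, frame = line.split()
    ts = float(ts_part.strip("()"))
    id_hex, _, data_hex = frame.partition("#")
    can_id = int(id_hex, 16)
    if not 0 <= can_id <= 0x7FF:
        raise ValueError(f"not an 11-bit CAN ID: {id_hex}")
    data = bytes.fromhex(data_hex) if data_hex else b""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return CanFrame(ts, can_id, data)


def find_timing_anomalies(frames, learn=5, ratio=0.5):
    """Return (timestamp, can_id) for frames that arrive sooner than `ratio`
    times the period learned for that ID. The period is the median of the
    first `learn` inter-arrival gaps; IDs seen fewer times are never judged.
    A burst of extra frames at a periodic ID is flagged frame by frame."""
    last_seen = {}
    gaps = defaultdict(list)
    period = {}
    hits = []
    for f in frames:
        if f.can_id in last_seen:
            gap = f.timestamp - last_seen[f.can_id]
            if f.can_id in period:
                if gap < ratio * period[f.can_id]:
                    hits.append((f.timestamp, f.can_id))
            else:
                gaps[f.can_id].append(gap)
                if len(gaps[f.can_id]) >= learn:
                    period[f.can_id] = statistics.median(gaps[f.can_id])
        last_seen[f.can_id] = f.timestamp
    return hits


# Constructed log: ID 0x123 every 100 ms and ID 0x3A0 every 200 ms, with two
# extra 0x123 frames (payload FFFF) squeezed in at 0.73 s and 0.83 s.
SAMPLE_LOG = """\
(0.000000) can0 123#0000
(0.100000) can0 123#0001
(0.150000) can0 3A0#AA
(0.200000) can0 123#0002
(0.300000) can0 123#0003
(0.350000) can0 3A0#AB
(0.400000) can0 123#0004
(0.500000) can0 123#0005
(0.550000) can0 3A0#AC
(0.600000) can0 123#0006
(0.700000) can0 123#0007
(0.730000) can0 123#FFFF
(0.800000) can0 123#0008
(0.830000) can0 123#FFFF
(0.900000) can0 123#0009
"""


def analyze(log_text: str):
    """Parse a candump log and return the timing anomalies found in it."""
    frames = [parse_candump_line(l) for l in log_text.splitlines() if l.strip()]
    return find_timing_anomalies(frames)


if __name__ == "__main__":
    for ts, cid in analyze(SAMPLE_LOG):
        print(f"t={ts:.3f}s  ID 0x{cid:03X}  arrived early for its learned period")
```

The parser rejects anything that is not a well-formed classic frame, but it cannot reject a frame for coming from the wrong node, because that information is simply not on the wire; the timing check is a monitoring heuristic, and a sender that also suppresses the legitimate frames would not trip it.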
SYNC Background
• SYNC first generation: launched in fall of 2007; 4 million units earlier this year
• MyFord Touch, second generation of SYNC: launched in fall of 2010
• No subscription required
• Both products scheduled to be launched in all global markets within the next 18 months
• Includes E911, Vehicle Health, and Traffic, Directions, and Information
• AppLink provides mobile phone application integration with the SYNC UI
Current SYNC Features / Security Challenges
External interfaces:
• Bluetooth
• Wi-Fi / USB
• Broadband / network connectivity
• Mobile application integration
• Telematics
• USB
• Software updates: wireless factory provisioning, USB updates
• Playback of protected media content
• CAN interaction
• Phonebook integration
Large external attack surface.

Security challenges:
• Application validity
• Software integrity assurance
• DRM / licensing
• Protect the vehicle bus
• Personally identifiable information (PII) considerations
General Security Lessons
• Start by defining your product’s security posture.
  – Every device can be hacked with sufficient time, expertise, and motivation
  – Define what is worth protecting and to what level
• An example from SYNC:
  – A successful attack should require physical access to the internals of the module
  – A successful attack on one device should not be transferable to immediately hack all devices
  – A general perimeter security architecture, including hardware, should be used to protect the most sensitive components
  – External non-hardwired or user-accessible interfaces should be hardened as much as possible with multiple levels of protection
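The second posture item (compromise of one unit must not unlock every unit) is commonly met with per-unit key diversification: each module receives its own key derived from a master that never leaves the provisioning system, so extracting one unit's key yields nothing usable against another. The slide does not say how SYNC implements this, so the block below is an added illustration of the technique in general, not Ford's design; it uses HKDF-SHA256 from the standard library, and the master key, serial numbers and message are constructed.

```python
"""Per-unit key diversification: an added illustration of the posture item
'an attack on one device should not be transferable to all devices'.
Not Ford/SYNC code. Master key, serials and message are constructed."""
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unit_key(master_key: bytes, unit_serial: str) -> bytes:
    """Key provisioned into one unit. The master key stays with the factory
    provisioning system (an HSM in practice); only the derived key is
    written to the module, so a dumped module reveals only its own key.
    The salt label is a constructed value for this example."""
    prk = hkdf_extract(salt=b"example-unit-key-v1", ikm=master_key)
    return hkdf_expand(prk, info=b"unit:" + unit_serial.encode())


def tag_message(unit_key: bytes, message: bytes) -> bytes:
    """Authenticate a message (e.g. an update package) for one specific unit."""
    return hmac.new(unit_key, message, HASH).digest()


def verify_message(unit_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_message(unit_key, message), tag)


def demo() -> dict:
    """Show that a tag valid for unit A is rejected by unit B."""
    master = b"\x11" * 32  # constructed; a real master key lives in an HSM
    key_a = derive_unit_key(master, "SERIAL-A-0001")  # constructed serials
    key_b = derive_unit_key(master, "SERIAL-B-0002")
    msg = b"UPDATE-PACKAGE-v2"  # constructed payload
    tag_a = tag_message(key_a, msg)
    return {
        "keys_differ": key_a != key_b,
        "unit_a_accepts": verify_message(key_a, msg, tag_a),
        "unit_b_accepts": verify_message(key_b, msg, tag_a),
    }


if __name__ == "__main__":
    print(demo())  # {'keys_differ': True, 'unit_a_accepts': True, 'unit_b_accepts': False}
```

The design point is where the master key lives: the derivation must run in the factory or back-end, never on the module, or the diversification buys nothing. It also pairs naturally with the first posture item, since the per-unit key is exactly the secret that should require physical access to the module's internals to reach.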
SYNC Security Challenges (continued)
• Protect the vehicle interface at all costs
  …or to the same level as physical interfaces for serviceability currently mandated by law

[SYNC architecture diagram, recovered as a list]
• VMCU: Freescale Star 12 series, RTOS based; CAN gateway, power master, diagnostics; connected to I-CAN, HS-CAN and MS-CAN
• CCPU: Freescale system on chip, MS Auto based; applications host, graphic/voice interface, gateway to external interfaces
• Secure inter-processor communication between the VMCU and the CCPU
• External interfaces on the CCPU side: Bluetooth/Wi-Fi, USB, analog audio/video
• Media hub: USB ports, SD card slot, RCA jacks (AV)
• Display/touch: 8" LCD/touch screen
Wi-Fi Provisioning
• First in industry to dynamically download large volumes of data on the moving assembly line
• Configure SYNC with language and other unique configuration on the moving assembly line
• This completely automated process results in the conversion of labor-related expenses and allows for flexibility of future application upgrades
Mobile Application Integration
• Different application integration models: MirrorLink, AppLink, signature/gateway application
• Security implications: each model has different going-in security assumptions
  • Apps are trusted or untrusted
  • Assumptions about spoofing applications
  • Apps are hosted, directly displayed, or interact via an API
• Not just security: driver distraction is an even larger concern (but ties back to the first concern)
Auto Security in Review
• UW papers
  – What could be controlled via CAN with physical access
  – How might remote access be achieved
• TPMS hacks
• Various demonstrations for keyless entry transponders
Where This Technology Is Going…
• The car industry is where the PC industry was 15 years ago, but can benefit from their security learning
• Fully Internet-addressable fleets of automobiles
• Increased integration with mobile applications
• Continued democratization of technology: global view, all vehicle levels (not just high-end)
• The vehicle environment is different from mobile: eyes on the road, hands on the wheel; safety around vehicle interfaces
Where the Industry Is Going…
• Security of major interfaces is getting a lot more attention (and press)
• OEMs also have legal serviceability requirements that force a certain level of openness and commonality
• It makes sense for more collaboration between OEMs, suppliers, and academia: anyone’s failure gives everyone a black eye
• Active work starting with a new SAE working group and other forums
Thank-you