Date post: 19-Jan-2016
Page 1: Automotive Linux, Cybersecurity and Transparency Alison Chaiken alison@she-devel.com Jan 22, 2016.

Automotive Linux, Cybersecurity and Transparency

Alison Chaiken alison@she-devel.com

Jan 22, 2016

So much to gain, so much to lose

July 2015: Miller and Valasek “state-sponsored” takedown of Jeep

source: http://illmatics.com/Remote%20Car%20Hacking.pdf

Miller-Valasek: D-Bus service responding to an open 3G port

“To find vulnerable vehicles you just need to scan on port 6667 from a Sprint device . . .”

Without Over-the-Air Updates, Jeep is stuck

Dec. 2015 view of Uconnect update

p0wn-to-own

The Jeep was running QNX

QNX is outshipping Linux 6:1 according to analysts.

Many automakers plan cars that run Linux:

GENIVI members: BMW, FAW, CMC, Great Wall, Honda, Hyundai, JLR, Daimler, Nissan, Peugeot-Citroen, Renault, SAIC, Volvo

AGL members: Toyota, JLR, Mitsubishi, Nissan, Honda, Ford, Mazda, Subaru

So everything's fine, right?

The fundamental problem with connectivity

“Shuttle bus with J1939 air conditioning,” Metropolitan Atlanta Rapid Transit Authority, http://can-newsletter.org

The “Thermo King Intelligaire III”

Payment credentials + High Voltage + Connectivity

What could possibly go wrong?

Ozer Shezaf, http://xiom.com/2013/04/13/who_can_hack_a_plug_the_presentation

Ambient Insecurity: the Internet of Threats

“Alternative Web browser-based user interface allows remote programming and status observation”

(Safetran Cobalt brochure)

Background: Thinking Highways

What about . . .

attaching your phone via USB to a rental car?

leaving your car at a repair shop overnight?

How do we . . .

opt out of automakers' data collection?

reset a car for sale to factory defaults?

Should . . .

an unpatched car automatically fail its safety inspection?

Why . . .

are owners' manuals still provided as paper?

Safety vs. Security Tradeoffs?

2-seconds to rear-view camera NHTSA rule enforces minimum boot time

Are we sacrificing security for fast-boot?

Tire-pressure measurement systems (TPMS): worth the added vulnerability?

The surest approach to security: avoid being an attractive target

The ONLY way that payment credentials should be stored in a car

Connectivity to car systems: double-stick tape

Associating payment credentials with embedded car systems puts lives in danger.

Security and transparency approaches

Preserving anonymity with PKE is Challenging

Courtesy B. Lehrmann, 32C3, “Vehicle2Vehicle Communication based on IEEE802.11p”

Hardware-level security

x86: TPM, IMA . . .

ARM: Cortex-R, TrustZone

Image courtesy Chris Turner, ARM

Familiar problems, familiar solutions

Global Logic: http://tinyurl.com/ojnrbr2

DOM0 and DOMU run on different cores of a processor.

Multiple processor cores with multiple OSes

Courtesy Mentor Automotive

Driver Assistance, Navigation, Entertainment

Linux can be AGL-GENIVI or Android, or one core of each

Copyright Renesas, “Introduction to CAN”, with permission.

Automotive LAN, 2015

>100 microprocessors on MOST, CAN-FD, LIN, FlexRay networks

Copyright Renesas, “Introduction to CAN”, with permission.

Automotive LAN, 2025

Ethernet A/V-B (audio-video bridging) will displace FlexRay and MOST

Becomes a packet-filtering firewall

[Figure label: EA/V-B]

Current scantool connection

Proposal: scantool connection via DB only

Single-board server

CAN 500 kbps

Let's get rid of hard connections to CAN that are accessible from passenger cabin.

Linux kernel's watchdog timer guards against intrusion-caused slowdown

Critical application, normal state

/dev/watchdog

Critical application, failed state; or simple slowdown

/dev/watchdog X X

REBOOT

Must hit critical time window

int petdog(unsigned interval) {}
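
The watchdog slide above, as an added example that is not code from the talk: a critical loop that pets the watchdog only when a round of work finishes inside its time window, so a failed or slowed application stops petting and the hardware timer reboots the system. The names `pet_watchdog`, `guarded_loop`, `critical_work` and `demo` are hypothetical, and `demo` writes to a pipe as a stand-in for `/dev/watchdog` (opening the real device starts the countdown).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>
#include <unistd.h>

static int stall_round = -1;  /* constructed fault: round that stalls, -1 = never */

/* Monotonic clock, so wall-clock adjustments cannot fake a met deadline. */
static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Any write to the Linux watchdog device restarts its countdown. */
int pet_watchdog(int fd) { return write(fd, "\0", 1) == 1 ? 0 : -1; }

/* Stand-in for the critical application; stalls 250 ms in the faulty round. */
static int critical_work(int round) {
    if (round == stall_round) {
        struct timespec stall = {0, 250 * 1000000L};
        nanosleep(&stall, NULL);
    }
    return 0;
}

/* Pet only after a round that succeeded within window_ms. On the first miss,
 * stop petting and return the pets delivered; the timer then expires. */
int guarded_loop(int fd, long window_ms, int (*work)(int), int rounds) {
    int pets = 0;
    for (int i = 0; i < rounds; i++) {
        long start = now_ms();
        if (work(i) != 0 || now_ms() - start > window_ms) break;
        if (pet_watchdog(fd) != 0) break;
        pets++;
    }
    return pets;
}

/* Five rounds with a 100 ms window against a pipe, so nothing can reboot. */
int demo(int stall_at) {
    int p[2];
    if (pipe(p) != 0) return -1;
    stall_round = stall_at;
    int pets = guarded_loop(p[1], 100, critical_work, 5);
    close(p[0]); close(p[1]);
    return pets;
}

int main(void) {
    printf("healthy: %d pets, stall in round 2: %d pets\n", demo(-1), demo(2));
    return 0;
}
```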

CAN Industry Association newsletter, July 24, 2014

Automotive pen-testing

Industry Best Practice: ChromiumOS's Verified Boot via FIT

Driver drowsiness detection has great potential, but . . .

Source: Key Safety Systems

Most exciting development of 2015: OSVehicle

Open Street Map and Ubuntu uNav

H/T Linux Unplugged Episode 115

Summary

Adding capability and automation to cars inevitably increases 'attack surface.'

Nonetheless, the FCA-Harman-Sprint installation was inexcusably insecure.

The industry as a whole is moving to OTA.

Considerable open-source activity is underway.

Traditional Linux security best practices apply equally to cars.

References

Smart Automotive special issue of Telematics Wire

Nate Willis' talk, “Linux and the Automotive Security Lab,” historical survey and recommendations for Linux

“Dieselgate” and V2V communication talks at CCC 2015

EPIC “Internet of Cars” Congressional testimony, 11/18/2015

escar Conference Proceedings

Ethernet A/V-B: Junko Yoshida, EE Times

extra slides

GENIVI Demo Platform

Qemu image plus BSPs for RPi, Minnowboard, Nvidia Jetson and Renesas R-Car

Source: RTKL blog

A typical automotive data center

http://tinyurl.com/crbazg9

Chaos Computer Club 2012 video

Christie Dudley, Santa Clara University Law School

