
The Current State of Automotive Security · 2020-07-08 · Title: Automotive Security: A Throwback...

Date post: 13-Aug-2020
IOActive, Inc. Copyright ©2014. All Rights Reserved. The Current State of Automotive Security Chris Valasek Director of Vehicle Security Research
Transcript
Page 1: The Current State of Automotive Security · 2020-07-08 · Title: Automotive Security: A Throwback Author: cvalasek@outlook.com Created Date: 6/22/2015 9:21:00 AM

IOActive, Inc. Copyright ©2014. All Rights Reserved.

The Current State of Automotive Security

Chris Valasek

Director of Vehicle Security Research

Introduction

Hello

• Chris Valasek

• Director of Vehicle Security Research

• BS in CS from Pitt (2005)

• Reverse engineer, Exploitation research, Automotive security

Agenda

• External perspective

• Concerns and correlations

• Desired advancements

• Q & A

My Perspective

Years of Research

Tools, Analysis, Methods

Outsider’s perspective

• The following presentation is from my perspective

– There’s a chance some issues are being resolved

• Regardless, I think outside assessments are valuable

– Example: Proofreading

http://www.carthrottle.com/post/gangs-are-stealing-17-luxury-cars-every-day-in-london-by-hacking-the-keyless-entry-system/

Concerns

My Concerns

• Revolve around physical safety and remote exploitation

• Worried about remote wireless => ECU compromise

– As opposed to insider threats

• I think privacy is important, but I focus on physical safety

• Outsider threats to cars are difficult to cash in on, so I’ll talk on physical controls

Concerns: Bus Systems

Bus communications I

• CAN: Invented before vehicle connectivity was even a thing

• Trust issues

• Ethernet

• Expensive

• Complications

• Fragmentation, out of order, etc

• Could have similar deficiencies as CAN

• Spoofing

• Broadcast communications

• Carry known diagnostic data

• Security limitations usually revolve around diagnostic routines

• What about legitimate traffic?

Bus communications II

Bus communications III

• Remote compromise….

• Encryption

• Keys will have to reside somewhere the attacker can acquire them

• Diagnostic software or ECU itself

• Authentication

• Remote compromise will happen on a pre-authenticated ECU

• Authorization

• Legitimate messages will most likely be authorized

• Example: Pre-Collision System messages

Concerns: Connected Devices

Interconnectivity

http://upload.wikimedia.org/wikipedia/commons/0/07/PandaBoard_described.png

Familiar attack surface

http://www.akhbarelyoum.dz/ar/images/ghoughl__tttlk_altttbik_alkhas_bndham_Android_Auto_llsiarat.jpg

http://motorburn.com/wp-content/uploads/2014/03/Apple-CarPlay.jpg

http://blogs-images.forbes.com/andygreenberg/files/2014/07/screen-shot-2013-02-05-at-7-35-23-pm-1024x547.png

1-to-N

• Windows does not come with a VPN to Redmond, your vehicle does

• Owning 1 internal asset may lead to N compromised vehicles

http://electronicdesign.com/site-files/electronicdesign.com/files/uploads/2013/05/0606_Onthesafeside_fig3.gif

No carrier restrictions

Bad at secure coding

https://www.youtube.com/watch?v=LuWKXsteTNY

Concerns: Architecture

OBD-II connectivity

http://cdn2-b.examiner.com/sites/default/files/styles/image_content_width/hash/95/b7/95b774c969717ef38e9db8e54b2404c1.jpg?itok=e0nlongg

More data, more problems

http://www.zdnet.com/article/fords-big-data-experiments-can-it-transform-the-company/

http://vehicle-electronics.biz/sites/default/files/field/image/redbend.jpg

Desired Advancements

VSDL

http://blogs-images.forbes.com/tonybradley/files/2014/03/Memo1.png

Patching

IDS / IPS

Conclusions

• Let’s admit things are possible and there is a problem

• A breach is bad for everyone, not just the specific vendor

• Hard to justify security when there is no immediate threat

– MSFT 2006 v. MSFT 2014

– Server v. Client side

• Vehicle security is even harder than regular software security

– And more scrutinized

– People are concerned due to the possibility of physical harm

– We need to work together to improve the products we all use

• V2V will bring additional complications

• Patching is a HUGE problem right now

– OTA updates will help address the issue

• I’m Chris and I’m here to help!

Q&A

Thanks!

• Chris Valasek

• Director of Vehicle Security Research | IOActive

• [email protected]

