Electronic Safety and Security - New Challenges for the Car Industry

Presentation transcript:

Electronic Safety and Security - New Challenges for the Car Industry
Ross Anderson
Cambridge University

Vehicle Design and Infosec
- Until now, infosec mechanisms were added to vehicles piecemeal with new features
- Remote locking, digital tachographs, toll tags, stolen vehicle tracking, …
- They are now starting to interact - a systems view is needed
- They also interact with safety systems such as ABS, traction control, firmware upgrade …
- As more and more safety and security features are demanded, the problem will get worse
- There are also serious competitive issues

Outline of Talk
- Key entry, immobilisers - and carjacking
- Tachographs, speed limiters, lojack
- Road pricing
- Engine management unit hacking
- GPRS firmware update; platform issues
- Feature interactions and screen-of-death
- Aftermarket control and IP enforcement

First Crypto App - Key Entry
- Keys, RKE, immobilisers
- F -> E: {N, R}_KF
- N is a ‘nonce’, for ‘number used once’ - a serial number, random number, or even a random challenge from E
- How do you manage the keys - especially with many criminals working in the garage trade?
- Details not trivial - can a thief use a grabber to record and replay? What about a valet parking attendant? Separate codes for lock and unlock?
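
The key-entry message above, as an added Python example that is not part of the original slides: the receiver E accepts a message from the fob F only if it is authentic under KF and its nonce N is newer than the last one accepted, so a recorded message is rejected when replayed. Assumptions: N is a counter, HMAC-SHA-256 stands in for the slide's {N, R}_KF encryption, R (which the slide does not define) is treated as the lock/unlock request, and `WINDOW`, `TAG_LEN` and all names are hypothetical.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumed: how far ahead of the last accepted N the receiver looks
TAG_LEN = 8   # assumed: truncated tag, to suit a short radio frame

def fob_message(key: bytes, n: int, request: bytes) -> bytes:
    """F -> E: N, R, MAC_KF(N, R). HMAC stands in for the slide's {N, R}_KF."""
    body = struct.pack(">I", n) + request
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Receiver E: holds KF and the highest N it has accepted so far."""

    def __init__(self, key: bytes, last_n: int = 0):
        self.key = key
        self.last_n = last_n

    def accept(self, msg: bytes):
        """Return the request R if msg is authentic and fresh, else None."""
        if len(msg) <= 4 + TAG_LEN:
            return None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # wrong key, or N / R altered
        (n,) = struct.unpack(">I", body[:4])
        if not self.last_n < n <= self.last_n + WINDOW:
            return None                      # already seen, or too far ahead
        self.last_n = n                      # N is now used up
        return body[4:]

def demo():
    key = bytes(range(16))                   # constructed sample key
    car = Receiver(key)
    unlock = fob_message(key, 1, b"UNLOCK")
    first = car.accept(unlock)               # fresh: accepted
    replay = car.accept(unlock)              # same bytes again: rejected
    # Buttons pressed out of range: N = 2..4 never reach the car.
    later = car.accept(fob_message(key, 5, b"LOCK"))
    stale = car.accept(fob_message(key, 3, b"UNLOCK"))   # older than last N
    forged = car.accept(fob_message(bytes(16), 6, b"UNLOCK"))
    return first, replay, later, stale, forged

if __name__ == "__main__":
    print(demo())
```

Because R is covered by the tag, a recorded lock message cannot be turned into an unlock message, which is one answer to the slide's question about separate codes for lock and unlock.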

Design detail …

Extending the technology
- Easy extension of remote key entry technology - home garage door openers
- Slightly further extension - access to municipal and company parking garages
- Chamberlain vs Skylink case - is it possible to use a patent or copyright on your crypto to block compatible products and control aftermarkets?
- So far - not (EU Software Directive) but being fought over (IP Enforcement Directive)
- Similar technology used in printer ink cartridges, mobile phone batteries, computer games …

Monitoring Systems
- Increasing number of monitoring systems for drivers’ hours, vehicle location, engine use, airbag deployment, …
- Many more being planned, for example for next-generation road pricing
- Introduce tensions between vehicle owner or driver, and some third party
- Is this a safety system, which helps me, or a control system which restricts me?
- The tension can undermine safety

Traditional Technology

Tachographs
- Falling asleep at the wheel causes 16% of accidents on normal roads, 23% on motorways
- This compares with alcohol causing 3.1% of accidents in the UK, 9.5% in Germany
- EU requires that heavy goods vehicles have tachographs to monitor drivers’ hours
- They are also used to investigate accidents and toxic waste dumping, and to deter theft of fuel
- They are commonly linked to speed limiters

Attacks on Tachographs (1)
- Survey of over 1000 convictions in 1998
- Procedural exploits were 68% of all driver offences, 71% of all operator offences
- Typical method: ghosting
- Collusion between drivers and employers
- Even worse in places like Benelux, near many borders

Alice, Bob and Charlie

Attacks on Tachographs (2)
- 25% of driver offences and 21% of operator offences involved tampering with power, impulses, cables and seals
- Short the cable, or put a switch in it
- Replace the fuse with a blown one (with safety consequences for Iveco trucks!)
- State-of-the-art: the radio-controlled interruptor
- UK police view: the move from mechanical rotating cables to digital electronics had made tampering easier

Attacks on Tachographs (3)
- Tampering with the tachograph head itself accounted for only 5% of driver offences and 7% of operator offences
- Tricks: bend the stylus, insert a wire to jam the mechanism, reduce the supply voltage, wire a flasher unit in series, introduce Trojan circuitry in the instrument …
- This sort of manipulation can be made much harder with modern electronics - but it’s not the main problem!

Scope of the Problem
- If enforcement perfected, or abandoned, annual cost could be ±500 lives
- Some very capable opponents, e.g. firms with over 1000 trucks, many convictions
- Widely different national enforcement - e.g., Dutch do audits, Britain does roadside checks
- Secondary hazards, e.g. speed limiters lead vendors to de-rate tyres and brakes
- Drive to integrate electronics means that tachograph defeats will affect more other systems too, e.g. ABS

Knock-on effects
- EU Tachosmart project set up to replace paper-disk systems with smartcards
- Security solves the wrong problems - see my paper ‘On the Security of Digital Tachographs’. BSI agreed - but Britain and Germany lost the vote in Brussels
- New digital systems are easier to hack, and procedural defeats will be easier still during 10-year roll-out period
- UK government response - GPS-based road pricing to be mandatory for all trucks by 2006
- Cars may have to install it by 2010

Public fears of Big Brother… Sunday Times August 3 2003

Firmware Issues
- People re-chip car engines - a legitimate aftermarket, or a threat to safety?
- Diesel engine controllers - drivers induce failure in de-rated engine controllers (so there’s a supply chain issue)
- Now manufacturers want to manage and upgrade firmware via GPRS
- Police want a law-enforcement-initiated engine deceleration command for any GSM cell
- But mobile phones are easy to hack - expect viruses, as with PCs. What could viruses do?

How are car and computer dependability different?
- Computer industry is young (50y vs 120y) and technology not stable yet
- Time-to-market is critical
- Design and implementation complexity are both high
- Products general rather than specific
- Result: most security failures due to opportunistic exploits of bugs, blunders
- See my paper ‘Why Cryptosystems Fail’

How are car and computer economics different?
- Customer lock-in has some importance for car makers (spare parts) but for computer companies it’s all-important
- Shapiro-Varian theorem: value of a software company = total switching costs of all customers
- E.g. law firm with 100 staff paying $500 a seat for Office - would cost $50,000 to train staff on OpenOffice, convert files …
- So controlling lock-in is critical. That’s why it’s harder to change from PC -> Mac than from Mercedes -> BMW

How do Information Security and Economics Interact?
- ‘Information Rights Management’ tools in Office 2003 / Trusted Computing move control of a file from the machine owner to the file creator
- So the law firm with 100 staff needs not just $50,000 in training to move to OpenOffice, but digital certificates from all its 5000 clients!
- Customer lock-in will increase; so will the value of Microsoft’s software business
- Also: big battle to extend control from PC platform to DRM, to mobile phone platform…
- See my ‘Trusted Computing FAQ’ and workshops on economics and infosec

Who has control?
- In one application after another, security has become a struggle for value chain control
- Mobile phones - will the user, network operator or DRM vendor control software?
- PCs - will ‘Trusted Computing’ give (even more) control to Microsoft?
- RFID - power to the brands, or to the retailers?
- I will cooperate with a security mechanism (works in my interest) but with a control mechanism (works in someone else’s interest)?
- And when a mechanism mixes safety and control (as with the Iveco ABS implementation)?

Franz-Josef Paefgen, who runs VAG’s Bentley business, actually drives a 1956 Morris Minor

Security Engineering
- Security engineering is about building systems to remain dependable in the face of malice, error or mischance
- It focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt them as their environment evolves

Conclusions
- Until now, the various safety and security mechanisms in a car could be designed in isolation
- Even so, designers often reinvented the wheel
- Now that all the systems start to talk to each other, a systems approach is vital
- The issues are not just technical - business models are involved too
- Vehicle engineers should study the lessons available from other sectors