State of Security and Reliability of Connected Car EcoSystem Atul Prakash Department of EECS University of Michigan, Ann Arbor Contact: aprakash@umich.edu

Our Research & Expertise Security of IoT Frameworks Some recent accomplishments: FlowFence: Practical Data Protection for Emerging IoT Application Frameworks USENIX Security, 2016 Analyzed security of Samsung's SmartThings IoT framework and hub-based architecture. IEEE Security and Privacy Distinguished Practical Paper, 2016

Lines of Code in an Automobile Source: Information is beautiful.net Source: Inforamtionisbeautiful.net

Reliability concerns Software is complex. Real-time requirements in many sub-systems. Large body of code implies existence of bugs Increasing attack surface over time Network access, Use of OBD-II port for tasks other than diagnostics

Do bugs have real-world impact? Unquestionably. Ford Sync and Consumer Reports ratings Toyota brake/accelerator issue? Driver death when Tesla was in auto-pilot mode Chrysler recall: remote attack vulnerabilities in 2015

Reliability Challenge Google/Facebook bug vs. bug in an automobile. Criticality? Size of software teams? Open source vs. closed source Where would top software engineering talent go today? Facebook? Auto companies? Why? Bug bounty programs? How do they compare?

A Bay Area company's Bug Bounty program

Auto Companies Bug Bounty Program Great to see them come into existence Awards: Chrysler: $150 to $1500 GM. Hall of Fame. Not sure if there is a reward Ford? Not sure if one exists yet

One auto company: What bugs don't count? Denial of service attacks Report of insecure SSL/TLS ciphers Open ports which do not lead directly to vulnerability Open redirect vulnerabilities Publicly accessible login panels Content spoofing/text injection

Posture towards those reporting bugs A Bay Area company:

Posture towards those reporting bugs One auto company X agrees to not pursue claims against researchers related to the disclosures submitted through this website who: … publicly disclose vulnerability details only after X confirms completed remediation of the vulnerability and not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained;

Which policy works for researchers? A driving force for top researchers: conference deadlines My own team's experience: Vulnerabilities in SmartThings platform Vulnerabilities on banking web sites At most a few months window for us to hold back public disclosure Auto companies may need to adapt to such a time scale

Are connected cars risky? Remote Exploit of an Unaltered Jeep Cherokee, Black Hat 2014. 2015 demo (Chris Valasek and Charlie Miller) 1.4M vehicle recall of Chrysler Vehicles. Multiple 2013-15 models recalled.

Basics of the Hack WiFi (crack password) -> Head Unit (Linux) Alternative: Cellular network -> Head Unit (Linux) From there, compromised Multimedia System an then the CAN bus.

Was this the earliest attack? No. It just got a lot of attention since the identity of the vehicle was revealed. Similar attack demonstrated earlier by a UCSD-UW team of researchers in 2010-2011 on an unidentified car (at that time) In 2010, at IEEE S&P, they showed that CAN bus is insecure. Physical access to the OBD-II port, for example, allowed full compromise of the car In 2011, at Usenix Security, they showed remote exploits

Attacks on Car Platforms 2010-11 research by UCSD & UW

Key takeaways Can cars be completely compromised if attackers get access to the CAN bus? Yes. ECUs can be reprogrammed with new firmware, commands can be injected to control actuators and devices or to control ECUs. Also, backup safety systems can be blocked from communicating

Response time for security fixes For 2010-11 attack, according to a Wired article, it was a GM Impala vehicle. Researchers shared the attack details with GM, but not with the public (nor the identity of the vehicle). It took GM approximately 5 years to fix. For 2015 attack, identity of the vehicle was made public. It led to a quick recall and fix by Chrysler.

Lesson? Reveal Did revealing the identity of the vehicle have to do with a quicker response? Or differences in car companies? More likely that the auto industry were not ready to handle security issues in 2010, but is now much better According to UW-UCSD researchers, it would have been a bad idea to reveal the car's identity in 2010-11, given the nascent state of automobile security at the time

How fundamental are the problems? CAN bus: 30-year old design. No security features. All bets off once a hacker accesses the CAN bus via any component on the bus or via the OBD port Retrofitting security in the standard likely hard or impossible (though companies are trying) Likely: CAN bus needs to be replaced by a more secure standard

What about "air gap"? Car companies try to isolate infotainment systems from safety-critical systems. In practice, air gap is often not a true air gap. Shared components can breach the gap In exploited Jeep, the Multimedia Unit was not directly on the CAN bus. Nevertheless, attackers were able to get on the CAN bus

OBD-II port Law since 1996 requires a standard diagnostic port for mechanics. Directly on the CAN bus Multiple of devices available that plug into the port, some with apps.

Are security problems still there? Yes! Fundamentally, they never went away They continue to be discovered. Same 2014 Jeep was attacked again at BlackHat 2016 via a different attack vector Sevearl papers at IEEE Security and Privacy 2016 and Usenix Security Symposium 2016 on automotive security

Are attackers incentivized to exploit them? Jury is out, but history on other platforms suggests Yes. Ransomware, creating nuisance, eavesdropping and privacy leaks, and targeted attacks: all theoretically possible State actors should not be ruled out

What can car companies do? Emulate software companies like Google, Facebook, Apple, and Microsoft Work closely with academic security researchers. Car communication infrastructure needs re-think. Be more open. Security by obscurity usually does not work Assume that motivated hackers will eventually be there as connected cars become more popular and share software components. Some predictions: Ransomware to allow car use We will be getting weekly or monthly software upgrades