Network and security trends in connected cars
Alexios Lekidis
alexis.lekidis@forescout.com
a.lekidis@tue.nl

Why is automotive security challenging?
- Related to safety
- Complexity of in-vehicle networks

- Overview of in-vehicle architectures
- Threat landscape
- Suggested security mechanisms

Automotive architecture
Consists of different data networks:
- Legacy systems, where new technologies take many years to replace old ones
- Low-cost technologies with multiple resource constraints
- Changing a simple component may require changes to, and testing of, the entire system

Entering the in-vehicle network
[Figure: in-vehicle network around a central gateway. Labels recovered from the diagram:]
- External interfaces: GPS, Diagnostic, USB, GSM/GPRS, Bluetooth, DSRC
- Buses: CAN, MOST protocol, FlexRay, LIN
- Functions: Engine control, Steering control, Instrument cluster, Head Unit, Audio, Video, Transmission control, Air Bag control, Climate control, Navigation, Power train sensors, Braking system, Door locking, Telephone

In-vehicle protocol usage
Protocol | Abbreviation | Description
CAN | Controller Area Network | Inexpensive low-speed serial bus
CAN FD | With Flexible Data Rate | Extension to CAN
FlexRay | N/A | General purpose high speed protocol with safety-critical features
LIN | Local Interconnect Network | Low cost in-vehicle sub-network
MOST | Media Oriented Systems Transport | High speed multimedia interface
Automotive Ethernet | | Ongoing development for infotainment and active safety

Background on Controller Area Network (CAN)
- Serial communication protocol
- Multi-master message model
- Any node receives/transmits messages
- No addressing, use of ID
- CSMA/CA
- Priority determined by ID (low ID = high prio)
- Messages are sent/received:
  - Periodically
  - On request
- Also used in trucks, ships, railway systems, elevators, …

Attack surfaces
[Figure: attack surfaces of the vehicle. Labels recovered from the diagram:]
- Components: OBDII, Tire Pressure Monitoring Sensor, Head Unit, Keyless entry, Central Gateway, Telematics Control Unit
- Access types: Direct access, Short-range access, Long-range access
- Medium observation in broadcast messages

Attack scenario
[Figure, repeated on each step: OBDII, Brake Control Unit, Central Gateway, Telematics Control Unit, Head Unit]
- Sniff the telematics system IP address
- Random generator of Bluetooth PIN / WiFi WPA password
- Move to safety bus from telematics system
- Disengage brakes or kill engine

Categories of security mechanisms
- Physical security: tampering protection mechanisms and tamper-proof devices
- Digital signatures and certificates
- Firewall
- Gateway
- Honeypot
- Software security
- Intrusion detection systems
- Intrusion prevention systems

Digital signatures and certificates
Pros:
- Widely adopted, as it provides a security solution that is fast to design and implement
Cons:
1) Performance requirements can only be met when dedicated hardware is provided to accelerate the algorithmic execution
2) Infected ECUs can still send valid compromised messages

Firewall
Based on the definition of the CAN in Automation (CiA) 447 profile
Pros:
1) Verification of message validity
2) Whitelist IP rules
Cons:
1) Frequent rule updates required, while security updates on cars are not frequent
2) Bypassed by attacks that impersonate a legitimate ECU

Intrusion detection/prevention systems (IDS/IPS)
Monitoring of V2X and in-vehicle activity and detection of suspicious and anomalous behavior:
- Flow of data exchange
- Deep data inspection and analysis
Can operate at the level of:
- Host application
- Communication network
Pros:
- Protection against zero-day attacks
- Frequent update
Cons:
- Requires learning the normal system behavior to detect anomalies
[Figure: hybrid approach combining signatures and behavior. Normal network data parsed by IDS; abnormal network data parsed by IDS; output: alerts/logs]

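The learning requirement and the hybrid signature/behavior approach can be illustrated with a small detector over CAN frame timing, using the fact that CAN messages are identified by ID and often sent periodically. This is an added example, not code from the slides or from any ForeScout product; the function names, the 0.5 tolerance and the sample IDs and periods are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def learn_baseline(frames):
    """Learning phase: median inter-arrival time (ms) per CAN ID in clean traffic.
    frames: time-ordered (timestamp_ms, can_id) tuples."""
    last_seen, gaps = {}, defaultdict(list)
    for ts, can_id in frames:
        if can_id in last_seen:
            gaps[can_id].append(ts - last_seen[can_id])
        last_seen[can_id] = ts
    # An ID seen only once is known but has no period to compare against.
    return {cid: (median(gaps[cid]) if gaps[cid] else None) for cid in last_seen}

def detect(frames, baseline, tolerance=0.5):
    """Detection phase: return (timestamp_ms, can_id, reason) alerts."""
    last_seen, alerts = {}, []
    for ts, can_id in frames:
        if can_id not in baseline:
            # Signature-style rule: ID never observed during learning.
            alerts.append((ts, can_id, "unknown-id"))
        elif baseline[can_id] is not None and can_id in last_seen:
            period, gap = baseline[can_id], ts - last_seen[can_id]
            # Behavior rules: gap deviates from the learned period by more
            # than the tolerance fraction, in either direction.
            if gap < period * (1 - tolerance):
                alerts.append((ts, can_id, "too-frequent"))
            elif gap > period * (1 + tolerance):
                alerts.append((ts, can_id, "late"))
        last_seen[can_id] = ts
    return alerts

# Constructed sample traffic (not a real capture): ID 0x0C0 every 10 ms,
# ID 0x1A0 every 100 ms. All IDs and periods here are made up.
CLEAN = sorted([(t, 0x0C0) for t in range(0, 1000, 10)] +
               [(t, 0x1A0) for t in range(0, 1000, 100)])
# Live traffic: same schedule, plus two extra 0x1A0 frames and one unseen ID.
LIVE = sorted([(t, 0x0C0) for t in range(0, 300, 10)] +
              [(t, 0x1A0) for t in (0, 100, 200)] +
              [(120, 0x1A0), (140, 0x1A0), (150, 0x555)])

if __name__ == "__main__":
    for alert in detect(LIVE, learn_baseline(CLEAN)):
        print("t=%d ms id=0x%03X %s" % alert)
```
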
Vehicle cybersecurity at a glance
- Traffic encryption
- Firewall protection
- Anomaly detection (i.e. IDS)
- Misuse/threat distinction
- Incident response

Reaction upon attack detection
- Turning the car into “limp” mode
  - Partial networking functionality
  - Main ECUs functioning with lower performance
  - Car can be restored when any malicious activity is prevented
- Indications to the manufacturer
- Alarms to the driver?

Security research in automotive systems
APPSTACLE: open standard APplication Platform for carS and TrAnsportation vehiCLEs
Goals:
- Open and secure cloud platform
- Interconnecting a wide range of vehicles to the cloud via open in-car and Internet connection
- Supported by an integrated open source software development ecosystem
ForeScout IDS systems for end-to-end security in automotive environments
- Detection of known and unknown in-vehicle threats
- Support of different in-vehicle networks