Michael Westra, CISSP June 2012 2012 BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then.

Slides:



Advertisements
Similar presentations
Automotive Embedded System Development in AUTOSAR
Advertisements

May 7, VP-GB Dr. Stefan Vieweg Intelligent communication vehicles Vodafones ad hoc presentation at the eSafety Workshop June 10, 2002 Vodafone Dr.
12 October 2011 Andrew Brown IMu Technology EMu Global Users Group 12 October 2011 IMu Technology.
| Copyright © 2009 Juniper Networks, Inc. | 1 WX Client Rajoo Nagar PLM, WABU.
TOOL OR TOY USING PERSONAL RESPONSE DEVICES IN INFORMATION LITERACY INSTRUCTION Patrick Griffis June 5, 2008.
Speaker Name, Title Windows 8 Pro: For Small Business.
From 0–60: Privacy and the New Generation of Connected Cars Josh Harris Director of Policy Future of Privacy Forum.
Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.
Global MP3 Geoffrey Beers Deborah Ford Mike Quinn Mark Ridao.
AASHTO Subcommittee on Maintenance Vehicle Communication Standards, Issues, & Potential Solutions July 19, 2011.
Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
© 2005 Mobile VCE Securing the Future: Device & Service Security Stephen Hope, FT R&D UK Ltd on behalf of Nigel Jefferies, Vodafone Chair.
Mobile Mobile OS and Application Team: Kwok Tak Chi Law Tsz Hin So Ting Wai.
Virtual Meetings Increasing Collaboration While Reducing Costs and Ensuring Business Continuity Ram Narayanaswamy CTO 8x8, Inc.
DAKNET Presented By: rreema.
University of Massachusetts Amherst InteLock TM Team: Emmanuel Seguin Josh Coffin Anh-Kiet Huynh Christos Tsiokos Remote Access and Proximity Key Advisor:
Welcome! Chicago Seminar Anton Hristov Sitefinity Product Strategy & Learn more at sitefinity.com Content Management System.
8/10/2015Windows 71 George South. 8/10/2015Windows Windows Vista Windows Vista was released in January 2007 some five years after Windows XP Vista.
Building an Application Server for Home Network based on Android Platform Yi-hsien Liao Supervised by : Dr. Chao-huang Wei Department of Electrical Engineering.
Solution Briefing Microsoft in the Enterprise Consumerization of IT.
For more notes and topics visit:
© Accenture 2002 April, 2002 European Telematics Survey Automotive OEMs at a Crossroad ?
9. Car-Borne Information System
1 Remote Management of Wireless Gateway Student Name: Dinesh D N (BITS ID: 2004HZ12158) MphasiS Technologies Ltd, Bangalore March 2006.
1. Windows Vista Enterprise And Mid-Market User Scenarios 2. Customer Profiling And Segmentation Tools 3. Windows Vista Business Value And Infrastructure.
Home API A Network-Independent Home Control Architecture Maurice Bizzarri Software Director Business Line Interconnectivity Philips Semiconductors.
Developing PC-Based Automobile Diagnostic System Based on OBD System Authors : Hu Jie, Yan Fuwu, Tian Jing, Wang Pan, Cao Kai School of Automotive Engineer.
STW’s Telematics for Mobile Equipment The Vehicle Data System (VDS) 31 July 2009, STW, Norcross, Bob Geiger.
Module 1: Server Roles and Initial Configuration Tasks
INTRODUCTION Bluetooth technology is code name for Personal Area Network (PAN) technology that makes it extremely easy to connect a mobile, computing device.
Copyright © 2011 EMC Corporation. All Rights Reserved. MODULE – 6 VIRTUALIZED DATA CENTER – DESKTOP AND APPLICATION 1.
Objectives Confirm our understanding of what host media processing is and is not Allow us to identify when it should be selected Save time by learning.
Module 7: Fundamentals of Administering Windows Server 2008.
Basic Concepts Of CITRIX XENAPP.
Mark J. Salamango Chief Pervasive Architect USA TACOM Tel: Fax: Pervasive Computing: Why did the logistics.
ITS Program Update Moving Towards Implementation of Wireless Connectivity in Surface Transportation Talking Freight Webinar January 19, 2011.
SAFETEXTER SAVING LIVES BEHIND THE WHEEL MICHAEL DOWDY DONOVAN HICKS KENNETH LEWIS DANNY THEPVONGSA.
ICT Strategy Intelligent Highways: Endpoint Adapters.
Consumerization of IT Microsoft in the Enterprise.
10/03/05 Johan Muskens ( TU/e Computer Science, System Architecture and Networking.
AVL Automatic Vehicle Locating Presented by WTH Technology, Inc.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
Motivations for Innovations in Operational Excellence Bruce Rodin VP – Wireless Technology Bell Canada.
Wireless and Mobile Security
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted Module 7.
Engineering Secure Software. Agenda  What is IoT?  Security implications of IoT  IoT Attack Surface Areas  IoT Testing Guidelines  Top IoT Vulnerabilities.
Internet of Things. IoT Novel paradigm – Rapidly gaining ground in the wireless scenario Basic idea – Pervasive presence around us a variety of things.
Module 9 Planning and Implementing Monitoring and Maintenance.
The Multilingual Web – Where Are We? Next Generation Localisation Josef van Genabith, CNGL & NCLT, DCU.
Cevgroup.org C utting E dge V isionaries. cevgroup.org TODAY’s TALK 1) Internet Of Things (IoT) 2) Wi-Fi Controlled Robots 3) Augmented Reality.
Cyber Security : Indian perspective. 22 Internet Infrastructure in INDIA.
Systems Analysis and Design in a Changing World, 6th Edition 1 Chapter 6 - Essentials of Design an the Design Activities.
Connected and Autonomous Vehicles Supply Chain Security
IS3220 Information Technology Infrastructure Security
Top 10 Differentiators.
OBD Inspection Using SAE J2534.
Internet of Things – Getting Started
M IND Q S YSTEMS Leaders in Training /7, 2nd Floor, Srinivasa Nagar Colony (W) Above HDFC Bank, S.R.Nagar Hyderabad
Software Architecture of Sensors. Hardware - Sensor Nodes Sensing: sensor --a transducer that converts a physical, chemical, or biological parameter into.
Security of In-Vehicle Software
<The Future of IVI and CE Connectivity> Pavel Stankoulov
ITEA3 Project: ACOSAR Advanced Co-Simulation Open System Architecture
Monitoring Robot Prepared by: Hanin Mizyed ,Abdalla Melhem
ASSET - Automotive Software cyber SEcuriTy
CYBERSECURITY FOR AUTONOMOUS VEHICLES
Windows Embedded Smart, Connected, Service Oriented Devices
Final Conference in Paris WP6 – Protection Profiles Specification
Android Developer Fundamentals V2
Network and security trends in connected cars
ETSI Contribution to 3rd Meeting of EC Expert Group on RRS
Presentation transcript:

Michael Westra, CISSP June BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then you don’t understand the problem and you don’t understand the technology.” - Bruce Schnieier

Page 2 June 2011 Agenda  Unique challenges that automotive faces  Overview of CAN (Controller Area Network)  SYNC, a real world example of security thinking that went into a product on the market  Security Posture  Sample features within a security framework  OEM perspective on where industry is going  Auto security industry in review  Technology trends

Page 3 June 2011 Automotive Challenges  Automotive is very long lived  Development 2-5 years  Lifetime 3-5+ years  Often in service for 10+ years  Vehicles in design today will be on the road 20 years from now  Collection of discrete modules from many vendors  Includes variety of hardware from 8-bit microcontrollers to 32-bit ARM processors connected  Unique service requirements  Right to service laws mandate that non-OEM locations have access to tools and mechanisms to perform service and update modules  Disconnected service scenarios

Page 4 June 2011 CAN (Controller Area Network)  Mental Model  Based on broadcast virtual electrical signals, not traditional network model  No authentication, assumed trusted, does not check source ID  Heavily affects how development proceeds  Structure  11-bit ID on broadcast  8 bytes of data per message  Multiple “slow” buses (500kbps)  Applications layered on this like TP (streaming), Diagnostics, Programming

Page 5 June 2011 SYNC Background  SYNC first generation:  Launched in fall of 2007  4 million units earlier this year  MyFord Touch, second generation of SYNC:  Launched in fall of 2010  No subscription required  Both products scheduled to be launched in all global markets within the next 18 months  Includes E911, Vehicle Health, and Traffic, Directions, and Information  Applink provides mobile phone application integration with the Sync UI

Page 6 June 2011 Current SYNC Features/Security Challenges  External interfaces  Bluetooth  Wi-Fi / USB Broadband / Network connectivity  Mobile Application Integration  Telematics  USB  Software Updates  Wireless Factory Provisioning  USB Updates  Playback of protected Media Content  CAN Interaction  Phonebook Integration  Large external attack surface.  Application Validity  Software Integrity Assurance  DRM/ Licensing  Protect the Vehicle Bus  Personally identifiable information (PII) considerations

Page 7 June 2011 General Security Lessons  Start by defining your product’s security posture.  Every device can be hacked with sufficient time, expertise, and motivation  Define what is worth protecting and to what level  An example from SYNC  A successful attack should require physical access to the internals of the module  A successful attack of one device should not be transferrable to immediately hack all devices  A general perimeter security architecture including hardware should be used to protect the most sensitive components  External non-hardwired or user accessible interfaces should be hardened as much as possible with multiple levels of protection

Page 8 June 2011 SYNC Security Challenges (continued)  Protect the Vehicle interface at all costs  …or to the same level as physical interfaces for serviceability currently mandated by law

Page 9 June 2011 Wi-Fi Provisioning  First in industry to dynamically download large volumes of data on the moving assembly line  Configure SYNC with language and other unique configuration on the moving assembly line  This completely automated process results in the conversion of labor-related expenses, allows for flexibility of future application upgrades

Page 10 June 2011 Mobile Application Integration  Different Application Integration Models  MirrorLink  Applink  Signature/Gateway Application  Security Implications  Each model has different going-in security assumptions Apps are trusted or untrusted Assumptions about spoofing applications Apps are hosted, directly displayed, interact via an API  Not just security, Driver Distraction is an even larger concern (but ties back to first concern)

Page 11 June 2011 Auto security in review  UW papers  What could be controlled via CAN with physical access  How might remote access be achieved  TPMS hacks  Various demonstrations for keyless entry transponders

Page 12 June 2011 Where this technology is going…  Car industry is where PC industry was 15 years ago  But can benefit from their security learning  Fully Internet addressable fleets of automobiles  Increased integration with mobile applications  Continued democratization of technology  Global view, All vehicle levels (not just high-end)  Vehicle environment is different than mobile  Eyes on the road, Hands on the wheel  Safety around vehicle interfaces

Page 13 June 2011 Where the industry is going…  Security of major interfaces is getting a lot more attention (and press)  OEMs also have legal serviceability requirements that force a certain level of openness and commonality  It makes sense for more collaboration between OEMs, suppliers, academia  Anyone’s failure gives everyone a black-eye  Active work starting with a new SAE working group and others forums

Page 14 June 2011 Thank-you

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.