1. Michael Westra, CISSP June 2012 2012 BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then you don’t understand the problem and you don’t understand the technology.” - Bruce Schnieier

2. Page 2 June 2011 Agenda  Unique challenges that automotive faces  Overview of CAN (Controller Area Network)  SYNC, a real world example of security thinking that went into a product on the market  Security Posture  Sample features within a security framework  OEM perspective on where industry is going  Auto security industry in review  Technology trends

3. Page 3 June 2011 Automotive Challenges  Automotive is very long lived  Development 2-5 years  Lifetime 3-5+ years  Often in service for 10+ years  Vehicles in design today will be on the road 20 years from now  Collection of discrete modules from many vendors  Includes variety of hardware from 8-bit microcontrollers to 32-bit ARM processors connected  Unique service requirements  Right to service laws mandate that non-OEM locations have access to tools and mechanisms to perform service and update modules  Disconnected service scenarios

4. Page 4 June 2011 CAN (Controller Area Network)  Mental Model  Based on broadcast virtual electrical signals, not traditional network model  No authentication, assumed trusted, does not check source ID  Heavily affects how development proceeds  Structure  11-bit ID on broadcast  8 bytes of data per message  Multiple “slow” buses (500kbps)  Applications layered on this like TP (streaming), Diagnostics, Programming

5. Page 5 June 2011 SYNC Background  SYNC first generation:  Launched in fall of 2007  4 million units earlier this year  MyFord Touch, second generation of SYNC:  Launched in fall of 2010  No subscription required  Both products scheduled to be launched in all global markets within the next 18 months  Includes E911, Vehicle Health, and Traffic, Directions, and Information  Applink provides mobile phone application integration with the Sync UI

6. Page 6 June 2011 Current SYNC Features/Security Challenges  External interfaces  Bluetooth  Wi-Fi / USB Broadband / Network connectivity  Mobile Application Integration  Telematics  USB  Software Updates  Wireless Factory Provisioning  USB Updates  Playback of protected Media Content  CAN Interaction  Phonebook Integration  Large external attack surface.  Application Validity  Software Integrity Assurance  DRM/ Licensing  Protect the Vehicle Bus  Personally identifiable information (PII) considerations

7. Page 7 June 2011 General Security Lessons  Start by defining your product’s security posture.  Every device can be hacked with sufficient time, expertise, and motivation  Define what is worth protecting and to what level  An example from SYNC  A successful attack should require physical access to the internals of the module  A successful attack of one device should not be transferrable to immediately hack all devices  A general perimeter security architecture including hardware should be used to protect the most sensitive components  External non-hardwired or user accessible interfaces should be hardened as much as possible with multiple levels of protection

8. Page 8 June 2011 SYNC Security Challenges (continued)  Protect the Vehicle interface at all costs  …or to the same level as physical interfaces for serviceability currently mandated by law

9. Page 9 June 2011 Wi-Fi Provisioning  First in industry to dynamically download large volumes of data on the moving assembly line  Configure SYNC with language and other unique configuration on the moving assembly line  This completely automated process results in the conversion of labor-related expenses, allows for flexibility of future application upgrades

10. Page 10 June 2011 Mobile Application Integration  Different Application Integration Models  MirrorLink  Applink  Signature/Gateway Application  Security Implications  Each model has different going-in security assumptions Apps are trusted or untrusted Assumptions about spoofing applications Apps are hosted, directly displayed, interact via an API  Not just security, Driver Distraction is an even larger concern (but ties back to first concern)

11. Page 11 June 2011 Auto security in review  UW papers  What could be controlled via CAN with physical access  How might remote access be achieved  TPMS hacks  Various demonstrations for keyless entry transponders

12. Page 12 June 2011 Where this technology is going…  Car industry is where PC industry was 15 years ago  But can benefit from their security learning  Fully Internet addressable fleets of automobiles  Increased integration with mobile applications  Continued democratization of technology  Global view, All vehicle levels (not just high-end)  Vehicle environment is different than mobile  Eyes on the road, Hands on the wheel  Safety around vehicle interfaces

13. Page 13 June 2011 Where the industry is going…  Security of major interfaces is getting a lot more attention (and press)  OEMs also have legal serviceability requirements that force a certain level of openness and commonality  It makes sense for more collaboration between OEMs, suppliers, academia  Anyone’s failure gives everyone a black-eye  Active work starting with a new SAE working group and others forums

14. Page 14 June 2011 Thank-you