Data Security for IP-based Ethernet Communication in Automotive Networks Marko Wolf, Lars Wolleschensky ESCRYPT – Embedded Security 3rd Automotive Ethernet Technology Day, Leinfelden-Echterdingen, 26.09.2013
Marko Wolf and Lars Wolleschensky | Data Security for IP-based Ethernet Communication in Automotive Networks
26.09.2013
1
[email protected]
Hacking Cars is Already Real! What comes next with Ethernet and IP?
Video teaser (not available for PDF)
You probably already know… Vehicle computerization & communication increase exponentially!
[Figure: number of interconnections and available bandwidth plotted over time: before yesterday, yesterday, today, tomorrow]
– Inside the vehicle, for instance:
  • Infotainment, rear seat TV
  • Software download
  • Park & maneuver cameras
– Outside the vehicle, for instance:
  • Integration of consumer devices
  • (Remote) diagnostics
  • Internet access
  • Car-2-X
Comparison: Today's Multi-Bus vs. Future Ethernet-Based Networks
Criteria | Today's multi-bus, central gateway-controlled networks | Future Ethernet-based switched IP networks
Simplicity | - : complex, heterogeneous, multi-protocol gateways | ++ : very homogeneous with (mostly) layer 2 switches
Flexibility | - : difficult to extend/adapt new subnet (within subnets easy) | ++ : easy to extend/adapt new or within subnets
Performance | + : depends on bus type | ++ : up to several GBit/s
Real-time cap. | ++ : well-proven over decades | - : capable, but not invented for
Direct connections | only indirectly possible | + : possible
Safety | + : CRC + bus-specific measures | + : CRC, block codes
Security | none | o : add-ons (IPv4), IPsec (IPv6)
Costs | - : small-batch automotive-specific production | + : global mass production also for non-automotive
Standardization | + : standards w/ large diversity | -- : standard with little diversity
Vehicle security? Attack points shown on the slide's vehicle diagram:
Components: e-Call module, head unit, Car2X, central gateway, OBD diagnosis, engine control, drive recorder, brake actuator, ESP
Attack examples:
– Malware/hackers via Bluetooth vulnerability
– Malware via manipulated audio CD
– GSM modem attack to access car internals
– Malware/hackers via cellphone vulnerability
– Hacking remote key fobs
– Cloning remote key fobs
– Disable safety locks
– Chip tuning, steal IP, manipulate mileage
– Execute unauthorized commands
– Attacks on remote diagnosis & telematics
– Delete, manipulate, disable logging; privacy infringement
– Steal intellectual property
– Install counterfeit parts
– Manipulate brakes via fake/malicious CAN messages
Already real-world impacts? Some successful attack incidents:
– University of California San Diego & University of Washington: onboard (2010) & remote (2011) hacking of an unnamed but real-world car (http://www.autosec.org)
– Some successful real-world remote key attacks: DST40 (2005), KEELOQ (2008), or MEGAMOS (2013)
– DefCon 21 (2013): Miller et al. published a car hacking manual incl. all tools for Toyota Prius & Ford Focus (http://blog.ioactive.com/)
Larger real-world impacts are still rare, but not deniable, e.g.:
– Economic: odometer manipulation, chip tuning, car theft…
– Legal: digital tachograph, chip tuning, counterfeits…
– Privacy: On-Star eavesdropping, tracking via TPMS or GSM, eCall…
– Safety: Not yet, but you never know… cf. M. Hastings car crash
Automotive Security Real-World Impact: Car Thefts in Germany Source: Gesamtverband der Deutschen Versicherungswirtschaft (GDV)
Status Quo: Out of the Box Security of (Automotive) Ethernet
– Protection against message manipulations? Limited (IPv6).
– Protection against message injections/spoofing? No.
– Protection against message eavesdropping? No.
– Protection against message repudiation? No.
– Protection against message replay attacks? No.
– Protection against message relay attacks? No.
– Protection against denial of service attacks? No.
– Protection against unauthorized access? Limited (depends).
– Protection against endpoint attacks? Limited (depends).
How to Secure the IP based Ethernet Channel? Some recommendations.
Protection Measure | Realizes | Applicable for Automotive Domain?
Perimeter defense (router, firewall, etc.) | 1st level access control | Yes, at gateway or at powerful ECU; basic ACL at all ECUs possible
Internal defense (host and network based IDS, etc.) | 2nd level access control | Yes, at gateway or at powerful ECU; basic IDS reporting at all ECUs possible
IP based security protocols that realize various security goals on different layers, e.g., IPsec, MAC filtering | message authentication, message confidentiality, endpoint authentication, … | Possible, use case dependent; might need automotive adaptations and backend infrastructures (e.g., for key distribution)
Slide colour legend: solution already exists / solution still limited
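The first two rows of the table, 1st level access control (an allowlist at the gateway) and 2nd level access control (basic IDS reporting), combined into one gateway-style filter. This is an added example, not code from the slides or from ESCRYPT; the 10.1/10.2/10.3 subnet layout, the rules, the alert threshold and the traffic sample are all constructed for the illustration (13400 is used as the DoIP port number here, an assumption of the example).

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Counter as CounterT, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src: str      # IPv4 source
    dst: str      # IPv4 destination
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR of permitted sources
    dst: str               # CIDR of permitted destinations
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"

    def matches(self, f: Frame) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


# Constructed domain layout (assumption of this example):
#   10.1.0.0/24 infotainment, 10.2.0.0/24 diagnostics, 10.3.0.0/24 powertrain
RULES: List[Rule] = [
    Rule("10.1.0.0/24", "10.1.0.0/24", None, None, "allow"),     # infotainment talks only to itself
    Rule("10.2.0.10/32", "10.3.0.0/24", "tcp", 13400, "allow"),  # only the tester reaches powertrain, DoIP port
    Rule("10.3.0.0/24", "10.3.0.0/24", "udp", None, "allow"),    # powertrain-internal control traffic
]
DEFAULT_ACTION = "deny"   # allowlist: anything not explicitly permitted is dropped


def decide(f: Frame, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; fall back to the default action (1st level access control)."""
    for r in rules:
        if r.matches(f):
            return r.action
    return DEFAULT_ACTION


def run_gateway(frames: List[Frame], rules: List[Rule] = RULES,
                alert_threshold: int = 3) -> Tuple[List[Frame], CounterT, List[str]]:
    """Forward allowed frames; count denials per source and raise an IDS alert
    for any source that hits the threshold (basic 2nd level reporting)."""
    forwarded: List[Frame] = []
    denials: CounterT = Counter()
    for f in frames:
        if decide(f, rules) == "allow":
            forwarded.append(f)
        else:
            denials[f.src] += 1
    alerts = sorted(src for src, n in denials.items() if n >= alert_threshold)
    return forwarded, denials, alerts


# Constructed traffic sample, not captured data
SAMPLE: List[Frame] = [
    Frame("10.1.0.5", "10.1.0.7", "udp", 5000),      # rear seat TV stream: allowed
    Frame("10.2.0.10", "10.3.0.20", "tcp", 13400),   # tester to engine ECU: allowed
    Frame("10.1.0.5", "10.3.0.20", "tcp", 13400),    # head unit to engine ECU: denied
    Frame("10.1.0.5", "10.3.0.21", "udp", 5000),     # head unit to brake ECU: denied
    Frame("10.1.0.5", "10.3.0.22", "udp", 5001),     # head unit to ESP: denied, third strike -> alert
    Frame("10.3.0.20", "10.3.0.21", "udp", 6000),    # engine to brake control traffic: allowed
]

if __name__ == "__main__":
    fwd, den, al = run_gateway(SAMPLE)
    print(len(fwd), "forwarded;", dict(den), "denied;", "alerts:", al)
```

The allowlist default is the important design choice: a head unit that is compromised via one of the paths on the "Vehicle security?" slide can then only reach its own domain, and the denial counter gives the gateway something to report even before any full IDS exists.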
How to Secure the IP based Ethernet Endpoints? Some recommendations.
Protection Measure | Realizes | Applicable for Automotive Domain?
Hardware security module (HSM) | Encapsulates security services into hardware + limited physical security | Yes: SHE, SHE+, HSM, EVITA full / V2X HSM
Secure data update | Enforce authenticity & confidentiality of original software | Yes, e.g., secure firmware update
Secure boot | Enforce platform authenticity & integrity | Yes, protecting critical ECUs (mostly SW only)
Mandatory access control | Enforce usage authorizations | Yes, e.g., secure debug, but sometimes limited
Virtualization (with hardware support) | Runtime isolation to contain/prevent impacts of software executed in parallel | Yes, even real-time capable virtualization
Security auditing and risk assessment | Identifies and mitigates security risks |
Security engineering | Complete security development process incl. lifetime support | Yes, already being done, but often not mandatory, proprietary, and not complete
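Secure boot and secure data update from the table, shown together because they share one mechanism: a MAC over the firmware image under a key that only the ECU's hardware security module holds. This is an added example and not code from the slides, ESCRYPT or any SHE/HSM vendor; HMAC-SHA256 stands in for the AES-CMAC a SHE-class module would compute, the keys, image bytes and version numbers are constructed, and the confidentiality part of a secure update (an encrypted image) is left out.

```python
import hashlib
import hmac
from typing import Any, Dict

# Constructed keys: on a real ECU they live inside the SHE/HSM and never leave it
BOOT_MAC_KEY = bytes.fromhex("0f" * 32)
UPDATE_KEY = bytes.fromhex("a5" * 32)


def image_mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for the AES-CMAC a SHE-class module would compute
    return hmac.new(key, data, hashlib.sha256).digest()


def build_update_package(version: int, image: bytes) -> Dict[str, Any]:
    """Backend side: bind the version number into the MAC so an old image
    cannot simply be re-labelled with a newer version."""
    body = version.to_bytes(4, "big") + image
    return {"version": version, "image": image, "mac": image_mac(UPDATE_KEY, body)}


class Ecu:
    def __init__(self, firmware: bytes) -> None:
        self.firmware = firmware
        self.version = 1
        # reference MAC written at provisioning; secure boot compares against it
        self.boot_ref = image_mac(BOOT_MAC_KEY, firmware)

    def secure_boot(self) -> bool:
        """Platform integrity check: start the application only if the MAC over
        the flashed image still matches the stored reference."""
        return hmac.compare_digest(image_mac(BOOT_MAC_KEY, self.firmware), self.boot_ref)

    def secure_update(self, pkg: Dict[str, Any]) -> bool:
        """Accept a package only if it is authentic (MAC under the update key)
        and strictly newer than the installed version."""
        version, image, mac = pkg["version"], pkg["image"], pkg["mac"]
        body = version.to_bytes(4, "big") + image
        if not hmac.compare_digest(image_mac(UPDATE_KEY, body), mac):
            return False                          # forged or corrupted package
        if version <= self.version:
            return False                          # downgrade, or replay of an old genuine package
        self.firmware, self.version = image, version
        self.boot_ref = image_mac(BOOT_MAC_KEY, image)   # re-anchor secure boot to the new image
        return True


def demo() -> Dict[str, Any]:
    """Constructed run: clean boot, tampered flash, valid update, forged and downgrade packages."""
    ecu = Ecu(b"brake-fw-v1")
    out: Dict[str, Any] = {"boot_clean": ecu.secure_boot()}
    ecu.firmware = b"brake-fw-v1-patched"                 # constructed flash manipulation
    out["boot_tampered"] = ecu.secure_boot()
    out["update_ok"] = ecu.secure_update(build_update_package(2, b"brake-fw-v2"))
    out["boot_after_update"] = ecu.secure_boot()
    forged = build_update_package(3, b"brake-fw-v3")
    forged["mac"] = image_mac(b"k" * 32, forged["image"])  # built without UPDATE_KEY
    out["update_forged"] = ecu.secure_update(forged)
    out["update_downgrade"] = ecu.secure_update(build_update_package(1, b"brake-fw-v1"))
    out["version"] = ecu.version
    return out


if __name__ == "__main__":
    print(demo())
```

The version check is what turns "authenticity" into a usable update policy: without it, a genuine but old package with a known weakness could be re-flashed by anyone who kept a copy.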
Status Futurus: Security of an (Automotive) Ethernet
– Protection against message manipulations? Embedded cryptography, e.g., using digital signatures or message authentication codes (MAC)
– Protection against message injections/spoofing? Embedded cryptography, e.g., using mutually authenticated session tokens via a challenge-response protocol (CR-P)
– Protection against message eavesdropping? Embedded cryptography, e.g., using symmetric data encryption/decryption with AES
– Protection against message replay attacks? Embedded cryptography, e.g., using mutually authenticated freshness counter values
– Protection against message relay attacks? Limited, e.g., logic with the help of cryptography such as distance-bounding or time-bounding protocols
– Protection against denial of service attacks? Very limited, e.g., IDS
– Protection against unauthorized access? Limited, e.g., firewall & IDS
– Protection against endpoint attacks? Various, but seldom complete
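The first, second and fourth items above (MAC-based message authentication, mutually authenticated session establishment via challenge-response, and freshness counters against replay) worked through as one protocol between a gateway and an ECU. This is an added example, not code from the slides or from ESCRYPT; the pre-shared key, node names, message layout, 16-byte tag length and 32-bit counter width are choices of the example, and AES encryption of the payload (the third item) is omitted because the Python standard library has no AES; the counter-plus-tag structure would apply unchanged to an encrypted payload.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

TAG_LEN = 16   # truncated HMAC-SHA256 tag; an example choice, not a value from the slides


class Endpoint:
    """One in-vehicle IP endpoint (ECU or gateway) holding a long-term pre-shared key."""

    def __init__(self, name: str, psk: bytes) -> None:
        self.name = name.encode()
        self.psk = psk                 # provisioned via the OEM backend (key distribution, slide 9)
        self.session_key: Optional[bytes] = None
        self.tx_counter = 0            # freshness counter stamped on outgoing messages
        self.rx_counter = -1           # highest counter value accepted from the peer so far

    @staticmethod
    def _prf(key: bytes, *parts: bytes) -> bytes:
        # HMAC-SHA256 over length-prefixed fields so field boundaries cannot be shifted
        h = hmac.new(key, digestmod=hashlib.sha256)
        for p in parts:
            h.update(struct.pack(">H", len(p)) + p)
        return h.digest()

    # --- challenge-response session establishment (the slide's CR-P) ---
    def nonce(self) -> bytes:
        return os.urandom(16)

    def proof(self, peer: bytes, my_nonce: bytes, peer_nonce: bytes) -> bytes:
        return self._prf(self.psk, b"auth", self.name, peer, my_nonce, peer_nonce)

    def check_proof(self, peer: bytes, peer_nonce: bytes, my_nonce: bytes, proof: bytes) -> bool:
        expected = self._prf(self.psk, b"auth", peer, self.name, peer_nonce, my_nonce)
        return hmac.compare_digest(expected, proof)

    def derive_session(self, nonce_initiator: bytes, nonce_responder: bytes) -> None:
        self.session_key = self._prf(self.psk, b"sess", nonce_initiator, nonce_responder)
        self.tx_counter, self.rx_counter = 0, -1     # counters restart with every new session key

    # --- authenticated, freshness-protected data messages ---
    def send(self, payload: bytes) -> bytes:
        assert self.session_key is not None, "run the handshake first"
        self.tx_counter += 1                          # re-key long before this 32-bit counter wraps
        header = struct.pack(">I", self.tx_counter)
        tag = self._prf(self.session_key, b"data", self.name, header, payload)[:TAG_LEN]
        return header + payload + tag

    def receive(self, frame: bytes, sender: bytes) -> Optional[bytes]:
        """Return the payload, or None if the tag fails (manipulated/spoofed)
        or the counter is not newer than the last accepted one (replayed)."""
        if self.session_key is None or len(frame) < 4 + TAG_LEN:
            return None
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = self._prf(self.session_key, b"data", sender, header, payload)[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None
        counter = struct.unpack(">I", header)[0]
        if counter <= self.rx_counter:
            return None
        self.rx_counter = counter
        return payload


def run_handshake(initiator: Endpoint, responder: Endpoint) -> bool:
    """Two-nonce mutual authentication: each side proves knowledge of the PSK over
    both identities and both nonces; both end with the same session key or fail."""
    n_i = initiator.nonce()                                   # I -> R: n_i
    n_r = responder.nonce()                                   # R -> I: n_r, proof_r
    proof_r = responder.proof(initiator.name, n_r, n_i)
    if not initiator.check_proof(responder.name, n_r, n_i, proof_r):
        return False
    proof_i = initiator.proof(responder.name, n_i, n_r)       # I -> R: proof_i
    if not responder.check_proof(initiator.name, n_i, n_r, proof_i):
        return False
    initiator.derive_session(n_i, n_r)
    responder.derive_session(n_i, n_r)
    return True


def demo() -> Dict[str, object]:
    """Constructed run between a gateway and a brake ECU sharing one key."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed demo key
    gw, ecu = Endpoint("GW", key), Endpoint("BRAKE", key)
    out: Dict[str, object] = {"handshake": run_handshake(gw, ecu)}
    frame = gw.send(b"diag:read_dtc")
    out["accepted"] = ecu.receive(frame, gw.name)                 # fresh, valid frame
    out["replay"] = ecu.receive(frame, gw.name)                   # same frame again: stale counter
    forged = frame[:4] + b"diag:clr_dtc!" + frame[-TAG_LEN:]      # same length, altered payload
    out["manipulated"] = ecu.receive(forged, gw.name)
    out["wrong_key"] = run_handshake(Endpoint("GW", b"x" * 32), Endpoint("BRAKE", key))
    return out


if __name__ == "__main__":
    print(demo())
```

Binding the sender name into the tag is what blocks reflection (a message echoed back to its sender), and deriving per-session keys from the handshake nonces is what lets the counters restart safely; a fixed key with a counter that resets on every power cycle would reopen the replay window.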
Realization: Improvements & Chances vs. Risks & Costs
Improvements & Chances:
– Unified security approach (replacement of existing proprietary solutions)
– Improve security against hackers & malware incl. modern protections
– Necessary security base for next-gen automotive technologies like V2X or autonomous driving
– Ensure / increase safety
– Fulfill legal requirements
– Improve privacy protection
– Smoothly integrate other security technologies such as HSM
– Leverage increased bandwidth and security to secure services like flashing and diagnostics
Risks & Costs:
– More proprietary island solutions
– Some performance decrease
– Data & protocol overhead
– Additional cost & complexity
– Backend infrastructure & some online connectivity needed
Use this opportunity to increase security as a whole!
Next steps!
1. In a perfect world, create a global consortium (security should be OEM-wide compatible, no competition on security) of OEMs, suppliers and security experts
2. Analyze mandatory security requirements for application of automotive IP-based Ethernet communication networks
3. Design an automotive-capable Ethernet security solution
   a) Look for synergies w/ existing / already planned security measures
   b) Find solutions for existing protection gaps, while learning & reusing as much as possible from other (embedded) domains (e.g., Linux network security, avionics with AFDX)
   c) Be prepared for parallel operation with existing bus systems
4. Review, simulate & ask for (external) evaluation regarding technical & financial impacts and security & privacy!
5. Standardize, merge w/ other security measures, promote!
Conclusion & Outlook
– Vehicular (communication) security threats are real already.
– New on-board communication architectures & protocols are a big chance to integrate in-vehicle communication security and to increase vehicle security in general.
– Many (automotive-capable) security protection measures are available already.
– Don't repeat the bad security experiences of the PC world becoming Internet-enabled in the 90s w/ little protection.
– Try to have a world-wide (Ethernet) security standard!
Further readings…
– Checkoway, Stephen, et al. "Comprehensive Experimental Analyses of Automotive Attack Surfaces." USENIX Security Symposium, 2011.
– Bless et al. "A Security Model for Future Vehicular Electronic Infrastructures." Embedded Security in Cars Conference, 2012.
– Glas, Michael, et al. "SEIS — Security in Embedded IP-based Systems." ATZelektronik 5(1), pp. 36-40, 2010.
– Bellovin, Steven M. "Problem Areas for the IP Security Protocols." Proceedings of the Sixth USENIX UNIX Security Symposium, 1996.
– Heer, Tobias, et al. "Security Challenges in the IP-based Internet of Things." Wireless Personal Communications 61(3), pp. 527-542, 2011.
Thank you for your attention!
Dr.-Ing. Marko Wolf Senior Security Engineer
[email protected]