Data Security for IP-based Ethernet Communication in Automotive Networks

Data Security for IP-based Ethernet Communication in Automotive Networks Marko Wolf, Lars Wolleschensky ESCRYPT – Embedded Security 3rd Automotive Ethernet Technology Day, Leinfelden-Echterdingen, 26.09.2013

Marko Wolf and Lars Wolleschensky | Data Security for IP-based Ethernet Communication in Automotive Networks

26.09.2013

1

[email protected]

Hacking Cars is Already Real! What comes next with Ethernet and IP?

Video teaser (not available for PDF)


You probably already know…

 Vehicle computerization & communication increase exponentially!
– Inside the vehicle, for instance:
• Infotainment, rear seat TV
• Software download
• Park & maneuver cameras
– Outside the vehicle, for instance:
• Integration of consumer devices
• (Remote) diagnostics
• Internet access
• Car-2-X

[Figure: number of interconnections and available bandwidth growing over time: Before yesterday, Yesterday, Today, Tomorrow]


Comparison: Today’s Multi-Bus vs. Future Ethernet-Based Networks

Criteria | Today’s multi-bus central gateway-controlled networks | Future Ethernet-based switched IP networks
Simplicity | - complex, heterogeneous, multi-protocol gateways | ++ very homogeneous with (mostly) layer 2 switches
Flexibility | - difficult to extend/adapt new subnet (within subnets easy) | ++ easy to extend/adapt new or within subnets
Performance | + depends on bus type | ++ up to several GBit/s
Real-time cap. | ++ well-proven over decades | - capable, but not invented for it
Costs | - small-batch automotive-specific production | + global mass production, also for non-automotive
Standardization | + standards w/ large diversity | -- standard with little diversity
Direct connections | only indirectly possible | possible
Safety | CRC + bus-specific measures | CRC, block codes
Security | none | add-ons (IPv4), IPsec (IPv6)


Vehicle security?

[Figure: vehicle components (e-Call Module, Head unit, Car2X, Central Gateway, OBD Diagnosis, Engine Control, Drive Recorder, Brake Actuator, ESP) annotated with example attacks:]
• Malware/hackers via Bluetooth vulnerability
• Malware via manipulated audio CD
• GSM modem attack to access car internals
• Malware/hackers via cellphone vulnerability
• Hacking remote key fobs
• Cloning remote key fobs
• Disable safety locks
• Chip tuning, steal IP, manipulate mileage
• Execute unauthorized commands
• Attacks on remote diagnosis & telematics
• Delete, manipulate, disable logging, privacy infringement
• Steal intellectual property
• Install counterfeit parts
• Manipulate brakes via fake/malicious CAN messages


Already any real-world impacts?

 Some successful attack incidents:
– University of California San Diego & University of Washington: onboard (2010) & remote (2011) hacking of an unnamed but real-world car (http://www.autosec.org)
– Some successful real-world remote key attacks: DST40 (2005), KEELOQ (2008), or MEGAMOS (2013)
– DefCon 21 (2013): Miller et al. published a car hacking manual incl. all tools for Toyota Prius & Ford Focus (http://blog.ioactive.com/)

 Larger real-world impacts are still rare, but not deniable, e.g.:
– Economic: odometer manipulation, chip tuning, car theft…
– Legal: digital tachograph, chip tuning, counterfeits…
– Privacy: On-Star eavesdropping, tracking via TPMS or GSM, eCall…
– Safety: Not yet, but you never know… cf. M. Hastings car crash


Automotive Security Real-World Impact: Car Thefts in Germany Source: Gesamtverband der Deutschen Versicherungswirtschaft (GDV)


Status Quo: Out of the Box Security of (Automotive) Ethernet

Protection against message manipulations?  Limited (IPv6).
Protection against message injections/spoofing?  No.
Protection against message eavesdropping?  No.
Protection against message repudiation?  No.
Protection against message replay attacks?  No.
Protection against message relay attacks?  No.
Protection against denial of service attacks?  No.
Protection against unauthorized access?  Limited (depends).
Protection against endpoint attacks?  Limited (depends).


How to Secure the IP-based Ethernet Channel? Some recommendations.

Protection Measure | Realizes | Applicable for Automotive Domain?
Perimeter defense (router, firewall, etc.) | 1st level access control | Yes, at gateway or at powerful ECU; basic ACL at all ECUs possible
Internal defense (host- and network-based IDS, etc.) | 2nd level access control | Yes, at gateway or at powerful ECU; basic IDS reporting at all ECUs possible
IP-based security protocols that realize various security goals on different layers, e.g. IPsec, MAC filtering | message authentication, message confidentiality, endpoint authentication, … | Possible, use-case dependent; might need automotive adaptations and backend infrastructures (e.g., for key distribution)

Legend (slide color coding): solution already exists / solution still limited

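The first two rows of the table above, a first-level ACL at the central gateway and second-level IDS reporting, can be illustrated with a small simulation. The following is an added example, not code from the slides or from ESCRYPT: the subnets, addresses, port numbers and allow rules are all assumptions, and the traffic is constructed. Default policy is deny; every denied frame is counted per source so that a host that keeps hitting the ACL can be reported to a (hypothetical) IDS.

```python
"""Added example (not from the slides): gateway ACL (1st level access
control) plus IDS reporting (2nd level) over constructed frames.
All ECU names, addresses, ports and rules are assumptions."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Frame:
    src: str      # IPv4 source address of the sending ECU
    dst: str      # IPv4 destination address
    proto: str    # "udp" or "tcp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: str
    dport: int

    def matches(self, f: Frame) -> bool:
        return (ipaddress.ip_address(f.src) in self.src_net
                and ipaddress.ip_address(f.dst) in self.dst_net
                and f.proto == self.proto
                and f.dport == self.dport)


# Assumed subnets: infotainment 10.0.1.0/24, powertrain 10.0.2.0/24,
# diagnostics 10.0.3.0/24. Only the listed flows are allowed.
ALLOW = [
    # diagnostics tester -> powertrain ECUs, UDP 13400 (assumed DoIP-style port)
    Rule(ipaddress.ip_network("10.0.3.0/24"),
         ipaddress.ip_network("10.0.2.0/24"), "udp", 13400),
    # media streams inside the infotainment subnet
    Rule(ipaddress.ip_network("10.0.1.0/24"),
         ipaddress.ip_network("10.0.1.0/24"), "udp", 5004),
]


@dataclass
class Gateway:
    rules: list
    violations_by_src: dict = field(default_factory=dict)

    def forward(self, f: Frame) -> bool:
        """1st level: forward only frames matching an allow rule (default deny)."""
        if any(r.matches(f) for r in self.rules):
            return True
        self.violations_by_src[f.src] = self.violations_by_src.get(f.src, 0) + 1
        return False

    def ids_report(self, threshold: int = 3) -> list:
        """2nd level: sources whose denied traffic reached the threshold."""
        return sorted(s for s, n in self.violations_by_src.items() if n >= threshold)


def run_demo():
    """Constructed traffic: returns (forwarded, dropped, reported sources)."""
    gw = Gateway(ALLOW)
    traffic = [
        Frame("10.0.3.10", "10.0.2.5", "udp", 13400),  # legitimate diagnostics
        Frame("10.0.1.20", "10.0.1.21", "udp", 5004),  # legitimate media stream
        Frame("10.0.1.20", "10.0.2.5", "udp", 13400),  # head unit -> powertrain: denied
        Frame("10.0.1.20", "10.0.2.7", "tcp", 22),     # denied
        Frame("10.0.1.20", "10.0.2.8", "udp", 13400),  # denied, 3rd strike -> reported
        Frame("10.0.3.10", "10.0.2.5", "tcp", 13400),  # wrong protocol: denied, not reported
    ]
    results = [gw.forward(f) for f in traffic]
    return results.count(True), results.count(False), gw.ids_report()


if __name__ == "__main__":
    print(run_demo())
```

The point of the per-source counter is the slide's distinction between the two levels: the ACL silently enforces, while the report is what a central IDS would consume; a single wrong-protocol frame from the tester is dropped but not escalated.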

How to Secure the IP-based Ethernet Endpoints? Some recommendations.

Protection Measure | Realizes | Applicable for Automotive Domain?
Hardware security module (HSM) | Encapsulates security services into hardware + limited physical security | Yes: SHE, SHE+, HSM, EVITA full / V2X HSM
Secure data update | Enforce authenticity & confidentiality of original software | Yes, e.g., secure firmware update
Secure boot | Enforce platform authenticity & integrity | Yes, protecting critical ECUs (mostly SW only)
Mandatory access control | Enforce usage authorizations | Yes, e.g., secure debug, but sometimes limited
Virtualization (with hardware support) | Runtime isolation to contain/prevent impacts of software executed in parallel | Yes, even real-time capable virtualization
Security auditing and risk assessment | Identifies and mitigates security risks |
Security engineering | Complete security development process incl. lifetime support | Yes, already being done, but often not mandatory, proprietary, and not complete

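The "secure data update" and "secure boot" rows above both come down to the same check: never install or execute an image whose authenticity cannot be verified, and never accept an older version than the one already installed. The following is an added example, not code from the slides or from ESCRYPT: the image layout (magic, version, length, code, tag) and the key are assumptions, and an HMAC-SHA256 tag stands in for the CMAC or signature a real ECU or HSM would use.

```python
"""Added example (not from the slides): verify-before-install (secure
update) and verify-before-execute (secure boot) with anti-rollback.
Image layout, magic value and key are assumptions; HMAC-SHA256 stands
in for the CMAC/signature an HSM would check."""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"        # assumed image magic
HDR_LEN = 12           # magic(4) + version(4) + code length(4)
TAG_LEN = 32           # HMAC-SHA256 tag


def build_image(key: bytes, version: int, code: bytes) -> bytes:
    """Image = header || code || tag, tag computed over header and code."""
    header = MAGIC + struct.pack(">II", version, len(code))
    tag = hmac.new(key, header + code, hashlib.sha256).digest()
    return header + code + tag


def parse_image(key: bytes, image: bytes):
    """Return the image version if structure and tag check out, else None."""
    if len(image) < HDR_LEN + TAG_LEN or image[:4] != MAGIC:
        return None
    version, length = struct.unpack(">II", image[4:HDR_LEN])
    if len(image) != HDR_LEN + length + TAG_LEN:
        return None                       # truncated or padded image
    body, tag = image[:HDR_LEN + length], image[HDR_LEN + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                       # manipulated or not from the key holder
    return version


class Ecu:
    """Hypothetical ECU: flash content plus the installed version counter."""

    def __init__(self, key: bytes, image: bytes):
        self.key = key
        self.image = image
        self.installed_version = parse_image(key, image) or 0

    def update(self, new_image: bytes) -> bool:
        """Secure update: authentic and strictly newer, otherwise rejected."""
        version = parse_image(self.key, new_image)
        if version is None or version <= self.installed_version:
            return False
        self.image, self.installed_version = new_image, version
        return True

    def boot(self) -> bool:
        """Secure boot: re-verify flash before execution; the version must
        match the one recorded at update time (detects flash tampering)."""
        version = parse_image(self.key, self.image)
        return version is not None and version == self.installed_version


def run_demo() -> dict:
    """Constructed scenario: returns which checks behaved as intended."""
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed key
    ecu = Ecu(key, build_image(key, 1, b"boot v1"))
    results = {
        "boot_clean": ecu.boot(),
        "update_newer": ecu.update(build_image(key, 2, b"boot v2")),
        "update_rollback": not ecu.update(build_image(key, 1, b"boot v1")),
        "update_wrong_key": not ecu.update(build_image(b"\x00" * 16, 3, b"other")),
    }
    # Constructed flash tampering: flip one bit inside the code region.
    ecu.image = ecu.image[:15] + bytes([ecu.image[15] ^ 0x01]) + ecu.image[16:]
    results["boot_tampered"] = not ecu.boot()
    results["version_after"] = ecu.installed_version == 2
    return results


if __name__ == "__main__":
    print(run_demo())
```

The version counter is what makes the update "secure" rather than merely authenticated: an attacker replaying an old, genuinely signed image is stopped by the rollback check, not by the tag.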

Status Futurus: Security of an (Automotive) Ethernet

Protection against message manipulations?  Embedded cryptography, e.g., using digital signatures or message authentication codes (MAC)
Protection against message injections/spoofing?  Embedded cryptography, e.g., using mutually authenticated session tokens via CR-P
Protection against message eavesdropping?  Embedded cryptography, e.g., using symmetric data encryption/decryption with AES
Protection against message replay attacks?  Embedded cryptography, e.g., using mutually authenticated freshness counter values
Protection against message relay attacks?  Limited, e.g., logic with the help of cryptography such as distance-bounding or time-bounding protocols
Protection against denial of service attacks?  Very limited, e.g., IDS
Protection against unauthorized access?  Limited, e.g., firewall & IDS
Protection against endpoint attacks?  Various, but seldom complete

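Three of the measures listed above (a MAC against manipulation, a freshness counter against replay, and a challenge-response handshake against spoofing) fit into one small protocol. The following is an added example, not code from the slides or from ESCRYPT: the frame layout (4-byte counter, payload, truncated 16-byte HMAC-SHA256 tag), the shared key and the "CR-P" handshake are assumptions; AES encryption of the payload against eavesdropping is not shown because the Python standard library has no AES.

```python
"""Added example (not from the slides): message authentication with an
HMAC-SHA256 tag, replay protection with a freshness counter, and a
challenge-response handshake. Frame layout, key and handshake are
assumptions; payload encryption (AES) is not shown."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # truncated tag length, assumed


def protect(key: bytes, counter: int, payload: bytes) -> bytes:
    """Frame = 4-byte big-endian counter || payload || tag over both."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Verifies tag first, then freshness; keeps the highest accepted counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 4 + TAG_LEN:
            return None
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                    # manipulated, or spoofed with the wrong key
        (counter,) = struct.unpack(">I", header)
        if counter <= self.last_counter:
            return None                    # replayed or stale frame
        self.last_counter = counter
        return payload


# Challenge-response: verifier sends a random nonce, prover answers with
# HMAC(key, nonce); only a holder of the key can answer correctly.
def make_challenge() -> bytes:
    return os.urandom(16)


def respond(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, b"CR-P" + challenge, hashlib.sha256).digest()


def check_response(key: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond(key, challenge), response)


def run_demo() -> dict:
    """Constructed scenario: each entry is True when the check behaved as intended."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    rx = Receiver(key)
    good = protect(key, 1, b"speed=42")
    tampered = protect(key, 2, b"speed=43")
    tampered = tampered[:-1] + bytes([tampered[-1] ^ 0xFF])   # flip a tag bit
    outcomes = {
        "authentic": rx.accept(good) == b"speed=42",
        "replay": rx.accept(good) is None,
        "tampered": rx.accept(tampered) is None,
        "spoofed": rx.accept(protect(b"\x01" * 16, 3, b"speed=43")) is None,
        "next_fresh": rx.accept(protect(key, 2, b"speed=42")) == b"speed=42",
    }
    challenge = make_challenge()
    outcomes["crp_ok"] = check_response(key, challenge, respond(key, challenge))
    outcomes["crp_wrong_key"] = not check_response(
        key, challenge, respond(b"\x02" * 16, challenge))
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

Order matters in `accept`: the tag is checked before the counter is touched, so a rejected frame never advances `last_counter`, which is why the genuine counter-2 frame is still accepted after the tampered and spoofed ones. A real deployment also has to handle counter synchronization after ECU resets, which the slide's "mutually authenticated" wording points at and this example leaves out.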

Realization: Improvements & Chances vs. Risks & Costs

Improvements & Chances:
 Unified security approach (replacement of existing proprietary solutions)
 Improve security against hackers & malware incl. modern protections
 Necessary security base for next-gen automotive technologies like V2X or autonomous driving
 Ensure / increase safety
 Fulfill legal requirements
 Improve privacy protection
 Smoothly integrate other security technologies such as HSM
 Leverage increased bandwidth and security to secure services like flashing and diagnostics

Risks & Costs:
 More proprietary island solutions
 Some performance decrease
 Data & protocol overhead
 Additional cost & complexity
 Backend infrastructure & some online connectivity needed

 Use this opportunity to increase security as a whole!


Next steps!

1. In a perfect world, create a global consortium of OEMs, suppliers and security experts (security should be OEM-wide compatible, no competition on security)
2. Analyze mandatory security requirements for application of automotive IP-based Ethernet communication networks
3. Design an automotive-capable Ethernet security solution
a) Look for synergies w/ existing / already planned security measures
b) Find solutions for existing protection gaps, while learning & reusing as much as possible from other (embedded) domains (e.g., Linux network security, avionics with AFDX)
c) Be prepared for parallel operation with existing bus systems
4. Review, simulate & ask for (external) evaluation regarding technical & financial impacts and security & privacy!
5. Standardize, merge w/ other security measures, promote!


Conclusion & Outlook

 Vehicular (communication) security threats are real already.
 New on-board communication architectures & protocols are a big chance to integrate in-vehicle communication security and to increase vehicle security in general.
 Many (automotive-capable) security protection measures are available already.
 Don’t repeat the bad security experiences of the PC world becoming Internet-enabled in the 90s w/ little protection.
 Try to have a world-wide (Ethernet) security standard!


Further readings…

 Checkoway, Stephen, et al. "Comprehensive Experimental Analyses of Automotive Attack Surfaces." USENIX Security Symposium, 2011.
 Bless et al. "A Security Model for Future Vehicular Electronic Infrastructures." Embedded Security in Cars Conference, 2012.
 Glas, Michael, et al. "SEIS — Security in Embedded IP-based Systems." ATZelektronik 5(1), pp. 36-40, 2010.
 Bellovin, Steven M. "Problem Areas for the IP Security Protocols." Proceedings of the Sixth USENIX UNIX Security Symposium, 1996.
 Heer, Tobias, et al. "Security Challenges in the IP-based Internet of Things." Wireless Personal Communications 61(3), pp. 527-542, 2011.


Thank you for your attention!

Dr.-Ing. Marko Wolf Senior Security Engineer [email protected]
