WHITE PAPER. Securing the Connected Car

Author: Darlene Day

www.ixiacom.com

915-3513-01 Rev. A, June 2014

Table of Contents

Securing the Connected Car
More Connected, Less Secure
Testing for Known Vulnerabilities
Security Threats in Automotive
Testing for Unknown Vulnerabilities
Fuzz Testing
Testing for Stability and Resiliency
Ixia’s Automotive Security Test Solutions


Securing the Connected Car

There are papers and presentations regarding automotive testing, but relatively few about how to ensure security in the connected car. This paper provides an introduction to security test methodologies that should be used to test the security of the connected car.

More Connected, Less Secure

Connected car technologies are now an expected and convenient feature in modern vehicles. As the complexity and integration of vehicle systems increase, so does the range of risks and security threats.

Research has shown that hackers and “hacktivists” can mount serious attacks on automobiles. The increasing exposure of automotive systems to the Internet and external networks, with the proliferation of vehicle-to-network (V2N) and vehicle-to-vehicle (V2V) connectivity, renders the internal vehicle network vulnerable. Automotive Ethernet and TCP/IP are familiar to hackers, and this may increase the potential for attacks.

It only takes a quick look at the publicly available data found in the National Vulnerability Database (NVD) or the Common Vulnerabilities and Exposures (CVE) database to understand the severity of the current security threat landscape. Hackers are seeking out and exploiting network, device, and application vulnerabilities in record numbers, and automotive is in their line of sight. Whether for political standing, monetary gain, or notoriety, these attacks can cause many problems for companies, including brand damage and revenue loss, and even injury or death for drivers.

With such high stakes in automotive security, test strategies must become critical for automotive OEMs and suppliers. Automotive security is more important than typical IT security since compromising safety can be life threatening. Achieving a strong security posture for a moving vehicle may be harder than on a PC, since mobility can increase the attack vectors. A modern car may be connected to multiple networks (cellular, V2V/V2I/V2X, Bluetooth, Wi-Fi, as well as wired Automotive Ethernet), each of which may be used as a target or entry point for an attack. Automotive software cannot easily be upgraded, so once a weakness is out in the open, it is more difficult to prevent an exploit of the weakness. Additionally, the attacker may have physical access to the vehicle, bypassing the protections built into the wireless networks.

It is generally agreed that security requires a layered approach such that the system is protected even if one layer is compromised. To ensure optimal coverage of this comprehensive approach, each of these layers of security needs to be tested. The system needs to be designed to ensure that in the event of a security breach, the sub-systems (especially safety-related ones) retain their strong security posture and resiliency to an attack (for example, a denial of service, or DoS, attack should not affect the braking function of the car).

Testing for Known Vulnerabilities

The CVE database maintained by MITRE (a not-for-profit company sponsored by the US government) lists common names for publicly known vulnerabilities. It is a database used by all security companies. Some of these vulnerabilities are specific to a platform, operating system (OS), application, or system, but some are generic and can apply to any system. There are currently over 50,000 vulnerabilities identified in the CVE system. The use of CVE has been standardized by the International Telecommunication Union (ITU), National Institute of Standards and Technology (NIST), and other standards bodies.

Some vendors provide tools that test a device or system for known vulnerabilities. These tools vary in their approaches and coverage. For each vulnerability, the tool may implement tests that attempt to use the vulnerability in a way similar to how a hacker would: to break into a system, stop a system from functioning, or make the system function in an undesired way. Automakers may need to modify some of these tools to work in the automotive environment (for example, automotive networks may have some static pre-configured parameters where IT networks would have these parameters negotiated or discovered).

Additionally, automakers must individually test every system component, network infrastructure device, gateway, OS, and other integrated components. It is not enough to test the system as a whole, as this violates the principles of layered security. As cars are becoming increasingly connected, it is essential to take a holistic view of security from inside the car, through the mobile network, to the IT back-end infrastructure.

Security Threats in Automotive

But known security threats are just the low-hanging fruit for hackers. With a bit more effort and thought, they seek out new and yet-unknown vulnerabilities. Car hacking has been proven by several research-based hacks. Researchers have successfully hacked such things as tire-pressure-monitoring systems (TPMS), which consist of sensors inside a car’s tires that monitor pressure and a wireless antenna. Such a hack could, for example, give false tire pressure readings to the dashboard. Another example is shown in data from security experts who received grants from DARPA to find the vulnerabilities of cars. After a year of research, they were able to hack a Ford Escape and Toyota Prius by taking control of the horn, cutting the power steering, and spoofing the GPS, along with any displays on the dashboard.


[Figure: vehicle components labeled by security status. Front Brake: Secure; Side Camera: Secure; Rear Brake: Secure; Infotainment: Vulnerable; Rear Camera: Vulnerable.]

While these hacks are very dramatic and scary, they may be difficult to execute, though still possible. In the case of the TPMS hack, the wireless tire sensors communicate infrequently, about once every 60 to 90 seconds. This makes manipulating the system difficult, especially if a vehicle is moving. In the case of the DARPA experiment, the researchers required physical access to the car to take control. These hacks show that with enough time, resources, and expertise, hackers can find life-threatening security vulnerabilities in connected cars. It is critical that the auto manufacturers and suppliers are not dismissive of these projects, even if there does not seem to be an immediate threat.

In the end, it does not matter that the average person cannot think of a legitimate motive for cyber attacking a car. The connected car is hackable. Solid architecture, design, and review form a good first defense against unknown vulnerabilities, but even the best review will not find all vulnerabilities. It is estimated that for every 1000 lines of well-written code, there is approximately 1 vulnerability. Even if unsuccessful, when an attack is attempted, component impact may include:

• Increase in the amount of network traffic or function calls
• Increase in component response time
• Deterioration in ability to communicate with external devices
• Higher memory consumption

It is important to evaluate all layers and components in the system to assess their stability and resiliency under such conditions.


Testing for Unknown Vulnerabilities

Fuzz Testing

Fuzzing, or fuzz testing, is the best automated (or semi-automated) technique for testing for unknown vulnerabilities. It involves providing invalid, unexpected, or random data to the inputs of a device, program, or system. Testing is typically done on interfaces that cross a “trust boundary”. Fuzz testing often finds defects that testers would not otherwise be able to find. With white-box testing, fuzzing can be focused based on the way the code is written. The recommendation is to do fuzz testing in a white-box fashion at the function or component level and to run it as a black-box test at the device or system level.
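The following is an added example, not part of the original white paper, of function-level (white-box) fuzzing of a parser that sits on a trust boundary. The sensor frame layout, the two parser functions and the sample frame are constructed for illustration and do not describe a real automotive protocol or any Ixia product.

```python
import random
from functools import reduce
# Constructed frame layout (an assumption, not a real automotive protocol):
# [sensor_id:1][length:1][payload:length][checksum:1], checksum = XOR of prior bytes.
def build_frame(sensor_id: int, payload: bytes) -> bytes:
    body = bytes([sensor_id, len(payload)]) + payload
    return body + bytes([reduce(lambda a, b: a ^ b, body, 0)])

def parse_unchecked(frame: bytes) -> dict:
    """Trusts the length byte, so it indexes past the end of short frames."""
    sensor_id, length = frame[0], frame[1]
    payload, checksum = frame[2:2 + length], frame[2 + length]
    if reduce(lambda a, b: a ^ b, frame[:2 + length], 0) != checksum:
        raise ValueError("bad checksum")
    return {"sensor": sensor_id, "kpa": int.from_bytes(payload[:2], "big")}

def parse_checked(frame: bytes) -> dict:
    """Validates the declared length against the bytes received before indexing."""
    if len(frame) < 3 or len(frame) != frame[1] + 3:
        raise ValueError("length mismatch")
    return parse_unchecked(frame)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:                      # invalid: overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:                    # unexpected: truncate the frame
        del data[rng.randrange(len(data)):]
    else:                                # random: append trailing junk
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Return (input, exception) pairs for failures other than a clean rejection."""
    rng, findings = random.Random(rng_seed), []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            pass                         # clean rejection is the desired outcome
        except Exception as exc:         # anything else is a defect to triage
            findings.append((case, exc))
    return findings

if __name__ == "__main__":
    seed = build_frame(0x21, (230).to_bytes(2, "big"))  # constructed valid frame
    print(len(fuzz(parse_unchecked, seed)), len(fuzz(parse_checked, seed)))
```

The fixed RNG seed makes every finding reproducible, so a failing input can be replayed against the parser after a fix.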

Testing for Stability and Resiliency

Complex software systems such as those found in cars today are prone to attacks. Automakers and their original equipment manufacturers (OEMs) need to fully assess automotive security to ensure a stable and resilient system. To test for stability and resiliency, several methodologies are used:

• Stress testing is used to drive components beyond normal operational capacity to observe how the system functions
• Resiliency testing is used to validate operation under degraded or failure conditions (e.g., a sensor failure)
• Impairment testing is used to validate performance when communication is impaired (typically testing with delayed, dropped, or erroneous packets)
• Functional and performance tests are used to validate security components under valid-traffic and attack conditions (as attack conditions should be part of the “normal” testing for security components)

Ixia’s Automotive Security Test Solutions

In today's world of crippling cyber-attacks and dynamic applications, car manufacturers and networking suppliers need to know that their networks are secure enough to handle the worst that cyber criminals can throw at them. Ixia is a leader in providing test solutions to help automakers, enterprises, service providers, and equipment manufacturers:

• Optimize firewall and other intrusion prevention systems (IPS) and security devices
• Mitigate distributed denial of service (DDoS) and other attacks
• Build networks and cloud infrastructures that are resilient to attacks
• Perform "bake-off" evaluations on how next-generation firewalls and other security devices perform on a particular network
• Validate and harden large 3G and 4G/LTE networks under the most realistic conditions

Ixia offers a complete test solution to test the performance, conformance, and security of the connected car. If you are short on staff or testing expertise, our professional services staff can get your test systems up quickly. Don’t wait for an attack to expose your security holes, call Ixia today!


Ixia Worldwide Headquarters 26601 Agoura Rd. Calabasas, CA 91302 (Toll Free North America) 1.877.367.4942 (Outside North America) +1.818.871.1800 (Fax) 818.871.1805

Ixia European Headquarters Ixia Technologies Europe Ltd Clarion House, Norreys Drive Maidenhead SL6 4FL United Kingdom

Sales +44 1628 408750 (Fax) +44 1628 639916

Ixia Asia Pacific Headquarters 21 Serangoon North Avenue 5 #04-01 Singapore 554864

Sales +65.6332.0125 Fax +65.6332.0127
