Michael Westra, CISSP June 2012 2012 BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then you don’t understand the problem and you don’t understand the technology.” - Bruce Schneier

Page 1: Michael Westra, CISSP June 2012

Michael Westra, CISSP
June 2012

2012 BSides Detroit Security Presentation: Vehicle Hacking

“If you think technology can solve your security problems, then you don’t understand the problem and you don’t understand the technology.” - Bruce Schneier

Page 2: Michael Westra, CISSP June 2012

June 2011

Agenda
  • Unique challenges that automotive faces
  • Overview of CAN (Controller Area Network)
  • SYNC, a real world example of security thinking that went into a product on the market
      • Security Posture
      • Sample features within a security framework
  • OEM perspective on where industry is going
      • Auto security industry in review
      • Technology trends

Page 3: Michael Westra, CISSP June 2012

Automotive Challenges
  • Automotive is very long lived
      • Development 2-5 years
      • Lifetime 3-5+ years
      • Often in service for 10+ years
      • Vehicles in design today will be on the road 20 years from now
  • Collection of discrete modules from many vendors
      • Includes variety of hardware from 8-bit microcontrollers to 32-bit ARM processors connected
  • Unique service requirements
      • Right to service laws mandate that non-OEM locations have access to tools and mechanisms to perform service and update modules
      • Disconnected service scenarios

Page 4: Michael Westra, CISSP June 2012

CAN (Controller Area Network)
  • Mental Model
      • Based on broadcast virtual electrical signals, not traditional network model
      • No authentication, assumed trusted, does not check source ID
      • Heavily affects how development proceeds
  • Structure
      • 11-bit ID on broadcast
      • 8 bytes of data per message
      • Multiple “slow” buses (500kbps)
      • Applications layered on this like TP (streaming), Diagnostics, Programming
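
Added example, not part of the presentation and not code from any vendor: because a CAN frame is only an 11-bit ID plus up to 8 data bytes, with no sender field, a receiver cannot tell who transmitted it, and a gateway between bus segments can only decide by arrival port, ID and length. The port names, the IDs and the allowlist policy below are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic CAN data frame as described on the slide: 11-bit broadcast ID and
 * up to 8 data bytes. There is no sender field and no authentication tag. */
struct can_frame11 {
    uint16_t id;       /* identifies the message, not the node that sent it */
    uint8_t  dlc;      /* count of valid data bytes, 0..8 */
    uint8_t  data[8];
};

/* Hypothetical gateway ports (assumption, not from the presentation). */
enum port { PORT_VEHICLE_BUS, PORT_INFOTAINMENT };

struct rule { enum port ingress; uint16_t id; uint8_t max_dlc; };

/* Constructed allowlist; the IDs are made up for illustration. */
static const struct rule ALLOW[] = {
    { PORT_INFOTAINMENT, 0x3A0, 8 },
    { PORT_INFOTAINMENT, 0x3A1, 2 },
    { PORT_VEHICLE_BUS,  0x120, 8 },
};

/* Default-deny: forward only well-formed frames listed for their ingress port. */
bool gateway_should_forward(enum port ingress, const struct can_frame11 *f) {
    if (f->id > 0x7FF || f->dlc > 8) return false;
    for (size_t i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++)
        if (ALLOW[i].ingress == ingress && ALLOW[i].id == f->id &&
            f->dlc <= ALLOW[i].max_dlc)
            return true;
    return false;
}

/* What a receiving node sees: only ID, length and payload. Equal values are
 * indistinguishable regardless of which node transmitted them. */
bool frames_look_identical(const struct can_frame11 *a, const struct can_frame11 *b) {
    return a->id == b->id && a->dlc == b->dlc && memcmp(a->data, b->data, a->dlc) == 0;
}

int main(void) {
    struct can_frame11 ok = { 0x3A0, 2, { 0x01, 0x02 } };
    struct can_frame11 bad = { 0x120, 2, { 0x01, 0x02 } };
    printf("0x3A0 from infotainment: %d\n", gateway_should_forward(PORT_INFOTAINMENT, &ok));
    printf("0x120 from infotainment: %d\n", gateway_should_forward(PORT_INFOTAINMENT, &bad));
    return 0;
}
```

The filter keys on the ingress port because that is the only provenance a gateway has; nothing inside the frame can supply it.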

Page 5: Michael Westra, CISSP June 2012

SYNC Background
  • SYNC first generation:
      • Launched in fall of 2007
      • 4 million units earlier this year
  • MyFord Touch, second generation of SYNC:
      • Launched in fall of 2010
  • No subscription required
  • Both products scheduled to be launched in all global markets within the next 18 months
  • Includes E911, Vehicle Health, and Traffic, Directions, and Information
  • Applink provides mobile phone application integration with the Sync UI

Page 6: Michael Westra, CISSP June 2012

Current SYNC Features/Security Challenges
  • External interfaces
      • Bluetooth
      • Wi-Fi / USB Broadband / Network connectivity
      • Mobile Application Integration
      • Telematics
      • USB
  • Software Updates
      • Wireless Factory Provisioning
      • USB Updates
  • Playback of protected Media Content
  • CAN Interaction
  • Phonebook Integration

  • Large external attack surface.
  • Application Validity
  • Software Integrity Assurance
  • DRM/ Licensing
  • Protect the Vehicle Bus
  • Personally identifiable information (PII) considerations

Page 7: Michael Westra, CISSP June 2012

General Security Lessons
  • Start by defining your product’s security posture.
      • Every device can be hacked with sufficient time, expertise, and motivation
      • Define what is worth protecting and to what level
  • An example from SYNC
      • A successful attack should require physical access to the internals of the module
      • A successful attack of one device should not be transferrable to immediately hack all devices
      • A general perimeter security architecture including hardware should be used to protect the most sensitive components
      • External non-hardwired or user accessible interfaces should be hardened as much as possible with multiple levels of protection

Page 8: Michael Westra, CISSP June 2012

SYNC Security Challenges (continued)
  • Protect the Vehicle interface at all costs
      • …or to the same level as physical interfaces for serviceability currently mandated by law

[Block diagram: SYNC. Labels recovered from the figure:]
  • VMCU: FreeScale Star 12 Series; RTOS Based; CAN Gateway, Power Master, Diagnostics
  • CCPU: FreeScale System on Chip; MS Auto based; Applications Host, Graphic/Voice Interface, Gateway to External Interfaces
  • CAN buses: I-CAN, HS-CAN, MS-CAN
  • Secure Inter Processor Communication
  • Bluetooth/WiFi
  • USB
  • Analog Audio/Video
  • Media Hub: USB Ports, SD Card Slot, RCA Jacks AV
  • Display/Touch: 8" LCD/Touch Screen

Page 9: Michael Westra, CISSP June 2012

Wi-Fi Provisioning
  • First in industry to dynamically download large volumes of data on the moving assembly line
  • Configure SYNC with language and other unique configuration on the moving assembly line
  • This completely automated process results in the conversion of labor-related expenses, allows for flexibility of future application upgrades

Page 10: Michael Westra, CISSP June 2012

Mobile Application Integration
  • Different Application Integration Models
      • MirrorLink
      • Applink
      • Signature/Gateway Application
  • Security Implications
      • Each model has different going-in security assumptions
          • Apps are trusted or untrusted
          • Assumptions about spoofing applications
          • Apps are hosted, directly displayed, interact via an API
  • Not just security, Driver Distraction is an even larger concern (but ties back to first concern)

Page 11: Michael Westra, CISSP June 2012

Auto security in review
  • UW papers
      • What could be controlled via CAN with physical access
      • How might remote access be achieved
  • TPMS hacks
  • Various demonstrations for keyless entry transponders

Page 12: Michael Westra, CISSP June 2012

Where this technology is going…
  • Car industry is where PC industry was 15 years ago
      • But can benefit from their security learning
  • Fully Internet addressable fleets of automobiles
  • Increased integration with mobile applications
  • Continued democratization of technology
      • Global view, All vehicle levels (not just high-end)
  • Vehicle environment is different than mobile
      • Eyes on the road, Hands on the wheel
      • Safety around vehicle interfaces

Page 13: Michael Westra, CISSP June 2012

Where the industry is going…
  • Security of major interfaces is getting a lot more attention (and press)
  • OEMs also have legal serviceability requirements that force a certain level of openness and commonality
  • It makes sense for more collaboration between OEMs, suppliers, academia
      • Anyone’s failure gives everyone a black-eye
  • Active work starting with a new SAE working group and other forums

Page 14: Michael Westra, CISSP June 2012

Thank-you