
Page 1

Securing the Connected Car Ecosystem

Oscar Sanchez, Automotive Security Application Engineer
Marco Castellanos, Automotive Security Business Development
October 2018

Page 2

Agenda

1. Introduction – The Connected Car
2. Threat Analysis and Risk Assessment
3. Securing the Connected Car Ecosystem
4. Conclusion

2018-10-17 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary

Page 3

The Connected Car is no longer just about the car

Page 4

What is a connected car?

Diagram: vehicle connectivity via a 6LowPan home network, gateways, TLS and LTE/5G.

Page 5

Attacks on vehicles are on the rise

Timeline shown on the slide:
– January 2015: lack of encryption in the cellular connection
– July 2015: open Head Unit port allowed access to the EE network
– July 2015: man-in-the-middle attack (insufficient authentication)
– August 2015: physical access (only after physical access to the car network)
– CCC event, December 2016: invasive attack via board/voltage manipulation
– More security breaches to come (based on aggregated know-how)

› Most of the attacks have been based on software vulnerabilities
› Hardware attacks are just a matter of time
› The industry is starting to ask about side-channel attacks and is concerned about operational lifetime (crypto agility, post-quantum crypto, etc.)
› Infineon supports you in the search for new and innovative security solutions

Page 6

TARA – Threat Analysis and Risk Assessment

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” ― Stéphane Nappo

Page 7

The Threat Modeling/Threat and Risk Assessment process

1. Select a vehicle subsystem & gather the team
2. Draw block diagram, identify subsystem limits
3. Perform threat model of the subsystem
4. Evaluate & rank risk of each identified vulnerability
5. For each risk: address, accept, avoid, or transfer
6. Identify countermeasures to address top risks

Page 8

The Threat Modeling/TARA process

(The six-step process diagram from page 7 is repeated here.)

Page 9

Sample subsystem – Level 3 autonomous mode

Block diagram: User Interface (incl. “Start Autonomous Mode” button), Power Generation ECU, Transmission ECU, Steering ECU, Braking ECU, Sensor ECU (Radar, Camera, Lidar, etc.) and GPS, linked over Ethernet, Powertrain CAN and Safety CAN; the studied subsystem is the Sensor Fusion ECU.

Page 10

Building the Threat Model

(The six-step process diagram from page 7 is repeated here.)

Page 11

Level 3 autonomous mode – data flow diagram

Data flow diagram of the studied subsystem: elements Sensor Fusion, Sensor ECUs & GPS, User Interface, Power Generation, Transmission, Steering and Braking, with three items labelled A, B and C.

Page 12

Identify Threats to the subsystem – STRIDE

› Experts can brainstorm
› How to do this without being an expert?
  – Use STRIDE to step through the diagram elements
  – Get specific about threat manifestation

Source: https://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx

Threat                  Associated Property
Spoofing                Authenticity
Tampering               Integrity
Repudiation             Nonrepudiation
Information Disclosure  Confidentiality
Denial of Service       Availability
Elevation of Privilege  Authorization

Page 13

Risk assessment & evaluation

(The six-step process diagram from page 7 is repeated here.)

Page 14

Risk assessment & evaluation (OWASP “lite” method)

Each identified vulnerability is scored 1–3 on three likelihood factors (Attack Vector, Weakness Prevalence, Weakness Detectability) and on Technical Impact. Rating = average of the three likelihood factors x Impact; for the slide’s row: (2 + 1 + 3) / 3 x 3 = 6.0.

ID   Vulnerability Description   Attack Vector   Weakness Prevalence   Weakness Detectability   Technical Impact   Rating   Risk
XYZ  My vulnerability            2               1                     3                        3                  6.0      Hi

Average x Impact = Rating

Scales:
– Attack Vector: 3 Easy, 2 Average, 1 Difficult
– Weakness Prevalence: 3 Widespread, 2 Common, 1 Uncommon
– Weakness Detectability: 3 Easy, 2 Average, 1 Difficult
– Technical Impact: 3 Severe, 2 Moderate, 1 Minor

Risk bands: ≥6 High, ≥3 Medium, <3 Low
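The rating rule and bands from this slide, together with the STRIDE table from page 12, applied to a small threat register for the Level 3 autonomous-mode subsystem. This is an added example, not Infineon's code: the XYZ row is the slide's own (its STRIDE category is assumed), the other entries are constructed for illustration.

```python
"""OWASP "lite" risk rating from the slide applied to a threat register.
Added example, not Infineon's code; entries other than XYZ are constructed."""
from dataclasses import dataclass
from statistics import mean

# STRIDE table from the slide: threat category -> property it violates.
STRIDE = {
    "Spoofing": "Authenticity",
    "Tampering": "Integrity",
    "Repudiation": "Nonrepudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

@dataclass(frozen=True)
class Finding:
    ident: str
    stride: str          # one of the STRIDE keys
    description: str
    attack_vector: int   # 3 Easy, 2 Average, 1 Difficult
    prevalence: int      # 3 Widespread, 2 Common, 1 Uncommon
    detectability: int   # 3 Easy, 2 Average, 1 Difficult
    impact: int          # 3 Severe, 2 Moderate, 1 Minor

    def __post_init__(self):
        # Reject rows that are outside the slide's 1..3 scales or STRIDE list.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in ("attack_vector", "prevalence", "detectability", "impact"):
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{name} must be 1, 2 or 3")

def rating(f: Finding) -> float:
    """Average of the three likelihood factors x technical impact."""
    likelihood = mean((f.attack_vector, f.prevalence, f.detectability))
    return round(float(likelihood) * f.impact, 1)

def band(score: float) -> str:
    """Risk bands from the slide: >=6 High, >=3 Medium, <3 Low."""
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def rank(findings):
    """(id, violated property, rating, band), highest rating first."""
    rows = [(f.ident, STRIDE[f.stride], rating(f), band(rating(f))) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed register for the Level 3 autonomous-mode subsystem. XYZ is the
# slide's own row (2, 1, 3, impact 3 -> 6.0 High); its category is assumed.
REGISTER = [
    Finding("XYZ", "Tampering", "My vulnerability", 2, 1, 3, 3),
    Finding("SF-1", "Spoofing", "Unauthenticated sensor frames on flow A", 1, 2, 2, 3),
    Finding("SF-2", "Elevation of Privilege", "UI can start autonomous mode without authorization", 2, 2, 3, 2),
    Finding("SF-3", "Information Disclosure", "Diagnostic log readable on Ethernet", 1, 2, 2, 1),
]
```

`rank(REGISTER)` returns the register ordered for the step "identify countermeasures to address top risks".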

Page 15

Countermeasures for top risks

(The six-step process diagram from page 7 is repeated here.)

Page 16

Example – security countermeasures

Standard countermeasures, with the notes attached to them on the slide:

– Follow secure coding best practices: do code reviews in design, development, test & rollout phases; check external inputs are within bounds; fuzz test, pentest.
– Restrict access to resources on an “as needed” basis: use Access Control Lists or similar.
– Store critical keys in a security-certified controller (e.g. TPM): NVM decryption keys stored in a TPM will make it much harder to reverse engineer the ECU. Fleet keys need max security.
– Ship latest software versions and keep up to date.
– Use personalized & security-certified chips for key deployment & lifecycle: initial key deployment (asymmetric keys) is security-critical. It can be made easier and more secure by using a pre-personalized certified security controller.
– Keep logs of key security-related actions & encrypt them: logs can help with OEM/Tier 1 liability in case of accidents/attacks.

Page 17

The threat modeling and risk assessment process

Threat Modeling Methodologies
• See SAE J3061 & ISO 21434
• STRIDE
• Attack Trees
• Security FMEA
• Attack Libraries (CVE, CAPEC, OWASP Top 10…)

Risk Evaluation Methodologies
• See SAE J3061 & ISO 21434
• DREAD
• OWASP risk rating
• ETSI TVRA
• MIL-STD-882E

Countermeasures
• Use standard mitigations, industry best practices, etc.
• If new mitigations are absolutely needed, get expert advice. Don’t invent your own!

Page 18

Key takeaways – threat modeling and risk assessment

› There are many threats & threat actors out there
› Not all risks need to be addressed (some can be accepted or avoided)
› There is no “one size fits all” solution
› Don’t create your own security mitigations! Get expert advice.
› TARA is a process – keep your results, communicate and update them continually

Page 19

Securing the Vehicle Ecosystem

“Security is always excessive until it's not enough.” ― Robbie Sinclair

Page 20

Many devices over many protocols increase the attack surface

Diagram: vehicle connectivity via 6LowPan home network, TLS, LTE/5G, 5G, 802.11p, in-vehicle Internet, V2X (V2V, V2I), etc.

The four pillars of security:
1. Protect the Vehicle Architecture
2. Secure OTA
3. Portable device security
4. Secure Cloud & Services

Page 21

Securing a mid range E/E architecture – up to the early 2020’s – 4 pillars of security

1 – Protect the Vehicle Architecture

Diagram: external interfaces (EV charging, Cellular 3G/4G/5G, WiFi, Bluetooth, V2X-DSRC, USB, HD Radio/DAB, mobile wireless charging, TPMS, RKE) reach the Infotainment/Head Unit and the Telematics Control Unit; a Central Gateway with Firewall and IDPS connects the domain buses (Powertrain CAN/ENET, Chassis CAN, Body CAN, Safety CAN/ENET, OBD) and their ECUs (EMS, TCU, ESC, EPS, BCM, Lights, Airbag, Safety DCU).

Secure Networks
– Message auth. & encryption (Secure Onboard Comm.)
– Denial of service protections (in each ECU)

Secure ECUs
– Secure boot with AURIX™ HSM
– E2E authenticated OTA updates
– Secure key storage in the HSM
– Vehicle access control

Isolate Domains
– Intrusion Detection/Prevention System (IDPS) in AURIX™
– Whitelisting/traffic filter across networks (Firewall)

Protect External Interfaces
– Firewalls (external, with GW)
– TLS/SSL SW in App. Processor
– eSIM for cell. network security
– Trusted computing (TPM)
– Application level security
– Secure storage of critical/fleet keys, user credentials, PII
– V2X security (SLI 97/SLI 37)

Page 22

2 – Over-the-Air updates – threats

What if…
– An attacker takes over the server?
– An attacker impersonates the server?
– An attacker prevents the vehicle from getting updates?
– An attacker gains control over the Gateway ECU and sends rogue updates to target ECUs?

Page 23

2 – Secure OTA – mitigations

Diagram: OTA Server(s) with the update image repository → Telematics/Gateway → Target ECU(s) in the Target Vehicle.

– Store private keys in a TPM/Secure Element. Harden telematics & server with Secure Boot.
– Secure Onboard Communication and end-to-end authenticated updates with AURIX™ HSM.
– Use application-level security, secure timestamps & metadata, and ensure redundancy (DoS). E.g. Uptane is an OEM/T1-driven framework to secure the OTA ecosystem.
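The target-ECU side of the "secure timestamps & metadata" and "end-to-end authenticated updates" mitigations, as an added example (not Infineon's or Uptane's code): each check rejects one of the four OTA threats listed on the previous slide. The HMAC tag stands in for the OEM's asymmetric signature (a real ECU would verify it with a key held in the HSM), and the key, manifest fields, version and firmware bytes are constructed values.

```python
"""Target-ECU checks on an OTA update manifest. Added example, not
Infineon's or Uptane's code. Stand-ins: an HMAC tag plays the role of the
OEM's signature over the metadata (a real ECU verifies an asymmetric
signature with a key in its HSM); all keys, versions and bytes are
constructed for illustration."""
import hashlib
import hmac
import json

# Assumption: verification key and last installed version are held in the
# ECU's HSM / secure storage; here they are plain constants.
OEM_KEY = b"constructed-oem-key"
INSTALLED_VERSION = 7

def make_manifest(key, version, expires, image):
    """Producer side (constructed): metadata plus a tag over its canonical JSON."""
    meta = {"ecu": "SensorFusion", "version": version, "expires": expires,
            "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(meta, sort_keys=True).encode()
    return {"meta": meta, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_update(manifest, image, now, key=OEM_KEY, installed=INSTALLED_VERSION):
    """Return (accepted, reason); each check maps to a threat on the previous slide."""
    meta = manifest.get("meta", {})
    body = json.dumps(meta, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # 1. Metadata authenticity: a taken-over or impersonated server, or a
    #    gateway rewriting the manifest, cannot produce a valid tag.
    if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
        return False, "metadata signature invalid"
    # 2. Freshness (secure timestamps): a stale manifest replayed after
    #    newer updates were blocked is rejected once it has expired.
    if now > meta.get("expires", -1):
        return False, "metadata expired"
    # 3. Anti-rollback: never install a version at or below the running one.
    if meta.get("version", -1) <= installed:
        return False, "version rollback"
    # 4. End-to-end image integrity: the gateway cannot swap the image,
    #    because its hash is bound into the authenticated metadata.
    if hashlib.sha256(image).hexdigest() != meta.get("sha256"):
        return False, "image hash mismatch"
    return True, "ok"

IMAGE = b"constructed firmware image v8"           # constructed payload
GOOD = make_manifest(OEM_KEY, 8, 1_700_000_000, IMAGE)  # constructed manifest
```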

Page 24

3 – Portable device security

What if…
– An attacker connects via Bluetooth?
– Malware on a smartphone infects the vehicle infotainment?
– An attacker gets access to CAN via the OBDII port (OBD dongle)?
– A man-in-the-middle steals PII from the phone-vehicle connection?

Page 25

3 – Portable device security

Diagram: OBD dongle and Infotainment (IVI) in the Target Vehicle.

– Harden mutual authentication and key storage with a Secure Element.
– Ensure authenticity of dongle & protect keys with a lightweight security chip.
– Store private keys in a TPM/Secure Element. Harden Infotainment ECU with Secure Boot.

Page 26

4 – Secure cloud & services

What if…
– Someone impersonates a vehicle?
– An attacker blocks connection to the cloud?
– A man-in-the-middle intercepts vehicle/user data or sends malicious packets to the vehicle?
– An attacker modifies the vehicle-side API to misuse the cloud connection?

Page 27

4 – Secure cloud & services

Diagram: cloud services connected to the Infotainment (IVI) of the Target Vehicle.

– Harden cloud-connected devices integrated with the vehicle using a Secure Element.
– Provision & securely store private keys with a TPM/Secure Element. Harden Infotainment ECU with Secure Boot.

Page 28

Conclusion

“At the end of the day, the goals are simple: safety and security.” ― Jodi Rell

Page 29

Many devices over many protocols increase the attack surface

(The four-pillar diagram from page 20 is repeated here.)

Page 30

Key takeaways – threat modeling and risk assessment

(The takeaways from page 18 are repeated here.)

Page 31

Final thoughts

› Find out what your company is doing in this area, and contribute!
› YOUR skills and knowledge are extremely valuable for Threat Modeling!
› Infineon is here to help you with your security needs & concerns!
› Talk to your local Infineon FAE

Contact us! Get involved in Security! Participate in the TARA process!

Page 32