Upload
iddan-halevy
View
747
Download
2
Tags:
Embed Size (px)
Citation preview
Feasible Car Cyber Defense
Arilou Information Security Technologies LTD.
Arilou Technologies
The modern car
• Sophisticated and computerized• Decentralized electronic system
Usually consists of dozens of computers (ECUs – electronic control units) and sensors
New functionalities – hundreds MBs of code Connected by one or more network segments
• Autonomous cars
The modern car
The rising threat
• ECUs controlled mechanisms Brakes Stability control Airbags …
• CAN bus connected• Rising wave of cyber attacks
Hacking a system
• Demonstrated by US researchers - hack using RDS, Bluetooth and more
• Hack a widespread infotainment system using hostile files With no prior knowledge No budget Goal: estimate the possibility of such scenario
Infotainment Hack
internet
Hacking process
• Understand inner working and get binaries• Reversing the binaries – focus on input parsing• Finding exploitable vulnerabilities
• Implementing the exploit
The result
Conclusion
Cars were designed for safety and functionality – not for Security
The challenge
• Huge number of suppliers• Lots of external interfaces• Every cent counts• Time critical communication• Legacy systems• Zero tolerance for mistakes
Possible solutions
Cryptography
• Confidentiality• Integrity• Authenticity
• Can solve some of the issues The automotive world is far from ideal for this
Cryptography Difficulties• Key exchange and management• Symmetric keys:
Identical to all units – vulnerable Not identical – complicated to manage
• Asymmetric keys: Time and computing complexity – cost PK infrastructure needed
• Maintenance nightmare – for a mission critical solution• Export restrictions• The industry is too decentralized• Does not solve vulnerabilities
Exploit can use the crypto mechanisms to encrypt The more sophisticated the system the larger the attack surface
CAN bus firewall• A rule based CAN bus Firewall
Whitelist Rate limit Authentication
• Independent device Single non-expensive chip aftermarket or integrated SOC Military grade Thoroughly tested
• Architecture As general rule does not require redesign of ECU’s
software or vehicle’s network
Questions?