Connected Cars - Poster Child for the IoT Reality Check


Post on 24-Jan-2017


Brian Witten, Symantec
Ed Adams, Security Innovation
Conference: April 6-7, 2016
Exhibit Hall: April 6-8, 2016
Sands Expo, Las Vegas, NV

Building Comprehensive Security Into Cars
March, 2016

Brian Witten

I've spent 20 years building security into aircraft, military, and intelligence systems, and more recently helping embed security into aviation ground stations, cellular base stations, and roughly a million ATM machines per year. This talk will focus on the unique needs of automotive vehicle security, including both business constraints and emerging technical standards, attempting to boil down the nearly intractable end-to-end set of challenges into something both reachable and effective.

Current Reality

Underestimated Adversary

Concept Proven

First, given all of the hype, let us ground ourselves in reality. This summer:
-- We all saw the Concept Proven on what can be done digitally to moving vehicles from afar.
-- Of course, we are not yet seeing those attacks at scale.
-- We are, however, seeing other attacks at scale, including rashes of vehicles stolen in Europe and North America, exploiting security mistakes in keyless entry systems.
-- However, the vast majority of drivers still haven't directly suffered any such attack, or even suffered any such attempted attacks.

http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/
http://www.forbes.com/sites/josephsteinberg/2015/05/12/vulnerability-in-car-keyless-entry-systems-allows-anyone-to-open-and-steal-your-car/
http://www.publicdomainpictures.net/view-image.php?image=158073

Hypothetical

Assuming single automaker targeted
2% Market Share ~ 2M vehicles/year

US: 100M commuters, daily
US: 4M vehicles on road at peak times
( 2% of 4M ) = 200k vehicles driving at once

Generation of vehicles often > 3 model years
US: vehicles on road average 11 years old
(200k x 3/11) = 54,000 vehicles driving at once

but vehicle safety has come a long way
Fatality rate near 0.3% (0.003) per accident

For 54,000 vehicles
(0.003 x 54,000) = 162

Generation: 6M vehicles
Appendix lists sources.

Many of us in the room, though, are asked to scale the risk somewhere between sky is falling and head in the sand. I think some Math can help with that.

For an automaker with roughly 2% market share worldwide, I did a bit of research, and they often have roughly 200 thousand of their vehicles driving at once.

Now, if a well organized criminal cyber ops team wanted to short the stock of that automaker just before causing a large scale incident among those 200 thousand cars on the road, they'd probably do it as soon as they could target a generation of cars, perhaps the last or next three years of cars from that automaker.

That's only about 54,000 of this automaker's vehicles all on the road at once.

Fortunately, vehicle safety has come a long way, so 50 thousand accidents isn't 50 thousand deaths. Instead, it would be about 160 fatalities.

To put that in perspective:
-- an automaker of that scale probably sees over 700 deaths per year for their vehicles in accidents without any cyber attack. 160 is only a fraction of that,
-- roughly half the number of deaths attributed to SUV tire/rollover issues more than a decade ago
-- but that 160 deaths, and 50 thousand accidents, would all be in a single hour
-- and then millions of owners would then fear driving their cars and trucks.
-- Of course, multi-million vehicle recalls aren't new, but most recalls address low probability risks as vehicles are built to run well most of the time.
-- It's different when an aggressor can trigger those risks at will,

Threats: A Quick Refresher
Copyright 2014 Symantec Corporation

[Diagram: vehicle network (Architecture Simplified for Presentation). Components: TCU (GSM, RTOS), IVI (RTOS), GWC, ECU, BCM, xxM, OBD2, UBI GSM, CAN1, CAN2.]

Attack vectors shown:
-- Cellular (IP & GSM)
-- Other Wireless (BT & Wifi)
-- Physical Tampering
-- Supply Chain

Vulnerabilities Announced This Summer:
-- Unauthenticated Commands
-- Unauthenticated Connections
-- No IP Port/Protocol Restrictions
-- Inadequate Code Signing
-- Potential Memory Corruption Vulnerabilities
-- Vulnerable Browsers/Apps
-- Vulnerable Modems
-- Unauthenticated Bus

TCU: Telecommunications Unit
IVI: In Vehicle Infotainment
RTOS: Real Time OS
ECU: Engine Control Unit
BCM: Body Control Module
xxM: Other Modules
CAN: Controller Area Network
CAN1/2: Hi, Med, Lo Speed CAN
GWC: gateway chip
OBD2: On Board Diagnostics port
UBI: Usage Based Insurance
GSM: Global System for Mobile Comms, aka "a modem"

So, let's dive into those risks. To understand those risks, let's start with the Telecommunications Unit (TCU) and In Vehicle Infotainment (IVI).
-- Lots of people don't realize that the TCU (by itself), though mostly a modem, has its own Real Time Operating System (RTOS) with its own vulnerabilities, in addition to any vulnerabilities in the head unit.
-- Of course, that modem is also a channel for attacks against the head-unit, and sometimes even the rest of the car.
-- Some cars even have a second modem plugged into the OBD-2 port, such as a Usage Based Insurance (UBI) dongle, similarly vulnerable to both attacks against the GSM modem itself, as well as carrying IP based attacks.
-- Of course, far more malicious tampering can be done through the OBD2 port, as well as to the rest of the vehicle,
-- And vehicles today often have other wireless interfaces beyond GSM, including not only wifi and bluetooth for Infotainment, but other wireless interfaces such as for Tire Pressure Monitoring
-- and all of these attack vectors are of course atop the supply chain risks

Security mistakes exploited through these attack vectors then include:
-- execution of unauthenticated commands
-- acceptance of unauthenticated connections
-- and lack of IP address port/protocol restrictions

Those mistakes were then compounded by mistakes deeper in the architecture: (a) lack of code signing in the gateway module, and (b) likely exploitable poor coding in the gateway module. These were all atop busses with inadequate authentication, plus browser and other infotainment app vulnerabilities along with modem vulnerabilities disclosed this summer as well. Busy summer. Let's frame the big picture on how to fix it.

Cornerstones of Security: Automotive Vehicles

[Diagram: the simplified vehicle architecture (TCU, IVI, GWC, ECU, BCM, xxM, OBD2, UBI GSM, CAN1, CAN2) overlaid with the four cornerstones.]

Authenticate: CAMP VSC3, HIS SHE, EVITA HSM
Manage: OMA DM, SCOMO
Protect: Code-Signing (Boot Time), Host-Based (Run Time), Compiler Based (No-OS)
Security Analytics: Embedded (in-vehicle), Global

CAMP: Crash Avoidance Metrics Program
VSC3: Vehicle Safety Comms
HIS: Hersteller Initiative Software
SHE: Secure Hardware Extensions
EVITA: E-safety Vehicle Intrusion Protected Applications
HSM: Hardware Security Module
OMA DM: Open Mobile Alliance (OMA) Device Management (DM)
SCOMO: Software Component Management Object
MLA: Multi Letter Acronym

Business Constraints:
-- Consumers won't pay for security they assume
-- OEM & Tier 1 Suppliers: extremely thin margins
-- Security $ must be < few % of any car/module

For a copy of the slides, email bwitten@symantec.com

Unfortunately, there is no silver bullet. Effective security must be engineered, composed, from a short list of crucial ingredients. We frame them as cornerstones, and I'll be describing the emerging technical standards for each.
-- Authentication, within the vehicle and authentication of remote services, as well as, and perhaps even more importantly than, V2V or V2X.
-- Building protection into each critical module of the vehicle,
-- Managing the vehicle over time because Security is Never Done, and
-- Security Analytics to detect the strategic threats able to overcome all of the above countermeasures.

For authentication within the vehicle, I'm glad to see the progress in Europe that I'll describe on the next slide for both the EVITA Hardware Security Module standards along with the more widely known SHE Secure Hardware Extensions. In the US, I'm glad to see the CAMP VSC3 progress in V2V standards for Vehicle Safety Communications, but these groups in US and Europe have made some very different choices that I'll describe on the next slide.

For Over The Air (OTA) management of vehicle software and vehicle software inventory, most automakers cite the Open Mobile Alliance (OMA) Device Management (OMA-DM) standards, along with the Software Component Management Object (SCOMO) standards.

For protecting each of the critical modules in the car, this has to be done both at boot-time through code signing and secure boot, as well as run-time, which can be done with host based technologies for any with an Operating System or Real Time OS / RTOS. For modules with No-OS, it has to be done through compiler based techniques.

Last, since strategic threats can overcome all of these defenses, and it will take years to build some of these defenses into your vehicles, you need to be deploying in-vehicle security-analytics, and instrumenting your vehicles to stream security telemetry for global analytics to manage risks against the most capable adversaries.

Of course, from a business perspective, all of this needs to be done in the context that (a) consumers won't pay more for security that they assume to be present, (b) carmakers have no margin to give, and (c) security for those reasons probably cannot cost more than a thin slice of the overall module cost for any module.

In that context, let's look quickly at each of these cornerstones, starting with authentication.

Can extremely constrained devices do meaningful security?

Benchmark: ECC/ECDSA256

$0.25
Early 80s grade chip: 8 bit, 8 MHz, 2 k SRAM
25 seconds
AA Battery: 20+ years

Leading 10 year old chips: 16 bit, 16 MHz, 30 k SRAM
3 seconds
AA Battery: 20+ years

Current 32 bit chips: 32 bit, 84 MHz, 30+ k SRAM
150 ms
AA: 20 years

$0.50

Protect The Communications

What's needed?
Required: Authentication
Helpful: Encryption
Note: Signing objects can avoid decrypt/re-encrypt burden

Certificates: Over a Billion IoT devices chain to a world class Certificate Authority (CA)
Roots of Trust: IoT Roots of Trust can help identify foreign devices
Crypto Libraries: Several good open-source and commercial options

[Diagram: Devices & Sensors: Hardware, Operating Systems, Embedded Software]

Automotive Authentication Schemes

Vehicle to Vehicle (V2V)
  Standards: CAMP VSC3
  Approach: SLC with CRL; for additional privacy, rotation among a pool of SLC all within validity period
  Underlying Crypto: ECC 256

In-Vehicle & Vehicle to X (V2X)
  Standards: HIS SHE, EVITA (HSM), AUTOSAR (CAL & CSM)
  Approach: HIS SHE, EVITA HSM Light & Medium (symmetric); EVITA HSM Full (symmetric + asymmetric)
  Underlying Crypto: AES 128 (all of above); RSA 2048, 4096 (AUTOSAR + EVITA Full)

CAMP: Crash Avoidance Metrics Program
VSC3: Vehicle Safety Communications
SLC: Short Lived Certificates
CRL: Certificate Revocation List
ECC: Elliptic Curve Cryptography
HIS SHE: Hersteller Initiative Software, Secure Hardware Extensions
EVITA: E-safety Vehicle Intrusion Protected Applications
HSM: Hardware Security Module
AUTOSAR: Automotive Open System Architecture
CAL: Crypto Abstraction Library
CSM: Crypto Service Manager

As mentioned, in collaboration with automakers worldwide, US NHTSA and US DOT have made real progress defining the CAMP VSC3 standards for V2V communication.

Their approach uses Short Lived Certificates, built on Elliptic Curve Crypto with a 256 bit keylength.

In contrast, many of the EVITA and SHE efforts, started in Europe, but again in collaboration with automakers from around the world, make heavier use of symmetric keys, with the higher layer AUTOSAR libraries supporting both symmetric and asymmetric crypto.

Of course, regardless of whether you're using symmetric keys or asymmetric keys, you'll want to make sure that you get the key management right, including unique keys per module, properly provisioned in-factory. We're happy to help with that as we've already done it for more than a Billion devices, including critical infrastructure and mass scale consumer electronics.
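The key-management point above (unique symmetric keys per module, provisioned in-factory), as an added example that is not code from the talk or from any of the named standards: a per-module key is derived from a factory master key and the module serial, and each in-vehicle command carries a counter and a truncated MAC so forged or replayed frames are rejected. HMAC-SHA-256 stands in for the AES-128 primitives the slide lists; the function names, serials, CAN ID and 8-byte tag length are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8  # assumed truncated-tag length in bytes; frame size limits are ignored here


def derive_module_key(master_key: bytes, module_serial: str) -> bytes:
    """Derive a unique 128-bit key per module from a factory master key.

    Extracting one module's key then exposes no other module's key.
    """
    return hmac.new(master_key, b"module-key|" + module_serial.encode(),
                    hashlib.sha256).digest()[:16]


def _tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    # The MAC covers the bus ID and the counter as well as the payload.
    header = struct.pack(">II", can_id, counter)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: payload || counter (4 bytes) || truncated MAC."""
    return payload + struct.pack(">I", counter) + _tag(key, can_id, counter, payload)


class Receiver:
    """Receiver side: checks the MAC, then enforces a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # can_id -> highest counter accepted so far

    def accept(self, can_id: int, frame: bytes):
        if len(frame) < 4 + TAG_LEN:
            return None  # too short to carry counter and tag
        payload = frame[:-(4 + TAG_LEN)]
        counter = struct.unpack(">I", frame[-(4 + TAG_LEN):-TAG_LEN])[0]
        expected = _tag(self.key, can_id, counter, payload)
        if not hmac.compare_digest(frame[-TAG_LEN:], expected):
            return None  # sender lacks this module's key, or frame was altered
        if counter <= self.last_counter.get(can_id, -1):
            return None  # replay of an already accepted frame
        self.last_counter[can_id] = counter
        return payload


def demo():
    master = bytes(range(32))                        # constructed factory secret
    bcm_key = derive_module_key(master, "BCM-0001")  # hypothetical serials
    ivi_key = derive_module_key(master, "IVI-0001")
    bcm = Receiver(bcm_key)
    frame = protect(bcm_key, 0x2F0, 1, b"\x01")
    altered = b"\x02" + protect(bcm_key, 0x2F0, 3, b"\x01")[1:]
    return {
        "genuine": bcm.accept(0x2F0, frame),
        "replayed": bcm.accept(0x2F0, frame),
        "wrong_key": bcm.accept(0x2F0, protect(ivi_key, 0x2F0, 2, b"\x01")),
        "altered": bcm.accept(0x2F0, altered),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine frame is accepted; a frame authenticated with the infotainment unit's key is rejected by the body control module because the two keys are unrelated.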


Code Signing & Secure Boot: Protect the Code that Drives The Car

[Diagram: software stack on a module, with Persistent Storage (if present)]
A. Device Drivers
B. Network Stack
C. Operating System
D. Primary App
E. OpenSSL
F. Network Monitor
G. Settings

Always sign settings & data if persisted locally!
Platform & binaries can be signed monolithically or individually.

[Diagram: boot chain]
Chipmaker POST
Chipmaker Proprietary Boot Loader
OEM Controlled Pre-Boot Environment
OS image
Supplier 1, Supplier 2, Supplier 3
Data Objects & Software Updates

Leading Certificate Authorities operate fortified, cloud-based, code-signing infrastructure to help OEM manage & protect code signing keys for hundreds or thousands of suppliers.

Copyright 2015 Symantec Corporation

Of course, that run-time protection assumes that you booted into a clean state, so let me build that quickly from the ground up as they do in other verticals.

In many systems, you have (monolithically, granular, NoOS) and this is how it's done in several verticals, but automotive has an extra wrinkle.

Vehicles often have chips from many semi-conductor companies, and many, many suppliers of higher level firmware and software.

In many cases, the chipmakers control their Power-On-Self-Test, and even control secure boot through proprietary tool chains.

If you're going to control the code running on that chip for a complex ecosystem of tiered suppliers, then, practically speaking, you need to create a standardized pre-boot environment that you can run atop all of those proprietary boot-loaders. From there, you can standardize code signing for all higher level firmware and software including the OS image, Tier-1 code, Tier-2 supplier code, and more, giving you control over all the code running on all the chips in all your (new) vehicles. That'd be good news for most automakers, and some Certificate Authorities could even help you take it a step further, helping manage and protect the keys for such code signing by entire ecosystems of suppliers.

Protect Devices: Update-less In-device Security
Manufacturer-embedded security

Network Protection (Host IPS)
-- Close back doors (block ports)
-- Limit network connectivity by application
-- Restrict traffic flow inbound and outbound

Exploit Prevention (Host IPS)
-- Restrict apps & O/S behaviors
-- Protect systems from buffer overflow
-- Intrusion prevention for zero-day attacks
-- Application control

System Controls (Host IPS)
-- Lock down settings & configuration
-- Enforce security policy
-- De-escalate user privileges
-- Prevent removable media use

Auditing & Alerting (Host IDS)
-- Monitor logs and security events
-- Consolidate & forward logs for archives and reporting
-- Smart event response for quick action

Symantec Embedded Security Critical System Protection

Of course, even if you have an Over The Air update/management capability, you still need to build into each module protection against the vulnerabilities that you haven't seen yet. Such protection should be capable of being effective without requiring updates.
-- This can be done through host-based network-policy enforcement
-- host-based exploit-prevention
-- host-based lock-down technologies for enforcing policies such as principle of least privilege, sandboxing, and behavioral controls
-- of course, those enforcement technologies can also typically be configured to stream security telemetry to analytics with or without blocking the events in the vehicle.
As implied, a couple of products in market do this. Ours is called Embedded Security for Critical System Protection.

Over The Air (OTA) Vehicle Updates: Managing Vehicle Software & Configuration

Updates must be OTA near no effort.
OTA update capability must be built-in, from the beginning.

3 days: Average Time Between Vulnerability Discovery (Linux)
Cars on the road today are 11 years old, on average
Manual Patching 1,300 times? Ridiculous.

Good Management: Not Just Updates
-- Telemetry & Normal Control
-- Software Inventory, Updates
-- Configuration Changes
-- New Functionality & Patches
-- Security Telemetry, Content
-- Diagnostics & Remediation
-- Access Control Lists
-- Policy Updates

Monolithic Updates Kill Bandwidth
Updates Must Be Granular

[Figure: bandwidth comparison of updates, labelled "1 x" and "20 x"]

Of course, even if you build great crypto into each chip, security is never finished.

In fact, when you consider that the average car on the road today was purchased 11 years ago, and that complex systems like Linux as just one example, have so much code that vulnerabilities are found more than weekly, the notion of patching by USB sticks should be entirely laughable. Over The Air (OTA) update capabilities must be built in from the beginning such that updates cost nearly no effort.

Of course, one of the reasons companies cringe at doing updates Over The Air is the fear of the bandwidth cost for such updates. However, if you build the system to do _granular_ (fine grain) updates then you can do hundreds of updates for less bandwidth than a single monolithic update.

Last, just as important, if you have a good OTA management system, you can use it to manage far more than security updates: you can fix non-security issues Over The Air, and deploy new functionality as well as deploy new security policies and collect security telemetry.
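The granular-update argument above, combined with the earlier slide's advice to sign settings and binaries individually, as an added example that is not code from the talk: a manifest lists a SHA-256 per component, the vehicle authenticates the manifest, fetches only the components whose hash differs from what is installed, and installs nothing unless every download matches. HMAC-SHA-256 stands in for a code-signing signature so the block runs on the standard library alone; component names, sizes and the key are constructed.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable byte encoding so both sides authenticate exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(components: dict, version: int, signing_key: bytes) -> dict:
    """Backend side: per-component hashes plus a tag over the whole manifest."""
    body = {"version": version,
            "components": {name: {"sha256": sha256_hex(blob), "size": len(blob)}
                           for name, blob in components.items()}}
    tag = hmac.new(signing_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_manifest(manifest: dict, signing_key: bytes, installed_version: int) -> dict:
    """Vehicle side: authenticate the manifest and refuse rollback or replay."""
    expected = hmac.new(signing_key, _canonical(manifest["body"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest authentication failed")
    if manifest["body"]["version"] <= installed_version:
        raise ValueError("rollback or replayed manifest")
    return manifest["body"]


def plan_update(installed: dict, body: dict) -> list:
    """Names of components that are missing or whose hash differs from the manifest."""
    return sorted(name for name, meta in body["components"].items()
                  if name not in installed
                  or sha256_hex(installed[name]) != meta["sha256"])


def apply_update(installed: dict, body: dict, fetch) -> int:
    """Fetch only changed components and verify each one; return bytes transferred."""
    staged, moved = {}, 0
    for name in plan_update(installed, body):
        blob = fetch(name)
        moved += len(blob)
        if sha256_hex(blob) != body["components"][name]["sha256"]:
            raise ValueError("component %s does not match manifest" % name)
        staged[name] = blob
    installed.update(staged)  # commit only after every component verified
    return moved


def demo():
    key = b"constructed-demo-key-32-bytes!!!"  # constructed stand-in for a signing key
    old = {"os_image": b"A" * 4000, "network_stack": b"B" * 800,
           "openssl": b"C" * 600, "settings": b"mode=1"}
    new = dict(old, openssl=b"D" * 600, settings=b"mode=2")
    installed = dict(old)
    body = verify_manifest(build_manifest(new, 2, key), key, installed_version=1)
    granular = apply_update(installed, body, fetch=new.__getitem__)
    monolithic = sum(len(blob) for blob in new.values())
    return granular, monolithic, installed == new


if __name__ == "__main__":
    print(demo())
```

In the constructed release only two of four components change, so the granular path moves 606 bytes where a monolithic image would move 5406.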

http://www.pd4pic.com/computer-memory-usb-icon-disk-stick-disc-storage.html
http://www.clker.com/clipart-23413.html
http://free-vector.cf/vectors/car-icon-vector

Automotive Security Analytics

No matter how well you do everything else, some threats will still get past even the best defenses.

Detecting such threats requires strong understanding of normal system behavior.

Machine Learning (ML) analytics can distill models of normal CAN bus, small enough to run in a UBI dongle or IVI Single Board Computers (SBC).

Processing trillions of events, we've used these techniques in other verticals to catch some of the most sophisticated threats ever caught.
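One way to build a compact model of normal CAN bus behaviour as the slide describes, given as an added example rather than Symantec's analytics: it learns the mean and spread of the inter-arrival time per CAN ID from clean traffic, then flags IDs never seen in training and frames arriving far off the learned period. Plain per-ID statistics stand in for the machine-learning models the slide mentions; the trace, IDs and thresholds are constructed.

```python
import math
from collections import defaultdict


class CanTimingModel:
    """Per-ID model of frame inter-arrival time: two floats per CAN ID."""

    def __init__(self, z_threshold: float = 4.0, min_sigma: float = 0.0005):
        self.z_threshold = z_threshold
        self.min_sigma = min_sigma  # floor so very regular IDs do not get sigma near 0
        self.stats = {}             # can_id -> (mean_gap_seconds, sigma_seconds)

    def fit(self, frames):
        """frames: iterable of (timestamp_seconds, can_id) from known-good traffic."""
        gaps, last = defaultdict(list), {}
        for ts, can_id in frames:
            if can_id in last:
                gaps[can_id].append(ts - last[can_id])
            last[can_id] = ts
        for can_id, g in gaps.items():
            mean = sum(g) / len(g)
            var = sum((x - mean) ** 2 for x in g) / len(g)
            self.stats[can_id] = (mean, max(math.sqrt(var), self.min_sigma))
        return self

    def score(self, frames):
        """Return a list of (timestamp, can_id, reason) alerts for a new trace."""
        alerts, last = [], {}
        for ts, can_id in frames:
            if can_id not in self.stats:
                alerts.append((ts, can_id, "unknown-id"))
            elif can_id in last:
                mean, sigma = self.stats[can_id]
                z = (ts - last[can_id] - mean) / sigma
                if z < -self.z_threshold:
                    alerts.append((ts, can_id, "too-fast"))
                elif z > self.z_threshold:
                    alerts.append((ts, can_id, "too-slow"))
            last[can_id] = ts
        return alerts


def constructed_trace(inject: bool = False):
    """Constructed sample: 0x0C4 every 10 ms and 0x1A0 every 20 ms, with small jitter."""
    frames = []
    for period_ms, can_id in ((10, 0x0C4), (20, 0x1A0)):
        for i, t_ms in enumerate(range(0, 1000, period_ms)):
            jitter = ((i * 7) % 5 - 2) * 0.0001  # deterministic, within +/- 0.2 ms
            frames.append((1.0 + t_ms / 1000 + jitter, can_id))
    if inject:
        # Constructed anomaly: three extra 0x0C4 frames between legitimate ones,
        # plus one frame with an ID that is absent from the training traffic.
        frames += [(1.505, 0x0C4), (1.515, 0x0C4), (1.525, 0x0C4), (1.600, 0x7DF)]
    return sorted(frames)


def demo():
    model = CanTimingModel().fit(constructed_trace())
    clean = model.score(constructed_trace())
    suspect = model.score(constructed_trace(inject=True))
    return clean, suspect


if __name__ == "__main__":
    clean, suspect = demo()
    print(len(clean), "alerts on clean trace")
    for ts, can_id, reason in suspect:
        print("%.4f  0x%03X  %s" % (ts, can_id, reason))
```

Each extra frame halves the gap both before and after it, so three extra frames produce six timing alerts; the state kept per ID is small enough for the constrained devices the slide has in mind.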


Of course, as mentioned, no matter threats ever caught.

Our analytics solution will be in beta very (very) soon. If you're not signed up yet, just stop by the booth.

Cornerstones of Security: Automotive Vehicles

Authenticate: CAMP VSC3, HIS SHE, EVITA HSM
Manage: OMA DM, SCOMO
Protect: Code-Signing (Boot Time), Host-Based (Run Time), Compiler Based (No-OS)
Security Analytics: Embedded (in-vehicle), Global

But as mentioned, security analytics are just one cornerstone.
-- We're also happy to help you protect all of the critical modules,
-- and manage all of the credentials for all of your authentication.
-- We'd also love to help you manage your OTA updates, but that part isn't tailored for automotive yet.
In contrast, our analytics and host based protection are both built for automotive, and we've just signed our first automotive chipmakers for our authentication offerings.

Building Comprehensive Security Into Cars
Brian Witten
bwitten@symantec.com
www.symantec.com/iot
Internet of Things (IoT)
Thank You!

Thank You For Your Time! I'm happy to answer questions on our offerings and recommendations for automotive, or take questions on how we've already helped protect over a billion other devices ranging from critical infrastructure to consumer electronics.


Symantec Offerings: Automotive Vehicles

Authenticate: Device Certificates & Management Services
Manage: Not Yet Available from Symantec for Automotive
Protect: Code-Signing Certificates & Services; Symantec Embedded Security Critical System Protection (SES-CSP)
Security Analytics: (Beta)


Appendix: Sources for data used in the back of the napkin calculation

Over 100M commuters commute by car daily (96M driving alone, 14M carpool, only 3M by bus, etc.); half commute only 6-10 miles, or less.
http://www.statisticbrain.com/commute-statistics/

4M cars on road per hour, roughly 1M cars on road at a time in peak hours

1.6M trips at rush hour in Los Angeles alone
http://planning.lacity.org/cwd/gnlpln/transelt/TE/T2Bkgrnd.htm

Market share data:
https://en.wikipedia.org/wiki/Automotive_industry#By_manufacturer

Average age of a car today is roughly 11 years
http://business.time.com/2012/01/18/jalopy-nation-the-average-car-on-the-road-has-never-been-older/

Accident/Fatality ratio (2009) near 0.003 (0.3%): 35,900 per 10.8M
http://www.census.gov/compendia/statab/cats/transportation/motor_vehicle_accidents_and_fatalities.html

Total US Motor Vehicle Crash Deaths in 2013 were 32,719; US Vehicle Occupant Deaths in 2013 were 21,268
http://www.iihs.org/iihs/topics/t/general-statistics/fatalityfacts/passenger-vehicles

2,977 people died in 9/11 (wikipedia)

Additional data: http://inrix.com/scorecard/
Napkin1: http://www.publicdomainpictures.net/view-image.php?image=3925&picture=napkins

Connected Cars: What Could Possibly Go Wrong?

Ed Adams
CEO, Security Innovation
Research Fellow, The Ponemon Institute

March 23, 2016

IT Security Leaders Dallas

Cars are part of the Internet of Things (IoT)

The network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, collecting and exchanging data

Anything with an on/off switch and connection to the Internet (or each other):
cell phones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of.

IoT is vulnerable

What enables IoT?

Software runs the world (even hardware)

Technological convergence and force multipliers are all coming into play:
-- Short-range communications technologies such as RFID, NFC, Bluetooth, and WiFi
-- Recording devices, awareness algorithms
-- Cloud storage and computing, big data, and analytics
-- IPv6: the latest revision of the communications protocol is designed so that it's impossible to ever reach its unique IP address limitations

IoT Reality Check: Software Runs the World

F22 Raptor: 1.7 Million Lines of Code
787 Dreamliner: 6.5 Million Lines of Code
S-Class Mercedes: 100 Million Lines of Code, and
-- 100 ECUs
-- 5 Networks
-- 2 miles of cable
-- 10+ Operating Systems
-- 50% of total cost

Connected Car different than computer? The next mobile platform?

Networked Computer: Hardware replaced every 3 years and easily upgraded
Connected Car: Computing resources are fixed for lifetime of vehicles. Lifetime > 10 years

Networked Computer: Virus and malware protection runs daily with no end user disruption
Connected Car: Updating software cannot rely on persistence of connectivity. Car must be parked for safety.

Networked Computer: Easy to physically secure, single CPU and limited external access
Connected Car: Hard to physically secure, multiple CPUs all accessible via OBD2 port.

Networked Computer: VPN protects small number of users
Connected Car: VPNs not designed for this scale

Networked Computer: Existing tools are mature, little impact on processing
Connected Car: Immature tools

Connected Car Market

Source: HIS Automotive

Vulnerable? Let me Count the Ways

Between vehicles: V2V, V2I, Wireless

Internal: DVD, USB, SD, Aux, OBD, CAN Bus, HSMB, Ethernet, Touchscreen

External: Bluetooth, OBD Dongle, Internet, Dealer Diagnostics, WiFi, Key fob, TPMS, Power plug

Application Security Practices in the Automotive Industry

                                                     Agree   Disagree
My company makes secure software a priority           61%     39%
Hackers are actively targeting automobiles            64%     36%
Automakers know less about security than others       61%     39%
It is possible to build a nearly hack-proof car       28%     72%
My company has automobile security experts            64%     36%
Software should be updated over the air               46%     54%

July 2015 survey
524 respondents: OEM = 234, Tier 1 = 163, Tier 2 = 137

How difficult is it to secure automotive applications?

The Hacker Threat

New Hacks

A Sky News investigation finds that almost half the 89,000 vehicles broken into in London last year were hacked electronically.

Let's Talk About Traffic Safety

-- 35,000 US road deaths, and 3,800,000 injuries
-- Fatalities and injuries = $300B/year
-- Congestion = $230B/year
-- Leading cause of death, people aged 15-34 in US

Technology Evolution: Passive, Active, Proactive

Image credits:

http://www.boston.com/cars/newsandreviews/overdrive/2010/07/volvo_s60_pedestrian_detection.html

http://jalopnik.com/5390032/2010-volvo-s60-can-detect-automatically-avoid-pedestrians

http://www.chrisleso.com/new-volvo-v60-station-wagon-variant/

The Talking Cars Program (aka V2V or V2X)


State of Automotive Safety (V2V, V2I)

-- V2V wireless communications for "always on" warning
-- 300 meter range using 802.11p wireless protocol
-- IEEE, ETSI, and SAE standards
-- Over 6,000,000 crashes, 35,000 road deaths, and 3,000,000 injuries
-- US fatalities and injuries = $300B/year
-- Congestion = $230B/year
-- Leading cause of death, people aged 15-34 in US

How could technology possibly help?


Connected Cars: Putting our Theory to Test

Basic Safety Message:
-- All equipped vehicles broadcast 10 times/second
-- On board logic detects hazards and alerts driver
-- "Here I am; Here's my speed & direction; Brake status; (plus??)"

Communications are V2X:
-- Vehicle-to-vehicle
-- Vehicle-to-infrastructure
-- Vehicle-to-RSE (road-side equipment)
-- Vehicle-to-AMD (after-market device)
-- VRUs (vulnerable road users)

V2V is a Dept. of Transportation mandate:
-- Driver awareness & notification of invisible dangers
-- US DOT Mandate, EU OEM-driven
-- V2V will prevent 76 percent of crashes (US DOT)
-- "The most important safety improvement in automobiles since the seatbelt" (Transportation Secretary Anthony Foxx)
-- World's largest Certificate Management System

Connected Cars: Secure Vehicle to Vehicle/Infrastructure Communications (V2X) (V2V, V2I)

Leveraging Technology to Save Lives


V2V: the worries

Security
-- Will hackers be able to take control of my car?
-- Will terrorists be able to cause mass havoc?

Privacy
-- Will the government be able to track my every move?
-- Will I be issued automatic speeding tickets everywhere?

Messages must be secure
-- Authentication, Integrity, Availability, Timeliness

The system must provide anonymity
-- Individual messages don't give away identity
-- Messages can't be determined (by their contents alone) to have come from the same origin
-- No anonymity requirement for public safety vehicles
-- Must be able to remove bad actors

V2X Progress
-- Standards have been defined
-- Technology has been successfully field tested
-- Security and Privacy proven resilient
-- Projects are underway to build infrastructure: Ann Arbor, San Francisco, NYC
-- Europe running parallel pilots
-- Equipment in Europe and US are hardware compatible

Government interest

Drivers shouldn't have to choose between being connected and being protected,

Government Takes Action: The Security and Privacy in Your Car (SPY) Act

Cybersecurity Standards
-- Hacking protection
-- Data security
-- Hacking mitigation

Privacy standards
-- Transparency
-- Consumer choice
-- Marketing prohibition

Cyber dashboard
-- A window sticker showing how well the car protects the security and privacy of the owner.

Remaining challenges
-- PKI governance and certification
-- Privacy as certificates deplete
-- Secure implementations / Cybersecurity
-- Multi-application operations
-- Cross-border issues and harmonization of trust

Reasons for optimism

-- It is very hard to hack cars en masse
-- And there are other juicier targets out there
-- Useful parallels to traditional IT
-- Car makers are being pro-active
-- Standards under development
-- The V2V program will save lives!

Connected Cars: What Could Possibly Go Wrong?
Questions?

For a copy of the slides, email: Ed Adams, eadams@securityinnovation.com