security implications on ethernet networks for connected cars


Page 1: Security Implications on Ethernet Networks for Connected Cars

© 2015 Excelfore. All rights reserved. Excellence in Connected Automotive Solutions

Security Implications on Ethernet Networks for Connected Cars

Ethernet & IP @ Automotive Technology Day, October 28, 2015

Shrikant Acharya, CTO

Page 2: Security Implications on Ethernet Networks for Connected Cars

1. Security in Automotive Networks
• Security Variances
• Sources of Vulnerabilities

2. Making Automotive Ethernet Secure

Classes of Devices
• Linux Headunit
• RTOS Sub-Systems (Camera, Tuner)
• Smaller Devices (AUTOSAR ECUs)

Security Requirements
• Headunit to End-Nodes
• Updating Devices to Keep them Secure
• Securing OTA (Over the Air) Updates

3. Implementation Considerations
• Security Challenges

Page 3: Security Implications on Ethernet Networks for Connected Cars

Security in Automotive Networks

LIN
• Bandwidth: 20-40 Kbps
• Cost: Very Low
• Security: None
• Application: Simple sensors (Roof, Seat, Climate, Mirror)

CAN
• Bandwidth: 125-1,000 Kbps
• Cost: Low
• Security: Low
• Application: Sub-systems (ECU, Power-train, Transmission, Airbags, ABS, Power Steering, Windows, Doors)

Flex-Ray
• Bandwidth: 10 Mbps
• Cost: High
• Security: Isolation-based
• Application: ECU to ECU, High-Performance Powertrain, Safety (Drive-by-wire, active suspension, adaptive cruise control)

MOST
• Bandwidth: 25-150 Mbps
• Cost: High
• Security: High
• Application: Infotainment Connectivity (Media, Digital Radio, DVD, Front Displays, Rear Displays, Camera)

EAVB
• Bandwidth: 100 Mbps-1 G
• Cost: Moderate
• Security: High
• Application: Lower-cost replacement for Flex-Ray and MOST

Sweet Spot

Trending to EAVB due to Cost, Bandwidth, Security

Page 4: Security Implications on Ethernet Networks for Connected Cars

Connected Car is Vulnerable

Open to Threats

Potential Threats (sample list)

Connectivity & Transmission Threat

USB OBD Bluetooth Wi-Fi V2V Cellular Telematics Manufacturing Plant Dealer Service Station EV Charging Station Supplier Black-box

Threat Types in an Open system
• Eavesdropping
• Malware Injection
• Time-Bomb Attack
• Cloud Server Attack
• Denial of Service (DOS)
• Distributed DOS (DDOS)
• Malware Attack
• Virus Attack
• Javascript Attack
• 3rd Party Apps, 3rd Party Appstore
• Adware
• System Upgrade
• Unauthorized Access

BT USB Wi-Fi Cellular OBD EV Charging

Page 5: Security Implications on Ethernet Networks for Connected Cars

Securing Varied Classes of Devices

High-End
OS Level: Linux, QNX
Processors: 1+ GHz
SoC Level: ARM
• Cortex A8, Cortex A15, Cortex A57/A53
• ARM TrustZone
SoC Level: Intel
• I7 (Baytrail, Broxton)
• Intel TXT (Trusted Execution)

RTOS Sub-Systems
OS Level: FreeRTOS, AUTOSAR, Nucleus, MQX
Processors: 200-700 MHz
SoC: Cortex R4, Cortex M5 based
• Camera, Tuner With Crypto-engines

Smaller Peripherals
SoC: Cortex M1
Processors: Under 200 MHz

Page 6: Security Implications on Ethernet Networks for Connected Cars


Security is about Securing Individual Assets

CAN Gateway

Ethernet Switch

Securing Assets in a Connected Car

Asset 1: Camera

Asset 2: Smart Antenna

Asset 3: Instrument Cluster

Asset 4: Game Player

Asset 5: Amplifier

Asset 6

Asset 7: Headunit

Asset 8: Rear Displays

HMI Input

Page 7: Security Implications on Ethernet Networks for Connected Cars


Hardware Security Modules (HSM)

AES DES/3DES SHA-1 SHA-224 SHA-256

Other Security Measures
• Run-time Integrity Checker
• Security Controller (including secure RAM and Security Monitor)

HSM

UID

Universal Unique ID

RAND

NIST SP 800-90

Crypto

Secure JTAG

Electrical Fuses

Memory Checker

Secure Real-time Clock

Secure Boot

High Assurance

Tamper Resistance

Internal Access

ARM/Intel Trust Zone

Page 8: Security Implications on Ethernet Networks for Connected Cars


Communication Interface ISO17215 Interface for Camera and Tuner

Ethernet Physical Layer

Ethernet MAC + VLAN (802.1Q) + d

IPV6/IPV4

IEEE 1722 (AVTP)

IEEE 802.1AS (gPTP)

UDP

DHCP

API API

Application (layer 7) ISO 17215-3

Presentation (layer 6)

ISO 17215-2

Session (layer 5)

Transport (layer 4)

ISO 17215-4 Network (layer 3)

Data link (layer 2)

Physical (layer 1)

Support- Full

TCP

SOME IP/IP-SD

Support- Partial In Roadmap

HTTPS

CHAP (Authentication)

DoIP TFTP

Page 9: Security Implications on Ethernet Networks for Connected Cars

Port Security: USB, OBD, SD, …

Data-Link Security
• Headunit to ECU Components
• Cloud to Headunit

Payload Security
• Encryption

Security Updates through OTA

OTA Security

Layered Approach
• Certificate Verification
• Signature Verification
• Authorization Verification

Security Requirements
• Data Link Security, e.g. TLS
• Payload Security, e.g. AES
• Certificate Management

Page 10: Security Implications on Ethernet Networks for Connected Cars


Developer

Authentication Trust Chain

Certificate Authority

OEM, Tier-1 Certificate Request

Issue Certificate


OTA Server

Verify Developer Certificate

Verify Developer Signature

Verify Developer Authorization

Sign

Developer Signature

Developer Certificate

Server Certificate

Database

Encryption Key

Binary

Create Key

Encrypt Binary

Vehicle

DMClient

Verify Server Certificate

Verify Server Signature

Verify Server Authorization

Meta Data

Decrypt

Encrypted and Signed

Binary Download

Binary

Trust Bundle

Upload Binary with Certified Signature

Trust Bundle

Request Update

Get Encryption Key

Sign Binary

CDN

Update Agents

Page 11: Security Implications on Ethernet Networks for Connected Cars


Excelfore EAVB Camera Module

Ethernet

EAVB Camera

HDR Imager (22 bits Resolution)

1M Pixel

Image Stripe Storage (for Low Latency encoding)

DMA

Cortex R4 Micro

Channel-1

MJPEG/H.264 (1722 EAVB) Channel-2

Optical Flow, Edge Detect UDP Control + Software Update

BroadR-Reach

Embedded GENIVI Linux Platform Running gStreamer

Or PC Running VLC

Camera Stream Visualization

BroadR-Reach EAVB

Switch MIPI

OS: FreeRTOS
SoC: STV0991, 400 MHz (Cortex R4)
Stats:
• CPU Performance is 40% of J5
• CPU is low-power
• H/W Accelerators for Video and Imager consume more power
• Camera: 1.7W
• 2-wire POD/4-wire BroadR-Reach

Cryptography Engine (AES)

Page 12: Security Implications on Ethernet Networks for Connected Cars


EAVB Antenna/Tuner

AM/FM Tuner

DVB/XM

DSRC

LTE

GPS

Micro-Controller Cortex A5

RTOS

100 Mbps BroadR-Reach & POE

Android Headunit

I2S

RS232

SPI

USB

OS: MQX
gStreamer: 1.x
SoC: Cortex A5, 500 MHz (16 MB Flash, 1 MB RAM)

Cryptography Engine (AES)

Page 13: Security Implications on Ethernet Networks for Connected Cars


PC Talker H.264- 20 Mbit

HD Stream (1920x1080)

Rear-Seat Entertainment (RSE) Challenge: Video Clock Recovery

(Push-Pull of HDMI Video Encoder PLL)

gPTP Sync

EAVB Switch

MSRP Single VLAN (Xtreme X440)

gPTP Sync

H.264

gStreamer

Embedded Linux-

Cortex A9+ Listener

Vid Clock Recovery

gPTP Sync

H.264

gStreamer

Embedded Linux-

Cortex A9+ Listener

Vid Clock Recovery

Synchronized HDMI Screens

HDMIVGAVSync

HDMIVGAVSync

DHCP

OS: Linux Kernel 2.62
gStreamer: 0.1
SoC: TI Jacinto 5, 1 GHz (Cortex A8, Cortex M3, DSP, HD Acc, HDMI-out, I2S Ports for Audio)

Cryptography Engine (AES)

Cryptography Engine (AES)

Cryptography Engine (AES)

Page 14: Security Implications on Ethernet Networks for Connected Cars


EAVB Audio

Audio Source

e.g. iPhone radio

Audio Capture Board Input

J5 Talker

AVB Ethernet Switch

Stereo Speakers

Samples Captured @ 48KHz, 2Ch, 16bit PCM

Analog Audio

OS: Linux Kernel 3.14
gStreamer: 1.x
SoC: TI Jacinto 5 Entry, 1 GHz (Cortex A8, I2S for Audio)
Stats:
• AVB stack 100K bytes
• 13% of CPU running at 1GHz
• Effective base AVB stack takes about 100MIPS
• Does not include A/V Codecs

Output

Cryptography Engine (AES)

Audio Playback Board

J5 Listener

Cryptography Engine (AES)

Page 15: Security Implications on Ethernet Networks for Connected Cars


Making CAN Secure through Ethernet

Ethernet Switch

CAN-1

CAN-2

Xfer Buffer Encryption, Decryption Communication

Packet Sync

Authentication Parsing

Configuration

CAN, CAN-FD

Secure Ethernet-CAN Gateway


Page 17: Security Implications on Ethernet Networks for Connected Cars


Thank You

Shrikant Acharya, CTO