Security in V2X Communications

Post on 19-Jun-2015

DESCRIPTION

Presented by Dr Paul Martin, CTO, Plextek

TRANSCRIPT

Page 1: Security in V2X Communications

Company confidential

Security in V2X Communications

Dr Paul Martin

CTO

Page 2: Security in V2X Communications

Introduction – V2X and Security

• Definition

• Safety and Assurance

• Exceptions

• Summary

Page 3: Security in V2X Communications

• Established 1989

• Privately owned

• Based near Cambridge

• Launched spin-outs

• Markets

– Automotive and Transport

– Defence and Security

– Healthcare

– Telecoms and Networks

– Energy and Environment

Winner of Queen’s Awards British Engineering Excellence Awards

Independent and Entrepreneurial

Page 4: Security in V2X Communications

What is V2X?

• V2i – Vehicle to Infrastructure

• V2V – Vehicle to Vehicle

• V2P – Vehicle to Person

Page 5: Security in V2X Communications

V2i and V2V

V2i

V2V

Page 6: Security in V2X Communications

V2P

V2P

Page 7: Security in V2X Communications

V2i - Scope

• V2i - Personal

1) Online purchasing smartphone to vendor

• V2i - Car

1) Purchasing from Android terminal in car, e.g.

• Road tolls

• Car rental

• Track day performance improvement

2) Telematics data – used for

• Real time vehicle insurance

• Accident notification and investigation

• Fraud prevention

3) Vehicle assistance

• Find parking spaces

• Organise traffic flow

Page 8: Security in V2X Communications

V2V - Scope

• V2V

1) Driver information

• Cascaded video – reason for queue

2) Vehicle safety assistance

• Braking assistance

• Erratic vehicle warning

3) Platoon control

• Real time vehicle control

• Maintenance of vehicle Platoons

• Joining/leaving Platoon

• Short note on Platoons – SARTRE trial

– Fuel saving of between 7% and 16%

– Safety – less driver fatigue and mistakes

– Ease road congestion – less gap between cars

Page 9: Security in V2X Communications

V2V – Relationship Example

• V2V Platooning (TNO Demonstration)

[Diagram labels: HMG, Regulator, Public, TRUST]

• I trust the Platooning System

• Each car has compatible systems which are functioning correctly

• Role is to ensure legislation supports the required level of safety for society as a whole

Page 10: Security in V2X Communications

V2V Entity Relationships

1. Driver

• Does the Platooning system work?

– Information Assurance, Anti-Tamper, Trust

2. In-car platform

• Is communication from each car valid?

– Information Assurance, Anti-Tamper, Trust

• Is the information I am sending valid?

– Information Assurance, Trust

• Is my processing platform functioning OK?

– Anti-Tamper

3. HMG, Regulator

• Does the system work?

– Trust (Information Assurance)

Page 11: Security in V2X Communications

Three Primary Functions

The Three Primary Information Security Functions

• ANTI-TAMPER: Protecting customers’ IP (Reverse Engineering, Cloning, etc)

• INFORMATION ASSURANCE: Protecting customers’ information/data through Cryptography and Fault Tolerant Design

• TRUST: Silicon, software, firmware and IP is “trojan-free”

Page 12: Security in V2X Communications

Exceptions

• What happens when things go wrong?

1) Dense fog contributed to the above

2) Public perception of this as rare

3) Media and government treated this as a one off

4) Probably no additional legislation will result

Page 13: Security in V2X Communications

Safety and Assurance

Which transport model should be adopted?

1) Air

• Highly regulated (govt/corporate)

• Incidents rare but have national and international significance

• High levels of responsibility on airlines and pilots

2) Rail (x12)

• Highly regulated (govt/corporate)

• Incidents rare but have national significance

• High levels of responsibility on TOCs and train drivers

3) Car (x62)

• Comparatively lightly regulated (Vienna Convention 1968)

• High number of fatal incidents

• Primary responsibility - the driver – responsible for 95% of incidents

Deaths per billion passenger kilometres

Air: 0.05

Bus: 0.4

Rail: 0.6

Van: 1.2

Water: 2.6

Car: 3.1

Space Shuttle: 16.2

Bicycle: 44.6

Foot: 54.2

Motorcycle: 108.9

Page 14: Security in V2X Communications

Safety and Assurance

Which transport model should be adopted?

1) V2X (x?)

• N lies between 0.05 and 3.1 but what value?

• Incidents likely to be rare?

• National/International importance?

• Corporate responsibility?

• Personal (driver) responsibility?

• Government/International regulation?

• Liability – Insurance models?

Deaths per billion passenger kilometres

Air: 0.05

Bus: 0.4

Rail: 0.6

Van: 1.2

Water: 2.6

Car: 3.1

Space Shuttle: 16.2

Bicycle: 44.6

Foot: 54.2

Motorcycle: 108.9

Page 15: Security in V2X Communications

UK Government Position

Page 16: Security in V2X Communications

Exceptions

• What happens when things go wrong?

1) What if this was caused by a software error in the Platooning system?

• Forensic evidence?

• Autonomous car action log?

Page 17: Security in V2X Communications

Exceptions

• Operating System Exception?

Page 18: Security in V2X Communications

Safety and Assurance

Which transport model should be adopted?

1) What value of Dpbpkm (deaths per billion passenger kilometres) for a software error?

• N lies between 0.05 and 3.1 but what value?

• Incidents likely to be rare?

• National/International importance?

• Corporate responsibility?

• Personal (driver) responsibility?

• Government/International regulation?

• Liability – Insurance models?

Deaths per billion passenger kilometres

Air: 0.05

Bus: 0.4

Rail: 0.6

Van: 1.2

Water: 2.6

Car: 3.1

Space Shuttle: 16.2

Bicycle: 44.6

Foot: 54.2

Motorcycle: 108.9

Page 19: Security in V2X Communications

Exceptions

• What happens when things go wrong?

1) What if this was caused by a malicious cyber attack?

• Economic gain - eg extortion

• Impact - eg terrorism

• For “fun”

• By ethical hackers

Page 20: Security in V2X Communications

Safety and Assurance

• Types of attack

• Checkoway et al. demonstrated on a volume car

1) Compromise the ICE (which is on the CAN bus). Subsequently upload firmware using a doctored CD. This firmware then outputs CAN messages of choice.

2) Attack the diagnostic port using manufacturer-provided diagnostics, via the dealer WiFi network. Run CAN bus commands at will.

3) Compromise and take control of the car’s cellular communications hardware, cause it to dial out to a server and poll for instructions, output CAN messages, upload data (cabin audio).

4) Other delivery mechanisms – Bluetooth, car owner’s compromised smartphone…

Page 21: Security in V2X Communications

Safety and Assurance

• Lessons

• Key vulnerabilities

1) Occur due to complex vehicle architectures, with many 10s to 100s of embedded processing units

2) Supply is from a diverse supply chain

3) Occur when “glue software” implements bespoke functions between multiple embedded units from different vendors

• Effort

1) Complex analysis, reverse compiling code and monitoring activity all take time

2) Who is going to bother?

3) Threats develop as opportunity arises

4) It is very difficult to retrofit security

Page 22: Security in V2X Communications

Who Can Help?

• Other industries have the expertise and have been solving analogous issues

1) An Example - FPGA SoC

• Xilinx Zynq SoC: FPGA fabric plus 2 x Arm A9 embedded processors

• System architecture can be made very robust to many forms of attack

• Uses AES stored in secure hardware

• Can use Diffie-Hellman key exchange to make secure transfer of code

• This makes the design robust to spoofing, bitstream decoding, trojan horse attack and fault insertion
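The key-exchange and AES bullets above, as an added Go example (not from the slides and not Xilinx code): both ends agree a key with elliptic-curve Diffie-Hellman on P-256, a variant of the Diffie-Hellman exchange the slide names, and the code image travels under AES-256-GCM so a modified image is rejected. The function names, the `code-transfer-v1` label and SHA-256 as the key derivation are assumptions, and the public keys are assumed to be authenticated by other means.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Channel is one side of the agreement: ECDH, then AES-256-GCM keyed with SHA-256(label || secret).
func Channel(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer) // fails on an invalid peer key
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("code-transfer-v1"), secret...)) // constructed label
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	return cipher.NewGCM(block)
}

func Seal(a cipher.AEAD, image []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, image, nil), nil // output is nonce || ciphertext || tag
}

// Open returns the image only if the GCM tag verifies (tampered or wrongly keyed images fail).
func Open(a cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("truncated image")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}

// Transfer runs both ends with fresh key pairs; a non-zero flip corrupts the image in transit.
func Transfer(image []byte, flip byte) ([]byte, error) {
	srv, _ := ecdh.P256().GenerateKey(rand.Reader) // sending side (errors ignored in this demo)
	dev, _ := ecdh.P256().GenerateKey(rand.Reader) // receiving device
	tx, _ := Channel(srv, dev.PublicKey())
	rx, _ := Channel(dev, srv.PublicKey())
	blob, _ := Seal(tx, image)
	blob[len(blob)-1] ^= flip
	return Open(rx, blob)
}

func main() { fmt.Println(Transfer([]byte("constructed code image"), 0)) }
```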

Page 23: Security in V2X Communications

Summary

• Covered wide range of viewpoints

– Questions

– Technology and risk?

– Societal view on risk?

– The need to look for the future attacks

• Guidance required for engineers

– Design in the appropriate level of safety and part of this is security

• Good news

– Solutions are available in industries which have been through these issues

– Components and architectures are available to use in designs today

Page 24: Security in V2X Communications

Who Pays?

• Global Mobile Advertising revenue (source IHS)

– 2011 - €3,769,000,000

– 2012 - €6,889,000,000

– Increase in 1 year of 82.8%

– Google’s share in 2012 – 53.4% (source eMarketer.com)

• What proportion of this is currently in-car?

Page 25: Security in V2X Communications

Thank You

Dr Paul Martin

Tel: +44 1799 533200
