Cybersecurity for Connected Vehicle with AGL (Automotive Grade Linux)

Paris Dec/2018
Fulup Ar Foll, CEO & Lead Architect

Who Are We?

AGL

Lorient South Brittany

Founded by over 150 members

Multi-Profiles Automotive Linux

● Today AGL Linux Profiles:
    ● IVI
    ● Telematics
    ● Cluster
● Native Cybersecurity
    ● Security Foundation Inherited from
    ● Fully transparent to developers
    ● Baked with the system, not removable
● Micro Architecture
    ● Open API oriented
    ● Service oriented
● Natively Distributed
    ● AGL to AGL
    ● AGL to Cloud
    ● AGL to RTOS

AGL 6.0 Funky Flounder

[Figure: AGL software stack, top to bottom]

● AGL applications: DASHBOARD, HOMESCREEN, LAUNCHER, MEDIAPLAYER, HVAC, MIXER, SETTINGS, RADIO, NAVIGATION, PHONE, POI, ...
● AGL services: window-manager, persistence, media, homescreen, signalling, radio, vehicle 2 cloud, vr/speech, weather, supervision/log, audio-4a, geoloc, identity, unicens, ...
● upstream services: nfc, bluez, gpsd, alsa, gstreamer, virt-io, network, ...
● LINUX KERNEL

Vehicle Software Becomes Critical

Connected car
• Complex A/V
• Remote maintenance
• Real time navigation

Connected user
• Streaming music
• Social network
• Payment

Driving help
• Self park
• Self driving
• …

SW R&D rising cost
• 2015 ~ 35%
• 2020 ~ 50%
• SW maintenance ~70-80% of cost

SW vs HW
• HW is a one off
• SW is an open complexity

Connectivity side effect
• Cyber security
• Mandatory SW maintenance
• …

Why Securing Connected Cars?

● Automotive industry
    ● Limited knowledge and field experience of being connected
● Attacking cars is complex & expensive
    ● Hackers have time & money
    ● Betting on hackers' lack of skill is a very risky bet
    ● One single small security hole might be enough
● Attacking cars is a viable business
    ● Expensive piece of equipment
    ● Huge mass market
    ● Enough customers with little technical knowledge to steal from

Security Complexity Mitigation

● Security mechanisms might be short-circuited
    ● Lack of knowledge, performance
    ● Time-to-market, cost concerns
● Embedded security expert is a rare animal
    ● 9M Mobile Developers
    ● 8M Web Developers
    ● 0.5M Embedded Developers
    ● How many Embedded Security Developers?
● Security cannot be added after the fact
    ● Must consist of built-in APIs & be transparent to applications
    ● Developers SHOULD NOT be in charge of security
    ● Baked in from day one: Architecture, Dev, QA, Maintenance, etc.

Make sure we Run the Right Code

● Trusted Boot: a MUST-have feature
    ● Leverage hardware capabilities
    ● Small series & developer key handling
● Application Installation
    ● Verify integrity
    ● Verify origin
    ● Request user consent [privacy & permissions]
● Update
    ● Only signed updates with a trusted origin
    ● Secured updates on compromised devices are a no-go option
    ● Factory reset built-in from a trusted zone
● Do not leave back doors open via containers/hypervisor
    ● Strict control of custom drivers [in kernel mode everything is possible]

Cyber Resilient Architecture

● Smart Multi Layers Security Architecture
    ● Breaking an application should not break a full layer
    ● Breaking a layer should not break the full system
● Compromised ID / keys are lost for good
    ● Per-device unique ID
    ● Per-device symmetric keys
    ● Use HW ID protection
● Non-Reproducibility of breakages
    ● Breaking in one car should not extend to all cars
    ● Dev/Debug I/O, Sockets, … should be disabled
    ● No Root Password & No shared super-user RSA key
    ● Password, when used, should not be easy to compute
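Added example, not part of the original slides: one way to obtain per-device symmetric keys so that a key extracted from one car is useless against another. The provisioning secret, salt, device IDs and function names are assumptions for illustration, and HKDF-SHA256 is a choice made here, not something the slides name.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

# Assumption: this secret lives only in the factory/backend HSM, never in a car.
PROVISIONING_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed

def device_key(device_id: str) -> bytes:
    """Symmetric key bound to one device's unique ID."""
    return hkdf_sha256(PROVISIONING_SECRET, b"agl-demo-salt", device_id.encode())

def tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag for a message under one device's key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def car_accepts(own_key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Runs inside the car: constant-time check against its own key only."""
    return hmac.compare_digest(tag(own_key, message), received_tag)

def demo() -> dict:
    key_a = device_key("VIN-CONSTRUCTED-0001")  # constructed device IDs
    key_b = device_key("VIN-CONSTRUCTED-0002")
    msg = b"diagnostic-session:open"
    return {
        "keys_differ": key_a != key_b,
        "backend_to_b_ok": car_accepts(key_b, msg, tag(key_b, msg)),
        # A tag made with the key extracted from car A must fail on car B.
        "leaked_a_on_b_ok": car_accepts(key_b, msg, tag(key_a, msg)),
    }

if __name__ == "__main__":
    print(demo())
```

The derived key still needs the hardware ID protection the slide calls for: if the device ID or key can be read out in software, the separation only limits the damage to that one car.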

Data Privacy & Business

● Tag data at collection time
● Segregate data path
● Leverage existing Internet authentication
● Provide control to users
● Per-user encrypted persistent store
● Lazy synchronization with Cloud
● Filter data at Edge

AGL Security Mechanisms

[Figure: a legitimate application is GRANTED and a BlackHat application is DENIED access, both to resources and data and to a protected service]

● LINUX KERNEL: the Linux security module helps to protect resources and data
● The permission database Cynara helps to protect services

No Security Without Monitoring

● Monitor allows a client to debug and introspect itself
● Supervision is the extension that allows inspecting all binders, APIs and sessions
● Binders connect to the supervisor
● Access to the supervisor is restricted
● Capabilities of the supervisor are reduced on cars

[Figure: several BINDER nodes connected to a central SUPERVISOR]

From Sensors to Infrastructure & Cloud

Security: a Long Road to Go

● Minimize attack surface area

● Control the code which is run

● Provide a bullet-proof update model

● Apply security patches within days rather than weeks

● Leverage HW security helpers

● Isolate & compartmentalize wherever possible

● Development and QA with security turned on

● Incidents analysis and reports

● Provide adequate tools to develop with security enabled

● Do not rely on humans but on platform for security

Real facts and consequences

● Recall of 1.4M vehicles to fix vulnerabilities: estimated cost $1B

● Inestimable cost to automotive industry, many people are still afraid to buy a connected vehicle

● NHTSA (Nat. Highway Traffic Safety Admin.): 2.8M navigation systems from the same manufacturer are in use in multiple cars

Further Information

● Documentation:
    ● http://docs.automotivelinux.org
● Publications:
    ● https://iot.bzh/en/publications
● White Papers:
    ● https://iot.bzh/en/publications/17-2016/29-tizen-security-lessons-learnt
    ● https://iot.bzh/en/publications/17-2016/22-automotive-grade-linux-security-white-paper