
Automotive Security

Whitepaper

Introduction

Until quite recently, automotive security was synonymous with theft prevention. But with the software pie in the automobile growing exponentially to realize visions of the connected car and autonomous driving, security is now becoming synonymous with safety. And safety is undoubtedly the primary concern of every vehicle manufacturer. Recent experiments by researchers have demonstrated unaltered vehicles being remotely hacked into via their connected unit and commanded to execute malicious code that allows the attacker to remotely control the vehicle. Thus, it has been proven beyond a shadow of doubt that security breaches in automobiles can have serious safety consequences. Therefore, vehicle manufacturers have to make security as much a priority as safety.

This paper gives an overview of security from an automotive perspective, touching upon the motivations of attackers and the attack surfaces that a modern-day vehicle presents. This is followed by a brief discussion on the security characteristics unique to the automobile and mechanisms to address some, if not all, of them. The paper concludes with a few approaches for the automotive industry to address the security requirement and Sasken’s involvement in this area.

Author: Vinod Vasudevan, Senior Architect

Table of Contents

Motivation for attacks ...... 04
Automobile attack surfaces ...... 06
Automotive-specific security considerations ...... 10
Security mechanisms and techniques ...... 11
Approach for addressing security in the automotive industry ...... 18
Conclusion and future work ...... 20


Motivation for attacks

Among the many motivations for hacking a vehicle, theft ranks highest. Theft is not new to automobiles. Being a high-value asset, vehicles have long been targeted by thieves. What the recent explosion of software in the automobile and its increasing cyber-physical nature (like keyless entry and ignition) has done is to unwittingly make stealing easier and less conspicuous. The increasing amount of sensitive, private information that vehicles are going to store (like credit card information) to enable ‘smart’ features in the near future, including automatic payments, is likely to become a new target for theft apart from the vehicle itself.


Next would be espionage. Infotainment systems in vehicles track and record sensitive information like current location, location history, call history, contacts and addresses and, with telematics becoming increasingly popular (mandatory in some countries), targeted exploits can be used to track people and eavesdrop on their calls and in-cabin conversations. It would be possible to even visually monitor them through compromised ADAS cameras intended for driver distraction detection.

Owners themselves may have motives for using exploits to subvert regulatory constraints like emission controls for better fuel efficiency and performance. Used-car dealers might use exploits to hide faulty components by suppressing their notifications and avoid incurring replacement expenses. Depending on the ECUs targeted, such motives can affect the safety of the vehicle.

Research and ‘hacktivism’ have the more benign motive of exposing security vulnerabilities to get manufacturers and regulators to act. Pranksters and ‘black-hat’ hackers may indulge in it for the thrill or to show off their technical prowess, though this is less likely given the high investment both in terms of time and funds required to craft a serious vehicle exploit.

Finally, nation-states, the underworld and terror organizations would have more sinister motives including espionage, physical harm and wide-spread damage. They are also likely to be the well-funded among the lot.


Automobile attack surfaces

Attack surfaces refer to potentially vulnerable entry-points in the vehicle that can be tapped and exploited to gain unauthorized access. Windows, doors and exposed brake wires were the common attack surfaces in the bygone era of largely mechanical cars. The increased use of software and the introduction of different wireless connectivity technologies have significantly expanded the attack surface of a vehicle and the attendant risk of exploitation. In general, the larger the software content, the larger the attack surface owing to the higher probability of security-related bugs.

[Figure: attack surfaces of a modern vehicle: Telematics ECU, USB, CD/DVD, DSRC-based receiver (V2X), OBD-II, Wi-Fi, FM, keyless entry and ignition, TPMS, exposed control wires, ADAS sensors, smartphone]


From a safety perspective, the prime targets for attacks are the ECUs that control critical vehicle components like the engine, brakes and steering. The vehicle network that interconnects these ECUs presents the attack surface. The most prevalent network technology in automobiles today is the CAN bus, short for Controller Area Network. Designed primarily for efficiency and reliability in the harsh automotive environment, CAN has very little provision for security. It is a broadcast bus where a message sent by one ECU is received by every other one in the network, making it vulnerable to snooping. Further, CAN’s use of functional addressing means that messages have no information about the sending and receiving nodes, making it easy to spoof messages on the network.

The diagnostic OBD-II port and exposed bus wires that control external vehicle components like ORVMs and lights can be exploited to gain access to the vehicle network but require physical access to the vehicle and, in the case of OBD-II, entry into the vehicle. Accessing the exposed bus wires would require an attacker to break open the ORVMs or the lights, which is likely to set off the burglar alarm. As such, they present a lesser risk of a cyber-physical attack and are limited to the motives of people with legitimate access to the vehicle like technicians and owners.

Modern infotainment and telematics systems connect to the CAN bus to provide features like touch-screen based climate and body controls, remote diagnostics and remote vehicle status and control. The wireless connectivity features provided by these systems, including Wi-Fi, Bluetooth and 3G/LTE, present remote attack surfaces that do not require the attacker to have physical access to the vehicle. These protocols offer wide attack surfaces owing to their large code size and complexity and they extend the range of remote attacks to many tens


of meters, even kilometers. Attacks on this surface typically exploit bugs in the protocol implementations to gain access to the infotainment or telematics ECU and exploit further bugs like buffer overflows and unprotected software updates to plant malicious code that can then control other safety-critical ECUs through spoofed CAN messages.

Key-less entry and ignition systems also offer a remote attack surface. These systems employ RF-based protocols for detection and authentication of owners to unlock the doors and start the engine. These protocols lend themselves to remote using ‘sniffers’ and, as shown by the hacking of the Megamos Crypto transponder, rather easy exploitation by spoofing. The attack surface is relatively small and is unlikely to contain a back-door to more safety-critical systems, but a compromise grants an attacker access to the vehicle’s OBD-II port which can be exploited to plant safety-threatening code in any of the ECUs connected to the CAN bus.

FM radio receivers in car radio systems have been known to be attacked by fake FM transmitters broadcasting RDS-TMC information that adversely influences the navigation system. Similarly, media content distributed via CDs and USB-sticks under the guise of marketing offers has been known to exploit vulnerabilities in the media parsing code to plant malicious software in the infotainment ECU. While these exploits may not have directly compromised the safety of the vehicle, they did jeopardize the safety of the occupants by distracting, confusing or alarming the driver.

Tyre pressure monitoring systems (TPMS) use RF protocols to send pressure sensor information from within the tyre to an ECU in the vehicle. Similar to the key-less entry systems, these protocols have been shown to be sniffed and spoofed to fool the ECU into reporting a false tyre-pressure warning to the driver. Again, while these attacks are more likely to be irritants than a safety threat, a well-timed attack could have indirect safety consequences by distracting or alarming the driver.

With ADAS (advanced driver assistance systems) taking more and more control of the vehicle away from the drivers, the sensor technologies that these systems rely on, like radar, ultrasound, cameras and DSRC (for V2X), present attack surfaces that could seriously impact the safety of a vehicle. One can easily imagine spoofed radar or DSRC signals being used to confuse ADAS algorithms into braking hard and steering away to avoid a non-existent obstruction, or signal jammers preventing algorithms from detecting potentially dangerous driving situations.


Smartphones can also present a vehicle attack surface via downloadable applications. An attacker could use these applications to gain entry through a paired Bluetooth or authenticated Wi-Fi connection into an otherwise secure infotainment system.

Lastly, compromised dealership or workshop infrastructure could open doors to attacks on vehicles brought in for repairs or regular maintenance. ‘Pass through’ devices used in workshops for access to a vehicle’s OBD-II port from a remote computer or laptop over a Wi-Fi connection are prime examples of such vulnerability. Weak IT security policies in these workshops could lead to their Wi-Fi network being compromised, allowing unauthorized computers remote access to a vehicle’s OBD-II port.

Automotive-specific security considerations

Thankfully, cyber-security itself is not a new topic and the decades of research into it have yielded a wealth of solutions and strategies for many fields of application, e.g., IT security. As the compute and connectivity technologies of these fields make their way into the automobile along with their attendant security risks, it is instructive to study the security strategies and solutions employed in those fields for adaptation to the automotive context.

However, not all of it may be directly relevant. For example, the primary focus for IT security is confidentiality of information whereas for automotive it would be integrity and availability. As such, it is important to keep in mind specific characteristics of automotive security while adapting existing solutions and strategies. Some of these characteristics are:

Cyber-physical characteristics. A cyber-security breach in an automobile could potentially have serious safety consequences leading to injury and loss of life and property. As such, it does share some similarity with other fields like industrial automation, aerospace and healthcare.

Long product life. The operating life of an automobile is anywhere between 10-20 years, much longer than the average lifespan of most security mechanisms. To exacerbate the problem, the long 2-3 year development life-cycle of an automobile means that the employed security mechanism is possibly obsolete almost as soon as it hits the roads.

Easy physical access. Vehicles are regularly left unattended for long periods of time in public places like parking lots, giving attackers relatively easy physical access to them. Owners may turn attackers and hack the vehicle to get it to perform outside its permissible, safe limits for performance or fuel efficiency reasons, inadvertently posing a safety threat to themselves and others on the road.

Cost. The effort, and therefore the cost, of securing a feature is typically many times more than the effort required to add it to the system. Unofficial estimates claim the delta to be in the region of 3-5 times. In a cost-sensitive market, security being a non-differentiating feature, buyers may be unwilling to shell out extra money to secure the differentiating connectivity features they desire.

Security mechanisms and techniques

The key tenets of automotive security, in a rough order of priority, are ensuring integrity, authenticity, availability, confidentiality and non-repudiation of the system.

• Integrity and authenticity of the hardware and software in the system, including firmware upgrades and downloaded applications.
• Authenticity, integrity and confidentiality of internal as well as external communications. Confidentiality of stored information.
• Availability of the critical components of the system at all times to ensure functional safety by preventing denial-of-service attacks.
• Tamper-proof ‘black-box’ collection of digital forensic data to aid in security breach investigations.

Security mechanisms to achieve (most, if not all) of the above goals fall broadly into two categories: cryptography-based schemes, and intrusion detection and prevention (IDPS) schemes.

Cryptography-based schemes. These schemes use various cryptographic algorithms to verify authenticity and integrity and to ensure confidentiality. There are two types of cryptographic algorithms: symmetric and asymmetric. Asymmetric algorithms like RSA and ECC, which use a pair of unidirectional keys, offer more reliability than symmetric algorithms like AES which use a single, shared secret key. However, asymmetric algorithms are computationally more intensive. For optimal resource usage, most schemes employ a combination of the two with an asymmetric algorithm for authentication and initial key exchange and a symmetric one for subsequent high volume operations.

Public key cryptography (PKI) is a cryptographic technique based on asymmetric algorithms and digital certificates.


[Figure: public-key encryption. The sender encrypts the plaintext with the recipient’s public key; the recipient decrypts the ciphertext with the recipient’s private key. Different keys are used to encrypt and decrypt the message.]

It is an effective mechanism for verifying the authenticity and integrity of the system software. This is achieved using digitally signed software images which are verified by a secure boot mechanism on the ECU. A digest of the software image encrypted using the OEM’s private key is stored on the ECU. At start-up, the secure boot code of the ECU decrypts the stored digest using the OEM’s public key, computes the digest of the stored software image, and loads the image only if the two digests match. Once loaded, the software image can then verify the authenticity and integrity of other components like the file system, downloadable applications, and software upgrade packages, thus establishing a chain of trust rooted in the secure boot code.


Similarly, transport layer security (TLS) protocols based on PKI can be effective in securing communications with external entities including telematics service providers, consumer smart devices and, in future, other vehicles and ITS infrastructure. The authenticity of the entities involved in the communication is verified using digital certificates and confidentiality is maintained by encrypting all communication. Here, typically, a strong asymmetric algorithm is employed for authentication and key exchange, following which a symmetric algorithm is used for encryption of the communication. For communications with smart phones and other devices, the built-in authentication mechanisms of the underlying transport mechanism like Bluetooth and Wi-Fi add a further layer of security by allowing only authorized devices to connect to the vehicle’s personal-area network.

The concepts of TLS can be adapted to secure internal communication over the vehicle bus too. Asymmetric algorithms can be used to distribute a periodically-changing network secret key that is subsequently used by ECUs to encrypt communications using symmetric algorithms. Inclusion of a random number field in the of the network packets combined with the will be effective in preventing replay attacks. Since the prevalent protocols for vehicle networks like CAN (Controller Area Network) leave the specifications for the payloads open, such security mechanisms can easily be added as a layer above the protocol’s network layer implementation.

PKI-based authentication mechanisms can also be effective in securing internal communications between critical driver assistance systems and vehicle sensors, like cameras and radar, against man-in-the-middle attacks by counterfeit replacements. MirrorLink, a smartphone connectivity


protocol that allows drivers safe access to their mobile applications by mirroring the phone’s screen on the head-unit, uses one such mechanism to authenticate MirrorLink-certified phones and validate the integrity of the frame-buffer data streamed by them. In MirrorLink, authentication is done using digital certificates and a session key is securely exchanged using an asymmetric algorithm. While streaming the frame-buffer data, the phone encrypts some property of each frame, e.g. frame-size, sequence number or a SHA-256 digest of the entire frame, using the shared, secret key, which is subsequently validated by the head-unit. An adaptation of this mechanism can be used to prevent similar attacks on the data feed from the vehicle’s camera and radar sensor ECUs. Sensors with analog front-ends and exposed analog connectivity, however, present an attack surface immune to digital protection mechanisms. Key-based signal modulation and watermarking in the invisible spectrum (similar to Cinavia watermarking for audio) are options that can be explored for such sensors. However, a trade-off between CPU capabilities and the degree of security is inevitable.

Cryptographic algorithms are generally compute-intensive and would require support on the ECU platform for hardware acceleration to achieve strong security within acceptable latency limits, especially when used for time-critical communication on the vehicle bus. Further, support in the hardware for secure, tamper-proof storage of keys, certificates and user credentials would be required to protect their confidentiality. These requirements are beyond the capability of the typical micro-controllers used in the majority of the ECUs in a vehicle today. Achieving effective security with acceptable latency would require a major upgrade of all ECU hardware with the attendant complexity of software re-design and re-validation, not to mention the challenge of getting ECUs from different suppliers to talk the same security language, all of which will translate to higher costs and delays.

Intrusion detection and prevention schemes (IDPS). IDPS schemes work by continuously monitoring the system for abnormal or unusual behavior (anomaly detection) and, on detection of such behavior, initiating processes to bring the system to a ‘safe mode’ and prevent further damage. These schemes can be an alternative to, or used in conjunction with, cryptographic techniques for verification of the authenticity of the vehicle’s internal and external communication. As opposed to cryptographic methods, IDPS mechanisms are not as computationally intensive and do not require hardware support beyond what is available in typical automotive micro-controllers. This makes them an attractive proposition for securing the vehicle bus, especially the CAN bus.
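The MirrorLink-style frame validation described above, as an added example that is not MirrorLink’s or Sasken’s code: the head-unit displays a streamed frame only if a keyed tag over the frame’s size, sequence number and SHA-256 digest verifies under the session key and the sequence number has not gone backwards. HMAC-SHA256 over those properties stands in for the paper’s ‘encrypts some property of each frame’, and the session key is assumed to have already been exchanged with the asymmetric algorithm the text mentions.

```python
import hashlib
import hmac
import struct

# Session key assumed to have already been exchanged with an asymmetric algorithm
# during the certificate-based authentication step (constructed test value).
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def frame_tag(key, seq, frame):
    """Keyed tag over the per-frame properties named in the text: frame size,
    sequence number and a SHA-256 digest of the whole frame. HMAC-SHA256 here
    stands in for the paper's 'encrypts some property of each frame'."""
    props = struct.pack(">IQ", len(frame), seq) + hashlib.sha256(frame).digest()
    return hmac.new(key, props, hashlib.sha256).digest()

class PhoneStreamer:
    """Sender side: numbers each frame-buffer update and attaches its tag."""

    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, frame):
        pkt = (self.seq, frame, frame_tag(self.key, self.seq, frame))
        self.seq += 1
        return pkt

class HeadUnit:
    """Receiver side: displays a frame only if its sequence number has not gone
    backwards (replay) and its tag verifies under the session key (tampering)."""

    def __init__(self, key):
        self.key, self.expected_seq = key, 0
        self.displayed, self.rejected = [], []

    def receive(self, pkt):
        seq, frame, tag = pkt
        if seq < self.expected_seq:
            self.rejected.append((seq, "sequence"))
            return False
        if not hmac.compare_digest(tag, frame_tag(self.key, seq, frame)):
            self.rejected.append((seq, "tag"))
            return False
        self.expected_seq = seq + 1  # tolerates lost frames, never accepts old ones
        self.displayed.append(frame)
        return True

def demo():
    """Constructed stream: three genuine frames, a replay of frame 1, a frame
    modified in transit, a frame forged under the wrong key, then a genuine frame."""
    phone, hu = PhoneStreamer(SESSION_KEY), HeadUnit(SESSION_KEY)
    pkts = [phone.send(f) for f in (b"frame0:speed=50", b"frame1:speed=52", b"frame2:speed=55")]
    results = [hu.receive(p) for p in pkts]
    results.append(hu.receive(pkts[1]))                         # replay of an old frame
    seq, _, tag = phone.send(b"frame3:speed=57")
    results.append(hu.receive((seq, b"frame3:speed=99", tag)))  # payload altered, old tag
    forged = b"frame4:speed=0"
    results.append(hu.receive((4, forged, frame_tag(b"not-the-session-key", 4, forged))))
    results.append(hu.receive(phone.send(b"frame4:speed=60")))  # stream recovers
    return results, [why for _, why in hu.rejected], len(hu.displayed)
```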


As mentioned earlier, the design of the CAN bus makes it very easy for a rogue ECU to spy on all bus communications and also spoof messages from other ECUs. IDPS techniques offer a cost-effective alternative to cryptographic methods for preventing such attacks on the CAN bus. Some of these techniques include:

• Monitoring all broadcast messages on the CAN bus for anomalies with respect to the original OEM network design. Since rogue ECUs can only add messages to the bus and not remove messages from it, the typical modus operandi to spoof an ECU’s message would be to flood the bus with the counterfeit message, effectively ‘drowning out’ the authentic ECU. This would, however, imply a sudden spurt in the message frequency which can be detected as an anomaly by the monitor. Other parameters that can be monitored include the range of values of message fields, appropriateness to the current state of the vehicle, etc.


• Using sequence numbers for each message on the network. Since the rogue messages would have to use incremented sequence numbers to ensure that they are processed, subsequent communication from the authentic ECU is bound to carry a stale sequence number that can be detected as an anomaly.
• Messages on the CAN bus usually originate from unique ECUs. Thus, each ECU can monitor the bus for messages originating from that ECU but not sent by that ECU, indicating spoofing by a rogue ECU.

IDPS is effective in certain attack scenarios where cryptography is ineffective. A good example is denial-of-service (DoS) attacks that affect the availability of the system. The CAN bus is especially prone to DoS attacks. Due to its unique, priority-based bus arbitration scheme, the protocol can be exploited by a rogue ECU to completely flood the bus with high priority junk messages, effectively ‘drowning out’ all authentic communication and seriously jeopardizing the functionality of safety and time-critical components in the vehicle. A bus monitor can easily detect such a situation and initiate preventive safety measures.

Once an anomaly is detected, an IDPS scheme has to initiate measures to mitigate the safety risk due to the suspected intrusion. In the automobile context, this could be broadcasting a special message on the CAN bus to instruct all authentic ECUs to enter into a ‘safe mode’ with bare-minimum functionality enabled to bring the vehicle safely to a halt. The system could also display, via a separate ‘hot-line’ wiring, a warning on the instrument panel, similar to the ‘Check Engine’ light, to inform the driver of a suspected attack.

Given the unique benefits of cryptographic and IDPS mechanisms, a practical automotive security framework is likely to employ a combination of cryptographic and IDPS mechanisms for multiple reasons. One of the primary reasons is cost. As mentioned earlier, effective cryptography-based security schemes in automotive dictate an overhaul of the ECU hardware which has significant cost implications in terms of development and validation. A more practical approach would be to use such schemes in a few, critical ECUs that either already have the requisite horsepower or can be upgraded with minimal impact on the overall cost.
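The bus-monitoring rules listed above (message-frequency anomaly against the OEM design, stale sequence numbers, and frames carrying an ECU’s own id that it did not send) together with the DoS flood case, as an added example that is not Sasken’s code: a gateway-side monitor runs over a constructed CAN capture in which a rogue node floods counterfeit brake frames, and the result drives the ‘safe mode’ decision. The OEM baseline, the 8-bit sequence counter carried in the payload and the frame layout are constructed assumptions.

```python
from collections import defaultdict, deque

# OEM network design used as the anomaly baseline (constructed values):
# arbitration id -> (owning ECU, nominal transmit period in ms).
BASELINE = {
    0x0C0: ("engine", 10),
    0x1A0: ("brakes", 20),
    0x2B0: ("body", 100),
}
SEQ_MOD = 256  # payload sequence counter wraps at 8 bits (constructed convention)

class CanMonitor:
    """Gateway-side anomaly detector. A frame is {"t": ms, "id": int, "seq": int};
    the monitor sees only what the bus carries and never learns the true sender."""

    def __init__(self, baseline, window_ms=200, rate_factor=3.0, max_bus_frames=60):
        self.baseline, self.window_ms = baseline, window_ms
        self.rate_factor, self.max_bus_frames = rate_factor, max_bus_frames
        self.per_id = defaultdict(deque)  # id -> timestamps inside the window
        self.bus = deque()                # every timestamp inside the window
        self.last_seq = {}                # id -> last accepted sequence number

    def _push(self, dq, now):
        # Record a timestamp, drop those older than the window, return the count.
        dq.append(now)
        while dq and now - dq[0] > self.window_ms:
            dq.popleft()
        return len(dq)

    def observe(self, frame):
        """Return the (rule, id) alerts raised by this frame."""
        now, cid, seq = frame["t"], frame["id"], frame["seq"]
        alerts = []
        # Rule: bus load far above design, the priority-arbitration DoS pattern.
        if self._push(self.bus, now) > self.max_bus_frames:
            alerts.append(("bus_flood", cid))
        if cid not in self.baseline:
            alerts.append(("unknown_id", cid))
            return alerts
        # Rule: per-id frequency far above the OEM design (a spoofer drowning out the ECU).
        expected = self.window_ms / self.baseline[cid][1]
        if self._push(self.per_id[cid], now) > self.rate_factor * expected:
            alerts.append(("rate_anomaly", cid))
        # Rule: a counter that did not move forward is stale; once counterfeit frames
        # have raced ahead, the authentic ECU's own frames trip this check.
        prev = self.last_seq.get(cid)
        ahead = (seq - prev) % SEQ_MOD if prev is not None else 1
        if ahead == 0 or ahead >= SEQ_MOD // 2:
            alerts.append(("stale_sequence", cid))
        else:
            self.last_seq[cid] = seq
        return alerts

class EcuSelfCheck:
    """ECU-side rule: a frame carrying one of my ids that I did not transmit is spoofed."""

    def __init__(self, my_ids):
        self.my_ids, self.sent = set(my_ids), set()

    def transmitted(self, frame):
        self.sent.add((frame["t"], frame["id"], frame["seq"]))

    def observe(self, frame):
        key = (frame["t"], frame["id"], frame["seq"])
        spoofed = frame["id"] in self.my_ids and key not in self.sent
        return [("spoofed_own_id", frame["id"])] if spoofed else []

def constructed_traffic(with_rogue=True):
    """Constructed capture: authentic periodic traffic for 400 ms plus, optionally, a
    rogue node injecting counterfeit brake frames (0x1A0) every 2 ms from t=200 to
    t=258, each carrying the next sequence number after the one it last saw on the bus.
    The "src" field is harness knowledge only; the monitor never reads it."""
    frames, seq = [], {cid: 0 for cid in BASELINE}
    for t in range(0, 400, 10):
        for cid, (owner, period) in BASELINE.items():
            if t % period == 0:
                frames.append({"t": t, "id": cid, "seq": seq[cid] % SEQ_MOD, "src": owner})
                seq[cid] += 1
    if with_rogue:
        for k in range(30):
            frames.append({"t": 200 + 2 * k, "id": 0x1A0, "seq": 11 + k, "src": "rogue"})
    frames.sort(key=lambda f: (f["t"], f["src"] == "rogue"))  # authentic first at equal t
    return frames

def run_idps(frames):
    """Feed a capture through both detectors; return alert counts and the response."""
    monitor, brakes = CanMonitor(BASELINE), EcuSelfCheck([0x1A0])
    counts = defaultdict(int)
    for f in frames:
        if f["src"] == "brakes":
            brakes.transmitted(f)  # the real ECU knows what it put on the bus
        for rule, _ in monitor.observe(f) + brakes.observe(f):
            counts[rule] += 1
    # Response described in the text: broadcast 'safe mode' and light a panel warning.
    safe_mode = any(counts.get(r, 0) for r in ("rate_anomaly", "bus_flood", "spoofed_own_id"))
    return dict(counts), safe_mode
```

Note that the stale-sequence rule fires on the authentic brake ECU’s own frames once the rogue has raced ahead of its counter, which is exactly the signal the text describes; the clean capture raises no alert at all.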


The infotainment and telematics ECUs that house all the external-facing wired and wireless connectivity services are good examples. These ECUs typically use high-end processors that already have advanced hardware support and software interfaces for security. Similarly, so-called gateway ECUs, which interface the sensitive vehicle bus with the rest of the system and are ideal candidates for IDPS implementations, can be fortified with hardware-enforced security to ensure that the IDPS code is authentic and not tampered with. Using such combinations of cryptography and IDPS based schemes, a reasonable level of security can be achieved at a much lower cost. Another reason for a combined approach would be to cover the limitations of individual approaches and address a wider range of attack scenarios, the DoS attack being a case in point. Finally, multiple, orthogonal, redundant security schemes provide additional rings of protection, making intrusion much more difficult.

Whatever the mechanism, the long product life of the automobile implies that the vehicle is more likely than not to outlive the effectiveness of (some if not all) security measures employed, rendering it vulnerable to attacks eventually. Security, therefore, is a moving target and a mechanism to continuously upgrade the vehicle’s security measures during its operational lifetime is crucial to its safety. Firmware updates, either over-the-air or dealer distributed, as a result, are bound to be an integral part of automotive security and safety.

Approach for addressing security in the automotive industry

Eschew security by obscurity. The automotive industry has traditionally been a ‘closed’ system relying heavily on proprietary solutions, the design and implementation of which is not publicly available. This may have lulled the industry into a false sense of security that needs to be abandoned, as it is a well-established fact that security by obscurity is the least effective mechanism. Nowadays, sophisticated reverse engineering tools like IDA Pro significantly ease the job of extracting the implementation logic from object code, effectively making all code ‘open-source’. The chosen security mechanism must be immune to scrutiny. PKI-based mechanisms are a good example.

Defense-in-depth. Rather than a secure-the-perimeter approach, which employs just one line of defense, a multi-level security approach is recommended to limit the extent of damage in case of a breach. Having multiple, orthogonal and possibly redundant mechanisms for security vastly reduces the probability of a single breach compromising the entire system.

Holistic approach. Security has to be treated on par with safety as it is clear that a security breach can seriously affect the safe functioning of the vehicle. Just as safety considerations are woven into each step of the automotive development fabric, security considerations too must be deliberated at each step of the development process from design to validation to procurement and vendor management. Security considerations must also extend to the infrastructure, tools and processes of after-sales services like dealerships, maintenance workshops and telematics service providers. It is not only about securing the automobile but the entire automotive development, distribution and after-sales service eco-system.


Eliminate software bugs. The best security mechanisms can be subverted by bugs either in the implementations of these mechanisms or in the software that they protect. Buffer overflow bugs in implementations of the pairing and authentication mechanisms of Bluetooth and Wi-Fi have been shown to be exploited to gain access to the vehicle’s infotainment system. Even on platforms protected by secure boot, such bugs can be exploited to load and execute malicious code after boot-up with potential safety consequences. The only real answer to this problem is to adopt processes, standards and tools like MISRA, JSF AV C++, etc. to reduce the occurrences of such bugs during development. Ethical, white-hat hackers must be encouraged, enabled, even employed, by the industry to find security holes before people with less noble motives do. As more and more manufacturers adopt standard open-source platforms, like GENIVI, for their infotainment and telematics systems, favorable models for sharing the cost of this security scrutiny among member OEMs could emerge, reducing the overall cost of security – after all a non-differentiating feature – for each individual OEM.

Reduce cost. Adopting a common, standard software platform does open up opportunities for cost reduction by sharing the cost of security validation with other manufacturers. From a hardware architecture perspective, reducing the number of ECUs by consolidating multiple functions into a single ECU can make inclusion of hardware cryptography economically viable. For example, individual ADAS algorithms typically reside in separate ECUs. The cost of securing all these ECUs with hardware-assisted cryptography is considerably more than securing one ECU with all algorithms integrated.

Store forensic data. As the electronics in the vehicle takes more and more control away from the driver to the point of autonomous driving, investigations into safety incidents due to security breaches will require the vehicle to securely log non-repudiable forensic data in a tamper-proof location for use as evidence. As such, a system security design should consider the system parameters that constitute forensic evidence and provision for a digital ‘black-box’ for secure logging of such parameters.

Conclusion and future work

As vehicles become more connected and more autonomous, the distinction between security and safety becomes more blurred. As recent investigations have shown, security breaches can have serious safety consequences. The most recent event of an unaltered vehicle being remotely hacked and brought to a complete halt in the middle of a busy highway has caused not only the automotive industry but also governments to sit up and take notice. US Senator Ed Markey’s ‘Tracking and Hacking’ paper clearly outlines the threat to modern vehicles and mentions the need for NHTSA to come up with new standards and guidelines to protect the security of vehicles. Security, therefore, is as much a priority for the automotive industry as safety. The challenge is to find reliable, cost-effective solutions to secure the vehicle over its long operational life.

As part of our ‘Connected Car’ solution, featuring modern infotainment and telematics capabilities, Sasken has actively been considering security issues and exploring and experimenting with various mechanisms to mitigate them. Our immediate areas of focus are the following:

• Secure boot of a Linux-based platform
• Secure communications over telematics transport protocols like MQTT and AMQP
• IDPS mechanisms for securing the CAN bus

Our early work on secure boot of the Linux kernel has already been successfully adapted for use in a few of our customers’ products, including a mobile radio terminal from a leading UK-based manufacturer.

Sasken has also forged strategic partnerships with industry leaders to integrate advanced features like secure FOTA into our ‘Connected Car’ solution which, as identified earlier in the paper, is a critical component of effective automotive security.

[email protected] | www.sasken.com

USA | UK | FINLAND | GERMANY | JAPAN | INDIA | CHINA

© Sasken Communication Technologies Ltd. All rights reserved. Products and services mentioned herein are trademarks and service marks of Sasken Communication Technologies Ltd., or the respective companies. 21 January 2017