
Automotive Security

Whitepaper

Introduction

Until quite recently, automotive security was synonymous with theft prevention. But with the software content of the automobile growing exponentially to realize visions of the connected car and autonomous driving, security is now becoming synonymous with safety. And safety is undoubtedly the primary concern of every vehicle manufacturer. Recent experiments by researchers have demonstrated unaltered vehicles being remotely hacked into via their connected unit and commanded to execute malicious code that allows the attacker to remotely control the vehicle. Thus, it has been proven beyond a shadow of doubt that security breaches in automobiles can have serious safety consequences. Therefore, vehicle manufacturers have to make security as much a priority as safety.

This paper gives an overview of security from an automotive perspective, touching upon the motivations of attackers and the attack surfaces that a modern-day vehicle presents. This is followed by a brief discussion on the security characteristics unique to the automobile and mechanisms to address some, if not all, of them. The paper concludes with a few approaches for the automotive industry to address the security requirement and Sasken's involvement in this area.

Author: Vinod Vasudevan, Senior Architect

Table of Contents

• Motivation for attacks
• Automobile attack surfaces
• Automotive-specific security considerations
• Security mechanisms and techniques
• Approach for addressing security in the automotive industry
• Conclusion and future work


Motivation for attacks

Among the many motivations for hacking a vehicle, theft ranks highest. Theft is not new to automobiles: being high-value assets, vehicles have long been targeted by thieves. What the recent explosion of software in automobiles and their increasing cyber-physical nature (like keyless entry and ignition) has done is unwittingly make stealing easier and less conspicuous. The increasing amount of sensitive, private information that vehicles are going to store (like credit card details) to enable 'smart' features in the near future, including automatic payments, is likely to become a new target for theft apart from the vehicle itself.


Next would be espionage. Infotainment systems in vehicles track and record sensitive information like current location, location history, call history, contacts and addresses, and with telematics becoming increasingly popular (mandatory in some countries), targeted exploits can be used to track people and eavesdrop on their calls and in-cabin conversations. It would even be possible to visually monitor them through compromised ADAS cameras intended for driver distraction detection.

Owners themselves may have motives for using exploits to subvert regulatory constraints like emission controls for better fuel efficiency and performance. Used-car dealers might use exploits to hide faulty components by suppressing their notifications and avoid incurring replacement expenses. Depending on the ECUs targeted, such motives can affect the safety of the vehicle.

Research and 'hacktivism' have the more benign motive of exposing security vulnerabilities to get manufacturers and regulators to act. Pranksters and 'black-hat' hackers may indulge in it for the thrill or to show off their technical prowess, though this is less likely given the high investment, both in terms of time and funds, required to craft a serious vehicle exploit.

Finally, nation-states, the underworld and terror organizations would have more sinister motives including espionage, physical harm and widespread damage. They are also likely to be the best funded among the lot.


Automobile attack surfaces

Attack surfaces refer to potentially vulnerable entry points in the vehicle that can be tapped and exploited to gain unauthorized access. Windows, doors and exposed brake wires were the common attack surfaces in the bygone era of largely mechanical cars. The increased use of software and the introduction of different wireless connectivity technologies have significantly expanded the attack surface of a vehicle and the attendant risk of exploitation. In general, the larger the software content, the larger the attack surface, owing to the higher probability of security-related bugs.

Figure: attack surfaces of a modern vehicle: telematics ECU, USB, CD/DVD, DSRC-based receiver (V2X), OBD-II, Wi-Fi, FM, keyless entry and ignition, TPMS, exposed control wires, ADAS sensors, smartphone.


From a safety perspective, the prime targets for attacks are the ECUs that control critical vehicle components like the engine, brakes and steering. The vehicle network that interconnects these ECUs presents the attack surface. The most prevalent network technology in automobiles today is the CAN bus, short for Controller Area Network. Designed primarily for efficiency and reliability in the harsh automotive environment, CAN has very little provision for security. It is a broadcast bus where a message sent by one ECU is received by every other one in the network, making it vulnerable to snooping. Further, CAN's use of functional addressing means that messages carry no information about the sending and receiving nodes, making it easy to spoof messages on the network: any node that can transmit can claim any identifier.

The diagnostic OBD-II port and exposed bus wires that control external vehicle components like ORVMs (outside rear-view mirrors) and lights can be exploited to gain access to the vehicle network but require physical access to the vehicle and, in the case of OBD-II, entry into the vehicle. Accessing the exposed bus wires would require an attacker to break open the ORVMs or the lights, which is likely to set off the burglar alarm. As such, they present a lesser risk of a cyber-physical attack and are limited to the motives of people with legitimate access to the vehicle like technicians and owners.

Modern infotainment and telematics systems connect to the CAN bus to provide features like touch-screen based climate and body controls, remote diagnostics and remote vehicle status and control. The wireless connectivity features provided by these systems, including Wi-Fi, Bluetooth and 3G/LTE, present remote attack surfaces that do not require the attacker to have physical access to the vehicle. These protocols offer wide attack surfaces owing to their large code size and complexity, and they extend the range of remote attacks to many tens


of meters, even kilometers. Attacks on this surface typically exploit bugs in the protocol implementations to gain access to the infotainment or telematics ECU and then exploit further bugs like buffer overflows and unprotected software updates to plant malicious code that can then control other safety-critical ECUs through spoofed CAN messages.

Keyless entry and ignition systems also offer a remote attack surface. These systems employ RF-based protocols for detection and authentication of owners to unlock the doors and start the engine. These protocols lend themselves to remote interception using 'sniffers' and, as shown by the hacking of the Megamos Crypto transponder, rather easy exploitation by spoofing. The attack surface is relatively small and is unlikely to contain a back-door to more safety-critical systems, but a compromise grants an attacker access to the vehicle's OBD-II port, which can be exploited to plant safety-threatening code in any of the ECUs connected to the CAN bus.

FM radio receivers in car radio systems have been known to be attacked by fake FM transmitters broadcasting RDS-TMC information that adversely influences the navigation system. Similarly, media content distributed via CDs and USB sticks under the guise of marketing offers has been known to exploit vulnerabilities in the media parsing code to plant malicious software in the infotainment ECU. While these exploits may not have directly compromised the safety of the vehicle, they did jeopardize the safety of the occupants by distracting, confusing or alarming the driver.

Tyre pressure monitoring systems (TPMS) use RF protocols to send pressure sensor information from within the tyre to an ECU in the vehicle. Similar to the keyless entry systems, these protocols have been shown to be sniffed and spoofed to fool the ECU into reporting a false tyre-pressure warning to the driver. Again, while these attacks are more likely to be irritants than a safety threat, a well-timed attack could have indirect safety consequences by distracting or alarming the driver.

With ADAS (advanced driver assistance systems) taking more and more control of the vehicle away from the driver, the sensor technologies that these systems rely on, like radar, ultrasound, cameras and DSRC (for V2X), present attack surfaces that could seriously impact the safety of a vehicle. One can easily imagine spoofed radar or DSRC signals being used to confuse ADAS algorithms into braking hard and steering away to avoid a non-existent obstruction, or signal jammers preventing algorithms from detecting potentially dangerous driving situations.


Smartphones can also present a vehicle attack surface via downloadable applications. An attacker could use these applications to gain entry through a paired Bluetooth or authenticated Wi-Fi connection into an otherwise secure infotainment system.

Lastly, compromised dealership or workshop infrastructure could open doors to attacks on vehicles brought in for repairs or regular maintenance. 'Pass-through' devices used in workshops for access to a vehicle's OBD-II port from a remote computer or laptop over a Wi-Fi connection are prime examples of such vulnerability. Weak IT security policies in these workshops could lead to their Wi-Fi network being compromised, allowing unauthorized computers remote access to a vehicle's OBD-II port.

Automotive-specific security considerations

Thankfully, cyber-security itself is not a new topic, and the decades of research into it have yielded a wealth of solutions and strategies for many fields of application, e.g., IT security. As the compute and connectivity technologies of these fields make their way into the automobile along with their attendant security risks, it is instructive to study the security strategies and solutions employed in those fields for adaptation to the automotive context.

However, not all of it may be directly relevant. For example, the primary focus for IT security is confidentiality of information whereas for automotive it would be integrity and availability. As such, it is important to keep in mind specific characteristics of automotive security while adapting existing solutions and strategies. Some of these characteristics are:

• Cyber-physical characteristics. A cyber-security breach in an automobile could potentially have serious safety consequences leading to injury and loss of life and property. As such, it does share some similarity with other fields like industrial automation, aerospace and healthcare.

• Long product life. The operating life of an automobile is anywhere between 10-20 years, much longer than the average lifespan of most security mechanisms. To exacerbate the problem, the long 2-3 year development life-cycle of an automobile means that the employed security mechanism is possibly obsolete almost as soon as it hits the roads.

• Easy physical access. Vehicles are regularly left unattended for long periods of time in public places like parking lots, giving attackers relatively easy physical access to them. Owners may turn attackers and hack the vehicle to get it to perform outside its permissible, safe limits for performance or fuel efficiency reasons, inadvertently posing a safety threat to themselves and others on the road.

• Cost. The effort, and therefore the cost, of securing a feature is typically many times more than the effort required to add it to the system. Unofficial estimates claim the delta to be in the region of 3-5 times. In a cost-sensitive market, security being a non-differentiating feature, buyers may be unwilling to shell out extra money to secure the differentiating connectivity features they desire.

Security mechanisms and techniques

The key tenets of automotive security, in a rough order of priority, are ensuring integrity, authenticity, availability, confidentiality and non-repudiation of the system:

• Integrity and authenticity of the hardware and software in the system, including firmware upgrades and downloaded applications.
• Authenticity, integrity and confidentiality of internal as well as external communications. Confidentiality of stored information.
• Availability of the critical components of the system at all times to ensure functional safety by preventing denial-of-service attacks.
• Tamper-proof 'black-box' collection of digital forensic data to aid in security breach investigations.

Security mechanisms to achieve most, if not all, of the above goals fall broadly into two categories: cryptography-based schemes, and intrusion detection and prevention (IDPS) schemes.

Cryptography-based schemes. These schemes use cryptographic algorithms to verify authenticity and integrity and to ensure confidentiality. There are two types of cryptographic algorithms: symmetric and asymmetric. Asymmetric algorithms like RSA and ECC use a key pair, a private key that is never shared and a public key that can be distributed freely. This solves the key distribution problem that symmetric algorithms like AES, which use a single shared secret key, leave open, and it makes digital signatures, and hence non-repudiation, possible. However, asymmetric algorithms are computationally far more intensive. For optimal resource usage, most schemes employ a combination of the two, with an asymmetric algorithm for authentication and initial key exchange and a symmetric one for subsequent high-volume operations.

Public key infrastructure (PKI) builds on asymmetric algorithms and digital certificates: a certificate binds a public key to an identity and is itself signed by a certificate authority whose key the verifier already trusts.


Figure: asymmetric encryption. The sender encrypts the plaintext with the recipient's public key; the recipient decrypts the ciphertext with the recipient's private key. Different keys are used to encrypt and decrypt the message.

PKI is an effective mechanism for verifying the authenticity and integrity of the system software. This is achieved using digitally signed software images which are verified by a secure boot mechanism on the ECU. A digest of the software image, signed with the OEM's private key, is stored on the ECU alongside the image. At start-up, the secure boot code of the ECU verifies the stored signature using the OEM's public key, computes the digest of the stored software image, and loads the image only if the two digests match. Once loaded, the software image can then verify the authenticity and integrity of other components like the file system, downloadable applications, and software upgrade packages, thus establishing a chain of trust rooted in the secure boot code. The chain is only as strong as its root: the secure boot code and the OEM public key (or a hash of it) must reside in immutable storage such as mask ROM or one-time-programmable fuses, otherwise an attacker who can rewrite flash simply replaces the key along with the image.
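The chain of trust described above, as an added example that is not part of the original paper or of any Sasken product: a three-stage boot chain (bootloader, kernel, application) in Go, using Ed25519 signatures from the standard library. The stage names, images and keys are constructed for the demo; a real ECU would hold the images in flash and the root key in ROM or fuses. Each stage carries the public key that verifies the next one, and that key is covered by the stage's own signature, so a genuine image cannot be kept while its embedded verification key is swapped.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the boot chain: the image to load, the public key that
// verifies the *next* stage (empty for the last one), and a signature over both
// made by the signer of the *previous* stage. Images are constructed byte strings.
type Stage struct {
	Name      string
	Image     []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// digest binds image and embedded next-stage key together, so an attacker
// cannot keep a genuine image but swap in their own verification key.
func digest(s Stage) []byte {
	h := sha256.New()
	h.Write(s.Image)
	h.Write(s.NextKey)
	return h.Sum(nil)
}

// sign attaches to s the signature the previous stage's owner would produce.
func sign(signer ed25519.PrivateKey, s *Stage) {
	s.Signature = ed25519.Sign(signer, digest(*s))
}

// verifyStage checks one link with the key trusted so far.
func verifyStage(trusted ed25519.PublicKey, s Stage) error {
	if len(trusted) != ed25519.PublicKeySize {
		return fmt.Errorf("%s: no valid verification key available", s.Name)
	}
	if !ed25519.Verify(trusted, digest(s), s.Signature) {
		return fmt.Errorf("%s: signature check failed, image not loaded", s.Name)
	}
	return nil
}

// BootChain walks the stages in order. rootKey plays the role of the OEM public
// key anchored in ROM or OTP fuses; every later key comes out of an image that
// has already been verified. It returns the stages loaded before the first failure.
func BootChain(rootKey ed25519.PublicKey, stages []Stage) ([]string, error) {
	var loaded []string
	trusted := rootKey
	for _, s := range stages {
		if err := verifyStage(trusted, s); err != nil {
			return loaded, err
		}
		loaded = append(loaded, s.Name)
		trusted = s.NextKey
	}
	return loaded, nil
}

// buildChain constructs bootloader -> kernel -> application, each signed by the
// owner of the stage before it. Keys are freshly generated for the demo.
func buildChain() (ed25519.PublicKey, []Stage) {
	oemPub, oemPriv, _ := ed25519.GenerateKey(nil)
	blPub, blPriv, _ := ed25519.GenerateKey(nil)
	kPub, kPriv, _ := ed25519.GenerateKey(nil)
	app := Stage{Name: "application", Image: []byte("constructed application image v1")}
	sign(kPriv, &app)
	kernel := Stage{Name: "kernel", Image: []byte("constructed kernel image v1"), NextKey: kPub}
	sign(blPriv, &kernel)
	bl := Stage{Name: "bootloader", Image: []byte("constructed bootloader image v1"), NextKey: blPub}
	sign(oemPriv, &bl)
	return oemPub, []Stage{bl, kernel, app}
}

// BootGoodChain boots an untampered chain; all three stages load.
func BootGoodChain() ([]string, error) {
	root, stages := buildChain()
	return BootChain(root, stages)
}

// BootTamperedKernel flips a byte of the kernel after signing: the bootloader
// loads, the kernel is refused, the application is never reached.
func BootTamperedKernel() ([]string, error) {
	root, stages := buildChain()
	stages[1].Image[0] ^= 0xff
	return BootChain(root, stages)
}

// BootSwappedKey replaces the kernel-verification key inside the bootloader with
// an attacker's key and re-signs the kernel with it. Because that key is part of
// the bootloader's signed digest, the OEM signature no longer matches: nothing loads.
func BootSwappedKey() ([]string, error) {
	root, stages := buildChain()
	evilPub, evilPriv, _ := ed25519.GenerateKey(nil)
	stages[0].NextKey = evilPub
	sign(evilPriv, &stages[1])
	return BootChain(root, stages)
}

func main() {
	for _, run := range []func() ([]string, error){BootGoodChain, BootTamperedKernel, BootSwappedKey} {
		loaded, err := run()
		fmt.Printf("loaded=%v err=%v\n", loaded, err)
	}
}
```

The third scenario is the one the key-anchoring caveat is about: the attack fails here only because the root key is passed in from outside the mutable images. If the root key itself lived in rewritable flash, the attacker would replace it as well and the re-signed chain would pass.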


Similarly, transport layer security (TLS) protocols based on PKI can be effective in securing communications with external entities including telematics service providers, consumer smart devices and, in future, other vehicles and ITS infrastructure. The authenticity of the entities involved in the communication is verified using digital certificates and confidentiality is maintained by encrypting all communication. Here, typically, a strong asymmetric algorithm is employed for authentication and key exchange, following which a symmetric algorithm is used for encryption of the communication. For communications with smartphones and other devices, the built-in authentication mechanisms of the underlying transport like Bluetooth and Wi-Fi add a further layer of security by allowing only authorized devices to connect to the vehicle's personal-area network.

The concepts of TLS can be adapted to secure internal communication over the vehicle bus too. Asymmetric algorithms can be used to distribute a periodically changing network secret key that is subsequently used by ECUs to authenticate and, where required, encrypt communications using symmetric algorithms. On the vehicle bus, integrity and authenticity of a message matter more than its secrecy, so a message authentication code over each frame is the essential part. Inclusion of a nonce or a monotonically increasing freshness counter in the authenticated network packets is effective in preventing replay attacks. Since the prevalent protocols for vehicle networks like CAN (Controller Area Network) leave the specification of the payload open, such security mechanisms can be added as a layer above the protocol's own implementation. The practical constraint is payload size: a classic CAN frame carries at most 8 bytes, so a counter and a truncated MAC leave very little room for the signal itself, which is why such schemes fit more comfortably on CAN FD and its 64-byte payloads.

PKI-based authentication mechanisms can also be effective in securing internal communications between critical driver assistance systems and vehicle sensors, like cameras and radar, against man-in-the-middle attacks by counterfeit replacements. MirrorLink, a smartphone connectivity


protocol that allows drivers safe access to their mobile applications by mirroring the phone's screen on the head unit, uses one such mechanism to authenticate MirrorLink-certified phones and validate the integrity of the frame-buffer data streamed by them. In MirrorLink, authentication is done using digital certificates and a session key is securely exchanged using an asymmetric algorithm. While streaming the frame-buffer data, the phone computes a keyed check value over some property of each frame, e.g. frame size, sequence number or a SHA-256 digest of the entire frame, using the shared secret key, which is subsequently validated by the head unit. An adaptation of this mechanism can be used to prevent similar attacks on the data feed from the vehicle's camera and radar sensor ECUs. Sensors with analog front-ends and exposed analog connectivity, however, present an attack surface immune to digital protection mechanisms. Key-based signal modulation and watermarking in the invisible spectrum (similar to Cinavia watermarking for audio) are options that can be explored for such sensors. However, a trade-off between CPU capabilities and the degree of security is inevitable.

Cryptographic algorithms are generally compute-intensive and would require support on the ECU platform for hardware acceleration to achieve strong security within acceptable latency limits, especially when used for time-critical communication on the vehicle bus. Further, support in the hardware for secure, tamper-proof storage of keys, certificates and user credentials would be required to protect their confidentiality. These requirements are beyond the capability of the typical microcontrollers used in the majority of the ECUs in a vehicle today. Achieving effective security with acceptable latency would require a major upgrade of all ECU hardware with the attendant complexity of software re-design and re-validation, not to mention the challenge of getting ECUs from different suppliers to talk the same security language, all of which will translate to higher costs and delays.

Intrusion detection and prevention schemes (IDPS). IDPS schemes work by continuously monitoring the system for abnormal or unusual behavior (anomaly detection) and, on detection of such behavior, initiating processes to bring the system to a 'safe mode' and prevent further damage. These schemes can be an alternative to, or used in conjunction with, cryptographic techniques for checking the plausibility of the vehicle's internal and external communication; unlike a MAC, they cannot prove where a message came from, but they can flag traffic that no legitimate sender would produce. As opposed to cryptographic methods, IDPS mechanisms are not as computationally intensive and do not require hardware support beyond what is available in typical automotive microcontrollers. This makes them an attractive proposition for securing the vehicle bus, especially the CAN bus.
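The keyed, sequence-numbered frame check that both the vehicle-bus layer above and the MirrorLink frame-buffer validation rely on, as an added example that is not part of the original paper, of MirrorLink, or of any Sasken product: a Go security layer that tags each message with a per-identifier freshness counter and a truncated HMAC-SHA256 over identifier, counter and payload, and a receiver that rejects forged, replayed and re-addressed frames. The network key is a constructed constant standing in for one distributed by the asymmetric exchange the text describes; the identifiers and payloads are constructed, and the payload size assumes a CAN FD style frame large enough to carry data, counter and tag.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TagLen is the truncated MAC length. The example assumes a CAN FD sized
// payload; a classic 8-byte CAN frame could not carry data, counter and tag.
const TagLen = 8

// Frame is a bus message with the two fields the security layer adds: a
// per-ID freshness counter and a truncated HMAC-SHA256 tag.
type Frame struct {
	ID      uint32
	Counter uint32
	Data    []byte
	Tag     []byte
}

// tag computes HMAC-SHA256(key, ID || Counter || Data) truncated to TagLen.
// Binding the ID stops a valid frame being replayed under another identifier.
func tag(key []byte, id, counter uint32, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	var hdr [8]byte
	binary.BigEndian.PutUint32(hdr[0:4], id)
	binary.BigEndian.PutUint32(hdr[4:8], counter)
	m.Write(hdr[:])
	m.Write(data)
	return m.Sum(nil)[:TagLen]
}

// Sender holds the shared network key and one counter per identifier.
type Sender struct {
	key      []byte
	counters map[uint32]uint32
}

func NewSender(key []byte) *Sender { return &Sender{key: key, counters: map[uint32]uint32{}} }

// Send increments the counter for id and emits an authenticated frame.
func (s *Sender) Send(id uint32, data []byte) Frame {
	s.counters[id]++
	c := s.counters[id]
	return Frame{ID: id, Counter: c, Data: data, Tag: tag(s.key, id, c, data)}
}

// Receiver accepts a frame only if the tag verifies and its counter is
// strictly greater than the last accepted counter for that ID.
type Receiver struct {
	key      []byte
	lastSeen map[uint32]uint32
}

func NewReceiver(key []byte) *Receiver {
	return &Receiver{key: key, lastSeen: map[uint32]uint32{}}
}

func (r *Receiver) Accept(f Frame) error {
	// Check the MAC first: the counter is not trustworthy until it passes.
	if !hmac.Equal(tag(r.key, f.ID, f.Counter, f.Data), f.Tag) {
		return fmt.Errorf("id 0x%X: bad tag, frame dropped", f.ID)
	}
	if f.Counter <= r.lastSeen[f.ID] {
		return fmt.Errorf("id 0x%X: counter %d not fresh (last %d), replay dropped",
			f.ID, f.Counter, r.lastSeen[f.ID])
	}
	r.lastSeen[f.ID] = f.Counter
	return nil
}

// Outcome records whether one delivery attempt was accepted.
type Outcome struct {
	Label    string
	Accepted bool
}

// Demo pushes genuine, replayed, forged and re-addressed frames through one
// receiver and returns the verdicts in order.
func Demo() []Outcome {
	key := []byte("constructed-network-key-0000000001") // distributed out of band
	tx, rx := NewSender(key), NewReceiver(key)
	var out []Outcome
	try := func(label string, f Frame) { out = append(out, Outcome{label, rx.Accept(f) == nil}) }

	f1 := tx.Send(0x1A0, []byte{0x00, 0x5A}) // e.g. a brake-pressure signal
	try("genuine #1", f1)
	try("genuine #2", tx.Send(0x1A0, []byte{0x00, 0x5C}))
	try("replay of #1", f1) // valid tag, stale counter
	forged := Frame{ID: 0x1A0, Counter: 99, Data: []byte{0xFF, 0xFF}, Tag: make([]byte, TagLen)}
	try("forged without key", forged)
	moved := f1
	moved.ID = 0x1B0 // genuine frame presented under another identifier
	try("genuine frame, wrong ID", moved)
	return out
}

func main() {
	for _, o := range Demo() {
		fmt.Printf("%-26s accepted=%v\n", o.Label, o.Accepted)
	}
}
```

A receiver that loses synchronisation (for example after a reset that wipes lastSeen) must re-learn the counter from a trusted source rather than simply accepting the next frame, otherwise an attacker can replay any earlier frame into the gap; the periodic re-keying the text describes also resets the counters safely.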


As mentioned earlier, the design of the CAN bus makes it very easy for a rogue ECU to spy on all bus communications and also spoof messages from other ECUs. IDPS techniques offer a cost-effective alternative to cryptographic methods for preventing such attacks on the CAN bus. Some of these techniques include:

• Monitoring all broadcast messages on the CAN bus for anomalies with respect to the original OEM network design. Since rogue ECUs can only add messages to the bus and not remove messages from it, the typical modus operandi to spoof an ECU's message would be to flood the bus with the counterfeit message, effectively 'drowning out' the authentic ECU. This would, however, imply a sudden spurt in the message frequency which can be detected as an anomaly by the monitor. Other parameters that can be monitored include the range of values of message fields, appropriateness to the current state of the vehicle, etc.


• Using sequence numbers for each message on the network. Since the rogue messages would have to use incremented sequence numbers to ensure that they are processed, subsequent communication from the authentic ECU is bound to carry a stale sequence number that can be detected as an anomaly.

• Messages on the CAN bus usually originate from unique ECUs. Thus, each ECU can monitor the bus for messages carrying its own identifiers that it did not itself send, indicating spoofing by a rogue ECU.

IDPS is effective in certain attack scenarios where cryptography is ineffective. A good example is denial-of-service (DoS) attacks that affect the availability of the system. The CAN bus is especially prone to DoS attacks. Due to its priority-based bus arbitration scheme, in which the lowest identifier always wins, the protocol can be exploited by a rogue ECU to completely flood the bus with high-priority junk messages, effectively 'drowning out' all authentic communication and seriously jeopardizing the functionality of safety- and time-critical components in the vehicle. A bus monitor can easily detect such a situation and initiate preventive safety measures.

Once an anomaly is detected, an IDPS scheme has to initiate measures to mitigate the safety risk due to the suspected intrusion. In the automobile context, this could be broadcasting a special message on the CAN bus to instruct all authentic ECUs to enter a 'safe mode' with bare-minimum functionality enabled to bring the vehicle safely to a halt. That safe-mode message must itself be authenticated, or carried over a path the rogue ECU cannot reach; an unauthenticated one hands the attacker a ready-made way to disable the vehicle. The system could also display, via separate 'hot-line' wiring, a warning on the instrument panel, similar to the 'Check Engine' light, to inform the driver of a suspected attack.

Given the distinct benefits of cryptographic and IDPS mechanisms, a practical automotive security framework is likely to employ a combination of the two for multiple reasons. One of the primary reasons is cost. As mentioned earlier, effective cryptography-based security schemes in automotive dictate an overhaul of the ECU hardware, which has significant cost implications in terms of development and validation. A more practical approach would be to use such schemes in a few critical ECUs that either already have the requisite horsepower or can be upgraded with minimal impact on the overall cost.
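The three monitoring techniques listed above (frequency anomaly, field-value plausibility, and an ECU watching for its own identifiers sent by someone else), as an added example that is not part of the original paper or of any Sasken product: a Go bus monitor that applies them to a constructed trace as seen by a gateway ECU. The identifiers 0x1A0 and 0x2B0, the owning ECU names, periods and value ranges are all assumptions standing in for an OEM network description; the timestamps and payloads are constructed, not captured from a vehicle.

```go
package main

import "fmt"

// CANMsg is a decoded frame: identifier, payload and the time it was seen on
// the bus in milliseconds. Traffic in this example is constructed, not captured.
type CANMsg struct {
	ID   uint32
	Data []byte
	TsMs int64
}

// Rule is what the OEM network design states about one identifier: the ECU
// that legitimately transmits it, its nominal period, and the plausible range
// of the signal carried in the first payload byte.
type Rule struct {
	Owner    string
	PeriodMs int64
	MinVal   int
	MaxVal   int
}

// Alert names the anomaly class and carries the offending frame.
type Alert struct {
	Kind string
	Msg  CANMsg
}

// Monitor runs on one ECU (self) and implements the three checks from the text:
// burst/frequency anomaly, out-of-range signal values, and frames carrying this
// ECU's own identifiers that its transmit path never sent.
type Monitor struct {
	self     string
	rules    map[uint32]Rule
	lastSeen map[uint32]int64
}

func NewMonitor(self string, rules map[uint32]Rule) *Monitor {
	return &Monitor{self: self, rules: rules, lastSeen: map[uint32]int64{}}
}

// Observe inspects one frame. sentBySelf is true when this ECU put the frame
// on the bus itself, which is the only legitimate source for IDs it owns.
func (mon *Monitor) Observe(m CANMsg, sentBySelf bool) []Alert {
	rule, known := mon.rules[m.ID]
	if !known {
		return []Alert{{"unknown-id", m}}
	}
	var alerts []Alert
	if rule.Owner == mon.self && !sentBySelf {
		alerts = append(alerts, Alert{"spoofed-own-id", m})
	}
	// A rogue ECU cannot remove genuine frames, so to win it must out-send
	// them; a frame arriving well inside the nominal period is the symptom.
	if last, seen := mon.lastSeen[m.ID]; seen && m.TsMs-last < rule.PeriodMs/2 {
		alerts = append(alerts, Alert{"frequency", m})
	}
	mon.lastSeen[m.ID] = m.TsMs
	if len(m.Data) > 0 {
		if v := int(m.Data[0]); v < rule.MinVal || v > rule.MaxVal {
			alerts = append(alerts, Alert{"out-of-range", m})
		}
	}
	return alerts
}

// Summarize counts alerts by kind.
func Summarize(alerts []Alert) map[string]int {
	counts := map[string]int{}
	for _, a := range alerts {
		counts[a.Kind]++
	}
	return counts
}

// RunDemo replays constructed traffic as seen by a gateway ECU: steady engine
// frames, a burst of counterfeit engine frames carrying an impossible value,
// then a frame using the gateway's own ID that the gateway never sent.
func RunDemo() []Alert {
	rules := map[uint32]Rule{
		0x1A0: {Owner: "engine-ecu", PeriodMs: 10, MinVal: 0, MaxVal: 200},
		0x2B0: {Owner: "gateway", PeriodMs: 100, MinVal: 0, MaxVal: 1},
	}
	mon := NewMonitor("gateway", rules)
	var alerts []Alert
	for i := int64(0); i < 5; i++ { // genuine: value 0x64 every 10 ms
		alerts = append(alerts, mon.Observe(CANMsg{0x1A0, []byte{0x64}, i * 10}, false)...)
	}
	alerts = append(alerts, mon.Observe(CANMsg{0x2B0, []byte{0x01}, 45}, true)...) // own status frame
	for i := int64(0); i < 5; i++ { // flood: 1 ms apart, value 0xFF
		alerts = append(alerts, mon.Observe(CANMsg{0x1A0, []byte{0xFF}, 50 + i}, false)...)
	}
	alerts = append(alerts, mon.Observe(CANMsg{0x2B0, []byte{0x00}, 150}, false)...) // spoofed gateway ID
	return alerts
}

func main() {
	for kind, n := range Summarize(RunDemo()) {
		fmt.Printf("%-16s %d\n", kind, n)
	}
}
```

The first counterfeit frame is caught only by the value check, because it arrives a full period after the last genuine one; the frequency rule fires from the second flood frame onwards. That is the usual shape of a CAN IDPS: no single rule sees everything, and the genuine ECU's own frames during a flood will also be flagged, which is acceptable because every frame of that identifier is suspect until the burst ends.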


The infotainment and telematics ECUs that house all the external-facing wired and wireless connectivity services are good examples. These ECUs typically use high-end processors that already have advanced hardware support and software interfaces for security. Similarly, so-called gateway ECUs, which interface the sensitive vehicle bus with the rest of the system and are ideal candidates for IDPS implementations, can be fortified with hardware-enforced security to ensure that the IDPS code is authentic and not tampered with. Using such combinations of cryptography- and IDPS-based schemes, a reasonable level of security can be achieved at a much lower cost. Another reason for a combined approach would be to cover the limitations of individual approaches and address a wider range of attack scenarios, the DoS attack being a case in point. Finally, multiple, orthogonal, redundant security schemes provide additional rings of protection, making intrusion much more difficult.

Whatever the mechanism, the long product life of the automobile implies that the vehicle is more likely than not to outlive the effectiveness of some, if not all, of the security measures employed, rendering it vulnerable to attacks eventually. Security, therefore, is a moving target, and a mechanism to continuously upgrade the vehicle's security measures during its operational lifetime is crucial to its safety. Firmware updates, either over-the-air or dealer distributed, are as a result bound to be an integral part of automotive security and safety. Since unprotected updates were noted above as a way in, the update path must itself be protected: packages signed by the OEM, verified by the same chain of trust as the boot images, and protected against rollback to an older, vulnerable version.

Approach for addressing security in the automotive industry

Eschew security by obscurity. The automotive industry has traditionally been a 'closed' system relying heavily on proprietary solutions, the design and implementation of which is not publicly available. This may have lulled the industry into a false sense of security that needs to be abandoned, as it is a well-established fact that security by obscurity is the least effective mechanism. Nowadays, sophisticated reverse engineering tools like IDA Pro significantly ease the job of extracting the implementation logic from object code, effectively making all code 'open source'. The chosen security mechanism must remain secure even when its design is fully known to the attacker and only the keys are secret. Publicly reviewed, PKI-based mechanisms are a good example.

Defense in depth. Rather than a secure-the-perimeter approach, which employs just one line of defense, a multi-level security approach is recommended to limit the extent of damage in case of a breach. Having multiple, orthogonal and possibly redundant mechanisms for security vastly reduces the probability of a single breach compromising the entire system.

Holistic approach. Security has to be treated on par with safety, as it is clear that a security breach can seriously affect the safe functioning of the vehicle. Just as safety considerations are woven into each step of the automotive development fabric, security considerations too must be deliberated at each step of the development process from design to validation to procurement and vendor management. Security considerations must also extend to the infrastructure, tools and processes of after-sales services like dealerships, maintenance workshops and telematics service providers. It is not only about securing the automobile but the entire automotive development, distribution and after-sales service ecosystem.


Eliminate software bugs. The best security mechanisms can be subverted by bugs either in the implementations of these mechanisms or in the software that they protect. Buffer overflow bugs in implementations of the pairing and authentication mechanisms of Bluetooth and Wi-Fi have been shown to be exploitable to gain access to the vehicle's infotainment system. Even on platforms protected by secure boot, such bugs can be exploited to load and execute malicious code after boot-up, with potential safety consequences, because secure boot verifies what is loaded, not how it behaves once running. The most effective answer to this problem is to adopt processes, standards and tools like MISRA, JSF AV C++, etc. to reduce the occurrence of such bugs during development, paying particular attention to the parsers and protocol handlers that sit directly on the attack surfaces described earlier. Ethical, white-hat hackers must be encouraged, enabled, even employed, by the industry to find security holes before people with less noble motives do. As more and more manufacturers adopt standard open-source platforms, like GENIVI, for their infotainment and telematics systems, favorable models for sharing the cost of this security scrutiny among member OEMs could emerge, reducing the overall cost of security, after all a non-differentiating feature, for each individual OEM.

Reduce cost. Adopting a common, standard software platform does open up opportunities for cost reduction by sharing the cost of security validation with other manufacturers. From a hardware architecture perspective, reducing the number of ECUs by consolidating multiple functions into a single ECU can make inclusion of hardware cryptography economically viable. For example, individual ADAS algorithms typically reside in separate ECUs. The cost of securing all these ECUs with hardware-assisted cryptography is considerably more than securing one ECU with all algorithms integrated. Consolidation does concentrate risk, however: functions of different criticality sharing one ECU need strong partitioning between them, otherwise a bug in the least critical one becomes a foothold in all of them.

Store forensic data. As the electronics in the vehicle take more and more control away from the driver, to the point of autonomous driving, investigations into safety incidents due to security breaches will require the vehicle to securely log non-repudiable forensic data in a tamper-proof location for use as evidence. As such, a system security design should consider the system parameters that constitute forensic evidence and provide for a digital 'black box' for secure logging of such parameters.

Conclusion and future work

As vehicles become more connected and more autonomous, the distinction between security and safety becomes more blurred. As recent investigations have shown, security breaches can have serious safety consequences. The most recent event of an unaltered vehicle being remotely hacked and brought to a complete halt in the middle of a busy highway has caused not only the automotive industry but also governments to sit up and take notice. US Senator Ed Markey's 'Tracking and Hacking' paper clearly outlines the threat to modern vehicles and mentions the need for NHTSA to come up with new standards and guidelines to protect the security of vehicles. Security, therefore, is as much a priority for the automotive industry as safety. The challenge is to find reliable, cost-effective solutions to secure the vehicle over its long operational life.

As part of our 'Connected Car' solution, featuring modern infotainment and telematics capabilities, Sasken has actively been considering security issues and exploring and experimenting with various mechanisms to mitigate them. Our immediate areas of focus are the following:

• Secure boot of a Linux-based platform
• Secure communications over telematics transport protocols like MQTT and AMQP
• IDPS mechanisms for securing the CAN bus

Our early work on secure boot of the Linux kernel has already been successfully adapted for use in a few of our customers' products, including a mobile radio terminal from a leading UK-based manufacturer.

Sasken has also forged strategic partnerships with industry leaders to integrate advanced features like secure FOTA into our 'Connected Car' solution which, as identified earlier in the paper, is a critical component of effective automotive security.


[email protected] | www.sasken.com

USA | UK | FINLAND | GERMANY | JAPAN | INDIA | CHINA

© Sasken Communication Technologies Ltd. All rights reserved. Products and services mentioned herein are trademarks and service marks of Sasken Communication Technologies Ltd., or the respective companies. January 2017