Approaches for Connected Vehicle Security for Connected Vehicle Security Manabu Nakano, Ph.D....

Approaches for Connected Vehicle Security

Manabu Nakano, Ph.D. September 9, 2013

Security Engineering Laboratory, IT Security Center,

Technology Headquarters

Information-technology Promotion Agency, Japan (IPA)

APCOSEC 2013

Contents

・Introduction

・IPA’s Activities

・Analysis of Vehicle Security

・Proposals for Secure Vehicle

・Conclusion

2

Introduction

3

Background of the needs for vehicle security

Vehicle-Internet collaboration

through new media such as “Smartphones”

“Standardization”

of on-vehicle systems

Emergence of new use models,

such as “electric vehicles” and

“car sharing services”

・Environment is becoming easier for crackers to attack vehicle systems.

・IPA conducted a threat analysis using the concept of ”IPA Car”.

Information-technology Promotion Agency,

Japan (IPA)

Government Organization under the Ministry of Economy, Trade and Industry (METI)

Chairman : Kazumasa Fujie

In IT Security Center, our missions are…

・Information Security Vulnerability Mitigation

・Viruses Mitigation and Unauthorized Access Prevention

・Cryptography Research and Evaluation

・Technology Development and Research

・IT Security Evaluation and Certification

http://www.ipa.go.jp/security/vuln/doc

uments/10threats2011_en.pdf

http://www.ipa.go.jp/security/vuln/d

ocuments/website_security_en.pdf

Deliverable

Promoting Security in JAPAN

4

IPA’s Activity to Raise Security Awareness

of Embedded Systems including Vehicle

Internet of Things More devices are connected with

the Internet than ever. More threats

are beginning to show up everywhere.

Security Awareness Initiatives for

Embedded Systems

・Study of Security Improvement with

Embedded Device Makers

・Publication of Security Guidelines for

Embedded Systems

・Seminars for Embedded System

Security

http://www.ipa.go.jp/security/fy22/re

ports/electronic/electronic1102_en.

pdf

http://www.ipa.go.jp/security/fy2

2/reports/emb_app2010/emb_gu

ide_fy22_eng.pdf

Vehicle SmartPhone

Internet

Digital TV

Game Machine

5

Analysis by IPA

• IPA has released “Approaches for Vehicle Information

Security” in this March.

• To analyze security issues in vehicles, IPA looked at

them from two perspectives:

– １． ”What kind of attacks and countermeasures for

vehicles are feasible?”

– ２．”How to approach the security

in vehicle’s Lifecycle?”

6

• Procedure of Vehicle Security Analysis in IPA

– 1.Organize Things connect with Vehicle

– 2.Analysis of functions of the Vehicle

• We have defined “IPA car” to consider Vehicle’s Threats

– 3.Organize Information in the Vehicle

– 4.Analysis Vehicle’s Threats

– 5.Study countermeasures that can be used in the Vehicle

Analysis similar approach also performed in

“Information Appliances".

IPA Analysis of Threats against

Vehicles (1/11)（First Perspective)

We have to organize anything that could connect to the Vehicle.

Vehicle connect to any services and devices, the attacker and malware

could appear in various places. When the development of technology, it is

possible that connect shall not be assumed at present.



Malware

Attacker

Attacker

Drive

(Power Train)

（Engine,

Transmission etc.）

Automobile Body

（Body）

（Mater,

Air Conditioner,

Window etc.）

Infotainment

（AV,

Car Navigation

System、ETC.

Real-time traffic

information etc.)

General-Purpose

Network

Wi-Fi,

Internet etc.

In-Car Network for Control Purpose

CAN（A/B/C）/LIN、FlexRay etc.

Dedicated Network

Beacon (VICS),DSRC(ETC) etc.

Safety Controller

（Chassis）

（Brakes, Steering,

Collision-Avoidance

Feature etc.）

In-Car

Network

for

Multimedia

MOST etc.In-Car

Fault Diagnosis

Equipment

（ODB）

Drive

(Power Train)

（Engine,

Transmission etc.）

Automobile Body

（Body）

（Mater,

Air Conditioner,

Window etc.）

Infotainment

（AV,

Car Navigation

System、ETC.

Real-time traffic

information etc.)

General-Purpose

Network

Wi-Fi,

Internet etc.

In-Car Network for Control Purpose

CAN（A/B/C）/LIN、FlexRay etc.

Dedicated Network

Beacon (VICS),DSRC(ETC) etc.

Safety Controller

（Chassis）

（Brakes, Steering,

Collision-Avoidance

Feature etc.）

In-Car

Network

for

Multimedia

MOST etc.In-Car

Fault Diagnosis

Equipment

（ODB）

2. Potential threats in

carry-on equipment.

（computer virus etc.）

1. Approaches the automobile and directly attacks it.

（owner or masquerading as a security guard etc.)

3. Enters into the system or the device

via an external network and attacks it.

IPA classified attacks against vehicles into the following three categories:

– 1 “Proximity" Attack

– 2 “Intermediate” Attack (through carried-in devices)

– 3 “Network" Attack

(OBD)

1. Approaches the vehicle and directly attacks it.

(Pretending to be the owner or masquerading as a security

guard etc.)

1

Vehicle Body

(Body)

9

2. Potential threats in

carry-on equipment.

(carried-in device)

2

3. Intrude into the system or the device

via an external network and attacks it.

3





*1 Inspection & Maintenance: Can be embedded in onboard devices, such as ECU.

Drive Train

System

1.Basic Control Functions

Telematics

2.Extended Functions 3.Common Functions

Chassis

System

Inspection &

Maintenance*1

ITS

Functions

A. B.

F. G.

E.

Safety &

Comfort Body

C. D.

Infotainment

Plug-In

Devices

Smartphone

PND

PC

Tablet

Player

Memory/HDD

Hands-Free

Remote Control

Diagnostic Tool

Ecometer

Custom Meter

I. H.

Bluetooth

Wireless LAN

USB

OBD-II etc

When thinking about threats against vehicles, it’s necessary to sort out the functions in a vehicle.

However, there’re various methods to classify the functions in a vehicle depending on the

manufacture or type of vehicle.

→ IPA performed threat analysis on a hypothetical vehicle, named “IPA Car ”




Drive Train

System


Telematics


Chassis

System

Inspection &

Maintenance*1

ITS

Functions

A. B.

F. G.

E.

Safety &

Comfort Body

C. D.

Infotainment

Plug-In

Devices

Smartphone

PND

PC

Tablet

Player

Memory/HDD

Hands-Free

Remote Control

Diagnostic Tool

Ecometer

Custom Meter

I. H.

Bluetooth

Wireless LAN

USB

OBD-II etc

Basic Control Functions

・The most basic functions for a car that control the car to move, turn and stop

・The cyber attacks against these functions will directly result in car accidents, thus they must be

the most secure among the functions

・If necessary, they should be protected by blocking the communications with other functions

using a firewall


Drive Train

System

1.Basic Control Functions 2.Extended Functions 3.Common Functions

Chassis

System

ITS

Functions

A. B.

F. G.

E.

Body

C. D.

Plug-In

Devices

Smartphone

PND

PC

Tablet

Player

Memory/HDD

Hands-Free

Remote Control

Diagnostic Tool

Ecometer

Custom Meter

I. H.

Bluetooth

Wireless LAN

USB

OBD-II etc

Telematics

Safety &

Comfort

Infotainment

Inspection &

Maintenance*1

Extended Functions

・The functions that improve comfort and convenience in driving for the driver

・Due to their nature, they often communicate with the outside world and are likely standardized

・As ITS develops further, various changes will be made and security measures need to be

implemented accordingly




Drive Train

System


Telematics


Chassis

System

Inspection &

Maintenance*1

ITS

Functions

A. B.

F. G.

E.

Safety &

Comfort Body

C. D.

Infotainment

Plug-In

Devices

Smartphone

PND

PC

Tablet

Player

Memory/HDD

Hands-Free

Remote Control

Diagnostic Tool

Ecometer

Custom Meter

I. H.

Bluetooth

Wireless LAN

USB

OBD-II etc

Common Functions

・The devices carried in by the drivers, such as smartphones and PCs

・Since many kinds of services are available and they process various information, these

functions are likely targeted by attackers and used as intrusion points to the on-vehicle system

・Common security measures will be effective and how much they can be implemented will be the

key



• To clarify the object to protect

– What do you want to protect from the Attacker.

– Value for which you want to protect leads to the cost of measures.

• Difference between vehicle systems and information systems

– Availability is more important than Confidentiality.

– "Safe stop" is prerequisite for life focus

Objects that should be protected Description

Operation of functions execution environment of "Basic control functions”.

Information unique to the vehicle Information which is unique to the car body (vehicle ID, device

ID, etc.), authentication code.

Vehicle status information Data representing the vehicle's stratus such as location, running

speed, and destination.

User information Personal information, billing information, etc…

Software Software which is related to vehicles‘ functions.

Contents Data for applications for video, music, map, etc.

Configuration information Setting data for the behavior of hardware, software, etc.



Drive Train

System

Telematics

Chassis

System

Inspection &

Maintenance

ITS

Functions

A. B.

F. G.

E.

Safety &

Comfort Body

C. D.

Infotainment

Plug-In

Devices

Smartphone

PC

Tablet

Player

Memory/HDD

Ecometer

Custom Meter

I.

H.

Bluetooth

Wireless LAN

USB

OBD-II etc..

Misconfiguration,

user information

leak, bugging,

DoS attacks

Information leak,

misconfiguration,

virus infection,

bugging,

unauthorized

access

Virus infection,

information leak,

unauthorized use,

malicious settings,

bugging, unauthorized

access

Misconfiguration,

information leak,

unauthorized

access

Misconfiguration,

information leak,

DoS attacks

Unauthorized

use

(Misconfiguration,

information leak,

unauthorized use,

malicious settings, virus

infection, bugging)

Unauthorized

use,

malicious

settings,

bugging

Virus infection, mis-

configuration,

misoperation,

unauthorized use,

malicious settings,

bugging,

unauthorized

access

Unauthorized

use, malicious

settings,

bugging

The functions that have port(s) to exchange data with the outside world are exposed to the security threats just

like PCs. The yellow boxes shows the kinds of attacks that seem feasible as of this moment.

On the other hand, as of today, no techniques to directly and remotely attack the vehicle control systems has

been reported.

As seen in overseas researches, there is a risk where an attacker may not attack the vehicle control

systems directly but impose impact on them exploiting a vulnerable system as a stepping stone.



• How will implement the security measures?

– First, we consider the security technology common in the

information systems for vehicle security.

• Some useful in the knowledge of information systems

security.

• Security measures were not effective in information

systems may be effective in the vehicle.

→Several measures are introduced in the IPA’s Approaches

– Next, Study of security that specializes in vehicle

• Analysis of security measures appropriate to the

protocol of powered vehicles



17

IPA’s Approach for Vehicle’s Lifecycle

(1/3)（Second Perspective)

Management： Thing to do always as manufacturer

• Drawing up Security Rules

• Providing Security Education

• Collecting and disseminating security information

Planning： Phase for planning of the entire life cycle

• Formulating Requirement Definition Considering Security

• Securing Security-Related Budge

• Security Consideration When Outsourcing System Development

• Responding to Threats Posed by the Adoption of New Technologies

Development： Phase to develop the system

• Designing

• Security Measures Phase

• Security Assessment and Debugging

• Preparing for Web Contents to Provide Information to Users

18



Operation： Phase to be used as a product, after the embedded

systems in the hands of the user

• Handling Security Issues

• Providing Information to Users and Those Involved in Vehicles in Vehicles

• Leveraging Vulnerability Information

Disposal: Phase embedded systems is disposal or recycling, that reason

why replacement, failure

• Drawing up and Disseminating Disposal Policy

If you want to know more information,

Please check the

“Approaches for Vehicle Information Security” https://www.ipa.go.jp/files/000033402.pdf

• In order to automobile-related organizations working on

security, we were divided level 1-4, based on awareness

of security, whether the security rules in the organization,

and structure of the organization.

– Level1：No security effort is done.

– Level2：Security effort is relegated to the on-the-spot

personnel, and the security issues are dealt with separately

at each project.

– Level3：Security effort is considered as an organizational

issue, and a security policy is drawn up and enforced.

– Level4：Security effort is considered as an organizational

issue, and a security policy is drawn up and enforced.

19



• Security analysis of products and services

of your organization ：

• Understanding of their organization ：

• Recognition of improvement points

20

How to use this Approach

Proposal :

Total & Continuous Security Countermeasures

Service Provider Car Maker

Driver Personal

information

Protection

Smart Phone

Security

Safety

and

Security

Secure Driving with IPA Car

21

・The threat analysis of vehicles has only just started

・It is necessary for various players work on the threats that vehicles face and

countermeasures against them from their respective view point

・To do that, the concept of the IPA Car will be useful

・IPA hopes to collaborate with various players like you and works on the threat

analysis further

Conclusion :

Safety & Secure Driving in ITS World Accidents Driver’s Mistakes Attackers

& Security Safety

22

IPA would like to present a concept of the

”IPA Car” as a basis to discuss vehicle security.

IPA IT Security Center

e-Mail: [email protected]

Thank You !

23

Approaches for Connected Vehicle Security for Connected Vehicle Security Manabu Nakano, Ph.D....

Documents

Transcript of Approaches for Connected Vehicle Security for Connected Vehicle Security Manabu Nakano, Ph.D....