Oscar Sanchez, Automotive Security Application Engineer
Marco Castellanos, Automotive Security Business Development
October 2018
Securing the Connected Car Ecosystem
Agenda
1. Introduction – The Connected Car
2. Threat Analysis and Risk Assessment
3. Securing the Connected Car Ecosystem
4. Conclusion
2018-10-17 Copyright © Infineon Technologies AG 2018. All rights reserved. Infineon Proprietary
The Connected Car – is no longer just about the car
What is a connected car?
[Diagram: vehicle connected through gateways to a 6LowPan home network, TLS-protected services and LTE/5G]
Attacks on vehicles are on the rise
– January 2015: lack of encryption in the cellular connection
– July 2015: open head unit port allowed access to the E/E network
– July 2015: man-in-the-middle attack (insufficient authentication)
– August 2015: attack possible only after physical access to the car network
– CCC event, December 2016: invasive attack via board/voltage manipulation
More security breaches to come (based on aggregated know-how)
› Most of the attacks have been based on software vulnerabilities
› Hardware attacks are just a matter of time
› The industry is starting to ask about side channel attacks and is concerned about operation lifetime (crypto agility, post quantum crypto, etc.)
› Infineon supports you in the search for new and innovative security solutions
TARA – Threat Analysis and Risk Assessment
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” ― Stéphane Nappo
The Threat Modeling/Threat and Risk Assessment process
1. Select a vehicle subsystem and gather the team
2. Draw a block diagram, identify subsystem limits
3. Perform a threat model of the subsystem
4. Evaluate and rank the risk of each identified vulnerability
5. For each risk: address, accept, avoid, or transfer
6. Identify countermeasures to address top risks
Sample subsystem – Level 3 autonomous mode
[Block diagram; studied subsystem: Sensor Fusion ECU]
– User Interface (incl. “Start Autonomous Mode” button)
– Power Generation ECU
– Transmission ECU
– Steering ECU
– Braking ECU
– Sensor ECU (Radar, Camera, Lidar, etc.)
– GPS
– Networks: Ethernet, Powertrain CAN, Safety CAN
Building the Threat Model
Level 3 autonomous mode – data flow diagram
[Data flow diagram: Sensor Fusion in the centre, exchanging data with Sensor ECUs & GPS, User Interface, Power Generation, Transmission, Braking, Steering, …; data flows labelled A, B and C]
Identify Threats to the subsystem - STRIDE
› Experts can brainstorm
› How to do this without being an expert?
  – Use STRIDE to step through the diagram elements
  – Get specific about threat manifestation
Source: https://download.microsoft.com/download/9/3/5/935520EC-D9E2-413E-BEA7-0B865A79B18C/Introduction_to_Threat_Modeling.ppsx
Threat                  Associated property
Spoofing                Authenticity
Tampering               Integrity
Repudiation             Non-repudiation
Information disclosure  Confidentiality
Denial of service       Availability
Elevation of privilege  Authorization
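The STRIDE walk over the diagram elements that the slide recommends, applied to the Level 3 data flow diagram above, as an added Python example that is not part of the Infineon deck. The element kinds and the endpoints of flows A, B and C are assumptions reconstructed from the diagram; the per-element applicability follows the Microsoft STRIDE-per-element chart.

```python
# Added example: STRIDE-per-element over the Level 3 autonomous-mode DFD.
# Element kinds and flow endpoints are assumptions reconstructed from the slide.
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing (authenticity)",
    "T": "Tampering (integrity)",
    "R": "Repudiation (non-repudiation)",
    "I": "Information disclosure (confidentiality)",
    "D": "Denial of service (availability)",
    "E": "Elevation of privilege (authorization)",
}

# Microsoft STRIDE-per-element: which categories apply to each DFD element kind.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # key of APPLICABLE


# Sensor Fusion is the process under study; the other ECUs and the UI are modelled
# as external entities (assumption); A, B, C are the labelled flows, endpoints assumed.
LEVEL3_DFD = [
    Element("User Interface (Start Autonomous Mode button)", "external"),
    Element("Sensor ECUs & GPS", "external"),
    Element("Power Generation ECU", "external"),
    Element("Transmission ECU", "external"),
    Element("Braking ECU", "external"),
    Element("Steering ECU", "external"),
    Element("Sensor Fusion ECU", "process"),
    Element("Flow A: Sensor ECUs & GPS -> Sensor Fusion (Ethernet)", "flow"),
    Element("Flow B: User Interface -> Sensor Fusion", "flow"),
    Element("Flow C: Sensor Fusion -> Braking/Steering (Safety CAN)", "flow"),
]


def enumerate_threats(dfd):
    """One (element, letter, category) tuple per applicable STRIDE category."""
    return [(el.name, c, STRIDE[c]) for el in dfd for c in APPLICABLE[el.kind]]


def threats_for(dfd, name):
    """STRIDE letters that must be considered for one named element."""
    return "".join(c for el, c, _ in enumerate_threats(dfd) if el == name)


if __name__ == "__main__":
    for element, letter, category in enumerate_threats(LEVEL3_DFD):
        print(f"{element:55} {letter} {category}")
```

Each row of the output is one threat to get specific about; the process element collects all six categories, while a flow only needs tampering, disclosure and denial of service considered.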
Risk assessment & evaluation
Risk assessment & evaluation (OWASP “lite” method)
Each entry records: ID, vulnerability description, attack vector, weakness prevalence, weakness detectability, technical impact, rating, risk.

Example row:
ID   Description       Attack vector  Weakness prevalence  Weakness detectability  Technical impact  Rating  Risk
XYZ  My vulnerability  2              1                    3                       3                 6.0     Hi

Rating = Average (attack vector, weakness prevalence, weakness detectability) x Impact

Attack vector:          3 Easy, 2 Average, 1 Difficult
Weakness prevalence:    3 Widespread, 2 Common, 1 Uncommon
Weakness detectability: 3 Easy, 2 Average, 1 Difficult
Technical impact:       3 Severe, 2 Moderate, 1 Minor
Risk:                   ≥6 High, ≥3 Medium, <3 Low
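The OWASP “lite” rating from the table above, carried through in code as an added example (not the deck's own tooling): it reproduces the slide's row XYZ and ranks two further entries that are constructed here for the sensor fusion subsystem, so their scores are illustrative only.

```python
# Added example: the OWASP "lite" risk rating shown on the slide.
# likelihood = average(attack vector, weakness prevalence, weakness detectability), each 1..3
# rating = likelihood x technical impact (1..3); risk: >=6 High, >=3 Medium, <3 Low
from dataclasses import dataclass

ATTACK_VECTOR = {"easy": 3, "average": 2, "difficult": 1}
PREVALENCE = {"widespread": 3, "common": 2, "uncommon": 1}
DETECTABILITY = {"easy": 3, "average": 2, "difficult": 1}
IMPACT = {"severe": 3, "moderate": 2, "minor": 1}


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    description: str
    attack_vector: str
    prevalence: str
    detectability: str
    impact: str


def rating(v: Vulnerability) -> float:
    """Average of the three likelihood factors times technical impact, one decimal."""
    likelihood = (ATTACK_VECTOR[v.attack_vector] + PREVALENCE[v.prevalence]
                  + DETECTABILITY[v.detectability]) / 3
    return round(likelihood * IMPACT[v.impact], 1)


def risk(score: float) -> str:
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank(vulns):
    """Highest rating first, so the top risks get countermeasures first."""
    return sorted(vulns, key=rating, reverse=True)


# The slide's row XYZ (2, 1, 3, 3 -> 6.0, High) plus two constructed entries.
REGISTER = [
    Vulnerability("XYZ", "My vulnerability", "average", "uncommon", "easy", "severe"),
    Vulnerability("SF-01", "Unauthenticated frames on Safety CAN (constructed)",
                  "average", "common", "difficult", "moderate"),
    Vulnerability("SF-02", "Debug interface left enabled (constructed)",
                  "difficult", "uncommon", "difficult", "moderate"),
]

if __name__ == "__main__":
    for v in rank(REGISTER):
        print(f"{v.vid:6} {rating(v):4} {risk(rating(v))}  {v.description}")
```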
Countermeasures for top risks
Example – security countermeasures
Standard countermeasures
– Follow secure coding best practices: do code reviews in design, development, test and rollout phases; check that external inputs are within bounds; fuzz test and pentest.
– Restrict access to resources on an “as needed” basis: use Access Control Lists or similar.
– Store critical keys in a security-certified controller (e.g. TPM): NVM decryption keys stored in a TPM make it much harder to reverse engineer the ECU; fleet keys need maximum security.
– Ship the latest software versions and keep them up to date.
– Use personalized and security-certified chips for key deployment and lifecycle: initial key deployment (asymmetric keys) is security-critical, and it can be made easier and more secure by using a pre-personalized certified security controller.
– Keep logs of key security-related actions and encrypt them: logs can help with OEM/Tier 1 liability in case of accidents or attacks.
The threat modeling and risk assessment process
Threat Modeling Methodologies
• See SAE J3061 & ISO 21434
• STRIDE (link)
• Attack Trees (link)
• Security FMEA (link)
• Attack Libraries (CVE, CAPEC, OWASP Top 10…)
Risk Evaluation Methodologies
• See SAE J3061 & ISO 21434
• DREAD
• OWASP risk rating
• ETSI TVRA
• MIL-STD-882E
Countermeasures
• Use standard mitigations, industry best practices, etc.
• If new mitigations are absolutely needed, get expert advice. Don’t invent your own!
Key takeaways – threat modeling and risk assessment
– There are many threats and threat actors out there
– Not all risks need to be addressed (some can be accepted or avoided)
– There is no “one size fits all” solution
– Don’t create your own security mitigations! Get expert advice.
– TARA is a process – keep your results, communicate and update them continually
Securing the Vehicle Ecosystem
“Security is always excessive until it's not enough.” – Robbie Sinclair
Many devices over many protocols increase the attack surface
[Diagram: in-vehicle networks, Internet, V2X (V2V, V2I), 6LowPan home network, TLS, LTE/5G, 802.11p]
1. Protect the Vehicle Architecture
2. Secure OTA
3. Portable device security
4. Secure Cloud & Services
Securing a mid-range E/E architecture – up to the early 2020s – 4 pillars of security
[Architecture diagram: external interfaces (EV charging, cellular 3G/4G/5G, WiFi, Bluetooth, V2X-DSRC, USB, HD Radio/DAB, mobile wireless charging, TPMS, RKE) reach the vehicle through the Telematics Control Unit, the Infotainment/Head Unit and the OBD port, behind a firewall at the Central Gateway; in-vehicle domains are Powertrain CAN/ENET, Chassis CAN, Body CAN and Safety CAN/ENET, with ECUs such as EMS, TCU, ESC, EPS, BCM, Lights, Airbag and Safety DCU]
1 Protect the Vehicle Architecture
Secure Networks
– Message authentication & encryption (Secure Onboard Communication)
– Denial of service protections (in each ECU)
Secure ECUs
– Secure boot with AURIX™ HSM
– E2E authenticated OTA updates
– Secure key storage in the HSM
– Vehicle access control
Isolate Domains
– Intrusion Detection/Prevention System (IDPS) in AURIX™
– Whitelisting/traffic filter across networks (Firewall)
Protect External Interfaces
– Firewalls (external, with GW)
– TLS/SSL SW in application processor
– eSIM for cellular network security
– Trusted computing (TPM)
– Application level security
– Secure storage of critical/fleet keys, user credentials, PII
– V2X security (SLI 97/SLI 37)
2 – Over-the-Air updates - threats
What if…
− An attacker takes over the server?
− An attacker impersonates the server?
− An attacker prevents the vehicle from getting updates?
− An attacker gains control over the Gateway ECU and sends rogue updates to target ECUs?
2 – Secure OTA – mitigations
[Diagram: OTA server(s) with update image repository → Telematics/Gateway → Target ECU(s) in the target vehicle]
– Store private keys in a TPM/Secure Element. Harden telematics and server with secure boot.
– Secure Onboard Communication and end-to-end authenticated updates with AURIX™ HSM.
– Use application-level security, secure timestamps and metadata, and ensure redundancy (against DoS); e.g. Uptane is an OEM/Tier 1-driven framework to secure the OTA ecosystem.
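The checks a target ECU can apply before installing an update so that each “what if” above (server takeover or impersonation, withheld updates, a rogue gateway) is caught, as an added Python example that is neither the deck's nor Uptane's code. HMAC-SHA256 under a constructed key stands in for the end-to-end OEM signature that the HSM would verify; the metadata layout and field names are assumptions.

```python
# Added example: target-ECU checks for an OTA update so that a rogue gateway, an
# impersonated server, a replayed image or a withheld update is detected.
# HMAC-SHA256 with a constructed key stands in for the HSM-verified OEM signature.
import hashlib
import hmac
import json

OEM_KEY = b"constructed-demo-key"  # placeholder; the real key lives in the HSM/TPM


class UpdateRejected(Exception):
    pass


def _canonical(meta: dict) -> bytes:
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(meta: dict, key: bytes = OEM_KEY) -> bytes:
    """OEM side: authenticate the metadata end to end (the gateway cannot forge this)."""
    return hmac.new(key, _canonical(meta), hashlib.sha256).digest()


def build_metadata(ecu_id, version, image, expires):
    return {"ecu_id": ecu_id, "version": version, "expires": expires,
            "sha256": hashlib.sha256(image).hexdigest()}


def verify_update(meta, tag, image, ecu_id, installed_version, now, key=OEM_KEY):
    """ECU side: return the new version, or raise UpdateRejected with the reason."""
    # 1. End-to-end authentication: metadata must carry the OEM tag, not the gateway's.
    if not hmac.compare_digest(sign_metadata(meta, key), tag):
        raise UpdateRejected("metadata not authenticated by OEM")
    # 2. Secure timestamp: expired metadata is a replay or a withheld update (freeze).
    if now > meta["expires"]:
        raise UpdateRejected("metadata expired")
    # 3. Binding: an image authenticated for another ECU must not be installed here.
    if meta["ecu_id"] != ecu_id:
        raise UpdateRejected("metadata is for a different ECU")
    # 4. Rollback protection: never go back to an older (possibly vulnerable) version.
    if meta["version"] <= installed_version:
        raise UpdateRejected("version is not newer than installed")
    # 5. Image integrity: the authenticated hash must match the delivered bytes.
    if hashlib.sha256(image).hexdigest() != meta["sha256"]:
        raise UpdateRejected("image hash mismatch")
    return meta["version"]


def check(meta, tag, image, **kw):
    try:
        return f"installed {verify_update(meta, tag, image, **kw)}"
    except UpdateRejected as e:
        return f"rejected: {e}"
```

The metadata tag is checked before anything else, so a gateway that re-signs with its own key, a stale bundle replayed after its expiry, or a downgrade is refused without touching the image.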
3 – Portable device security
What if…
− An attacker connects via Bluetooth?
− Malware on a smartphone infects the vehicle infotainment?
− An attacker gets access to CAN via the OBD-II port (e.g. through an OBD dongle)?
− A man-in-the-middle steals PII from the phone-vehicle connection?
3 – Portable device security
[Diagram: smartphone and OBD dongle connected to the Infotainment (IVI) ECU of the target vehicle]
– Phone: harden mutual authentication and key storage with a Secure Element.
– OBD dongle: ensure authenticity of the dongle and protect keys with a lightweight security chip.
– Infotainment (IVI): store private keys in a TPM/Secure Element; harden the Infotainment ECU with secure boot.
4 – Secure cloud & services
What if…
− Someone impersonates a vehicle?
− An attacker blocks the connection to the cloud?
− A man-in-the-middle intercepts vehicle/user data or sends malicious packets to the vehicle?
− An attacker modifies the vehicle-side API to misuse the cloud connection?
4 – Secure cloud & services
[Diagram: cloud services connected to the Infotainment (IVI) ECU of the target vehicle]
– Harden cloud-connected devices integrated with the vehicle using a Secure Element.
– Provision and securely store private keys with a TPM/Secure Element; harden the Infotainment ECU with secure boot.
Conclusion
“At the end of the day, the goals are simple: safety and security.” – Jodi Rell
Final thoughts
› Find out what your company is doing in this area, and contribute!
› YOUR skills and knowledge are extremely valuable for threat modeling!
› Infineon is here to help you with your security needs and concerns!
› Talk to your local Infineon FAE
Contact us! Get involved in security! Participate in the TARA process!