SlideShare a Scribd company logo

Hacking your Connected Car: What you need to know NOW

Download as PPTX, PDF
Kapil Kanugo
Kapil Kanugo

Cars these days are 90% controlled by electronics and 10% using mechanics. The average new car already contains around 20 individual processors to monitor and control various functions — everything from the transmission’s shift points to the operation of the defroster — with about 60 megabytes of software code. Many new cars are as “wired” as a home office — with onboard GPS navigation and wireless communications networks including Bluetooth, Wi-Fi or Internet run on Embedded OS's which run on converged Electronics to control these actions. What if modern car’s onboard electronics be “hacked” or infected by a computer virus introduced through a wireless device that might corrupt or disable or controlled by a Hacker sitting at home? The software does come with built in security but this is not enough and there is a need to offer a full Security package along with Car to guarantee Car's security. Life of people is more important than a gadget and people will pay and buy this package with a new car or upgrade to ensure that their car is not hacked by Hackers to malfunction or be used for other pervert interests.

Related slideshows

Building Beautiful High Performance Connected Car Applications
Building Beautiful High Performance Connected Car ApplicationsBuilding Beautiful High Performance Connected Car Applications
Building Beautiful High Performance Connected Car Applications
 
Connected Car Security
Connected Car SecurityConnected Car Security
Connected Car Security
 
Connected Cars
Connected CarsConnected Cars
Connected Cars
 
1 of 30
Hacking Your Connected Car : What you need to Know Now Kapil Kanugo Twitter: @kapilkanugo
Smart Cars Cars these days are 90%controlled by electronics and 10% using mechanics. The average new car already contains around 20 individual processors to monitor and control various functions — everything from the transmission’s shift points to the operation of the defroster — with about 60 megabytes of software code.
Connected Cars Many new cars are as “wired” as a home office — with onboard GPS navigation and wireless communications networks including Bluetooth, Wi-Fi or Internet run on Embedded OS's which run on converged Electronics to control these actions.
Seriously?? What if modern car’s onboard electronics be “hacked” or infected by a computer virus introduced through a wireless device that might corrupt or disable or controlled by a Hacker sitting at home?
Connected Car Teardown
Connected Car Eco system •Drivers •Smartphone Revolution •Embedded Open Operating Systems and Application Stores •Innovation, Time-to-Market, and Cost •Third Party Developer Ecosystem •Electrical Vehicles •Barriers •Safety Concerns and Risks •Government Regulation •Cellular Connectivity Cost and Coverage •Telematics Applications •Emergency Calling (eCall) •Roadside Assistance (bCall) •Remote Control •Remote Diagnostics •Vehicle Tracking, Geofencing, and Driving Behavior Monitoring •Infotainment Applications •Multimedia •Turn-by-Turn Navigation •Social Location Applications •Information and Content •Communication •Safety and Security Applications •Emergency Calling (eCall) •Roadside Assistance/Breakdown Call (bCall) •Stolen Vehicle Tracking and Recovery/Geofencing •Driver Behavior Monitoring •Connected Infotainment Applications •Off-Board and Hybrid Navigation •Concierge Services •Online Services and Multimedia •Pay-as-You-Drive Insurance •Convenience Applications •Remote Diagnostics and Maintenance •Electronic Toll Collection and Congestion Charging •Remote Door Lock/Unlock •Smartphone Applications •Standalone Smartphone- Based Solutions •Smartphone Applications Linked with In-car Display, Audio, and User Interface Systems •Use of Smartphones as Remote Controls for Embedded Systems •Hybrid Systems •Embedded Applications Automotive Application Type Consumer Telematics Services Market Drivers and Barriers Automotive Application Categories
Types of attacks on smart cars What types of Attacks are Are possible on Smart Cars
Insider Attacks Attacker can be legitimate owner w/ extended access rights Attacker can prevent emergency protection mechanisms or security updates Attacker doesn’t care about legal penalties
Offline attacks Attacker has virtually unlimited time Attacker has virtually unlimited trials Attacker and attack are hard to detect
Physical Attacks Asset manipulation or reads via debug interfaces, probing, side channels, decryption Disabling, manipulating or any physical inputs, outputs and processing like brakes failure and force engine to not start
Logical Attacks Less securely validated software attack Less Validated hardware attack Over the network attack Over the application level attack
Privacy Attacks Track Vehicle movement Compromise Driver personal info or identity theft, credit card info Manipulate traffic and GPS info for traffic Jams or accidents
Services under Attack: eCall eToll Remote Car Control Remote Diagnosis Danger Warning Flashing Firmware
Where do they attack? Automotive Interfaces Direct Interfaces OBD-II CAN OEM and Hybrid Telematics Systems Cellular Bluetooth USB Wi-Fi
Connected Cars: Questions before us.. Ecosystem Drivers/Barriers ? Usage Models ? Case Studies? Security Arch ? 1. Data Security (credit card, personal info, location) 2. Privacy Protection and deployment of solution 3. Security as service Business models Risk Mitigation Strategy? Honeypots? Enable Businesses save cost ? Business Model ? Where are we today? Where do we have to go?
What YOU need to know Prevention •Privacy Theft • Disaster Deterrence •Cryptographic Encryption Detection •Intruder detection • Internal security and confidentiality Deflection •Honeypots Countermeasures Risk mitigation Recovery •Backups, •Updates, •self correcting Five Pillars of Security Management in Vehicles:
How to safeguard Car as a black box for defining Security and Privacy policies. Service oriented and Layered protocol design External data communication based on verification if its trustworthy Safeguard against malwares, rootkits, ROP for x86,ARM etc platforms
Connected Car Security Connected Car Vehicle Platform (ECU) Portal at Automotive company delivering services Communication link between portal and Vehicle
Scalability  Flexible configuration and secure updates Deployment of security policies and privacy
Security Architecture Identity Protocol • Key Pair • Certificate • Psedonyms • Security Manager • Key Management • Security Daemon • Application Layer • Network Layer • Device Layer Test Management Center • Certificate Management • Certificate Revocation TCP/IP Secure tunnel Internet Security Central Control Internet Roadside Stations Security Daemon Communication Control Layer IEEE 802.11g WPA2 protected Secure tunnel Secure tunnel Decision basis for Cryptographic Algorithms • Privacy • Key Distribution • Verification time • Security Overhead per message • Authentication • Active revocation necessary • Security Risk • Standards and Regulation • Security header in Message Payload transmitted
Encapsulation and abstraction Overall on-board security architecture Centralized maintenance of dedicated security modules. Security API for Application developers Static and Dynamic configuration of security policies and privacy credentials Addition of Security payload data for each MAC transaction.
Need Modular (cost-) efficient security for:  In vehicular devices: sensors, actuators, ECU’s  HW and SW architecture securing SW apps based on HW modules In order to  Enforce ECU s/w protection against SW attacks  Provide reliable ECU/ HW/SW configuration and protection Based on:  Hardware based security  Security software layer
Market Trend: Use cases
Facets of Connected Car Data Mobile Operating Systems 1. Open Source vs. Proprietary Operating Systems 2. iPhone and iPod Touch 1. Android 2. Nokia-Symbian and MeeGo 3. Blackberry 4. Java 5. Windows Mobile • Dock and Transfer of Credentials • Media Content • Web • Widgets • Audio • Conferencing • Facetime • Browsing • Searching • Maps 3G Service Provider, App Developer, HW/SW OEM, 3rd Party
Protection Services for Your Car 1.Multi-function security bundle 2.Privacy Protection Services 3.Protection services for Cloud farm 4.Self Managed and monitored firewall service 5.Identity Protection services 6.Intrusion prevention and detection service 7.Security services for unified threat management (mass attack)
Protect software security mechanisms by: Providing trustworthy security anchor for upper SW layers Secure generation, secure storage and secure processing of security critical material from all malicious SW Establish secure sessions between ECU and External entity over the network for secure communication
Reduce security costs and overhead on high volumes by: Applying highly optimized circuitry instead of costly general purpose hardware
Business Continuity and Resiliency Services Business continuity is vital to business success, and in today's interconnected world, virtually every aspect of a company's operation is vulnerable to disruption.
Managed Web security  Provide real-time scanning of traffic against known virus and spyware definitions  Provide an easy-to-use, Web-based policy administration that establishes appropriate usage and identifies prohibited sites, content and file types  Filter Web traffic according to your usage policy and helps block inappropriate traffic from reaching your network  Allow forwarding of "clean" Web traffic to the end user with no noticeable delay in performance  Help protect your network from new and undiscovered vulnerabilities using advanced analyses that identify suspicious activities  Include Help Desk services, security advisories, and access to the incident response team
Steps to Take  Help manage compliance with security initiatives by scanning for and classifying vulnerabilities  Provide remediation steps and data to assess and manage security risks to help reduce threat exposure  Help reduce cost and complexity of security maintenance through Intel cloud security services  Vulnerability management can detect vulnerabilities across network devices, servers, web applications and databases to help reduce risk and better manage compliance requirements. And because solution is cloud-based, customers can save on licensing fees and security operations maintenance costs

More Related Content

Hacking your Connected Car: What you need to know NOW

  • 1. Hacking Your Connected Car : What you need to Know Now Kapil Kanugo Twitter: @kapilkanugo
  • 2. Smart Cars Cars these days are 90%controlled by electronics and 10% using mechanics. The average new car already contains around 20 individual processors to monitor and control various functions — everything from the transmission’s shift points to the operation of the defroster — with about 60 megabytes of software code.
  • 3. Connected Cars Many new cars are as “wired” as a home office — with onboard GPS navigation and wireless communications networks including Bluetooth, Wi-Fi or Internet run on Embedded OS's which run on converged Electronics to control these actions.
  • 4. Seriously?? What if modern car’s onboard electronics be “hacked” or infected by a computer virus introduced through a wireless device that might corrupt or disable or controlled by a Hacker sitting at home?
  • 6. Connected Car Eco system •Drivers •Smartphone Revolution •Embedded Open Operating Systems and Application Stores •Innovation, Time-to-Market, and Cost •Third Party Developer Ecosystem •Electrical Vehicles •Barriers •Safety Concerns and Risks •Government Regulation •Cellular Connectivity Cost and Coverage •Telematics Applications •Emergency Calling (eCall) •Roadside Assistance (bCall) •Remote Control •Remote Diagnostics •Vehicle Tracking, Geofencing, and Driving Behavior Monitoring •Infotainment Applications •Multimedia •Turn-by-Turn Navigation •Social Location Applications •Information and Content •Communication •Safety and Security Applications •Emergency Calling (eCall) •Roadside Assistance/Breakdown Call (bCall) •Stolen Vehicle Tracking and Recovery/Geofencing •Driver Behavior Monitoring •Connected Infotainment Applications •Off-Board and Hybrid Navigation •Concierge Services •Online Services and Multimedia •Pay-as-You-Drive Insurance •Convenience Applications •Remote Diagnostics and Maintenance •Electronic Toll Collection and Congestion Charging •Remote Door Lock/Unlock •Smartphone Applications •Standalone Smartphone- Based Solutions •Smartphone Applications Linked with In-car Display, Audio, and User Interface Systems •Use of Smartphones as Remote Controls for Embedded Systems •Hybrid Systems •Embedded Applications Automotive Application Type Consumer Telematics Services Market Drivers and Barriers Automotive Application Categories
  • 7. Types of attacks on smart cars What types of Attacks are Are possible on Smart Cars
  • 8. Insider Attacks Attacker can be legitimate owner w/ extended access rights Attacker can prevent emergency protection mechanisms or security updates Attacker doesn’t care about legal penalties
  • 9. Offline attacks Attacker has virtually unlimited time Attacker has virtually unlimited trials Attacker and attack are hard to detect
  • 10. Physical Attacks Asset manipulation or reads via debug interfaces, probing, side channels, decryption Disabling, manipulating or any physical inputs, outputs and processing like brakes failure and force engine to not start
  • 11. Logical Attacks Less securely validated software attack Less Validated hardware attack Over the network attack Over the application level attack
  • 12. Privacy Attacks Track Vehicle movement Compromise Driver personal info or identity theft, credit card info Manipulate traffic and GPS info for traffic Jams or accidents
  • 13. Services under Attack: eCall eToll Remote Car Control Remote Diagnosis Danger Warning Flashing Firmware
  • 14. Where do they attack? Automotive Interfaces Direct Interfaces OBD-II CAN OEM and Hybrid Telematics Systems Cellular Bluetooth USB Wi-Fi
  • 15. Connected Cars: Questions before us.. Ecosystem Drivers/Barriers ? Usage Models ? Case Studies? Security Arch ? 1. Data Security (credit card, personal info, location) 2. Privacy Protection and deployment of solution 3. Security as service Business models Risk Mitigation Strategy? Honeypots? Enable Businesses save cost ? Business Model ? Where are we today? Where do we have to go?
  • 16. What YOU need to know Prevention •Privacy Theft • Disaster Deterrence •Cryptographic Encryption Detection •Intruder detection • Internal security and confidentiality Deflection •Honeypots Countermeasures Risk mitigation Recovery •Backups, •Updates, •self correcting Five Pillars of Security Management in Vehicles:
  • 17. How to safeguard Car as a black box for defining Security and Privacy policies. Service oriented and Layered protocol design External data communication based on verification if its trustworthy Safeguard against malwares, rootkits, ROP for x86,ARM etc platforms
  • 18. Connected Car Security Connected Car Vehicle Platform (ECU) Portal at Automotive company delivering services Communication link between portal and Vehicle
  • 19. Scalability  Flexible configuration and secure updates Deployment of security policies and privacy
  • 20. Security Architecture Identity Protocol • Key Pair • Certificate • Psedonyms • Security Manager • Key Management • Security Daemon • Application Layer • Network Layer • Device Layer Test Management Center • Certificate Management • Certificate Revocation TCP/IP Secure tunnel Internet Security Central Control Internet Roadside Stations Security Daemon Communication Control Layer IEEE 802.11g WPA2 protected Secure tunnel Secure tunnel Decision basis for Cryptographic Algorithms • Privacy • Key Distribution • Verification time • Security Overhead per message • Authentication • Active revocation necessary • Security Risk • Standards and Regulation • Security header in Message Payload transmitted
  • 21. Encapsulation and abstraction Overall on-board security architecture Centralized maintenance of dedicated security modules. Security API for Application developers Static and Dynamic configuration of security policies and privacy credentials Addition of Security payload data for each MAC transaction.
  • 22. Need Modular (cost-) efficient security for:  In vehicular devices: sensors, actuators, ECU’s  HW and SW architecture securing SW apps based on HW modules In order to  Enforce ECU s/w protection against SW attacks  Provide reliable ECU/ HW/SW configuration and protection Based on:  Hardware based security  Security software layer
  • 24. Facets of Connected Car Data Mobile Operating Systems 1. Open Source vs. Proprietary Operating Systems 2. iPhone and iPod Touch 1. Android 2. Nokia-Symbian and MeeGo 3. Blackberry 4. Java 5. Windows Mobile • Dock and Transfer of Credentials • Media Content • Web • Widgets • Audio • Conferencing • Facetime • Browsing • Searching • Maps 3G Service Provider, App Developer, HW/SW OEM, 3rd Party
  • 25. Protection Services for Your Car 1.Multi-function security bundle 2.Privacy Protection Services 3.Protection services for Cloud farm 4.Self Managed and monitored firewall service 5.Identity Protection services 6.Intrusion prevention and detection service 7.Security services for unified threat management (mass attack)
  • 26. Protect software security mechanisms by: Providing trustworthy security anchor for upper SW layers Secure generation, secure storage and secure processing of security critical material from all malicious SW Establish secure sessions between ECU and External entity over the network for secure communication
  • 27. Reduce security costs and overhead on high volumes by: Applying highly optimized circuitry instead of costly general purpose hardware
  • 28. Business Continuity and Resiliency Services Business continuity is vital to business success, and in today's interconnected world, virtually every aspect of a company's operation is vulnerable to disruption.
  • 29. Managed Web security  Provide real-time scanning of traffic against known virus and spyware definitions  Provide an easy-to-use, Web-based policy administration that establishes appropriate usage and identifies prohibited sites, content and file types  Filter Web traffic according to your usage policy and helps block inappropriate traffic from reaching your network  Allow forwarding of "clean" Web traffic to the end user with no noticeable delay in performance  Help protect your network from new and undiscovered vulnerabilities using advanced analyses that identify suspicious activities  Include Help Desk services, security advisories, and access to the incident response team
  • 30. Steps to Take  Help manage compliance with security initiatives by scanning for and classifying vulnerabilities  Provide remediation steps and data to assess and manage security risks to help reduce threat exposure  Help reduce cost and complexity of security maintenance through Intel cloud security services  Vulnerability management can detect vulnerabilities across network devices, servers, web applications and databases to help reduce risk and better manage compliance requirements. And because solution is cloud-based, customers can save on licensing fees and security operations maintenance costs