Under the hood – the automotive challenge

Under the hood – the automotive challenge


all right we’ll get started there are a lot of presentations happening right now and you guys chose to be here so thank you for that I think we’ll have a fun fun room with two fantastic presentations I want to introduce the first speaker my friend in borås one of my favorite speakers I’ve seen him present at many many conference you guys are in for a treat because n/bar usually presents bare feet and he’s wearing shoes today so no no I’m gonna she was off it was too cold the air conditioning if you guys never taken your shoes off on stage it’s really nice it’s a it’s a good Zen moment and it helps you uh it started as a as a joke a long time ago and I would just do it for fun well due to your introduction all right let me unlock my computer so you could all enjoy the presentation if I remember there you go all right so under the hood the automotive challenge right okay so the problem what is the problem we all drive cars right and we use cars to carry the things we care about the most right our family friends are expensive stuff and we also know that if a car gets hacked because we’ve been reading about that little we know that something bad can happen but what we don’t know is why is it like that I mean we know IT security what we’ve all been doing that for many years and we’ve come to understand why things are the way they are but the automotive world we’re now all very familiar with and we don’t really know why we keep seeing things or why is it car hackable or why is it even connected to the Internet and what I’m going to do is try to explain to you not about one hacker or another you’re gonna hear a lot about that even the talk after me that sounds very interesting you should stick around for it I’m gonna try to explain to you why cars are hackable and how long it’s going to take until it gets fixed and what are the real risks this is a partial list of the manufacturer firms in the car a car is a very complex project in fact it’s also an outsourced project when you buy a car from let’s say howdy-howdy doesn’t make the whole car right sometimes it’ll only make about 30 percent of it and the rest come from these manufacturers called tier 1 and tier 2 and tier 3 they make different parts and then outages puts them all together and builds a car so a car is a very complex product okay and it’s not just that car all new cars and for a while back or like that this is just a partial list right you have about 30 of each each of them manufacturer has about 30 subcontractors so a car is a complex product so that’s one thing to remember as far as code goes it is estimated today that about 100 maybe 150 million lines of code go into a new car the chips out and just for a reference this is more code than was needed to fly the space show right to give you perspective and this is something we use every day now based on rough estimations okay you know that you have a lot of code you also have a lot of bugs it is estimated that the known number of bugs in a car that ships out roughly 10,000 okay because you know what it’s like you have a product release date and you have bugs and some of them you fix and some of them you don’t and some of them you fix later so about ten thousand bucks in a car that you buy brand new like we say in Israel with the nylon wrapping okay but from talks that we’ve had in the industry it is estimated that the number of unknown bugs might be five times higher than that okay bug that the manufacturers are not aware of and will later be found by researchers or anybody right so that’s a lot of stuff okay now if you ask the people to write that code okay three years ago there was a nice survey asking software development people in car companies about you know code security did they think their code was secure was there company aware of it so only 41% said secure software is a priority for my company and that’s the people that make the cars right it’s not people like me who stand on a stage and you know maybe I what I say is my opinion these are the people that work there and 69% said that I believe that securing the applications needed is difficult or very difficult so they know that that’s not that’s not even the worst thing when asked I believe that automakers are as knowledgeable about secure software development as our other industries a whopping 72% said that no so even the people that write the code for the cars admit that it’s difficult and they don’t know as much about security as they would like to know and maybe the companies that make the products they’re not all that security aware right this is this is three years ago the numbers are probably a little bit better now but this comes from the people that make the cars ECU’s is the electronic control unit it’s the one of the devices that is inside the car it used to be called engine control unit and then it became electronic control unit and every little thing that your car does every little functionality is controlled by one of these devices this is from the internet this is what a car looked like about a decade ago a little bit more even 2006 each one of these boxes does something in your car it can be a sensor it can be an actuator it can be a computer that calculates the if you’re skidding and then starts the ABS it can be the crash control the ABS every one of those is an ECU and you can already see that 12 years ago you had about I can tell you about 60 different ECU’s right and each one of them has code but this and I’m sorry for the lack of details but this is one of our customers gave us permission to use this information under restrictions this is an estimation of what the same map looks in a brand new car the grit gets rolled out today right we have close to 200 different ECU’s in various arrangements so car is also complex in the term that it has a very big collection of different parts and they only to work with each other now it’s true not all of them are as complex as sophisticated on one end of the scale you can find this this is called the TPMS tire pressure measurement system and that’s the little thing that when you lose tire pressure there’s a little yellow you know light on your panel okay still by the way this thing is an IOT device with firmware and a transceiver it can transmit and receive okay so even this little thing is still an IOT device with connectivity on the far end of the scale you have the infotainment or the head unit or other names for that and we all know that these are multi core multi CPU computers full-fledged like a laptop like a tablet they run Linux or Android and they have a lot of connectivity and in many times they’re connected to the Internet right so that’s a whole new different story now as far as networks ago at home you have one it’s the Internet and if you have a wireless then it’s another one but basically that’s it and there are more or less even the same protocol but a car has a large number of different protocols because some of them have an emphasis on latency for example if you crash your car then it should take a few microseconds before the decision is made to open the the airbag whereas if you’re driving in Reverse thank you and you’re looking at the camera then you know if it takes 100 millisecond you’re a human being you’re not gonna pay attention right so you have up to up to six different kinds of networks including by the way Ethernet which is now moving into cars because it’s very useful it can transfer a law a large large amounts of data relatively quickly right now this is the canvas canvas the controller area work is the dominant protocol and the wiring in your car in the beginning it was almost just this and then things were added today this is still the most common bus and you know you don’t need to jump into the this whole thing but I’ll just tell you that this arbitration field serves two purposes one it it is sort of the user ID when you send a message you say hello my user ID is 1 2 3 but this number has significance the lower the number the higher the priority so if let’s say someone who is priority 3 speaking and I have an urgent message in my priorities 1 then they will stop transmitting and then I will transmit but here’s the thing canvas has no security whatsoever there is no form of authentication that lets you know that if someone just sent a message on the bus claiming that they were ID 1 that they are in fact ID 1 so if you put all these two users on the same bus what we call a flat architecture which you know as IT people we know it’s bad ID security same here I could pretend to be any ECU on the bus and no one could know the better now a car also takes a long time to make it’s not just with a lot of parts a lot of networks and a lot of code it takes roughly 5 years between someone starts design the car and until it rolls out a lot of processes to go a lot of checks that you have to make like I said it’s a big outsourcing project and there’s also a lot of regulation you can’t just do whatever you want you have read you a regulation for software and for hardware and how things are done and built and it’s different in some countries so this makes the whole thing again a very complex product and it’s not enough that it’s complex let’s look at how long it has to run when you buy a cellphone today then let’s assume you didn’t drop and break it like half of us do it’ll last or you will use it more or less about a year and a half before you retire it it’s not like the old Nokia’s you could no hammer nails with that it would last forever battery for six days no no today you have an iPhone within a year and a half to slow the battery’s dead whatever if you look at a computer then it’s slightly more right you can keep used to keep using the same computer five six maybe seven years depending on what you do but that’s a reasonable amount of time and it gets updated but a car you buy a car that car will stay about 15 years on the road and it will probably change owners so you bought the car and then somebody else is going to have the car and then somebody else is going to have the car and when they make that product it needs to be really really good because it needs to last fifteen years after being released to the market so that’s a lot of requirement and what happens if you have a problem it’s not like Windows that you can have you know remote update with the exception of one or two vendors that allow remote software update all the vendors if they need to fix something you have to go back to the shop with your car so you lose time maybe even money the car shop loses time because instead of fixing people people’s cars and charging them they now have to replace something that’s not even their problem and of course the vendor needs to pay for all that and it’s a big thing a big thing now let’s look at the thing as an attacker when you look at it at a target you’re looking at attack vectors when we look at cars anything that connects the car to the outside world anything at all is an attack vector and it goes from GPS right which is yes it’s only passive but there have already been demonstrated GPS spoofing attacks to the level of controlling your navigation software it’s been done remote keyless entry a research which is published I think last month about the team from Belgium that managed to crack and clone the key for Tesla okay vehicle to vehicle and vehicle to infrastructure communicating with the outside world onboard onboard diagnostics it’s a little port that you have in the car to connect diagnostic tire pressure measurement again supply chain attack this just came back to the news yesterday with the Chinese thing power line communication if you cars electric when you plug it in there’s data running there you need to identify yourself and get charged and all that and then there’s the infotainment as I said before the entertainment in itself is a full-fledged computer it has everything you would have in a normal computer and that brings a lot more attack vectors right some of them have been in fact exploited by people in this room which I will later mention right Wi-Fi USB Android apps SD card everything is an attack vector now the biggest problem that we are seeing is that and you see that pretty much every other product the market is rushing to connect things because it’s cool it’s cool you have connectivity it’s cool you can sell it to people and let’s face it security put aside usability it’s really nice I mean not necessarily your microwave oven I don’t know what Amazon is doing there but if you have stuff that’s connected to the Internet and you can control it from other places or maybe queried from your phone you know what’s going on like with your air conditioning it’s really nice but their first connecting and only later trying to see ok what are the implications and that is a problem now other thing that I told you is theoretical yeah I said that there is a an attack on the USB but is it just theoretical because in the lab everything is possible no I’m going to share a few stories war stories of research that has been already done and published and you will see that pretty much no one is immune all the big manufacturers have already been hacked one way or another academia I started looking at hacking cars as back as 14 years ago you can see this security in automotive bus systems this is from 2004 all the way to a research from this year about electric cars and what sort of attack you can do if you drain their battery out but the thing that changed everything was these two guys Chris and Charlie in a chain of two researchers published a year apart this one in 2014 and this one in 2015 they showed that it was possible to remotely take over a car from the internet without any previous contact with the car and that changed everything the industry started paying attention other researchers started paying attention and saying oh this is interesting let’s do that where is the Stefan you here yeah so this guy here show that it’s not just about hacking car and taking control because people like to get this very narrow version of what the risks are Stefan and Gabriel showed that your privacy is also at risk they found that a car when you sync your phone to it the car takes all your information from the phone your messages your contacts your call lists and it stays there what if it’s a if it’s a rental car do you remember to disconnect your phone from the rental car and you erase your information if you don’t then your information is still there and that’s a big problem and that was before GDP are now it’s serious and then Tesla came out and Tesla that’s super cool it’s an electric car the most high-tech car and of course it attracted attention this research was published in 2016 I think hacking the Tesla Model S these guys basically took the car apart and look for physical access so they managed to get some control they found some problems but again they had physical access and then 2016 these guys that I think maybe some of them are in the conference because Tencent is in the conference they actually managed to show full remote control of a Tesla car but again it’s not just about taking control of the car because hacking cars is difficult this Norwegian company said something else they said well if you have a Tesla and you have the app on your phone then I can just hack your phone and then steal your car and they did that so it wasn’t even a problem with the car as much as it was with the trust that the car was putting into the phone right this team from the Netherland I think it was showed repeating problems that have already been found in other systems in the infotainment system of harman that was found to be now D and V W same problems open ports and shares and a lot of problems that were already reported in other places and then again the same team that hacked a Tesla did the same thing of BMW and the same problems keep coming up again and again so this is no longer theoretical now there are rumors in the industry and these are just rumors that there was a hack in the wild the got caught and it was silenced I don’t have any additional information on that if you have it if you’re willing to share I’d love to hear it I won’t change my presentation but there’s a rumor that this is already happening now just to give you a perspective one of the things that Argos the company are working in does is pen testing service we’ve had a hundred percent success okay there hasn’t been a single project that we said sorry it can’t be done this gives you a scale this is not ninety nine this is 100% success rate now you don’t need special tools you can buy this dongle for about eight and a half dollars on internet and connect it to your obd2 port in your own car and you can start seeing stuff you can see the agnostic information you can see error codes you can change stuff and maybe you know what you doing and maybe you don’t know what you’re doing but now every person for a box has an interface into changing things in the car and while there are some standards for let’s say secure onboard communication the seco see they’re not always implemented and sometimes even if they are implemented they’re implemented either partially or incorrectly so even though there are some solutions it’s still not as good as we want it to be so now okay we’ve seen that a car is a complex product we understand why it’s going to have a lot of bugs right we’ve seen that these bars have been researched and exploited so this is not theoretical and the question is what can we do if we look back on these things and try to draw conclusions we will see a few things we have published research that shows trivial problems recurring time and again same problem now you would think that if a research on BMW shows something in let’s say 2016 then you should not be having the same problem in another car in 2017 but it is this is what we see we have old an unpatched software rolling into new cars and part of it of course is because you have to meet regulations so you have to have a lot of tests and these tests were performed I don’t know three years ago because it takes five years to make a car so you have outdated software rolling out with cars all the time now it’s not always you know code execution or zero day sometimes these are logical vulnerabilities maybe there is an access that doesn’t need to be there Stefan’s research show that you can just use the USB drive and it gets Oda mounted and then you can just run shell so that’s not remote code execution or some zero-day basic stuff open ports that are still there and shouldn’t be there right so not everything requires top-notch research or exploits and basically you can be a script Kitty and have enough ability and tools to hack a car now it’s already been spoken of in this conference about cybercrime and the economics of it let’s look about the cost of operation and compare automotive to the IT security world that we’re already familiar with to find vulnerability in the IT security world well it’s trivial and up it depends on the platform sometimes it’s very easy sometimes it’s not very easy it is said that because of all the mitigations that the IT security world has been already putting into effect then now if some time if a few years ago it took you a few hours – maybe a day to find an exploit a vulnerability today it can take you a few weeks and sometimes it will even require a chain of vulnerabilities but in the automotive some of them are a lot easier than others so at least for finding vulnerabilities there are more or less the same but the exploitation different because the automotive world has a lot less if any mitigations so where today it’s becoming harder to exploit on the IT security world exploiting a vulnerability that you found in car is a lot simpler and that is the return on investment let’s say you do that how much can you get back so in the IT security world right the problem of monetization is solved we have cyber crime crime as a service you can make money out of pretty much anything from credit card information identity information a hijacking bandwidth CPU storage whatever you want it’s all you know how to do that now with automotive with the exception of ransomware and crypto war which are probably platform agnostic there is no good way to monetize on hacking a car right not not a good way to do that and even if you do find a way if you try if you look at the scale so again hacking at scale in the IT security world also solve problem with crime as a service you just buy a botnet that botnet generates infections and then you’re done you can get a few thousand infections for I don’t know a few dozens of dollars but hacking cars at scale has been proven in research right Christian Charlie showed in fact their research they estimated that they could hack about between three and four hundred thousand cars but the recall was 1.2 million ok so that shows you this is actual scale but we haven’t witnessed any attacks on cars that weren’t at scale now at this point usually someone raises their hands and says no but there was this in in the UK some car thieves were using RFC relays in stealing 4 million quid worth of cars well maybe for you and I 4 million pounds are a lot of money but that’s not scale ok if you look back at Chris’s chart at Chris and Charlie’s research 1.2 million cars that is scale and this is actually our luck the inability to hack cars at scale makes it not a profitable business for cybercrime but we are actually looking at the tipping point because it’s not gonna stay like this for long the cybercrime which is the I guess you could call it the growth engine for hacking and defenses and mitigations be sitting on the fence and just looking at us current type of connectivity prevents the Texas scale different cars use different protocols some are connected in one way and some in the other you have multiple different standards vendors use different things it’s not easy to do it at scale and the limited monetization once again it’s not a good business but this is all changing its changing because you start to have connected cars so they’re all going to have to speak the same language standardization is improving autonomous vehicles will create the ability to monetize on car because if it’s autonomous and I take over it then I can do things with it so now there is a new monetization solution for cars which we don’t have today right and there is something called ECU consolidation if today you have a bunch of different issues there they want to put them all into one big computer that will perform many many functions and then if you take over that computer it’s like taking over the hypervisor and then you know taking over all the virtual machines so I reminding you this is what the network looks in a car this is like an SMB small and medium business if you take a law firm or something this is about as complicated as their network is right and you have to treat it as such because they probably have an IT security guy maybe they have a CIS so maybe it’s just the IT guy and they told him to do security but someone is paying attention but in cars we don’t have that now the solutions already exist in the IT security world so what we need to do is adopt them migrate them we can take them as is you can’t just take some firewall from checkpoint and just put it in the car it doesn’t work like that you need to make the adaptations but the problems are identical so the principles to solve them are identical as well and the way we look at it the first stage is prevention you need to be able to prevent as much as you can make it harder to hack the and then because hackers will always succeed that’s the rule of nature you have to understand that you are being hacked and the next thing is you have to be able to act on it whether it is to report it back to fix maybe send a remote update because otherwise it’s a car that’s being hacked and no one can do anything now we talk about security by design and it’s easy to say security by design but if you don’t have a security person doing that security by design then you don’t get as much security as you think because it takes a security person to understand and apply the the principles of security and it’s okay to take a service if you don’t have someone that does your own security or that can do security by design for you then you get somebody else to do that and the last hope that we have is legislation in Europe and the United States there is legislation now that is starting to change things it’s going to force the manufacturers to be more secure and it will try to deter hackers by introducing penalties but it’s too early to say so summing up cars are complex products with networks that are as complicated as a little business and they need to be treated as such and the tools to do that are already there we just need to migrate them make adaptations and we’re good but there is no silver bullet okay there’s no one thing that will solve your problem if any company ever tells you my solution will solve prevent all hacking so something is wrong don’t do that it has to be layered security you have to detect you have to respond okay and we are that’s the the image that I thought I felt that we is the automotive security industry are the little kid with the finger in the dike were by extending this gap by keeping hacking cars at scale not at reach where I’m making it somewhere that we’re not there yet this is how we’re going to protect ourselves because if we don’t do that if car hacking at scale becomes possible then the floodgates will open cybercrime will dive in then we will have a lot more attacks people start being heard and we will enter this arms race which you already know from the security world thank you so we


Leave a Reply

Your email address will not be published. Required fields are marked *