cars

automotive, News, security October 26, 2017

Cybersecurity Engineering in the Automotive industry

A lot is happening in the Automotive industry these days. It has to do with connectivity, autonomous driving, autonomous parking, and so on. All these have one thing in common: they are producing extremely large amounts of data which needs to be processed in the backend by very powerful computers. When we talk connectivity, we MUST talk about cybersecurity.   This is why the Automotive industry has started to take this very seriously: We have the  ISO/SAE AWI 21434 : Road Vehicles — Cybersecurity engineering which is in the preparation stage We have the European Automobile Manufacturers’ Association (ACEA) who have released the “Principles of Automobile Cybersecurity“ ACEA represents currently the 15 Europe-based car, van, truck and bus manufacturers (Source): BMW Group, DAF Trucks, Daimler, Fiat Chrysler Automobiles, Ford of Europe, Hyundai Motor Europe, Iveco, Jaguar Land Rover, Opel Group, PSA Group, Renault Group, Toyota Motor Europe, Volkswagen Group, Volvo Cars, and Volvo Group ACEA and its members have identified a set of six key principles to enhance the protection of connected and automated vehicles against cyber threats. 1. Cultivating a cybersecurity culture 2. Adopting a cybersecurity life cycle for vehicle development 3. Assessing security functions through testing phases: self-auditing & testing 4. Managing a…

antivirus, automotive, Educational, General, security June 16, 2016

Do you actually need a security product in your car? Part 3 : Intrusion Prevention and Detection Systems

I ended part 2 with the promise that we will discuss about : 2) Intrusion detection and prevention systems (IDS/IPS or IDPS) From Wikipedia: Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent/block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address.   IDPS for cars? Once inside, an attacker can utilize the vehicle’s internal communication bus and take control of additional modules inside the vehicle, including safety critical systems like the ABS and Engine Electronic Control Units (ECUs). Therefore, there is no “trusted device” anymore. Everything has to be assumed to be compromised. The…

automotive, General June 10, 2016

Do you actually need a security product in your car? Part 2: the classical antivirus

I wrote in the first part of this article about Detection, Protection, Remediation and I stopped at the part where we analyze what kind of security products do you need in the car of tomorrow. 1)The classical antivirus We know it to be used mostly for files. But it can much more than that. a) Files There are many files that can enter the car and can produce damages: music video updates (binary or data) scripts configuration files for various subsystems html and javascript (plain text) for rendering Java compiled files (especially if you run Android) possibly Adobe Flash (not sure though) possible Microsoft Silverlight (not sure though) PDFs (reports, help files) Emails (MIME) SMSs Plenty of files to scan, isn’t it? These files can either contain malicious code (Java, JS) or may be specially crafted to exploit known vulnerabilities. This means that there has to be a kind of file checking, so classical antivirus is definitely not dead, despite the vehement comments of some executives and marketing people that wanted to advertise their newest technologies. However, it should be kept in mind that these scanners are mostly signature based. I say “mostly” because even though there are a lot of other detection…

antivirus, automotive, General June 8, 2016

Let the competition for “securing the car” begin!

I didn’t actually want to write such a post, but several press releases drew my attention. So, the competition to protect the car has begun. Big players are now on the hunt for customers. But, when you talk to customers like Daimler, VW, BMW, Nissan and others, the discussions  will take a while. I will maintain the list below with technologies I see in categories. Please note that I write here only vendors that actually have a technology that mitigates threats in the cars and not just any vendor that talks generic about IoT or embedded solutions. I also exclude solutions which address only encryption and/or authentication because this is not enough to protect vehicles. Feel free to contact me if you see a vendor is not here and it should be.     Classic security vendors Company Technology Symantec Symantec Embedded Security: Critical System Protection       Newcomers Company Technology Argus Security Partnered with CheckPoint IDS/IPS TowerSec ECUShield             Vendors that have only papers: Company  Link Intel/McAfee http://www.mcafee.com/us/solutions/embedded-security.aspx

antivirus, automotive, General, security June 7, 2016

Do you actually need a security product in your car? Part 1: Prevention, Detection, Remediation

Note: This is going to be a somehow longer article which I will finish in a couple of related posts.   A security product is a program that Prevents that malware enters the system Detects if previously unknown malware is running on the system Remediates the actions of detected malware on the system Note that it is not mentioned *how* PDR gets implemented in practice. There are many ways to implement them and it is out of the scope of this article how this gets realized.   Back to our question: Do you actually need a security product in your car? Today, no, you don’t. But in 1-2 years the situation will change. Remember that in the automotive industry innovations need time until they reach the end-customers. Why? Read on…   The “Today” Why not today? The cars today are just beginning to become connected. It is like it was in the 80′ with the PCs: have little to no attack surfaces. They are mostly closed systems or have a single encrypted connection to a backend from which they get the data they need. the entry points in the car are: the infotainment system the ODB2 port the in-car Wi-Fi network…

automotive, security February 25, 2016

Nissan’s connected car app offline after trivial to exploit vulnerability revealed

On Wednesday Nissan disabled an app that allowed owners of its electric Leaf car to control their cars’ heating and cooling from their phones, after the Australian researcher Troy Hunt showed he could use it to control others’ cars as well. The NissanConnect EV app, formerly called CarWings, enabled a remote hacker to access the Leaf’s temperature controls and review its driving record, merely by knowing the car’s VIN (vehicle identification number). The app will turn the climate control on or off—it decided not to bother requiring any kind of authentication. When a Leaf owner connects to their car via a smartphone, the only information that Nissan’s APIs use to target the car is its VIN—the requests are all anonymous. Those are the findings of Troy Hunt and Scott Helme, who published their findings on Wednesday. Thursday, Nissan took the service offline.   Conclusion In order to speed up the release, they had to cut corners. Well, they cut the wrong corners. These are the rules of connecting apps to a backend: always use encrypted connections authenticate the client authorize the client (which is different than the authentication) to access various functions filter and validate the incoming data   Sources: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html http://arstechnica.com/cars/2016/02/nissans-connected-car-app-offline-after-shocking-vulnerability-revealed/ http://www.usatoday.com/story/tech/news/2016/02/24/nissan-disables-app-hacked-electric-leaf-smart-phone-troy-hunt/80882756/

automotive, News, security February 11, 2016

Self-driving car: security and liability

I read about Google’s vision of driverless cars. I like it, but I can’t stop to ask myself a few questions. Before that, Google’s driverless car just got its driver license 🙂 The NHTSA letter isn’t a ruling; it’s a clarification about how the agency will interpret the law in the future. You can read the full thing here (warning: It’s a mess), but the key part is below: As a foundational starting point for the interpretations below, NHTSA will interpret driver in the context of Google’s described motor vehicle design as referring to the SDS, and not to any of the vehicle occupants. We agree with Google its SDV will not have a driver in the traditional sense that vehicles have had drivers during the last more than one hundred years. The trend toward computer-driven vehicles began with such features as antilock brakes, electronic stability control, and air bags, continuing today with automatic emergency braking, forward crash warning, and lane departure warnings, and continuing on toward vehicles with Google’s SDV and potentially beyond. … If no human occupant of the vehicle can actually drive the vehicle, it is more reasonable to identify the driver as whatever (as opposed to…

%d bloggers like this: