4 Prakash - TiECon Midwest 2016

State of Security and Reliability
of Connected Car EcoSystem
Atul Prakash
Department of EECS
University of Michigan, Ann Arbor
Contact: [email protected]
Our Research & Expertise
● Security of IoT Frameworks
● Some recent accomplishments:
○ FlowFence: Practical Data Protection for Emerging
IoT Application Frameworks
■ USENIX Security, 2016
○ Analyzed security of Samsung's SmartThings IoT
framework and hub-based architecture.
■ IEEE Security and Privacy Distinguished Practical Paper, 2016
Lines of Code in an Automobile
Source: Informationisbeautiful.net
Reliability concerns
• Software is complex. Real-time requirements in many
sub-systems.
• Large body of code implies existence of bugs
• Increasing attack surface over time
  • Network access,
  • Use of OBD-II port for tasks other than diagnostics
Do bugs have real-world impact?
• Unquestionably.
  • Ford Sync and Consumer Reports ratings
  • Toyota brake/accelerator issue?
  • Driver death when Tesla was in auto-pilot mode
  • Chrysler recall: remote attack vulnerabilities in 2015
Reliability Challenge
• Google/Facebook bug vs. bug in an automobile. Criticality?
• Size of software teams?
• Open source vs. closed source
• Where would top software engineering talent go today?
Facebook? Auto companies? Why?
• Bug bounty programs? How do they compare?
A Bay Area company's Bug Bounty program
Auto Companies Bug Bounty Program
• Great to see them come into existence
• Awards:
  • Chrysler: $150 to $1500
  • GM. Hall of Fame. Not sure if there is a reward
  • Ford? Not sure if one exists yet
One auto company: What bugs don't count?
• Denial of service attacks
• Report of insecure SSL/TLS ciphers
• Open ports which do not lead directly to vulnerability
• Open redirect vulnerabilities
• Publicly accessible login panels
• Content spoofing/text injection
Posture towards those reporting bugs
• A Bay Area company:
Posture towards those reporting bugs
One auto company
• X agrees to not pursue claims against researchers related
to the disclosures submitted through this website who: …
• publicly disclose vulnerability details only after X confirms
completed remediation of the vulnerability and not publicly
disclose vulnerability details if there is no completion date or
completion cannot be ascertained;
Which policy works for researchers?
• A driving force for top researchers: conference deadlines
• My own team's experience:
  • Vulnerabilities in SmartThings platform
  • Vulnerabilities on banking web sites
• At most a few months window for us to hold back public
disclosure
• Auto companies may need to adapt to such a time scale
Are connected cars risky?
• Remote Exploit of an Unaltered Jeep Cherokee, Black Hat 2014. 2015 demo
• (Chris Valasek and Charlie Miller)
• 1.4M vehicle recall of Chrysler Vehicles. Multiple 2013-15 models recalled.
Basics of the Hack
• WiFi (crack password) -> Head Unit (Linux)
• Alternative: Cellular network -> Head Unit (Linux)
• From there, compromised Multimedia System and then the CAN bus.
Was this the earliest attack?
• No. It just got a lot of attention since the identity of the vehicle
was revealed.
• Similar attack demonstrated earlier by a UCSD-UW team of
researchers in 2010-2011 on an unidentified car (at that time)
  • In 2010, at IEEE S&P, they showed that CAN bus is insecure. Physical access to the OBD-II port, for example, allowed full compromise of the car
  • In 2011, at Usenix Security, they showed remote exploits
Attacks on Car Platforms
• 2010-11 research by UCSD & UW
Key takeaways
• Can cars be completely compromised if
attackers get access to the CAN bus?
• Yes. ECUs can be reprogrammed with new
firmware, commands can be injected to control
actuators and devices or to control ECUs. Also,
backup safety systems can be blocked from
communicating
Response time for security fixes
• For 2010-11 attack, according to a Wired article, it
was a GM Impala vehicle. Researchers shared the
attack details with GM, but not with the public (nor
the identity of the vehicle). It took GM
approximately 5 years to fix.
• For 2015 attack, identity of the vehicle was made
public. It led to a quick recall and fix by Chrysler.
Lesson? Reveal
• Did revealing the identity of the vehicle have to do with a
quicker response? Or differences in car companies?
• More likely that the auto industry was not ready to handle
security issues in 2010, but is now much better
• According to UW-UCSD researchers, it would have been a
bad idea to reveal the car's identity in 2010-11, given the
nascent state of automobile security at the time
How fundamental are the problems?
• CAN bus: 30-year old design. No security features.
• All bets off once a hacker accesses the CAN bus via any
component on the bus or via the OBD port
• Retrofitting security in the standard likely hard or impossible
(though companies are trying)
• Likely: CAN bus needs to be replaced by a more secure
standard
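
Added example (not from the original slides): since a classic CAN frame carries only an ID and data, with no sender or authentication field, one detection approach is to learn each ID's normal transmission period and flag frames that break it. The candump-style log format, the IDs and the payloads below are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# candump-style log line: "(timestamp) interface ID#HEXDATA"
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse(line):
    """Return (timestamp, can_id, payload). The frame has an ID and up to
    8 data bytes, but no sender field and no authentication tag."""
    m = LINE.match(line.strip())
    if not m or len(m.group(4)) % 2 or len(m.group(4)) > 16:
        raise ValueError(f"not a classic CAN log line: {line!r}")
    return float(m.group(1)), int(m.group(3), 16), bytes.fromhex(m.group(4))

def learn_periods(lines):
    """Median inter-arrival time per CAN ID, learned from known-good traffic."""
    stamps = defaultdict(list)
    for line in lines:
        ts, can_id, _ = parse(line)
        stamps[can_id].append(ts)
    periods = {}
    for can_id, ts_list in stamps.items():
        gaps = sorted(b - a for a, b in zip(ts_list, ts_list[1:]))
        if gaps:
            periods[can_id] = gaps[len(gaps) // 2]
    return periods

def detect(lines, periods, tolerance=0.5):
    """Flag unknown IDs and frames arriving much sooner than the learned period."""
    last, alerts = {}, []
    for line in lines:
        ts, can_id, _ = parse(line)
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown id"))
        elif can_id in last and ts - last[can_id] < periods[can_id] * tolerance:
            alerts.append((ts, can_id, "early frame"))
        last[can_id] = ts
    return alerts

# Constructed sample data: ID 0x244 is sent every 100 ms in the baseline.
BASELINE = [f"(100.{i}00000) can0 244#0000000116" for i in range(5)]
CAPTURE = [
    "(200.000000) can0 244#0000000116",
    "(200.100000) can0 244#0000000116",
    "(200.130000) can0 244#00000001FF",  # extra frame on a known ID
    "(200.200000) can0 244#0000000116",
    "(200.250000) can0 5A1#0102",        # ID never seen in the baseline
]

if __name__ == "__main__":
    for ts, can_id, reason in detect(CAPTURE, learn_periods(BASELINE)):
        print(f"{ts:.6f} id=0x{can_id:03X} {reason}")
```

Timing checks of this kind only detect anomalies after the fact; they do not add the authentication the bus lacks.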
What about "air gap"?
• Car companies try to isolate infotainment systems
from safety-critical systems.
• In practice, air gap is often not a true air gap.
Shared components can breach the gap
• In exploited Jeep, the Multimedia Unit was not directly on
the CAN bus. Nevertheless, attackers were able to get on the
CAN bus
OBD-II port
• Law since 1996 requires a standard diagnostic
port for mechanics.
• Directly on the CAN bus
• Multiple devices available that plug into the
port, some with apps.
Are security problems still there?
• Yes! Fundamentally, they never went away
• They continue to be discovered. Same 2014 Jeep was
attacked again at BlackHat 2016 via a different attack
vector
• Several papers at IEEE Security and Privacy 2016 and
Usenix Security Symposium 2016 on automotive
security
Are attackers incentivized to exploit them?
• Jury is out, but history on other platforms
suggests Yes.
• Ransomware, creating nuisance,
eavesdropping and privacy leaks, and targeted
attacks: all theoretically possible
• State actors should not be ruled out
What can car companies do?
• Emulate software companies like Google, Facebook, Apple, and Microsoft
• Work closely with academic security researchers.
• Car communication infrastructure needs re-think.
• Be more open. Security by obscurity usually does not work
• Assume that motivated hackers will eventually be there as connected cars
become more popular and share software components. Some predictions:
  • Ransomware to allow car use
  • We will be getting weekly or monthly software upgrades