© Fraunhofer-Gesellschaft 2016
A CRISP Member
Automated Driving – Data Protection and Data Security: State of the Art and Further Technological Development
Prof. Dr. Michael Waidner, Director, Fraunhofer Institute for Secure Information Technology SIT; Spokesman, Center for Research in Security and Privacy CRISP
Automated Driving – Data Protection and Data Security, Vereinigung der Bayerischen Wirtschaft eV, Munich, 1 August 2016
Fraunhofer Institute for Secure Information Technology SIT
Leading institute in Germany for applied cybersecurity research

Applied cybersecurity R&D for industry, government, society
»Security by Design« & »Security at Large«
Designs, analyses, tests, experiments and measurements
Cybersecurity, forensics, privacy, cloud, embedded, Internet, infrastructure, software, business/industrial IT

Facts and figures
1961: Foundation, 1996: Refocus on cyber, 2001: Member of Fraunhofer-Gesellschaft
170 employees, 9 departments in Darmstadt and Birlinghoven (Bonn), project center in Jerusalem
On-campus labs: Airbus/Stormshield, SAP, Sirrix AG, Software AG
1/3 base funding, 2/3 contract research
Co-operation with industry and governments
Member of the federal/state-funded Center for Research in Security and Privacy (CRISP)
https://www.sit.fraunhofer.de
Outline
Cybersecurity
Automotive Cybersecurity
Examples
Conclusions
The High-Tech Topics 2016
The most important technology and market trends from the perspective of the ICT industry
Source: https://www.bitkom.org/Presse/Presseinformation/Sicherheit-fuer-IT-Unternehmen-das-Thema-des-Jahres.html
Data Theft, Espionage, Sabotage
Two thirds of industry are affected
Source: https://www.bitkom.org/Presse/Presseinformation/Industrie-im-Visier-von-Cyberkriminellen-und-Nachrichtendiensten.html
Prototypical Cyberattacks
Targeted, organized and economically or politically motivated. Many high-profile victims: everybody is vulnerable.

Stuxnet (2010)
DigiNotar (2011)
RSA / Lockheed-Martin (2011)
Saudi Aramco (2012)
EADS (2012)
PRC Unit 61398, Shanghai (2013); NSA / GCHQ programs (2013/14)
German steel mill (2014)
German Bundestag (2015)
US Office of Personnel Management (2015)
Key Sources of Insecurity

Insufficient engineering
Ca. 8000 new vulnerabilities per year (IBM, 2016)
Ca. 100 – 1000 vulnerabilities in larger software
Insecure integration: no security design, unnecessarily large attack surface, wrong interface assumptions, no or insufficient authentication, …
Insufficient adoption of best practices and known technologies
Insufficient understanding of privacy and data minimization

Insufficient visibility and insight
Ca. 140 days breach detection time (Mandiant, 2016)
Insufficient data, insufficient visibility across organizations
Limited readiness for emergency response
Insufficient systems management

Insiders, social engineering, usability, …
Source: https://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/
Automotive Cybersecurity
Information Technology as Key Enabler
New technology enables new business models and applications

Increased traffic safety and efficiency: emergency call (eCall), accident documentation
Infotainment
Optimized maintenance processes: better diagnostics, predictive maintenance
New insurance tariffs (»Pay as you drive«)
New car sharing and fleet management models
Product improvement for OEMs
Information Technology as Key Enabler
New interfaces and increased connectivity

Wireless: GSM/UMTS/LTE, WiFi, Bluetooth
Interfaces: On-Board Diagnostics (OBD), Tire Pressure Monitoring, EV Charging
Car-2-X Communication
Immobilizer, Remote Keyless Entry
E/E, ECU Security: Tachograph, Chip Tuning, Function Activation
Infotainment: USB, Lightning, GPS, DAB, TMC, RDS
50–100 ECUs, 10–100 million lines of code
Information Technology as Key Enabler
Increased impact of malfunctions and attacks

Parties involved: terrorists & criminals, vehicle owner, vehicle driver, repair shops, fleet owner, service provider, insurance companies, government, manufacturer

Damages to life and limb: influence brakes, engine, advanced driver assistance
Financial damages: vehicle theft, turned-back odometer, illegal function activation or chip tuning
Loss of privacy: driving behavior profiles, movement profiles, driver identification
Information Technology as Key Enabler
Increased attack surface and adversary incentives result in increased risk

Over time: car electronics → Car2X communication → autonomous driving

Increased use of IT (SW/HW) + increased design complexity + increased "software-defined everything" + new interfaces and increased connectivity → increased attack surface
Increased attack surface + increased use/generation of (personal) data + increased impact of malfunction/attack → increased risk
Examples
Car Hacking, Chip Tuning, Unauthorized Function Activation
Classical approach of hacking: standard vulnerabilities in SW [no Security by Design], HW [not tamper-resistant], crypto [weak keys, weak randomness]

Complete remote takeover of an unmodified 2014 Chrysler Jeep Cherokee through an update vulnerability in the UConnect infotainment system [Miller/Valasek, Black Hat 2015]; the same attack pattern with physical access to the vehicle was shown earlier by Koscher et al. [IEEE S&P 2010]

1. Find an open interface: OBD interface, wireless connection with weak protection, EV charging interface, infotainment interface, Internet/mobile apps
2. Move and escalate rights: weak isolation, well-known exploits, standard buses (CAN, …) without security, easy-to-flash firmware
3. Take control, steal data: e.g., send arbitrary CAN messages

Needed: Security and Privacy by Design, trusted HW, secure architectures

Sources: C. Miller, C. Valasek: Remote Exploitation of an Unaltered Passenger Vehicle; Black Hat 2015; K. Koscher et al.: Experimental Security Analysis of a Modern Automobile; IEEE S&P "Oakland" 2010; http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway
Security and Privacy by Design: Relevant and Ongoing Standardization Efforts

AUTOSAR (AUTomotive Open System ARchitecture): Crypto Service Manager (CSM), Crypto Abstraction Library (CAL), Secure Onboard Communication, …, Adaptive Platform
Society of Automotive Engineers: SAE J3061: Cybersecurity Guidebook for Cyber-Physical Vehicle Systems (ongoing)
International Organization for Standardization: ISO/TC 22 WG »Automotive Security« (ongoing)
Joint declaration of the Conference of the Independent Data Protection Authorities of the Federation and the Länder and the German Association of the Automotive Industry (VDA) of 26 January 2016
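The AUTOSAR Secure Onboard Communication item above and the "standard buses (CAN, …) without security" step of the car-hacking example describe the same gap from two sides: a receiving ECU should act on a frame only if it carries a MAC under a shared key and a freshness value it has not yet seen, so that an injected or replayed frame is dropped. The following Python is an added illustration written for this page, not AUTOSAR code and not anything from the Jeep research; it stands in HMAC-SHA256 for AES-CMAC, and the key, the hypothetical CAN ID 0x2A0 and both ECU classes are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from any real vehicle or AUTOSAR configuration).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
BRAKE_CMD_ID = 0x2A0      # hypothetical CAN ID carrying a brake request
FRESH_LEN = 2             # bytes of the freshness counter carried in the frame
MAC_LEN = 4               # bytes of truncated MAC carried in the frame
MAX_DLC = 8               # classic CAN payload limit


def compute_mac(can_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over (CAN ID || payload || full 32-bit freshness), truncated to MAC_LEN.
    Real SecOC uses AES-CMAC; HMAC-SHA256 is used here so the demo needs no extra library."""
    data = struct.pack(">H", can_id) + payload + struct.pack(">I", freshness)
    return hmac.new(KEY, data, hashlib.sha256).digest()[:MAC_LEN]


class SecOCSender:
    """Appends the low FRESH_LEN bytes of a monotonically increasing counter and a MAC."""
    def __init__(self):
        self.freshness = 0

    def frame(self, can_id: int, payload: bytes) -> bytes:
        self.freshness += 1
        tag = compute_mac(can_id, payload, self.freshness)
        fresh_b = struct.pack(">I", self.freshness)[-FRESH_LEN:]
        data = payload + fresh_b + tag
        assert len(data) <= MAX_DLC, "payload too long for a classic CAN frame"
        return data


class LegacyBrakeECU:
    """Plain CAN: any frame with the right ID is acted upon, no sender authentication."""
    def __init__(self):
        self.brake_torque = 0

    def on_frame(self, can_id: int, data: bytes) -> bool:
        if can_id != BRAKE_CMD_ID:
            return False
        self.brake_torque = data[0]
        return True


class SecOCBrakeECU:
    """Acts on a frame only with a valid MAC and a strictly increasing freshness value."""
    def __init__(self):
        self.brake_torque = 0
        self.last_freshness = 0

    def on_frame(self, can_id: int, data: bytes) -> bool:
        if can_id != BRAKE_CMD_ID or len(data) <= FRESH_LEN + MAC_LEN:
            return False
        payload = data[:-(FRESH_LEN + MAC_LEN)]
        fresh_b = data[-(FRESH_LEN + MAC_LEN):-MAC_LEN]
        tag = data[-MAC_LEN:]
        # Rebuild the full counter from own state plus the transmitted low bytes
        # (simplified: no handling of counter wrap-around or lost frames).
        freshness = (self.last_freshness & ~0xFFFF) | int.from_bytes(fresh_b, "big")
        if freshness <= self.last_freshness:
            return False          # replayed or stale frame
        if not hmac.compare_digest(tag, compute_mac(can_id, payload, freshness)):
            return False          # forged or modified frame
        self.last_freshness = freshness
        self.brake_torque = payload[0]
        return True


def demo() -> dict:
    """Legitimate traffic, an injected frame, a replay and a forgery against both ECUs."""
    sender = SecOCSender()
    legacy, secoc = LegacyBrakeECU(), SecOCBrakeECU()
    legit = sender.frame(BRAKE_CMD_ID, bytes([0x10, 0x00]))       # brake torque 16
    injected = bytes([0xFF, 0x00]) + bytes(6)                     # attacker: full brake, no MAC
    forged = bytes([0xFF, 0x00]) + b"\x00\x05" + bytes(4)         # guessed counter, bogus MAC
    results = {
        "legacy_accepts_legit": legacy.on_frame(BRAKE_CMD_ID, legit),
        "legacy_accepts_injected": legacy.on_frame(BRAKE_CMD_ID, injected),
        "secoc_accepts_legit": secoc.on_frame(BRAKE_CMD_ID, legit),
        "secoc_rejects_injected": not secoc.on_frame(BRAKE_CMD_ID, injected),
        "secoc_rejects_replay": not secoc.on_frame(BRAKE_CMD_ID, legit),
        "secoc_rejects_forged": not secoc.on_frame(BRAKE_CMD_ID, forged),
    }
    nxt = sender.frame(BRAKE_CMD_ID, bytes([0x20, 0x00]))
    results["secoc_accepts_next"] = secoc.on_frame(BRAKE_CMD_ID, nxt)
    results["legacy_torque"], results["secoc_torque"] = legacy.brake_torque, secoc.brake_torque
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The legacy ECU ends up at full brake torque from the attacker's frame, the authenticated one never leaves the legitimate values. Note what the truncation costs: four MAC bytes and two freshness bytes leave only two bytes of payload in an 8-byte classic CAN frame, which is why real deployments tune these lengths per signal and why CAN FD eases the trade-off.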
Circumvent Remote Keyless Entry / Immobilizer
Classical failures of crypto designs: weak/proprietary algorithms, short keys, no update feature for broken systems, flawed proximity assumption

Straightforward relay (man-in-the-middle) attack on keyless entry systems [ADAC 2015]: the car's challenge and the key's response are forwarded between two attackers, so a cryptographically correct answer arrives from a key that is nowhere near the car

Needed: state-of-the-art crypto design, standard crypto/RNG, distance bounding / relay-resistance

Source: https://www.adac.de/infotestrat/technik-und-zubehoer/fahrerassistenzsysteme/keyless/default.aspx
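The "flawed proximity assumption" above is the whole point: a sound challenge-response proves that the key exists somewhere, not that it is next to the car, so better crypto alone does not help. The simulation below is an added example written for this page and models no particular manufacturer's system; the propagation speed is physics, while the key secret, the fob's fixed processing latency, the 2 m bound and the relay overhead are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed simulation constants (not measured on any real system).
KEY_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SPEED_OF_LIGHT_M_PER_NS = 0.2998      # radio propagation: roughly 30 cm per nanosecond
FOB_PROCESSING_NS = 200.0             # fixed, known response latency of the fob
MAX_DISTANCE_M = 2.0                  # the car unlocks only if the fob is within 2 m


class KeyFob:
    """Answers the car's challenge with a keyed MAC; the secret never leaves the fob."""
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(KEY_SECRET, challenge, hashlib.sha256).digest()[:8]


def valid_response(challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(KEY_SECRET, challenge, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, response)


def round_trip_ns(fob_distance_m: float, relay_overhead_ns: float = 0.0) -> float:
    """Car -> fob -> car: two propagation legs, fob processing, any relay electronics."""
    return 2 * fob_distance_m / SPEED_OF_LIGHT_M_PER_NS + FOB_PROCESSING_NS + relay_overhead_ns


def estimated_distance_m(rtt_ns: float) -> float:
    """Distance bound from time of flight after subtracting the fob's known latency."""
    return (rtt_ns - FOB_PROCESSING_NS) * SPEED_OF_LIGHT_M_PER_NS / 2


def unlock_attempt(fob_distance_m: float, relay_overhead_ns: float = 0.0,
                   tamper: bool = False, distance_bounding: bool = True) -> bool:
    """One unlock protocol run. The attacker (relay) can forward bits but not compute the MAC."""
    challenge = secrets.token_bytes(16)          # fresh per run, so replay of old answers fails
    response = KeyFob().respond(challenge)
    if tamper:
        response = bytes(8)                      # attacker without the secret guesses the answer
    rtt = round_trip_ns(fob_distance_m, relay_overhead_ns)
    if not valid_response(challenge, response):
        return False                             # crypto check: catches forgery, not relay
    if distance_bounding and estimated_distance_m(rtt) > MAX_DISTANCE_M:
        return False                             # timing check: catches relay
    return True


if __name__ == "__main__":
    print("owner at 1 m:", unlock_attempt(1.0))
    print("relay, crypto only:", unlock_attempt(30.0, relay_overhead_ns=50.0, distance_bounding=False))
    print("relay, distance bounded:", unlock_attempt(30.0, relay_overhead_ns=50.0))
    print("perfect zero-delay relay, fob at 30 m:", unlock_attempt(30.0))
```

Even a hypothetical relay that adds no delay of its own fails the bound, because the extra 2 × 30 m of flight is visible in the round trip. The caveat a practitioner cares about: this only works on a physical layer whose timing an attacker cannot shortcut and whose response cannot be precomputed before the challenge arrives, which is a radio design question (nanosecond-resolution time of flight), not a key-length question.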
Reality Distortion and Tracing in Car2X
Late stages of standardization; several details and the PKI operator are still open.
Privacy Violation through Data Analysis
Wide range of driver-related data collected and accessible via the unprotected on-board diagnostic interface

Driver identification using just velocity and rpm

Needed: Privacy by Design / by Default; effective controls and transparency, encryption, data masking, data minimization, data anonymization, pseudonyms
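What "driver identification using just velocity and rpm" means in practice, and what data minimization changes, as an added example written for this page (a toy, not the method of any published study): a nearest-centroid fingerprint built from two OBD signals identifies the driver of a fresh trip, while the record a »Pay as you drive« tariff actually needs carries none of the fingerprintable signal. Gear ratios, the two driver profiles and all trips are constructed.

```python
import math
import random

# Constructed vehicle model: rpm per km/h in each gear (not a real car).
RPM_PER_KMH = {1: 120.0, 2: 70.0, 3: 48.0, 4: 36.0, 5: 28.0}
IDLE_RPM, DOWNSHIFT_RPM = 800.0, 1200.0

# Constructed driver habits: (rpm at which the driver shifts up, typical acceleration in km/h per s).
DRIVERS = {"alice": (3500.0, 4.0), "bob": (2200.0, 2.0)}


def simulate_trip(driver: str, cruise_kmh: float, rng: random.Random) -> list:
    """Per-second (speed_kmh, rpm) samples: accelerate, cruise, brake to a stop."""
    shift_up, accel = DRIVERS[driver]
    speed, gear, samples = 0.0, 1, []

    def record():
        nonlocal gear
        rpm = speed * RPM_PER_KMH[gear]
        while rpm > shift_up and gear < 5:        # driver-specific shift point
            gear += 1
            rpm = speed * RPM_PER_KMH[gear]
        while rpm < DOWNSHIFT_RPM and gear > 1:   # same downshift rule for everyone
            gear -= 1
            rpm = speed * RPM_PER_KMH[gear]
        samples.append((speed, max(IDLE_RPM, rpm)))

    while speed < cruise_kmh:
        speed = min(cruise_kmh, speed + max(0.5, rng.gauss(accel, 0.3)))
        record()
    for _ in range(30):                           # cruise with slight speed jitter
        speed = cruise_kmh + rng.uniform(-0.2, 0.2)
        record()
    while speed > 0:                              # both drivers brake the same way
        speed = max(0.0, speed - 3.0)
        record()
    return samples


def fingerprint(samples: list) -> tuple:
    """Two features only: mean rpm while moving, mean sustained acceleration."""
    moving = [rpm for v, rpm in samples if v > 0]
    speeds = [v for v, _ in samples]
    pushes = [b - a for a, b in zip(speeds, speeds[1:]) if b - a > 0.5] or [0.0]
    return (sum(moving) / len(moving) / 1000.0, sum(pushes) / len(pushes))


def train(trips_by_driver: dict) -> dict:
    """Centroid of each known driver's fingerprints."""
    centroids = {}
    for name, trips in trips_by_driver.items():
        fps = [fingerprint(t) for t in trips]
        centroids[name] = tuple(sum(c) / len(fps) for c in zip(*fps))
    return centroids


def identify(centroids: dict, samples: list) -> str:
    fp = fingerprint(samples)
    return min(centroids, key=lambda name: math.dist(fp, centroids[name]))


def billing_record(samples: list) -> dict:
    """Data minimization: a distance-based tariff needs distance and duration, nothing more."""
    distance_km = sum(v for v, _ in samples) / 3600.0
    return {"distance_km": round(distance_km, 2), "duration_s": len(samples)}


def demo() -> tuple:
    rng = random.Random(2016)
    training = {d: [simulate_trip(d, c, rng) for c in (50, 90, 110)] for d in DRIVERS}
    centroids = train(training)
    unknown = {d: simulate_trip(d, 70, rng) for d in DRIVERS}     # trips not seen in training
    guesses = {d: identify(centroids, trip) for d, trip in unknown.items()}
    minimized = {d: billing_record(trip) for d, trip in unknown.items()}
    return guesses, minimized


if __name__ == "__main__":
    guesses, minimized = demo()
    print("identified:", guesses)
    print("what the tariff receives:", minimized)
```

Both unseen trips are attributed to the right driver from speed and rpm alone, which is why "it is only vehicle data" does not make a data set non-personal. The minimized record keeps the two numbers the tariff is computed from and drops the time series the fingerprint is built on; a pseudonym on the raw trace would not have helped, since the trace itself links trips to a person.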
Conclusions
Conclusions (1/2)
Automotive digitization comes with new threats … most well known from other domains
Typical »teething problems«:
Proprietary crypto, weak or even fixed keys
Open networks / interfaces, weak authentication
Integration based on unjustified assumptions
Unprotected hardware in »hostile« environments
Direct inheritance of problems from other domains (software, mobile systems, …)
Exploding design complexity
Conclusions (2/2)
Requires best practices; standards; testing guidelines, tools and labs; and »Security and Privacy by Design«
High awareness in industry and research
Data minimization vs. data sharing: conjecture: there is no contradiction
Industrial Data Spaces: architecture supporting controlled, secure and privacy-friendly sharing
Privacy and transparency enhancing technologies like end-to-end encryption, attribute-based credentials (ABCs) and cryptographic pseudonyms, data masking and anonymization
Thank you very much!
Prof. Dr. Michael Waidner
Fraunhofer Institute for Secure Information Technology SIT, Director
www.sit.fraunhofer.de
Rheinstrasse 75, 64295 Darmstadt
[email protected]
+49 6151 869 250 (Office)
+49 170 929 8243 (Cell)