Added [in-progress] Developer Guides
[AGL/documentation.git] / docs / 2_Architecture_Guides / 2.2_Security_Blueprint / 0_Introduction / Introduction.md
---
title: Introduction
---

# Introduction

Modern cars have become far more technologically sophisticated than those of
the past. We are seeing a wider range of new features and functionality, backed
by much more complex software. It is fair to say that the cars being introduced
to the market today have much more in common with computing devices like cell
phones than their predecessors did. Modern car manufacturers are also
integrating support for a broad range of communication technologies for these
“connected” cars. With the advent of such vehicles, Linux has become a natural
choice for the software platform, with Automotive Grade Linux as a promising
example.

From a security point of view, the remote capabilities of a connected car
result in a much larger attack surface. This opens a whole new world of
security vulnerabilities that need to be considered during the architectural
design. History shows that physical access to a device is sufficient for an
attacker to gain root privileges. This makes the car a hostile environment.

The Security Blueprint documents the security features that are included as part
of Automotive Grade Linux (AGL) and identifies areas that need to be addressed
from a security perspective as part of AGL. It also gives guidance around
existing technologies and solutions.

Security domains will allow us to create a set of tests verifying the security
of Automotive Grade Linux.

This document is based primarily on an existing AGL security-blueprint.

**For security to be effective, the concepts must be simple. And by default,
anything that is not allowed is forbidden.**

We will cover topics starting from the lowest level (_Hardware_) up to the
highest levels (_Connectivity_ and _Application_). We will move quickly over
_Hardware_ and _Connectivity_ because they are not handled at our level:
solutions to connectivity problems concern updates and secured settings, while
hardware security is the responsibility of the manufacturers.

The document is filled with tags to easily identify important points:

<!-- section-config -->

- The _config_ tag quickly identifies the configurations and the recommendations
  to apply.

<!-- end-section-config --><!-- section-note -->

- The _note_ tag provides some additional details.

<!-- end-section-note --><!-- section-todo -->

- The _todo_ tag shows the possible improvements.

<!-- end-section-todo -->

In the annexes of this document, you can find all the _config_ and _todo_ notes.

## Adversaries

Adversaries and attackers within the Automotive space.

- Enthusiast Attackers

Enthusiast attackers have physical access to the Engine Control Units (ECUs) at
the circuit board level. They can solder ‘mod chips’ onto the board and have
access to probing tools. They also have information on ECUs that have been
previously compromised and have access to software and instructions developed
by other members of car modification forums. The goal of the enthusiast hacker
could be, but is not limited to, adding extra horsepower to the car or hacking
it just for fun.

- Corrupt Automotive Dealers

Corrupt automotive dealers are attackers that have access to the same
capabilities as enthusiasts, but also have access to the car manufacturer’s
(OEM) dealer network. They may also have access to standard debugging tools
provided by the car manufacturer. Their goal may be to support local car theft
gangs or organized criminals.

- Organized Criminals

Organized criminals have access to all of the above tools but may also have some
level of control over the internal network at many dealerships. They may have
hacked and gained temporary control of the Over-The-Air (OTA) servers or the
In-Vehicle Infotainment (IVI) systems. This is very much like the role of
organized criminals in other industries such as paid media today. Their goal is
to extort money from OEMs and/or governments by threatening to disable multiple
vehicles.

- Malware Developers

Malware developers have developed malicious software to attack and compromise a
large number of vehicles. The malicious software is usually designed to spread
from one vehicle to another. Usually, the goal is to take control of multiple
machines and then sell access to them for malicious purposes like
denial-of-service (DoS) attacks or theft of private information and data.

- Security Researchers

Security researchers are ‘self-publicized’ security consultants trying to make a
name for themselves. They have access to standard tools for software security
analysis. They also have physical access to the vehicle and standard hardware
debugging tools (logic analyzers, oscilloscopes, etc.). Their goal is to
publicize attacks for personal gain or just to gain personal understanding with
a sense of helping make things more secure.

## Attack Goals

In today’s connected vehicle, more and more functionality is moving to software
control, meaning that the threat of attack becomes greater and greater. We see
car features like navigation and summoning, car access/engine start, and
motor/ECU upgrades all controlled through software and connections to the cloud.
The risk of attack is high because there are high value targets in play.

Here, we outline some of the major threat categories along with some sample
attackers, example attacks, and a relative importance. These threat categories
are intended to be general examples. There can be many nuances to threat types.
Additionally, there can be many sub-attacks that eventually lead to these higher
level attack goals.

| Threat Category               | Sample Attacker                         | Example Attacks                                                                                       | Relative Importance                                                                                                                            |
|-------------------------------|-----------------------------------------|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| Vehicle theft                 | Individual, organized criminals         | Send the car to an unplanned destination, get a key for the car, gain control of the unlock mechanism | Reduced likelihood of future vehicle purchases (Profit Later), bad press (Brand Integrity)                                                     |
| Reduced vehicle functionality | Terrorist groups, disgruntled employees | Lock the driver out of the car, cause the car to crash, block access to infotainment system           | Inability to sell paid-for apps and content (Profit Now), bad press (Brand Integrity), possible loss of life (Physical Injury)                 |
| Vehicle hacking               | Vehicle owner, competitor               | Get content without paying, modify DRM licenses, unlocking of after-market features, theft of IP      | Loss of sales for content and features (Profit Now), lawsuits from content owners (Profit Later), loss of competitive advantage (Profit Later) |
| Sensitive asset theft         | Organized criminals, blackmailers       | Steal credit card numbers, health information, camera data, steal bandwidth                           | Bad press (Brand Integrity), lawsuits from vehicle owners (Profit Later)                                                                       |

The Automotive Grade Linux (AGL) initiative builds upon open-source software
including Linux and Tizen to offer a flexible application framework. However,
the security provisions of the app framework, Cynara, and the security manager
only go so far in keeping the biggest threats at bay. As experience has shown,
providing a constrained app and store development flow (like that in the
Android Open Source Platform), signature verification, DAC sandboxing, and MAC
(SMACK) controls over the platform can have a certain amount of success with
the security of the system. However, the openness of the system invites many
researchers, hobbyists, hackers and financially motivated attackers to
compromise the system for their own gains.

As AGL arrives on modern automobiles, this is inevitably inviting many capable
actors to modify, attack, and compromise these well thought-out systems and
their applications. With concerns like safety and security, the auto industry
cannot afford to go the way of consumer devices like phones and tablets, where
security problems are encountered on a frequent basis. It is imperative to use a
layered approach and defense-in-depth to protect the system from inevitable
attack.

## Assets and Security Categorization

This section outlines some of the assets that are likely to be found in the
vehicle and their relative sensitivity from an attack point of view.
Additionally, the final column on the right lists some of the recommended
protection types that can be applied to these types of assets (note that the
empty cells refer to the cells above them). A good protection approach will give
priority to the most sensitive assets, using a defense-in-depth approach to
cover these assets. Less sensitive assets are treated at a lower priority,
typically protected with fewer protection techniques. A more fine-grained
prioritization of the assets in a concrete vehicle network can be achieved
with a detailed threat analysis that considers the topology of the vehicle
network and the access controls that are in place, e.g. the EVITA framework for
attack trees.

| Asset Category    | Examples                                                                       | Sensitivity | Recommended Protection Types                                                                                                                                                                         |
|-------------------|--------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Software          | ECU software, infotainment software, OS images                                 | Critical    | Key Management, Mutual Asymmetric Authentication, HSM and WhiteBox Encryption, Message Integrity Checks, Hardening/SW Protection, Program Transforms/ Obfuscation, Integrity Verification, Secure OS |
| Car Access        | Biometric data, car keys                                                       |             |                                                                                                                                                                                                      |
| Payment Data      | Credit cards, User profile critical data                                       |             |                                                                                                                                                                                                      |
| Recordings        | Internal camera recording, internal audio recording, external camera recording | High        | Encryption, Message Integrity Checks, Hardening/SW Protection, Program Transforms / Obfuscation                                                                                                      |
| User Profile      | Usernames and passwords, customization, calendar, contacts                     |             |                                                                                                                                                                                                      |
| Location          | GPS coordinates, vehicle usage data                                            |             |                                                                                                                                                                                                      |
| Purchased Content | Video, audio, licenses                                                         |             |                                                                                                                                                                                                      |
| Teleconference    | Chat, audio, video                                                             | Medium      | SW Protection, Program Transforms / Obfuscation, Authenticated encryption for transmission                                                                                                           |
| Vehicle data      | Vehicle info, sensor data                                                      |             |                                                                                                                                                                                                      |
| Navigation data   | Static and dynamic maps                                                        |             |                                                                                                                                                                                                      |
| 3rd party data    | Home automation commands, cloud game data                                      |             |                                                                                                                                                                                                      |
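The inherit-from-above rule makes it easy to misread which protections the table actually recommends for, say, _Car Access_ or _Vehicle data_. As an added example (not part of the blueprint or of AGL), the Python script below parses the table above with that rule applied, ranks the assets by sensitivity, and lists the recommended protections that a control inventory lacks; the `IMPLEMENTED` inventory is a constructed assumption for a hypothetical IVI build, not AGL data.

```python
import re

# The asset table from this section, copied with its column padding dropped.
ASSET_TABLE = """\
| Asset Category | Examples | Sensitivity | Recommended Protection Types |
|---|---|---|---|
| Software | ECU software, infotainment software, OS images | Critical | Key Management, Mutual Asymmetric Authentication, HSM and WhiteBox Encryption, Message Integrity Checks, Hardening/SW Protection, Program Transforms/ Obfuscation, Integrity Verification, Secure OS |
| Car Access | Biometric data, car keys | | |
| Payment Data | Credit cards, User profile critical data | | |
| Recordings | Internal camera recording, internal audio recording, external camera recording | High | Encryption, Message Integrity Checks, Hardening/SW Protection, Program Transforms / Obfuscation |
| User Profile | Usernames and passwords, customization, calendar, contacts | | |
| Location | GPS coordinates, vehicle usage data | | |
| Purchased Content | Video, audio, licenses | | |
| Teleconference | Chat, audio, video | Medium | SW Protection, Program Transforms / Obfuscation, Authenticated encryption for transmission |
| Vehicle data | Vehicle info, sensor data | | |
| Navigation data | Static and dynamic maps | | |
| 3rd party data | Home automation commands, cloud game data | | |
"""
SENSITIVITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}


def normalise(label):
    """Unify spacing around '/' so both table spellings of Obfuscation match."""
    return re.sub(r"\s*/\s*", "/", label.strip())


def parse_asset_table(text=ASSET_TABLE):
    """One dict per asset. Empty Sensitivity/Protection cells inherit from
    the nearest filled row above, as the note in the section says they do."""
    rows, sensitivity, protections = [], None, ()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Asset Category" \
                or set(cells[0]) <= {"-"}:
            continue  # blank lines, the header row and the |---| separator
        asset, examples, sens, prot = cells
        if sens:  # a new group starts; the blank rows below inherit these
            sensitivity = sens
            protections = tuple(normalise(p) for p in prot.split(","))
        rows.append({"asset": asset, "examples": examples.split(", "),
                     "sensitivity": sensitivity, "protections": protections})
    return rows


def rank_assets(rows):
    """Most sensitive first; the table's own order is kept within a level."""
    return sorted(rows, key=lambda r: SENSITIVITY_RANK[r["sensitivity"]])


def protection_gaps(rows, implemented):
    """Map each asset to the recommended protections absent from a control
    inventory. Labels are matched exactly (after normalise) on purpose, so
    naming drift such as 'SW Protection' vs 'Hardening/SW Protection' shows."""
    have = {normalise(p) for p in implemented}
    return {r["asset"]: [p for p in r["protections"] if p not in have]
            for r in rows if any(p not in have for p in r["protections"])}


# Constructed control inventory for a hypothetical IVI build (not from AGL).
IMPLEMENTED = ["Secure OS", "Integrity Verification", "Message Integrity Checks",
               "Encryption", "Hardening/SW Protection", "Key Management",
               "Authenticated encryption for transmission"]
```

Running `protection_gaps(parse_asset_table(), IMPLEMENTED)` shows that every asset in the Critical group is missing the same three controls, which is the prioritisation signal the section asks for.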

## Hardening term

The term Hardening refers to the tools, techniques and processes required in
order to reduce the attack surface on an embedded system, such as an electronic
control unit (**ECU**) or other managed devices. The target for all hardening
activities is to prevent the execution of invalid binaries on the device, and to
prevent copying of security related data from the device.

<!-- pagebreak -->

## AGL security overview

AGL is rooted in security concepts. Those concepts are implemented by the
security framework as shown in this picture:

![AGL architecture](WhiteBoxArchi.png)

--------------------------------------------------------------------------------

# Acronyms and Abbreviations

The following table lists the most important terms used throughout this
document.

| Acronyms or Abbreviations | Description                         |
|---------------------------|-------------------------------------|
| _AGL_                     | **A**utomotive **G**rade **L**inux  |
| _ECU_                     | **E**lectronic **C**ontrol **U**nit |

--------------------------------------------------------------------------------

<!-- pagebreak -->

# References

- [security-blueprint](http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html).
- **[2017]** - [kernel security](https://www.kernel.org/doc/Documentation/security/).
- **[2017]** - [Systemd integration and user management](http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf).
- **[2017]** - [AGL - Application Framework Documentation](http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf).
- **[2017]** - [Improving Vehicle Cybersecurity](https://access.atis.org/apps/group_public/download.php/35648/ATIS-I-0000059.pdf).
- **[2016]** - [AGL framework overview](http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-main/0-introduction.html).
- **[2016]** - [SecureBoot-SecureSoftwareUpdates](http://iot.bzh/download/public/2016/publications/SecureBoot-SecureSoftwareUpdates.pdf).
- **[2016]** - [Linux Automotive Security](http://iot.bzh/download/public/2016/security/Linux-Automotive-Security-v10.pdf).
- **[2016]** - [Automotive Security Best Practices](https://www.mcafee.com/it/resources/white-papers/wp-automotive-security.pdf).
- **[2016]** - [Gattacking Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf).
- **[2015]** - [Comprehensive Experimental Analysis of Automotive Attack Surfaces](http://www.cs.wayne.edu/fengwei/15fa-csc6991/slides/8-CarHackingUsenixSecurity.pdf).
- **[2015]** - [Security in Automotive Bus Systems](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf).
- **[2014]** - [IOActive Remote Attack Surface](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf).
- **[2011]** - [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf).
- **[2011]** - [Comprehensive Experimental Analyses of Automotive Attack Surfaces](http://www.autosec.org/pubs/cars-usenixsec2011.pdf).
- **[2010]** - [Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars](https://eprint.iacr.org/2010/332.pdf).
- **[2010]** - [Wifi attacks wep wpa](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf).
- **[2008]** - [SMACK](http://schaufler-ca.com/yahoo_site_admin/assets/docs/SmackWhitePaper.257153003.pdf).