---
title: Overview
---

Modern cars are far more technologically sophisticated than those of the past.
They offer a much wider range of features and functionality, backed by far more
complex software. It is fair to say that the cars introduced to the market today
have more in common with computing devices such as mobile phones than with their
predecessors. Manufacturers are also integrating support for a broad range of
communication technologies into these “connected” cars. With the advent of such
vehicles, Linux has become a natural choice for the software platform, with
Automotive Grade Linux as a promising example.

From a security point of view, the remote capabilities of a connected car
result in a much larger attack surface. This opens a whole new class of
security vulnerabilities that must be considered during the architectural
design. History also shows that an attacker with physical access to a device is
usually able to gain root privileges, and a car is physically accessible to its
owner, to workshops and to third parties. The car must therefore be treated as
a hostile environment.

The Security Blueprint documents the security features that are included as
part of Automotive Grade Linux (AGL) and identifies areas that still need to be
addressed from a security perspective within AGL. It also gives guidance on
existing technologies and solutions.

The security domains defined here will allow us to build a set of tests that
verify the security of Automotive Grade Linux.

This document is based on the existing AGL security-blueprint (see References).

**For security to be effective, the concepts must be simple, and by default
anything that is not explicitly allowed is forbidden.**
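
As an added illustration of the default-deny principle above (example code
written for this page, not code from AGL or from its policy daemon), the block
below is a tiny policy checker modelled loosely on the (client, user, privilege)
question a Cynara-style service answers. The rule tables, application names and
privilege strings are constructed for the example. The allow-list variant
refuses any request that matches no rule; the deny-list variant is shown only as
the anti-pattern, because a privilege nobody thought to list slips through it.

```python
"""Default-deny policy check: an allow-list beside a deny-list.

Added example, not code from the AGL project. Requests are (client, user,
privilege) triples; rule tables are hypothetical and built inline.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Sequence


@dataclass(frozen=True)
class Rule:
    client: str     # application identifier, may use shell-style wildcards
    user: str       # user identifier, "*" for any user
    privilege: str  # privilege name (illustrative, not an AGL privilege)

    def matches(self, client: str, user: str, privilege: str) -> bool:
        # fnmatchcase: "*" also matches "/" so "privilege/diag/*" covers sub-paths
        return (fnmatchcase(client, self.client)
                and fnmatchcase(user, self.user)
                and fnmatchcase(privilege, self.privilege))


class AllowListPolicy:
    """Default deny: a request is permitted only if an allow rule matches."""

    def __init__(self, allow: Sequence[Rule]):
        self._allow = list(allow)

    def check(self, client: str, user: str, privilege: str) -> bool:
        return any(r.matches(client, user, privilege) for r in self._allow)


class DenyListPolicy:
    """Default allow: a request is refused only if a deny rule matches.
    Included only as the anti-pattern the blueprint warns against."""

    def __init__(self, deny: Sequence[Rule]):
        self._deny = list(deny)

    def check(self, client: str, user: str, privilege: str) -> bool:
        return not any(r.matches(client, user, privilege) for r in self._deny)


# Constructed sample policies; names and privileges are illustrative only.
ALLOW = AllowListPolicy([
    Rule("navigation", "*", "privilege/location"),
    Rule("mediaplayer", "*", "privilege/audio"),
    Rule("dealer-diag", "dealer", "privilege/diag/*"),
])

DENY = DenyListPolicy([
    # the one thing someone remembered to block
    Rule("*", "*", "privilege/can/write"),
])


def decide(policy, client: str, user: str, privilege: str) -> str:
    """Render a policy decision as the string a log line would carry."""
    return "ALLOW" if policy.check(client, user, privilege) else "DENY"


if __name__ == "__main__":
    requests = [
        ("navigation", "driver", "privilege/location"),
        ("navigation", "driver", "privilege/audio"),
        ("dealer-diag", "driver", "privilege/diag/ecu-flash"),
        ("dealer-diag", "dealer", "privilege/diag/ecu-flash"),
        ("thirdparty-game", "driver", "privilege/can/write"),
        ("thirdparty-game", "driver", "privilege/camera"),  # listed nowhere
    ]
    for req in requests:
        print(f"{req}: allow-list={decide(ALLOW, *req)} "
              f"deny-list={decide(DENY, *req)}")
```

The last request is the interesting one: the camera privilege appears in neither
table, so the allow-list refuses it and the deny-list grants it. Every new
privilege added to the platform is silently open under the deny-list model
until someone remembers to block it, which is why the blueprint insists on
default deny.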

We will cover topics starting from the lowest level (_Hardware_) up to the
highest levels (_Connectivity_ and _Application_). We will move quickly over
_Hardware_ and _Connectivity_ because they are largely outside the scope of
AGL: connectivity problems are mostly addressed through updates and secure
settings, while securing the hardware is the responsibility of the
manufacturers.

## Adversaries

This section describes the adversaries and attackers found in the automotive
space.

- Enthusiast Attackers

Enthusiast attackers have physical access to the Electronic Control Units
(ECUs) at the circuit board level. They can solder ‘mod chips’ onto the board
and have access to probing tools. They also have information on ECUs that have
been previously compromised and have access to software and instructions
developed by other members of car modification forums. The goal of the
enthusiast attacker could be, but is not limited to, adding extra horsepower to
the car or hacking it just for fun.

- Corrupt Automotive Dealers

Corrupt automotive dealers are attackers that have the same capabilities as
enthusiasts, but also have access to the car manufacturer’s (OEM) dealer
network. They may also have access to the standard debugging tools provided by
the car manufacturer. Their goal may be to support local car theft gangs or
organized criminals.

- Organized Criminals

Organized criminals have access to all of the above tools but may also have some
level of control over the internal network at many dealerships. They may have
hacked and gained temporary control of the Over-The-Air (OTA) update servers or
of In-Vehicle Infotainment (IVI) systems. This is very much like the role of
organized criminals in other industries, such as paid media today. Their goal is
to extort money from OEMs and/or governments by threatening to disable multiple
vehicles.

- Malware Developers

Malware developers write malicious software to attack and compromise a large
number of vehicles. The malicious software is usually designed to spread from
one vehicle to another. Usually, the goal is to take control of many vehicles
and then sell access to them for malicious purposes such as denial-of-service
(DoS) attacks or theft of private information and data.

- Security Researchers

Security researchers are ‘self-publicized’ security consultants trying to make a
name for themselves. They have access to standard tools for software security
analysis. They also have physical access to the vehicle and to standard hardware
debugging tools (logic analyzers, oscilloscopes, etc.). Their goal is to
publicize attacks for personal gain, or simply to gain personal understanding
with a sense of helping make things more secure.

## Attack Goals

In today’s connected vehicle, more and more functionality is moving under
software control, so the threat of attack keeps growing. Car features such as
navigation and summoning, car access/engine start, and motor/ECU upgrades are
all controlled through software and connections to the cloud. The risk of
attack is high because high-value targets are in play.

Here, we outline some of the major threat categories along with sample
attackers, example attacks, and their relative importance. These threat
categories are intended as general examples; there can be many nuances to
threat types. Additionally, many sub-attacks can eventually lead to these
higher-level attack goals.
102
103 | Threat Category               | Sample Attacker                         | Example Attacks                                                                                       | Relative Importance                                                                                                                            |
104 |-------------------------------|-----------------------------------------|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
105 | Vehicle theft                 | Individual, organized criminals         | Send the car to an unplanned destination, get a key for the car, gain control of the unlock mechanism | Reduced likelihood of future vehicle purchases (Profit Later), bad press (Brand Integrity)                                                     |
106 | Reduced vehicle functionality | Terrorist groups, disgruntled employees | Lock the driver out of the car, cause the car to crash, block access to infotainment system           | Inability sell paid-for apps and content (Profit Now), bad press (Brand Integrity), possible loss of life (Physical Injury)                    |
107 | Vehicle hacking               | Vehicle owner, competitor               | Get content without paying, modify DRM licenses, unlock of after-market features, theft of IP         | Loss of sales for content and features (Profit Now), lawsuits from content owners (Profit Later), loss of competitive advantage (Profit Later) |
108 | Sensitive asset theft         | Organized criminals, blackmailers       | Steal credit card numbers, health information, camera data, steal bandwidth                           | Bad press (Brand Integrity), lawsuits from vehicle owners (Profit Later)                                                                       |

The Automotive Grade Linux (AGL) initiative builds upon open-source software,
including Linux and Tizen, to offer a flexible application framework. However,
the security provisions of the application framework, Cynara, and the security
manager only go so far in keeping the biggest threats at bay. Experience has
shown that a constrained application and store development flow (like that of
the Android Open Source Project), signature verification, DAC sandboxing, and
MAC (SMACK) controls over the platform achieve a certain amount of success in
securing the system. However, the openness of the system invites many
researchers, hobbyists, hackers and financially motivated attackers to
compromise it for their own gains.

As AGL arrives in modern automobiles, it inevitably invites many capable actors
to modify, attack, and compromise these well-thought-out systems and their
applications. With safety as well as security at stake, the auto industry
cannot afford to go the way of consumer devices such as phones and tablets,
where security problems are encountered on a frequent basis. It is imperative
to use a layered approach and defense in depth to protect the system from the
inevitable attacks.

## Assets and Security Categorization

This section outlines some of the assets that are likely to be found in the
vehicle and their relative sensitivity from an attack point of view.
Additionally, the final column on the right lists some of the recommended
protection types that can be applied to these types of assets (an empty cell in
that column inherits the value of the row above it). A good protection approach
gives priority to the most sensitive assets and covers them with a
defense-in-depth approach. Less sensitive assets are treated at a lower
priority, typically with fewer protection techniques. A more fine-grained
prioritization of the assets in a concrete vehicle network can be achieved with
a detailed threat analysis that considers the topology of the vehicle network
and the access controls that are in place, for example using the attack trees
of the EVITA framework.
143
144 | Asset Category    | Examples                                                                       | Sensitivity | Recommended Protection Types                                                                                                                                                                         |
145 |-------------------|--------------------------------------------------------------------------------|-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
146 | Software          | ECU software, infotainment software, OS images                                 | Critical    | Key Management, Mutual Asymmetric Authentication, HSM and WhiteBox Encryption, Message Integrity Checks, Hardening/SW Protection, Program Transforms/ Obfuscation, Integrity Verification, Secure OS |
147 | Car Access        | Biometric data, car keys                                                       |             |                                                                                                                                                                                                      |
148 | Payment Data      | Credit cards, User profile critical data                                       |             |                                                                                                                                                                                                      |
149 | Recordings        | Internal camera recording, internal audio recording, external camera recording | High        | Encryption, Message Integrity Checks, Hardening/SW Protection, Program Transforms / Obfuscation                                                                                                      |
150 | User Profile      | Usernames and passwords, customization, calendar, contacts                     |             |                                                                                                                                                                                                      |
151 | Location          | GPS coordinates, vehicle usage data                                            |             |                                                                                                                                                                                                      |
152 | Purchased Content | Video, audio, licenses                                                         |             |                                                                                                                                                                                                      |
153 | Teleconference    | Chat, audio, video                                                             | Medium      | SW Protection, Program Transforms / Obfuscation, Authenticated encryption for transmission                                                                                                           |
154 | Vehicle data      | Vehicle info, sensor data                                                      |             |                                                                                                                                                                                                      |
155 | Navigation data   | Static and dynamic maps                                                        |             |                                                                                                                                                                                                      |
156 | 3rd party data    | Home automation commands, cloud game data                                      |             |                                                                                                                                                                                                      |
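
To make the prioritization concrete, here is an added example (written for this
page, not part of the AGL documentation or of the EVITA deliverables) that
evaluates a small attack tree for each of a few assets from the table above and
ranks the assets by sensitivity and by how cheaply an attacker reaches them. The
trees, the attack steps and the numeric "attack potential" ratings are
constructed for the example, and so is the combination rule: an OR node costs
the minimum of its children (the attacker takes the easiest route) and an AND
node costs the sum (every sub-attack must be carried out). EVITA's own rating
tables and combination rules are not reproduced here.

```python
"""Attack-tree evaluation for prioritising vehicle assets.

Added example, not AGL or EVITA code. Leaf ratings are hypothetical required
attack potentials: the higher the number, the more expertise, equipment and
time the step needs. OR = min of children, AND = sum of children (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Leaf:
    name: str
    potential: int          # hypothetical required attack potential


@dataclass(frozen=True)
class Node:
    name: str
    op: str                 # "OR" or "AND"
    children: tuple         # of Leaf | Node


Tree = Union[Leaf, Node]


def evaluate(tree: Tree) -> tuple[int, tuple[str, ...]]:
    """Return (minimum attack potential, leaf steps used on that cheapest path)."""
    if isinstance(tree, Leaf):
        return tree.potential, (tree.name,)
    results = [evaluate(c) for c in tree.children]
    if tree.op == "OR":
        return min(results, key=lambda r: r[0])      # easiest branch wins
    if tree.op == "AND":
        cost = sum(r[0] for r in results)            # all branches needed
        path = tuple(step for r in results for step in r[1])
        return cost, path
    raise ValueError(f"unknown operator {tree.op!r}")


def with_potential(tree: Tree, leaf_name: str, potential: int) -> Tree:
    """Copy of the tree with one leaf re-rated (what-if after a countermeasure)."""
    if isinstance(tree, Leaf):
        return Leaf(tree.name, potential) if tree.name == leaf_name else tree
    return Node(tree.name, tree.op,
                tuple(with_potential(c, leaf_name, potential) for c in tree.children))


SENSITIVITY = {"Critical": 3, "High": 2, "Medium": 1}   # from the asset table

# Constructed leaves, loosely following the adversary profiles above.
OTA_SERVER = Leaf("compromise OTA server", 5)
DEALER_TOOL = Leaf("obtain dealer debugging tool", 3)
SOLDER = Leaf("attach mod chip / probe the board", 2)
BYPASS_SIGN = Leaf("bypass image signature check", 4)
IVI_REMOTE = Leaf("exploit IVI over cellular/Bluetooth", 4)
PAIRED_PHONE = Leaf("pair a malicious phone", 1)
READ_STORAGE = Leaf("read unencrypted flash", 2)

# asset -> (sensitivity from the table, constructed attack tree)
ASSETS = {
    "ECU software": ("Critical", Node("replace ECU software", "OR", (
        Node("remote re-flash", "AND", (OTA_SERVER, BYPASS_SIGN)),
        Node("bench re-flash", "AND", (SOLDER, BYPASS_SIGN)),
        DEALER_TOOL,
    ))),
    "Car keys": ("Critical", Node("extract car keys", "OR", (
        Node("dump key store", "AND", (SOLDER, READ_STORAGE)),
        IVI_REMOTE,
    ))),
    "Contacts / user profile": ("High", Node("read contacts", "OR", (
        PAIRED_PHONE, IVI_REMOTE,
    ))),
    "Navigation maps": ("Medium", Node("tamper with maps", "OR", (
        READ_STORAGE, Node("spoof map update", "AND", (OTA_SERVER, BYPASS_SIGN)),
    ))),
}


def prioritise(assets=ASSETS) -> list[tuple[str, str, int, tuple[str, ...]]]:
    """Rank assets: most sensitive first, then cheapest to attack first."""
    rows = []
    for asset, (sensitivity, tree) in assets.items():
        cost, path = evaluate(tree)
        rows.append((asset, sensitivity, cost, path))
    rows.sort(key=lambda r: (-SENSITIVITY[r[1]], r[2]))
    return rows


if __name__ == "__main__":
    for asset, sensitivity, cost, path in prioritise():
        print(f"{asset:24} {sensitivity:9} cheapest={cost:2}  via {' + '.join(path)}")
    hardened = with_potential(ASSETS["ECU software"][1],
                              "obtain dealer debugging tool", 6)
    print("ECU software once the dealer tool is locked down:", evaluate(hardened))
```

Two things the output shows that the table alone does not: the ECU software,
despite signature verification on every image, is reached most cheaply through
the dealer tool (the corrupt-dealer adversary above), and once that single step
is made harder the cheapest route moves to a bench re-flash, so the next
countermeasure to fund changes. That dependence on topology and on the access
controls in place is what the text means by a more fine-grained prioritization.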

## Hardening term

The term Hardening refers to the tools, techniques and processes required to
reduce the attack surface of an embedded system, such as an Electronic Control
Unit (**ECU**) or other managed device. The goal of all hardening activities is
to prevent the execution of unauthorized binaries on the device, and to prevent
security-related data (keys, credentials, protected content) from being copied
off the device.

## AGL security overview

AGL is built on a set of security concepts. Those concepts are implemented by
the security framework, as shown in the following picture:

![AGL architecture](images/WhiteBoxArchi.png)

--------------------------------------------------------------------------------

# Acronyms and Abbreviations

The following table lists the main terms used throughout this document.

| Acronyms or Abbreviations | Description                         |
|---------------------------|-------------------------------------|
| _AGL_                     | **A**utomotive **G**rade **L**inux  |
| _ECU_                     | **E**lectronic **C**ontrol **U**nit |

--------------------------------------------------------------------------------

# References

- [security-blueprint](http://docs.automotivelinux.org/docs/architecture/en/dev/reference/security/01-overview.html)
- **[2017]** - [kernel security](https://www.kernel.org/doc/Documentation/security/)
- **[2017]** - [Systemd integration and user management](http://iot.bzh/download/public/2017/AMM-Dresden/AGL-systemd.pdf)
- **[2017]** - [AGL - Application Framework Documentation](http://iot.bzh/download/public/2017/SDK/AppFw-Documentation-v3.1.pdf)
- **[2017]** - [Improving Vehicle Cybersecurity](https://access.atis.org/apps/group_public/download.php/35648/ATIS-I-0000059.pdf)
- **[2016]** - [AGL framework overview](http://docs.automotivelinux.org/docs/apis_services/en/dev/reference/af-main/0-introduction.html)
- **[2016]** - [SecureBoot-SecureSoftwareUpdates](http://iot.bzh/download/public/2016/publications/SecureBoot-SecureSoftwareUpdates.pdf)
- **[2016]** - [Linux Automotive Security](http://iot.bzh/download/public/2016/security/Linux-Automotive-Security-v10.pdf)
- **[2016]** - [Automotive Security Best Practices](https://www.mcafee.com/it/resources/white-papers/wp-automotive-security.pdf)
- **[2016]** - [Gattacking Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf)
- **[2015]** - [Comprehensive Experimental Analysis of Automotive Attack Surfaces](http://www.cs.wayne.edu/fengwei/15fa-csc6991/slides/8-CarHackingUsenixSecurity.pdf)
- **[2015]** - [Security in Automotive Bus Systems](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf)
- **[2014]** - [IOActive Remote Attack Surface](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf)
- **[2011]** - [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf)
- **[2011]** - [Comprehensive Experimental Analyses of Automotive Attack Surfaces](http://www.autosec.org/pubs/cars-usenixsec2011.pdf)
- **[2010]** - [Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars](https://eprint.iacr.org/2010/332.pdf)
- **[2010]** - [Wifi attacks wep wpa](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf)
- **[2008]** - [SMACK](http://schaufler-ca.com/yahoo_site_admin/assets/docs/SmackWhitePaper.257153003.pdf)