Connected Car Security and the Future of Transportation

Liz Slocum Jensen Connected Car Expert Cloud Security Alliance, IoT Working Group July 28, 2016 Connected Car Security and the Future of Transportation

Upload: liz-slocum-jensen

Post on 07-Jan-2017

TRANSCRIPT

Page 1: Connected Car Security and the Future of Transportation

Liz Slocum Jensen, Connected Car Expert

Cloud Security Alliance, IoT Working Group
July 28, 2016

Page 2: Connected Car Security and the Future of Transportation

Agenda

• About me
• 4 basic types of connected cars
• 4 connected car hacks
• Overview of the Connected Car Landscape
• Security
• How car ownership is changing
• Looking forward to the autonomous car
• Questions

@WhatLizTweets

Page 3: Connected Car Security and the Future of Transportation

About Me: Liz Slocum Jensen

Connected Cars, Security, Big Data

[Timeline figure: Projects and Employment, with year marks 1999, 2003, 2005, 2010, 2013, 2014, 2016]

Ford Electrified Vehicle Hackathon, Best Application

Smarter Driving, Finalist 2015

Page 4: Connected Car Security and the Future of Transportation

4 Basic Types of Connected Cars

• Vehicle-to-Vehicle (V2V)
• Vehicle-to-Infrastructure (V2I)
• Vehicle-to-Mobile
• Vehicle-to-Cloud

Safety, Security, Communications, Entertainment

Page 5: Connected Car Security and the Future of Transportation

Experimental Attacks on Diagnostics, CD Player, Bluetooth, Cellular Radio

WHO: Department of Computer Science and Engineering at UC San Diego and University of Washington
WHEN: 2010

KEY FINDINGS:
• Once the team was able to physically access the car via the media player, diagnostics port, Bluetooth, or cellular, they were able to completely compromise the car.
• The research team could access the systems by simply calling the car.
• Since the telematics system is Unix-based, they were able to get root access and install an IRC channel.

RESEARCHER’S SUGGESTED ACTIONS:
• Use stack cookies to help detect an attack.
• Do not allow inbound calls. Instead, immediately call back a trusted number.
• Arbitrary ECUs should not be able to issue diagnostic and reflashing commands.
• Commands should only be accepted with some validation, and physical access to the car should be required before dangerous commands are executed.

Page 6: Connected Car Security and the Future of Transportation

Tire Pressure Monitoring System (TPMS)

WHO: University of South Carolina and Rutgers University
WHEN: 2010
WHAT: Tire Pressure Monitoring System

KEY FINDINGS:
• Reverse engineering in order to spoof and eavesdrop, specifically to track the car location, is possible.
• There was no encryption in the TPMS.
• If hackers flooded the tire pressure ECU with packets, they disabled the ECU and the ability for the alert to display in the dashboard. Even when this happened, however, the car was still driveable.
• They were able to spoof the alert light for no more than 6 seconds.

RESEARCHER’S SUGGESTED ACTIONS:
• Check for conflicting input information. For example, the system reported a low pressure event through the tire pressure ECU, but the PSI reported was normal.
• Use encryption.

Page 7: Connected Car Security and the Future of Transportation

The DARPA-funded hack of a Toyota Prius and Ford Escape

WHO: Dr. Charlie Miller and Chris Valasek
WHEN: 2013

KEY FINDINGS:
• Spoofing is possible.
• It is possible to disable functions of the car by flooding it with arbitrary CAN (Controller Area Network, or the embedded network) packets.

Follow-up research on remote attacks

WHEN: 2014

KEY FINDINGS:
• Bluetooth is one of the biggest and most viable attack points of a car because of its ubiquity.
• In-car apps and web browser technology are a significant threat, mostly because they offer a familiar attack target that is already understood by those who want to exploit it.

Page 8: Connected Car Security and the Future of Transportation

The DARPA-funded hack of a Toyota Prius and Ford Escape (continued)

RESEARCHER’S SUGGESTED ACTIONS:
• Since remote attacks happen in multiple stages, they recommend that defense be multi-staged.
• Secure the remote endpoints.
• Make it harder for the attacker to inject CAN messages immediately.
• For attack detection, monitor the rate of ECU messages for a noticeable increase.
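
As an added example (not from the slides or from the researchers' work), the rate-monitoring suggestion above can be sketched in Python: learn each CAN ID's peak frame count per time window from known-good traffic, then flag an ID whose count rises well above that peak. The window length, threshold factor, CAN IDs and traffic are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_MS = 100  # sliding-window length in milliseconds (assumed value)
FACTOR = 3       # alert above FACTOR x the learned peak (assumed value)

def window_counts(frames):
    """Yield (ts, can_id, n): n is how many frames with this ID arrived
    in the last WINDOW_MS, counting the current frame."""
    recent = defaultdict(deque)
    for ts, can_id in frames:
        q = recent[can_id]
        q.append(ts)
        while ts - q[0] >= WINDOW_MS:  # drop timestamps that left the window
            q.popleft()
        yield ts, can_id, len(q)

def learn_baseline(clean_frames):
    """Peak per-window frame count for each CAN ID in known-good traffic."""
    peak = defaultdict(int)
    for _, can_id, n in window_counts(clean_frames):
        peak[can_id] = max(peak[can_id], n)
    return dict(peak)

def detect_rate_increase(frames, baseline):
    """Return one (ts, can_id, n) alert per ID, at the first frame where its
    windowed count exceeds FACTOR x baseline. An ID absent from the baseline
    has a peak of 0, so its first frame already counts as an increase."""
    alerts, alerted = [], set()
    for ts, can_id, n in window_counts(frames):
        if can_id not in alerted and n > FACTOR * baseline.get(can_id, 0):
            alerted.add(can_id)
            alerts.append((ts, can_id, n))
    return alerts

def periodic(can_id, period_ms, start_ms, end_ms):
    """Constructed traffic: one frame of can_id every period_ms."""
    return [(t, can_id) for t in range(start_ms, end_ms, period_ms)]

# Constructed captures as (timestamp_ms, can_id); both IDs are made up.
CLEAN = sorted(periodic(0x100, 10, 0, 2000) + periodic(0x200, 100, 0, 2000))
LIVE = sorted(periodic(0x100, 10, 0, 1000) + periodic(0x200, 100, 0, 1000)
              + periodic(0x200, 2, 501, 601))  # burst of extra 0x200 frames

if __name__ == "__main__":
    baseline = learn_baseline(CLEAN)
    for ts, can_id, n in detect_rate_increase(LIVE, baseline):
        print(f"t={ts}ms id=0x{can_id:03X}: {n} frames in {WINDOW_MS}ms "
              f"(learned peak {baseline.get(can_id, 0)})")
```

Because the baseline is kept per CAN ID, a burst on a slow ID is caught even when a faster ID legitimately sends more frames in the same window.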

Page 9: Connected Car Security and the Future of Transportation

Common Findings

• The car can be compromised remotely…but it is very time-consuming and difficult to sustain.

• Systems vary from carmaker to carmaker, model to model, year to year.

• Attacks are detectable.

• The car is still drivable after spoofing and ECU attacks.

Page 10: Connected Car Security and the Future of Transportation

The Connected Car is Hackable: What Carmakers and Suppliers Can Do

• Air Gap.
• Perform Over-the-Air (OTA) updates.
• Use encryption.
• Working with the hacker community:
  • Challenge hackers to break your security with a bug bounty.
  • Make it easy for a researcher to contact the company privately about the exploit.
  • Have a policy to fix exploits within a specific time period.
  • Report the exploits publicly and give the researcher credit for finding it, if desired.

Other resources:
https://www.iamthecavalry.org/domains/automotive/5star/
http://venturebeat.com/2016/06/27/the-5-scariest-car-hacks-including-some-that-could-make-you-crash/

Page 11: Connected Car Security and the Future of Transportation

Connected Cars Landscape

[Infographic: Connected Cars Landscape, designed by Liz Slocum Jensen, April 2016. Company logos are grouped under the headings below; the numbers in parentheses are the counts shown on the slide.]

Top-level groups: Consumer (107); Enterprise (72); Things (54); Apps - Location - Data (44)

Categories, in the order they appear on the slide:
• Delivery (6)
• Car Sharing (9)
• Driver Behavior (11)
• Diagnostics (16)
• Infotainment Interface (15)
• Ride Hailing (20)
• Distribution/Logistics (11)
• Smart Cities (8)
• Usage-Based Insurance (9)
• Security (2)
• Fleet Tracking & Asset Management (20)
• Telematic Service Providers (19)
• EV Charging (3)
• On Demand Rentals (11)
• Parking (12)
• Autonomous (9)
• Heads Up Display (3)
• Sensors/Hardware (10)
• Vehicle to Infrastructure (1)
• Wearables (2)
• Infotainment Embedded (10)
• Dongle (19)
• Infotainment Applications (3)
• Big Data (6)
• Driver Behavior (14)
• App Platform (11)
• Location/Navigation (14)
• Ride Sharing/Carpooling (6)
• Routing Optimization (3)

Page 12: Connected Car Security and the Future of Transportation

Security Attacks are Detectable

Karamba Security

Page 13: Connected Car Security and the Future of Transportation

Car Ownership is Changing

[Figure: company logos grouped by ownership model, with a "Closed" label]

Categories: Car sharing (Peer-to-Peer); Rentals; Ride Hailing/Carpool

Companies shown: Shuddle, Jugnoo (autorickshaw), Bandwagon (taxisharing), Sidecar, Via (van pooling), PPZuche, Turo, Getaround, Ola, BlaBlaCar, Didi Chuxing, Uber

Page 14: Connected Car Security and the Future of Transportation

Autonomous is Coming

[Figure labels: Route Optimization, NuTonomy, Fleet Management, Quanergy, Traffic Intelligence, Sensors, Waze, Location/Navigation]

Page 15: Connected Car Security and the Future of Transportation

Questions?

Liz Slocum Jensen

Twitter: @WhatLizTweets