Security in Embedded Systems Mohammad sadegh Sadeghi

Upload: brice-hancock

Post on 26-Dec-2015


TRANSCRIPT

  • Slide 1
  • Security in Embedded Systems. Mohammad Sadegh Sadeghi
  • Slide 2
  • Outline
    • Introduction to Secure Embedded Systems
    • Satellites
    • Game Stations
    • Automobiles
    • Medical
  • Hardware Security and Trust, CE, SUT
  • Slide 3
  • Introduction to Secure Embedded Systems: security is essentially risk management
    • Assets
    • Threats
    • Vulnerabilities
    • Attacks
    • Risks
    • Safeguards
    • Countermeasures
  • Slide 4
  • Assets: the things you want to protect, e.g., the collection of magazines under your bed
  • Threats: bad things that might happen, e.g., someone stealing those magazines
  • Vulnerabilities: weaknesses that might facilitate the occurrence of a threat, e.g., the fact that you rarely close the bedroom window when you go out
  • Attacks: ways a threat can be made to happen, e.g., coming in through the open window and stealing the magazines
  • Slide 5
  • Risks: the expected loss caused by each attack, i.e., the value of the asset involved times the probability that the attack will occur
  • Safeguards: a priori defenses, e.g., welding steel bars across the window to prevent break-ins
  • Countermeasures: a posteriori defenses, e.g., welding steel bars across the window after a break-in has actually occurred, or calling the police
  • Slide 6
  • General attacks
    • Probing or penetrating attacks: active and invasive (cut communication lines, dump memory contents, tap bus structures)
      • Buses on the PCB (the attacks on the Xbox)
      • On-chip buses (smart cards)
    • Monitoring attacks (e.g., timing attacks): passive and non-invasive; side channels
      • Targets: credit cards, PDAs, cell phones, automobiles
  • Slide 7
  • Manipulation attack: non-invasive; used in conjunction with a monitoring attack, e.g., boosting signals so that a side-channel attack is easier to perform
  • Substitution attack: a module is removed and replaced
    • A Trusted Platform Module (TPM) replaced with a malicious device
    • Modchips: in automobiles, to obtain higher levels of performance; in game stations, to play unauthenticated programs
  • Replay attack: data is recorded and used later, to impersonate another authentic user or device
  • Slide 8
  • Modification attack: active and invasive; modification of internal connections or of memory (a "software modchip" is the software version of this)
  • Spoofing attack: the attacker replaces part of a message with their own data
  • Splicing attack: the attacker permutes (re-orders or recombines) legitimate data
  • Slide 9
  • Game Stations: Xbox, PlayStation, Wii
    • Xbox and Xbox 360: close resemblance to a PC (processor, hard disk, DVD drive, Ethernet, USB)
    • Mostly subjected to modifications
    • A modified Xbox can serve as a PC, file server, web server, storage device, or an "invisible computer"
  • Slide 10
  • Security mechanism (chain of trust)
    • The CPU starts executing code stored in the secret ROM
    • The secret ROM decrypts and verifies the second boot loader
    • The second boot loader decrypts and verifies the Windows kernel
    • The Windows kernel checks the allowed-media bits and the RSA signature of the game
    • The boot loader and the kernel are stored in flash ROM
    • The secret key and the crypto algorithm are stored in a secure boot block
    • The CPU is connected to the secure boot block over a high-speed bus
    • Attacked by a PhD student from MIT (Huang, 2002): the secret boot code and key were recovered by tapping that high-speed bus, breaking the chain at its root
  • Slide 11
  • Xbox security and forensic challenges
    • All Xbox executable files (.xbe files) are signed with 2048-bit RSA
    • The modification community began to look for vulnerabilities to exploit, e.g., buffer overflow vulnerabilities
    • ATA security: the hard disk is locked with a 32-byte password derived from a key in the EEPROM plus the drive's model and serial number, so the disk cannot simply be swapped into another machine
    • Forensically sound procedure: boot the Xbox from a Xebian bootable disc and acquire the image of the hard disk from a Linux computer networked to the Xbox
  • Slide 12
  • Xbox security and forensic challenges
    • Software modification (soft mod): based on buffer overflow vulnerabilities, see reference [4]
    • Hardware modification (hard mod): the original EEPROM is replaced; a modified OS that supports FATX can then be installed
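The chain of trust on slide 10 and the substitution/modification attacks on slides 7, 8 and 12 can be exercised with a small model. The block below is an added example written for this transcript, not code from the presentation or from Microsoft. It assumes HMAC-SHA256 as a stand-in for the real RSA-2048 signatures and decryption step, a single shared key standing in for the secure boot block contents, and an invented media-type bitmask; stage images are constructed stand-ins. What it shows is that every link refuses an unsigned substitute, that the media bits are covered by the signature, and that once the key has leaked (the Huang 2002 bus tap) an attacker can sign their own second boot loader and the chain accepts it.

```python
"""Model of an Xbox-style boot chain: secret ROM -> 2BL -> kernel -> game.
Added illustrative example; HMAC-SHA256 stands in for RSA signatures.
"""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Key assumed to live in the secure boot block (generated fresh per run).
SECRET_KEY = secrets.token_bytes(32)

# Assumed media-type bit layout for this model (not the real XBE field).
MEDIA_DVD_X2 = 0x1      # pressed game disc
MEDIA_DVD_R = 0x2       # recordable disc
MEDIA_HARD_DISK = 0x4
RETAIL_ALLOWED_MEDIA = MEDIA_DVD_X2


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    media: int      # only meaningful for games; 0 for boot stages
    tag: bytes      # MAC over (name, media, code); stand-in for the RSA signature


def _mac(key: bytes, name: str, media: int, code: bytes) -> bytes:
    msg = name.encode() + b"\0" + media.to_bytes(4, "little") + code
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_stage(key: bytes, name: str, code: bytes, media: int = 0) -> Stage:
    """What the vendor's signing step does; also what an attacker holding the key can do."""
    return Stage(name, code, media, _mac(key, name, media, code))


def verify_stage(key: bytes, stage: Stage) -> bool:
    return hmac.compare_digest(_mac(key, stage.name, stage.media, stage.code), stage.tag)


def boot(key: bytes, second_bl: Stage, kernel: Stage, game: Stage,
         allowed_media: int = RETAIL_ALLOWED_MEDIA) -> tuple[bool, str]:
    """Walk the chain as on slide 10; each link refuses to run an unverified next stage."""
    if not verify_stage(key, second_bl):
        return False, "secret ROM: second boot loader failed verification"
    if not verify_stage(key, kernel):
        return False, "second boot loader: kernel failed verification"
    if not (game.media & allowed_media):
        return False, "kernel: game media type not allowed"
    if not verify_stage(key, game):
        return False, "kernel: game signature invalid"
    return True, "boot ok"


def genuine_chain(key: bytes = SECRET_KEY) -> tuple[Stage, Stage, Stage]:
    """Constructed stand-in images (real ones are large binaries)."""
    bl = sign_stage(key, "2BL", b"second boot loader image")
    kernel = sign_stage(key, "kernel", b"xbox kernel image")
    game = sign_stage(key, "game.xbe", b"game code", MEDIA_DVD_X2)
    return bl, kernel, game


def tamper(stage: Stage, **changes) -> Stage:
    """Modification attack: change a field but keep the old tag."""
    return dataclasses.replace(stage, **changes)


if __name__ == "__main__":
    bl, k, g = genuine_chain()
    print(boot(SECRET_KEY, bl, k, g))
    print(boot(SECRET_KEY, tamper(bl, code=b"patched 2BL"), k, g))
    print(boot(SECRET_KEY, bl, k, tamper(g, media=MEDIA_DVD_X2 | MEDIA_DVD_R)))
    # Key leaked off the bus: attacker-signed 2BL is accepted.
    print(boot(SECRET_KEY, sign_stage(SECRET_KEY, "2BL", b"patched 2BL"), k, g))
```

The last call is the point of the Huang attack: nothing in the chain is weak cryptographically, but the root of trust is only as secret as the bus the key travels on.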
  • Slide 13
  • Satellites
    • Satellites communicate with two types of ground stations: communications stations and control stations (ground stations)
    • Satellite links:
      • Telemetry, tracking and control (TT&C) links: mission information and control of the satellite; require confidentiality and authentication
      • Data links
      • Cross-links
  • Slide 14
  • Satellites (figure)
  • Slide 15
  • Satellites (figure)
  • Slide 16
  • Automobiles
    • Driver safety is the safety-critical aspect of automobiles
    • Customer expectations: zero accidents; plug-and-play updates of ADAS technology; always-on interconnectivity
    • Design for safety and security
    • Security implementation considerations: resistance to attacks; reactions to possible attacks; technological advances
    • Example: duplicating metal keys vs. biometrics; but there are other input/output ports on the automobile network, e.g., tire sensors and side-view mirrors
  • Slide 17
  • Automobiles: Electronic Control Units (ECUs)
    • An in-vehicle distributed networked embedded system
    • Hard real-time control of the automobile's mechanical parts
    • Infotainment functions
    • Gateway between modern cars and their surroundings: traffic lights, smartphones, vehicle-accessible networks
    • Car-to-car and car-to-X communication: "cybercars"
  • Slide 18
  • (figure)
  • Slide 19
  • Cybercars
    • The in-car system, with its network and car components, has communication interfaces to external communication partners
    • Communication partners are represented by external devices, other cars, infrastructure, or the cloud
  • Slide 20
  • Vehicle attack surface (figure)
  • Slide 21
  • Vehicle vulnerabilities exploitation (figure)
  • Slide 22
  • Cybercar security challenges: in-vehicle security
    • The Controller Area Network (CAN) protocol is the most attractive protocol for attackers
    • Goal: embed security (authentication and data integrity) in the CAN protocol
    • Constraints: fault-tolerance times of about 100 ms; useful message sizes of approximately 2-4 bytes; a need for efficient cryptographic algorithms
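The replay, spoofing and splicing attacks defined on slides 7 and 8 are exactly what an unauthenticated CAN bus permits, and the constraints on slide 22 (a few bytes of useful payload per frame, tight fault-tolerance times) are why a full MAC cannot simply be appended to every frame. The block below is an added example for this transcript, not code from the presentation or from any vehicle vendor; it assumes a pre-shared per-message-ID key, a 4-byte payload, a 1-byte transmitted counter (with a 32-bit counter behind it) and a 3-byte truncated HMAC-SHA256, so that the whole authenticated frame still fits in the 8-byte CAN data field. The receiver reconstructs the full counter from its low byte, tolerates a bounded number of lost frames, and rejects replayed, spoofed and spliced frames. The sample frames are constructed inline.

```python
"""Truncated-MAC frame authentication for an 8-byte CAN data field.
Added illustrative example; key, sizes and window are assumptions.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

MAC_LEN = 3          # bytes of truncated MAC carried in the frame
COUNTER_LEN = 1      # only the low byte of the 32-bit counter is sent
MAX_LOST = 64        # lost frames a receiver tolerates before it needs resync
CAN_DATA_MAX = 8


def _tag(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """MAC binds the CAN ID, the full counter and the payload together."""
    msg = struct.pack("<HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int) -> None:
        self.key, self.can_id, self.counter = key, can_id, 0

    def frame(self, payload: bytes) -> Tuple[int, bytes]:
        """Build (can_id, data) with data = payload || counter_low || mac."""
        if len(payload) + COUNTER_LEN + MAC_LEN > CAN_DATA_MAX:
            raise ValueError("payload too large for an authenticated CAN frame")
        c = self.counter
        self.counter += 1
        return self.can_id, payload + bytes([c & 0xFF]) + _tag(self.key, self.can_id, c, payload)


class Receiver:
    def __init__(self, key: bytes, can_id: int) -> None:
        self.key, self.can_id, self.last = key, can_id, -1   # last accepted counter

    def accept(self, can_id: int, data: bytes) -> Optional[bytes]:
        """Return the payload if the frame is fresh and authentic, else None."""
        if can_id != self.can_id or not (COUNTER_LEN + MAC_LEN <= len(data) <= CAN_DATA_MAX):
            return None
        payload, low, tag = data[:-(COUNTER_LEN + MAC_LEN)], data[-(COUNTER_LEN + MAC_LEN)], data[-MAC_LEN:]
        # Reconstruct the full counter from its low byte, assuming it moved forward.
        cand = (max(self.last, 0) & ~0xFF) | low
        if cand <= self.last:
            cand += 0x100
        # Replayed frames land here (or fail the MAC below, since the counter is part of it).
        if cand - self.last > MAX_LOST:
            return None
        if not hmac.compare_digest(_tag(self.key, can_id, cand, payload), tag):
            return None   # spoofed payload, spliced bytes, or wrong key
        self.last = cand
        return payload


if __name__ == "__main__":
    key = bytes(range(16))                     # constructed pre-shared key
    tx, rx = Sender(key, 0x123), Receiver(key, 0x123)
    cid, data = tx.frame(b"\x01\x02\x03\x04")
    print(rx.accept(cid, data))                # b'\x01\x02\x03\x04'
    print(rx.accept(cid, data))                # None: replay
    cid, data = tx.frame(b"\x05\x06\x07\x08")
    print(rx.accept(cid, b"\xff" + data[1:]))  # None: spoofed first payload byte
    print(rx.accept(cid, data))                # b'\x05\x06\x07\x08'
```

Three MAC bytes give a forger a 1 in 2^24 chance per attempt, which on a bus that carries a few thousand frames per second is adequate only because the counter window also bounds how many attempts a single counter value admits; the trade-off between MAC length, payload bytes and the 100 ms fault-tolerance budget is the design decision slide 22 is pointing at.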
  • Slide 23
  • Cybercar security challenges: Car-to-X (a.k.a. Car2X) security and privacy
    • Car2X application example: active braking triggered by a warning message received over an external link, with a maximum delay of 250 ms
    • Requires plausibility checks as well as authentication and integrity
    • Consequence: a huge number of signature verifications per second
  • Slide 24
  • Cybercar security challenges: secure integration at the infotainment platform (head unit)
    • Insecure surfaces: media players and Bluetooth
    • The head unit runs three types of applications:
      • No access rights to the in-vehicle domains
      • Read access, e.g., diagnostic tasks, location data, fuel consumption, and the vehicle identification number (VIN)
      • Read/write access, e.g., firmware updates and control of the car
  • Slide 25
  • Conclusions
    • The integration of networked computation and physical components in cybercars makes them vulnerable to security attacks
    • Security must be integrated within the embedded system design flow; methodologies and tools need to be developed
    • In-vehicle attacks arrive through the car's internal wired network
    • Vehicle attack surfaces; future security risk: the externally facing attack surface of a car
  • Slide 26
  • What's an IMD? Implanted Medical Devices (IMDs) are surgically implanted systems that monitor physiological conditions and (usually) apply therapies
    • Pacemakers
    • Cardiac defibrillators
    • Neurostimulators
    • Drug-delivery devices
    • 25 million people in the U.S. alone are fitted with IMDs
  • Slide 27
  • What's an IMD? Medical devices are branching into many areas; someday, most people may have one
    • Example: Transcranial Direct Current Stimulation (tDCS) improves cognitive performance (and may also prevent migraines)
  • Slide 28
  • Why do we need to secure IMDs? IMDs are embedded systems: microprocessors, batteries, wireless interfaces
    • Why wireless? To update firmware and programming, and to provide telemetry
  • Slide 29
  • Two big dangers to IMD users
    • 1. IMD access is too easy
      • Landmark attack by Halperin et al. in 2008 (UMass, UW, BI)
      • The case of former U.S. VP Dick Cheney: he has a heart, he has a pacemaker (an IMD), and he was assassinated when his pacemaker was hacked over the air (thankfully only on TV)
      • In real life, it was revealed in 2013 that he had his pacemaker's wireless disabled in 2007 over concerns about hacking
  • Slide 31
  • Two big dangers to IMD users
    • 1. IMD access is too easy
    • 2. IMD access is too hard
      • E.g., a patient collapses on the sidewalk; EMTs arrive and try to read diagnostics or reprogram the IMD, but they can't get access (they can't remember the patient's first pet's name)
    • How do we address these conflicting challenges for emergency access to IMDs?
  • Slide 32
  • Conclusions
    • Heads of state shouldn't have to deactivate IMD features; today, though, it's perhaps prudent to do so
    • IMD authentication is an important and interesting problem at the physical/logical security boundary
  • Slide 33
  • Thank you
  • Slide 34
  • Questions?