Cars are likely the most complex connected devices we see. The attack surface is immense – the Internet, cellular, Bluetooth, custom RF protocols, DAB, media files imported over USB, remote diagnostics, telematics, mobile apps… the list goes on.
What are the most common issues in these areas?
- Use of plaintext communications, allowing traffic to be intercepted and tampered with. Transport encryption is vital, especially on mobile devices that often use untrusted Wi-Fi connections.
- Insecure storage of data on the device, allowing an attacker to obtain secrets such as stored passwords, Wi-Fi PSKs, and other keys. Device capture or a malicious app can make this possible.
- Insecure direct object reference – the API uses something like a VIN or a sequential ID to look up data without checking that the caller is actually authorised for that vehicle.
- Weak device pairing – it’s important that it isn’t possible to pair a new mobile device with an already paired car!
- Debug or hidden functionality – frequently the mobile application contains references to functionality that should never end up in a customer’s hands.
- Outsourced application development, leading to loss of control and oversight of application and API security.
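As an added illustration of the insecure direct object reference bullet (example code written for this page, not from any manufacturer's app or API), the Go program below contrasts a vehicle-location endpoint that only authenticates the caller with one that also checks that the VIN in the URL belongs to the authenticated account. The VINs, bearer tokens and in-memory maps are constructed stand-ins for a real database and session store.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data standing in for the backend: which account owns
// which vehicle, and the last location each vehicle reported. The VINs are
// made-up values used only for this example.
var vehicleOwner = map[string]string{
	"VIN-ALICE-0001": "alice",
	"VIN-BOB-0002":   "bob",
}

var vehicleLocation = map[string]string{
	"VIN-ALICE-0001": "51.50,-0.12",
	"VIN-BOB-0002":   "48.85,2.35",
}

// Bearer token to user; a hypothetical stand-in for real session validation.
var sessionUser = map[string]string{
	"tok-alice": "alice",
	"tok-bob":   "bob",
}

func authenticate(r *http.Request) (string, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	user, ok := sessionUser[tok]
	return user, ok
}

func vinFromPath(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/api/vehicle/")
}

// vulnerableHandler authenticates the caller and then trusts the VIN in the
// URL as the only selector: any logged-in user can read any vehicle's location.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := authenticate(r); !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	vin := vinFromPath(r)
	loc, ok := vehicleLocation[vin]
	if !ok {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"vin": vin, "location": loc})
}

// hardenedHandler does the same lookup but first checks that the VIN is owned
// by the authenticated user. Unowned and unknown VINs both get 404, so the
// response does not confirm which VINs exist.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := authenticate(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	vin := vinFromPath(r)
	if owner, known := vehicleOwner[vin]; !known || owner != user {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{"vin": vin, "location": vehicleLocation[vin]})
}

// request drives a handler in-process and returns the HTTP status code.
func request(h http.HandlerFunc, token, vin string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/vehicle/"+vin, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Bob, validly logged in as himself, asks for Alice's car.
	fmt.Println("vulnerable, bob -> alice's VIN:", request(vulnerableHandler, "tok-bob", "VIN-ALICE-0001")) // 200
	fmt.Println("hardened,   bob -> alice's VIN:", request(hardenedHandler, "tok-bob", "VIN-ALICE-0001"))   // 404
	fmt.Println("hardened,   alice -> own VIN:  ", request(hardenedHandler, "tok-alice", "VIN-ALICE-0001")) // 200
	fmt.Println("hardened,   no token:          ", request(hardenedHandler, "", "VIN-ALICE-0001"))          // 401
}
```

The important detail is that authentication and authorisation are separate checks: the vulnerable handler has a perfectly good login, and the flaw is entirely in trusting the caller-supplied identifier afterwards. Returning the same 404 for "not yours" and "does not exist" also stops the endpoint being used to enumerate valid VINs.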
Fifteen of the “most hackable and exposed surfaces” on a modern car:
- Remote Link Type App
- Airbag ECU
- OBD-II
- USB
- Bluetooth
- DSRC-Based Receiver
- Passive Keyless Entry
- Remote Key Entry
- TPMS
- ADAS System ECU
- Lighting System ECU
- Engine and Transmission ECU
- Steering and Braking ECU
- Vehicle Access System ECU
- User’s Smartphone
A high-level look at the areas of significant cybersecurity risk includes:
- Secure Boot – Works with the hardware to ensure that the loaded software components are valid to provide a root of trust for the rest of the system.
- Hardware Security – Secure boot and software attestation functions: Detects tampering with boot loaders and critical operating system files by checking their digital signatures and product keys.
- Network Security – Message authentication: verifies that communications come from an approved source, with defences that stop authentication from being spoofed, or recorded and replayed.
- Cloud Security – Secure authenticated channel to the cloud: Leverages hardware-assisted cryptography for remote monitoring, software updates, and other communications.
OWASP and others publish guidelines to help secure mobile applications and web APIs. Following these will place you in a stronger position than most.
Encrypt and sign your firmware – if an attacker can simply download and unpack your firmware to reverse engineer it, you have missed a useful layer of security. Signing your firmware protects against malicious updates.
Disable unused functionality – frequently our route into embedded devices is via functionality that a user will never use, such as a serial port, JTAG, telnet, or hidden debug functionality. Remove everything that will not be used from production devices.
Every system will contain vulnerabilities and bugs. Because of this, it is vital that you can update the firmware in devices in a seamless and secure manner.
In the past, embedded, IoT and automotive systems have not dealt with this well. Frequently firmware updates need to be performed manually, or worse still, by a garage as part of a service.
Firmware update mechanisms in vehicles must be reliable. With over 100 ECUs in some modern vehicles, bricking any one of them would likely result in an undrivable car.
It’s also important the update mechanism is secure. Frequently firmware updates are a source of vulnerability in themselves – what happens if an attacker can upload their own firmware, or downgrade a system to a version with a previous vulnerability?
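The points above about signing firmware and about secure, downgrade-resistant updates can be demonstrated together. The Go program below is an added example written for this page, not code from any vehicle or ECU vendor: the vendor signs a small manifest (version number plus image hash) with an Ed25519 key, and the ECU-side verifier rejects forged signatures, tampered images and downgrades. Keys are generated fresh at run time and the firmware "images" are constructed byte strings; encrypting the image at rest, which the text also recommends, is left out to keep the example focused on signing and anti-rollback.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata the vendor signs: a monotonically increasing
// version (the anti-rollback counter) and the SHA-256 of the image bytes.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// encode gives the fixed-layout bytes that are signed and later verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignedUpdate is what the vehicle receives. Only the manifest is signed;
// the image is bound to it through the hash.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed version")
	ErrImageHash    = errors.New("image does not match signed manifest")
)

// BuildUpdate is the vendor side: hash the image and sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

// VerifyUpdate is the ECU side. The vendor public key (in practice held in
// ROM or an HSM) and the installed version are the only trusted inputs.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	// 1. Authenticate the manifest before trusting anything in it.
	if !ed25519.Verify(pub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a genuinely signed but older image is still rejected.
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	// 3. Bind the delivered image bytes to the signed hash.
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrImageHash
	}
	return nil
}

// Scenarios exercises the four outcomes an update path must distinguish,
// using freshly generated keys and constructed images.
func Scenarios() (genuine, tampered, downgrade, forged error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed ECU firmware image v2")
	installed := uint32(1)

	good := BuildUpdate(priv, 2, image)
	genuine = VerifyUpdate(pub, installed, good)

	// Attacker swaps the image but reuses the vendor's valid manifest and signature.
	bad := good
	bad.Image = []byte("constructed ECU firmware image v2 + backdoor")
	tampered = VerifyUpdate(pub, installed, bad)

	// Downgrade attempt: a real, vendor-signed v1 presented to an ECU already on v2.
	downgrade = VerifyUpdate(pub, 2, BuildUpdate(priv, 1, []byte("constructed firmware v1")))

	// Forged update signed with a key the ECU does not trust.
	forged = VerifyUpdate(pub, installed, BuildUpdate(attackerPriv, 3, image))
	return
}

func main() {
	g, t, d, f := Scenarios()
	fmt.Println("genuine:  ", g) // <nil>
	fmt.Println("tampered: ", t) // image does not match signed manifest
	fmt.Println("downgrade:", d) // update version not newer than installed version
	fmt.Println("forged:   ", f) // manifest signature invalid
}
```

Two design choices matter here. The signature is checked before anything else, so an attacker-controlled manifest cannot influence the version or hash comparisons; and the version check uses the installed version as a trusted input, so even a correctly signed older image is refused, which closes the downgrade route the text warns about. On real hardware the public key and installed version would live in protected storage so that the same checks cannot be bypassed by rewriting them.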