
The Use of Threat Intelligence to Enhance Automotive Security

BSides Budapest · 2021 · 35:48 · 74 views · Published 2022-03
Speakers: Bence Horváth, János Kovács, Miklós Kiss
Category: Technical
Style: Talk
About this talk
This presentation was held at the #BSidesBUD2021 virtual IT security conference on 27th May 2021.

The Use of Threat Intelligence to Enhance Automotive Security, a presentation by Bence Horváth, János Kovács & Miklós Kiss.

Engine power, fuel consumption, driving comfort, and handling of a car are just a few of the dimensions that define the quality of a car. With more and more core vehicle functions enabled by software running on specialized hardware chips, the security of those components is fast becoming another dimension of quality in the automotive industry, similar to how physical safety is a major concern and quality parameter today. This talk aims to discuss the use of threat intelligence to empower both increased security in the design of new automotive systems and keeping existing components secure against newly discovered vulnerabilities and attack vectors.

https://bsidesbud.com All rights reserved.

Transcript [en]

So welcome everybody to our presentation on the use of threat intelligence in automotive security. Thank you very much for joining our little talk today. We're going to talk a little bit about the automotive threat landscape, the use of threat intelligence, and how to make intelligence actionable through threat modeling in the automotive world; then János is going to talk a little bit about product incident management and awareness, and then he's going to give you a short demo on project Dimitri. With you today are speakers from Ernst & Young as well as dustin group. My name is Bence Horváth; I lead our next-gen security operations and advanced security teams in the EY cyber practice in London, and I'll let János, my co-presenter, introduce himself.

Greetings everyone, my name is János Kovács and I am cyber security manager at decent group steering. We are currently working really hard to be compliant with the forthcoming ISO 21434 standard as well as UNECE Regulation 155, to create a secure automotive world.

Thanks János. Let's jump into the presentation directly. As mentioned in the agenda, the first topic is the automotive threat landscape, or, you know, what happens if the car basically becomes a computer on four wheels: what are the main elements of the threat landscape and the ecosystem today? On a very high level we see that now, with a modern, digital, connected car, automotive security has become a rather complex topic. You need of course to protect the products and services, as well as the production and operation of automotive components, but you also need to pay attention to protecting employees and consumers from malicious actors, as well as protecting businesses and branding. We've all known previous attacks against car makers as well as automotive suppliers that have unfortunately led to serious incidents; but even those that do not lead to any incident, very costly recalls and fixes in automotive products, can damage the business and the brands of the suppliers as well. And we really see this over a myriad of various vectors: from electric vehicles, where battery health status and management and over-the-air configuration and software updates are becoming increasingly commonplace these days; to intelligent vehicles and the safety and security features that are built into modern cars too; to simple constant updates to the infotainment systems that can arrive over the air. But if we go a little bit deeper and focus on connected vehicles, we do see that modern, digitally interconnected vehicles have very complicated inter-vehicle systems and run a complex controller area network that includes the ECUs as well as a number of sensors, physical as well as wireless; and as the complexity of these systems increases, so of course does the need to defend them. János, this is your absolute subject matter expertise and you've been working on this for quite a few years now: is there anything that you would want to add here as well?

Yes, thank you. Currently the big picture is presented, I guess, really well by UNECE Regulation 155, which is the key success factor of basically remaining on the market as an automotive participant in the close future. UNECE Regulation 155 represents a holistic view of vehicle cyber security, which covers the back-end infrastructure of the OEMs and the suppliers as well as the physical products manifested by the vehicles. So yes, I really like this figure because it contains everything we will need.

Thanks a lot. Yeah, we've tried to put everything together in one picture, which, as you mentioned, if you're going from a quite thorough and lengthy legislation, can be a bit of a challenge. But what does it mean in real life? What are some of the examples of attack vectors that we're seeing? Generally, what we've seen out in the wild are remote attack vectors that have, thankfully, at this point largely been realized under laboratory conditions. But it is possible for a remote attacker to use a connected device such as a passenger's phone to send malicious files: it can be a song, it can be any other file that is accessed through the phone OS; that phone is then connected to the IVI system of the car itself, and it is possible to execute certain attacks against certain types of vehicles. We will talk about this a little bit later. As well as the, I would say, more common attack vector that does require physical access to the actual debug port of the car by an attacker. Now, this physical access can of course be replicated through a physical device that is then internet connected, but it's definitely not something you can execute simply from a distance: you need physical access to the car, to the debug port of the car, where you are able to plug in malicious code directly via the car's debug port and thus take control over the vehicle. So these are, I would say, the main points of the current threat landscape in automotive security, which we're going to be referring to throughout our presentation.

Now for the next section of our presentation, let's talk a little bit about cyber threat intelligence, as the title of our presentation does talk about the application of CTI in an automotive context. In order to set the scene a little bit, let's talk about what cyber threat intelligence is. CTI is a topic that concerns itself with information, intelligence, about threats. The specific nature of intelligence is of course driven by the requirements, how we use this intelligence, that it has been designed to answer, as well as the nature of the audience to whom we're presenting this intelligence. CTI is actionable answers; it can be used as decision support to make certain choices, let them be the choices of using various technologies, or in order to support a risk-based decision. CTI is of course based on facts and corroborated observations, and on a higher level it does include a holistic approach. CTI in and of itself is not applied knowledge; it is not a covert action or an evidential chain. You don't need to be a 007 and take your Aston Martin to get cyber threat intelligence. In its most basic form, you could understand cyber threat intelligence as the answer to the questions: what are my top security risks? What are the threat actors targeting me, my products, my consumers, my customers, and what are their objectives? What do they want to do? Do they want to ransom, and their objective is financial gain? Or do they want to create fear, uncertainty and doubt in the capabilities of connected cars? And of course the third answer is applying CTI, this is when you get actionable: how do I use this knowledge of threat actors and their objectives to defend my products, defend my customers, defend my company?

There are four main types of CTI, which we differentiate by time horizon and level of context. If we are talking about immediate threats in a low-level context, this is technical intelligence; this is something that of course contains specific malware or vulnerability exposure, or information on how that vulnerability can be exploited. If we're moving to a higher level in the context area, then we're talking about operational intelligence: details about certain attack vectors, information about targeting; this is information that can support structured decisions on the lower management level, how do you support designing, defending the enterprise as well as defending certain products that are in the product security team's remit. If we are thinking more around the low level of context but on the long-term time horizon, then we arrive at tactical intelligence, that supports middle management and semi-structured decisions; this is when we're talking about the tactics, techniques and procedures, TTPs, of attackers, and understanding how those change over time. And if you are talking about a high level of context and of course long-term time horizons, that would be strategic intelligence, that is really there to support unstructured decision making; this is horizon scanning into the future.

Now if we have our own threat intelligence, how can we apply that? As I mentioned, intelligence in and of itself is just data, it's information. How can we go from threat intelligence to threat modeling? Of course we can create specific threat profiles, specific concepts, from our knowledge of the products, our knowledge of the enterprise, as well as our knowledge of the threat landscape, and we can develop complex use cases based on these various threats. We can feed these into, for example, a product development life cycle to look for specific violations, suspicious events, even malicious behavior; because, as we mentioned in the earlier part of the presentation, you might have absolutely valid reasons to access the debugging port of a car, for example when it is brought in for maintenance, and you could also have malicious reasons to inject code into the vehicle system that would enable an attacker to then take control over the car. This is of course a cycle that keeps feeding on itself, and we can also take into account various additional context around controls that exist in our products, the risk that these certain vulnerabilities expose, as well as the threats. If the threat is something really serious that would affect the handling or the safety features of a vehicle, then of course that raises the risk level of that particular issue; but if the exploit is very much theoretical and would require a level of access to the car as well as specialized hardware, that of course decreases the risk, as well as, you know, there are additional controls that you can apply to say: okay, in theory this particular vulnerability can be exploited, but we've already put in various compensating controls, other measures, to combat this threat. For the second part of the presentation I will hand over the ball to János to talk about the organizational benefits of CTI.

Thank you Bence. So what are the organizational benefits of CTI? First, the most obvious value created for an organization leveraging this type of service is that CTI can be an important trigger of product incident management, because the situation for automotive products is really specific and really unique in the world of cyberspace. The automotive products are basically left in the digital wilderness, because it is really problematic to collect product cyber security data from the field; especially as a tier one supplier, we do not have direct access to our products in the field. We can of course leverage data collected by the fleet management systems, however this is not like operating a security operation center connected directly to the infrastructure you operate, but rather leaving our products basically in the wild. And also the hackers and malicious attackers are able to examine and attack the products without basically being bothered; we do not know about these kinds of attacks, because you can just disassemble a vehicle and start disassembling and examining the embedded products, and nobody will detect you doing so, because this is a part removed from the vehicle, without the power supply and the data bus connection of the vehicle. Furthermore, it is very important to consider that the more time passes between the zero-day exploit and the discovery of the system compromise, the more harm can be done. It is a universal truth, and this makes this interval, or rather shortening this interval, a key success factor for keeping our product secure. And this is because using such a service can make the difference between a secure product and basically an insecure product, so the involvement of an experienced third party can be a major step for gaining these benefits and getting to this achievement.

What else can this data be useful for? Furthermore, Bence mentioned that making the threat models more accurate is also a valuable benefit of this service, and I strongly agree with him, because threat analysis and risk assessment is the basis of product cyber security concepts: creating a threat model and placing our product in cyberspace within its context, and understanding its context. These threat models' accuracy is also a key success factor for keeping a product secure, so it is also important to collect this data, because we have a minimal amount of exact historical data about the impacts of a vehicle product security breach, and because of this we cannot really estimate precisely the impact of a security breach. Because of that, examining the transportation industry landscape is more important than ever, and the CTI data can be a basis of these interpolations, and it would make the company able to assess the product-related cyber security risks in a more accurate way. There is also one thing, that the fragmented information of the CTI service can keep the threat model up to date, and it would make us able to react faster and swifter. And there is also one thing, that CTI information can be a valuable asset in keeping up the awareness, the cyber security awareness, and more precisely the product cyber security awareness. We can leverage lessons learned, and I should say that lessons learned is one thing where we can turn our previous failures into future opportunities; and I shall say that even the exploits of other products can be useful, if we can find the analogy between those exploits and our products' way of working and even architecture. The company educational programs shall include these vulnerabilities, and the education on these vulnerabilities can direct the focus of the development and the vigilance of assurance towards fixing these future vulnerabilities. And, you know, fixing vulnerabilities which were never placed inside the product is the cheapest way of fixing vulnerabilities. This information can also be the basis of future test scenarios.

It happened that I had some free time in the past, and I thought about what could be the more valuable application of this threat information in the awareness program, and I happened to create the Dimitri project. The Dimitri project is an open source project which is basically a story-based classic role-playing game, but focusing on typical embedded vulnerabilities and, I should say, public information obtained from public vulnerability databases. I strongly believe that this project can be an important example, or a useful example shall I say, for any other professionals in the cyber security industry implementing a security awareness program, because it means gamification, and learning via gamification: if we see there are important vulnerabilities in the market, then we shall prepare not to place these vulnerabilities inside our products. So in the Dimitri project there are two parts. One is the story, which is placed in a cyberpunk-inspired Eastern European city, Chernograd, where there is an oppressive regime; so it's basically a quite generic cyberpunk story, and you are a quite amateur vehicle electrician called Dimitri who stands up against this oppressive regime, firstly to get the vital resources for him and his friends, and after that even, how can I say, defeating this oppressive regime. So this is basically based on the classic Fighting Fantasy books you are probably familiar with from the 90s. The other part, the technical part, is where we visualize the environment, simulating a connection between a diagnostic tool and an automotive embedded ECU, and you have means for communicating with the ECU using diagnostic protocols, and there are common vulnerabilities placed inside those ECU models; and this, how can I say, capture-the-flag game is closely connected and proxied with the story itself.

Here you can see Dimitri part two, this is basically stage two. Many thanks to Paul Rybar for sharing this image of this gopnik guy with me and letting me use this resource in my project. Here the story is that Dimitri and his friends set up an ambush on an autonomous transportation truck carrying food and other supplies to the, how can I say, rich people loyal to the oppressive regime. They do not have these kinds of resources, but these are vital for them, I mean Dimitri and his friends need these resources, so they made this ambush to rob this vehicle and get the food and supplies. Dimitri tried before, during basically the tutorial mission, to cause a denial of service on the ECU, and he found a way of doing that, and he is basically ready for carrying out this attack. This model does not focus on getting connected to this car, but this connection is made, according to the story, by connecting a remote dongle to the car, leveraging insider threats, as Dimitri has a friend working in the transportation company. Okay, and here is the first help: that we should execute the run stage 2 bash file. I hope you can see my screen. Now we executed the bash script and here we see that we just started up on our computer the diagnostic tool; here we see the basic commands, and we start to cause this denial of service. If this denial of service on the engine control unit is successful then the car will stop and we will be able to get what we need from the cargo. Okay, here we see that we shall use tester con to connect the tester to the vehicle. We connected, it is successful, and Dimitri happens to know the correct command for causing this denial of service because he tried it in his home laboratory; so, it's a little bit of a spoiler, but he shall use the ECU reset to cause this denial of service, because when you send the reset then the ECU will stop working and the engine will stop working. But hey, it is a really big problem, because we got a negative response: permission denied, authentication is needed for this service. Because maybe it happens that the OEM, which is the Syndicate automotive company, a fictional company of course, made a security patch fixing the vulnerability Dimitri exploited in the last stage. So Dimitri might be in a bit of trouble; something is wrong, and Dimitri needs to fix this problem in the field and try to find another vulnerability. Here we have some hints, some help, and we can get them by coloring the fonts, coloring the text which is hidden: we shall think about leveraging a service other than diagnostics, because the diagnostics is basically hardened and we cannot exploit this one.

So what can we do? We have the standard diagnostics, and we also have the universal measurement and calibration protocol called XCP. We shall go by that: we connect to XCP and we shall read the memory map. Okay, here we see the values, the variables mapped to the A2L file, and here we see that there is a privilege level; if I read it out it's a one, which might mean in our case that this is a default value, we are in the default field mode, basically. Okay, let's move further. What can I do? I could try to overwrite this value, maybe to a 2. I executed this job; let's see what happened. It's still the same; we might have no permission for writing this value, even with the XCP protocol. Okay, let's use another hint. This other hint is that we should get familiar with the CWE Top 25. Let's see what we can see here; I try to make it a little bit quicker because I see we are running out of time. What can we see here: that the second one is out-of-bounds write, and out-of-bounds read. And what we see here, we have memory addresses; let's try what we can do: XCP read address. If we try, for example, the consecutive failed attempts, this is not ready, something went wrong; but the privilege level is able to be read out, and it is a one. But how about trying an enormously large number? It happened to work: the ECU is reset and the car stops. If we move further, then we can see that Dimitri and his guys get the resources they need and everybody is happy, even the neighborhood has its stomach filled. And after that, I think this is also really important, there is a takeaway box, which is for educational purposes, and the key takeaway information is listed here, that the developers and the participants of the product lifecycle might be able to use in their further career. Okay, thank you for your attention, and we are glad to answer your questions in the remaining time left.

Thank you very much everybody, and thank you very much János for the very exciting story and presentation that you've given us. And yes, I believe now it's time for Q&A.
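The stage-two exchange János walks through above (a hardened UDS ECUReset that now answers with a negative response, then an XCP memory read whose unchecked address takes the ECU down) is reproduced below as an added editorial example. It is not code from the Dimitri project or from the speakers: it is a constructed toy ECU with simplified framing (no CAN-TP transport, no A2L parsing), and the memory size, the privilege-level address and the single-byte "field mode" value are assumptions chosen for illustration. The UDS service and negative-response codes and the XCP packet identifiers and error codes are the ones from ISO 14229-1 and ASAM MCD-1 XCP. The same ECU object can be built with and without the bounds check, so the vulnerable behaviour and its fix sit side by side.

```python
"""
Toy ECU with two diagnostic surfaces: a hardened UDS (ISO 14229-1) service and an
XCP-style (ASAM MCD-1) calibration service whose SHORT_UPLOAD handler may or may
not bounds-check. Constructed for illustration; transport framing is omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, NoReturn

# UDS service identifier and negative-response codes (ISO 14229-1)
UDS_ECU_RESET = 0x11
UDS_NEGATIVE_RESPONSE = 0x7F
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_INCORRECT_LENGTH = 0x13
NRC_SECURITY_ACCESS_DENIED = 0x33

# XCP packet identifiers and error codes (ASAM MCD-1 XCP)
XCP_CONNECT = 0xFF
XCP_SHORT_UPLOAD = 0xF4
XCP_PID_RES = 0xFF
XCP_PID_ERR = 0xFE
XCP_ERR_CMD_UNKNOWN = 0x20
XCP_ERR_OUT_OF_RANGE = 0x22

# Hypothetical memory layout, standing in for what an A2L file would describe (assumption)
MEM_SIZE = 64
PRIVILEGE_LEVEL_ADDR = 0x10
PRIVILEGE_LEVEL_FIELD_MODE = 1


class EcuReset(Exception):
    """Raised when the simulated ECU faults and restarts: the engine stops."""


@dataclass
class ToyEcu:
    security_unlocked: bool = False   # no UDS SecurityAccess (0x27) has been performed
    xcp_bounds_check: bool = True     # False models the unpatched calibration stack
    memory: bytearray = field(default_factory=lambda: bytearray(MEM_SIZE))
    resets: int = 0

    def __post_init__(self) -> None:
        self.memory[PRIVILEGE_LEVEL_ADDR] = PRIVILEGE_LEVEL_FIELD_MODE

    def _fault(self) -> NoReturn:
        """Model a hardware exception: the ECU restarts and engine control is lost."""
        self.resets += 1
        raise EcuReset("ECU reset: engine stopped")

    def uds(self, request: bytes) -> bytes:
        """Hardened diagnostics: ECUReset is only honoured after security access."""
        sid = request[0]
        if sid != UDS_ECU_RESET:
            return bytes([UDS_NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED])
        if len(request) != 2:  # SID + reset sub-function
            return bytes([UDS_NEGATIVE_RESPONSE, sid, NRC_INCORRECT_LENGTH])
        if not self.security_unlocked:
            # The OEM's "security patch" from the story: 0x7F 0x11 0x33
            return bytes([UDS_NEGATIVE_RESPONSE, sid, NRC_SECURITY_ACCESS_DENIED])
        self._fault()  # an authorised hard reset restarts the ECU as requested

    def xcp(self, cto: bytes) -> bytes:
        """Calibration protocol: CONNECT and SHORT_UPLOAD (read `count` bytes at `address`)."""
        pid = cto[0]
        if pid == XCP_CONNECT:
            return bytes([XCP_PID_RES, 0x00])
        if pid != XCP_SHORT_UPLOAD:
            return bytes([XCP_PID_ERR, XCP_ERR_CMD_UNKNOWN])
        count = cto[1]                                  # byte 2 reserved, byte 3 address extension
        address = int.from_bytes(cto[4:8], "little")
        # Written so the check cannot wrap if ported to fixed-width C integers
        size = len(self.memory)
        if self.xcp_bounds_check and not (address < size and count <= size - address):
            return bytes([XCP_PID_ERR, XCP_ERR_OUT_OF_RANGE])
        try:
            data = bytes(self.memory[address + i] for i in range(count))
        except IndexError:
            self._fault()                               # CWE-125: read past the end of RAM
        return bytes([XCP_PID_RES]) + data


def short_upload(address: int, count: int) -> bytes:
    """Build an XCP SHORT_UPLOAD CTO: PID, count, reserved, address extension, 32-bit address."""
    return bytes([XCP_SHORT_UPLOAD, count, 0x00, 0x00]) + address.to_bytes(4, "little")


def run_stage2(ecu: ToyEcu) -> Dict[str, object]:
    """Replay the demo: UDS reset refused, privilege level read via XCP, then a huge address."""
    result: Dict[str, object] = {}
    result["uds_reset"] = ecu.uds(bytes([UDS_ECU_RESET, 0x01]))        # 0x01 = hardReset
    ecu.xcp(bytes([XCP_CONNECT, 0x00]))
    result["privilege_level"] = ecu.xcp(short_upload(PRIVILEGE_LEVEL_ADDR, 1))[1]
    try:
        result["oob_read"] = ecu.xcp(short_upload(0xFFFFFF00, 7))
        result["engine_stopped"] = False
    except EcuReset:
        result["engine_stopped"] = True
    return result


if __name__ == "__main__":
    for label, ecu in (("unpatched XCP", ToyEcu(xcp_bounds_check=False)), ("patched XCP", ToyEcu())):
        print(label, {k: (v.hex() if isinstance(v, bytes) else v) for k, v in run_stage2(ecu).items()})
```

The point the demo makes, and the one the code keeps visible, is that hardening one interface (the UDS negative response 7F 11 33) does nothing for a second interface on the same ECU; the threat model has to cover every service that can touch memory, and the bounds check belongs in the handler that dereferences the address, not in the tester.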
