
Vehicle Hacking

BSides Detroit · 58:21 · 620 views · Published 2012-06
About this talk
Mike Westra talks with us about several papers on vehicle hacking and some high-level security principles for mitigating vehicle hacking.
Transcript [en]

So I was asked to come here and talk a little bit about security. First, from a logistics standpoint: can everybody hear me okay? Yes. If anybody has any questions, I would like this to be interactive, so if folks have questions you can stop me; I don't need to wait till the end. Hopefully I won't lose myself in the process; I don't think that'll be a problem.

From an agenda standpoint, we'll talk a little bit about some of the specific challenges in automotive. I borrowed some of this from my colleague here, Mr. Forrester, from General Motors, so I changed it a little bit, but he heads the SAE committee for automotive security, so he had a good presentation on security. I'll give a little bit of a talk on SYNC, which is, from a real-world standpoint, some of the security thinking that went into this particular product, and then end with a bit of discussion about where the industry is, where some of the industry-wide hacking attempts are today, and where some of that may go.

So, first point: automotive is very challenging. From a general standpoint, automotive product development is easily two to five years, so there's a very long lead time. It's not like a typical mobile platform or even an IT project; there's a lot of advanced planning and work that has to go into it. Vehicle programs tend to be on a three- to six-year time frame, where they get refreshed in stages in that period. The lifetime of a vehicle can be three to five or more years, and then often we're required by law to service it for 10 years after that, but obviously folks will have the vehicles on the road potentially much longer. The point around that is: do we know what challenges we're going to face for security, and what challenges we're going to face just for infrastructure, in 20 years? From a typical IT standpoint that's not what you have to look at, but from an automotive standpoint you have things that are on a much longer time horizon, as far as how long they're going to live and how long they have to be robust and operate the way they were expected to.

The other big challenge about automotive is that people think of an automobile as a collective unit. It isn't. You can almost think of it as a collection of discrete modules from many vendors, with their own views of security, their own architectures, their own view of what they consider intellectual property. So from an OEM standpoint it's often challenging to get them to open up and answer security questions, and unfortunately with some OEMs you even get the response back, "What's a threat model?" or "Why would I want to do any security at all? This seems like extra overhead that I don't want to pay for."

Then, as a sort of sub-tick, it includes everything you can imagine, from very low-end 8-bit microcontrollers all the way up to 32-bit ARM processors. Where that becomes interesting is that we tend to think of security from traditional cryptography views of the world: if I want to protect against software malfeasance, I'll just use one of the NIST standard algorithms like RSA or asymmetric cryptography. On an 8-bit microcontroller that gets to be a little bit challenging, and so, depending on what the application is, you have to protect across that wide swath, which is why you get some very interesting hacks, and some of the white papers just scratch their heads and say, how is it that it's so easy to get into the vehicle systems at this level?

The final point is that you get some very unique service requirements. To expand on that, you even get some very unique laws that you wouldn't see in other industries. The federal government, the European governments, and governments around the world tend to regulate automotive, avionics and those industries much more heavily than you would, say, an IT industry, certainly the mobile phone industry at this point. So you get things like right-to-service laws, which mandate that an OEM cannot lock out anybody who would want to service a vehicle, for any reason. So, not that security by obscurity is a good thing, but the idea that you would lock certain things out, you can't do that. Basically the laws say you have to be able to... a clicker, which button do I push? Oh, the forward, backwards, let's see if that works. Oh, Windows is telling me helpfully that, yes, it is there.

Well, we'll give it a second to install, and then... hmm. Oh well, where were we? Oh, right to repair. So automakers have to provide mechanisms for not only our own dealerships but Pep Boys or Hackers R Us to get the tools that are used to reprogram the modules, perform diagnostics, and do anything that would be considered service or diagnostics. Does it work? Yay.

And the other point is that there are often disconnected service scenarios. So you'll have scenarios where you've got a thousand vehicles sitting in a parking lot somewhere and service techs have to go through and update them to bring them up to local laws if they're being exported to China or something like that, or there are software updates or service pieces that have to be installed on those. So it definitely makes for a very interesting set of security constraints that are placed on automotive, just from the start of things.

The second background piece is that most automotive networks are based on CAN, which is Controller Area Network, which is basically a technology where these groups of modules and automotive components can communicate with each other. It's popular to some degree in avionics and some medical device applications as well, but it's heavily used in automotive just because it's very inexpensive, the weight requirements as far as the wiring are there, and it historically meets all of the automotive electrical requirements. So to contemplate how things work in the world of CAN, first we have to shift our mental model from thinking of a networking-type protocol to thinking like a pure electrical engineer would, so it's purely based on the concept of signals, and where we lay out...

[...] a discrepancy. So what we basically did is we had a special mode for the module. On the moving assembly line it would get the signal from the test station, it would go into the mode, it would start downloading the pieces that it was told to, validate them, and then finish customizing itself at the end of the process. We looked at the alternative, which was... I mean, folks probably don't know, there's a big problem in the auto industry in general where they usually say, hey, there are four million different ways that you can possibly build this vehicle, there's no way you can possibly test every single one of them. So that's the classic combinatoric problem: I might have a moonroof, or I might have these kinds of tires, or I might have this kind of engine paired with this. If you're just allowing arbitrary pairings you get a geometric explosion, and what we found is that just with language packs, whether it was Ford or Lincoln, or the brand options like navigation, or regional options, you quickly got into several hundred different physical parts that you would have to maintain. So what this really did is let us maintain, from a software quality standpoint, one base part, and then customize the personality of it as it was going down the assembly line. That was quite interesting from a security standpoint; it was very similar to the USB update in terms of the code signing, and then we had some security to make sure that it wouldn't get back into this mode even after it left the assembly line and somebody tried to reprogram it or reflash it or make changes within it. Any questions? No.

The other interesting topic is around mobile integration, which I thought would be very interesting for this group. This is a really hot topic in the automotive and some other communities, as we're finding out right now, just because smartphones, I think a lot of the studies say, will reach 50 percent or greater penetration in the next couple of years. By show of hands, how many folks have a smartphone? And I would actually include BlackBerry, though that's kind of questionable. So, yeah. Ooh, ain't nobody here works for RIM, right? No, I have a BlackBerry, so I won't. So it's easily about half the folks in the room.

There's been a lot of interest, especially Ford's broader strategy, but I know GM, Toyota, Hyundai, everybody's pretty much looking at it. There's starting to even be some industry consortium work being done in this area. Ours is AppLink; then there's MirrorLink. So let me talk a little bit about the different models. MirrorLink is the one that's pushed forward by the Connected Car Consortium. Conceptually, well, not even conceptually, it's literally just running VNC over some data link, whether it's USB or Bluetooth, and then they extend it with some additional parameters. So basically you're just taking your cell phone's screen and displaying it on the head unit, and there you go. Of course the high-end automotive companies' response was, yeah, that's good, we can stop there. The issue is, when you get into the US you again get this thing called the federal government that gets very interested, and they have these things called driver distraction laws. I make it sound bad, but it is actually a very good thing. The intent is absolutely hands on the road, eyes on... hands on the wheel, yeah, eyes on the road. Yeah, you should be texting while you're driving and looking down here? No, actually. If you listen to Ray LaHood, that's the bane of all evil, and he's made some very interesting statements about just banning all cell phone use in the car and requiring automakers to block Bluetooth signals. And then of course there are lots of fun and interesting security questions you could ask around that: what would I do for denial of service for a passenger, or if there was an emergency, what if I disabled that device?

So there's a lot of interest from the federal government around this HMI, or human-machine interface: that you're not looking away from the driving task, you're not looking at your phone, you're not spending too much time looking at the center stack. One of the challenges with MirrorLink, which a lot of the automakers, I know GM, Chrysler and Ford, have all expressed, is that you're just mirroring what's on your smartphone display onto the center stack, and Apple, for whatever reason, doesn't take driver distraction into account, nor should they really, because that's not the purpose of the device. So you get a disconnect from both a legal and a functional standpoint. They've tried to fix it by forcing the concept of TPM into the smartphone side. They've asserted that they're going to ask the phone makers to put in a full TPM stack, do full digital certificates from the cell phone to the automotive side and back, and do application verification. It gets very messy very quickly.

AppLink is based on a different approach. There's a set of APIs that we've defined that are very limited, very smartphone-oriented, and have the assumed rules of driver distraction built into them. That library gets built into somebody's smartphone app if they want to integrate with the car, and then basically they can make what amounts to API calls to use the voice engine and display limited sets of menus. Those menus are restricted as far as how many glances or how many page turns they can do, because you get into some esoteric interpretations of the law: you're not allowed to go through so many menus in a certain amount of time or within a certain number of glances, and certain logical functions have to be locked out.

Then, similarly, others, I think Toyota does this and Kia might as well, have a signature gateway application, where someone like Pandora or Stitcher pays the OEM money and they'll integrate it into their signature application, integrated into the actual head unit software stack, and then basically you can interact through the back end through that. There are a lot of logistical problems with that, as we see it; it just doesn't scale as well.

So each model has different going-in security assumptions. Ours, when we went into it, were basically: apps are untrusted and can never be trusted. You can't build a secure smartphone app, period. It will not happen for the general masses. Obviously if you're in an enterprise or you work for the government, there's a lot of work going on to do virtualized isolation layers and things like that, but for a general consumer the smartphone is just, you assume it's filled with malware and it's completely untrusted. Assumptions about spoofing applications: we do provide an API, right now with partner apps, so the assumption is, yes, somebody could pretend to be Pandora or Stitcher or NPR or something like that, but then they would be asserting that they're Pandora. The consumer, well, first the consumer would notice that, hey, this isn't behaving like Pandora. Second, you have some legal remedies with some of the app stores. Android's a little bit funny; Apple and iOS tend to be very, "Hey, if you're not obeying the rules, then you're at our mercy, because this is our walled garden and you're a guest here." So that's the thinking that we put into it. Apps are hosted, or directly displayed, or activated via API; those are the three models. Any questions on that? I kind of blew through that pretty quickly; I thought it would be an interesting topic for discussion in this forum. Those are the assumptions.

And then the last point: it's not just about security, and I think that's a big point that was made in a lot of the other discussions. Security doesn't just stand by itself; it often goes hand in hand with whether it's availability that's the key piece, or liability, or whatever is critical to the business. Yes?

How malleable are those discussions, those decisions, in the industry?

You mean in terms of the application interface or the driver distraction piece? Yes, both. So on the mobile app piece, I would say that is still heavily evolving and there's a lot of debate as to how this will all coalesce, whether it's around standards or, because I think a lot of the OEMs are seeing that, hey, it's a big enough deal that one company is not necessarily going to be able to do it all. Right now each automaker kind of has their own approach, and that's the way it's going. MirrorLink is kind of on its own too, because it's primarily a Nokia-led initiative, and Google and Apple have not been at all interested in coming to the party, so there's some question about how much traction they can get when those guys combined own 70-plus percent of the market, and I'm being very generous; they probably own much more.

The other piece, on driver distraction, that's an interesting question. The way it works now is, how to state this without sounding flippant, it's somewhat of a gentleman's agreement. There are general conceptual guidelines and frameworks, and each automaker does some level of interpretation. At Ford, our legal department has put some very strong guidelines in place, so things like: the task has to be related to driving. You don't want to check, say, your stock quotes while you're driving, as much as some people would like to. It cannot be business related; it has to be related to the driving task. The technical agreements don't get into that detail. Well, fortunately or unfortunately, NHTSA has put out drafts of something more formal and more prescriptive, so they've said things like moving maps on an OEM-sponsored screen should be considered a no-no; they can only update once every two seconds, and things like that. Obviously I don't officially speak for Ford in this, but there's a lot of concern, because that actually in some respects makes it harder to tackle the driver distraction problem. I mean, having driven both with a map down here, a paper map, and having had a navigation system here, this is a lot easier and a lot less distracting when you can just glance over and it's going to tell you by voice that you need to turn in 20 feet, versus here, where you've got to glance down at a map, which is a little more distracting. But the funny thing is the government doesn't mandate those other two. They can't; without going interagency they can't demand that those also be regulated. Does that answer your question, or did you want to elaborate?

Okay. ...a perspective that is really saying that those statements you're saying are absolutes at this point really shouldn't be. Which ones are absolutes? Trusted or untrusted. The only reason I say that is because... I would say you don't own, and even in aerospace you don't own, the mobile device that the consumer has, and it's the same with a PC or a mobile device. Though, to the aeronautics point, that is a very good point, because they do a lot, when we get back to the CAN discussion, they do a lot where they mix different safety-critical pieces. Yeah, they've been doing it for years, and they've got a lot of embedded real-time-operating-system-based virtualization techniques, and I think you're absolutely right; I think the automotive space is probably going to go there in the next couple of years.

To the mobile app discussion, I still think that space is, I mean, it's not really the Wild West, but it's still rapidly evolving, and automakers are struggling a little bit, because you look at Pandora, they roll their code on maybe a one- or two-week basis. Automakers have traditionally rolled their code, and I'm sure avionics is the same, much more slowly, and so there's a huge disconnect there; there's a huge safety disconnect. But the assumption I put in is: I don't know what you're bringing into the automotive environment, I don't know what's there, so I have to put either some sort of logical separation or some sort of control point in there to at least manage the security between those. And I don't think avionics really mixes consumer devices with the core avionics systems, that I've ever seen. In general aviation that's happening. In what context, I would ask? Okay, they're interfacing with...

So how would you say that they manage that same level of risk, that the piece of software is proven to be safe, that it can be trusted? So you think any of these app developers are going to be doing that anytime soon? Yes, once for the phone. Yes, really, even just here in Michigan, where we're meeting, there are app developers.

A couple more minutes? Okay. Something where it can involve somebody's life and the safety of life is a completely different level of security. And I think, yeah, but if it does, who should decide whether it's valued or appropriate or not, the receiver of the product or the creator? And the other big point is how big the ecosystem is going to be, too. If you control the set of apps that you're going to put in there, then there's probably a lot of validity to that; like if Ford were to say, hey, you buy a Ford and you get an iPad and it's locked down, and we can guarantee that you're going to run, say, this driving app. Not that I would think that's really a great way to interface with your car. Exactly. Who's going to develop that? You've got this huge economy of scale: if you're an app developer and you're targeting either, exactly, you've got, just like you said, how many millions of devices out there now; contrast that with how many vehicles will be sold with this interface, and how much effort they would have to go through versus how much money they could make developing an app that's only going to go in this model, you know, Ford infotainment system. Exactly. And we find that, and that's another huge thing: even just buying commodities in the consumer space from traditional consumer companies, we come and we're like, yes, we're going to buy a million units, and they're like, okay, I sold 40 million to Apple just this last quarter, who cares? That's exactly what the app makers tend to think, at least for the traditional entertainment apps like Pandora, Stitcher, NPR, etc. They're looking at, hey, what can I hit the largest ecosystem with? Mostly it's been interest from the audio streaming companies, just because their data says, hey, you spend a lot of your time in the car, and they're trying to hit where folks are spending a good bit of their time, so they see a huge value in it. And that's the challenge, because there's a crossover point where it isn't worth their while.

Yes. If it was purely safety, if it was a limited ecosystem, I think we could probably do that. The challenge is really around how big the ecosystem should be for that. The other thing too is we're talking a lot about the apps and the integration of that within the systems within the vehicle, but isn't there an evolutionary process going on as a result of distracted driving, that now there's going to be some type of standard where vehicles can communicate with each other so that they can avoid collisions with each other? So now you have another opportunity for a security opening. I was going to avoid that whole discussion, the V2V and DSRC stuff, but yeah.

All right, and that's a good market for people. In other words... we have a question back here. Sorry, what's going on? Going back to the discussion about trusted apps or untrusted apps, especially when you're getting into things that have the privilege of getting on the CAN bus, possibly taking control of cars, I think if there's enough incentive people are going to figure out, okay, how does this thing decide that an app is trusted or not trusted? Oh yeah, absolutely. How can I break that? I mean, I agree with the security model that no app is trusted, because, going back to another one of your precepts, which I completely agree with, anything can be hacked, and given enough motivation and enough time they're going to hack the trust mechanism. Yeah, absolutely. Yes, completely agree. I was going to make a follow-up comment to that, but I forgot what I was going to say.

So we talked a little bit about the UW, University of Washington, papers, so we can skip through this. There were some TPMS hacks, which is tire pressure monitor sensor; it was mostly theoretical stuff. I've got to wrap it up a little bit. So where technology is going: it's where the PC industry was 15 years ago, democratization. Oh, I was going to mention, so, yeah, distracted driving: what's interesting is you go to China, they don't care at all. It's like, display the video on the screen, we want to watch TV while we're going down the road. So you get a really different viewpoint as you go into different markets, and their philosophy is, hey, I don't care about safety glass, I want a nice big screen in my dashboard. In South America you get some examples of that too, where they want the big screen and they don't care about stuff like airbags, stuff that we would consider to be key to the vehicle. Yes?

So, electric vehicles. Can you be more specific? You mean like how...

We haven't done a whole lot with ZigBee at this point; it's just a question of how big the ecosystem is. I'm trying to refresh how much of this is public; I think most of it is, and our CEO did a CES keynote about a year ago on it. So right now the way it works is there is an embedded modem, and basically it uses that to communicate back to cloud-based services that have the smart grid information to help optimize the charging. The big deal around that is, if you can charge during certain times of the day you can get a much lower rate, and so you can make the economies for either the hybrid or the battery electric much more appealing. So that's how it's working now, just because it is a very small ecosystem for hybrid vehicles for everybody. As it grows, assuming it grows, and depending on how big it grows, it could take off; it's just a question of where it's going to go. Right now electric vehicles tend to be more popular with fleet customers because they can get the ROI much more quickly. I think I've got just... I'm almost done, actually.

Security is getting a lot more detail, because anyone's failure gives everyone a black eye. There's a lot of work in SAE going on right now. The black eye comment: when the University of Washington paper came out, even though it wasn't Ford, the press folks that our PR lead talked to, the attitude was very much every OEM is guilty until proven innocent. So it's interesting: with security, even if you don't get hacked, I would say you don't get mileage out of it, but everybody still gets a black eye. So even though it wasn't ours, and you can kind of go "phew," it's still, hey, from the larger consumer public vantage point everybody is kind of suspect now that this has become possible. So there's a lot of interest and a lot of desire to work across OEM and supplier lines to work through the problem, which is very good news. And so that's what I've got. Any other questions? I know we're kind of pushing the boundary on the time. Nope? Okay, thank you.