
Thanks, everyone. Glad you're here at such a late hour; I know there's lots of activities going on tonight, so I appreciate it. We're here to talk about the Internet of cars, and car security in general. In particular, when Beau first asked me to do this talk, I started thinking about what I wanted to say, what we want to talk about, along with Abe and Kevin here, and I realized that the best way to really talk about it was that I'm more of a narrator, in a sense. So I don't know how many of you have seen This American Life on NPR, and I see a couple of people
who like to sleep when I say NPR, but the reason I want to say that is I'm your host today, I'm Ira Glass. So I'm here to actually talk about a story in three parts. The first part is basically, if you know the format of This American Life, it's telling stories about interesting things, and so that's the point of this talk here. We're also gonna have a lot of Q&A and questions, but really the three parts are kind of formatted around part one, which is just a background into automotive security and an update on the latest research, policy, and, more generally, how to get involved. So if you're someone who is interested in
vehicle security, we'll talk a lot about different ways you can get involved with that. But like any good story, it's more than just the background and history and what's been happening recently; it's also about the new things. So in particular, this is a pretty cool self-driving electric vehicle, which Abe will talk about from his perspective at a car company that has a chance to build things from the ground up. So they don't have a lot of the history and, I don't wanna say baggage, but they don't have a lot of the kind of background that a lot of the other OEMs do. So we'll talk about challenges he sees in
designing a new vehicle architecture, challenges in hiring, and just overall changes he sees in the automotive industry, having worked there for many years. And then we're gonna go back, not that the past is bad, because I want to use the fireside chat as sort of the method, introduced by my third speaker, Kevin Tierney from General Motors. He is gonna be here to provide Q&A to everybody and talk about the history and, in particular, answer some questions we have about how GM is approaching vehicle security from their perspective. And so, like I like to say, General has been here for a hundred years, NIO's been here for three; two
very different perspectives, but equally important and equally something we should talk about. So, as This American Life goes, this is part one: the Internet of cars, what it is, what the industry is doing, and where we are going. How do I bring my glasses to be Ira totally, but, uh, you guys can imagine that.

A little background on myself. Who am I? I'm a passionate security researcher. I guess I'm a policy wonk; I kind of happened to get involved with a lot of policy stuff. I spent a course of my past life doing a lot of work with Carnegie Mellon and CERT/CC, and currently I'm a cyber defense manager at Rockwell Automation. I got involved in sort of the
ICS space, but this talk is gonna be more about cars itself. And a little personal factoid: I'm heavily involved with vulnerability disclosure research, especially with a focus on the cyber-physical side, so I get really excited about CVSS scores. So again, I'm waiting for people in the back to just start leaving right now. So, you know, we talk a lot about that, but in particular we need to think about it as more like the Internet of cars, and why that's important. So we know lots of stuff's connected to the Internet. Cisco tells us it's two billion connected things shipped in 2014, but what's
interesting is a few statistics I wanted to point out, just why this is important, even though I think a lot of you understand that. There's 250 million cars on the road in the US alone; 40 million of them are already connected to the Internet. Seventy-five percent of new cars will be shipped with Internet connectivity in 2020; that's not that far from now. 22 percent of all cars will be Internet connected by 2020, of all vehicles on the road. That's a significant amount. Now, that picture on the right, what you're seeing there is an interesting study that Accenture did. They found out that when they interviewed 18,000 different individuals,
just the public, about their car buying habits, they found out that what they want is technical features. In fact, when they interviewed all these people, a large majority, almost 50%, said that they would consider the tech features in that vehicle over any other option. And if you look at what tech features they desire, they're things like autopilot, lane-keeping systems, night vision devices, that sort of thing. Now, from a security perspective you start wondering, you know, these are things to be concerned about. We can't stop that; the cars are coming, they're gonna come with these features because the public demands it, but we can be there to maybe help guide it into a
secure and safe fashion. I want to also present a few dates here, and why these dates are important. So 2020: and these numbers are a little bit debated, but some automakers expect the first fully autonomous commercial vehicles, so, I mean, full self-driving, no hands on the wheel type of thing. In 2021 the vehicle-to-infrastructure rollout begins, assuming that the approval for the rulemaking gets through this year, and by 2023 full compliance is required. And then 2025 is when somebody else expects basically that we will see all cars on the road, excuse me, not all cars, all automakers will have an
autonomous model available. So the question, and I think you can expect the answer here, is: well, that's new connectivity, who is going to secure it?

So a little history about myself: I also am a passionate medievalist and interested in history, and there's a very interesting picture here. This is the Battle of Bouvines; most people don't even know what this is. This is a battle that was between the French and the English combined army with the Flemish and the Germans. Basically the French won this battle, it was a huge rout, but what this ended up leading to is that the king of England at the time, John, was so badly beaten that when he came home his nobles
revolted, and this revolt is what became a document most people know as the Magna Carta. So if you think about it in the sense of one battle, not even very well known, that resulted in nobles revolting to cause action, I just want you to think about that from the Cavalry perspective: we fight many little small battles in policy circles, amongst a lot of different standards bodies, but that's what can cause change to happen.

It's exciting to see some of the recent automotive security research. I'm not gonna go back to 2010 and talk about the original car research that happened at the University of Washington. I'm
not gonna talk about the 2014 Jeep hack; although it's important, just this last year, you know, what can we focus on? What's interesting is that we have a couple different pieces of research that came out. In particular there was the gateway internals at Tesla Motors, which was done by the Tencent crew at Keen Lab, where they basically were able to fully control a Tesla and caused Tesla to change their firmware update model from where it was not being signed to being signed (correct me if I'm wrong on that). Secondly, the security analysis of an in-vehicle infotainment system. This is a pretty cool one that was done at WOOT in 2016. They focused, from an app
perspective, on an in-vehicle infotainment system. A lot of the automakers are moving towards standardized systems, so you plug your phone in, you get that nice from here up there that shows your current phone, whether that's Android Auto or Apple CarPlay. This one in particular was very similar to that. They found that basically the apps on both the IVI side and the phone side had significant security weaknesses, and I'll talk a little bit more about why that's interesting if you're interested in vehicle security. Third, mobile apps and stealing a connected car. Some researchers did some work, because at RSA, where they talked about how a lot of the apps out
there for vehicle security, excuse me, for vehicles in particular, that you download and use with your car are really poorly done, or just not done in a secure fashion, and so they were able to do a lot of interesting things with the vehicle by basically attacking the app itself. The last one is basically an interesting privacy story. Henderson was at RSA; he talked about a story where he had his car, he sold his car, and he was unable to get the app itself to disassociate from the car. So, you know, he sold it to somebody, he tried to get the app disconnected, and he could still actually control the vehicle functions, despite what the automaker was
telling him, and it turned out that they never considered the model of someone selling their car and that app no longer having to be used. So it's kind of a weird situation.

From a trending perspective, so, focus on four, is that there's a number of different ones; there's kind of main ones. There's an increased use of mobile applications. Obviously, going back to that picture I showed you of what the demand is, consumers want connectivity, they want to be able to turn on their heated seats from the comfort of their home. What that's resolving into is an extension of that trust boundary in the vehicle to that mobile application, so now we have
to consider not just how the vehicle's designed but that whole ecosystem, out to the application, to the servers, to the in-vehicle systems. Secondly, data privacy. Everything's stored on the app, it's stored in the car, stored in the cloud or wherever; there are also privacy issues. We have GPS locations, we have very personal information about individuals that is stored everywhere. Still an issue with OEMs. Lastly, not much public research. We haven't seen a reference the Jeep hack, we haven't seen another Jeep hack, and I started thinking about why, and talking with Abe a little bit about some of the reasons. It's a little interesting to see that we
have less public research even though we have all this published data about how you hack your own car, basically. I started wondering why, and what's the issue there, and I think, not that on typically too much, but I think it's interesting that there's some private research going on. The private research is done with the OEMs, and they're finding bugs and reporting them, but they're interested in that commercial deal, and the OEMs are very interested in keeping this information private, in the sense that it can potentially be a safety issue. So I understand that. We have to consider that there is research going on; it just might not be
publicly reported, and I'll talk about why that's a little bit of an issue from a researcher perspective and for learning from our mistakes.

Let's talk about industry and policy actions a little bit. What I really like is, in September of 2016, the 2017 model of the Cadillac CTS was the first V2V-capable vehicle on the market. So before the mandate has even come out, it is the first vehicle that has a vehicle-to-vehicle communication radio installed. Around October, that's when the DMCA exemption came out, so now it is legal for you to break into your car, find stuff about it, and then report it if you want, which will go out of effect
next year. October 2016 is the NHTSA proposed rulemaking, excuse me, cybersecurity guidance. This guidance, when it came out, was pretty influential; I Am The Cavalry did a couple comments on it. It talked about a lot of different recommendations that automakers should follow when they're building and deploying a new connected vehicle system. The guidance leaned heavily on the SAE guidance that came out before that. It was worked on amongst a lot of partners, but it was a big win from NHTSA's perspective in actually getting some guidance out there about what you should do with your car. Still proposed, though. In December, this is when the V2V notice of proposed
rulemaking came out. So V2V is still not required, and for those who don't know, V2V is where the vehicles each communicate with each other. There's a whole set of standards, it's 802.11p, I believe, I don't quite recall it, but basically each car will talk using a short-range radio, and at the same time it keeps privacy for the driver but can still communicate in a very quick fashion how fast it's going, where it's going, that sort of thing. It also communicates with infrastructure as well. And this is not just the US; in the EU they're also considering similar legislation. So this is a proposed rulemaking, saying if it
gets approved it would essentially require these radios to be installed on every single vehicle. In June, just recently, we had, not the first, but a more recent federal self-driving car legislation that was introduced in the House of Representatives. In particular, this is actually trying to show that, from a federal level, they want to be able to legislate the requirements for self-driving vehicles over the entire country, rather than having the patchwork of states where in some states it's okay and in some states it's not. From the European perspective, we have the European Commission strategy on C-ITS, which is the cooperative intelligent transportation systems, very similar to the NHTSA guidance, but it basically focuses on not just V2V but
also the entire connected car ecosystem, and they had a very comprehensive report that focused on what requirements they're looking to see, not just from a cybersecurity perspective but also just from a standards and connected vehicles bourbon perspective. In September, Volkswagen started their first automotive security company as a wholly owned subsidiary. So we're seeing some trends, some movement, not as quick as we've seen in the past, but definite movement towards improving security in the US and EU. Just overall trending, though, if you think about it, excuse me, the policymakers, regulators in the US are a little hesitant to move forward on regulating, just in the sense that they don't want
to cause problems by regulating too quickly. And secondly, the EU has been studying vehicles for years, since 2010 I believe, with the EVITA report that can't be the project that came out, and they're also moving, but a little more aggressively than the US, and actually have very defined standards about what they're looking to see from a cybersecurity perspective. So, kind of two different policy trends that are happening so far.

So I talked about the history of where we were in the last year and where we moved to. We're still, I think, in a similar state. We've improved a couple of things, a couple of rulemakings came out; we haven't seen a lot of
security research that I think has moved the bar too far, and so that's why I want to say: how can you guys get involved? Let's talk about getting involved and playing with vehicles, doing some car hacking at home, doing some cool stuff. First off, I just want to have a little word of warning. Cars are very expensive, as you all know. It's not really ideal to test on your own vehicle, just in the sense that you do something and you might break your car. Chris and Charlie, we know, broke the car many times, took it to the dealership trying to get it fixed a lot. Not usually a good idea. So
if you don't have a car, or you don't want to test on your own car, what can you actually do? There's a lot of really awesome open-source products. From a hardware perspective there's three, well, there's actually more than this, but these are the ones that I'm most familiar with. Macchina is a Kickstarter project where, for about 80 bucks or a hundred bucks or so, you get the picture on the right there. It allows you to connect to OBD-II and it gives you access to a ton of different buses there. It's really cool. The CANtact project is very similar, a little bit older, but it's completely open source; you can build it yourself if you
don't actually want to buy anything. All the source code and all the schematics are located on that website. Pretty neat. CANBadger: I think it's from around the same time as CANtact. It's a pretty robust project; same thing, fully open-source hardware, download the source code. It allows you to access the OBD-II port, allows you to do a lot of different decoding of the different protocols, and at the same time allows you to do a little bit more interesting, fancy type stuff, like having multiple devices chained together to a server to try and test different buses on the car. Again, fully free open source if you wanna
check it out. From a software perspective there's a lot of other cool stuff we have too. I was gonna list a bunch of open-source projects and keep them here, but in particular jaredthecoder has a really awesome repository of open-source tools. Highly recommend; just check it out. It pretty much lists most of the ones that I'm familiar with. Secondly, Open Garages. This is Craig Smith's child, I guess, but basically it's an open community. You just join a local garage, you have access to resources, you have access to expertise, and you share information and just talk about car hacking.

All right, so you know where to go, you know where to get the tools, you know
where to start. So what do you do? Test what you know. A lot of people would say, well, I don't know CAN bus, I don't know GMLAN, how do I start, how do I get involved in testing, I'm not a mechanic. Well, you don't have to be a mechanic. If you look on the right there, this is the MirrorLink architecture, which I talked about, which was what was broken at WOOT last year. That doesn't look like CAN; that's all pretty commodity protocols that we're all familiar with. So if you have xxx experience, you can get involved with this very easily. But even if you don't, or you might have that
and mastered that and every done the cool some of the work, start learning what you don't know. CAN bus is the easiest way to start, and anyone who has a Linux box can literally get CAN on their Linux box in a few minutes. And finally, what's a really good resource, and it seems weird, is the car modding forums. All the guys who've been doing car modding for years and years and years have figured this out. They understand how to reverse engineer the protocols, they've done the sharing, they found the weird tricks that work in this model of, you know, a Pontiac Firebird versus that model. Not the game-high, yeah, just, good point.
And in particular, and really Craig did not pay me to put this up here, but it should be your Bible if you're interested in getting into car hacking; just have it right here.

So now you found something: you found a bug, you found a vuln, you found something cool. Let's share it with everybody. You know, it's part of the Cavalry; we like to talk about sharing and the power of people getting together and solving problems. When you share it, it moves the whole community forward, whether it's providing a talk, writing a blog, or just sharing the research with individuals at a con or with the Open Garages community itself. And like I said,
I'm a vulnerability nerd, so disclosure is super important. We talk about safety-critical systems; vehicles are a safety-critical system. So if you think there's a safety risk, it's pretty much going to be a big deal. You need to reach out, you need to report it, mainly because if you don't, and you release it, potentially, if it gets exploited, it can cause harm, and that's what we want to avoid. So cert.org: if you're having issues with the OEM, they'll take your vulnerability and coordinate for you. Auto-ISAC will do it, supposedly; they claim that they'll get you in touch with the right person, although they do not do vulnerability triage, is what they tell me.
And then HackerOne and other sites also have, for example, GM's 102 disclosure policies held on HackerOne.

All right, so you disclosed some bugs, you think you've gotten pretty familiar with car security, you're ready to help out and try to work on the solution. If you're interested, try to work on the solution. Maybe you care enough that you want to start working for an OEM, whether it's these guys or one of the other major OEMs, or even Tier 1 suppliers. They don't get a lot of love, but a lot of the vehicles themselves are just, I mean, a whole bunch of parts that are built by a lot of other people, a lot
but they'll have security knowledge. So the big bureaucracies, they might not be the most fun to work at, except for GM of course, right? But in particular, it's good to work on the solutions if you can. And finally, just contribute and get started with an open-source project if you're interested.

So I gave you guys a background into where car security's been in the last year or so and where policy's sitting. Now I want to shift here a little bit. I started talking with Abe here; he's gonna talk about the challenges he's seeing from his perspective working on
a new vehicle architecture, and he's also gonna talk about some of the challenges he sees in the industry in general. So I'll invite Abe up here to talk, and then we'll move on to the rest of the talk. More slides.

So I want to start by saying thanks to you guys for staying so late. I know it's a long day. I kind of stayed out a little bit too late yesterday, so excuse me if I start to stutter; I tend to get too tired. So my name is Abe Chen. I'm gonna try to cover quite a bit of areas in about 15 minutes, so we have time for our fireside chat and also provide time for
you to ask those questions. Okay, so to start: who am I? I work in Silicon Valley, in a place called San Jose, for a company called NIO. Previously I worked at a company called Apple, built the new product security team from scratch. I also was the first personal security engineer at Tesla Motors and built that team as well. So I hired of Vick works the Chris and Paget's the, you know, the squads and so forth. And so currently I'm at NIO and lovel O'Neill, shameless plug, we are hiring, so if you're interested, come and talk to me after the meeting or talk. So currently NIO has our only car on the market
right now, or semi on the market, which is the EP9. It's a supercar; it set the record at the Nürburgring for the fastest electric vehicle, as well as the fastest autonomous vehicle around the Circuit of the Americas. So for a company that's only three years old, you know, we're very proud of that. I head product security there. The difference between NIO and previous companies I've worked at is that I have this belief that security should be building security, and I'll talk a little bit about this philosophy later on. So what we do is we build security hardware, or security-related hardware, that goes into cars, we write
the security stacks that go on top of our platforms, and we build security components that manage the overall vehicles, be it in the cloud or in car. That's very different from some of the other companies I worked at in the past, where the security function was a risk assessment apparatus or a consulting arm of the company. Okay, so currently what I'm doing is I'm working on some really cool stuff. Our target, our goal, is to have a level 4 autonomous vehicle in the US market by 2020, so much of my team is working on that, and we're also working on a China market vehicle that's to be released sometime
next year, and we are, again, hiring. Level two in China, yeah. Level four for 2020, yeah, level four. We're still pretty far away from level four; a lot of the technology pieces are there, but there's a lot of work to be done. Since you bring that up, one of the challenges from a security perspective is that, when I look at it, we're not ready. Connected cars are not very secure, so imagine a connected autonomous vehicle: what can potentially go wrong, right? So there's a ton of work in the security field that needs to be done before we're ready for level 4, regardless of whether the
cars can actually perform at level 4.

So it's been four years since the first auto manufacturers started to reach out to the security research community. It's been, let's say, about three years since the Cavalry published the Five Star Automotive Cyber Safety Program, and it's been two years since Valasek and Miller demoed their Jeep hack, right? We also know that as a result of all that effort and that work by those companies and individual people, security researchers, we now have some level of awareness, and that has sprouted lots of security conferences, right? So there's a lot of security conferences; you can basically go to one
security conference every month at this point. But unfortunately improvements are still very slow, and I know this because I work with different suppliers and engineers and teams, and I'm still finding some of the same challenges. What I hope to do is talk a little bit and share a little bit about what my team and I are seeing in the industry, where we believe the issues are, and what we think needs to change before we can get to the point where we can build much more secure vehicles and more robust security systems.

Okay, so to start off, I have this concept I always bring up on my team about the catch-22s of
vehicle security. How it kind of works is the supplier sells capabilities to the OEM. Of course it's not always the same for every OEM, but this is very generic, so just keep it generic, right? The OEM decides whether it's cost, okay; it's very expensive to build cars, very expensive. And the OEM knows only, sometimes, most of the time (that's starting to change), what the supplier shows them. So the supplier says, hey, I have this new feature set, it's really cool. Okay, the OEM works with tier one suppliers, and unfortunately they're slow to buy from smaller security firms that provide very specific, potentially robust security features. Okay, and so there's
this cycle that goes around, and so that's part one. Part two is the industry tends to follow, okay? Because it's expensive, building cars is very risky; introducing new capabilities can cause all sorts of potential safety issues. So oftentimes what will happen is that a vehicle OEM will watch to see another vehicle OEM take that chance first before they jump in the boat. So for example, Tesla started the bug bounty program and embraced researchers, and then over time other OEMs started to come on board and have their own bounty or responsible reporting programs. This is one example, okay? I'm also seeing this trend where there's a lot of talk about adopting IT security,
right, or, you know, this term that's been coined, the data center in the car, okay? And my take on that is that that's a really bad idea, okay, because IT gets hacked every day. The model that we use, I believe, in IT security or information security is broken, and we could talk a little bit offline, because maybe I'll do a talk in the future about why I think that is. I'd been doing IT security for close to 20 years before I transitioned over to vehicle security, and when I first started working in vehicle security I also had this belief that I could just take my knowledge from IT and
apply it to a car. Embedded systems are very different from computers; they're not the same. Embedded systems networks are very different from computing systems. So the basic concepts cross over, but protecting these systems, it's a totally different beast, okay?

Superb. So security programs tend to be reactive, and, you know, it's kind of like, a security professional will go to management and say you need to do this, right, and then they'll say, well, there's no evidence of this being a problem, you know, my friend's company doesn't have this issue, why do I need to do this? And then we go through this process where an incident occurs in the way
that says, say, "I told you so," this type of scenario, which we of course hate having to be in, and then we get some money or we get some headcount, just enough to get us to the next incident. The next incident happens, you see this all the time, we get more money, we get more headcount, and then this cycle just keeps going, going, going. Or we have technologies, like new technologies pop up, we buy some new technologies, and then suddenly you have 50 different kinds of technologies there to protect your network, and cost you doing dollars to even have a sense of security, but you
at the same time you're still getting hacked. So this is a reactive program, right? And the reality is that real incidents often equal half efforts, and lots of incidents really don't result in a, you know, finished secure solution; it only gets us a quarter of the way there, okay?

Legacy costs. Legacy is a huge issue, especially in the auto industry, because, you know, it's expensive to build cars, it's expensive to re-architect. So unfortunately, I'll explain this a little bit, you'll find situations, not just in the auto industry but in a lot of industries, for IT even, i-24 related to IT security, where people don't want to spend the
time to fix it, no matter how horrible the consequences are. And this is my personal feeling: for me, I've been fighting a battle for the last 20 years, and maybe the public is just starting to realize; many of us in this room have been fighting battles for longer than I have. But the reality is we're losing, and when you're talking about an autonomous vehicle, or an autonomous connected vehicle, there's no room for compromise. So, okay, that's part of the reality.

Another point is that cars are actually made to be hacked, okay? There are laws out there that ensure
third parties and owners of vehicles have the right to modify certain common components of the cars. When those laws were written, and this is a point that was brought up by Kevin earlier, nobody really thought about security. So we have this challenge where we need to build secure cars that can be modified by owners, okay? That's one of the problems. And what we're seeing, and this is a little off-topic from that bullet point, is this is why you could take a component out of the car, replace it with a Raspberry Pi, and say the car's been hacked, right? Well, you had physical
access to the car. The car was designed so that some third-party mechanic or you yourself can repair it, right? So it's not designed to prevent you from taking that component out and replacing it with something else, and so that's one of the issues that we're seeing, okay?

And then the last point on what's causing these issues is that there's just arrogance, or an unwillingness to share. I think we're at the point where, I believe, OEMs and suppliers should be sharing information about issues that they're seeing, sharing information on how things should be fixed, right? Security, of course, could potentially be a competitive advantage, but when you're looking at
what we're talking about safety related systems there's something that should be at a higher level right so this whole attitude about first to market wins I don't think should apply here that's another one my personal opinion right okay so what needs to change so very important we need you okay and this is a big thing big issue area now that we have is that we're starting to get the trend where we have more and more secure researchers looking at the problem finding problems but we don't have anyone to fix the problems we don't have engineers we don't have developers that are trained in security or who understand security fixing these issues so security researches of the trust
secure research is very important but at the end of the day someone needs to fix that problem and we just don't have enough bodies to fix eyes you and this is you know Kevin you know I was talking about this or we're struggling to find the right people to do the work I literally cone the world I have a guy from Spain I have a guy from Germany and have a guy from Turkey you know I've a guy from China it's just like literally I have to comb the world to find these guys okay so yourself you know if you know I'm hiring so again shame to know shameless plug so if you're if you're interested come talk to
me okay and then there's this other concept which I brought up earlier on the sessions that let's security build security okay this is important those that don't care about security are building future tech without it and this has been happening for forever okay and secured if you have an engineer buildings a function and someone the room says hey maybe we should think about security the engineer says okay I'll go figure it out and oftentimes the result might not be secure or if you know what a bunch of many of you if you're doing a developer engineer in the room would know that if the project schedule you're falling behind security is oftentimes the first thing that's tossed out so that's yeah
that's an issue that's why I say security should be building security and that's approach that you know I would not have signed on to neo unless that was something that was guaranteed that security professionals build security features or security capabilities engineers you know learn are engineers that are security engineers learn but security engineers need to build the security features okay also let's say if you want to get involved in security but you're not in a role that's security focus this is also a great opportunity for you because you can be the voice in the room we don't have enough voices in the room when those engineers who don't want to or developers oftentimes they don't want to include security in their
meetings because security always has something to say that will slow the project down right so but if you're our engineer or developer and you're in the room be the voice speak up and then what I've seen with some of the folks of how they got into security is that when they spoke up they were the one who got the work right and so they learned they went out and learned security from other secure professionals and became secure professionals themselves so that will help this in the cycle I'm sorry for us to get more secured professionals Oh uses their suppliers are always hiring former and hardware engineer so you know again embed ourselves lead security efforts okay and and then the third
thing or third point that Craig Craig Smith always reminds me of his cars needs to be serviceable by third parties and smart enough to defend themselves so autonomous security is the terminal autonomous security needs to be compatible at their party services so let's say we start billing security that's automated but you know that the end of day you still need to be compatible with third parties that third party service models and I think that's it for me and what are we doing on time okay we're good now no interference sorry about that making sure y'all awake Thank You Ava and I really want to want to bring back to the point about the right to repair I
think that's that's extremely important I think it's Massachusetts in particular it has a right to repair law but beyond that I mean the reason why you have so many things in your car is because of different legislation so the EPA guidance is why you have an obd2 port stuck on you know the lower left side or right side of the driver side so these things are important and they're there for a reason but at the same time they were meant ever for a vehicle were no longer as a constrain to just physical access that can cause an effect to the vehicle itself it's it's beyond that it's it's anything connected to it now that's that's the challenge that the
industry faces as a whole and so as the next part of our show we're going to talk with Kevin and we're gonna do some a couple Q&A with him I have some questions that we're gonna start out with and then we're open to questions and it won't be just a Kevin T it also be the Abe so well kind of hear Kevin's perspective and working for what the largest auto one of the largest automakers in the world in dealing with with a myriad of problems from a massive legacy problem to trying to kind of convince an engineering organization to do things differently in a better way so like to introduce Kevin tyranny from from General Motors so good evening I'm
Kevin Tierney thanks for having me it's my first time at besides in Las Vegas so it's great to be here
that better okay so I want to talk a little bit about kind of my view on product security and I think I agree with pretty much everything you guys just said there's it's a huge space and General Motors I have the privilege of working for a company that it takes cybersecurity of its products very seriously and I think that's one of the main reasons I'm sitting here today is because we have leadership that understands that security is an important aspect of product development and because of that we have a team we have resources we have the headcount arguably before it becomes an incident response exercise on the how to product and so because of that
leadership support we have a global team of almost 80 people working on product security so within GM we have an information security organization that's both focused primarily on the IT portions of the system and then we have a product security organization that I'm a part of with the chief product cyber security officer that's charged with with just the security of the Enda and products so the vehicles the mobile apps that interface to the vehicles as well as the telecommunication and systems like OnStar that I'm sure you're familiar with so it's it's been a priority of GM for quite a number of years and you reference some of the research back to 2010 we were actually
heavily involved in that at that time and you know we continue to grow our organization since then realizing that the threats and the risk of connected vehicles and autonomous vehicles are only going to continue to grow and so we take you know a defense-in-depth strategy and approach into our vehicles and while you know this is a journey you know there's not an end state here it's a kind of continual evolution that we're that we're taking with our vehicles you know there's a lot of momentum you know that we see within GM and the industry you referenced the Auto-ISAC and and you know what they're doing I think it's great because finally the OEMs are
getting together at the table the suppliers are there information is being exchanged I'd say it's still early days there's not as much vulnerability information being shared as as we want but we're getting there and GM is one of the leaders that always we always publish information there with attribution and people call us and ask questions and we're always to leave that interaction so you know within GM maybe just to wrap up a little bit on what my role is so I report to our chief product cyber security officer Jeff Massimilla some of you guys are probably familiar with that name I'm responsible for the on vehicle security so I lead our on vehicle security architecture team so those are
the guys trying to figure out how to secure CAN you know where do we go with vehicle network what's the right way to secure diagnostics in the face of right to repair you know how do you program modules whether it's through service tools or over-the-air and how do you do that securely and what's the balance between that and vulnerability management through an OTA mechanism versus having that ability which is a security challenge in and of itself and so a whole myriad of things are in that team I also run our own internal red team so we have I think one of the industry for son of Tesla had has a team red team but we have about a dozen guys
that their full-time job is doing red teaming on our systems and really focusing on the on the embedded systems in the vehicle and the mobile apps and things of that nature also having governance and risk management functions so while you know we want to design in security from the start of course you know we're looking at the architectures up front and making sure things have the appropriate security posture from the start there is a risk management function especially when you have a company as big as GM you can't do everything all the time so you have to really depend on some of those mechanisms to to help you sort through what the priorities are as you move
through the process and then incident response so well you know I think we're starting to work ahead of the problem we know that something will happen somethings you know minor things do happen and so we want to be ready and prepared for those events and so we also have our own Incident Response capability that we work partner with IT security as well because many things kind of bridge between the two domains so that's a little bit about my background it's great and you mentioned the Auto-ISAC and I know Faye Francy who used to head the Aviation ISAC now is the general director there and has done great work so yeah definitely it's it's a step in the right
direction so Kevin oh I also want to ask you kind of a couple questions and then we'll move to audience you know with all the major OEMs and and tech companies even moving towards fully autonomous vehicles you know what do you see is the biggest challenge to make sure that security isn't left behind in this and this race to get get that first vehicle off there because really what what keeps me up at night is is those dates I showed you we're moving very very quickly to that that 2020 date that 2025 date and it it's gonna be too late if we have to wait until those vehicles are down the road and people are inside of them we want to make sure
it's it's tested way beforehand and we want to make sure it sits them in such a way that that I don't think it stifles the industry because I think you know we have to consider the option if we don't have autonomous cars and the reason why autonomous cars are so interesting from a regulatory perspective is that you know the most common cause of death and the vehicle is by human error so you remove human error you save lives so we have to balance that with the cybersecurity component and the potential to do harm there you know there's a potential and doing nothing that we cause more harm so it's it's a difficult balance that kind of want to just
ask you you know what what's the challenges you see and getting to that that level well I think the positive aspect is cybersecurity is now a real thing within the industry and so the fact that we're developing autonomous vehicles and it's top of mind for I think most of the automakers I think is a good thing within GM we have our own dedicated AV security team they report up through product cybersecurity but they're devoted a hundred percent to AV security because some things are going to be different the architectures are going to be slightly different than a traditional connected vehicle and so there's new technologies that are there's new risks there's kind of a new
paradigm because the autonomous vehicle starts to look less like a car the more like other things like airplanes and other systems where you have to have high uptime high of you know reliability fail operational states which are a little different than a traditional vehicle so I think you know having a focus from the start having a voice at the table as you're developing these systems I think it's critical and I know we're taking that that's that approach and I think others are as well you talk about regulation you know and there are is obviously some bills going through that actually have cybersecurity language in them which I think you know is a step in the right direction in
terms of trying to get everyone to an equal playing field regulation there I don't think ever solves security but at least maybe in this case gets gets everyone up to some basic threshold but to your point earlier you know launching an AV program without security is is I think crazy right in our perspective is it has to be there just like safety you know you have to prove that the systems are safe you have to prove that they're secure you have to prove that they're reliable all these things that are required to to prove that you have a commercial product has to be there before you launch and security is is one of those check offs at GM that is
absolutely required and again has the the support of our senior leadership and you mentioned vulnerabilities and and I want to kind of ask you a difficult question so so prepare yourself a little bit so last May National Highway Traffic Safety Administration released an interesting proposed rulemaking this was basically the fundamental question was is is a vulnerable one is a vulnerability considered to be a safety issue and then they looked at it from the sense of that entire ecosystem of connected things to the vehicle and basically implied that if if your app that caused a vehicle you know to engine turn on or turn off happen to be hacked in such a way that
could cause a safety issue you have to recall that application the same way that you would a faulty airbag and so what I want to ask you is is what do you think about that when do you consider a vulnerability to be a safety issue is it a safety issue and how do you how do you determine that threshold in okay only freedom anything that's that's a tough question you know it's a it's a tough question it's the right question it's a hard question because I'd still say industry is trying to figure out that right model I think absolutely some vulnerabilities are safety issues absolutely I don't think all are there's a lot of vulnerabilities out there and
I'll use an example so you guys have cars you know parts break things fail not all of those are safety issues right and so whatever you want to call those warranty issues or quality issues I think it's similar to the ocean of vulnerabilities that could exist in your vehicle at different parts of system now there's a there's a lot of work that goes in between the OEM and NHTSA to determine which of those failures actually are safety defects that are recallable and it's all only a very small percentage of failures that actually lead to a recall and so I think it's it's kind of a similar process that we have to work through is to understand
the vulnerability what it can impact and through through a very detailed analysis if we prove that yes this has some impact on the safety systems then yeah absolutely follows the safety process and so that's what we've instituted at GM so we're very aligned with the safety process we actually link into the safety process if we hit a certain threshold when we are analyzing a vulnerability and we let safety run it and they're the ones that primarily communicate with NHTSA and things of that nature if there's some sort of issue and so what we do is you know you look at a vulnerability and it could be just a minor minor vulnerability and a piece of software
that's way upstream in a system and that by itself doesn't tell you if it's really a safety defect you really have to do very complicated I'd call it system threat modeling looking at how does that vulnerability exist in the software can it kind of get outside of that piece of software or the other software that's around it you know what's the context of that system can it get on the network if you get on the network as are there firewalls between that and other safety critical systems on and on and on you have to there's usually multiple steps that have to occur for one vulnerability to actually execute something in a system and so we have to take all that into
account and we've built a lot of threat modeling and system risk assessments around that that sort of methodology and then once we get to an end state we understand hey this is what could occur then we run it through the safety process to say hey yeah this is something or no this isn't so sounds good it's hard that's not easy it takes a lot of hours a lot of domain knowledge you have to understand how your system works you have to understand how that vulnerability can interact in that system and so it's it's a continual process and we have to figure out how that's going to work at large as a whole industry but that's the approach we're
taking so yeah absolutely I think some will but I don't know that all and you know we have to figure that out over time as more and more security controls are introduced one vulnerability doesn't necessarily mean a recall in every case yes that's a good answer and interesting yeah from from a CVSS perspective you score many vulnerabilities and you look at it from that perspective you're looking at one system one tiny vulnerability it's a lot different when it's a whole vehicle like that and you have to consider the system itself so that that's interesting we have we have five minutes left so I'll make sure we have time for questions here so please grab a microphone and
let's ask some questions people walking around see want up in the front or in the middle here this year I bought a 2017 GM long-range EV but with the 2010 16 DMCA exemption on vehicle reverse engineering GM still made me sign a I won't reverse-engineer the firmware of my car I think that was a purchase contract yeah it's not necessarily our purchase contract so and I don't want to get into that too much except what I will say is I think it's been obvious that GM values the work of security researchers we do have a coordinated disclosure program on HackerOne where you can go look at the language there and see it's pretty pretty easy to abide by I think in my
mind so yeah the legal legal world out there around this stuff is complicated but I'm I'm an engineer I'm not a lawyer understood question I hear Kevin you mentioned this when he talked about securing vehicle networks and also the threat modeling are there are there plans to replace or augment CAN bus with something authenticated to protect against malicious actors on the CAN bus or is the focus on keeping the threats out you know away from the car I think it's both and so not anything not to get into too much detail about our future plans some of this is public record there are plans to augment CAN with authentication mechanisms the big challenge there is it's a very low bandwidth
network so you can't do maybe the full security that you may want to do otherwise you can't send any data over for it anymore so what you'll see is an evolution of authentication mechanisms and then likely some higher speed bandwidth networks and future architectures that we're working on there's something called CAN FD which is anything - about 2 megabit and then there's Ethernet obviously that gets you there sometimes I say that going to Ethernet may actually create more problems and again so it's hard to say exactly what we're gonna land with but we're gonna have higher bandwidth networks there's gonna be authentication but we're also gonna try to block people out as well it's really like I said at
the beginning defense-in-depth strategy I don't want anyone in a vehicle network I kind of assumed that if you're there I've already lost but if you're there then I want to have something else there to make it harder for you to masquerade as as a device and be able to send a safety critical message thank you take greater question in the back there yeah I you said previously that you have to kind of prove that your product is secure before you ship that and in traditional IT that's all it's not necessarily how problem but it's something that takes much effort if you want to do that so how do you do that with your cars a great question it is a
lot of effort we have about 80 people working on this so there's a lot of systems that we release every every year a lot of software that we release and basically what we've instituted is not unlike in an IT environment an SDLC process that mirrors our vehicle development process so for every component that sits in the vehicle that does something that you know could be of concern from a cyber perspective generally all the components that have software is what we look at and if you think about it a vehicle has like 30,000 parts it's only about a hundred parts or so so of those you know we run through a very dedicated process doing pen testing
scanning software you know analysis code reviews etc and all that gets summarized you know in a report before we go to production so I know I'm running out of time but at a high level that's that's what we do for our products in every cycle all right I think we're pretty close on time so I just want to I want to thank everybody for for stopping by this late we'll be here a little bit afterwards just you want to ask a couple questions and I'm not sure if a band camera to be had like at this week but but feel free to just come by and just talk to us but thanks for stopping by and please come hot car it's
cool [Applause]