By Tim Radzykewycz
Last year, at the Black Hat conference in Las Vegas, Charlie Miller and Chris Valasek reported their security research on a Jeep Cherokee. They were able to remotely break into the system and take control of steering, brakes, and other safety critical systems on the vehicle, as well as systems not normally considered safety critical such as the infotainment unit.
After learning about the hacks, Fiat, the parent company of Chrysler, responded exceptionally well. They implemented a fix and recalled 1.4 million vehicles to install it. This was implemented in what I call the BOUNDARY LAYER, which attempts to keep attackers from gaining access to the system at all.
The pair has continued to research the vehicle since then, and this year, again at Black Hat, they presented their new findings. This time, they ignored the wireless access and discovered several ways to get more complete control of the vehicle once they got access.
Fiat’s response this time was different. They point out that the current research results require physical access to the vehicle. This is true. And since last year’s fix “prevents” remote access at the boundary, they don’t seem to be as concerned. To many across the industry, Fiat’s less than urgent response is alarming.
Why so? Consider these two common maxims in security that are relevant here:
* any system can be breached by a sufficiently motivated, skilled, and funded attacker
* defense should involve multiple independent layers of security
The first one implies that at some time in the future another vulnerability will be discovered, allowing attackers to get access. They will bypass the current boundary security. Vulnerabilities do exist, whether or not we know about them. The question is not whether attackers can break in, but only when.
Right now, if the attackers were to get past the boundary security, they would be able to take control of the vehicle. They would be able to stop the vehicle from any speed, accelerate quickly, affect the steering at any speed, engage and set the cruise control, and other things to create a dangerous situation on the road.
That’s where the second maxim comes in. I like to divide security into different layers, which are mostly independent of each other conceptually. Depending on the context, the layers may change, but the following is a good starting point:
* boundary : prevent attackers from getting to the system
* communication : keep communication private and reliable
* configuration : ensure that the system is configured securely
* forensics : discover attacks in progress or soon after
* mitigation : know how to respond to an attack, whether it was successful or not
* prevention : keep attacks from achieving their goals
* secure_environment : ensure that the software is authorized
* sanitization : ensure that no sensitive data is present when it is no longer needed
* certification (pseudo layer) : have experts review the system
Historically, security started with boundary security. But if that is the only protection, then when it is bypassed, attackers easily do whatever they want to do on the compromised system. Like in the Jeep, as Miller and Valasek showed last week.
In the case of an automobile, communication security is equally important. A successful attack on the infotainment unit should not allow the attacker full access to the automotive CAN bus. But in many automobiles, CANbus is not well protected.
Forensics is important here. Monitoring the CAN network can discover attacks in progress and thwart them.
What I call the prevention layer consists of techniques to make attacks more difficult, such as using various forms of mandatory access control. There are many things in an automobile, which an infotainment unit or TPMS should not be allowed to do. Enforcing those mandatory access controls would increase automobile safety.
As for certification, there’s loads of it in automotive design and manufacture, some related to security but most related to other things.
To be fair to Fiat, they are concerned. They have instituted a security bug bounty program, which is another great step. And the response they gave, indicating that the attacks require physical access, may not indicate that they are not concerned, but only that they are trying to calm fears that the general public might have. So they’re not doing bad this time, either. Though, as a security professional, I would still like to hear about the other security layers that they’re addressing in current and future products.
What are your thoughts?