
© Fraunhofer-Gesellschaft 2016

A CRISP Member

Automated Driving – Data Protection and Data Security: State of the Art and Further Technological Development
(Original title: Automatisiertes Fahren – Datenschutz und Datensicherheit: Stand der Technik und weitere technologische Entwicklung)

Prof. Dr. Michael Waidner
Fraunhofer Institute for Secure Information Technology SIT, Director
Center for Research in Security and Privacy CRISP, Spokesperson

Talk »Automated Driving – Data Protection and Data Security«, Vereinigung der Bayerischen Wirtschaft eV, Munich, 1 August 2016

– 2 –

Fraunhofer Institute for Secure Information Technology SIT
Leading institute in Germany for applied cybersecurity research

Applied cybersecurity R&D for industry, government, society

»Security by Design« & »Security at Large«

Designs, analyses, tests, experiments and measurements

Cybersecurity, forensics, privacy, cloud, embedded, Internet, infrastructure, software, business/industrial IT

Facts and figures

1961: foundation; 1996: refocus on cyber; 2001: member of Fraunhofer-Gesellschaft

170 employees, 9 departments in Darmstadt and Birlinghoven (Bonn), project center in Jerusalem

On-campus labs: Airbus/Stormshield, SAP, Sirrix AG, Software AG

1/3 base funding, 2/3 contract research

Co-operation with industry and governments

Member of the federal/state-funded Center for Research in Security and Privacy (CRISP)

https://www.sit.fraunhofer.de

– 3 –

Outline

Cybersecurity
Automotive Cybersecurity
Examples
Conclusions

– 4 –

The High-Tech Topics of 2016: the most important technology and market trends from the perspective of the ICT industry (Bitkom survey chart; original German title: Die Hightech-Themen 2016 – Die wichtigsten Technologie- und Markttrends aus Sicht der ITK-Branche)

Source: https://www.bitkom.org/Presse/Presseinformation/Sicherheit-fuer-IT-Unternehmen-das-Thema-des-Jahres.html

– 5 –

Data theft, espionage, sabotage: two thirds of industry are affected (Bitkom survey of German industrial companies; original German title: Datenklau, Spionage, Sabotage – Zwei Drittel der Industrie sind betroffen)

Source: https://www.bitkom.org/Presse/Presseinformation/Industrie-im-Visier-von-Cyberkriminellen-und-Nachrichtendiensten.html

– 6 –

Prototypical Cyberattacks
Targeted, organized and economically or politically motivated. Many high-profile victims: everybody is vulnerable.

PRC Unit 61398, Shanghai (2013); NSA / GCHQ programs (2013/14)

Stuxnet (2010)

German Bundestag (2015)

German Steel Mill (2014)

Saudi Aramco (2012)

DigiNotar (2011)

RSA/Lockheed-Martin (2011)

EADS (2012)

US Office of Personnel Management (2015)

– 7 –

Key Sources of Insecurity

Insufficient engineering
  Ca. 8,000 new vulnerabilities per year (IBM, 2016)
  Ca. 100 – 1,000 vulnerabilities in larger software
  Insecure integration: no security design, unnecessarily large attack surface, wrong interface assumptions, no or insufficient authentication, …
  Insufficient adoption of best practices and known technologies
  Insufficient understanding of privacy and data minimization

Insufficient visibility and insight
  Ca. 140 days breach detection time (Mandiant, 2016)
  Insufficient data, insufficient visibility across organizations
  Limited readiness for emergency response
  Insufficient systems management

Insiders, social engineering, usability, …

– 8 –

FBI public service announcement (March 2016): car hacking is a real risk. Source: https://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/


– 10 –

Information Technology as Key Enabler
New technology enables new business models and applications

Increased traffic safety and efficiency: emergency call (eCall), accident documentation
Infotainment
Optimized maintenance processes: better diagnostics, predictive maintenance
New insurance tariffs (»Pay as you drive«)
New car sharing and fleet management models
Product improvement for OEMs

– 11 –

Information Technology as Key Enabler
New interfaces and increased connectivity

Interfaces (figure):
  GSM/UMTS/LTE, WiFi, Bluetooth
  On-Board Diagnostics (OBD), Tire Pressure Monitoring, EV Charging
  Car-2-X Communication
  Immobilizer, Remote Keyless Entry
  E/E, ECU security: tachograph, chip tuning, function activation
  Infotainment: USB, Lightning, GPS, DAB, TMC, RDS

50–100 ECUs, 10–100 million lines of code

– 12 –

Information Technology as Key Enabler
Increased impact of malfunctions and attacks

Stakeholders and potential attackers (figure): terrorists & criminals, vehicle owner, vehicle driver, repair shops, fleet owner, service provider, insurance companies, government, manufacturer

Damages to life and limb: influence brakes, engine, advanced driver assistance
Financial damages: vehicle theft, turning back the odometer, illegal function activation or chip tuning
Loss of privacy: driving behavior profiles, movement profiles, driver identification

– 13 –

Information Technology as Key Enabler
Increased attack surface and adversary incentives result in increased risk

(Figure: risk over time, with car electronics, Car2X communication and autonomous driving as successive stages)

Increased use of IT (SW/HW)
+ increased design complexity
+ increased “software-defined everything”
+ new interfaces and increased connectivity
→ increased attack surface

+ increased use/generation of (personal) data
+ increased impact of malfunction/attack
→ increased risk


– 15 –

Car Hacking, Chip Tuning, Unauthorized Function Activation
Classical approach of hacking: standard vulnerabilities in SW [no Security by Design], HW [not tamper-resistant], crypto [weak keys, weak randomness]

Complete takeover of a regular 2014 Chrysler Jeep Cherokee through an update vulnerability in the UConnect infotainment system [Miller/Valasek, Black Hat 2015; see also Koscher et al., IEEE S&P 2010]

Needed: Security and Privacy by Design, trusted HW, secure architectures

Attack chain (figure):
1. Find an open interface: OBD i/f; wireless connection w/ weak protection; EV charging i/f; infotainment i/f; Internet/mobile apps
2. Move and escalate rights: weak isolation; well-known exploits; standard buses (CAN, …) w/o security; easy to flash firmware
3. Take control, steal data: e.g., send arbitrary CAN messages

Sources: C. Miller, C. Valasek: Remote Exploitation of an Unaltered Passenger Vehicle; Black Hat 2015. K. Koscher et al.: Experimental Security Analysis of a Modern Automobile; IEEE S&P »Oakland« 2010. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway

– 16 –

Security and Privacy by Design: Relevant and Ongoing Standardization Efforts

AUTOSAR (AUTomotive Open System ARchitecture): Crypto Service Manager (CSM), Crypto Abstraction Library (CAL), Secure Onboard Communication (SecOC), …, Adaptive Platform

SAE (Society of Automotive Engineers): SAE J3061, Cybersecurity Guidebook for Cyber-Physical Vehicle Systems (ongoing)

ISO (International Organization for Standardization): ISO/TC 22 WG »Automotive Security« (ongoing)

Joint declaration of the Conference of the Independent Data Protection Authorities of the Federation and the Länder and the German Association of the Automotive Industry (VDA) of 26 January 2016 (Gemeinsame Erklärung der Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder und des Verbandes der Automobilindustrie vom 26. Januar 2016)
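The attack chain on the previous slide ends with "send arbitrary CAN messages" because a classical CAN frame carries no proof of who sent it; the Secure Onboard Communication item above is the standardized answer (a MAC plus a freshness value appended to each protected PDU). The following is an added example written for this page, not code from the talk, from Miller/Valasek or from AUTOSAR. It models a plain CAN receiver beside a SecOC-style one and shows which forged, replayed and tampered frames each accepts. Everything not on the slides is an assumption: 11-bit IDs with up to 8 data bytes, a 4-byte freshness counter sent in full, and a 24-bit MAC truncated from HMAC-SHA256 as a standard-library stand-in for the AES-CMAC a real SecOC deployment would use; the CAN ID, key and frames are constructed.

```python
"""Unauthenticated CAN frames versus a SecOC-style authenticated frame.

Added example for this page; not code from the talk, from Miller/Valasek or
from AUTOSAR. Assumptions not stated on the slides: 11-bit CAN IDs with up to
8 data bytes, a 4-byte freshness counter sent in full, and a 24-bit MAC
truncated from HMAC-SHA256 (a stand-in for the AES-CMAC an AUTOSAR SecOC
deployment would normally use, chosen so this runs on the standard library).
The CAN ID, key and frames below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

KEY = bytes(range(16))      # constructed 16-byte ECU key
BRAKE_CMD_ID = 0x1A0        # constructed CAN ID for a safety-relevant command
FRESH_LEN = 4               # bytes of freshness value on the wire (assumption)
MAC_LEN = 3                 # 24-bit truncated MAC (assumption)


# --- Plain CAN: frames carry an ID and data, nothing proves who sent them ----

def encode_plain(can_id: int, data: bytes) -> bytes:
    """Minimal frame model: 11-bit ID, then up to 8 data bytes."""
    if not 0 <= can_id < 0x800 or len(data) > 8:
        raise ValueError("bad CAN frame")
    return struct.pack(">H", can_id) + data


def decode_plain(frame: bytes):
    """A plain receiver acts on the ID alone; a forged frame is indistinguishable."""
    return struct.unpack(">H", frame[:2])[0], frame[2:]


# --- SecOC-style: Authentic PDU || freshness value || truncated MAC -----------

def _mac(key: bytes, can_id: int, data: bytes, freshness: int) -> bytes:
    """MAC over ID, freshness and data, so none of them can be altered or replayed."""
    msg = struct.pack(">HI", can_id, freshness) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class SecOCSender:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0          # monotonically increasing freshness value

    def send(self, can_id: int, data: bytes) -> bytes:
        self.counter += 1
        tag = _mac(self.key, can_id, data, self.counter)
        return encode_plain(can_id, data) + struct.pack(">I", self.counter) + tag


class SecOCReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_freshness = 0   # highest freshness value accepted so far

    def verify(self, frame: bytes):
        """Return (id, data) for an authentic, fresh frame, else None."""
        trailer = FRESH_LEN + MAC_LEN
        if len(frame) < 2 + trailer:
            return None
        can_id, rest = decode_plain(frame)
        data = rest[:-trailer]
        freshness = struct.unpack(">I", rest[-trailer:-MAC_LEN])[0]
        tag = rest[-MAC_LEN:]
        if freshness <= self.last_freshness:
            return None           # replayed or out-of-order frame
        if not hmac.compare_digest(tag, _mac(self.key, can_id, data, freshness)):
            return None           # forged or modified frame (attacker lacks the key)
        self.last_freshness = freshness
        return can_id, data


def demo() -> dict:
    """Exercise both receivers against an attacker who can write to the bus."""
    results = {}
    # 1. Plain CAN: the attacker's forged brake command is accepted as-is.
    forged = encode_plain(BRAKE_CMD_ID, b"\x01" + b"\x00" * 7)
    results["plain_forged_accepted"] = decode_plain(forged)[0] == BRAKE_CMD_ID

    tx, rx = SecOCSender(KEY), SecOCReceiver(KEY)
    genuine = tx.send(BRAKE_CMD_ID, b"\x00" * 8)
    results["secoc_genuine"] = rx.verify(genuine) is not None
    # 2. Replaying a captured genuine frame fails the freshness check.
    results["secoc_replay"] = rx.verify(genuine) is None
    # 3. Forging without the key: any freshness value, guessed MAC.
    attacker_tag = _mac(b"attacker-guess", BRAKE_CMD_ID, forged[2:], 99)
    results["secoc_forged"] = rx.verify(forged + struct.pack(">I", 99) + attacker_tag) is None
    # 4. Flipping one payload bit of a fresh genuine frame invalidates the MAC.
    tampered = bytearray(tx.send(BRAKE_CMD_ID, b"\x00" * 8))
    tampered[2] ^= 0x01
    results["secoc_tampered"] = rx.verify(bytes(tampered)) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two caveats a deployment has to handle that the example keeps simple: the receiver only accepts strictly increasing freshness values, so an ECU reset or a lost frame needs a freshness-management scheme rather than a bare counter, and the 24-bit MAC truncation is a deliberate trade of forgery resistance against the 8-byte CAN payload budget; on a bus carrying thousands of frames per second a receiver must also rate-limit or log MAC failures rather than silently drop them.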

– 17 –

Circumvent Remote Keyless Entry / Immobilizer
Classical failures of crypto designs: weak/proprietary algorithms, short keys, no update feature for broken systems, flawed proximity assumption

Straightforward relay (man-in-the-middle) attack on passive keyless entry systems [ADAC 2015]: the car's short-range challenge is relayed to the key fob that is out of range and the fob's answer is relayed back, so the car concludes the key is nearby

Needed: state-of-the-art crypto design, standard crypto/RNG, distance bounding / relay resistance

Source: https://www.adac.de/infotestrat/technik-und-zubehoer/fahrerassistenzsysteme/keyless/default.aspx
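The "flawed proximity assumption" above is that a fob which answers must be within the few metres the car's low-power field reaches; a relay extends that field. Distance bounding replaces the assumption with a measurement: the car times its challenge-response round trip and refuses answers that arrive later than light can cover twice the allowed distance. The following added example, written for this page and not the ADAC test setup or any vendor's protocol, simulates that check with a virtual clock. The speed of light is real; the fob turnaround time, the 2 m proximity bound, the relay latency and the keys are constructed assumptions, and real systems need hardware time-stamping (typically UWB transceivers) to measure nanoseconds at all.

```python
"""Keyless entry: challenge-response plus a round-trip-time (distance) bound.

Added example for this page; not the ADAC test setup or any vendor's protocol.
The fob, the car and the radio channel are a constructed simulation with a
virtual clock: the speed of light is real, the fob turnaround time, the 2 m
proximity bound and the relay latency are assumptions, and the keys are
constructed. Real systems need hardware time-stamping (e.g. UWB transceivers)
to measure round trips of a few tens of nanoseconds.
"""
import hashlib
import hmac
import os

C_M_PER_NS = 0.2998          # speed of light, metres per nanosecond
FOB_TURNAROUND_NS = 20.0     # assumed fixed processing time inside the fob
MAX_DISTANCE_M = 2.0         # assumed: the fob must be within 2 m of the car


def rtt_bound_ns(max_distance_m: float = MAX_DISTANCE_M) -> float:
    """Largest round trip a fob at most `max_distance_m` away can produce."""
    return 2 * max_distance_m / C_M_PER_NS + FOB_TURNAROUND_NS


class KeyFob:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        # Proves possession of the key; says nothing about where the fob is.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class Channel:
    """Radio path between car and fob. A relay adds distance plus its own latency."""

    def __init__(self, fob: KeyFob, distance_m: float, relay_delay_ns: float = 0.0):
        self.fob, self.distance_m, self.relay_delay_ns = fob, distance_m, relay_delay_ns

    def exchange(self, challenge: bytes):
        time_of_flight = 2 * self.distance_m / C_M_PER_NS
        rtt = time_of_flight + FOB_TURNAROUND_NS + self.relay_delay_ns
        return self.fob.respond(challenge), rtt


class Car:
    def __init__(self, key: bytes, max_distance_m: float = MAX_DISTANCE_M):
        self.key = key
        self.max_distance_m = max_distance_m

    def unlock(self, channel: Channel, challenge: bytes = b"") -> str:
        challenge = challenge or os.urandom(16)   # fresh, unpredictable nonce
        response, rtt = channel.exchange(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(response, expected):
            return "reject: wrong key"
        # The proximity check the relayed systems lacked: a correct answer that
        # arrives later than light can travel 2 * max_distance is not "nearby".
        bound = rtt_bound_ns(self.max_distance_m)
        if rtt > bound:
            return f"reject: rtt {rtt:.1f} ns exceeds bound {bound:.1f} ns"
        return "unlock"


def demo() -> dict:
    key = bytes(range(16))                      # constructed car/fob key
    fob, car = KeyFob(key), Car(key)
    at_the_door = Channel(fob, distance_m=1.0)
    # Relay scenario: the fob is 30 m away indoors and the relay's own
    # receive/retransmit electronics add 200 ns (constructed figure). Even a
    # zero-latency relay could not pass, because it cannot make the signal
    # travel faster than light over the extra 2 * 30 m.
    relayed = Channel(fob, distance_m=30.0, relay_delay_ns=200.0)
    stranger = Channel(KeyFob(b"some-other-key"), distance_m=1.0)
    return {
        "at_the_door": car.unlock(at_the_door),
        "relayed": car.unlock(relayed),
        "stranger": car.unlock(stranger),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The numbers show why this cannot be retrofitted onto an existing LF/UHF fob with a software timer: the whole budget for 2 m is about 33 ns, and every nanosecond of jitter in the fob's turnaround is worth about 15 cm of distance, so the response path has to be fixed-latency hardware and the challenge has to be unpredictable so that an attacker cannot pre-compute the answer and send it early.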

– 18 –

Reality Distortion and Tracing in Car2X
Late stages of standardization. Several details and the PKI operator still open. (Figure not reproduced.)

– 19 –

Privacy Violation through Data Analysis
Wide range of driver-related data collected and accessible via the unprotected on-board diagnostic interface

Driver identification using just velocity and rpm

Needed: Privacy by Design / by Default; effective controls and transparency, encryption, data masking, data minimization, data anonymization, pseudonyms
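If a velocity and rpm trace alone identifies the driver, then the minimization the slide asks for has to act on exactly those signals before the data leaves the vehicle or reaches an analyst. The following added example, written for this page and not code from the talk, shows one purpose-limited pipeline: the VIN is replaced by a keyed, epoch-bound pseudonym, the fine-grained speed and rpm values are coarsened, timestamps lose their millisecond resolution, and location is dropped unless the purpose asks for it. The record format, the sample readings, the 10 km/h and 500 rpm steps, the epoch scheme and the secret are all constructed or assumed.

```python
"""Minimising driver-related OBD telemetry before it is stored or shared.

Added example for this page, not code from the talk. The record format, the
sample readings, the 10 km/h and 500 rpm coarsening steps, the per-epoch
pseudonym and the secret are constructed or assumed; the idea is the slide's:
keep what the purpose needs, coarsen the fine-grained velocity and rpm traces
that identify a driver, and replace the VIN by a keyed pseudonym.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ObdRecord:
    vin: str
    t_ms: int
    speed_kmh: float
    rpm: int
    lat: float
    lon: float


def pseudonym(vin: str, secret: bytes, epoch: str) -> str:
    """Keyed, epoch-bound pseudonym for a VIN.

    Stable within one epoch (e.g. one trip or one day) so records can still be
    joined for analysis; unlinkable across epochs for anyone without the secret.
    A plain hash would not do: the VIN space is small enough to enumerate, so
    only the secret stops re-identification by dictionary attack.
    """
    msg = f"{epoch}:{vin}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def coarsen(value: float, step: float) -> float:
    """Round to the nearest multiple of `step` (e.g. 48.7 km/h -> 50)."""
    return round(value / step) * step


def minimise(records, secret: bytes, epoch: str, *, speed_step=10, rpm_step=500,
             keep_location=False):
    """Return purpose-limited records: no VIN, coarse signals, location only on request."""
    out = []
    for r in records:
        item = {
            "pid": pseudonym(r.vin, secret, epoch),
            "t_s": r.t_ms // 1000,                      # ms resolution -> seconds
            "speed_kmh": coarsen(r.speed_kmh, speed_step),
            "rpm": coarsen(r.rpm, rpm_step),
        }
        if keep_location:                               # e.g. only for an eCall use case
            item["lat"] = round(r.lat, 2)               # ~1 km cells instead of metres
            item["lon"] = round(r.lon, 2)
        out.append(item)
    return out


# Constructed sample: two readings from one vehicle, one from another.
SAMPLE = [
    ObdRecord("WVWZZZ1JZ3W386752", 1469000000123, 48.7, 2130, 48.1374, 11.5755),
    ObdRecord("WVWZZZ1JZ3W386752", 1469000001123, 51.2, 2290, 48.1380, 11.5761),
    ObdRecord("WDB2030461A123456", 1469000000456, 12.3, 900, 48.1400, 11.5800),
]
SECRET = b"\x00" * 32   # constructed; in practice held by a party separate from the analysts


def demo():
    return minimise(SAMPLE, SECRET, epoch="2016-08-01")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two design points matter more than the code: the pseudonym secret must be held by someone other than whoever receives the minimised data, otherwise the pseudonym is just a VIN with extra steps, and coarsening reduces but does not remove the identifying signal, so the epoch length (how long one pseudonym stays linkable) is the knob that trades analytical utility against driver profiling.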


– 21 –

Conclusions (1/2)

Automotive digitization comes with new threats … most well known from other domains. Typical »teething problems«:
  Proprietary crypto, weak or even fixed keys
  Open networks / interfaces, weak authentication
  Integration based on unjustified assumptions
  Unprotected hardware in »hostile« environments
  Direct inheritance of problems from other domains (software, mobile systems, …)
  Exploding design complexity

– 22 –

Conclusions (2/2)

Requires best practices; standards; testing guidelines, tools and labs; and »Security and Privacy by Design«

High awareness in industry and research

Data minimization vs. data sharing: conjecture: there is no contradiction
  Industrial Data Spaces: architecture supporting controlled, secure and privacy-friendly sharing
  Privacy & transparency enhancing technologies like end-to-end encryption, ABCs (attribute-based credentials) and cryptographic pseudonyms, data masking and anonymization

– 23 –

Vielen Dank!
Thank you very much!
Merci beaucoup!
תודה רבה!
谢谢
Dziękuję!
Dank je wel!
ありがとうございます
شكرا لك

– 24 –

Prof. Dr. Michael Waidner
Fraunhofer Institute for Secure Information Technology SIT, Director
www.sit.fraunhofer.de
Rheinstrasse 75, 64295
[email protected]
+49 6151 869 250 (Office)
+49 170 929 8243 (Cell)