22 research outputs found

    A Structured Approach to Securing the Connected Car

    Vehicles of today have become increasingly dependent on software to handle their functionalities. Updating and maintaining the software in vehicles has therefore become a costly process for the automotive industry. By introducing wireless communications to vehicles, vehicular maintenance can greatly be improved and many other new applications can also be brought to the vehicles. However, the vehicle was not designed with security in mind. Since the vehicle is safety-critical, it is vital that such new remote services do not violate the safety and security requirements of the vehicle. Thus, this thesis presents a general approach to securing the connected car, and the usefulness of the approach is demonstrated in a vehicular diagnostics scenario.

    The thesis comes in two main parts. In the first part, we address security mechanisms for the connected car. First, a survey of current mechanisms to secure the in-vehicle networks is made. Then, a description of possible communication methods with vehicles is given and a taxonomy of current entities involved in such communication is presented. The taxonomy is organised in actors, vehicle-to-X communications, network paths, and dependability and security attributes. The usefulness of the taxonomy is demonstrated by two examples.

    In the second part, we address security with respect to vehicular diagnostics. First, an overall security analysis of the interaction between the connected car and the repair shop is conducted. We find that the most imminent risk in the repair shop is the loss of authentication keys. The loss of such keys allows masquerading attacks against vehicles. To address this problem, we propose a Kerberos-inspired protocol for authentication and authorisation of the diagnostics equipment, and a trusted third party is introduced.

    To conclude, this thesis shows the value of adopting a structured approach to securing the connected car. The approach has been shown to be useful for identifying threats and countermeasures and thus helps improve security.

    Adapting Threat Modeling Methods for the Automotive Industry

    We live in a world that is getting more interconnected by each day, and we are witnessing a global change where all the devices in our surroundings are becoming "smart" and connected to the Internet. The automotive industry is also a part of this change. Today's vehicles have more than 150 small computers, embedded control units (ECUs), and multiple connection points to the Internet, which makes them vulnerable to various on-line threats. Recent attacks on connected vehicles have all been results of security vulnerabilities that could have been avoided if appropriate risk assessment methods were in place during software development. In this paper we demonstrate how the threat modeling process, common for the computer industry, can be adapted and applied in the automotive industry. The overall contribution is achieved by providing two threat modeling methods that are specifically adapted for the concept of the connected car and can further be used by automotive experts. The methods were chosen after an extensive literature survey and with support of domain experts from the vehicle industry. The two methods were then successfully applied to the connected car and the underlying software architecture based on the AUTOSAR standard. We have empirically validated our results with domain experts as well as tested the vulnerabilities found in a simulated vehicle environment.

    Security aspects of the in-vehicle network in the connected car

    In this paper, we briefly survey the research with respect to the security of the connected car, and in particular its in-vehicle network. The aim is to highlight the current state of the research: which problems have been found, and what solutions have been suggested. We have structured our investigation by categorizing the research into the following five categories: problems in the in-vehicle network, architectural security features, intrusion detection systems, honeypots, and threats and attacks. We conclude that even though quite some effort has already been expended in the area, most of it has been directed towards problem definition and not so much towards security solutions. We also highlight a few areas that we believe are of immediate concern.

    On Securing the Connected Car - Methods and Protocols for Secure Vehicle Diagnostics

    Software has been the enabler for the last decades of innovation in new vehicle functions. It is now an integrated part of today's cars, and the maintenance and update of this software have become a costly process for the automotive industry. As wireless communication to vehicles is being introduced, vehicular maintenance can greatly be improved and many other new applications can be brought to the vehicles. However, the vehicle was not designed with security in mind. Since the vehicle is safety-critical, it is vital that such new remote services do not violate the safety and security requirements of the vehicle and that appropriate security mechanisms are implemented in the vehicle to prevent malicious vehicle manipulations.

    In this thesis, approaches to secure the connected car, and in particular mechanisms and protocols to secure administrative services for vehicle diagnostics and software download, are presented. First, the landscape of the connected car and its infrastructure is investigated. A survey of current mechanisms to secure the in-vehicle network is made, and a description of possible communication methods with vehicles is given together with a taxonomy of current entities involved in such communication. The usefulness of the taxonomy is demonstrated by two examples. Then, security analyses of vehicle maintenance in repair shops are conducted. Generic mechanisms and protocols are proposed to secure vehicle diagnostics, which are independent of the diagnostics protocol being used. The proposed protocol prevents unauthorised access to vehicles, and it has been formally verified to ensure its correctness. Finally, security mechanisms for in-vehicle communication are addressed, where analyses are performed to design better in-vehicle network architectures that support both safety and security.

    To conclude, this thesis contributes new approaches to perform secure maintenance of future connected cars using wireless communication and to prevent unauthorised manipulations of the vehicle.

    Formal Verification of an Authorization Protocol for Remote Vehicle Diagnostics

    Remote diagnostics protocols have generally only considered correct authentication to be enough to grant access to vehicles. However, as diagnostics equipment or their keys can be stolen or copied, these devices cannot be trusted. Thus, authentication alone is not enough to prevent unauthorized access to vehicles. In previous work, we proposed an authorization protocol to prevent unauthorized access to vehicles. In the automotive industry, where lives are at risk and a certain liability is exacted on the manufacturer, their vehicles and their software, it is critical that such a protocol has no flaws. Thus, using formal methods to prove the correctness of protocol designs is an important step. In this paper, we formally prove that the proposed authorization protocol provides mutual authentication between the diagnostics equipment and the vehicle, and that it guarantees both secrecy of the distributed session key and freshness of the distributed authorization information. Our formal analysis is conducted using both the Burrows-Abadi-Needham (BAN) Logic and the ProVerif automated verification tool. To the authors' best knowledge, this is the first formally verified authorization protocol for remote vehicular diagnostics.

    Short Paper: Formal Verification of an Authorization Protocol for Remote Vehicle Diagnostics

    Remote diagnostics protocols have generally only considered correct authentication to be enough to grant access to vehicles. However, as diagnostics equipment or their keys can be stolen or copied, these devices cannot be trusted. Thus, authentication alone is not enough to prevent unauthorized access to vehicles. In previous work, we proposed an authorization protocol to prevent unauthorized access to vehicles. In this paper, we formally prove that the proposed authorization protocol provides mutual authentication between the diagnostics equipment and the vehicle, and that it guarantees both secrecy of the distributed session key and freshness of the distributed authorization information. Our formal analysis is conducted using both the Burrows-Abadi-Needham (BAN) Logic and the ProVerif automated verification tool.

    An In-Depth Analysis of the Security of the Connected Repair Shop

    In this paper, we present a security analysis of delivering diagnostics services to the connected car in future connected repair shops. The repair shop will mainly provide two services: vehicle diagnostics and software download. We analyse the security within the repair shop by applying a reduced version of the threat, vulnerability, and risk analysis (TVRA) method defined by ETSI. First, a system description of the repair shop is given. Security objectives and assets are then identified, followed by the threat and vulnerability analysis. Possible countermeasures are derived, and we outline and discuss one possible approach for addressing the security in the repair shop. We find that many of the identified vulnerabilities can directly be mitigated by countermeasures and, to our surprise, we find that the handling of authentication keys is critical and may affect vehicles outside the repair shop as well. Furthermore, we conclude that the TVRA method was not easy to follow, but still useful in this analysis. Finally, we suggest that repair shop security should mainly be addressed at the link layer. Such an approach may integrate network authentication mechanisms during address allocation and also support encryption of data for all upper layer protocols with minimal modifications.