Automotive Cybersecurity Development
Attack path figure: Third-party APP (1) and Car remote control APP (2) running on the Android System, over the QNX Hypervisor, over the H/W.
2. Hackers directly implant a trojan in the car remote control application while it is connected to the cloud; the trojan can then manipulate the remote control APP to forge arbitrary signals and send them to other ECUs. Phenomenon: the vehicle is not controlled by the driver.
2 | Infotainment System | Multimedia access; Internet connection; Multimedia playback; In-vehicle personalization setup
3 | Connectivity System | TSP Connection
• Attacks on the Multimedia access and Internet connection functions can result in a black screen and in the vehicle not being controlled by the driver
- Impact rating: Major ~ substantial consequences; stakeholder will be able to overcome
Asset categories (figure): Debug interface; Communication interface; Firmware; OS; Application; Configuration data; Private data
4 | Rear Infotainment System | Multimedia access; Multimedia playback; In-vehicle access
5 | DVR System | Video recording; Video playback
6 | V2X System | V2X connection; V2X protocol; V2X application
7 | Microphone System | Voice record
8 | Sound System |
(Connectivity System functions, continued): X-Call; Remote control; Remote data including OTA; Near vehicle access
Asset tree figure (IVI): HW; SW; Data
- Firmware: Uboot Image; QNX image; Android image
- OS
- Application: Android; Diag.; OTA; http Com.; …
- Configuration data / Configuration file: Network config; Strategy config
- Private data: Key; GPS; ID; Cert.; …
- Debug interface: ADB; Demware
- Communication interface: BT; Wi-Fi; USB; CAN; Ethernet
Automotive Cybersecurity Development
EEA: Function Allocation (Infotainment as Reference)
No. | System Name | Functions
1 | Cluster System | Telltale & Warning Message Display; Sound playback
Remark: only partial functions are listed; in a real project, all functions need to be analysed
Participating ECUs: ECUs <-> IC; Radio/BT/Wi-Fi/USB <-> IVI; TSP <-Tbox-> IVI
No. | Functions | Communication Path | Communication Protocol | Networking OS & Diagnostics
1 | Multimedia access | Bluetooth, Wi-Fi, USB, CAN, Ethernet | |
4 | In-vehicle personalization setup | Bluetooth, Wi-Fi, USB, CAN, Ethernet, LTE | BT HFP, BT A2DP, Wi-Fi, USB, CAN, TCP/IP, AVB, STN, MQTT, HTTP, … | OSEK, Autosar, SOMEIP, DDS, DoCAN, DoIP, …
Communication paths (table): IVI <-> Sound System; IVI <-> ECUs; Tbox <-> TSP; BLE, NFC <-> Tbox; USB <-> RSE; RSE <-> Sound System; RSE <-> ECUs; DVR <-> IVI
Path types: Wireless; Wired; CAN, Ethernet; NA; DSRC, LTE-V2X
EEA3.0: Asset of ECU and Communication Path for Allocated Functions
(Figure: ECU with CAN Controller)
3 | Multimedia playback | Bluetooth, Wi-Fi, USB, CAN, Ethernet, LTE | BT HFP, BT A2DP, Wi-Fi, USB, CAN, TCP/IP, AVB, STN, MQTT, HTTP, … | OSEK, Autosar, SOMEIP, DDS, DoCAN, DoIP, …
EEA3.0: Threat Analysis for Allocated Functions
Determination of impact rating of the damage scenario
• For purposes of this presentation, we will use an impact scale of 4 levels: Severe, Major, Moderate and Negligible
• For a financial impact
- Severe ~ catastrophic consequences; stakeholder might not overcome
- Major ~ substantial consequences; stakeholder will be able to overcome
- Moderate ~ inconvenient consequences; stakeholder can overcome with limited resources
- Negligible ~ no effect, negligible consequences or is irrelevant
Attack path analysis and associated attack feasibility
• An attack path would be an attacker tapping into a point between the infotainment system and the destination server
• What is the associated attack feasibility?
• Various methods to determine attack feasibility could be used, such as a CVSS-based approach or using ISO-18045 attack potential parameters and mapping them to attack feasibility
1. Hackers enter through third-party applications when USB is accessed, implant a virus, attack the firmware and system layers, and cause system failure. Phenomenon: black screen.
Communication Path: LTE | Communication Protocol: BT HFP, BT A2DP, Wi-Fi, USB, CAN, TCP/IP, AVB, STN, MQTT, HTTP, … | Networking OS & Diagnostics: OSEK, Autosar, SOMEIP, DDS, DoCAN, DoIP, …
2 | Internet connection | Bluetooth, Wi-Fi, USB, CAN, Ethernet, LTE | BT HFP, BT A2DP, Wi-Fi, USB
OBU/RSU <-> OBU; Microphone; Speaker
Communication Paths: CAN; Wireless, Wired: CAN, Ethernet, LTE; Wired: CAN, Ethernet; LTE: Voice over LTE, TCP/IP over LTE
IVI as Reference
No. | Functions | Asset (Chip)
1 | Multimedia access | Chip: Trust zone, HSM
2 | Internet connection | Chip
3 | Multimedia playback | Chip
4 | In-vehicle personalization setup | Chip
- We will use ISO-18045 parameters; most of them are also in the HEAVENS threat modeling methodology and thus most familiar to the organization doing the threat modeling (elapsed time is not part of HEAVENS)
The associated attack potential parameters are: Elapsed Time, Expertise, Knowledge of Item, Window of Opportunity and Equipment. We will adopt them for use in automotive by changing some parameter values. Each of these parameters has a numeric value associated with each option in its category; the values are summed to derive an overall attack potential value.
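The attack potential summation above as code, added here as an example (it is not the deck's own worksheet): each of the five parameters is scored from a lookup table, the scores are summed, and the total is banded into an attack feasibility rating. The weights and bands are assumed (they follow the ISO/SAE 21434 Annex G adaptation of ISO 18045 as recalled here, since the deck says it changes some values but does not print its table), and the two scored attack paths are constructed illustrations of the deck's USB and cloud scenarios.

```python
"""Attack potential -> attack feasibility: score the five ISO 18045 parameters the
deck names, sum them, band the total. Added example, not the deck's own worksheet.
ASSUMPTION: weights and bands follow the ISO/SAE 21434 Annex G adaptation of
ISO 18045 as recalled here; the deck changes some values for automotive use but
does not print its table, so substitute the project's agreed values."""
from dataclasses import dataclass

# Parameter option -> numeric value (assumed weights, see module docstring).
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE_OF_ITEM = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW_OF_OPPORTUNITY = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

# Summed attack potential -> feasibility rating (assumed bands; above 24 is "Very low").
FEASIBILITY_BANDS = [(13, "High"), (19, "Medium"), (24, "Low")]

@dataclass(frozen=True)
class AttackPotential:
    elapsed_time: str
    expertise: str
    knowledge_of_item: str
    window_of_opportunity: str
    equipment: str

    def value(self) -> int:
        """Sum the per-parameter values; a KeyError flags an option not in the tables."""
        return (ELAPSED_TIME[self.elapsed_time] + EXPERTISE[self.expertise]
                + KNOWLEDGE_OF_ITEM[self.knowledge_of_item]
                + WINDOW_OF_OPPORTUNITY[self.window_of_opportunity]
                + EQUIPMENT[self.equipment])

def attack_feasibility(ap: AttackPotential) -> str:
    """Map the summed attack potential to the feasibility band it falls in."""
    total = ap.value()
    for upper, rating in FEASIBILITY_BANDS:
        if total <= upper:
            return rating
    return "Very low"

# Constructed scorings of the deck's two attack paths (illustrative values only):
# 1 = malicious third-party app via USB, 2 = trojaned remote control app via the cloud link.
USB_THIRD_PARTY_APP = AttackPotential("<=1 week", "proficient", "public", "easy", "standard")
CLOUD_REMOTE_TROJAN = AttackPotential("<=1 month", "expert", "restricted", "easy", "specialized")

if __name__ == "__main__":
    for name, ap in [("USB third-party app", USB_THIRD_PARTY_APP), ("cloud remote trojan", CLOUD_REMOTE_TROJAN)]:
        print(f"{name}: attack potential {ap.value()} -> feasibility {attack_feasibility(ap)}")
```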
Remark: only partial functions and relevant assets are listed; in a real project, all functions and relevant assets need to be analysed
EEA3.0: Threat Analysis for Allocated Functions Attack Path Analysis (Multimedia access and Internet connection function as Reference)