Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 W3C Automotive and Web Platform Working Group Overview of Security Challenges – Implementing Vehicle and Data APIs.

Published byCharla Holmes Modified over 9 years ago

Similar presentations

Presentation on theme: "1 W3C Automotive and Web Platform Working Group Overview of Security Challenges – Implementing Vehicle and Data APIs."— Presentation transcript:

1 1 W3C Automotive and Web Platform Working Group Overview of Security Challenges – Implementing Vehicle and Data APIs

2 2 Document Summary Purpose:Provide an overview of the security challenges associated with implementing W3C Automotive & Web Platform Business Group and Vehicle and Data APIs Audience:W3C Working Group. JLR Management, Teams working on Connected Infotainment, Connected Services etc. Status:DRAFT v0.1 04 April 2015 Author:Dr. Kevin Gavigan, Software Architect, Connected Infotainment, Electrical Product Development, Jaguar LandRover

3 3 Contents Threat Surface Potential Attackers Use Cases Access Control References

4 4 Vehicle Ordering Threat Attack Surface Dealership Factory Threat Attack Surface Vehicle API Vehicle Network #1 Vehicle Network #2 Vehicle Network #n Infotainment ADAS etc… Smart Homes, Smart Cities Passengers Driver National Sales Centre

5 5 Potential Attackers External Cyber-criminals (professional hackers) Non-professional hackers Malware (virus/worm/etc.) authors Industrial Spies Activists Criminal fraternity Social Engineers Independent Dealers State Sponsored Agents Internal Rogue employees Contractors and vendors OEM Partners with rogue employee(s) Eavesdropping Espionage Tampering

6 6 Example Use Case Advanced Driver Assistance System (ADAS) – Controller setting safety critical controls When ADAS is active, steering wheel, accelerator and brake pedal position should only be able to be set by a suitably authorised source e.g. ADAS Controller Electronic Control Unit (ECU) N.B. It is imperative that steering wheel, accelerator and brake position can only be set by a trusted source. [Diag. Source: JLRPW1]

7 7 Example Use Case ADAS – Driving using valid inputs from internal sensors. Inputs into the ADAS Control Module should be from valid sensors only and should not be able to be interrupted e.g. by a Denial of Service (DOS) attack or be tampered with/modified. N.B. A possible Attack Vector that needs to be mitigated would be to replace/spoof inputs from one or more sensors to trick the Control Module into behaving incorrectly. [Diag. Source: JLRPW1]

8 8 Example Use Case ADAS – Travelling in convoy, accepting speed input from other vehicles in convoy The ADAS Controller unit in a vehicle may use real-time speed data from vehicles in front of it in convoy as one of the inputs in determining the vehicles speed (e.g. to prepare for emergency braking)..

9 9 Example Use Case Passenger(s) in car share journey with virtual passenger(s) that are not in car One or more passengers travelling in a vehicle want to communicate and ‘share their journey’ with family, friends, business associates etc. who are either in other vehicles, at other locations (e.g. home, office) or using mobile devices. Enabled by outputs from internal (and optionally external) camera and microphone feeds being passed and audio/visual feeds received to/from one or more authenticated and authorised: Vehicles Users Smart Homes Consumer Electronics

10 10 Context: Web / Internet of Things (IoT) Cars will be amongst the most expensive discrete ‘devices’ in the ‘Internet of Things’ Customer will have very high expectations. Experiences will need to flow and to ‘just work’ securely and seamlessly with other devices in: Smart Homes Smart Offices Smart City infrastructure Smart Home / Office will be composed of smaller IoT sub-systems Infotainment Centres Security Cameras / Alarms Smart White Goods / Appliances etc Mobile Devices Etc etc…

11 11 Access Control Authentication and Authorization Need to establish identity (authenticate) in order: Authorize access to data Authorize inputs and instructions So which entities will need to authenticate? People  anyone that participates in the IoT Vehicles Vehicle Modules / Electronic Control Units (ECUs) At least safety and security critical ones Organisations Manufacturers, Dealers, Finance Company, Gov. Agencies, Police, Trusted Infrastructure Smart Homes and Offices and their sub-systems Security Systems, Entertainment Systems, Appliances, Mobile Devices etc. etc.

12 12 Summary and Conclusions Standards based APIs are likely to emerge for other IoT domains Defining equivalents of the Automotive Working Group Vehicle API These are likely to face the similar security (trust, identity, authorization) challenges and issues IoT Security Challenges are varied and complex How to decide that the vehicle at front of convoy is a source that can be trusted How does my vehicle know it is not receiving input from a hacker or a hacker’s vehicle? Federations of Trust Will each car, smart houses etc. have its identity established using PKI? Will devices within a car / house prove their identity and obtain security tokens from local Trust Authority whose identity is validated by PKI? Will we need graduated/earned trust and hence trust histories (similar to a credit history)? Will higher level of trust be needed e.g. to lead high speed vehicle convoy W3C Web of Things (IoT) Vehicle API is an example of an IoT API Suggest Automotive WG considers collaborating with other W3C groups on ‘Security for IoT devices’:

13 13 Further Reading 24 Deadly Sins of Software Security, M. Howard, D. LeBlanc, J. Viega, McGraw Hill, 2010 Cryptography Engineering, N. Ferguson, B. Schneier, T. Kohno, Wiley, 2010 Hacking Exposed Mobile: Security Secrets and Solutions, N. Bergman et al, McGraw-Hill, 2013 Hacking Exposed 7: Network Security Secrets & Solutions, S. McClure et al, McGraw-Hill, 2012 High Assurance Design, C.J. Berg, Addison Wesley, 2006 Metasploit – The Penetration Tester’s Guide, D. Kennedy et al., No Starch Press, 2011 Secrets and Lies, Bruce Schneier, Wiley, 2002 Software Security: Building Security In, G. McGraw, Addison-Wesley, 2006 The Art of Deception, Kevin Mitnick, Wiley, 2002 The Art of Intrusion, Kevin Mitnick, Wiley, 2005 The Basics of Hacking and Penetration Testing, P. Engebretson, Syngress (Elsevier), 2013 The Car Hackers Manual 2014, Craig Smith, TheiaLabs Publication, 2014 The Hacker Playbook, P. Kim, Secure Planet LLC, 2014 The Web Application Hackers Handbook, D. Stuttard, M. Pinto, Wiley, 2011 Threat Modelling, Frank Swiderski, Window Synder, Microsoft Press, 2004 Threat Modelling – Designing for Security, Adam Shostack, Wiley, 2014 Understanding Cryptography, C. Paar, J. Pelzl, Springer-Verlag, 2010

14 14 References Ref.Source JLR_PW1Sensing for ADAS & Automated Driving – a vision of present and future needs, Paul Widdowson, JLR Research, https://connect.innovateuk.org/documents/2864009/22346187/JLRADAS_Auto_sense.pdf/d39c5195-64df- 4c65-907c-40f9705c8272 https://connect.innovateuk.org/documents/2864009/22346187/JLRADAS_Auto_sense.pdf/d39c5195-64df- 4c65-907c-40f9705c8272 WIFIhttps://www.iconfinder.com/icons/174752/wifi_icon#size=128 MS_IOT1http://www.microsoft.com/en-gb/server-cloud/internet-of-things.aspx#Fragment_Scenario1 BOSCH1https://www.bosch-si.com/contact-forms/wp-iot-platforms/contact-form.php?ref=ga-global-2014h2-iot- technology-whitepaper WIKI_TRFTrust Federations, Wikipedia, http://en.wikipedia.org/wiki/Trust_federation IBM_SM1Smarter Cities, http://www.ibm.com/smarterplanet/us/en/smarter_cities/overview/http://www.ibm.com/smarterplanet/us/en/smarter_cities/overview/ DTLS-based Security with two-way Authentication for IoT, https://tools.ietf.org/html/draft-schmitt-two-way- authentication-for-iot-00 Leveraging Public-Key-Based Authentication for the Internet of Things, Hossein Shafagh, http://www.inf.ethz.ch/personal/mshafagh/master_thesis_Hossein_Shafagh_PKC_in_the_IoT.pdf

Download ppt "1 W3C Automotive and Web Platform Working Group Overview of Security Challenges – Implementing Vehicle and Data APIs."

Similar presentations

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
LAPD TELEMATICS PRESENTATION. Why Consider Telematics? 1. Advanced Vehicle Technology 2. Advanced Wireless Communications 3. New Generation of Police.

LAPD TELEMATICS PRESENTATION. Why Consider Telematics? 1. Advanced Vehicle Technology 2. Advanced Wireless Communications 3. New Generation of Police.
Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce

Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce
Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.

August 1, 2006 XP Security. August 1, 2006 Comparing XP and Security Goals XP GOALS User stories No BDUF Refactoring Continuous integration Simplicity.
August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.

August 1, 2006 Software Security. August 1, 2006 Essential Facts Software Security != Security Features –Cryptography will not make you secure. –Application.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Smart Grid Cyber Security Framework

Smart Grid Cyber Security Framework
Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S09761197.

Network Access Management Trends in IT Applications for Management Prepared by: Ahmed Ibrahim S
IBM Digital Communities Solutions Wireless Clouds Connecting Our Communities Riz Khaliq Business Area Leader Community Broadband, IBM Global Government.

IBM Digital Communities Solutions Wireless Clouds Connecting Our Communities Riz Khaliq Business Area Leader Community Broadband, IBM Global Government.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
The Nordic Design House For intelligent products Rune Domsten – Vice President Technology.

The Nordic Design House For intelligent products Rune Domsten – Vice President Technology.
Michael Westra, CISSP June 2012 2012 BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then.

Michael Westra, CISSP June BSides Detroit Security Presentation: Vehicle Hacking “If you think technology can solve your security problems, then.
Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.

Terminal Services in Windows Server ® 2008 Infrastructure Planning and Design.
Securing Information Systems

Securing Information Systems
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam

Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015.

LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015.
TRIALOG 25 rue du Général Foy F-75008 - Paris - France Tel. +33 1 44 70 61 08 Fax +33 1 42 94 80 64 url:

TRIALOG 25 rue du Général Foy F Paris - France Tel Fax url:
Advanced Access Content System (AACS) Industry Briefing July 14, 2004.

Advanced Access Content System (AACS) Industry Briefing July 14, 2004.

Similar presentations

Ads by Google