This document discusses best practices for automotive cybersecurity. It identifies 15 main hackable attack surfaces in connected cars and recommends implementing a 4-layer security architecture with software, network, cloud and hardware security. It provides an overview of core security functions and discusses techniques for back-end security like access control and front-end security like strong encryption, certificate pinning and password requirements. Layered solutions from Bamboo Apps address vehicle encryption, protected data storage and detection/prevention of attacks.
2. Transforming Automotive Experience
Bamboo Apps wants to be part of the automotive revolution.
By working closely with OEMs and mobility companies, the
Bamboo Apps team is proud to be one of the few changing
the car now and forever.
design and software studio auto.bambooapps.eu
3. Main Hackable Attack Surface
Fifteen of the most hackable and exposed attack surfaces on
a next-generation car.
Smartphone Remote Link Type App
Airbag ECU
OBD II
USB
Bluetooth
DSRC-Based server (V2X)
Passive Keyless Entry
Vehicle Access System ECU
Steering and Braking ECU
Engine and Transmission ECU
Lighting System ECU
ADAS System ECU
TPMS
Remote Key
4. 4 Layers of Security Architecture
Software security
Network security
Cloud security
Gateway
Hardware security
5. Security Functions Overview
Core security functions to be implemented to deliver a high degree
of back-end and front-end security to connected car software.
Security logs
Communication protection
Control keys and access
User data protection
Identification, authentication, authorisation
6. Back-end Security Techniques
Secure REST API Communication
Secure REST services must only provide HTTPS endpoints.
“Use mutually authenticated client-side certificates
to provide additional protection for highly privileged
web services.”
7. Back-end Security Techniques
We opt for Virtual Private Networks (VPN) or a Transport Layer Security
model (TLS model).
TLS is mainly a defense against man-in-the-middle attacks. TLS
protocols are also effective in securing communications with external
entities including telematics service providers, consumer smart devices
and, in future, other vehicles and ITS infrastructure.
Architecture
8. Back-end Security Techniques
Establishing a certificate authority and managing certificates for
servers allows each entity within the infrastructure to validate the
members’ identity and encrypt their traffic.
Server certificate
9. Back-end Security Techniques
Server Protocol And Cipher Configuration Rules
Only Support Strong Protocols;
Prefer Ephemeral Key Exchanges;
Support TLS-PSK and TLS-SRP for Mutual Authentication;
Only Support Secure Renegotiations;
Disable Compression;
Update Crypto Libraries;
Only Support Strong Cryptographic Ciphers.
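The rules above applied to a server-side TLS context, together with a small audit that reports which rules a given context breaks. This is an added example, not Bamboo Apps code; the cipher string, the function names and the choice of Python's `ssl` module are assumptions, and the TLS-PSK/TLS-SRP rule is not covered.

```python
import ssl

# Assumed OpenSSL cipher string: ECDHE key exchange with AEAD ciphers only.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def build_server_context(certfile=None, keyfile=None):
    """Return a server-side SSLContext that follows the slide's rules."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Only support strong protocols: TLS 1.2 and newer.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Ephemeral key exchange and strong ciphers for TLS 1.2 suites
    # (TLS 1.3 suites are always ephemeral and AEAD).
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Disable TLS-level compression.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Stricter than "secure renegotiation only": refuse renegotiation
    # entirely where the linked OpenSSL exposes the option.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit(ctx):
    """List the rules from the slide that this context does not meet."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol: versions below TLS 1.2 are allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("compression: TLS compression is not disabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if name.startswith("TLS_"):  # TLS 1.3 suite, nothing to check
            continue
        if not name.startswith("ECDHE-"):
            findings.append(f"key exchange: {name} is not ephemeral ECDHE")
        elif "GCM" not in name and "CHACHA20" not in name:
            findings.append(f"cipher: {name} is not an AEAD suite")
    return findings


if __name__ == "__main__":
    print(audit(build_server_context()) or "no findings")
```

The "Update Crypto Libraries" rule is outside the context itself; `ssl.OPENSSL_VERSION` shows which library the process is linked against.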
10. Back-end Security Techniques
Access control is performed by REST services at each API endpoint.
Web services in monolithic applications implement this by means of
user authentication, authorisation logic and session management.
Access Control
11. Back-end Security Techniques
API Keys
“Based on our experience, public REST services
without access control run the risk of being farmed
leading to excessive bills for bandwidth or compute
cycles. API keys can be used to mitigate this risk.”
12. Back-end Security Techniques
Other Security Practices
File extension checking;
Session tokens and credentials are only delivered over HTTPS;
Check password quality;
Check successful and failed attempts;
Multi-factor authentication;
Client-side and server-side validation rules;
13. Back-end Security Techniques
Other Security Practices
Out-of-channel notification of account lockouts and
successful password changes;
Brute force protection;
Secure cookie session;
Restrict Injection: SQL, HTML, NoSQL etc;
Restrict Cross-Site Scripting
14. Front-end Security Techniques
We recommend using the following algorithms:
Confidentiality algorithms: AES-GCM-256 or ChaCha20-Poly1305;
Integrity algorithms: SHA-256, SHA-384, SHA-512, Blake2;
Digital signature algorithms: RSA (3072 bits and higher), ECDSA with
NIST P-384;
Key establishment algorithms: RSA (3072 bits and higher), ECDH with
NIST P-384.
Up-to-date Cryptographic Algorithms
15. Front-end Security Techniques
Strong Random Number Generators
“In order to ensure the quality of the generated
numbers, our team supports SecureRandom
implementation on Android side and
SecureRandomBytes implementation on iOS.”
16. Front-end Security Techniques
Requirements for password length:
Minimum password length (10 characters) should be enforced;
Maximum password length should not be set too low;
the typical maximum length is 128 characters.
Password Strength
17. Front-end Security Techniques
Rules for password complexity:
At least one uppercase character (A-Z);
At least one lowercase character;
At least one digit (0-9);
At least one special character.
Password Strength
18. Front-end Security Techniques
It is essential to rely on HTTP for communication with the
backend. HTTPS wraps HTTP in an encrypted
connection. TLS allows authentication of the backend
service and ensures confidentiality and integrity of the
network data.
Data Encryption on The Network
19. Front-end Security Techniques
Certificate Pinning
“Bamboo Apps uses certificate pinning to verify that
a certificate comes from a trusted source and to
check whether the endpoint server presents the right
certificate.”
20. Front-end Security Techniques
Protect sensitive data in the keyboard cache: auto correction, spell
checking
Protect sensitive data in backups: all backups are stored encrypted
Protect sensitive information on screenshots: a default screenshot
cached
Other Security Practices
21. Layer 1 Layer 2
Solutions
Vehicle Encryption
Protected Data Storage
Detection & Prevention of Attacks
Secure Connectivity
Security Review
Security Testing
Wireless Car
AT&T Drive
Remoto
Mojito
In-depth approach to automotive
security
22. About Bamboo Apps
Bamboo Apps is a Design & Software Studio with a proven background
in the automotive and mobility domains. We deliver the best user
experience possible guided by design-centric philosophy, product-first
thinking, and extensive tech expertise.
Address: 5th floor, Laeva 2, Tallinn, 10111, Estonia
Phone: + 372 69 803 35
Email: contact@bambooapps.eu