Understanding the security implications of IoT transformation, with real world examples including the Chrysler Jeep Hack

1. COUNTERING CYBERSECURITY RISK
in today’s IoT world
Brad Nicholas
Anajali Gurnani
Brett Heliker

2. THE RIGHT SECURITY FRAMEWORK
We cannot solve our problems with the same
thinking we used when we created them.
—Albert Einstein
Security controls
are shifting away
from the traditional
perimeter
Adoption of cloud
platforms and security
as a service will
continue
Where and how
data is stored is
key to evaluating
risks

3. ACCELERATING PROGRAM MATURITY
STARTS WITH A COMMON LANGUAGE
FOR THE PRODUCTS AND SERVICES A
COMPANY CAN BUY

4. ASSESS RISKS IN A STRUCTURED WAY
AND DEVELOP A ROADMAP
DEVICES
APPS
NETWORK
DATA
PEOPLE
IDENTIFY PROTECT DETECT RESPOND RECOVER
(NIST FRAMEWORK)
Pre-compromise
Post-compromise

5. A CULTURE OF SECURITY FACILITATES
RESPONSIBLE BUSINESS
German steel mill suffers
“massive damages” after
hackers accessed a
blast furnace that
workers could not
properly shut down
1
2
Recipient of targeted
email is tricked into
downloading malware
to their computer Attackers make their
way from corporate
network into production
networks to access
systems controlling
plant equipment
3

6. MAKE SECURITY A SHARED
RESPONSIBILITY
COMMUNICATE Spearhead security as a product.
Make it bold and important internally.
INNOVATE Be strategic about security
architecture and standardization.
ACCELERATE
Leverage agile practices to iterate and
improve controls implementation.
INTEGRATE Move security testing as close to the
developer as possible.

7. THE NEW
IOT VULNERABILITIES
a few examples

8. IOT ADDS THE “PHYSICAL WEB”
IoT is about the physical web of
everything around you
A whole slew of smart connected
products + services are coming
Multiple networks, all interacting
with you or on your behalf
MORE COMPLEXITY
NEW ATTACK SURFACES
COMPOUND EFFECTS

9. SMART PRODUCTS NEED BROADER,
NON-TRADITIONAL EXPERTISE
• Krebs & Cisco: IoT Reality: Smart Devices, Dumb Defaults
“Consider whether you can realistically care for and feed the security needs of yet another IoT thing that is:
-chewing holes in your network defenses;
-gnawing open new critical security weaknesses;
-bred by a vendor that seldom and belatedly patches;
-tough to wrangle down and patch”
• NW World: 500K WeMo users could be hacked; CERT issues advisory
“when CERT tried to contact Belkin, Belkin chose not to respond at all”
• IBM: Smart Building Security Risks
“Connected building systems fly under the Cybersecurity radar, creating a Shadow IoT”
http://www.networkworld.com/article/2226371/microsoft-subnet/500-000-belkin-wemo-users-could-be-hacked--cert-issues-advisory.html
http://krebsonsecurity.com/2016/02/iot-reality-smart-devices-dumb-defaults/
http://www.techrepublic.com/article/ibm-x-force-finds-multiple-iot-security-risks-in-smart-buildings/

10. WE HAVE A LONG WAY TO GO
• Hidden, hardcoded
credentials and passwords
• Credentials stored as static
text within files
• Insecure default
configurations
• Insufficient network
segmentation enabling
attacks from within
• Weak support and
nonexistent updates,
exacerbated by economics
• Some/all of the above
present in combination
IBM smart building infographic

11. THE CHRYSLER JEEP HACK
Lessons to be Learned
WITH MUCH THANKS TO:
Charlie Miller & Chris Valasek
White-hat Superheroes

12. thecavalry.org
“Modern [vehicles] are computers
on wheels and are increasingly
connected and controlled by
software.
Dependence on technology in
vehicles has grown faster than
effective means to secure it.”

13. MICRO-CONTROLLERS, EMBEDDED SOFTWARE AND
NETWORKING EVERYWHERE
Federally mandated “OBD” vehicle
diagnostics since 1996
Dozens of networked control
systems and millions of lines of code
“Black boxes” silently record vehicle
dynamics
“OnStar” telematics since 1996
Fleet management, and usage based
insurance are now widespread
Remote access adds MAJOR
security implications, mandating
disciplined design Graphic: Quora

14. CONNECTED VEHICLES
A MASSIVE OPPORTUNITY
An executive order from the White House in March 2015 called for
federal agencies with fleets of more than 20 vehicles to use
telematics systems whenever possible to improve vehicle efficiencies
E.O. section 3(g)(iii):
Collecting and utilizing as a fleet efficiency management tool, as soon
as practicable but not later than two years after the date of this order,
agency fleet operational data through deployment of vehicle
telematics at a vehicle asset level for all new passenger and light duty
vehicle acquisitions and for medium duty vehicles where appropriate
https://www.whitehouse.gov/sites/default/files/docs/eo_13693_implementing_instructions_june_10_2015.pdf

15. VULNERABILITIES *
* circa first half 2015

16. How hackable
is your car?
Most Hackable: Jeep Cherokee,
Escalade, Infiniti Q50, 2010 Prius
The Q50’s radio & adaptive controls
(adaptive cruise control and adaptive
steering) were directly connected to
engine and braking systems.
Older cars are least hackable.
Not a confidence inspiring trend..
http://illmatics.com/remote%20attack%20surfaces.pdf

17. RollJam
$32
Hacks keyless entry systems,
alarm systems and garage
door openers
Proven on Nissan, Cadillac, Ford,
Toyota, Lotus, Volkswagen,and
Chrysler vehicles; Cobra and
Viper alarm systems; and Genie
and Liftmaster garage door
openers.
http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/

18. OwnStar
Any On-Star equipped GM car
could be located, unlocked
and started via the phone app
uses SSL encryption,
Kamkar says it doesn’t
properly check the certificate
http://arstechnica.com/security/2015/07/ownstar-researcher-hijacks-remote-access-to-onstar/

19. Progressive
‘Snapshot’
“The firmware running on the
dongle is minimal and insecure.
It does no validation or signing of
firmware updates,no secure boot, no
cellular authentication,no secure
communicationsor encryption,no data
execution prevention or attack
mitigation technologies… basically it
uses no security technologies
whatsoever.”
http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/

20. TomTom
OBDII dongle
Used to reduced insurance
rates for customers.
Hacked by UCSD by
sending SMS messages to
control the CAN bus to
control brakes, steering,
etc. Confirmed in Corvette,
Prius, Escape.
http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/

21. DEALERS AND MECHANICS
• Infections of equipment used by
mechanics and dealerships to
update car software and run
vehicle diagnostics.
• An infected vehicle can spread
an infection to a dealership’s
testing equipment, which in turn
would spread the malware to
every vehicle the dealership
services.

22. THE INDUSTRY HAS TO DO BETTER.
WE CAN ALL HELP.

23. DON’T HIDE BEHIND THE DMCA
• Auto Alliance and General Motors actively make legal threats against anyone who
tinkers with the code in their own vehicles, and actively fight proposed auto
exemptions in the Digital Millennium Copyright Act.
• “The proposed exemption could introduce safety and security issues as well as
facilitate violation of various laws designed specifically to regulate the modern car,
including emissions, fuel economy, and vehicle safety regulations” - GM
http://copyright.gov/1201/2015/comments-032715/class%2021/General_Motors_Class21_1201_2014.pdf
• “a vehicle owner does not own a copy of the relevant computer programs in the
vehicle.” - GM
• John Deere argues that “bypassing of cars’ protection mechanisms could allow
drivers to listen to pirated music, audio books or films, adding that this might
encourage others to partake in the enjoyment of illegal material.”

24. IAMTHECAVALRY.ORG
5 STAR AUTOMOTIVESAFETYPROGRAM
1. Safety by Design via standards compliance and secure software
development lifecycle
2. Third Party Collaboration between the automotive industry and
security researchers
3. Evidence Capture: tamper evident, forensically-sound logging
and evidence capture
4. Security Updates in a prompt and agile manner (not a mailed
USB drive)
5. Segmentation and Isolation: internet-connected infotainment
systems shouldn’t be able to talk to brakes or transmission.
https://www.iamthecavalry.org/domains/automotive/5star/

25. A FEW ATTACK VECTORS
• Bluetooth, WiFi, keyless entry
• Cellular gateways (e.g., modems, Femtocells)
• OnStar or OnStar-like cellular radio
• Insecure OS configuration, update media, interprocess comms
• Static, clear text/hex strings in executable files
• Android app on the driver’s phone synched to the car’s network
• Malicious audio file burned onto a CD in the car’s stereo.
• Radio-readable tire pressure monitoring systems

26. BLAH BLAH BLAH
WHAT DOES IT ALL MEAN?

27. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

28. BUT IT WASN’T DESIGNED THAT WAY!
HOW DID THEY DO THAT?

29. A CASCADE OF VULNERABILITIES
• You can reach a cell network from the Internet
• You can port scan the car from the cell network!
• The car is listening to the cell network in an un-protected
manner
• The head unit (radio/nav) runs an OS that isn’t configured
properly
• The head unit’s application software is not secured properly
• The head unit is connected to both vehicle CAN networks
(infotainment and powertrain)
• Head unit nav upgrade software delivery includes flashing
tools and lots of commented script files
• The CAN interface firmware in the head unit isn’t code signed
http://illmatics.com/Remote%20Car%20Hacking.pdf

31. http://www.computerworld.com/article/2952186/mobile-security/chrysler-recalls-14m-vehicles-after-jeep-hack.html

32. SO HOW DID CHRYSLER HELP CUSTOMERS
FIX THEIR VEHICLES?
• Plug in a USB flash drive you receive in the mail,
then update the firmware in the head unit
or
• Go to a dealer and they’ll take care of it
• No remote software updates

33. DOES THAT SEEM RIGHT TO YOU?

34. ATTACK MITIGATION - BEST PRACTICES
• Hardware based cryptography that supports
attestation, authentication and encryption
services
• Secure boot and code signing
• Restricted processes
• Multi-stage communications
• Secure software updates