Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mobile App Crashworthiness
Securing Vehicle...
Andrew Hoog
CEO | NowSecure
Twitter - @ahoog42
E-mail - ahoog@nowsecure.com
• Computer scientist, mobile security &
forens...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Contents
• Automakers are software companie...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Automakers = Software Companies
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
>100 million lines of code make up the mode...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Automakers are making progress in security,...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
The V2D & mobile app
security problem
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Wide-angle overview of connected car entry ...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mobile platforms are vulnerable
http://www....
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
And OS security updates are a problem
iOSAn...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
And mobile apps are vulnerable
21% of Andro...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Example: Potential vulnerability in automak...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
The roots of the mobile security problem
De...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Making software secure
prior to launch
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Developing with security in mind saves you ...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mobile app security testsNHTSA crash tests
...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Shift security testing
to the left
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Crucial aspects of building security into t...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Document app security policies
● Establish ...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Perform automated security assessments cont...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Also consider third-party apps that hook in...
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Contact
information:
Jeff Nolan // VP Marke...
Upcoming SlideShare
Loading in …5
×

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and Communications

356 views

Published on

+ How do vulnerable mobile apps and insecure V2D communications put drivers and manufacturers at risk?
+ Applying crashworthiness and safety ratings concepts to mobile app and connected car cybersecurity
+ How to manage mobile app security defects and vulnerabilities in the connected car and mobile app development process

Published in: Automotive
  • Be the first to comment

  • Be the first to like this

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and Communications

  1. 1. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile App Crashworthiness Securing Vehicle-to-Device (V2D) Interfaces and Communications
  2. 2. Andrew Hoog CEO | NowSecure Twitter - @ahoog42 E-mail - ahoog@nowsecure.com • Computer scientist, mobile security & forensics researcher • Author, expert witness & patent-holder • Regularly briefs senior government officials & top banking institutions on mobile security
  3. 3. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Contents • Automakers are software companies • The vehicle-to-device & mobile app security problem • How to deliver more secure mobile apps • Questions
  4. 4. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Automakers = Software Companies
  5. 5. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. >100 million lines of code make up the modern automobile http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
  6. 6. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Automakers are making progress in security, but there’s more to be done Some key findings: ● Automakers believe they’re less knowledgeable than other industries about secure software development ● Impediments to secure software development include pressure to meet release dates and lack of skills, training, policies ● Legacy technology makes it harder to make vehicles more secure https://www.slideshare.net/SecurityInnovation/car-cybersecurity-the-gap-still-exists Survey of developers, programmers, engineers, and executives from automakers and their electronics suppliers conducted in August 2016
  7. 7. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. The V2D & mobile app security problem
  8. 8. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Wide-angle overview of connected car entry points Wired ● OBD-II Port ● Network harness connectors ● Diagnostic Port ● On-board vehicle networks (e.g., CAN, FlexRay, Ethernet, MOST) ● CD/DVD player ● Vehicle Charging Port Wireless ● Short range ○ Radio Frequency (e.g., TPMS, KES) ○ Near-field communications ○ Wi-Fi ○ Bluetooth ○ Dedicated short range communications ● Long range ○ GPS receiver ○ GSM / CDMA ○ LTE !! McCarthy, C., Harnett, K., & Carter, A. (2014, October). Characterization of potential security threats in modern automobiles: A composite modeling approach. (Report No. DOT HS 812 074). Washington, DC: National Highway Traffic Safety Administration.
  9. 9. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
  10. 10. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile platforms are vulnerable http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224 523Disclosed vulnerabilities (CVEs) in Google Android in 2016 161Disclosed vulnerabilities (CVEs) in Apple iOS in 2016 http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49 691 CVEs over lifetime (2009-2016) 984 CVEs over lifetime (2007-2016)
  11. 11. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. And OS security updates are a problem iOSAndroid 31.3% 32.5% 20.8% 10.6% 2.8% 1.0% 1.0% a/o March 6, 2017 https://developer.android.com/about/dashboards/index.html a/o February 20, 2017 https://developer.apple.com/support/app-store/
  12. 12. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. And mobile apps are vulnerable 21% of Android apps had ≥1 high-risk security finding 2.36high-risk findings per app with ≥1 high-risk finding: 19%of iOS apps had ≥1 high-risk security finding 4.22high-risk findings per app with ≥1 high-risk finding:
  13. 13. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Example: Potential vulnerability in automaker apps ● Performed dynamic/static analysis of 10 popular automotive apps for Android ○ Apps published on Google Play by automakers ○ Remote start, media center, and other typical connected-car functionality ● Three apps included a vulnerable version of a third party library ○ OkHttp – an open-source library for sending and receiving HTTP requests ○ Vulnerable versions are those prior to 2.7.2 and 3.x prior to 3.1.2 ● The problem ○ A man-in-the-middle attack can bypass certificate pinning via CVE-2016-2402 ○ https://koz.io/pinning-cve-2016-2402/ ● Next step = confirming whether the app relies on that version for certificate pinning
  14. 14. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. The roots of the mobile security problem Developers aren’t trained in developing secure mobile apps Mobile app security is assumed (if it’s considered at all) Time and budget are not committed to mobile app security Tools that identify mobile security flaws aren’t kept up-to-date
  15. 15. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Making software secure prior to launch
  16. 16. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Developing with security in mind saves you money & time Requirements/ Architecture Coding Integration/ Component Testing System/ Acceptance Testing Production/ Post-Release Fixing software defects is 30xmore expensive post-deployment
  17. 17. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile app security testsNHTSA crash tests ● Side barrier crash test ● Side pole crash test ● Frontal crash test ● Rollover resistance test ● Forensics / data-storage tests ● Network / communications tests ● Back-end services tests ● Reverse-engineering tests
  18. 18. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Shift security testing to the left
  19. 19. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Crucial aspects of building security into the SDLC Document app security policies Code using secure development best practices Perform automated security assessments on each build Perform penetration testing on each release candidate Deploy more secure apps to production
  20. 20. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Document app security policies ● Establish cross-departmental buy-in ● Agree to adhere to a set of app security standards (and issues that block release) ● Explain how apps will be audited against those policies Code using secure development best practices ● Provide documentation of secure development best practices to developers ● Educate developers on secure coding practices and how flaws put the business at risk ● Provide feedback to developers when they need it (i.e., when their “heads are in the code”)
  21. 21. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Perform automated security assessments continually ● Work with your DevOps team to integrate it into developers’ existing workflow ● Plug into build servers and the continuous integration/continuous delivery (CI/CD) toolchain ● Populate issue trackers with security findings Perform penetration testing on release candidates ● Test an application from the perspective of an attacker ● Give a human free reign to apply their creativity and ingenuity in trying to compromise an app ● Create a checklist and use tools that support consistent reporting
  22. 22. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Also consider third-party apps that hook into connected cars
  23. 23. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Contact information: Jeff Nolan // VP Marketing (650) 549-4062 jnolan@nowsecure.com Let’s Talk NowSecure +1 312.878.1100 @NowSecureMobile www.nowsecure.com Subscribe to #MobSec5 - a collection of the week’s mobile news that matters - https://www.nowsecure.com/go/subscribe

×