4. Mitsubishi EMI Incident (2003)
• Brakes disabled when given 1000-10000x legal levels of EMI radiation
• Car thinks brakes are locked, so it releases
• All within limits required by law
5. Slammer Worm (2003)
• Nuclear plant safety monitoring disabled for 5 hours
• “The business value of access to the data within the control center worth the risk of open connections between the control center and the corporate network”
• Unpatched MSSQL Server
6. Hello, my name is Bruce Schneier and I think routers are super duper easy to hack, mostly because you nerds never patch the software
https://www.schneier.com/essays/archives/2014/01/the_internet_of_thin.html
7. University of Washington Study (2010)
“We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems”
http://www.autosec.org/pubs/cars-oakland2010.pdf
8. Hey, check it out! I made my own encryption algorithm
9.
10. Embedded Needs “Rails”
• Software Updates
• Security & Identity
• Communication
• Media Streaming
• User Interfaces
* Davis-Besse nuclear power plant
Safety monitoring disabled for 5 hours
FirstEnergy – received unsecured monitoring information
Make car ignore driver input
Completely erase all evidence of tampering
Unidentified make and model from 2009
Open source
Lots of Partners
Share methods, algorithms, and testing
The irony: Maybe OSS projects are more successful because we’re asked to do them a favor
http://www.forbes.com/sites/sap/2011/11/16/do-me-a-favor-so-youll-like-me-the-reverse-psychology-of-likeability/
Cluster tree mesh network
Go over code https://github.com/tkellogg/alljoyn-examples/blob/master/secure/service/src/org/alljoyn/bus/samples/secureservice/
Shared Remote Password
Authenticates
A common (public) secret is combined with private secrets