Last week I had the pleasure of attending the “escar” (Embedded Security in Cars) conference in Cologne, Germany.
Arriving late Tuesday, I had the chance to get a rich breakfast before joining the con in the hotel Dorint at Cologne’s famous square, the Heumarkt. Unfortunately I had to deal with two stumbling blocks on my way to the Dorint: the magnetic sensor of my mobile, which went crazy (no compass), and – the date. The 11th of November in Cologne means just one thing – carnival! The whole city was in a state of exception. Everybody on my way to the venue seemed to be drinking or already drunk – at 9am! 😉
Being a little late, I went straight to the room after registration. As there was only one track to follow, you could not miss any talk – nice thing!
We were welcomed by the hosts, and then the first talk started.
“Green Lights Forever: Analyzing the Security of Traffic Infrastructure” by Allen Hillaker
The con’s first talk was presented by Allen Hillaker. He was speaking about the security of mostly wireless traffic lights and their infrastructure in the US.
Allen presented the design of a typical traffic intersection, which is connected via a radio to the road agency. He also described what happens when a malfunction is triggered and the malfunction management unit sets the traffic lights to a well-known (safe) state.
The traffic lights usually operate at 900MHz or 5.8GHz using a protocol similar to 802.11 (Wifi) without strong security. They gained access to the networks by using the same model of radio that the systems at the intersections were using. The possible attacks named were denial of service, changing the traffic lights’ timings and control of individual lights. To mitigate this, he suggested using WPA, not broadcasting SSIDs, using firewalls, applying firmware updates and – of course – changing the default credentials.
“Building an Automotive Vulnerability Database – Survey and Tools” by Jürgen Dürrwang, University of Applied Sciences Karlsruhe
IMHO this was a very interesting talk. Some guys at the University of Applied Sciences in Karlsruhe are working on the database and tools mentioned above. The whole thing will be available online in a few months, I hope.
Reported vulnerabilities should be disclosed to the manufacturer and, if there is no reaction within 45 days, they plan to go public with the vulnerabilities via the database.
Not only would the database be of high interest to the public; the tools sounded great too.
They’ve developed an nmap-like port scanner for CAN and LIN buses, which will discover connected ECUs as well as their available services and functions. Another big thing would be the “Security Access Tool”, which will compute the key algorithm that is needed to access the ECUs for diagnostic reasons (e.g. brake system).
Unfortunately an employee of a big German car manufacturer said during the conference that his company doesn’t want to participate in the vulnerability database.
On the first day we had eight talks, followed by a social event where we went to the MMC Studios Cologne, which are Germany’s most modern TV and movie studios.
After a short bus trip we arrived at the studios and got separated into groups. Some started with the studio tour; my group had the pleasure of starting their movie career 😉 And so we went to Studio47, which was a real TV studio until last year, when the channel moved. The studio guys (yeah – and girls, to pay respect to the other gender) gave us a little introduction.
Let the show begin! Some of us were elected (or elected themselves) as talkmaster and his guests. One studio girl wanted beardy me as a guest – I declined, because I wanted to see the technique behind such a show, and joined the production room alongside a few others.
We had to choose two topics; finally we got “Self-driving cars in 2015” and “American Football – Love it or hate it”.
It was funny to be in a studio and do your own show 😉
Right after finishing the thing, we got the studio tour – really crazy how big some buildings were and what people were doing inside. They built some kind of forest with a house in one hall. There was also a whole street with buildings for some famous German TV shows.
When we had returned to the venue, there was also a dinner and time for some networking. Before calling it a day, a group of people I got to know during the day and I went to spend some time in the city. Although most of us were Germans, we were wondering about the endurance of Cologne’s party people – still partying after more than 16 hours!
“Cybersecurity for Cars – Technologies and Processes” by Albert Held, Daimler
On the conference’s second (and last) day there was a presentation by one of Germany’s leading car manufacturers, Daimler.
Albert Held spoke first about the connected car and its “ecosystem”, which consists of the car itself, the OEM’s backend, service providers, garages and – of course – the internet. Together these create different problems in security (and, as a consequence, often also in safety), which led to the next slides, enumerating four levels of how to secure the connected car:
Level 1: block attacks
This could be done before attacks reach the car, in the OEM backend, by firewalls, IDS/IPS, content monitoring / filtering / anti-virus or secure hosting.
And also in the car, by hardening the OS, integrity checks / secure boot, firewalls, IDS, virtualization, secure hardware / storage.
Level 2: eliminate vulnerabilities
During the development process: risk assessment, secure coding rules / best practices, evaluation (code reviews) or penetration tests.
Lifecycle management: risk re-assessment (including CERT, Auto ISAC, etc.), updates and sundown mechanisms
Level 3: authorization
Here Mr Held mentioned identity management / authentication (users, cars, etc.), access management (devices, network, data, etc.), signed software, secure communication, privacy enhancing technologies and copy protection mechanisms.
Level 4: minimize loss
Sorry, but I have a lack of notes here 😉
“Common Security Flaws in Connected Cars Systems” by Yaron Galula, Argus Cyber Security
Among others, we heard a talk about the common security flaws many manufacturers make during development. This talk was given by Yaron Galula from Argus.
At the beginning an overview of different attack scenarios was given: from firmware extraction, through initial penetration and propagation into the in-vehicle network, to injection of malicious messages.
One example given was the JTAG interface, which often gives access to the microcontroller units of embedded devices. JTAG could be hidden on the PCBs and only exposed as test points; it could also be locked so that it needs e.g. a password to connect. This password could sometimes be stored in the flash of the device or in firmware update files.
Galula also talked about vulnerabilities in boot loaders, open ports or services (exposed to the cellular network) and code injection in QNX.
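A release-pipeline check for the firmware-update case mentioned above, as an added example that is not from the talk or the original report: it assumes the manufacturer knows its own JTAG unlock secret and scans an update image for that secret in a few common encodings before the file ships. The secret, the image bytes and all function names are constructed for illustration.

```python
from typing import Dict, List, Tuple


def swap_words(secret: bytes, width: int = 4) -> bytes:
    """Reverse the byte order inside each `width`-byte word (endianness swap)."""
    if len(secret) % width:
        return b""  # not word-aligned, so this form does not apply
    return b"".join(secret[i:i + width][::-1] for i in range(0, len(secret), width))


def encodings(secret: bytes) -> Dict[str, bytes]:
    """Forms in which a build step may embed the same key; duplicates dropped."""
    candidates = [
        ("raw", secret),
        ("reversed", secret[::-1]),
        ("word-swapped", swap_words(secret)),
        ("hex-lower", secret.hex().encode()),
        ("hex-upper", secret.hex().upper().encode()),
    ]
    forms: Dict[str, bytes] = {}
    for name, form in candidates:
        if form and form not in forms.values():
            forms[name] = form
    return forms


def find_secret(image: bytes, secret: bytes) -> List[Tuple[str, int]]:
    """Return (encoding, offset) for every occurrence of the secret in the image."""
    hits = []
    for name, needle in encodings(secret).items():
        start = image.find(needle)
        while start != -1:
            hits.append((name, start))
            start = image.find(needle, start + 1)
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample data: an 8-byte unlock key and two fake update images.
SECRET = bytes.fromhex("a1b2c3d4e5f60718")
CLEAN_IMAGE = b"FWUP" + bytes(60) + b"version=1.0\n"
LEAKY_IMAGE = (b"FWUP" + bytes(28) + swap_words(SECRET) + bytes(16)
               + b"jtag_key=" + SECRET.hex().upper().encode() + b"\n")

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("leaky", LEAKY_IMAGE)):
        hits = find_secret(image, SECRET)
        print(label, "PASS" if not hits else f"FAIL {hits}")
```

A non-empty result should fail the release; the offsets point at the build artefact that embedded the key.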
Right down the line, there were many interesting talks at this year’s escar – especially on the first day. Some talks were not as interesting for me, as I’m not a developer, which some of the talks were aimed at.
I’ve also spoken to companies presenting some of their products at booths outside the conference room. It was nice to see that there is something happening in terms of security, but I also had the feeling that many of them are doing their own thing instead of working on common standards in security for future connected cars and embedded security.
Hope you enjoyed my somewhat more detailed report about the escar 😉