Hardware.io, BruCON, and Virus Bulletin 2015

If you’re in Europe in late September and early October, there are a handful of conferences for you to check out. Hardwear.io is a first year conference focusing on hardware hacking. The venerable BruCON is back for it’s 0x07th year running. and the Virus Bulletin Conference celebrates its 25th year! This makes for a pretty amazing 10 day tour package. If you couldn’t slip away for the Vegas conferences this year, see if you can make it out for these.

Hardwear.io (September 29-October 2 | The Hague)

Hardware.io has a pretty impressive looking lineup for a first year conference in a specialty area. This one is focused on hardware, with trainings September 29-30, and briefings October 1-2. Here’s a sample of the goodness.

Jon Callas (Silent Circle & Blackphone) will be keynoting, as will Harald Welte (Sysmocom and other Open Source projects). Jon’s talk looks interesting – Everything is broken and always will be, we MUST be able to fix it remotely.

I’ll be moderating a C-level panel discussion with Jaya Baloo (CISO of the Dutch Telecom company KPN), Jasper Woudenberg (CTO Riscure from North America), and Christopher King (CERT/CC).

Other notable talks and trainings:

  • Security of Medical Devices | Florian Gunrow
  • Semantics-aware Intrusion Detection for ICS | Ömer Yüksel
  • Off-the-shelf embedded devices as research platforms | Lucian Cojocar & Herbert Bos
  • Low Level Hardware Reversing | Javier Vazquez Vidal & Henrik Ferdinand Nölscher
  • Integrated Circuit Security 101 | Olivier Thomas & Dmitry Nedospasov

BruCON (October 5-9 | Ghent)

BruCON is one of the premiere security community conferences globally. It’s now back for it’s 7th year and promises to be pretty awesome! They’ll run trainings from October 5-7 and briefings October 8-9. I Am The Cavalry will run a workshop (stay tuned for details). Other noteworthy trainings, talks, and workshops:

  • Offensive IoT Exploitation | Aditya Gupta and Aseem Jakhar
  • Assessing and Exploiting Control Systems | Don C. Weber
  • Brain Waves Surfing – (In)Security in EEG (Electroencephalography) Technologies | Alejandro Hernandez
  • Hacking as Practice for Transplanetary Life in the 21st Century: How Hackers Frame the Pictures in Which Others Live | Richard Thieme
  • A Hands On Introduction To Software Defined Radio | Didier Stevens

The ICS village will be a new addition this year, so if you missed it at DEF CON, come see if you can learn how those control systems work – and how to break them.

This is unrelated to I Am The Cavalry, but really cool is a DJ Workshop by Ocean Lam, Count Ninjula and Keith Myers!

Virus Bulletin Conference (September 29-October 2 | Prague)

Claus Cramon Houmann will be addressing the 25th annual Virus Bulletin Conference (VB2015) in Prague, Czech Republic. His will be a collaborative session, first introducing I Am The Cavalry and then brainstorming how to make an impact in Europe. If you’re going to be there, or nearby, come by and join the conversation!

Hope to see you at one or more of the events!

Assessment of BMW Door Lock Security Updates

There has been positive news in automotive cyber safety lately. BMW announced that they have fixed a flaw in over 2.2 million of their cars, silently and remotely. The flaw allowed someone other than the driver to remotely unlock the car, through the ConnectedDrive system. BMW pushed out an update over the mobile data network to the affected vehicles, and detailed further security measures they have taken to protect against accidents and adversaries.

The German Automobile Association (ADAC) investigated the cyber security of several BMW models and discovered six security flaws in the design and implementation of the ConnectedDrive software. They disclosed their research to BMW, who collaborated with ADAC researchers to understand and develop a fix for two of the most critical flaws. BMW remotely updated its customers’ vehicles, adding HTTPS encryption and server authentication checks. BMW then announced the details of what they found, how they fixed it, and what other measures they have already taken to protect the safety of drivers, passengers, other vehicles, pedestrians, etc.

This is a big, positive step forward for cyber safety in automobiles. First, it shows that remote attacks against vehicles are still real threats, as demonstrated in 2010 and 2011 by security researchers. Second, this establishes the benefits of working with third-party technical experts, as well as the willingness of automobile manufacturers to engage security researchers acting in good faith. Third, it demonstrates the clear benefits of secure, remote update capabilities to shorten exposure time, reduce costs, and preserve customer confidence. Fourth, BMW gained credibility with customers and regulators by discussing the steps they have taken. Consequentially, taking cyber security seriously has given BMW a PR boost.

Despite these positive steps, some concerns remain. The problems ADAC researchers discovered – and that BMW subsequently fixed – have been solved for decades. It is concerning that the ConnectedDrive team either did not know about these potential issues or did not apply the fixes at that time. Newer vehicles were found to have better safeguards around ConnectedDrive, but the two improvements pushed out by BMW recently were not among these. The presence of these flaws to begin with, and the continued use of flawed software designs, also raises a question about the thoroughness and adequacy of internal processes and decision-making. Further, BMW did not say how critical car systems (such as braking, steering, and acceleration) are safeguarded from a compromise of the ConnectedDrive or other systems. Perhaps ADAC or other security researchers could investigate those potential issues in a similar way.

The following table is an overview of this story through the lens of I Am The Cavalry’s Five-Star Automotive Cyber Safety Framework, released six months ago. Note that information collected was not complete, so this rating likely does not represent BMW’s full set of cyber safety capabilities.

Framework Capability BMW Capability Demonstrated
Safety by Design No public attestation of Secure Development Lifecycle.
No evidence of a sufficiently robust development process.
-
Third-Party Collaboration Clearly demonstrated their willingness to collaborate with third-party researchers acting in good faith.
Evidence Capture No further information about these vehicles’ ability to capture logs of system or network activity that could potentially expose further security gaps. -
Security Updates Clearly demonstrated their ability to update the ConnectedDrive system in a prompt and agile manner.
Segmentation and Isolation No information provided on the physical or logical isolation measures separating critical systems (braking, steering, etc) from non-critical ones (door locks). -

In summary, BMW demonstrated capabilities aligned to two of the five stars in I Am The Cavalry’s framework. These capabilities allow BMW to draw upon expertise and experience from those in the cyber security field, and facilitate continual improvement more quickly and inexpensively than other approaches. Issues still remain, but we are far ahead of where we were just a few years ago.

References

  • http://www.autoblog.com/2015/02/03/bmws-connected-drive-feature-vulnerable-to-hackers/
  • http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html
  • http://www.adac.de/infotestrat/technik-und-zubehoer/fahrerassistenzsysteme/sicherheitsluecken.aspx​(​German)
  • http://www.bmw.com/com/en/insights/technology/connecteddrive/2013/
  • http://grahamcluley.com/2015/02/bmw-security-patch/
  • http://www.autosec.org/publications.html
  • https://www.iamthecavalry.org/domains/automotive/5star/
  • https://www.press.bmwgroup.com/global/pressDetail.html?title=bmw-group-connecteddrive-increases-data-security-rapid-response-to-reports-from-the-german-automobile&id=T0202503EN
  • http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf

Download a PDF copy of this article, Assessment of BMW Door Lock Security Updates.

Car Hacking Research on OBD II Adapters

A lively thread started today by Wayne Yan on our discussion group. He posted the results of his team’s research into the security of OBD II adapters. You can go to the thread and engage in the discussion, as well as grab the research paper. More videos and information are available from Visual Threat.

The OBD II port is a diagnostic connection to the computer on your car’s engine. Mechanics use this to determine what has been going wrong with the car. When going for your emission’s check, this is the port that gives engine information. Rental car agencies and insurance companies use this to log driving habits.

Several adapters are now coming to market which will enable this diagnostic information transfer to happen over Bluetooth, rather than through a wired connection. That’s a nice feature for long-term use cases, such as logging driving behavior. Except that some of these adapters allow instructions to be transmitted to the car from a remote device. In other words, if you’re driving a rental car with one of these devices, someone else could kill the engine, unlock the doors, open the trunk, etc. It’s only a limited set of instructions, but that should still be enough to make people take notice.

The video below demonstrates some of the research.

 

“I AM THE CAVALRY” CALLS FOR COLLABORATION WITH AUTOMOTIVE INDUSTRY TO IMPROVE PUBLIC SAFETY

“I AM THE CAVALRY” CALLS FOR COLLABORATION WITH AUTOMOTIVE INDUSTRY TO IMPROVE PUBLIC SAFETY

Security Research Movement Issues Letter Outlining Five Star Automotive Cyber Safety Program

DEF CON 22, Las Vegas, NV – August 8th – I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns, today issued a letter to leaders in the automotive industry, calling for the adoption of five key capabilities that create a baseline for safety relating to the computer systems in cars.

The letter, addressed to CEOs in the automotive industry, calls for safety to be built into the adoption and design of computer systems in vehicles.  Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, much of which is still being investigated and understood.  I Am The Cavalry wants to help address this and protect people by collaborating with leaders in the automotive industry.  To start this process, they have identified five key capabilities that represent a foundation for building better cyber safety in cars:

  • Safety by Design – developing automotive computer systems with security in mind.
  • Third-Party Collaboration – publishing a clear vulnerability disclosure response policy that works with security researchers.
  • Evidence Capture – logging information that may assist with an investigation should one be necessary.
  • Security Updates – providing a mechanism for consumers to receive updates to computer systems quickly and easily as issues are found and fixed.
  • Segmentation and Isolation – ensuring that issues in non-critical systems do not impact the performance of critical systems.

“Modern cars are computers on wheels and are increasingly connected and controlled by software. Unlike your home computer, the consequences of compromise are far more severe,” said Joshua Corman, co-founder of I Am The Cavalry. “Dependence on technology in vehicles has grown faster than effective means to secure it. We’re just at the start of understanding the implications for public safety. The combined expertise of the automotive industry and the cyber security research community can rise to meet the challenge. This framework can be the foundation of that collaboration.”

“I think the proposed framework clearly states important principles and intent in a plain, sensible and workable way.” said Tony Sager, Chief Technologist for The Council on Cyber Security. “It puts information sharing between vendors and researchers into a constructive framework and establishes a shared goal of continuous safety improvement. “

The letter has also been published as a petition with a request for members of the public to show their support for car safety: https://www.change.org/petitions/automotive-industry-we-request-that-you-unite-with-us-in-a-joint-commitment-to-safety-between-the-automotive-and-cyber-security-industries

In addition, I Am The Cavalry co-founders Joshua Corman and Nicholas J. Percoco will be discussing the letter during the security research convention, DEF CON:

  • Press conference: 4:00pm, Friday, August 8th in the press room
  • Presentation: “The Cavalry Year[0] & a Path Forward for Public Safety” – 10:00am, Saturday, August 9th, Penn & Teller room

The letter is included in full below:

An Open Letter to the Automotive Industry: Collaborating for Safety 

Dear Automotive CEOs,

We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries.

A hallmark of the automotive industry is extraordinary innovation in the face of market needs. 50 years ago, basic automotive safety features were an afterthought. Since then, the auto industry has steadily driven advances in safety features, safety engineering, and supply chain management in ways that software and cyber security disciplines must emulate.

Now the automotive industry faces a new challenge. Modern vehicles are computers on wheels and are increasingly connected and controlled by software and embedded devices. These new technologies enable innovations designed to increase vehicle safety and bring other positive features. Vehicle-to-vehicle communication, driverless cars, automated traffic flow, and remote control functions are just a few of the evolutions under active development.

New technology introduces new classes of accidents and adversaries that must be anticipated and addressed proactively. Malicious attackers, software flaws, and privacy concerns are the potential unintended consequences of computer technologies driving this latest round of innovation. The once distinct worlds of automobiles and cyber security have collided. In kind, now is the time for the automotive industry and the security community to connect and collaborate toward our common goals.

When the technology we depend on affects public safety and human life, it commands our utmost attention and diligence. Our cars command this level of care. Each and every day, we entrust our lives and the lives of those we love to our automobiles.

The goal of our outreach effort here is to catalyze greater teamwork between security researchers and the automotive industry. Our combined expertise is required to ensure that the safety issues introduced by computer technologies are treated with the same diligence as other classes of automotive safety issues.

Will you join us in this endeavor?

We propose five critical capabilities to lay a foundation for safety, both for collaboration and for increasing consumer confidence. This content was developed jointly with leading cyber security researchers and others working in and around the automotive industry. We crafted these capabilities to be objectively defined, lasting, and to allow for adaptation and innovation within each function.

We urge the automotive industry to adopt, develop, enhance, and attest to these capabilities. Just as they consider other safety features, concerned consumers will be better enabled to make purchasing decisions based on your attestations against these five areas. We will help you navigate this road to build greater protections for your customers and set a new standard for safety.

Five Star Automotive Cyber Safety Program

Further details and explanations can be found at https://www.iamthecavalry.org/auto/5star

1. Safety by Design

VALUE: We take public safety seriously in our design, development, and testing.

PROOF: As such, we have published an attestation of our secure software development lifecycle, summarizing our design, development, and adversarial resilience testing programs for our products and our supply chain.

2. Third-Party Collaboration

VALUE: We recognize that our programs will not find all flaws.

PROOF: As such, we have a published coordinated disclosure policy inviting the assistance of third-party researchers acting in good faith.

3. Evidence Capture

VALUE: We want to learn from failures and enable continuous improvement.

PROOF: As such, our systems provide tamper evident, forensically sound logging and evidence capture to facilitate safety investigations.

4. Security Updates

VALUE: We recognize the need to address newly discovered safety issues.

PROOF: As such, our systems can be securely updated in a prompt and agile manner.

5. Segmentation & Isolation

VALUE: We believe a compromise of non-critical systems (like entertainment) should never adversely affect critical/physical systems (like braking).

PROOF: As such, we have published an attestation of the physical/logical isolation and layered defense measures we have implemented.

We are eager to start working with you within the next 90 days and to begin promoting your current and future capabilities to the public. These attestations establish a foundation and serve to catalyze an ongoing collaboration to better prepare us for the next 50 years and beyond. Given our research and experience to date, we are encouraged to see some early investments toward these capabilities. While capabilities like evidence logging will take time to bring to market, valuable policy and capability attestations can begin now. On this journey, the challenges will be many and they will be significant, but together and through collaboration we can rise to meet them. Let’s start now.

Respectfully,

“I am The Cavalry”, members of the security research community, & concerned citizens

Signatures and instructions for signing can be found at https://www.iamthecavalry.org/auto/5star

Signatures are solely the opinion of the individual.

I am The Cavalry – https://www.iamthecavalry.org – @iamthecavalry – autosafety@iamthecavalry.org

To ensure technologies with the potential to impact public safety and human life are worthy of our trust.

***

About I Am The Cavalry

The I Am The Cavalry movement was formed in response to concerns over the impact of cybersecurity threats on public safety.  Its efforts are focused on cybersecurity issues relating to four main of public safety: medical, automotive, home electronics, and public infrastructure. For more information, please visit: https://www.iamthecavalry.org/

For more information, please contact press@iamthecavalry.org

Monthly Update: April

We had a full track of Cavalry-esque presentations at SOURCE Boston, and all of the keynotes ended up having some overlap. Our workshops at THOTCON and BSides Chicago were great! Thanks to all those who presented and those who participated. Craig Smith of Open Garages did a great introduction to Car Hacking and a hands on demo. Scott Erven presented on research he’s done on medical device security issues and gave an introduction to the issues in the field.