IOT SECURITY ISSUES – APPLICATION TO THE AUTONOMOUS VEHICLE

Presentation by Cédric VAMOUR (Renault Software Labs) for Sophia Security Camp, 9 October 2018.

  1. IoT Cybersecurity Challenges In Connected Cars towards Autonomous Driving. Telecom Valley, Security Camp. October 9th 2018. Cédric VAMOUR, Cybersecurity Architect
  2. Remote Hacking of Connected Cars
  3. REMOTE HACKING OF THE JEEP CHEROKEE
  4. REMOTE HACKING OF THE JEEP CHEROKEE
  5. REMOTE HACKING OF THE JEEP CHEROKEE
  6. REMOTE HACKING OF THE JEEP CHEROKEE
  7. REMOTE HACKING OF THE JEEP CHEROKEE
  8. REMOTE HACKING OF THE JEEP CHEROKEE
  9. REMOTE HACKING OF THE JEEP CHEROKEE
  10. REMOTE HACKING OF THE JEEP CHEROKEE
  11. REMOTE HACKING OF THE JEEP CHEROKEE
  12. REMOTE HACKING OF THE JEEP CHEROKEE
      • Hackers Remotely Kill a Jeep on a Highway | WIRED (Video 5 min)
      • DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle (Video 46 min)
      • Remote Exploitation of an Unaltered Passenger Vehicle (pdf 90p)
      • Remote Car Hacking - Jeep Cherokee (Video 9 min)
  13. REMOTE HACKING OF THE JEEP CHEROKEE. Autopsy: What went wrong?

      | Attack Steps | Vulnerabilities | Responsibility |
      |---|---|---|
      | Get Remote Access | No IP Filtering inside Sprint Network. Any IP can access any IP inside NW | Sprint: Cellular Operator |
      | Get Service | Internal IPC D-BUS Services bound to port 6667 | Harman: U-Connect Integrator |
      | Get Privilege | Execute Shell with root Access | Harman: U-Connect Integrator |
      | Get CAN Vehicle Access | Flashing interface through D-BUS with unsigned Firmware | Harman: U-Connect Integrator |
      | Get Safety Access | No Secure Gateway | Jeep: Car Maker |

      No significant « Crafted Exploit » was required.
  14. Connected, Autonomous Driving Cars are IoT Devices
  15. Frameworks for RISK ANALYSIS: MIL-STD-882E (DoD), STRIDE (Microsoft), Renault. Methodology: Evaluate the risk level for each attack scenario. The risk is the combination of the impact with the likelihood.
  16. Evolution of the IMPACT LEVEL in Automotive
      • Before: Car theft; Brand image
      • Presently: X by wire (Braking or Steering); Park assist; Remote Start; ADAS; Personal Data
      • In the near Future: Autonomous Driving; Car sharing; Robot Taxi
  17. Evolution of the LIKELIHOOD LEVEL
      • Before: Physical Attack; Remote Unlock
      • Presently: Connected Car; Cellular Network, WIFI, BT, Electric charger …; FOTA, Remote Diagnostics
      • Near future: Application Stores, Google Android Services, Alibaba…; V2X, Internet Access; Ethernet; ADAS/AD
      See: Remote Car Hacking - Jeep Cherokee
  18. Minimize Risks: A Multi-Layer Vehicle Security Framework. In all systems, there are always vulnerabilities and exploits. With multiple layers mitigating damage, the system is still protected even if one (or several) layers fail.
  19. Minimize Risks: A Multi-Layer Vehicle Security Framework
      ▪ Security must be an integral part of the system design (not an afterthought).
      ▪ Security must follow a multi-layer approach that goes beyond prevention alone: Prevent, Detect, Reduce, and Fix.
      ▪ With enough motivation and resources, attackers will find a way to circumvent intrusion prevention. We therefore need to detect attacks (runtime integrity protection, IDS), reduce impact (process isolation, firewall), and fix vulnerabilities (secure OTA updates), rather than rely on a single countermeasure.
      Diagram labels: IoT Car; Provable Security (Authentication); Physical protection; Hardened software; Secure Boot; Runtime integrity protection; Intrusion Detection System; Inter-process isolation; Firewall; OTA updates
  20. Questions?
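
Slide 13 traces the first attack steps to an internal IPC D-BUS service bound to port 6667 and reachable from the network. The following Python audit is an added example, not part of the presentation: it flags TCP listeners that are not bound to loopback, with IPC-only daemons rated critical. The `ss -H -tlnp` style sample is constructed, the process names other than `dbus-daemon` are hypothetical, and the `IPC_ONLY` set is an assumption to adapt per platform.

```python
import ipaddress
import re

# Constructed sample in the style of `ss -H -tlnp` output (not from a real head unit).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:6667 0.0.0.0:* users:(("dbus-daemon",pid=412,fd=9))
LISTEN 0 128 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=300,fd=5))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=500,fd=7))
LISTEN 0 128 192.168.5.1:8080 0.0.0.0:* users:(("httpd",pid=610,fd=4))
LISTEN 0 128 *:2021 *:* users:(("diagd",pid=700,fd=3))
"""

# Assumption: daemons that exist only for on-box IPC and must never listen off-box.
IPC_ONLY = {"dbus-daemon"}

PROC_RE = re.compile(r'\(\("([^"]+)"')


def split_addr(local):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards count as exposed."""
    if host == "*":
        return False
    return ipaddress.ip_address(host.split("%")[0]).is_loopback


def audit_listeners(ss_output, ipc_only=IPC_ONLY):
    """Return sorted (severity, process, host, port) for non-loopback listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        if is_loopback(host):
            continue
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "unknown"
        severity = "critical" if proc in ipc_only else "review"
        findings.append((severity, proc, host, port))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(*finding)
```

On a target image the same function can be fed the real output of `ss -H -tlnp`; an empty result for the IPC-only set is the pass condition.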
