Dennis K. Nilsson

Secure Firmware Updates over the Air in Intelligent Vehicles

Modern intelligent vehicles have electronic control units containing firmware that enables various functions in the vehicle. New firmware versions are constantly developed to remove bugs and improve functionality. Automobile manufacturers have traditionally performed firmware updates over cables but in the near future they are aiming at conducting firmware updates over the air, which would allow faster updates and improved safety for the driver. In this paper, we present a protocol for secure firmware updates over the air. The protocol provides data integrity, data authentication, data confidentiality, and freshness. In our protocol, a hash chain is created of the firmware, and the first packet is signed by a trusted source, thus authenticating the whole chain. Moreover, the packets are encrypted using symmetric keys. We discuss the practical considerations that exist for implementing our protocol and show that the protocol is computationally efficient, has low memory overhead, and is suitable for wireless communication. Therefore, it is well suited to the limited hardware resources in the wireless vehicle environment.

An approach to specification-based attack detection for in-vehicle networks

An upcoming trend for automotive manufacturers is to create seamless interaction between a vehicle and fleet management to provide remote diagnostics and firmware updates over the air. To allow this, the previously isolated in-vehicle network must be connected to an external network, and can thus be exposed to a whole new range of threats known as cyber attacks. In this paper we explore the applicability of a specification-based approach to detect cyber attacks within the in-vehicle network. We derive information to create security specifications for communication and ECU behavior from the CANopen draft standard 3.01 communication protocol and object directory sections. We also provide a set of example specifications, propose a suitable location for the attack detector, and evaluate the detection using a set of attack actions.

Efficient In-Vehicle Delayed Data Authentication Based on Compound Message Authentication Codes

Modern vehicles contain an in-vehicle network consisting of a number of electronic control units (ECUs). These ECUs are responsible for most of the functionality in the vehicle, including vehicle control and maneuverability. To date, no security features exist in this network since it has been isolated. However, an upcoming trend among automobile manufacturers is to establish a wireless connection to the vehicle to provide remote diagnostics and software updates. As a consequence, the in-vehicle network is exposed to external communication, and a potential entry point for attackers is introduced. Messages sent on the in-vehicle network lack integrity protection and data authentication; thus, the network is vulnerable to injection and modification attacks. Due to the real-time constraints and the limited resources in the ECUs, achieving data authentication is a challenge. In this paper, we propose an efficient delayed data authentication using compound message authentication codes. A message authentication code is calculated on a compound of successive messages and sent together with the subsequent messages, resulting in a delayed authentication. This data authentication could be used to detect and possibly recover from injection and modification attacks in the in-vehicle network.

Key management and secure software updates in wireless process control environments

Process control systems using wireless sensor nodes are large and complex environments built to last for a long time. Cryptographic keys are typically preloaded in the wireless nodes prior to deployment and used for the rest of their lifetime. To reduce the risk of successful cryptanalysis, new keys must be established (rekeying). We have designed a rekeying scheme that provides both backward and forward secrecy. Furthermore, since these nodes are used for extensive periods of time, there is a need to update the software on the nodes. Different types of sensors run different types and versions of software. We therefore establish group keys to update the software on groups of nodes. The software binary is split into fragments to construct a hash chain that is then signed by the network manager. The nodes can thus verify the authenticity and the integrity of the new software binary. We extend this protocol by encrypting the packets with the group key such that only the intended receivers can access the new software binary.

Securing vehicles against cyber attacks

The automobile industry has grown to become an integral part of our everyday life. As vehicles evolve, the primarily mechanical solutions for vehicle control are gradually replaced by electronics and software solutions forming in-vehicle computer networks. An emerging trend is to introduce wireless technology in the vehicle domain by attaching a wireless gateway to the in-vehicle network. By allowing wireless communication, real-time information exchange between vehicles and between infrastructure and vehicles become reality. This communication allows for road condition reporting, decision making, and remote diagnostics and firmware updates over-the-air. However, allowing external parties wireless access to the in-vehicle network creates a potential entry-point for cyber attacks. In this paper, we investigate the security issues of allowing external wireless communication. We use a defense-in-depth perspective and discuss security challenges for each of the prevention, detection, deflection, countermeasures, and recovery layers.

A First Simulation of Attacks in the Automotive Network Communications Protocol FlexRay

The automotive industry has over the last decade gradually replaced mechanical parts with electronics and software solutions. Modern vehicles contain a number of electronic control units (ECUs), which are connected in an in-vehicle network and provide various vehicle functionalities. The next generation automotive network communications protocol FlexRay has been developed to meet the future demands of automotive networking and can replace the existing CAN protocol. Moreover, the upcoming trend of ubiquitous vehicle communication in terms of vehicle-to-vehicle and vehicle-to-infrastructure communication introduces an entry point to the previously isolated in-vehicle network. Consequently, the in-vehicle network is exposed to a whole new range of threats known as cyber attacks. In this paper, we have analyzed the FlexRay protocol specification and evaluated the ability of the FlexRay protocol to withstand cyber attacks. We have simulated a set of plausible attacks targeting the ECUs on a FlexRay bus. From the results, we conclude that the FlexRay protocol lacks sufficient protection against the executed attacks, and we therefore argue that future versions of the specification should include security protection.

An intrusion detection system for wireless process control systems

A recent trend in the process control system (PCS) is to deploy sensor networks in hard-to-reach areas. Using wireless sensors greatly decreases the wiring costs and increases the volume of data gathered for plant monitoring. However, ensuring the security of the deployed sensor network, which is part of the overall security of PCS, is of crucial importance. In this paper, we design a model-based intrusion detection system (IDS) for sensor networks used for PCS. Given that PCS tends to have regular traffic patterns and a well-defined request-response communication, we can design an IDS that models normal behavior of the entities and detects attacks when there is a deviation from this model. Model-based IDS can prove useful in detecting unknown attacks.

A Defense-in-Depth Approach to Securing the Wireless Vehicle Infrastructure

The automobile industry has grown to become an integral part of our everyday life. As vehicles evolve, the primarily mechanical solutions for vehicle control are gradually replaced by electronics and software solutions forming in-vehicle computer networks. An emerging trend is to introduce wireless technology in the vehicle domain by attaching a wireless gateway to the in-vehicle network. By allowing wireless communication, real-time information exchange between vehicles and between infrastructure and vehicles become reality. This communication allows for road condition reporting, decision making, and remote diagnostics and _rmware updates over-the-air. However, allowing external parties wireless access to the in-vehicle network creates a potential entry-point for cyber attackers. In this paper, we investigate the security issues of allowing external wireless communication. We use a defense-in-depth perspective and discuss security challenges and propose solutions for each of the prevention, detection, de_ection, and forensics approaches. We stress the important need for applying security using the defense-in-depth principle.

Creating a Secure Infrastructure for Wireless Diagnostics and Software Updates in Vehicles

A set of guidelines for creating a secure infrastructure for wireless diagnostics and software updates in vehicles is presented. The guidelines are derived from a risk assessment for a wireless infrastructure. From the outcome of the risk assessment, a set of security requirements to counter the identified security risks were developed. The security requirements can be viewed as guidelines to support a secure implementation of the wireless infrastructure. Moreover, we discuss the importance of defining security policies.

Combining Physical and Digital Evidence in Vehicle Environments

Traditional forensic investigations of vehicles aims at gathering physical evidence since most crimes involving vehicles are physical. However, in the near future digital crimes on vehicles will most likely surge, and therefore it will be necessary to also gather digital evidence. In this paper, we investigate the possibilities of combining physical and digital evidence in forensic investigations of vehicle crime scenes. We show that digital evidence can be used to improve the investigation of physical crimes and, respectively, that physical evidence can be used to improve the investigation of digital crimes. We also recognize that by gathering purely physical or digital evidence certain crimes cannot be solved. Finally, we show that by combining physical and digital evidence it is possible to distinguish between different types of physical and digital crime.