TechCrunch Disrupt Hackathon – Safety for Connected Cars

The Ford Hackathon at Techcrunch Disrupt (San Francisco, 2015) encouraged use of the Ford SmartDeviceLink (SDL) iOS SDK to talk to their in-car head units. The apps can be submitted to Ford for cars supporting Ford Sync. Toyota was present to lend support to this open source effort. With a joint open source effort  the number of cars targetted by such apps could be higher.

The SDL SDK can be useful for insurance applications for measuring ride and driver quality. Many applications were built at the hackathon around this idea.

My team built an iOS application to synchronize brakes between two cars in real-time to prevent vehicle pileups in low visibility conditions. It alerted the driver that another car is braking ahead of his car, by acting as a virtual brake light that turns on if a connected car ahead is braking. Our goal was distraction-free safe driving, so it used voice commands to alert the driver and automatic brake detection from the SmartDeviceLink SDK, instead of manual alert generation.

A previous SDK supported by Ford was OpenXC, an open API for connected cars. Another popular SDK at the hackathon was Vin.li SDK.

There was discussion of a Waze like app that is built into cars. Talking to people I learnt of the role the Department of Transportation is playing to bring Intelligent Transportation to reality.

DSRC is a communication standard for such use cases – Dedicated Short Range Communications.

Salesforce Dreamforce Conference

At the Salesforce conference were several interesting IOT demonstrations.

One of them could Docker to be run inside a Raspberry Pi. This can be used for seamless OTA upgrade of IOT software. Another allowed instant analysis of the chemical composition of a drug and the information is connected to an app.

Another interesting demo was Built.io, which is like an IFTTT for different apis and IOT flows – a virtual circuit diagram allows inputs to be cascaded together in a flexible manner to achieve a variety of outcomes.

Salesforce made the announcement of the IOT Cloud which is built on Salesforce Thunder, a massively scalable real-time event-processing engine. Business can create alerts or filters to identity important data from event streams. This can be used to send alerts from manufacturers to customers or customers to manufacturers, for instance for a malfunctioning device or for a car recall.

Marc Benioff – “The Salesforce IOT Cloud will empower businesses to build proactive 1:1 relationships with their customers to deliver a new kind of customer success”.

Here’s a review of this announcement with the opinion that it is currently more of a positioning statement than a real capability – http://www.zdnet.com/article/dreamforce-2015-salesforce-thunder-unavailable-2016/

CAN bus attacks

A CAN is a Controller Area Network. Electronic Control Units (ECUs) are networked together in a car using a bus based on the CAN standard. A car will have one more CAN buses which are typically accessible via the Onboard Diagnostics (OBD II) port.

The CAN allows a distributed network of micro-controllers and devices to do real time messaging with each other with CAN packets, to exercise real time control. It is used in industrial control systems, vechicles such as airplanes and ships, and automotive systems.

ECU examples are Airbag, HVAC, ABS and Engine Control Unit.

Some CAN related security resources –

  1. Hopping on the CAN bus. https://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On-The-Can-Bus.pdf
  2. Charlie Miller, Chris Valasek.  http://illmatics.com/car_hacking.pdf
  3. Craig Smith, opengarages. http://opengarages.org/handbook/
  4. Original Spec by Bosch. http://www.bosch-semiconductors.de/media/pdf_1/canliteratur/can2spec.pdf
  5. http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/?ALLSTEPS
  6. http://tucrrc.utulsa.edu/DodgeCAN.html

A podcast interview with Chris Valasek: https://securityledger.com/2015/07/podcast-interview-with-car-hacker-chris-valasek-of-ioactive/

Most cars do allow CAN access via OBD. Tesla does not, but the CAN information is still accessible via another port.

It may sound unusual that the OBD port meant for diagnostics should allow sending commands to the CAN bus, but this is in fact possible, in part because there is no source identifier or authentication build into CAN packets.

What if an ECU itself has some kind of problem or degradation ? This can increase vulnerability when combined with open CAN bus access.

For example, there were two independent recalls in early 2015 related to defective airbag deployments. The Jeep recall was due to software that detected rollover aggressively and deployed the airbags. The NHTSA recall was due to Takata airbags with faulty inflators.

As we bravely head to an IOT world where various devices and controllers are networked to external entities, such concerns will increase.

There are attacks on other car interfaces such as bluetooth, telematics unit and remote key. Recently (July) there was an attack on Jeep which caused an update to fix the bug. The Israeli media reported a couple startups, Argus and TowerSec could have prevented this attack.   Update Jan 2016: TowerSec is acquired by Harman – CES 2016 announcement.

OpenDNS and Cisco

Cisco recently acquired OpenDNS and its security offerings.

The Domain Name Service is a hierarchical lookup service that converts human readable names to IP addresses that are used for routing. As such the DNS lookup servers can see the names being accessed, their access trends, web security attack patterns such as phishing redirects and so on.

But how did OpenDNS come to focus on security ? It was preceded by a free DNS service called EveryDNS started by David Ulevitch in his college dorm in 2001. The free nature of it attracted an interesting clientele– a number of malicious services, sites and agents.  This gave EveryDNS visibility into this part of the internet – both the customer view and a real-time view. David realized the potential and started a new company OpenDNS with both a free+paid dns offering and a growing number of security services.

In 2012 OpenDNS offered an Umbrella service to blacklist malicious sites. The most interesting offering is its OpenDNS Security Graph. The Umbrella Security Graph maintains and automatically updates malware, botnet, phishing domain and IP blacklists. This is then sold to enterprises – a higher margin business than providing DNS lookup alone.

Verisign is also in the DNS security business after it sold its certificate business to Symantec.

Tesla Model S hacked by researchers

Tesla is an advanced computer on wheels. How is security for such systems designed ? Snippets from below are insightful.

http://www.wired.com/2015/08/researchers-hacked-model-s-teslas-already/

“Two researchers have found that they could plug their laptop into a network cable behind a Model S’ driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.”

“Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.”

“The Model S has a 17-inch touchscreen that has two critical computer systems. One is an Ubuntu server responsible for driving the screen and running the browser; the other is a gateway system that talks to the car. The Tesla gateway and car interact through a vehicle API so that when a driver uses the touchscreen to change the car’s suspension, lock the doors, or engage its parking brake, the touchscreen communicates with the gateway through an API, and the gateway communicates with the car. The touchscreen never communicates directly with the car. “At least so our research has found so far,” Mahaffey says.”

“The Model S has an Ethernet cable for diagnostic purposes and by connecting to this they were able to get access to the car’s LAN. This allowed them to uncover information about the firmware update process, such as the configuration of the VPN the car used to obtain updates as well as the URLs from where the updates were downloaded. They also found four SD cards inside the car that contained keys for the VPN structure, and they found unsecured passwords in an update file that allowed them to gain access to the Tesla firmware update server. “By using the VPN credentials we got from the SD card, we were able to configure and open VPN clients to go and talk to Tesla’s infrastructure and mimic the car.”

Even though Tesla provided the update quickly, having unsecured passwords in a file that allowed access to go to the firmware update server should alert one to the risks of connected cars.

Zigbee Scanning from a Flying Drone

From http://thehackernews.com/2015/08/hacking-internet-of-things-drone.html

Security researchers have developed a Flying Drone with a custom-made tracking tool capable of sniffing out data from the devices connected to the Internet – better known as the Internet-of-things.

Under its Internet of Things Map Project, a team of security researchers at the Texas-based firm Praetorian wanted to create a searchable database that will be the Shodan search engine for SCADA devices.

 

The researchers located all ZigBee-enabled smart devices and networks and then started expanding their research.
“When [IoT devices] communicated over a wireless protocol called ZigBee, this protocol is open at a network level. So when the devices start connecting, they send out beacon requests. We capture data based on this,” says Paul West Jauregui, from Praetorian.
ZigBee is a popular smart-home wireless communication standard used by the majority of Internet of Things (IoT) devices today.
ZigBee protocol, which lets IoT devices talk to each other, is implemented by major vendors including Toshiba, Philips, Huawei, Sony, Siemens, Samsung, Motorola, and many more.

Building Automation Security Plan (Target, HVAC)

The Target data breach in 2013 affected 40million credit cards. It was traced back to an onsite HVAC (that was remotely accessible for billing) being on the same network as the rest of the system . The credentials for the HVAC were breached and used to attack the internal computers.

The link below discusses a comprehensive security plan for a building automation system. The connected components are identified and the network and systems are designed for authorized access.

http://www.automatedbuildings.com/news/may14/articles/llnl/140425010101llnl.html

One can see such a plan being useful for a number of sensor/IOT systems – e.g. energy, temperature and and video sensors.

On Software Requirements

There are a couple high level tradeoffs in the requirements specification process. Each tradeoff can be thought as an axis: Specificity (detailed vs vague), Audacity (visionary vs trivial/checkmark), Customer-driven (needs vs wants; with timelines).

It is possible for them to be too detailed – the more detailed and specific the requirements are, the less understandable they are and the less flexible they are in a rapidly changing context. But if the requirements are too vague, then they are likely to be misunderstood or ignored by a development team. This is a case where directly talking to the end users and clear communication between team members to flesh out use cases will help.

Also if the requirements are too visionary then they may appear infeasible to the team.  Showing they are achievable by looking at related products is one solution. Decomposing the target into achievable modules is another. If they are too near-term, then they may appear trivial and fail to excite the team.

Finally the requirements should be well grounded in customer use cases and narrowly stated, rather than inherited as a long list from past successful technical products. This is probably the most important and hardest thing in practice.

Specifying the right amount of detail for development targets that are grounded, challenging and achievable is an important skill.

Another take on this topic is Joel Spolsky’s series on writing painless functional specifications.

SSO, SAML, OAuth, JWT, OpenID

Web authentication and SSO typically imply that state is maintained on the server to indicate whether the user is logged in or not. The identity provider maintains this state and the identity consumers check this state with the identity provider. The protocol and message format differ in different implementations – SAML, OAuth, OpenID and several others.

SAML is the richest, most flexible auth protocol, but also most complex to implement. It covers the most number of use cases. The security assertions about an identity are captured in an xml format which can be exchanged between providers and consumers over the web.

OAuth is simpler and requires fewer things from the implementer. OAuth 2 has become a vehicle for enterprise use cases like SAML. SDKs for OAuth are available.

OAuth 2 and OpenID both use Json WebToken (JWT) which is a JSON format specification for interoperability.

OpenID Connect is the most open and newest of the three. It reduces  reliance on checking auth state with the identity provider by embedding more information in the JWT and standardizing things like scope to increase interoperability. If officially supports authentication use cases, unlike OAuth2 which is designed for authorization, but is used for pseudo-authentication.

A key consideration when deciding on an implementation is the scalability requirement. Ideally the system is structured to keep the least amount of state (zero) on the server. This is not true of most SSO implementations.

Like a stateless NFS server, based on leases for lock state that can be refreshed, a stateless implementation for SSO is possible (classic NFS has no open, only lookup). The tradeoff is that revocation is not as easy and reporting may need to be handled differently than with a stateful implementation. Here’s a discussion – http://stackoverflow.com/questions/26739167/jwt-json-web-token-automatic-prolongation-of-expiration

Update. Here’s another discussion which points to some tradeoffs – https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens , basically that this is more useful for SSO and API implementations not simple websites.

iOS TouchID Enterprise Use Cases

When implementing TouchID for an enterprise authentication solution there are some interesting attack vectors to consider, that are not obvious.

There are differences in requirements between COPE and BYOD deployments for instance.

Depending on the type of deployment and the type of data accessed, the security required may call for (a) a simple TouchId based “user presence check”,  without a password being stored or retrieved, or (b) for a password to be stored in the enclave to be retrieved, or (c) for TouchId to be combined with another factor for a multi-factor authentication solution.

Some drawbacks to the initial TouchID implementation for enterprise uses cases, were discussed here . There is now a developer API available which allows more flexibility in implementing a solution for the enterprise.

OS X Malware and Connected homes

Here is a talk from Synack on OS X malware. iOS is locked down but OS X is much more open – obviously one can download applications outside the appstore and load and run apps and dylibs that are unsigned. This impacts security for a connected home with many devices with hubs that may be OSX based.

For example here’s a description of remote control of a baby monitor – http://www.zdnet.com/article/iot-security-under-scrutiny-as-apple-looks-at-smart-home-system/ .

RSA World 2015 San Francisco Internet of Things

Several interesting companies I talked to in the mobile and enterprise space

  • BlueBox Security – automatic containerization of mobile apps
  • SkyCure – identified some DoS attacks that can occur against iOS devices
  • Okta – allows integrations with some 4000 different applications from a single identity console.
  • BlueCoat Systems – network traffic analysis for malware detection
  • Microsoft – integration of admin and user policies for Office365 with Email.
  • Shape Security – changes the shape of the traffic by detecting the large fraction of traffic that is not coming from real users and blocking it from hitting the webservers
  • German pavilion with several technologies including database encryption and controls

On the IOT side of things there were hacking demos of Nest thermostats, Vera home automation systems, remotely connected storage devices. Read more about the “Internet of Crappy Things” at the Kaspersky blog – https://blog.kaspersky.com/internet-of-crappy-things-2/8518/

Simple Crypto Operations

In a pure transposition cipher, the text “AAAAAA” is transformed to “AAAAAA”.

In a pure, static substitution cipher, the text “AAAAAA” is transformed to (say) “ZZZZZZ”.

In a vignere pad, the string “AAAAAA” input  is transformed to an output which is equal to the keyword (or an offset of all its letters, making it easy to guess).

If the keyword were completely random and not used again, but still shared between two parties, one would arrive at the one-time pad, which has perfect secrecy.  Is this possible ? Wikipedia says information-theoretic secrecy is used in top secret communications.

The Enigma cipher was a dynamic substitution cipher where the substitution maps changes as the rotors rotate before each letter is entered. This machine and its code-breaking machine is the subject of the movie The Imitation Game, discussed in my previous blog post.

The Imitation Game – The Movie

The number of permutations of the 26 alphabet, 26! is ~0.4 billion billion billion – 0.4 octillion – 4 followed by 26 zeros. This is the number of maps from the set of 26 letters to itself, and the size of the space of all maps that the German Enigma machine played in.

The number of maps the Enigma actually utilized to transform an input letter to another is much smaller. At the core the machine has a handful of rings which implement fixed maps. Each individual ring implements one fixed permutation map of the numbers 1-26 to itself.   The fixedness is important – bit hard to believe as it appears to considerably simplify the attack – the ring does not vary its map (input-output permutation) except due to rotation of the ring – which can be in any of 26 different positions. With 3 rings, they could be ordered in 6 ways and total of 6×26^3 maps – only about 106,000. With the 3 rings chosen from 5 available rings instead of 3, there could be 5x4x3 or 60 combinations and 60×26^3 maps – a million. At each letter entry the rotors would change to use another of the ~10600 maps.  Guessing a valid map (10^5) from the much larger space of all maps (4*10^26) made cracking the code near impossible – assuming good operating procedures. The plugboard implemented another (fixed) permutation. 

The Polish bomba utilized leaked knowledge of both the maps and the known number of rings – and with that information tried a brute force attack for the 3-ring design. Even with knowledge of the machine internals this required ingenuity to look for patterns in the messages – duplicate input letters that were frequently mapped to duplicates in the output reduced the search space.

This worked until the Germans added two more rings to the original 3. At this point the Polish method was not effective. Turing understood a different method was needed.

The machine that was built at Bletchley park and was shown in the movie was also a brute force machine, not a general purpose computer (as I assumed before the movie). It used input text that was likely to be in the transmitted data, encrypted it in several combinations then compared it with the actual transmissions. This is called a chosen plaintext attack.

An interesting aspect in the movie was how hard Turing had to fight to keep the idea of this machine alive as it was an unknown and unproven concept to the military generals. When he succeeded and U-boats were started to be destroyed (with a cover of air surveillance as the source of sighting the subs), Admiral Karl Dönitz on the German side had to convince his own chain of command of the need to change Enigma – a request deflected for several months as the German chain of command bought the air surveillance story. Dönitz eventually succeeded in adding a fourth rotor and the submarine attacks subsided immediately – until a couple subs were captured and the details of the newer rings were found by the British.

In a way, the machines on either side were trying to get smarter but were slowed down by a human bottleneck. The selfish machines.

The basic idea of a small set of pseudo-random (fixed) permutations embedded in a larger space of permutations is utilized in block-ciphers (DES, AES) in form of P-boxes. A difference is the presence of S-boxes which achieve mixing of the inputs so an input pattern does not have a deterministic effect on output patterns.

What’s interesting is an information theoretic notion of security which is not susceptible to attacks. Some of these ideas are used in the IDEA cipher.