Automated Vehicles

– the good, the bad and the ugly!

Sebastian Rohr, CISA/CISM/CISSP

Digital Security Risks to Transport Infrastructure

Who am I? Sebastian Rohr, CEO of accessec GmbH

08.02.2018 2

• Product- / Production Security• Secure Automotive Networks & Backends

• Chief Security Advisor @ Microsoft• Security Strategy for SME/Corporations

• Started career in (IT-) Security @ Siemens• Security Research @ Fraunhofer SIT

OECD Workshop, Paris

Roadway Security & Safety! My secured castle!

OECD Workshop, Paris

Qu

elle

: Sc

ala

Cas

tle

of

Sirm

ion

e, ©

Mar

tin

Sam

pso

n

Page 3

Well, not anymore, Ladies & Gentlemen

OECD Workshop, Paris Page 4

New architectures are needed!

OECD Workshop, Paris Page 5

Automotive Networks

Previously…

2/8/2018 6

© U

glyH

edgeh

og , B

od

ham

Vastle OECD Workshop, Paris

And now…

2/8/2018 7

© P

ho

torato

r[U

RL=h

ttp://p

ho

torato

r.com

/ph

oto

/56

12

4/califo

rnia-state-ro

ute

-high

way-in

terchan

ge-in

-los-an

geles

OECD Workshop, Paris

Vehicles today are “moving data-centers”– with lots of vulnerable interfaces!

GSM/UMTS/LTE,

WiFi, Bluetooth

Interfaces:

OBD

Tire Pressure Monitoring

EV Charging

Car-2-X Communication

Immobilizer

Remote Keyless Entry

E/E, ECU Security:

Tachograph

ChipTuning

Function Activation

USB

Lightning GPS,DAB,

TMC,RDS

Infotainment

Picture source: https://www.sit.fraunhofer.de/de/automotive-security/Page 8OECD Workshop, Paris

And unfortunately, they are exploited as we speak…

Vehicle hack using a car gadgetYoutube: “Corvette hacked through text message” https://www.youtube.com/watch?v=XdARgh4K0wc

Jeep Cherokee HackYoutube: “Hackers Remotely Kill a Jeep on the Highway—With Me inIt”

Page 9OECD Workshop, Paris

And why is that so?

Page 10

• Absence of incentive for securing the „product“ (car) alone

• Absence investment in security infrastructure of roadways either

• Absence of regulative pressure (who needs security?)

Good example: GDRP!

Lots of awareness created on board level

Significant effort put into protecting data and endusers (finally)

Suggestion:

Move forward to establish international

„minimum security requirements“ for autonomous vehicles

And why is that so?

Page 11

• Absence of incentive for securing the „product“ (car) alone

• Absence investment in security infrastructure of roadways either

• Absence of regulative pressure (who needs security?)

Good example: GDRP!

Lots of awareness created on board level

Significant effort put into protecting data and endusers (finally)

Suggestion:

Move forward to establish international

„minimum security requirements“ for autonomous vehicles

When will we start?

08.02.2018 12

Sebastian Rohr, CISA/CISM/CISSP

CEO & Founder

accessec GmbH

rohr@accessec.com

+491715580066

OECD Workshop, Paris