Preventing External Connected Devices From Compromising Vehicle Systems
Vector Congress, November 7, 2017, Novi, MI
Bob Gruszczynski – VWoA OBD Communication Expert


Volkswagen Group of America, Engineering and Environmental Office (EEO)

Current Cybersecurity Status

• Challenges to OEMs regarding data access
• Vehicle data access vs. vehicle security
• Many entities requesting both legitimate and non-legitimate access
• Inspection and Maintenance
• Workshop/Service


Current Cybersecurity Status

• Vehicle data access vs. vehicle security
• Insurance “telematics”
• Other “telematics”
• “Prognostics”
• Modification of powertrain components (“tuning”)
• Malicious attacks (“hacking”)
• Digital Millennium Copyright Act (DMCA)


Initially, due to research activity into vehicle hacking, efforts began to describe/define issues

• SAE - Electrical and Electronics Diagnostic Committee (J3005), Cybersecurity Systems Engineering Committee (J3061)
• NHTSA - Request for Comment on Automotive Electronic Control Systems Safety and Security
• US Government - GAO, US DOT, DHS S&T, NIST
• ISO TC204, TC32


Current Cybersecurity Status

• OBD Devices
• Wirelessly enabled
  Wireless network can be spoofed
• Bluetooth enabled
  Malware installed in phone app
• Carnegie Mellon University study with NIST Volpe Research Center – results at: https://resources.sei.cmu.edu/asset_files/WhitePaper/2016_019_001_453877.pdf

Preliminary results show poor software design and cybersecurity practices across a high percentage of currently deployed devices.


Current situation: scenario hacker attack

• hacker attack over the mobile communication to the customer OBD dongle
• hacker starts critical functions over the UDS protocol


There are many discussions about further concepts to solve the security problem with e.g. 3rd-party dongles:

1. concept for a short-term solution
   • Gateway equipped
   • Non-Gateway equipped
   • “Hybrid”
2. concept for a long-term solution
   • Planned in future as a two step solution
   • first step: protection of diagnostic access
   • second step: protection of diagnostic data


Concept for a long-term solution
first step: protection of diagnostics access

• IT-Backend: creation of security token; identity and access management; log saves all events, accesses, and errors
• Diagnostic system: private key and certificate signing request; routing of security token; Individual-ID: (VIN, ECU-ID, Project-ID)
• secure channel
• Electronic Control Unit (ECU): signature verification and public key
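
An added example (not from the presentation) of the ECU-side check in the first step: the backend signs a token naming one Individual-ID, and the ECU accepts it only if the signature verifies against its provisioned public key and the token names this exact ECU. The slides give no signature scheme or token format; Ed25519, the JSON encoding, the function names and the sample IDs are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// IndividualID is the triple named on the slide; the JSON encoding is an assumption of this example.
type IndividualID struct {
	VIN       string `json:"vin"`
	ECUID     string `json:"ecu_id"`
	ProjectID string `json:"project_id"`
}

// IssueToken plays the IT backend: it signs the Individual-ID with its private key.
func IssueToken(priv ed25519.PrivateKey, id IndividualID) (payload, sig []byte) {
	payload, _ = json.Marshal(id) // marshaling a struct of plain strings cannot fail
	return payload, ed25519.Sign(priv, payload)
}

// VerifyToken plays the ECU: verify the signature with the provisioned public key
// before parsing anything, then require the token to name this exact ECU.
func VerifyToken(pub ed25519.PublicKey, self IndividualID, payload, sig []byte) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature verification failed")
	}
	var id IndividualID
	if err := json.Unmarshal(payload, &id); err != nil {
		return errors.New("malformed token")
	}
	if id != self {
		return errors.New("token issued for a different Individual-ID")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	ecu := IndividualID{VIN: "WVWZZZ00000000001", ECUID: "ECU-01", ProjectID: "PRJ-A"} // constructed IDs
	payload, sig := IssueToken(priv, ecu)
	fmt.Println("own token:", VerifyToken(pub, ecu, payload, sig))
	other := ecu
	other.VIN = "WVWZZZ00000000002"
	fmt.Println("token replayed to another vehicle:", VerifyToken(pub, other, payload, sig))
}
```

Binding the token to the Individual-ID is what stops a token captured on one vehicle from unlocking diagnostics on another, even though its signature is valid.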


Concept for a long-term solution
second step: protection of diagnostic data

• IT-Backend: private key and certificate signing request & data
• Diagnostic system: Individual-ID: (VIN, ECU-ID, Project-ID)
• secure channel
• Electronic Control Unit (ECU): signature verification and public key for every request which changes data or starts secured functions

For the second step – there are a lot of open questions regarding process and possible advantages/disadvantages, potential risks and problems (e.g. total dependence on Backend-System)


Why the Renewed Focus on OBDII Security?

• September 28: NHTSA requests SAE to take the lead and convene industry group to examine issue

• October 14: NHTSA response to House Committee highlights SAE role: “At NHTSA’s urging, SAE International has started a working group that is looking to explore ways to harden the OBD-II port. This group is making good progress and the Agency remains hopeful that the group will move expeditiously to develop a set of recommendations.”

• September 12: Letter from House Committee on Energy and Commerce to NHTSA RE: OBD-II Security
  “…request that NHTSA convene an industry-wide effort to develop a plan of action for addressing the risk posed by the existence of the OBD-II port in the modern vehicle ecosystem.”


SAE Committees/Task Forces

• J3061 – Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
• J3016 – Guidebook Helping to Frame Cybersecurity Policy
• J3005-1, -2 – Guidelines for Operation and Security of Devices Connected to the Data Link Connector (DLC)
• J3138 – Next slides…


• SAE hosted invitation-only industry workshop December 1.

• Goals:
  1. Identify common issues, needs, and approach to secure the OBD
  2. Gain buy-in to development of an accelerated standards approach

• Very well-attended by industry
  – Leads: Mark Zachos, DGTech and Bob Gruszczynski, VW
  – OEMs: BMW, Ford, GM, Honda, Hyundai, Isuzu, Toyota, VW
  – Heavy Truck: Volvo, Cummins
  – Associations: MEMA, ETI, Booz-Allen (Auto ISAC)
  – Government/Regulators: ARB, NHTSA, NIST


• Discussion yielded the following high-level scope items:

What are we worried about?
• DLC access Point (J1939/J1962 connector)
• Re-programming modules; only concerned about unlocking
• Someone spoofing normal message content (writing non-diagnostic messages)
• Overloading the CAN Bus
• Overloading the gateway
• Ensuring solution complies with existing regulations and MOUs
• New on-road vehicles (less than 14K pound GVW)

What are we not worried about?
• Other access points (infotainment, etc.)
• J1979 functionality
• Emission-related diagnostics; J1939 equivalent diagnostic functionality
• Physical attacks to the in-vehicle network
• Privacy
• Tool/dongle security


Next Steps

1. SAE staff work with volunteer leaders to further define rationale, scope, and process
2. Created new SAE Committee – Data Link Connector Vehicle Security Committee
3. Created new Task Force to house New Work Item – J3138 (Task Force Name TBD)
4. Committee meets monthly
5. J3138 in ballot
6. New Work Item Proposals started to address long-term items above


Thanks for your attention !!!

Bob Gruszczynski
OBD Communication Expert
Volkswagen