ramn resistant automotive miniature network - ramn...camille gay | ramn: resistant automotive...

RAMNResistant Automotive Miniature Network

Camille Gay

Senior Researcher, Toyota Motor Corporation (Tokyo, Japan)

Tsuyoshi Toyama, Principal ResearcherHisashi Oguma, Group Manager

Camille Gay | RAMN: Resistant Automotive Miniature Network 3

Presentation plan

• Automotive Security• Automotive Testbeds• What “Automotive Grade” means• Why it matters for security• RAMN details and demonstrations• Goals


Automotive Security

A brief introduction


The news

• Researchers have demonstrated several times that “connected cars” could be remotely hijacked

http://illmatics.com/Remote%20Car%20Hacking.pdf

https://ieeexplore.ieee.org/document/5504804

https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

http://illmatics.com/Remote%20Car%20Hacking.pdf


https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus-wp.pdf



Vehicle Crime

• Theft

• Fraud

• Counterfeiting

•Bypassing regulations

• Spying

• Etc.

“Stolen vehicles are frequently trafficked in order to finance and carry out other criminal activities, ranging from drug trafficking, arms dealing, people smuggling and international terrorism.”https://www.interpol.int/en/Crimes/Vehicle-crime

https://www.interpol.int/en/Crimes/Vehicle-crime


Challenges

• Securing cars is not an easy task• hundreds of computing units• … from different companies• … running thousands of lines of code

• Can only happen with• Presence of automotive security experts across companies• Good cooperation between them• Efficient tools at their disposal


Automotive Testbeds

How people research automotive security


Automotive Architecture ECU: Electronic Control UnitIVI: In-Vehicle InfotainmentTCU: Telematic Control UnitCGW: Central GatewayCAN (Controller Area Network)

CAN-FD (CAN Flexible Data rate)100Base-T1 (Automotive Ethernet)LINFlexRayMOSTetc.


Real car


• Actual network of ECUs

• Expensive• Black Box • Dangerous



Hacking testbeds

https://www.bugcrowd.com/resources/webinars/from-an-ivi-in-a-box-to-a-car-in-a-box/

https://gsec.hitb.org/sg2019/sessions/commsec-car-hacking-made-easel-by-car-security-quarter-csq/

https://hackaday.com/2018/08/11/car-hacking-at-def-con-26/

• Fun !• Involve actual ECUs

• Not easily reproducible

• Require a lot of effort • Partially black box

https://www.bugcrowd.com/resources/webinars/from-an-ivi-in-a-box-to-a-car-in-a-box/

https://gsec.hitb.org/sg2019/sessions/commsec-car-hacking-made-easel-by-car-security-quarter-csq/

https://hackaday.com/2018/08/11/car-hacking-at-def-con-26/


Academic testbeds

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cho.pdf

https://people-ece.vse.gmu.edu/~kzeng2/publications/2017/CAN_Authentication_ICCPS2017.pdf

• Reproducible• White box

• Not appealing to newcomers• Not automotive grade




Professional testbeds

https://www.chip1stop.com/sp/products/toyota-pasta

•PASTA• Testbed Introduced at Black Hat Europe 2018

• Open

• Adaptable

• Safe

• Portable• White box• Adaptable and Portable• Fun

• Expensive• Not automotive grade



Problem 1: require High Investment

• Consequence 1: Less freedom for research• Must share the testbed• No permanent modification• Must not break

• Consequence 2: Less people involved• Less people getting started• Few experts


Low Entry barrier• Arduino

• Raspberry Pi

• Google coral

• Nvidia Jetson Nano

https://www.arduino.cc/

https://www.raspberrypi.org/

https://coral.ai/

http://developer.nvidia.com/embedded/jetson-nano-developer-kit

Low cost andsupporting community



https://coral.ai/

http://developer.nvidia.com/embedded/jetson-nano-developer-kit


Why is “not automotive grade” a problem ?

Problem 2: not automotive grade


Automotive Grade

A simplified introduction


Why do we need different grades of electronics ?


Customer’s needs and expectations

• Popular smartphones are designed to operate in the temperature range of 0℃ to 35℃

• Extending that operating range would result in more disappointed customers than happy customers

https://support.apple.com/en-us/HT201678

https://www.samsung.com/us/support/answer/ANS00076952/


https://www.samsung.com/us/support/answer/ANS00076952/


Different grades for different expectations

• Electronic components designed to match the expectations of the customer base• not less• not more

• Mainly four grades:• Commercial Grade• Industrial Grade• Automotive Grade• Military and Aerospace Grade


How is automotive grade different ?

•Very harsh environment

•Very high reliability and safety requirements

• Long life expectancy (>10 years)

•High volumes






•High volumes



Operating and storing temperature



Automotive electronics environment• Extreme temperatures (-40℃ to +150℃) (-40℉ to 302℉)

• High Humidity

• Salt spray

• Corrosive atmospheric gasses

• Dust

• Vibrations

• Shocks

• Unstable power-supply (micro-cuts, cranking, ripples, load dumps, etc.)

• Electro-Static Discharges (ESD)

• Electromagnetic Noise

• People (dropping an ECU, reverse polarity, failed jump-start, etc.)


What are the risks in harsh environments ?

•Corrosion

• Solder cracks

• Intermetallic growth

•Whiskers

•Dendrites

• Electromigration

• Etc.https://cdn.intechopen.com/pdfs/70995.pdf

https://nepp.nasa.gov/whisker/reference/tech_papers/2006-Leidecker-Tin-Whisker-Failures.pdf

https://cdn.intechopen.com/pdfs/70995.pdf

https://nepp.nasa.gov/whisker/reference/tech_papers/2006-Leidecker-Tin-Whisker-Failures.pdf


Standards• AEC-Qxxx (Automotive Electronics Council)

• AEC-Q100: Integrated Circuits• AEC-Q101: Discrete Semiconductors• AEC-Q200: Passive Components• Etc.

• Defines 4 automotive grade and the tests they need to pass.• Grade 0: -40 to 150℃• Grade 1: -40 to 125℃• Grade 2: -40 to 105℃• Grade 3: -40 to 85℃

• Other important standards: IPC-6012DA, etc.http://www.aecouncil.com/Documents/AEC_Q100_Rev_H_Base_Document.pdf

http://www.aecouncil.com/Documents/AEC_Q100_Rev_H_Base_Document.pdf


Aerospace/Military vs Automotive

• Different problems for aerospace• more radiations• more susceptible to tin whiskers ?• etc.

• Different temperature range:• Automotive -40 to 150℃• Aerospace -55 to 125℃

• Might be compatible but no guaranteehttps://nepp.nasa.gov/workshops/eeesmallmissions/talks/10%20-%20WED/1500%20-%20Sampson%20-%20Is%20It%20Wise%20to%20Fly%20Automotive%20Electronics_v4.pdfhttps://escies.org/download/webDocumentFile?id=63946

https://nepp.nasa.gov/workshops/eeesmallmissions/talks/10%20-%20WED/1500%20-%20Sampson%20-%20Is%20It%20Wise%20to%20Fly%20Automotive%20Electronics_v4.pdf

https://escies.org/download/webDocumentFile?id=63946


https://en.wikipedia.org/wiki/Elon_Musk's_Tesla_Roadster

https://en.wikipedia.org/wiki/Elon_Musk's_Tesla_Roadster






•High volumes


How bad is a random failure ?

• Commercial grade• Customer likely inconvenienced• Provide good service and they’ll forgive you / like you even more

• Industrial grade• Customer likely impacted financially• Customer not likely to forgive

• Automotive grade / Aerospace grade• People potentially harmed physically• Someone will need to take responsibility


Failures always happen

• Every component has a low chance of randomly failing

• You can estimate that probability with

• Prediction methods

• IEC 61709:2017, SN29500, FIDES, JESD89A, etc.

• Accelerated tests

• Reputable manufacturers let you access their data

• https://www.ti.com/quality/docs/estimator.tsp

FIT: Failures In TimeNumber of failures expected per billion device-hours.

Humans and lightning: 0.23 FiThttps://www.cdc.gov/disasters/lightning/victimdata.html

https://www.ti.com/quality/docs/estimator.tsp

https://www.cdc.gov/disasters/lightning/victimdata.html


Automotive risks

• Millions of cars

• Thousands of components

• Thousands of operating hours


ExampleBypass / ESD capacitor

ECU Circuitry

12V

GND

ECU Circuitry

12V

GND


Failure modesWhat happens when the component fail ?

• Significant shift in its parameters• It could become a “short-circuit”

ECU Circuitry

12V

GND

Potential Fire HazardLoss of ECU function


Single Point Fault (SPF)

•1 failure leads to catastrophic consequences

ECU Circuitry

12V

GND


Countermeasures

•1) Detection

“Residual Fault” (also an SPF)


Countermeasures

•2) Redundancy

ECU Circuitry

12V

GND

“Latent Fault” (LF) (Multiple-point fault).


If the ECU has a critical missionWhy not do this ?

ECU Circuitry

12V

GND

ECU Circuitry

12V

GND


Raising the bar

•That’s just ONE component of ONE ECU

•… Thousands to go …

•When do you stop ?


Standards

• ISO26262• Also cover other topics (Systematic failures, etc.)• Defines different safety levels for an ECU’s function• Automotive Safety Integrity Level

• ISO 16949• PPAP (Production Part Approval Process), etc.

http://cadence.com/content/dam/cadence-www/global/en_US/documents/solutions/automotive-functional-safety-wp.pdf

http://cadence.com/content/dam/cadence-www/global/en_US/documents/solutions/automotive-functional-safety-wp.pdf


What about Software ?

• Also covered by ISO26262

• Random “transient” failures in hardware (bitflips from cosmic rays, etc.)

• Redundancy

• Two CPUs executing the same code (lock-step)

• ECC (Error-Correcting Code Memory)

• Bugs (“systematic failures”) mitigated by best practices

• No dynamic memory allocation

• Sanity checks of every parameter

• Periodic internal memory checks

• Enforcement of low complexity

• Restricted use of interrupts

https://www.st.com/resource/en/application_note/dm00076080-safety-manual-for-spc570s-family-stmicroelectronics.pdf

https://www.st.com/resource/en/application_note/dm00076080-safety-manual-for-spc570s-family-stmicroelectronics.pdf


What about Software ?

• MISRA C• Set of rules for safe and reliable code

• Always use brackets for statements (if, while, etc.)• No dynamic function pointers• No variadic functions• Etc.

• Not very different from CERT-C

• Automotive SPICE (ISO/IEC 15504)


Impact on Security

Does Automotive Grade matter ?


What does it mean for security ?

Safety and reliability measures limit the security countermeasures developers can take.

• You could encrypt the CAN bus• You could permanently lock debug ports• You could obfuscate the firmware• … But how would you investigate a problem that was

reported ?



• ECC memory still susceptible to attacks• https://www.vusec.net/projects/eccploit/

• Some ECUs susceptible to glitching attacks• https://www.riscure.com/uploads/2018/11/Riscure_Whitepaper_Analyzing_Automotive_Firmware.pdf

• Even ASIL-D microcontrollers susceptible to glitching attacks• https://www.riscure.com/uploads/2017/08/Riscure_Whitepaper_Safety_is_not_Security_Automotive.pdf

Safety and reliability measures may make things harder for attackers, but not impossible

https://www.vusec.net/projects/eccploit/

https://www.riscure.com/uploads/2018/11/Riscure_Whitepaper_Analyzing_Automotive_Firmware.pdf

https://www.riscure.com/uploads/2017/08/Riscure_Whitepaper_Safety_is_not_Security_Automotive.pdf



• Higher temperature = Higher security risk ?

• Suggested by many papers• https://ieeexplore.ieee.org/document/6976636

• https://upcommons.upc.edu/bitstream/handle/2117/99293/FCTRU_2016_17_Smart_Card_Fault.pdf

• … where “high temperatures” mean 60℃ and 100℃.

• Higher age = Lower security risk ?• https://tches.iacr.org/index.php/TCHES/article/view/8295

• https://dl.acm.org/doi/abs/10.1145/3194554.3194638


https://upcommons.upc.edu/bitstream/handle/2117/99293/FCTRU_2016_17_Smart_Card_Fault.pdf

https://tches.iacr.org/index.php/TCHES/article/view/8295

https://dl.acm.org/doi/abs/10.1145/3194554.3194638


Developing new technologies

• Proving a security technology on ONE testbed does not mean much• It must work on millions of cars• … with slightly different characteristics due to

hardware manufacturing tolerances• … without failing

• It must work at the lowest temperature.

• It must work at the highest temperature.

• It must still work after 10 years.


Evaluating new technologies

•Hard to ensure technologies work for EVERY scenario

•Must be evaluated in conditions in which they are the most at risk• Low temperatures, High temperatures•When failsafe mechanisms are engaged


Automotive grade does make a difference


The story so far

•Many testbeds available, but they are usually:•High investment •Not automotive-grade


RAMN:Resistant Automotive Miniature Network

Inexpensive automotive-grade testbed


Objectives

•1) Something “low-investment”• Inexpensive•Fun and easy to get started with

• 2) Something useful for automotive research•Automotive grade ...•… or almost ?


https://www.defcon.org/html/links/dc-badge.html



Influences

•Popular education and research tools

•Conference Badges

https://hackaday.com/2017/08/04/all-the-hardware-badges-of-def-con-25/

https://www.defcon.org/html/links/dc-badge.html



https://hackaday.com/2017/08/04/all-the-hardware-badges-of-def-con-25/


Inexpensive

•Keep it small and simple•PCB size of a credit card•USB-Powered•Two Layers only•Large track width/spacing•Easy to solder

Loved by the Automotive

Industry


Number of ECUs

• Most testbeds have less than 4 ECUs

• Communicating over CAN








Most testbeds look like this:

ECU 1 ECU 2

ECU 3 ECU 4

CAN

That fits on a credit card

Even with CAN-FD


RAMN


Block Diagram

USB Pow

er Enab

le

Microcontroller

3.3V low-noise PSU

CANFD Transceiver

ECU

B

Microcontroller

3.3V low-noise PSU

CANFD Transceiver

ECU

C

Microcontroller

3.3V low-noise PSU

CANFD Transceiver

ECU

D

Microcontroller

3.3V low-noise PSU

CAN-FD Transceiver

ECU

A

GPIOs x6 (3x Power Enable + 3x BOOT0)

USB FS

CAN/CAN-FD Bus

TerminalBlock

BO

OT0

BO

OT0

BO

OT0

Pow

er Enab

le

Pow

er Enab

le

Expan

sion

Expan

sion

Expan

sion

Expansion


Making it more interesting


Expansion boards


ScreenGateway


Steering WheelChassis domain


Brake / Accelerator / Gear shiftPowertrain domain


DashboardBody domain


More expansion boards


Debugger + Breakout


External Memory


TPM


Chip Whisperer


Designed with Open-Source tools

•Designed with KiCAD•https://kicad.org/

https://kicad.org/


Getting Started Quickly


Fun and easy to get started with

• Integrating required tools•CAN/CAN-FD adapter•Programmer



•Easy interfacing with popular tools•Logic Analyzers•Oscilloscope•Chip Whisperer



•Connectable to an open-source driving simulator•CARLA


CARLAhttps://carla.org/

• “Open-source simulator for autonomous driving research”

• Based on Unreal Engine

• With a python API

• Comes with an example self-driving algorithm

https://www.unrealengine.com/en-US/spotlights/carla-democratizes-autonomous-vehicle-r-d-with-free-open-source-simulator

https://carla.org/

https://www.unrealengine.com/en-US/spotlights/carla-democratizes-autonomous-vehicle-r-d-with-free-open-source-simulator


Integration with CARLA

• By default software only

• Implemented closed-loop controls with RAMN

• Vehicle Controls only accessible through the CAN/CAN-FD bus

• Simulated values (such as vehicle speed) also visible on CAN/CAN-FD bus


Demo 1 (normal)


Automotive grade ?


Automotive Grade

•Automotive Microcontrollers not available without NDAs …

•Automotive Software expensive and closed-source

•Had to compromise …


Microcontrollers of RAMN• Board compatible with STM32L4 and STM32L5 series

• Automotive-like features• ECC memory• Temperature Range -40 to +125℃

• Security Capabilities• TRNG• AES-Engine (optional)• TrustZone (STM32L5 only)• Secure Boot, Secure Reprogramming, etc. (STM32L5 only)

• CAN

• CAN-FD (STM32L5 only)


Testbed firmware

• Developed with STM32CubeIDE• STM32 HAL• FreeRTOS

• Both compliant with MISRA-C

• FreeRTOS not compliant with automotive standards, but there is a paid variant (safeRTOS) available• https://www.freertos.org/FreeRTOS-

Plus/Safety_Critical_Certified/SafeRTOS.html

https://www.freertos.org/FreeRTOS-Plus/Safety_Critical_Certified/SafeRTOS.html


Testbed RAMN (STM32L5 variant) PASTA

Microcontroller STM32L552/STM32L562 R5F563NFHDFB

Microcontroller Family Ultra-Low Power High-Performance

CPU type 32-bit ARM Cortex M33 32-bit RX CPU

Clock 110MHz (165 DMIPS) 96MHz (165 DMIPS)

RAM 256 kB 256 kB

Flash 512kB 2MB + 32k EEPROM

Software layers FreeRTOS + STM32 HAL Bare metal

TrustZone & TRNG Yes No (MPU supported)

ECC Yes No

Temperature range -40~125℃ -40~85℃ (ECU)

Power Supply 5V (USB) 12V

ECU # 4 ECUs in one PCB 4 independent ECUs

CAN Bus # 1 (CAN-FD) 4 (CAN2.0)

Protection (ESD, etc.) No Yes


PASTA• Quality Assurance and support from

experimented professionals

• More Adaptability

• 1 PCB per ECU

• 4 CAN Bus

• 12V power supply

• Integrated OBD-II port

• Comes with external CAN adapter

• Etc.

Different tools, same philosophy

Identical CAN messages


Main merits of RAMN

• Close to automotive grade specifications

• Inexpensive• No need to share a single expensive testbed• No need to worry about breaking the testbed• Evaluate manufacturing tolerances

• Easy to get started with for beginners in electronics and embedded software.


Limitations

•Only 1 CAN/CAN-FD bus

•No 12V power supply

•Not 100% automotive grade


Goals


Future of automotive security

• There are very good reasons for the automotive industry to be closed• Takes a lot of resources to develop automotive grade hardware and

software

• ISO21434 coming for automotive security

• Standards do not solve everything• Never-considered-before scenarios

• Other reasons

• More experts = more solutions


Goals

•Promote more openness in the automotive industry

•Get more people interested in automotive systems

• Facilitate education• Security• Safety, reliability, etc.

• Facilitate research on ECU networks


RAMN is not

•A car hacking tool• You cannot connect RAMN to a car•Does not replace a CAN adapter

•An endorsement of real car hacking•Might be illegal in your country•No bug bounty


Future works

•Platform for:• Education•Automotive security skills evaluation•Automotive bug bounty platform•Automotive CTF platform


How to get one

• Focusing on releasing high quality design files• Easy to order from PCB fabrication services

• Exploring options for distribution

• Feedback appreciated

Thank YouCamille Gay, [email protected]

@ramn_auto

See you at HITB's Discord channel for questions & answers!