As cars and external devices become more connected, it faces many security risks. Although the industry has recognized this, there is still a long way to go before recognizing that effective solutions are in place.
This article refers to the address: http://
Compared with the future popularity of V2V systems and autonomous vehicles, today's "automobile" is still in its infancy, but even so, there are many ways to carry out malicious attacks from the cloud to the in-vehicle system. The on-board OBD II diagnostic interface located below the meter is currently the most vulnerable to malware attacks. In the past, it was just the interface that auto mechanics used to connect to the car's diagnostics, but today it can even receive WiFi signals to remotely diagnose and remotely unlock the vehicle. Without the protection of the information security system, the car will become a "broiler." ". This paper will take stock of information security risks, information intrusion paths and feasible solutions in the automotive interconnection.
First, the hidden dangers of car interconnection
Remote code tampering
In order to optimize the in-vehicle electronic system programming, car manufacturers can adapt the system code, and hackers can do it, but the difference between the two is that the hacker tampering with the code is malicious.
The intelligent transportation system is essentially the communication of V2V and V2I. The hacker can intercept and modify the data during the information exchange process, which causes confusion.
In the computer, a malware can be uninstalled, and it is impossible to reinstall the system. For a car, being invaded by malware will trigger a sudden traffic accident—even if the volume of the sound system is suddenly turned up remotely, it will scare a driver who is concentrating on driving, causing irreparable consequences.
Product generation cycle is different
The generation cycle of the electronic components in the car is very long, almost three times that of the computer compared to the three-year cycle of the computer. This makes it impossible for the in-vehicle electronic system to update the technology even if there is a technical update.
If you want to replace some electronic components, it will cause new problems. Due to the rapid development of electronic components, new components may not be able to match and interact with the original electronic system, which poses a challenge for the aftermarket suppliers.
Information encryption seems to guarantee the security of the vehicle connection process, but there are also concerns about "grab". In simple terms, malicious data is encrypted like normal data.
High cost of security solutions
If the electronic system in the car is fixed, the update process will involve a huge amount of work; if a heuristic protection scheme is used, a larger data processing process is required, and the programming itself is as troublesome as the processing software. Intrusion; Virtual Private Network (VPN) can provide good security, but if thousands of car users use it, the cost will be very expensive.
Therefore, with the increasingly close relationship between in-vehicle electronic systems and information systems and the outside world, information security solutions are in urgent need of optimization.
Second, the way to invade the car network
Physical connection
That is to say, through a special chip, it is connected to the CANBUS bus of the vehicle, and the car is controlled by means of Bluetooth and mobile data. The disadvantage of this method is that it needs to be installed and is easy to be found; Spanish security researcher Javier Vazquez - Javier Vazquez-Vidal and Alberto Garcia Illera showed off a small device they built in March, costing less than $20.
The device physically interfaces with the car's internal network and inputs malicious commands that affect everything from the window, headlights, and steering wheel to the brakes. The device is three-quarters the size of the iPhone. It is connected to the car's Controller Area Network (CAN) through four antennas to obtain energy from the in-vehicle power system. It can receive remote attackers through the computer at any time. The wireless command is entered into the vehicle system. They named the device a control domain intrusion tool, referred to as CHT.
“It takes only 5 minutes or less to connect, and then you can leave.†Vidal, a German automotive IT security consultant, said, “We can wait a minute or a year, then start the device and instruct it to do anything for us. thing."
Vidal said that the type of command that researchers can remotely input via CHT depends on the model. They tested four different models (they didn't want to disclose specific manufacturers and models), and the commands were to turn off the headlights, activate the alarm, open and close the window, and access the anti-lock braking system or An emergency brake system or the like that may cause a dangerous stop of a moving vehicle to suddenly stop. In some cases, installing the device requires opening the hood or the trunk, while in other cases, they say they only need to climb under the car to install.
Currently, such devices can only be connected via Bluetooth, which limits the distance of wireless attacks to a few feet. But the two researchers said that when they showcase their research in Singapore, they will upgrade to a GSM cellular radio, making it possible to control the device a few miles away.
OBD vulnerability
Through the OBD interface of the vehicle, malicious programs are written into the car to cause the vehicle to malfunction. This is difficult to implement because the OBD interface is often in the car, and the main route is to wait for the opportunity to operate the car when the car is repaired;
Installing the chipset into the car or invading the OBD is not very clever, but it is the best use. After all, the existing car control system basically does not have too much security protection, it is easier to crack, if it can pass OBD Intrusion into the system bus, it is much easier to control the engine ECU, as long as the car itself has enough functions, in addition to controlling acceleration and braking, it can even take over steering (pure electronic assist or line-controlled active steering, etc.).
Another popular hidden danger exists in the “OBD communication equipment†purchased and installed by the owner. Now some electronic manufacturers have launched WIFI or Bluetooth devices based on reading the OBD information of the car, which can transmit the car information to the mobile phone via WIFI or Bluetooth. Or in the computer, this allows the owner to know more about the vehicle information, and even upload it to the Internet via the mobile phone app, and exchange driving information such as fuel consumption, which seems to be beneficial and harmless. In fact, there are hidden dangers. A malicious OBD intrusion procedure is implanted, and even a regular product may be handed down by a bad business in the sales process. This hidden danger may already exist.
Wireless control
Nowadays, cars with advanced points have networking functions. Whether it is smart co-driver or connected driving, once connected to the network, it is very likely to be invaded. This is the same reason that computers are attacked by hackers.
Freescale Semiconductor Technician Richard Soja said: "Remote wireless intrusion will become the main threat to in-vehicle systems. There are many ways to save data on a specific chip." Although remote wireless intrusion is not currently listed as the most Threats in the car connection system attack means, but several related studies have shown its potential harm. Component suppliers and subsystem developers are looking for ways to prevent outsiders from invading the in-vehicle network.
Bjoern Steurich, head of the Infineon cross-functional team, said: "One of the effective ways to prevent this is to use digital signatures for data-safe data transmission on the vehicle bus. This is compared to encrypting all data over the bus. One method is more practical because it is not affected by network bandwidth.†Smartphones have always been an object of interest to hackers, and as they become more closely connected to in-vehicle systems, they will also become exploitable by hackers to invade in-car connectivity systems. Breakthrough. More and more users are connecting their smartphones to the system, using applications and entertainment features, and there is a lot of data transfer during which any vulnerability can cause the system to be "black."
Third, the invasion of the car instance
Hacking the Prius and the Wing Tiger
Last year, Charlie Miller, a software security engineer at Twitter, and Chris Valasek, director of smart security at IOActive Security, said they were attacking cars via a network attack with permission from the US government. A few months of research will be conducted; a 100-page white paper will be published in the future detailing the methods used to attack the key systems of the Toyota Prius and Ford Maverick.
Two experts said that it is possible to force the Prius to brake at 80 mph (128 km/h), make the car slam the steering wheel and accelerate the engine; it can also make the Mavericks brake at very low speeds. No matter how the driver slams on the brakes, the vehicle will continue to move forward.
Miller and Varasek have said they have played the role of "White Hats", a hacker who finds software vulnerabilities in front of criminals to prevent loopholes from being exploited by criminals. Miller said: "Rather than believing in Ford and Toyota, I would rather trust the eyes of 100 security researchers."
Crack the six-digit password to easily unlock Tesla
On March 28th, at the Black Hat Security Conference in Singapore, cyber security consultant Nitesh Dhanjani announced that the recent research on the Tesla Model S luxury sports car found that the car security system has several design flaws, but the main system of the vehicle No hidden software vulnerabilities were found.
When the owner purchases Tesla electric car products, he needs to set up an account with a password of 6 digits. This password is used to unlock the smartphone app function and enter the owner's online Tesla account. This free app feature locates the vehicle and unlocks it remotely, as well as controls and monitors other features.
Dhanjani explained that Tesla Model S's account password security is low, and several hacking methods like stealing computer account passwords or online account passwords may make password security very vulnerable. The 6-digit password does not change much. Hackers may guess the password through the Tesla website and be able to locate the vehicle and steal relevant privacy.
Fourth, automotive network information security countermeasures
Each phase of the life cycle is guaranteed one by one
Management (overall) Regardless of the stage of the car's life cycle, product providers must constantly implement security measures. We will develop a holistic approach and implement consistent security measures at all stages in accordance with this policy. If you develop security measures from scratch every time you develop products and services, not only will it cause a lot of waste, but it may also cause deviations in the organization's security measures. In terms of management, it is especially important to cultivate talents who are proficient in information security, formulate basic rules throughout the development system, and continuously collect information related to the “everyday†attack method.
It is very important to combine the security measures from the planning stage before entering the actual development. Because in the planning stage, it is often necessary to discuss the budget of the entire life cycle of the car. At this stage, the concept and equipment of the car will be determined. At this time, it is necessary to consider the importance of the safety of each function, and allocate a budget for countermeasures that are in line with the importance. Moreover, when choosing the features of the vehicle and handing it over to the development side, don't forget to include safety requirements.
Development phase In the manufacturing phase, automotive companies and component companies design hardware and software and install them on the car, which is the front line of security measures. What must be done at this stage is "accurate installation of the requirements definition", "disclosure when installing", "in the event of a vulnerability, it must be discovered before shipment." As for related countermeasures, please also refer to the previous articles in this series. In addition, if the budget is sufficient, it is necessary to purchase a vulnerability assessment device.
The use phase is the stage in which the user buys the car through a sales store or the like. During the use of the vehicle, a large amount of information such as location information, software downloaded by the user, user's operation record, and travel record will be stored in the vehicle and data center. Moreover, like car sharing, car rental, and company cars, there are also many cases where users are not owners and users will be replaced in the short term. Although security measures should be implemented in conjunction with the scenarios used by users, it is also important to protect privacy. In addition, if a loophole is discovered after the vehicle is sold, it is necessary to consider constructing a system that can notify the user and the owner of the relevant information, and cooperate with the sales shop and the repair shop.
In the discarding stage, when the user abandons the car due to reasons such as redemption or failure, it is often easy to ignore the safety measures. Therefore, pay special attention to this stage. Disposal methods include transfer to other users through channels such as used car sales stores, and scrapping after cancellation. Different situations must take different countermeasures.
User assistance
Among the above-mentioned initiatives throughout the life cycle, the most important thing is to “provide information to users and car-related personnel†during the use phase. Because it is almost impossible to create a system without loopholes during the development phase. The life cycle of a car is very long. New attacks and vulnerabilities are likely to occur after users start using them.
It is imperative to create a mechanism to install security patches on vehicles after use. However, it is best not to install the security patch to use the Internet like a software upgrade for a general information system. As a security countermeasure for users who may be attacked by a targeted vulnerability, an upgrade can be implemented at the time of the vehicle inspection, and a pure electric vehicle can be upgraded while charging. For example, a television set using embedded software has a case of upgrading through a television signal.
In addition, it is easy to ignore the "disposal of waste policy, etc." at the discarding stage, and special attention should be paid. In addition to car owners, cars are often driven by others. There are also many cases where users transfer used cars. The mechanism of renting a car by multiple users such as car rental and car sharing is also very popular. This requires measures to prevent the owner's personal information from falling into the hands of others.
The current car navigation system may store the owner's address, and the company's car may store the customer's information. If the car navigation device can use SNS (social network service), it may save the account, password and other data. In the world of information systems, there are many examples of discarded hard drive leaking information. Car navigation devices have also appeared on the car to display information about previous owners. In order to ensure safety, in addition to the measures taken by the company, the assistance of car users is also indispensable. In the future, it is estimated that enterprises will become more and more important to users' security enlightenment activities.
Big data" reduces network security costs
How to effectively prevent the outbreak of cybersecurity crisis in the "no manpower" situation? How to make the system easier to get the correct security policy in the broader data analysis? WatchGuard believes that the idea of ​​big data may help Busy.
Today, the lack of security professionals is very common. A report from Frost & Sullivan, a global corporate growth consulting firm, found that 56% of respondents who surveyed more than 12,000 information security professionals said their organizations lacked cybersecurity expertise and were difficult to raise. Funding for this aspect of investment.
In Wellington, New Zealand, a service provider that provides cloud infrastructure and secure hosting for users has encountered this problem. Although information security has been increasingly valued, many customers have chosen their security service company. However, as the MSSP security service provider, they are similar to the customer's situation, and they also encounter the problem of “lack of peopleâ€. The company's decision-making level said that from the perspective of security risks, we must not let go of every suspicious log, because this is the key to helping customers eliminate threats and guarantee service quality. However, "there is not enough people", especially the shortage of advanced cyber threat analysts, and the engineers are dragged down by the tedious log analysis work, which consumes everyone's energy and seriously restricts the company's business. The speed of development.
In the process of finding answers to the questions, the MSSP chose the Dimension solution from WatchGuard. The new analytics system leverages cloud computing and big data technologies to provide easy access to key points of security threats and trends. The company's technical director said that their business unit can be completely open, because Dimension cloud security network solution helps the technical department to achieve intelligent, agile, simple log analysis, and the ability to threat alert, tracking and analysis is not Rely rely entirely on manpower. Dimension's analysis report has become the growth point of business revenue. The automated real-time generated threat assessment report and corresponding security policy recommendations provide MSSP customers with the highest level of service.
Dimension works in a more efficient and convenient cloud operating environment and uses state-of-the-art big data technology as the underlying support for log analysis. The integration of ideas and technology allows Dimension to gain insight into network changes and recommend more professional security policies to users. Under the guidance of the tree-level menu, administrators and decision-makers can have “self-contained†data reports, and efficiently excavate the danger zone buried deep in the network. In addition, based on the global threat map's presentation layer design and reports of more than 70 data sets, the results of threat detection can be clearly seen, including dynamic dashboards, professional guidance, and practical results of outstanding customers.
China leading manufacturers and suppliers of Smart Solar Street Light,Solar Street Lighting System, and we are specialize in Integrated Solar Street Light,All In One Solar Street Light, etc.
Solar Street Light
Smart Solar Street Light,Solar Street Lighting System,Integrated Solar Street Light,All In One Solar Street Light
Jiangmen Liangtu Photoelectric Technology Co., Ltd. , https://www.liangtulight.com