Towards Effective Identification and Rating of Automotive Vulnerabilities

Transcript

1. Towards Effective Identification and Rating of Automotive Vulnerabilities Pranshu Bajpai,

   Richard Enbody Michigan State University 08/05/2020 AutoSec 2020

2. Introduction ◦ Vehicles are complex members of the IoT ◦

   Not designed with interconnectivity in mind (e.g. CAN) ◦ Aftermath of vulnerability discovery ▫ Quantification of severity ▫ Pattern discovery ◦ Safety and security are not the same 2

3. Introduction ◦ Security vulnerabilities different in severity ◦ Need for

   prioritization for mitigation ◦ Vulnerability identification: ▫ What? ▫ Where? ▫ When? ▫ How? ▫ Who? 3

4. Common Vulnerability Scoring System 4 ◦ Well-established ◦ Modular and

   adaptable ◦ Indicates root causes ◦ Measures complexity and impact

5. CVSS (CVE-2012-1516) Vector string: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 5

6. CVV Identifier CVV-YYYY-CP-NNNNN ◦ CVV prefix ◦ Year ◦ Component

   ◦ Arbitrary digits 6 Source ID Protocol 00 Infotainment System 01 3rd Party Devices 02 Keyfobs and Immobilizers 03 Wireless 04 App/Software/Service 05 Others 06

7. CVV Identifier (Nissan Leaf) The Nissan Leaf vulnerability [1] CVV

   − 2016 − 05 − 45623 [1] https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ 7 When Where How

8. CVSS Adaptation to Automobiles 8 Vector Value Condition User Interaction

   Required User plugs in a 3rd party device Attack vector Network / Adjacent Network / Local / Physical Internet / Bluetooth or WiFi / Dealership / Manipulate hardware Scope Changed Keyfob -> Physical access -> OBD2 port Environmental Metrics (CIA) High Automotives are critical infrastructure

9. CVSS Rating for CVV-2015-04-11142 “Tracking connected automobiles using wireless means”

   (University of Twente [2]) https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:L/PR: N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:W/RC:R/CR:H/IR:H/AR:H/MAV: X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X Connected cars broadcast 10 unencrypted message/sec, using Wi-Fi spectrum at 5.9 gigahertz (802.11p) Messages carry unique digital signatures [2] Petit, Jonathan, Djurrre Broekhuis, Michael Feiri, and Frank Kargl. "Connected vehicles: Surveillance threat and mitigation." Black Hat Europe 11 (2015): 2015. 9

10. CVSS Rating for CVV-2015-04-11142 “Tracking connected automobiles using wireless means”

    (University of Twente [1]) https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:L/PR: N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:W/RC:R/CR:H/IR:H/AR:H/MAV: X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X 10

11. Conclusion ◦ Aftermath of vulnerability discovery ◦ Track vulnerability introduction

    during development cycle and lifetime ◦ Break down multi-faceted vulnerabilities ◦ Validate the assigned score ◦ Repository of automotive vulnerabilities 11

12. Thank you! QUESTIONS? Twitter: @amirootyet 12