Chinese translation: SAE Shanghai Office
New auto "ISAC" is framework for improved cybersecurity
The 2016 SAE Congress forum on Connectivity sounded like a meeting in a war room—peppered with terms like "notification of attack" and "assets deployed" along with talk of "new alliances" and "global risks." And in a sense, it was such a discussion.
The urgency of the cybersecurity topic has created the need for advanced approaches to defense. The auto industry has formed an overarching answer that is similar to what already has been done in aviation—an Information Sharing and Analysis Center (ISAC).
The aviation ISAC is a framework for anonymously collecting and analyzing anything that could attack all OE architectures, explained Faye Francy, its executive director. The automotive equivalent, which has just become operational, also will serve as a central hub for gathering intelligence to track cyber threats and identify weaknesses in vehicle electronics that are common to more than one manufacturer.
Auto-ISAC, formed by two industry associations, has 22 members. "We're all getting attacked at some level," Francy said.
The openness of the automobile to malware intrusion was one issue addressed in different ways by the forum panelists. The threat of hackers "drives a wedge into people's trust," said Brian Murray, ZF TRW Global Director of Safety and Security Excellence.
If there's a perception that something is not safe, it doesn't matter to the public whether it actually is, even if there has been no physical or kinetic damage to date, added Dan Massey, program manager on cybersecurity at the U.S. Department of Homeland Security (DHS). And when there is damage, the absolute numbers often aren't important, claimed Doug Britton, CEO of Kaprica Security.
"A small number is enough; you don't need 50,000," Britton noted. "You could do it with 10."
ABS service command an issue
A serious issue could be posed by so common a vulnerability as the command to disable the vehicle’s ABS (anti-lock brakes) actuator, noted Andrew Weimerskirch, cybersecurity researcher at the University of Michigan. Automotive service technicians have had to use this command for many years to permit bleeding the ABS section of the hydraulic brake system, particularly when a new brake pressure modulator valve assembly is installed, so as to purge any air and fill the circuits with brake fluid.
The ABS disabling capability is routinely built into all but the most basic scan tools, and a hacker accessing it through an OBD II gateway or an installed dongle could raise it to the level of a threat. "This command should not exist," Weimerskirch said.
However, with current ABS control configurations, isolating it is not necessarily simple on many cars. And it's just one example. ZF TRW's Murray raised the entire problem of secure service access. He told the attendees that electronic service decisions and trouble code modifications typically come late in the vehicle design cycle, when warranty concerns may be raised.
The present level of built-in vulnerability was raised by the DHS's Dan Massey. "Sometimes my fifth grade daughter has been able to pair her phone with another car," he reported.
Effect of Right-to-Repair laws
The effect of Right-to-Repair laws, such as the impending one in Massachusetts, is that access to problematic commands will be available to all garages, not just independent ones—effectively to anyone willing to pay the access fees. Although the dealer technician may be "more trustworthy," cybersecurity specialists including Weimerskirch have made it clear that the protection must be based on passing through packets of needed OE information without an externally-inserted ability to change it.
However, the cybersecurity specialists must deal with the issue of the commands themselves. Under Right to Repair, Volkswagen, for example, would have to release the software that permits operating the electric power steering rack and shutting off the engine.
The remote key fob, an established entry point, also has become a serious vulnerability, ZF TRW's Murray said. "If you lose the keys to a car, you can effectively turn it into a 'brick,'" he told the audience.
There are many ideas to improve automotive cybersecurity, Weimerskirch told the session. But first a test platform is needed, to enable researchers to validate them. A related issue was cited by Kaprica's Britton: it's important that the flow of ideas "doesn't also translate into a big bill of materials."
Author: Paul Weissler
Source: SAE Automotive Engineering Magazine