Intel's "bumper-to-bumper" vehicle security approach
As vehicle connectivity becomes ubiquitous, the threat of being hacked rises. The longer a car is on the road, the more its access points become exposed. Thus the industry's feverish race to find a robust and ongoing cyber defense at every level. At the 2016 SAE World Congress, an expert at microprocessor supplier Intel gave her assessment of what the industry must do to ensure that defense.
According to Lorie Wigle, General Manager of Intel's Internet of Things (IoT) Security, while encryption (particularly of the CAN bus) has been highly touted, "the reality is encryption is going to address just part of the threat."
There is no "silver bullet" solution, Wigle said. Security must be a continuing operation, not a single preparatory event. And it extends beyond the vehicle.
Biggest bang in cloud
"Clouds and infrastructure also must be secured," she explained, noting that the "biggest bang for the buck" for a high-threat attacker is in "the cloud," not the car parc.
Although many consider today's threat level high, the automotive fleet actually represents relatively low complexity, despite the fact that a typical car has 25 to 200 microprocessors and up to 65 million lines of code, about half of which are for the multimedia systems, she said. A current luxury model has 144 ECU connections—73 are on CAN buses, 61 are on LIN (Local Interconnect Network) buses and 10 on FlexRay. Further, a fully optioned vehicle may have up to 100 electric motors for interior controls.
The cloud may be the highest value target, but the vehicle itself is the object of many groups of potential attackers. Wigle pointed out six primary threat models. The most common is the car thief, whose access into the vehicle is typically physical entry but also via wireless. More technically astute is the hacker seeking his minutes of fame and working the purely wireless approach.
The highest threats, however, come from the criminal who may have medium to very high technical knowledge and can combine wireless with physical access to pose a danger to passengers. There's also the workshop tuner with total physical access to modify a vehicle's control settings. Perhaps the highest hacker-threat comes from counterfeiters and competitors, who have physical access and are looking to understand the vehicle architecture.
According to Wigle, the present level of telematics is largely in the entertainment area, whereas the future is a fully connected environment—V2V, V2I and V2X (vehicle to vehicle and infrastructure, and real-time integration with on-board drive/brake systems). Vehicle automated operation is on a handful of cars, and limited in most cases to advanced forms of adaptive cruise and related semi-autonomous systems.
Data analytics on-board is currently focused on performance and such navigation-related items as vehicle location, whereas the future will go well beyond, into vehicle-driver personal data.
Bumper-to-bumper defense
The term "bumper to bumper" used to only describe a vehicle's warranty. Recently it has also come to describe the adaptive security perimeter around the vehicle and extending into the cloud, Wigle said. Best practices will require moving "attack surfaces" to the cloud where possible. She pointed to Intel McAfee's cloud-based IPS (Intrusion Prevention System) as an example.
However, Intel also is promoting its vehicle enhanced head unit including a "Hardware Security Module" intended to provide broad-based operating and security hardware coverage. The system includes a Wind River hypervisor, which can run multiple operating systems on a single central processing unit, and Intel's PC-established "Trusted Execution Engine." This hardware technology is designed to attest to the authenticity of a platform and its operating system and establish levels of trust to provide security.
OTA (over the air) software updates, Wigle said, will not be between individual devices, but from and to certified groups.
There are two sides of providing vehicle electrical system security, she noted. One is a secure, flexible development process as described in the guidebook for SAE J3061. This requires identifying and numbering all attack surfaces and conducting threat analyses, reducing attack surfaces and hardening the hardware and software. It is accompanied by SAE J3101, which defines a common set of requirements for hardware protection which exceeds the capability of the software alone.
Wigle also pointed to Intel's formation of the Automotive Security Review Board, to be composed of researchers from industry vendors, to develop solutions using Intel-based platforms. ASRB is working with three "white hat" security research operations—IOActive, iamthecavalry.org and opengarages.org—to recruit cybersecurity professionals to contribute.
Author: Paul Weissler
Source: SAE Automotive Engineering Magazine