
Daniel Kent 19 March 2019


Presentation Transcript


  1. Project Proposal: Assuring Vehicle ECU Update Integrity using Public Key Infrastructure (PKI) and Public Key Cryptography (PKC) Daniel Kent 19 March 2019

  2. Problem Statement
     • Currently, ECU firmware is barely protected, if at all
     • Miller et al. demonstrated capability to reprogram ECUs even with manufacturer obfuscation
       • Tools to reprogram cost thousands of dollars, but can be obtained/cloned by unauthorized third parties
       • Key word: obfuscation (not encryption!)
     • ECU tuning is commonly performed by enthusiasts looking to improve performance
       • May result in increased emissions (sometimes deliberately)
       • How trustworthy is third-party modified/developed/hosted firmware?
     • ECU firmware upgrades are typically performed at dealerships
       • Expensive/time-consuming for all parties involved
       • Opens up risks if dealerships become compromised
     • There is a push to perform automotive updates OTA – but how can OTA updates be protected from errors (deliberate or otherwise)?

  3. Problems with Off-The-Shelf Solutions
     • Obvious solution: sign/encrypt firmware using PKC/PKI
       • Commonly used in smartphones; allows assured OTA updates, and wholesale firmware flashing [android].
     • There are problems with this approach:
       • Maintaining PKI is expensive (see: SSL Authorities)
         • Also: long chain of trust can be vulnerable
       • Multiple interested parties (Manufacturer, Tier 1) mean that single-signature solutions are not adequate
       • ECUs are typically resource-constrained and built on a tight budget; additional hardware/code must be justified
     • Solution must not just address technical problems, but organizational ones as well

  4. Research Direction
     • Research will cover four main areas:
       • Analysis of existing PKI/PKC systems
       • Proposal for PKI-based ECU Update Structure
       • Analysis of Threat Surface for Proposed Structure
       • Discussion of Impact of Proposed Structure
     • Analysis of Existing PKI/PKC Systems
       • US Department of Defense Common Access Card (CAC)
       • SSL Authority System
       • Smartphone Updates (Android)
       • Vehicle-Related Prior Art (Intel, Hyundai patents)

  5. Research Direction (Continued)
     • Proposal for PKI-based ECU Update Structure
       • Hybrid-signature approach
         • Tier 1 signs code; auto manufacturer signs code, T1 signature, and configuration
         • Can be encrypted (entire update is encrypted) or signed (only signature is encrypted)
       • 3-segment PKI Chain – Root, Year, Model
       • Private Keys are kept on physical tokens (smart cards)
         • Reduces possibility of keys getting stolen from a compromised computer
         • Provides more time to update all ECUs if tokens are stolen
     • Analysis of Threat Surface for Proposed Structure
       • Stolen/Counterfeit Certificates
       • Malicious access to software development repository

  6. Research Direction (Continued)
     • Discussion of Impact of Proposed Structure
       • Hybrid-signature approach
       • Hardware requirements for PKC/PKI verification on ECUs
         • Existing interest in security coprocessors on ECUs
         • Need to address space requirements
       • Cross-ECU Validation not addressed
       • Timing of ECU Updates not addressed
     • Impact on Automotive Repair
       • ECU updates could be performed by third parties instead of dealerships, while assuring ECU firmware load
       • Would curtail ECU tuning – could be seen as negative in enthusiast/right-to-repair circles

  7. Supplemental Material

  8. Supplemental – Dual Signed Updates

  9. Supplemental – Keying
     • Current proposal uses three layers of keys
       • Smaller chains less expensive to maintain, but more vulnerable to attack
     • Keys protected using smartcards or other physical tokens that perform signature operations
       • Prevents private keys from leaving tokens

  10. Supplemental – Update Option 1
     • Option 1: Only validate against stored subkey
       • Pros:
         • Not vulnerable to key disclosure at higher levels
       • Cons:
         • Key replacement must be signed with old key

  11. Supplemental – Update Option 2
     • Option 2: Update provides intermediate keys in instance where lower-level key has changed
       • Pros:
         • Can change key without requiring old (possibly insecure) key
       • Cons:
         • Requires updater to provide new subkey
         • Disclosure of higher-level keys affects more ECUs and will require more updates
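The following is an added worked example, not code from the proposal or its author, showing the dual-signed update from slides 5 and 8 (Tier 1 signs the firmware; the manufacturer's model key signs code, T1 signature and configuration) and the two ECU-side verification options from slides 10 and 11. It assumes Ed25519 signatures (the slides do not name an algorithm), a toy certificate format consisting of an issuer signature over name||public key in place of real X.509 certificates, a three-link Root → Year → Model chain, and that the Tier 1 signing key is certified by the model key; all keys, firmware images and configuration bytes are constructed in the code. The ECU keeps the root key and one stored model subkey; Option 1 trusts only the stored subkey, while Option 2 re-derives the model key from the root via the chain bundled with the update, which is what lets a rotated subkey be accepted without any signature from the old key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// cert is a constructed stand-in (not X.509) for one chain link: the issuer's signature over name||key.
type cert struct{ name string; pub ed25519.PublicKey; sig []byte }

func certBytes(name string, pub ed25519.PublicKey) []byte { return append([]byte(name+"|"), pub...) }
func issue(issuer ed25519.PrivateKey, name string, pub ed25519.PublicKey) cert {
	return cert{name, pub, ed25519.Sign(issuer, certBytes(name, pub))}
}

// verifyChain walks root -> chain[0] -> chain[1] ... and returns the leaf (model) key.
func verifyChain(root ed25519.PublicKey, chain []cert) (ed25519.PublicKey, error) {
	signer := root
	for _, c := range chain {
		if !ed25519.Verify(signer, certBytes(c.name, c.pub), c.sig) {
			return nil, fmt.Errorf("certificate %q not signed by its expected issuer", c.name)
		}
		signer = c.pub
	}
	return signer, nil
}

// update is the dual-signed package: Tier 1 signs the firmware, then the manufacturer's
// model key signs firmware || tier1Sig || config. The chain is carried for Option 2.
type update struct {
	firmware, config, tier1Sig, mfrSig []byte
	tier1Cert                          cert   // Tier 1 key certified by the model key (assumption)
	chain                              []cert // Year and Model certificates
}

func mfrPayload(u update) []byte {
	return append(append(append([]byte{}, u.firmware...), u.tier1Sig...), u.config...)
}

// ecu keeps the root key (fixed at manufacture) and the currently stored model subkey.
type ecu struct{ root, modelKey ed25519.PublicKey }

// verifyUpdate implements both options: Option 1 checks only against the stored subkey;
// Option 2 re-derives the model key from the root via the bundled chain (no old key needed).
func (e *ecu) verifyUpdate(u update, option int) error {
	modelKey := e.modelKey
	if option == 2 {
		k, err := verifyChain(e.root, u.chain)
		if err != nil {
			return err
		}
		modelKey = k
	}
	switch {
	case !ed25519.Verify(modelKey, mfrPayload(u), u.mfrSig):
		return fmt.Errorf("manufacturer signature invalid")
	case !ed25519.Verify(modelKey, certBytes(u.tier1Cert.name, u.tier1Cert.pub), u.tier1Cert.sig):
		return fmt.Errorf("tier 1 certificate not issued by the model key")
	case !ed25519.Verify(u.tier1Cert.pub, u.firmware, u.tier1Sig):
		return fmt.Errorf("tier 1 firmware signature invalid")
	}
	e.modelKey = modelKey // under Option 2 this may be a freshly rotated subkey
	return nil
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// build signs a constructed firmware image under a fresh model key issued by yearPriv.
func build(yearPriv ed25519.PrivateKey, yearCert cert, fw, cfg []byte) (update, ed25519.PublicKey) {
	modelPub, modelPriv := keypair()
	t1Pub, t1Priv := keypair()
	u := update{firmware: fw, config: cfg, tier1Sig: ed25519.Sign(t1Priv, fw)}
	u.tier1Cert = issue(modelPriv, "tier1", t1Pub)
	u.chain = []cert{yearCert, issue(yearPriv, "model", modelPub)}
	u.mfrSig = ed25519.Sign(modelPriv, mfrPayload(u))
	return u, modelPub
}

// scenario exercises both options against a valid update, a tampered image and an update
// signed under a rotated model key; a nil error means the ECU accepted the update.
func scenario() (valid1, valid2, tampered, rotated1, rotated2 error) {
	rootPub, rootPriv := keypair()
	yearPub, yearPriv := keypair()
	yearCert := issue(rootPriv, "2019", yearPub)
	u, modelPub := build(yearPriv, yearCert, []byte("constructed firmware v1"), []byte("calibration=A"))
	e := &ecu{root: rootPub, modelKey: modelPub}
	valid1, valid2 = e.verifyUpdate(u, 1), e.verifyUpdate(u, 2)
	bad := u
	bad.firmware = []byte("constructed firmware v1 (modified)")
	tampered = e.verifyUpdate(bad, 1)
	u2, _ := build(yearPriv, yearCert, []byte("constructed firmware v2"), []byte("calibration=A")) // new model key
	rotated1 = e.verifyUpdate(u2, 1) // stored subkey no longer matches
	rotated2 = e.verifyUpdate(u2, 2) // the chain from the root validates the new subkey
	return
}

func main() { fmt.Println(scenario()) }
```

Running the scenario shows the trade-off the two slides describe: Option 1 rejects the update signed by the rotated model key because the ECU can only check against the subkey it already stores, while Option 2 accepts it after validating the bundled Year and Model certificates back to the root, at the cost of every ECU depending on those higher-level keys for the rest of their lifetime.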
