Diffstat (limited to 'docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity')
4 files changed, 55 insertions, 59 deletions
diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.0_Abstract.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.0_Abstract.md index ad11649..499d858 100644 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.0_Abstract.md +++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.0_Abstract.md @@ -1,12 +1,7 @@ --- -edit_link: '' title: Introduction -origin_url: >- - https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-7/0_Abstract.md --- -<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml --> - # Part 7 - Connectivity ## Abstract diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.1_Bus_And_Connectors.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.1_Bus_And_Connectors.md index 4403d41..c7b577a 100644 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.1_Bus_And_Connectors.md +++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.1_Bus_And_Connectors.md @@ -1,12 +1,7 @@ --- -edit_link: '' title: Bus and connectors -origin_url: >- - https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-7/1-BusAndConnectors.md --- -<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml --> - # Bus We only speak about the **CAN** bus to take an example, because the different 
@@ -15,8 +10,8 @@ engineering and the main argument to improve their security is to encrypt data packets. We just describe them a bit: - **CAN**: Controller Area Network, developed in the early 1980s, is an - event-triggered controller network for serial communication with data rates - up to one MBit/s. **CAN** messages are classified over their respective + event-triggered controller network for serial communication with data rates up + to one MBit/s. **CAN** messages are classified over their respective identifier. **CAN** controller broadcast their messages to all connected nodes and all receiving nodes decide independently if they process the message. - **FlewRay**: Is a deterministic and error-tolerant high-speed bus. With a data 
@@ -37,16 +32,17 @@ packets. We just describe them a bit: On just about every vehicle, **ECU**s (**E**lectronic **C**ontrol **U**nits) communicate over a CAN bus, which is a two-wire bus using hardware arbitration for messages sent on the shared medium. This is essentially a *trusted* network -where all traffic is visible to all controllers and any controller can send any message. +where all traffic is visible to all controllers and any controller can send any +message. A malicious **ECU** on the CAN bus can easily inject messages destined for any other device, including things like the instrument cluster and the head unit. -There are common ways for hardware to do USB to CAN and open source software to send -and receive messages. For example, there is a driver included in the Linux kernel -that can be used to send/receive CAN signals. A malicious device on the CAN bus can -cause a great number of harmful things to happen to the system, including: sending -bogus information to other devices, sending unintended commands to ECUs, -causing DOS (Denial Of Service) on the CAN bus, etc. +There are common ways for hardware to do USB to CAN and open source software to +send and receive messages. For example, there is a driver included in the Linux +kernel that can be used to send/receive CAN signals. A malicious device on the +CAN bus can cause a great number of harmful things to happen to the system, +including: sending bogus information to other devices, sending unintended +commands to ECUs, causing DOS (Denial Of Service) on the CAN bus, etc. <!-- section-config --> 
@@ -56,7 +52,9 @@ Connectivity-BusAndConnector-Bus-1 | CAN | Implement hardware solution in <!-- end-section-config --> -See [Security in Automotive Bus Systems](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf) for more information. +See [Security in Automotive Bus +Systems](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf) +for more information. # Connectors diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md index 1be314d..ce0259e 100644 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md +++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.2_Wireless.md @@ -1,12 +1,7 @@ --- -edit_link: '' title: Wireless -origin_url: >- - https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-7/2-Wireless.md --- -<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml --> - # Wireless In this part, we talk about possible remote attacks on a car, according to the 
@@ -46,16 +41,21 @@ Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?). -------------------------------------------------------------------------------- For existing automotive-specific means, we take examples of existing system -attacks from the _IOActive_ document ([A Survey of Remote Automotive Attack Surfaces](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf)) -and from the ETH document ([Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars](https://eprint.iacr.org/2010/332.pdf)). +attacks from the _IOActive_ document ([A Survey of Remote Automotive Attack +Surfaces](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf)) +and from the ETH document ([Relay Attacks on Passive Keyless Entry and Start +Systems in Modern Cars](https://eprint.iacr.org/2010/332.pdf)). - [Telematics](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A40%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) -- [Passive Anti-Theft System (PATS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A11%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C574%2C0%5D) +- [Passive Anti-Theft System + (PATS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A11%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C574%2C0%5D) -- [Tire Pressure Monitoring System (TPMS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A17%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) +- [Tire Pressure Monitoring System + (TPMS)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A17%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) -- [Remote Keyless Entry/Start (RKE)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A26%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) 
+- [Remote Keyless Entry/Start + (RKE)](https://www.ioactive.com/pdfs/IOActive_Remote_Attack_Surfaces.pdf#%5B%7B%22num%22%3A26%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C60%2C720%2C0%5D) - [Passive Keyless Entry (PKE)](https://eprint.iacr.org/2010/332.pdf) @@ -85,10 +85,11 @@ We can differentiate existing attacks on wifi in two categories: Those on - **WPA** attacks: - **Beck and Tews**: Exploit weakness in **TKIP**. "Allow the attacker to - decrypt **ARP** packets and to inject traffic into a network, even - allowing him to perform a **DoS** or an **ARP** poisoning". + decrypt **ARP** packets and to inject traffic into a network, even allowing + him to perform a **DoS** or an **ARP** poisoning". - [KRACK](https://github.com/kristate/krackinfo): (K)ey (R)einstallation - (A)tta(ck) ([jira AGL SPEC-1017](https://jira.automotivelinux.org/browse/SPEC-1017)). + (A)tta(ck) ([jira AGL + SPEC-1017](https://jira.automotivelinux.org/browse/SPEC-1017)). ### Recommendations @@ -110,9 +111,9 @@ Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software <!-- end-section-config --> -See [Wifi attacks WEP WPA](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf) -and [Breaking wep and wpa (Beck and Tews)](https://dl.aircrack-ng.org/breakingwepandwpa.pdf) -for more information. +See [Wifi attacks WEP WPA](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf) and +[Breaking wep and wpa (Beck and +Tews)](https://dl.aircrack-ng.org/breakingwepandwpa.pdf) for more information. -------------------------------------------------------------------------------- 
@@ -132,7 +133,8 @@ for more information. features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters. - **Bluejacking** is the sending of unsolicited messages. -- **BLE**: **B**luetooth **L**ow **E**nergy [attacks](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf). +- **BLE**: **B**luetooth **L**ow **E**nergy + [attacks](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf). - **DoS**: Drain a device's battery or temporarily paralyze the phone. ### Recommendations @@ -142,8 +144,8 @@ for more information. - Monitoring. - Use **BLE** with caution. - For v2.1 and later devices using **S**ecure **S**imple **P**airing (**SSP**), - avoid using the "Just Works" association model. The device must verify that - an authenticated link key was generated during pairing. + avoid using the "Just Works" association model. The device must verify that an + authenticated link key was generated during pairing. <!-- section-config --> 
@@ -157,10 +159,13 @@ Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow do <!-- end-section-config --> -See [Low energy and the automotive transformation](http://www.ti.com/lit/wp/sway008/sway008.pdf), -[Gattacking Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf), -[Comprehensive Experimental Analyses of Automotive Attack Surfaces](http://www.autosec.org/pubs/cars-usenixsec2011.pdf) -and [With Low Energy comes Low Security](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf) +See [Low energy and the automotive +transformation](http://www.ti.com/lit/wp/sway008/sway008.pdf), [Gattacking +Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf), [Comprehensive +Experimental Analyses of Automotive Attack +Surfaces](http://www.autosec.org/pubs/cars-usenixsec2011.pdf) and [With Low +Energy comes Low +Security](https://www.usenix.org/system/files/conference/woot13/woot13-ryan.pdf) for more information. -------------------------------------------------------------------------------- @@ -177,7 +182,8 @@ for more information. the service provider's real towers, it is considered a man-in-the-middle (**MITM**) attack. -- Lack of mutual authentication (**GPRS**/**EDGE**) and encryption with **GEA0**. +- Lack of mutual authentication (**GPRS**/**EDGE**) and encryption with + **GEA0**. - **Fall back** from **UMTS**/**HSPA** to **GPRS**/**EDGE** (Jamming against **UMTS**/**HSPA**). 
@@ -197,7 +203,8 @@ Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against Jamming. <!-- end-section-config --> -See [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf) +See [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data +communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf) for more information. -------------------------------------------------------------------------------- @@ -234,7 +241,8 @@ Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concernin ### Recommendations -- Should implements protection against relay and replay attacks (Tokens, etc...). +- Should implements protection against relay and replay attacks (Tokens, + etc...). - Disable unneeded and unapproved services and profiles. - NFC should be use encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellmann based on RSA or Elliptic Curves could be applied diff --git a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.3_Cloud.md b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.3_Cloud.md index 36c4df8..d4112fc 100644 --- a/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.3_Cloud.md +++ b/docs/2_Architecture_Guides/2.2_Security_Blueprint/7_Connectivity/1.2.7.3_Cloud.md @@ -1,12 +1,7 @@ --- -edit_link: '' title: Cloud -origin_url: >- - https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-7/3-Cloud.md --- -<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml --> - # Cloud ## Download 
@@ -16,8 +11,8 @@ origin_url: >- characteristics bound to that device, entity or person. - **Authorization**: Parses the network to allow access to some or all network -functionality by providing rules and allowing access or denying access based -on a subscriber's profile and services purchased. + functionality by providing rules and allowing access or denying access based + on a subscriber's profile and services purchased. <!-- section-config --> @@ -75,10 +70,10 @@ Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed ## Transport -For data transport, it is necessary to **encrypt data end-to-end**. To prevent **MITM** attacks, -no third party should be able to interpret transported data. Another aspect -is the data anonymization in order to protect the leakage of private information -on the user or any other third party. +For data transport, it is necessary to **encrypt data end-to-end**. To prevent +**MITM** attacks, no third party should be able to interpret transported data. +Another aspect is the data anonymization in order to protect the leakage of +private information on the user or any other third party. The use of standards such as **IPSec** provides "_private and secure communications over IP networks, through the use of cryptographic security @@ -99,8 +94,8 @@ to configure each application to **IPSec** standards. - Integrity: A service that consists in ensuring that data has not been tampered with accidentally or fraudulently. - Replay Protection: A service that prevents attacks by re-sending a valid - intercepted packet to the network for the same authorization. - This service is provided by the presence of a sequence number. + intercepted packet to the network for the same authorization. This service is + provided by the presence of a sequence number. - Key management: Mechanism for negotiating the length of encryption keys between two **IPSec** elements and exchange of these keys. |
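Review bot: Dropping the `<!-- WARNING: This file is generated by fetch_docs.js ... -->` comment together with the `origin_url` and `edit_link` keys in the `@@ -1,12 +1,7 @@` hunk of each of the four files turns these pages from fetched copies into files maintained in this tree, but nothing in the diff updates the fetch side; confirm that fetch_docs.js and the referenced `security_blueprint-security-blueprint-book.yml` no longer regenerate these paths, otherwise the reflow is overwritten on the next fetch, and check that the site template does not require the `edit_link` front-matter key to render.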
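Review bot: The reflowed CAN bullet in `@@ -15,8 +10,8 @@` of 1.2.7.1_Bus_And_Connectors.md keeps two wording defects that should be fixed while the line is being rewritten: "**CAN** controller broadcast their messages" should be "**CAN** controllers broadcast their messages", and "up to one MBit/s" is clearer as "up to 1 Mbit/s". The adjacent context line "**FlewRay**: Is a deterministic and error-tolerant high-speed bus" misspells the bus name; it is FlexRay.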
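Review bot: The rewritten paragraph in `@@ -37,16 +32,17 @@` of 1.2.7.1_Bus_And_Connectors.md spells the abbreviation "DOS (Denial Of Service)" while 1.2.7.2_Wireless.md in this same change uses "**DoS**"; since the line is being touched anyway, use the conventional "DoS" in both files. The sentence "There are common ways for hardware to do USB to CAN and open source software to send and receive messages" is also awkward; suggest "USB-to-CAN adapters are readily available, and open source software can send and receive messages on the bus".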
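Review bot: The Beck and Tews bullet in `@@ -85,10 +85,11 @@` of 1.2.7.2_Wireless.md is reflowed but still reads "Exploit weakness in **TKIP**"; make it "Exploits a weakness in **TKIP**" so it matches the sentence form of the KRACK bullet below it. The quoted sentence "Allow the attacker to decrypt **ARP** packets and to inject traffic into a network" carries no inline attribution; if it is taken from the Beck and Tews paper linked at the end of the section, say so next to the quote.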
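Review bot: In `@@ -177,7 +182,8 @@` of 1.2.7.2_Wireless.md the reflowed bullet "Lack of mutual authentication (**GPRS**/**EDGE**) and encryption with **GEA0**" is misleading as written, because GEA0 is the null algorithm, i.e. no encryption at all; suggest "and use of the null cipher **GEA0** (no encryption)" so the risk reads correctly.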
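Review bot: The rewritten recommendation in `@@ -234,7 +241,8 @@` of 1.2.7.2_Wireless.md keeps the grammatical error "Should implements protection against relay and replay attacks"; change to "Should implement protection against relay and replay attacks". The following context line "NFC should be use encrypted link (secure channel). A standard key agreement protocol like Diffie-Hellmann based on RSA or Elliptic Curves could be applied" needs work too: "should use an encrypted link", "Diffie-Hellman" with one n, and Diffie-Hellman is not "based on RSA"; it is a discrete-log (or elliptic-curve, ECDH) key agreement, with RSA or ECDSA signatures used to authenticate the exchange, which is the wording that should replace it.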
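Review bot: The reflowed transport paragraph in `@@ -75,10 +70,10 @@` of 1.2.7.3_Cloud.md says anonymization is needed "in order to protect the leakage of private information"; it should be "to prevent the leakage". The sentence "To prevent **MITM** attacks, no third party should be able to interpret transported data" also conflates two properties: encryption alone defeats passive interception, while a man-in-the-middle is defeated by authenticating the endpoints (certificate or identity verification), so the paragraph should state both requirements rather than attributing MITM resistance to confidentiality.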
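Review bot: The replay-protection bullet in `@@ -99,8 +94,8 @@` of 1.2.7.3_Cloud.md is reflowed correctly, but the next context line "Key management: Mechanism for negotiating the length of encryption keys between two **IPSec** elements and exchange of these keys" understates what IKE does, which is negotiating the cryptographic algorithms and the keys themselves, not only key lengths; suggest "Mechanism for negotiating the cryptographic algorithms and keys used between two IPsec peers, and for exchanging those keys". The standard spelling is IPsec; the document uses IPSec throughout, so either keep it consistently or change it document-wide, not in this one line.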