author mudcam <v.nieutin@live.fr> 2017-12-08 23:45:21 +0100
committer mudcam <v.nieutin@live.fr> 2017-12-08 23:45:21 +0100
commit 89e89e757243865c1e85b72ce22240af0ed1f14f
tree f0c251e8405b827c2693ec502d6fb486383928ab /security-blueprint/part-7
parent 687774d7352c656652128a11fc0594a3bbf23cd2
parent df4bdd6e9e5669451e7f60ecdc5c9e0d25e3f726
Merge branch 'master' of github.com:automotive-grade-linux/docs-agl into sandbox/nieutin
Diffstat (limited to 'security-blueprint/part-7')
-rw-r--r-- security-blueprint/part-7/0_Abstract.md 4
-rw-r--r-- security-blueprint/part-7/1-BusAndConnectors.md 8
-rw-r--r-- security-blueprint/part-7/2-Wireless.md 28
-rw-r--r-- security-blueprint/part-7/3-Cloud.md 12
4 files changed, 26 insertions, 26 deletions
diff --git a/security-blueprint/part-7/0_Abstract.md b/security-blueprint/part-7/0_Abstract.md
index 162aced..f7acbe5 100644
--- a/security-blueprint/part-7/0_Abstract.md
+++ b/security-blueprint/part-7/0_Abstract.md
@@ -4,13 +4,13 @@
This part shows different Connectivity attacks on the car.
-<!-- todo -->
+<!-- section-todo -->
Domain | Improvement
----------------------- | -----------------
Connectivity-Abstract-1 | Improve abstract.
-<!-- endtodo -->
+<!-- end-section-todo -->
--------------------------------------------------------------------------------
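Review bot: Nothing in this diff updates whatever reads these comment markers, so the rename to `<!-- section-todo -->` / `<!-- end-section-todo -->` here (and to `section-config` in the other three files) depends on a consumer change that is not visible; the diffstat is limited to security-blueprint/part-7 and the merge message does not mention the rename. Confirm that the renderer or stylesheet keyed on `todo` / `config` is updated in the same merge, and add a line to the commit message saying why the markers were renamed.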
diff --git a/security-blueprint/part-7/1-BusAndConnectors.md b/security-blueprint/part-7/1-BusAndConnectors.md
index 843a921..0cdedc2 100644
--- a/security-blueprint/part-7/1-BusAndConnectors.md
+++ b/security-blueprint/part-7/1-BusAndConnectors.md
@@ -25,13 +25,13 @@ packets. We just describe them a bit:
2001 on everywhere in a car, where the bandwidth and versatility of a **CAN**
network is not required.
-<!-- config -->
+<!-- section-config -->
Domain | Tech name | Recommendations
---------------------------------- | --------- | --------------------------------------------------------------------------
Connectivity-BusAndConnector-Bus-1 | CAN | Implement hardware solution in order to prohibit sending unwanted signals.
-<!-- endconfig -->
+<!-- end-section-config -->
See [Security in Automotive Bus Systems](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf) for more information.
@@ -42,7 +42,7 @@ the **USB** must be disabled to avoid attacks like BadUSB. If not, configure the
Kernel to only enable the minimum require **USB** devices. The connectors used
to diagnose the car like **OBD-II** must be disabled outside garages.
-<!-- config -->
+<!-- section-config -->
Domain | Tech name | Recommendations
----------------------------------------- | --------- | ----------------------------------------------------------------------
@@ -51,4 +51,4 @@ Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchan
Connectivity-BusAndConnector-Connectors-3 | USB | USB Boot on a ECU must be disable.
Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages.
-<!-- endconfig -->
+<!-- end-section-config -->
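Review bot: The OBD-II row, `Must be disabled outside garages.`, gives no criterion for how the vehicle establishes that it is in a garage, so the recommendation cannot be checked as written; state the condition under which the port is enabled, since the visible text names none. While these lines are open, the row above should read `USB Boot on an ECU must be disabled.`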
diff --git a/security-blueprint/part-7/2-Wireless.md b/security-blueprint/part-7/2-Wireless.md
index a324673..d3fda8b 100644
--- a/security-blueprint/part-7/2-Wireless.md
+++ b/security-blueprint/part-7/2-Wireless.md
@@ -6,13 +6,13 @@ describe attacks and how to prevent them with some recommendations. The main
recommendation is to always follow the latest updates of these remote
communication channels.
-<!-- config -->
+<!-- section-config -->
Domain | Object | Recommendations
----------------------- | ------ | ------------------------------------------------------------------
Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels.
-<!-- endconfig -->
+<!-- end-section-config -->
We will see the following parts:
@@ -26,13 +26,13 @@ We will see the following parts:
- [NFC](#nfc)
-<!-- todo -->
+<!-- section-todo -->
Domain | Improvement
----------------------- | -------------------------------------------
Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?).
-<!-- endtodo -->
+<!-- end-section-todo -->
--------------------------------------------------------------------------------
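Review bot: The todo row id `Connectivity-Wireless-1` is the same Domain id as the `Update` row in the config table at the top of this file, so one id now names both a recommendation and an open improvement. Give the todo row an id of its own so that a reference to `Connectivity-Wireless-1` is unambiguous.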
@@ -89,7 +89,7 @@ We can differentiate existing attacks on wifi in two categories: Those on
- Should protect data sniffing.
-<!-- config -->
+<!-- section-config -->
Domain | Tech name or object | Recommendations
---------------------------- | ------------------- | -------------------------------------------------------------------------
@@ -99,7 +99,7 @@ Connectivity-Wireless-Wifi-3 | WPA2 | Should protect data sniffin
Connectivity-Wireless-Wifi-4 | PSK | Changing regularly the password.
Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software or firmware to have the last security update.
-<!-- endconfig -->
+<!-- end-section-config -->
See [Wifi attacks WEP WPA](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf)
and [Breaking wep and wpa (Beck and Tews)](https://dl.aircrack-ng.org/breakingwepandwpa.pdf)
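Review bot: Row `Connectivity-Wireless-Wifi-3` (visible in the hunk header) and the bullet in the preceding hunk say `Should protect data sniffing`, which reads as the opposite of what is meant; reword to "Should protect against data sniffing." Row Wifi-4, `Changing regularly the password.`, also lacks the `Must` / `Should` requirement level used in the other tables and gives no interval; suggest "The password must be changed regularly" with the period stated.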
@@ -136,7 +136,7 @@ for more information.
avoid using the "Just Works" association model. The device must verify that
an authenticated link key was generated during pairing.
-<!-- config -->
+<!-- section-config -->
Domain | Tech name | Recommendations
--------------------------------- | ------------- | ------------------------------------------------------------
@@ -146,7 +146,7 @@ Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works"
Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable. Except when needed.
Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks.
-<!-- endconfig -->
+<!-- end-section-config -->
See [Low energy and the automotive transformation](http://www.ti.com/lit/wp/sway008/sway008.pdf),
[Gattacking Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf),
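Review bot: Row `Connectivity-Wireless-Bluetooth-5`, `Used, inter alia, to slow down brute force attacks.`, describes what anti-scanning does instead of stating a requirement, so a reader cannot tell whether it is mandatory. Phrase it like the neighbouring rows, for example "Must be used" followed by the rationale. The Bluetooth-4 cell `Configured by default as undiscoverable. Except when needed.` should be one sentence.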
@@ -179,14 +179,14 @@ for more information.
- Check antenna legitimacy.
-<!-- config -->
+<!-- section-config -->
Domain | Tech name | Recommendations
-------------------------------- | --------- | --------------------------
Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid
Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against Jamming.
-<!-- endconfig -->
+<!-- end-section-config -->
See [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf)
for more information.
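Review bot: The bullet `Check antenna legitimacy.` directly above this table has no row in it; the table stops at `Connectivity-Wireless-Cellular-2`. Either add a row for it or drop the bullet so that the text and the table agree. The `GPRS/EDGE | Avoid` cell is also missing the closing period that the row below it has.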
@@ -205,13 +205,13 @@ for more information.
- Use the **R**adio **D**ata **S**ystem (**RDS**) only to send signals for audio
output and meta concerning radio.
-<!-- config -->
+<!-- section-config -->
Domain | Tech name | Recommendations
----------------------------- | --------- | --------------------------------------------
Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concerning radio.
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
@@ -234,11 +234,11 @@ Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concernin
Certification Mark shows that products meet global interoperability standards.
- NFC Modified Miller coding is preferred over NFC Manchester coding.
-<!-- config -->
+<!-- section-config -->
Domain | Tech name | Recommendations
--------------------------- | --------- | ------------------------------------------------------
Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks.
Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles.
-<!-- endconfig -->
+<!-- end-section-config -->
diff --git a/security-blueprint/part-7/3-Cloud.md b/security-blueprint/part-7/3-Cloud.md
index af40978..ec7edea 100644
--- a/security-blueprint/part-7/3-Cloud.md
+++ b/security-blueprint/part-7/3-Cloud.md
@@ -10,14 +10,14 @@
functionality by providing rules and allowing access or denying access based
on a subscriber's profile and services purchased.
-<!-- config -->
+<!-- section-config -->
Domain | Object | Recommendations
---------------------------- | -------------- | --------------------------------------
Application-Cloud-Download-1 | authentication | Must implement authentication process.
Application-Cloud-Download-2 | Authorization | Must implement Authorization process.
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
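Review bot: These rows use the Domain prefix `Application-Cloud-...` although the file sits in security-blueprint/part-7, where the other three files in this diff all use `Connectivity-...`. If the prefix is meant to track the part, rename these ids; otherwise note in the file why Cloud is filed under Application. The Object column also mixes `authentication` and `Authorization`; pick one capitalisation.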
@@ -50,7 +50,7 @@ Application-Cloud-Download-2 | Authorization | Must implement Authorization pro
<!-- pagebreak -->
-<!-- config -->
+<!-- section-config -->
Domain | Object | Recommendations
---------------------------------- | ------------- | ----------------------------------------------------------
@@ -60,7 +60,7 @@ Application-Cloud-Infrastructure-3 | Test | Should implement scanning t
Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS).
Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority.
-<!-- endconfig -->
+<!-- end-section-config -->
--------------------------------------------------------------------------------
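Review bot: Row `Application-Cloud-Infrastructure-4` has Object `Log`, but its recommendation is `Should implement security tools (IDS and IPS).`, which concerns detection and prevention tooling and says nothing about logging. Either change the Object to match the recommendation or split this into a logging row and an IDS/IPS row.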
@@ -98,10 +98,10 @@ to configure each application to **IPSec** standards.
An additional means of protection would be to do the monitoring between users
and the cloud as a **CASB** will provide.
-<!-- config -->
+<!-- section-config -->
Domain | Object | Recommendations
----------------------------- | ----------------------------------------- | ---------------------------------
Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards.
-<!-- endconfig -->
+<!-- end-section-config -->