diff options
| author |   mudcam <v.nieutin@live.fr> | 2017-12-08 23:45:21 +0100 |
|---|---|---|
| committer | mudcam <v.nieutin@live.fr> | 2017-12-08 23:45:21 +0100 |
| commit | 89e89e757243865c1e85b72ce22240af0ed1f14f (patch) | |
| tree | f0c251e8405b827c2693ec502d6fb486383928ab /security-blueprint/part-7 | |
| parent | 687774d7352c656652128a11fc0594a3bbf23cd2 (diff) | |
| parent | df4bdd6e9e5669451e7f60ecdc5c9e0d25e3f726 (diff) | |
Merge branch 'master' of github.com:automotive-grade-linux/docs-agl into sandbox/nieutin
Diffstat (limited to 'security-blueprint/part-7')
| -rw-r--r-- | security-blueprint/part-7/0_Abstract.md | 4 | ||||
| -rw-r--r-- | security-blueprint/part-7/1-BusAndConnectors.md | 8 | ||||
| -rw-r--r-- | security-blueprint/part-7/2-Wireless.md | 28 | ||||
| -rw-r--r-- | security-blueprint/part-7/3-Cloud.md | 12 |
4 files changed, 26 insertions, 26 deletions
diff --git a/security-blueprint/part-7/0_Abstract.md b/security-blueprint/part-7/0_Abstract.md index 162aced..f7acbe5 100644 --- a/security-blueprint/part-7/0_Abstract.md +++ b/security-blueprint/part-7/0_Abstract.md @@ -4,13 +4,13 @@ This part shows different Connectivity attacks on the car. -<!-- todo --> +<!-- section-todo --> Domain | Improvement ----------------------- | ----------------- Connectivity-Abstract-1 | Improve abstract. -<!-- endtodo --> +<!-- end-section-todo --> -------------------------------------------------------------------------------- diff --git a/security-blueprint/part-7/1-BusAndConnectors.md b/security-blueprint/part-7/1-BusAndConnectors.md index 843a921..0cdedc2 100644 --- a/security-blueprint/part-7/1-BusAndConnectors.md +++ b/security-blueprint/part-7/1-BusAndConnectors.md @@ -25,13 +25,13 @@ packets. We just describe them a bit: 2001 on everywhere in a car, where the bandwidth and versatility of a **CAN** network is not required. -<!-- config --> +<!-- section-config --> Domain | Tech name | Recommendations ---------------------------------- | --------- | -------------------------------------------------------------------------- Connectivity-BusAndConnector-Bus-1 | CAN | Implement hardware solution in order to prohibit sending unwanted signals. -<!-- endconfig --> +<!-- end-section-config --> See [Security in Automotive Bus Systems](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep1&type=pdf) for more information. @@ -42,7 +42,7 @@ the **USB** must be disabled to avoid attacks like BadUSB. If not, configure the Kernel to only enable the minimum require **USB** devices. The connectors used to diagnose the car like **OBD-II** must be disabled outside garages. -<!-- config --> +<!-- section-config --> Domain | Tech name | Recommendations ----------------------------------------- | --------- | ---------------------------------------------------------------------- @@ -51,4 +51,4 @@ Connectivity-BusAndConnector-Connectors-2 | USB | Confidential data exchan Connectivity-BusAndConnector-Connectors-3 | USB | USB Boot on a ECU must be disable. Connectivity-BusAndConnector-Connectors-4 | OBD-II | Must be disabled outside garages. -<!-- endconfig --> +<!-- end-section-config --> diff --git a/security-blueprint/part-7/2-Wireless.md b/security-blueprint/part-7/2-Wireless.md index a324673..d3fda8b 100644 --- a/security-blueprint/part-7/2-Wireless.md +++ b/security-blueprint/part-7/2-Wireless.md @@ -6,13 +6,13 @@ describe attacks and how to prevent them with some recommendations. The main recommendation is to always follow the latest updates of these remote communication channels. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations ----------------------- | ------ | ------------------------------------------------------------------ Connectivity-Wireless-1 | Update | Always follow the latest updates of remote communication channels. -<!-- endconfig --> +<!-- end-section-config --> We will see the following parts: @@ -26,13 +26,13 @@ We will see the following parts: - [NFC](#nfc) -<!-- todo --> +<!-- section-todo --> Domain | Improvement ----------------------- | ------------------------------------------- Connectivity-Wireless-1 | Add communication channels (RFID, ZigBee?). -<!-- endtodo --> +<!-- end-section-todo --> -------------------------------------------------------------------------------- @@ -89,7 +89,7 @@ We can differentiate existing attacks on wifi in two categories: Those on - Should protect data sniffing. -<!-- config --> +<!-- section-config --> Domain | Tech name or object | Recommendations ---------------------------- | ------------------- | ------------------------------------------------------------------------- @@ -99,7 +99,7 @@ Connectivity-Wireless-Wifi-3 | WPA2 | Should protect data sniffin Connectivity-Wireless-Wifi-4 | PSK | Changing regularly the password. Connectivity-Wireless-Wifi-5 | Device | Upgraded easily in software or firmware to have the last security update. -<!-- endconfig --> +<!-- end-section-config --> See [Wifi attacks WEP WPA](https://matthieu.io/dl/wifi-attacks-wep-wpa.pdf) and [Breaking wep and wpa (Beck and Tews)](https://dl.aircrack-ng.org/breakingwepandwpa.pdf) @@ -136,7 +136,7 @@ for more information. avoid using the "Just Works" association model. The device must verify that an authenticated link key was generated during pairing. -<!-- config --> +<!-- section-config --> Domain | Tech name | Recommendations --------------------------------- | ------------- | ------------------------------------------------------------ @@ -146,7 +146,7 @@ Connectivity-Wireless-Bluetooth-3 | SSP | Avoid using the "Just Works" Connectivity-Wireless-Bluetooth-4 | Visibility | Configured by default as undiscoverable. Except when needed. Connectivity-Wireless-Bluetooth-5 | Anti-scanning | Used, inter alia, to slow down brute force attacks. -<!-- endconfig --> +<!-- end-section-config --> See [Low energy and the automotive transformation](http://www.ti.com/lit/wp/sway008/sway008.pdf), [Gattacking Bluetooth Smart Devices](http://gattack.io/whitepaper.pdf), @@ -179,14 +179,14 @@ for more information. - Check antenna legitimacy. -<!-- config --> +<!-- section-config --> Domain | Tech name | Recommendations -------------------------------- | --------- | -------------------------- Connectivity-Wireless-Cellular-1 | GPRS/EDGE | Avoid Connectivity-Wireless-Cellular-2 | UMTS/HSPA | Protected against Jamming. -<!-- endconfig --> +<!-- end-section-config --> See [A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications](https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf) for more information. @@ -205,13 +205,13 @@ for more information. - Use the **R**adio **D**ata **S**ystem (**RDS**) only to send signals for audio output and meta concerning radio. -<!-- config --> +<!-- section-config --> Domain | Tech name | Recommendations ----------------------------- | --------- | -------------------------------------------- Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concerning radio. -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -234,11 +234,11 @@ Connectivity-Wireless-Radio-1 | RDS | Only audio output and meta concernin Certification Mark shows that products meet global interoperability standards. - NFC Modified Miller coding is preferred over NFC Manchester coding. -<!-- config --> +<!-- section-config --> Domain | Tech name | Recommendations --------------------------- | --------- | ------------------------------------------------------ Connectivity-Wireless-NFC-1 | NFC | Protected against relay and replay attacks. Connectivity-Wireless-NFC-2 | Device | Disable unneeded and unapproved services and profiles. -<!-- endconfig --> +<!-- end-section-config --> diff --git a/security-blueprint/part-7/3-Cloud.md b/security-blueprint/part-7/3-Cloud.md index af40978..ec7edea 100644 --- a/security-blueprint/part-7/3-Cloud.md +++ b/security-blueprint/part-7/3-Cloud.md @@ -10,14 +10,14 @@ functionality by providing rules and allowing access or denying access based on a subscriber's profile and services purchased. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations ---------------------------- | -------------- | -------------------------------------- Application-Cloud-Download-1 | authentication | Must implement authentication process. Application-Cloud-Download-2 | Authorization | Must implement Authorization process. -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -50,7 +50,7 @@ Application-Cloud-Download-2 | Authorization | Must implement Authorization pro <!-- pagebreak --> -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations ---------------------------------- | ------------- | ---------------------------------------------------------- @@ -60,7 +60,7 @@ Application-Cloud-Infrastructure-3 | Test | Should implement scanning t Application-Cloud-Infrastructure-4 | Log | Should implement security tools (IDS and IPS). Application-Cloud-Infrastructure-5 | App integrity | Applications must be signed by the code signing authority. -<!-- endconfig --> +<!-- end-section-config --> -------------------------------------------------------------------------------- @@ -98,10 +98,10 @@ to configure each application to **IPSec** standards. An additional means of protection would be to do the monitoring between users and the cloud as a **CASB** will provide. -<!-- config --> +<!-- section-config --> Domain | Object | Recommendations ----------------------------- | ----------------------------------------- | --------------------------------- Application-Cloud-Transport-1 | Integrity, confidentiality and legitimacy | Should implement IPSec standards. -<!-- endconfig --> +<!-- end-section-config --> |