00:00:00
I'm Sebastian Awad with the secure
00:00:03
systems lab at NYU working on the
00:00:05
Uptane project for software update
00:00:08
security in automobiles with alongside
00:00:12
Southwest Research Institute and
00:00:14
University of Michigan Transportation
00:00:16
Research Institute so I'm going to tell
00:00:19
you just a little bit about the system
00:00:21
there'll be another presentation that
00:00:23
I'll show a link to at the bottom that
00:00:24
will that will go into much more detail
00:00:26
on Uptane itself the purpose for this
00:00:29
talk is mostly just sort of a demo so
00:00:33
we're going to be dealing with updates
00:00:35
occurring in vehicles and for these
00:00:38
purposes we separate a primary and
00:00:41
secondary role for the electronic
00:00:44
control units, ECUs, in the vehicle this
00:00:48
Raspberry Pi here is going to be playing
00:00:50
the role of a of the primary will
00:00:54
retrieve metadata and images from the
00:00:57
server and distribute it to these other
00:01:01
secondaries the secondaries in the
00:01:02
vehicle like this one who is going to
00:01:05
play the part of each of a friendly
00:01:06
transmission control unit but that will
00:01:11
also perform the full suite of
00:01:13
verification checks in Uptane both of
00:01:16
them all there there is a lesser set of
00:01:19
the partial verification version of the
00:01:22
client intended for much weaker ECU use
00:01:24
but we won't get into that here so aside
00:01:28
from these two who are currently
00:01:30
performing by the way uh looping updates
00:01:32
continuously every couple seconds they
00:01:33
the primary checks for instructions from
00:01:36
the director and the secondary checks
00:01:38
for instructions from the primary so
00:01:41
we'll show you the server side or at
00:01:42
least to the components on the server
00:01:44
side the others are silent and less
00:01:46
interesting so on the left we have a basic
00:01:49
web front end that we whipped together for
00:01:51
the image repository or focuses selfless
00:01:53
researchers research and since you work
00:01:55
together mostly for the image repository
00:01:57
and on the right we have the front end
00:02:00
for the director repository the image
00:02:02
repository will store images firmware
00:02:06
and the director repository basically
00:02:08
stores instructions to vehicles as to
00:02:11
what ECUs should, which electronic
00:02:13
control units in the vehicle should
00:02:16
install what pieces of firmware or
00:02:18
updates if they're differential okay so
00:02:23
with that note I think I'll issue the
00:02:26
first update just a normal update I'm
00:02:29
going to tell our friendly transmission
00:02:31
control unit to go from firmware
00:02:33
version 1.0 to version 1.1 so it's a
00:02:38
little clunky but here we go I go from
00:02:41
1.1 1.0 to 1.1
00:02:43
okay let's issue the instruction so the
00:02:46
primary should now be retrieving that
00:02:48
instruction from the director as well as
00:02:50
validating the information about the
00:02:54
firmware that should be installed with
00:02:55
the image repository there it is and
00:02:58
then the secondary should retrieve that
00:03:00
instruction from the primary and install
00:03:08
great so normal successful so next we're
00:03:14
going to do a suite of attacks so let's
00:03:16
assume I assume that a malicious party
00:03:20
has decided that they want to install
00:03:24
bad firmware on the vehicle they want to
00:03:26
install something that allows them to
00:03:28
monitor audio perhaps whatever it is
00:03:31
some attacking vehicle they have decided
00:03:35
to intercept traffic between the
00:03:39
director and the vehicle itself the
00:03:41
primary in the vehicle let's say and
00:03:45
replace the firmware image with a
00:03:48
firmware image that's been edited for
00:03:49
their own purposes some arbitrary
00:03:52
modification so if they were to do that
00:03:54
which we will simulate like that then
00:03:57
the primary who retrieves that in this
00:04:00
case is quite quick the primary who
00:04:02
retrieves that will detect if the
00:04:04
firmware does not match the signed
00:04:05
trustworthy metadata that it has that is
00:04:08
validated and it will refuse to keep the
00:04:11
firmware it won't won't present it to
00:04:14
the secondaries it just rejects it
00:04:17
so that effect has that that that attack
00:04:23
basically has no effect so now I will
00:04:27
undo it so I say we take the man in the middle out of
00:04:31
the picture again and we'll be resuming
00:04:33
normal normal updates so let's say the
00:04:37
attacker has wised up in a small way and
00:04:39
now is aware that they can't simply
00:04:42
provide arbitrary instructions that
00:04:45
they've modified to the to the vehicle
00:04:49
because they don't have the keys for it
00:04:51
so they're going to instead take old
00:04:53
instructions that they've previously
00:04:55
captured so they've listened and you
00:04:58
know they capture instructions to
00:05:00
install some piece of firmware and much
00:05:02
later after an exploit is discovered
00:05:04
let's say they want the vehicle to
00:05:06
return to that firmware or stay
00:05:08
indefinitely at that firmware so they
00:05:10
want that they'll read this is a replay
00:05:12
attack so first I'm going to set up the
00:05:15
conditions for the replay attack let's
00:05:16
say the there's a new version that's
00:05:19
released of some firmware or just
00:05:24
metadata for that matter now the primary
00:05:28
has retrieved that information it keeps
00:05:29
chugging along
00:05:30
and now we'll conduct the attack where
00:05:33
we regress to a previous version of the
00:05:35
of the metadata we try to provide that
00:05:37
to the vehicle so click and in a moment
00:05:41
we should see the primary detecting that
00:05:43
something is wrong that there is a piece
00:05:44
of metadata that is out of date error
00:05:46
scrolled by just a moment ago but you'll
00:05:48
get that in a moment
00:05:49
right so the primary has detected this
00:05:53
is a replay attack and it has rejected
00:05:55
the metadata update will not install
00:05:57
anything that is not trustworthy in that
00:05:59
way so now let's undo that go back to
00:06:02
the most recent version of the metadata
00:06:04
and in a moment the primary should stop
00:06:06
complaining
00:06:09
make sure the attack's undone yes it
00:06:11
was okay so the next attack we'll do
00:06:15
is let's say much more ambitious from
00:06:19
dangerous so suppose someone isn't just
00:06:22
intercepting traffic but actually takes
00:06:24
over the server the director server they
00:06:27
they've gotten in through some through
00:06:31
some hole and they've managed to take
00:06:34
over the system they have access to all
00:06:36
all the keys that are stored on there
00:06:38
which I won't go into TUF details but
00:06:41
might be a variety of different levels
00:06:42
of keys and whether they've been able to
00:06:46
copy the keys or they're just
00:06:48
instructing the the system to issue new
00:06:52
metadata and sign using even if the keys
00:06:54
are HSM or something if they can use the
00:06:56
keys that's still quite a threat so so
00:07:00
we'll have the attacker seize the keys
00:07:03
sign new metadata about that validates
00:07:06
their own malicious firmware on the
00:07:08
director and have that sent to the car
00:07:11
now
00:07:11
so your director repository's been
00:07:14
compromised the primary is going to
00:07:17
reject this as well because the
00:07:19
arbitrarily modified firmware is still
00:07:24
not validated by the other repository
00:07:27
the image repository which is I guess
00:07:29
you could say the more sober slow body
00:07:30
generally so for that reason the primary
00:07:35
will not ever install this either okay
00:07:37
so now let's go even further let's say
00:07:40
that so I think the image repository
00:07:42
itself has been compromised or more
00:07:45
likely since that those the key signing
00:07:47
targets there are unlikely to actually
00:07:49
be on that repository let's say they
00:07:52
have compromised some supplier key I'm
00:07:56
gonna turn that down so they've seized
00:08:01
receive the keys of some developer who's
00:08:05
working on the firmware updates for this
00:08:08
part in the vehicle maybe they found
00:08:11
them well doesn't that probably found
00:08:13
them but they've retrieved the keys
00:08:15
let's say so if this happens then they
00:08:17
sign the matching metadata that
00:08:19
that also validates this on the image
00:08:21
repository side that are going to be
00:08:23
essentially more dangerous and the
00:08:26
primary now will see validated metadata
00:08:29
from both the image repository and the
00:08:31
director repository by all the necessary
00:08:32
trusted parties indicating that the
00:08:35
image through the firmware that it's
00:08:36
been instructed to install is the correct
00:08:38
one and that it's trustworthy so it will
00:08:42
happily receive this and it will
00:08:45
distribute it to the secondaries who
00:08:47
will install it or the appropriate
00:08:50
secondary one will install it so I think
00:08:53
in a moment we yeah there we go so the
00:08:57
secondary is now compromised there's no
00:09:00
way that it would have detected this
00:09:01
it's just compromised so our splash
00:09:03
screen is for flavor it's now installed
00:09:07
arbitrary sequence so all of this so if
00:09:12
an attacker has gone to this this level
00:09:14
these keys from both servers and both
00:09:16
repositories even maybe an offline key
00:09:19
from the developer for the image
00:09:21
repository for the appropriate part then
00:09:24
well your your it's a difficult scenario
00:09:28
to deal with but TUF and thereby
00:09:31
Uptane provides the mechanism for
00:09:34
reliably revoking compromised keys using
00:09:38
a the root role which is a rarely used
00:09:41
feature of the sessions that rarely used
00:09:43
which is a feature of the system that
00:09:45
just rarely used to sign metadata it
00:09:47
only when a top-level key is has been
00:09:51
compromised does the root need to come
00:09:53
into play and sign the revocation of
00:09:55
that all clients start with that root of
00:09:58
trust and so when that root of trust
00:10:00
issues a new instruction it will be it
00:10:05
will override the use of those keys
00:10:07
thereafter so we'll start by revoking
00:10:12
keys on the director repository which is
00:10:15
going to take a little bit of time in
00:10:16
this demo 20 seconds I think
00:10:21
and once that is done you will see that
00:10:25
the direct the primary the primary will
00:10:29
now be receiving good valid metadata
00:10:32
from the director and as far as it knows
00:10:36
good valid metadata from the image
00:10:37
repository but in the latter case the
00:10:39
image repository is still hosting the
00:10:41
attacked compromised data so they don't
00:10:45
match so the primary will refuse to
00:10:47
download will refuse to retain the file
00:10:49
so now if we also do the recovery and
00:10:52
let's say we revoke the developer key
00:10:54
that we've discovered is now compromised
00:10:56
and when that's done the primary will
00:10:59
now be able to install software updates
00:11:02
normally again so next after once that's
00:11:15
done we're going to do one more attack
00:11:20
where we simply demonstrate the efficacy
00:11:24
of the of the replicate the key
00:11:26
revocation so here you I'm all next one
00:11:32
I guess the tough details well I will
00:11:35
wait until the update is complete yes
00:11:38
okay okay all right so the next attack
00:11:42
will be the attacker trying to sign
00:11:44
metadata with that compromised key again
00:11:47
newer metadata to sort of suggest Oh
00:11:50
ignore that other that other guy here
00:11:53
here's the metadata that is more recent
00:11:56
than that and valid and you should
00:12:00
install this piece of this piece of
00:12:02
firmware so when that's done the primary
00:12:08
will detect that that is a revoked key
00:12:09
already and it will disregard it and
00:12:11
even if you were to perform this on both
00:12:14
repositories again
00:12:15
you wouldn't the primary wouldn't accept
00:12:18
it because it's a no longer trusted key
00:12:20
according to the root role which can be
00:12:24
trusted above these intervals so we
00:12:29
should receive which we defended
00:12:31
repeatedly it's all good
00:12:33
great so I'll undo that attack too and
00:12:36
leave the system in normal state and
00:12:38
that covers all the attacks that are in
00:12:41
this demo there are a variety of other
00:12:43
attacks that the system also protects
00:12:46
against and the design documents will
00:12:48
cover that mostly presentation the other
00:12:51
presentation might also cover those but
00:12:53
I think that's it for us for today at
00:12:55
least so thanks