...start with our next talk, how to defend cars, and therefore it's an honor to introduce the two following speakers. First is Alexios Lekidis. He's a security researcher and research associate at the security group of the Eindhoven University of Technology. He has a PhD in applied mathematics and computer science. Additionally we have Guillaume Dupont, who is a PhD candidate in automotive security, focused on IDS in in-vehicle networks. So give them a warm applause and a warm welcome.

Thank you. Thank you very much. Hi from us as well. We are here today to present the topic that we have been working on for the last couple of months. First of all I will start by giving an introduction about ourselves. As for me, I am a senior researcher at SecurityMatters. SecurityMatters does network security; they specialize in network monitoring and detecting threats and malfunctions of software and hardware. I'm also a lecturer at the TU/e, here in Eindhoven. I did my PhD, as was mentioned, on applied mathematics and model-based design. I'm also focused on performance evaluation and network monitoring. And this is Guillaume, standing next to me. He's now doing his PhD, also at the TU/e. His research areas are basically automotive security and also intrusion detection, so how to actually defend cars, which is our main topic for today.

I will start by giving some introduction on how to enter the in-vehicle environment, which is actually what we call car-to-X communication. Then I will continue the presentation by giving some insight into what could be done if you really go inside it: how the protocols work and what the vulnerabilities are in this instance. Then Guillaume will continue on how to develop an IDS, and then we will focus on our ongoing work, presenting you some things about what we are currently busy doing.
First of all, let's have a very basic view of what happens in the in-vehicle and ex-vehicle communication, which means actually V2X, as we call it. V2X means that any car can communicate with any entity which is in the network. This is a wireless communication, which means that on the one hand you can have cars, you can have satellites, you can have road stations that you talk to, you can have access points, or also backend devices which service and manage your data, and manage also the fact that when something is spotted in the car, or in the neighbor's car, it is sent all over the network and you can see traffic, you can see, as we will see later, other entities. The important thing to note here is that the concept is still ongoing. The protocols that are already there provide you this kind of communication: you are able to use wireless, or an extension of Wi-Fi, in order to connect to a single LAN network, and from there you can send data to your neighbors. What we have in wireless sensor networks is the notion of neighborhood, which means that, take for instance this car, it will have a range all over the place, and in this range you can either unicast to find what the other cars are and what data it needs to send to them, or even to road stations, as we see here by these flags. These are roadside units; the roadside units are responsible for maintaining the traffic, maintaining each entity which is connected to the network, and then through this communication you can be aware of conditions on the road.
For instance, if you have to slow down, what happens if you slow down automatically? It's a concept that is under work now. What you can see on the GPS is that it can tell you, okay, you have traffic, so please slow down. But what happens if this context becomes more generic, which means when we have autonomous vehicles and they can brake automatically by getting an indication from the network units? To be honest with you, as I said before, the technologies that are there are not really so extensive; some of them are being worked on and some of them are still ongoing. We have an extension of Wi-Fi, as I said before, which is for short range. The next one, the standard that is being worked on, is 5G communication, which is extended-range communication. You also have cellular networks: what happens if a pedestrian has his smartphone and he needs to communicate with the car or some interfaces? And this kind of communication has to be managed in such a way that you can have automated overtaking, you can have collaborative driving, you can see through vehicles visually, and you can find users that do not violate the conditions, or do not respect them.
So how does this happen? Here I give you a demonstration of your own vehicle: how all these entities and modules communicate with each other, and then how the communication happens with other vehicles on the one hand and also with the roadside units on the other hand. This means that you send information to and get information from the roadside unit, and then this roadside unit can also interact with other vehicles which are not in your neighborhood, as in the concept of wireless sensor networks. What you can also do is collaborative perception: you can send the data to some backend server which will do that for you, and it can not only inform the neighborhood but also the whole range of cars, the whole city or area, whatever you want to call it.

What are the requirements, though, for this kind of communication? One of the important requirements that we have to consider here is latency. What happens if I have a wireless network and I put it in the car, and the car needs some information and it doesn't get it because of packet loss, because of packet collisions or whatever? Reliability is also one important thing. If you go to the context of the Internet of Things, what they try to do is that you have web services where you have clients and servers, and you have this context here; so how reliable is this context? It's not, because once you put it on the wireless, yeah, you know what the problems are. What I would also like to focus on is the density of the traffic. Density means when cars are really connected to each other and they are platooning. What happens then? A requirement here is that they can collaborate with each other; if they are not there, they can't. What happens if I have a car and the car sends its position from GPS and the position is not accurate enough? What will happen then? I see something on the road and the position that I send is not accurate. All those things impact the communication. What happens if the data rate is not correct, or I lose the bandwidth, or let's say the ITS station, the roadside unit, loses the bandwidth?

On top of all these requirements, we also have the security issues. This is personal information here, so we have to consider that you as an entity, or as a person, send some information over the network, and this network can be listened to by everyone, so the data is not confidential any longer. In this case there are a lot of permissions that you need to give, and for this reason you have these kinds of privacy issues. And the privacy measures here do not really apply perfectly, because if you have a unit that is not behaving very well, or it sends some wrong information, or even some malicious information, then the whole network is out of sync and all the cars do whatever they like. So what is really important here is that we consider the firewall. To go to the firewall issue: the firewall allows you to only get the messages that you really have to, so in this case you can use them. But this is on the application level. What happens if I have a car and the car really needs to be protected internally and not only on the application level? What happens if I say every time, okay, I need to update my firmware, every time I have new rules for the antivirus or the firewall, so I have to get an over-the-air update; what happens if the over-the-air update is exposed? In these kinds of situations, what network security gives you is a fast detection mechanism: you see all the data that is coming to the network and then you can reason upon it. And also, what happens to the network accessibility? For instance, there is an attacker or an adversary and he blocks the network accessibility; how do you detect such a threat? The application level will not tell you anything.

To give you one concrete example: when you abuse this concept of collaborative communication. Here on this side you can see cars that inform the car in front of an icy road. But what happens if I am an attacker, an adversary here, and I just connect to the network, I mean I break into the network and I connect, or it's like an open network, and I send false information? Then he has to brake and stop all the other cars from moving and make a traffic jam out of nowhere. What happens also if I have a denial of service, so I just start sending messages and everybody can receive them? Or this kind of situation like a black hole attack, where all the messages that I send are put somewhere else, or I stop the network from being accessible and all the messages that are sent are dropped. And of course the RSU, the roadside unit, is important here, because if you have roadside units and control, they are responsible for being able to maintain this communication; what happens if they're not?

To give you a more realistic scenario, what you see here on the one side is a practical example of this kind of attack. Miller and Valasek started by exploring different cars and in the end they managed to get inside some of them, and what you could do is disable them entirely. So you are driving on the road and then the Jeep stops and you are in the middle of nowhere, or you even hit someone. How dangerous could that be to the passenger and also to everybody else? And here you can see also what the CIA does: they find some leaks in the cars in order to be able to make you aware in the first place, but you don't have this kind of information, but also remotely control your vehicle if you do something bad. What if they make a mistake and they stop your vehicle, or they access your vehicle and you are unable to do anything? So the two questions that we need to answer here are: how can I, as an entity, detect an attack before it happens, and what can I do with this detection? How useful can it be while I'm driving and I see on the screen, the GPS screen for instance, or the telematics screen, "okay, you've been hacked"; how will I respond to this? These questions are really important if you consider the attack scenarios that can happen and also the interfaces and the ways that you can access the vehicle.

So the attack surface here is the different interfaces, like the tire pressure monitoring system, which can be accessed wirelessly, and also Bluetooth. What happens if I have a key and the key is hacked and it's not working correctly? What happens if, for instance, I plug in a USB or a malicious drive in general, and I can send messages to whatever entity I want in the car? And the most critical issue here is also what happens if I gain remote access to the diagnostic port of the car, and I can send diagnostic messages to the car, get all the information, and then stop everything from working. Another example, as we focus on the telematics unit, is to have malware. Here what you see is a screen of a car, and here the files are encrypted, and you get some kind of information that you have to pay a lot of money to decrypt all those files and you have a certain time to pay it. So what happens if I have ransomware somewhere, as we say it? In this sense I would like to focus on the in-vehicle communication. What happens when I'm in the car? How can I defend the car, or how can I know what happens when I'm inside?

In this figure you see all the systems that communicate in the car. You have the controller area network, CAN, which is the basic one and is used in all the vehicles that we know nowadays; it's a stable interface here. And LIN, which is used for controlling the keys, for controlling the windows. Also you can see here that CAN is responsible for the engine, is responsible for the braking. Also FlexRay, newer protocols, are responsible for the suspension in the car. What happens if I get inside one of these interfaces and I start sending commands to the vehicle? In this sense, the way to get in that mostly all the people use is that I can go to the central gateway. The gateway can be accessed by vehicle-to-X communication, so you can gain access to this if it's not properly, if it's not confidential, if it's not properly secured. What happens if I go inside the gateway and I say, okay, I want to gain access to the engine, okay, I want to gain access to the braking system, and then I stop them by sending messages that are exactly the same as the car would expect them, and I'm able to control it? In this sense we have these four protocols, and also now we have the concept of automotive Ethernet, that communicate with each other in order to control the different functionalities of the car, and each protocol is giving a different functionality, as we see here in this example. In this example we have the safety-related ECUs; this means that there are ECUs inside the car that are providing safety to the passengers that are there, and others where it is not so critical to defend against them or to secure them.

If we go deeper in detail: as I mentioned before, this is the overview of all the actual mechanisms and protocols that are used in the car, and of course all these protocols connect to each other in a really manufacturer-specific architecture. You have CAN, FlexRay, as I said before, and MOST, which is responsible for the telematics, for seeing videos, for the GPS; and also automotive Ethernet is under development for infotainment and also safety; and FlexRay, which is for more luxury cars. In this sense, as I mentioned before, the simplest thing to do is to focus on a protocol that is used by the entirety of the cars, like CAN. I think, for the people that do not know CAN, I just put a slide here to introduce it to you. CAN is a serial communication protocol that sends data over a broadcast bus, which means that all those controllers, or the ECUs, as we call them, everyone that is on the bus can listen to this data. What you can also do is receive it and then try to reverse engineer it and understand what they are. So if you compromise something inside this communication then you have to know that everything else is compromised. In this sense, what happens is that CAN uses this arbitration mechanism in order to control how the messages are transferred over the bus, which means messages also define priority. Priority means that if I want to do denial of service, I can send a high-priority frame onto the bus and then I can block it from working; it's that simple. Here you can see the frame, which tells you that you have only eight data bytes in order to put your information there, so there's no encryption, nothing that can be done in this sense. In this case, what are the vulnerabilities? As I mentioned, you lack a scheme to address the different stations, you lack encryption and authentication, and of course what I just say here is that there is no authentication between the different ECUs.
Each ECU can encode an ID and send it over the bus; nobody else will know that it is this ID, this ECU or that ECU. It will just know: this information I just need to interpret. So it's really easy to spoof. The main message that we want to make here is that security is important in this sense. But how do you do security? You can use keys to authenticate, you can use cryptography, but of course with all these things you have to know that you are targeting some proprietary system that is manufacturer-specific and it's also resource-constrained. All these ECUs are embedded, so they have microcontrollers which are really small in capabilities, in terms of power, in terms of processing. And how can you keep all these devices up to date? Can you do secure over-the-air updates? You can't, most of the time. So in order to move forward, together with Guillaume, who is standing by my side, we thought of another solution for how to be able to protect this kind of environment from a distance, by just focusing on the network itself. I give now the word to Guillaume and we will continue later as well.

Thank you, Alexios. So like Alexios just discussed, we really need some strong security in all in-vehicle networks. There have been some papers or research conducted in order to come up with some solutions. For instance, we often hear about ECU identification with certificates, or how can we use a MAC, message authentication code, in order to make sure that the message that we receive on an ECU is coming from the right peer. Most of the time the problem is related to the underlying protocol specification of the car network protocol that we are using. Like Alexios just discussed, the very short data size, 8 bytes, doesn't give us much room to add security features. So for instance adding a MAC in order to identify the message doesn't work, unfortunately. There are also some researchers who try to segregate networks, or at least subnetworks within the car, just to make sure that a non-critical ECU residing on a non-critical subnetwork wouldn't be able to send or forward a message to a more highly critical one. There are also some ideas proposed in order to embed on-chip a trusted platform module. The problem again, like Alexios mentioned: every ECU on cars is very resource-constrained and limited, so everything that we used to do, or that we are currently doing, in desktop IT is unfortunately not translatable, there is no one-to-one mapping, in the automotive world. I recently read an article describing cars as being like the new Windows XP. Doing automotive security is a little bit like looking at security back in the 80s, so we have to reinvent ourselves basically from scratch, with very insecure protocols. Our research is actually looking at IDS. How do we come up with an intrusion detection system solution that we could embed in cars? It looks very promising, especially when it comes to a more general security measure: network monitoring is one of the key technologies that you should have in your network. Being in control means first knowing what exactly is happening on your network.

First of all, there are some constraints and technical challenges that we will have to overcome in order to develop such a security measure. First of all, hardware: like we just discussed, ECUs, the little microcontrollers that are communicating on the car network, are very limited in terms of resources. There is also a real-time constraint: basically when you drive your car and you want to brake, you start pushing the pedal, you want your car to start braking right away; we cannot have any delay in terms of messages sent and received. There is also another problem when it comes to the physical location of your car: sometimes you're going to pass through a tunnel, or you're going to go abroad, or to a country or an area where there is poor signal reception. How do we make sure that your security measure doesn't rely on a constant internet connection? Because you might sometimes be in so-called blind zones. Another problem will be the life cycle of the car. Usually when you buy a new car, right out of the manufacturer, we could consider that it will last for a period of 15 to maybe 20 years. How do you make sure that the security measure you implement will last over such a long time, especially when it comes to cryptography? We know that usually after some years crypto gets broken, so how do we make sure that we embed security measures that we can also securely update along with the coming new technologies? And also the compatibility constraints: how do we make sure that the solution we can deploy for one car will also be portable or compatible with all the manufacturers or all the models? One thing that we tend to see in the auto manufacturing industry is that every model is based on a new architecture. Even if you take the same car model, if they produce a new one some years after, chances are they will have some modification already in the architecture, which makes it really difficult to have a generic enough solution that we can deploy regardless of the brand or the model of the car.

IDS 101. For those of you that are not really familiar with intrusion detection systems, let's set up some definitions here. First of all, according to NIST, the National Institute of Standards and Technology, they define intrusion detection as the process of monitoring the events occurring in a computer system and analyzing them for signs of possible incidents. If we would translate this definition to our automotive context, basically an IDS for cars would be monitoring the events occurring on the car network and analyzing them for incidents. An incident in this situation would be any event that we identify that could lead to a compromise of the CIA, confidentiality, sorry, confidentiality, integrity and availability, of the car data. In that sense, basically an IDS is simply the software or hardware product automating this process. There are two main ways to look at an IDS. Basically, when it comes to the response, you can either have a very passive approach, which means the IDS will detect, alert, and passively will simply notify, send a notification to the system administrator, or in our situation, in the car, to the user; it doesn't take any action. On the other hand you also have a more active approach, in which basically you detect an event which is flagged as malicious and then you will take actions. An action that could be taken, for instance, would be terminating the communication, or reconfiguring some network security device, for instance automatically changing a firewall. Basically these two approaches lead to intrusion detection systems versus intrusion prevention systems. In our context we will use these two terms a little bit loosely, and according to the literature we agree that we can shorten that by simply saying IDPS, intrusion detection and prevention systems.

One key question that we also have to take into account is how do we measure and how do we assess the efficiency of an IDS? According to Porras and Valdes in 1998, they propose three metrics: the accuracy, the performance and the completeness. When it comes to the accuracy, there are three main values that we look at: the false positive, the false negative and the true negative, true positive, sorry. Basically, if the system sees an event which is malicious and flags it as malicious, this is a true positive; it correctly identifies a malicious event. On the other hand, if it didn't recognize a malicious event and let it through, it's a false negative. What we want to avoid is flagging as malicious a non-malicious event, which is called a false positive. What happens if you have a high rate of false positives? You're going to be swamped with false alerts that you would eventually have to react on, but every time you're going to spend time reacting on a false positive, which basically leads to a waste of time, and eventually at some point you will not rely on the system and say, well, it's just false alerts all the time, I don't care anymore. So the idea here: we need to have true positive rates. Performance is all about how successful the IDS is in processing in real time the events and the packets coming on the network. And another metric, the completeness, is quite hard to assess, but it's all about how capable the IDS is in detecting every attack.

When it comes to the context of in-vehicle IDS, it was first introduced by Hoppe et al. in a paper entitled "Security Threats to Automotive CAN Networks" back in 2008. Here the purpose they identify is all about monitoring the data transmitted between ECUs and being able to assert its legitimacy. They also identified three different characteristics in order to detect intrusions; they came up with some patterns. First of all, recognizing the increased frequency of CAN messages; being able to observe low-level communication characteristics; and finally identifying the misuse of the message IDs. Like Alexios mentioned earlier, CAN, the automotive networks, are very deterministic, so if you just look at what's happening on the network, it's very easy, according to the CAN specification, to know who is talking when. Any deviation from this kind of specification will normally be easy to detect and also will be leading to a direct incident.

As part of our work, we were looking at how we could define an IDS taxonomy for in-vehicle networks. We base our work on Debar et al., who back in 2000 proposed a revised taxonomy for IDS in which they propose different categories in order to distinguish IDSs. First of all, we can look at the different detection methods. In a nutshell, you have two main classes of detection method, namely knowledge-based or behavior-based; we will come to this notion in a minute. Then you can also look at the behavior on detection: like we just discussed, you find something, what do you do, do you react passively or actively? Then you also have the audit source location: where do you put your IDS? There are mainly two ways, either you look at the host or you look at the network; we will come to these two different characteristics in a minute as well. And finally, usage frequency: do you want continuous real-time monitoring, preferably yes, or you could also look at periodic monitoring, basically what your antivirus is doing every day, hopefully, or every morning you turn on your laptop and then it will run a check. It's just checking once a day for signs of intrusion on a snapshot of your system: periodic monitoring. And finally you can also look at the detection paradigm, state-based versus transition-based, a bit off topic for today.

So we came up with this decomposition of in-vehicle IDS. We were looking at different detection techniques. First of all you have knowledge-based, and then behavior-based; in between, if you combine these two approaches, you can have what we call a hybrid IDS. Then you also have subtypes of behavior-based, namely behavior specification-based, flow-based, payload-based; we will discuss the characteristics of these in a minute.

First of all, when it comes to the audit source location, like we just mentioned, we can either look at deploying an IDS at the host or at the network. They both have their drawbacks and advantages, but in a nutshell: the host-based IDS will collect information and monitor events occurring within the host it is monitoring. In order to do that, it will analyze system logs, file accesses, modifications, and it knows at any given time exactly what kind of activities are going on on the host. So mainly the advantages will be being capable of detecting events on the host itself and also being able to handle encrypted traffic, because when it comes to the network, if you have point-to-point encryption, usually there is no way to know what's happening in encrypted packets; but if you look at the host right after the decryption, eventually you can know exactly what is happening. The limitation is that it is actually hard to manage. It's nice if you have only ten ECUs or ten hosts to manage: you put the IDS on the ten of them. But when it comes to updates or modifications, if you have a configuration file to change, if you have ten it's fine, but what about if you have one thousand? You have a problem of scale here. And another problem: it is blind to network attacks and we are missing the overall context, which is not the case for the network-based IDS, in which we are monitoring the network. Here we are looking at packets, traffic flows, and the idea is we will be able to detect network-specific attacks and also denial of service attacks, for instance, and we don't have any impact on the host itself; we don't burden the ECUs with extra processing. On the other hand, we can only identify an attack, meaning we see the attack passing, but we have no clue if the attack was successful or not, and if successful, we have no clue what the damage was, which hopefully, normally, if well configured, the host IDS will know.

So here, knowledge-based IDS. This is the most straightforward way to address intrusion detection. Here the idea would be to define what an attack looks like. If you look at every attack available in the wild and you create patterns of these attacks, you put that in a database, and for every single event or packet that you see you're going to try to find a match in this database. If there is a match, you know this is a true positive, there is an attack going on. If you have a well-defined database, perfect; if you are capable of having a database containing every attack available in the wild, it would be golden, because you know that with such an IDS the great thing is that there is a very high rate of true positives. On the other hand, it is very easy to bypass or to evade, and there is no way, of course, that such an IDS can be aware of the latest 0-day, for instance. And plus it's so easy to evade: today you have very easy tools, you can encrypt an already known attack and you just bypass it; it's the same with antivirus. Another problem that we have to keep in mind is that if you would take such an approach, you would have to update it very frequently, basically every day or even shorter than that. The problem is, with a laptop or a computer server it works fine, we are basically connected all the time; but with a car, if you remember the constraints we just mentioned earlier, how do you do that if you are not connected online? In the literature we have seen a proposal for such a system: Matsumoto and his team proposed a way to prevent the transmission of unauthorized data. As you can see, the fact that they are also capable of preventing is why we call it an intrusion prevention system, to go back to the introduction on IDS. Here the idea is they will modify an ECU to make sure that every packet coming to the ECU is checked. A few steps back, if you remember what Alexios mentioned about the way ECUs communicate together: everything is broadcast, so every ECU receives every message that is sent. Since there is no addressing, you only have the ID of the message sent by the ECU; if you are monitoring what's coming to you and you see that you receive a message with an ID that normally you are the only one to produce, you know that there is someone trying to spoof or to send a message pretending to be you. As soon as it detects that, it will send an error frame, which basically sends a message to everyone on the bus saying, guys, there is an error, don't take this packet into consideration.

So this was knowledge-based. But then, like we said, it's really hard to come up with solutions in order to detect the unforeseen attack, like the famous 0-days, for instance. This is where, in this approach, we're going to first look at the behavior of the host, or the network, that we would like to defend. Here the idea is to first create a model. You're going to start, within a certain period of time, monitoring the network and trying to learn what the normal behavior is for that network. You see, for instance, this one talking with this one; you see, for instance, 10 packets coming back and forth within this period of time, and so on; you create a model. As soon as you have such a model, you start just monitoring, and everything which will be outside of this model, any anomalies, will be flagged as an incident. Basically, if you know that for instance two ECUs are communicating every two seconds by sending back and forth two packets, and you start seeing 20 packets within less than one second, you know there is something going wrong, because it is not according to the normal behavior model that you just built. It's great to detect unknown attacks, because basically with such a technique you don't really need to know exactly what an attack is made of, or what the signals or patterns are to detect such an attack; as long as you start seeing something different, which usually is an incident, you raise an alert. The problem, in particular in cars, is that it is very difficult to lower the risk of false positives. What happens is every driver is different: you drive your car in a certain way, so packets are sent in a certain way; then, with the next person driving your car, the model will be totally faulty and will raise a lot of false positives.

We have, sorry, some papers as well proposing a behavior-based intrusion detection system, here placed on every ECU, and basically the idea is first to look at the transmission rates of specific packets, and any ECU which detects a rate which is not according to the model it first created will raise an alert. Then, when it comes to the network-based, we have two researchers who propose an approach looking at the entropy of the packets. Basically the idea here is, if you compute the entropy according to the different identifiers that you see on your network (you know there is a certain number of different identifiers on the network), if you start doing a packet injection attack, what usually will happen is that you increase very drastically the rate of the message that you want to send. Therefore, if you have a certain entropy, and let's say the more random the higher the entropy, which means if you start inserting or injecting more packets it will be less random, more packets from the same number, you will have a drop in the entropy; in red, this is an attack. And like we mentioned, we can also combine the forces of the two approaches. This is exactly what Charlie Miller and Chris Valasek did when they proposed a hybrid IDS. They looked at the attacks and said, hey, look, there are only two ways to make an attack: either you use diagnostic messages, which normally are only used in the garage, or you send standard messages, with just a higher rate. So they came up with this device that you plug directly into the OBD-II port, and basically as knowledge-based they look for diagnostic messages; behavior-based, they learn for a few seconds what the normal communication pattern is, what the normal behavior is, and then any deviation will be flagged as an intrusion. And then you also have, in order to counter the problem we just mentioned of behavior-based, in which you can have a lot of
false positive because let's say every user is driving a different way you could also come up with an behavior specification base so here the idea is you don't create the model based on what is normal according to what you see or you don't even use machine learning machine learning techniques to build the model you first gonna look at the specification of the protocol what is the protocol or what is the the package supposed to do according to the specification and the good idea for instance that's exactly what the maternal proposes you come up with some sensors looking at for instance in S4 the range so here the idea if you know that for instance a car according to specification can only ride let's say from 0 to let's say 200 kilometer an hour if you start seeing packet with 500 or bogus values you know there is something going wrong according to the specification and not according to what you previously seen so this approach as theoretically the same advantage of behavior base building a model but with the same detection rate of knowledge base which is pretty high then comes another question like my Alex you mentioned at the beginning how do we react you are driving then an alert pops up on the dashboard warning you are under attack what do you do so here some research of proposed let's say of three different approach so depending on the criticality of the attack if it's let's say non-critical an attack aiming at let's say turning on and off your light not really critical you just have a visual like little light blinking but let's say if you have something aiming to for instance kill your engine will be very let's say critical and life threatening you would have an optic notification meaning for instance yeah something vibrating or even like with the case for instance of ABS for instance you could also have your car shut off but again how do we react on the on this without an engineering the life of the passengers because this is exactly what we are looking for so 
limitation of the ideas that we already have seen in the literature is only focused on can there is nothing focused or looking at other protocols so therefore according also to the limitation of can and there is still a lot of work to be done again question how do we react not very straightforward and also it's very hard to come up with metrics meaning that when you look at ideas for desktop IT usually you have let's say a test benchmark or you also have like certain data set that you could use you are for instance a famous data set for of the DARPA and basically researcher when they propose a new approach is they test the system with such a data set and they know okay I've been detecting 98% so this gives you know quite some straightforward result that you can rely on and say okay this is a good one or not so finally we would like also to discuss about the going or don't going work that we are currently working on so maybe Alex you want to say some more no can I have okay great so so we are currently working as I said before in a project that actually is founded by Bosch and an eclipse and an Ericsson as well so the project is about securing cars but also on the other aspect of developing an open platform that is able to interconnect different vehicles but also to focus on in-vehicle communication so here are all the partners of their collaboration we are here as you can see and here so the the fact that here is that actually we don't focus only on developing ideas but we or security in general but we focus on developing an ecosystem that is able to be transparent for every vehicle and be used in open source for from everyone and and the platforms on the cloud can be also part of this equation so so in this sense what is important actually to to deal with and in this kind of research let's say study is first to focus on the practical side how do you be are able to detect a threat or a misconfiguration and you distinguish between them so how actually I'm able to to 
say that I don't know Volkswagen put this thing in the car and the car is malfunctioning not because it's a threat it's just because actually it's not calibrated collect correctly so another thing is that of course how do you recognize a threat in this kind of manufacture specific context where actually each manufacturer can do whatever he likes inside the payload they can encode whatever they like inside the the priorities mechanism so what we would like to do is to build a database of the known threats and the malfunctions and how to assess them and be able to actually not only defend but also be able to make something robust and many tenable so what we would like to make actually here is as I said before a device that is able to detect all those things and have actually some kind of commands or an API and also this is one thing that security matters does they do industrial intrusion detection they have ITL systems in order to be able to assess threats and also if the third is in the PLC or whatever then you have actually immediate detection and response so to an alert so what we would like to do is this device that tells us actually how severe is the third how likely is that this threat actually really happen how this man functionality will affect the whole architecture so the idea here is that when we start seeing ideas is to constraint we just expand the focus and we really make something robust and sustainable so here the focus is of course that we would like to focus on the other vehicle protocols so what happens actually if I don't take on I just say okay can is protected enough and I want to focus actually on the other on the other ways that they can enter the vehicle because this is the thing that as I explained before all the other protocols are the ones actually that are used to get inside so what you can do when you're inside you can do whatever you like in order to defend it but as soon as you enter you block it there so it doesn't go any further so 
this is actually what we what we focus on and and what we see actually is that all the different kinds of protocols they have master oriented solution so this means that with the master actually is compromised then you are able to set down all the others to use nothing is working the system and you don't care about Khan anymore so you just don't have active safety you don't have suspension so yeah so this is the my major question to answer here and I think what actually is the main challenge of this work and of course here we just demonstrated let's say a small subset of the work we didn't go too deep into details we gave literature overview and a state actually of the communication but if you like to and if I'm sure you will you can I mean we have this let's say length of ten minutes I guess I don't know how much it is it for questions and answers and if you want to you can also reach us because we are also in the camp so this is from us and we would like to hear from you thank you very much yeah a big thanks for this talk for every Q&A please go to the microphones that we can record it also for the streams so the first person here in front of me yeah to what extent do you think this fits into a security by design approach to be honest actually if you are securing the system by design it does work in different Ethernet based protocols but in in vehicle it's not really flexible in the sense that you don't apply AutoSAR so AutoSAR is a high level methodology that you are on the application level and you can specify requirements and security by design but in this sense most of the times you you do trial and error in the cars so you try actually to get the single decoded and if it works with the current voltage it works so you don't give the requirements on the design you give the requirements on the fly especially for security yeah so this is a bolt-on approach yeah yeah but I think also when it comes to ideas what we just discussed earlier is that it's one way to 
address security so like you mentioned security by design is not about just having let's say a silver bullet let's say we put an idea and we all safe no it's one of the layer of out of many that we need to apply to cars in order to secure them indeed indeed yeah the second so about the reaction I mean if you detect something what do you think will happen will there be this pop-up and the user is supposed to do something now or what would you do in a car so would you like to answer yeah thank you so that's a good question and I think here we have different approaches so what we have seen in literature is that first of all we often see we raise an alert people don't really think about okay but concretely tell me what does that mean raising an alert so we see like the case of okay we maybe blink lights like we just discussed or there is some also some sound notification what do we do there is also a way that we can think about having cars connected to a sock for security operation center what if upon detection you have first the alert send to a sock you know for further analysis but if it's life-threatening you know you need to react also real time so you cannot just expect an analyst to pick up the let's say the ticket or the the alarm and say okay I'm gonna look to that give me 10 15 minute minutes that doesn't work so I think here this is still question that we have to answer and that we really have to put some a good thought about it especially when it comes to cars and cyber physical systems every impact of let's say cybersecurity on the car have real impact and also safety related consequences to the users so that definitely a question we don't have yet the answer but we will definitely have to have the right answer to that yeah and also to complement on that what happens actually if the car is in limbo mode and it's you are driving on the highway and actually some of the functionalities of the car are stopped or gradually stopped so and you are forced actually 
to to find in the parking spot nearby and you don't know what happened somebody else actually takes the action for you so this kind of a question is actually our research oriented and there's still actually no actual answer that is that holds in every scenario yeah and just sorry just one quick also remark there are so laws in countries and regulations that state that a car shouldn't have any decision when it comes to life threatening events so you should always as a user be in control of your vehicle so we cannot expect the car to do too much for you when it comes to life-threatening situations thank you microphone one yeah so as you stated cars are well pretty dangerous things so at some points you will have to react immediately upon detection which is very problematic you also stated that can is limited to a frame size of eight bytes eight payload bytes but for instance the UDS specification has support for multi-frame messages which could easily be used internally also but don't you think that macking would be a far more reliable way of preventing these kind of attacks I think in this sense actually again you need to update to in the sense of so if you have a local network that actually you try to put something in there some kind of others in scheme so I think it's not really good in the sense of it's restraining and then you have to fragment the data that you have to send because to be honest actually the car manufacturers in this kind of payload which I showed they don't encode just one functionality but they encode for so for instance you can have all the windows inside one frame so the state of all the windows so it can happen that actually if you encode something in there or you put some other things in there then actually some critical information cannot be interpreted correctly and of course what happens if I am someone which actually does not care about security and I do diagnostics which means actually that I really need to interpret this and I don't 
care about addressing any longer I just want to interpret the payload itself that's it so what what you say is really valuable if you do it in automotive ethernet is it valuable if you do it on flexory it doesn't mean that actually this is like a the best solution but there actually you have more capabilities on doing things but we still have a long way to go until ethernet becomes the standard and to the current actually analysis to be able to extend ethernet to the actually be able to capture everything which is there in the can it will be at least 60 years so basically we should try to get rid of can in order to yeah so this could be this could be a solution but well you cannot get rid of something which is stable and for many years that easily thank you yeah and also just one thing regarding mac and encryption the premise if you compromise at the ECU all the packet that you're gonna send from that ECU will be proper according to the security mechanism you would have in place so that's also a problem as soon as the ECU is compromised whatever comes out of it it's legit so that's why we also need more than just mac and encryption microsoft one continuing on that last remark why don't you get rid of can obviously because it would be too expensive right now what you could consider is that because it's a bus anything that you can invent somebody can inject it to against you definitely so I think the only way is to move to a start apology and make the hub of that relay all the can messages all over the place so you can still leverage all your existing equipment but have that central item with a more heavy processor and do all the decisions for you yeah but that will cost a lot of extra wiring in the car yes and this is not good because already actually Khan was invented for this reason to reduce the wiring harness inside this car okay but now the question is how much extra wiring do you think it will take in a normal car to get back to a start apology I guess about 
30% so to my experience from the time that actually I worked with manufacturers I guess that actually the main difficulty there is not to really make the topology the main difficulty is to be able to calibrate all those units and to give to make them in proper state in order to actually do what you want them to do so the even even if the wire we leave the hard the wire luxury additional wiring we leave it aside then okay this comes to to a question as well because well you cannot force someone that actually really does simple functionalities in order to calibrate then it goes to some kind of other topology where he really needs to know everything and for every unit let's say that he needs to calibrate where actually in in Khan you just need to know the ideas and the payload that you need to encode and that's it so I guess well I mean I understand that this is like a this is like in scope but there are a lot of considerations I mean we can go there but let's say it require it has some risk so I mean to my perspective as a as I see it also in most you have a risk so because most is a ring topology already so yeah but I think also one key consideration to take into account when it comes to start topology there has been some work proposing like let's say what they call a master ECU and they relay basically every connection of every communication from one ECU to another via such a master ECU and there also have been work proposing like hey we could also harden this we can also have you know some the TPM or the trusted platform model on the chip we can also use this one you know in order to hand over certificates or keys to the ECUs but the problem is always the same thing you are something that could be eventually compromised so as soon as this is compromised what do you do and plus there is also the real time problem that as a constraint you need to guarantee that every message are delivered as soon as possible so if you would relay everything through a central unit 
and having some processing there you might also impede the real-time capabilities of the bus so that's why also yeah having a start topology might be a bit trickier than what we expect does that answer the question well we can discuss it offline we are still outside so don't hesitate to to come and discuss further we'll be more than happy to to share your thoughts thank you very much yeah
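The detection ideas surveyed in the talk (a behaviour model of per-ID transmission rates, the entropy of the identifier distribution, the Miller/Valasek point that diagnostic IDs do not appear during normal driving, and a specification-based range check on a decoded signal) can be combined into one small CAN monitor. The code below is an added example written for this transcript; it is not the speakers' code nor anything from their project. The traffic it processes is constructed inline, and the speed signal layout (CAN ID 0x100, little-endian uint16 in 0.01 km/h steps), the 200 km/h bound, the window width and the alert thresholds are all assumptions chosen for the illustration, not values from the talk or from any vehicle.

```python
"""Toy in-vehicle IDS combining a learned per-ID rate baseline, ID-distribution
entropy per window, an "unseen ID" check and a specification range check.
All traffic is constructed for the example; nothing here is a real capture."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import log2
from typing import Dict, Iterable, List, Tuple

# Assumed (hypothetical) signal layout: CAN ID 0x100 carries vehicle speed as a
# little-endian uint16 with 0.01 km/h per bit. The 200 km/h bound stands in for
# the vehicle specification; neither value comes from the talk.
SPEED_ID = 0x100
SPEED_MAX_KMH = 200.0

Alert = Tuple[int, str, str]  # (window index, detector name, detail)


@dataclass(frozen=True)
class Frame:
    ts: float      # seconds since start of capture
    can_id: int    # 11-bit identifier
    data: bytes    # up to 8 payload bytes


def decode_speed(data: bytes) -> float:
    """Decode the assumed speed signal (km/h) from the first two payload bytes."""
    return int.from_bytes(data[:2], "little") * 0.01


def id_entropy(frames: Iterable[Frame]) -> float:
    """Shannon entropy (bits) of the CAN-ID distribution; flooding one ID lowers it."""
    counts = Counter(f.can_id for f in frames)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in counts.values())


def windows(frames: Iterable[Frame], width: float) -> Dict[int, List[Frame]]:
    """Bucket frames into fixed-width time windows keyed by window index."""
    out: Dict[int, List[Frame]] = defaultdict(list)
    for f in frames:
        out[int(f.ts // width)].append(f)
    return dict(out)


def learn_baseline(train: List[Frame], width: float) -> Tuple[Dict[int, float], float]:
    """Behaviour model from the learning phase: mean frames per window for each
    ID, plus the lowest ID entropy observed during normal operation."""
    per_window = windows(train, width)
    totals: Counter = Counter()
    for frames in per_window.values():
        totals.update(f.can_id for f in frames)
    rates = {cid: n / len(per_window) for cid, n in totals.items()}
    min_entropy = min(id_entropy(fr) for fr in per_window.values())
    return rates, min_entropy


def detect(test: List[Frame], rates: Dict[int, float], min_entropy: float,
           width: float = 1.0, rate_factor: float = 3.0,
           entropy_ratio: float = 0.8) -> List[Alert]:
    """Run all detectors over each window of the monitored traffic."""
    alerts: List[Alert] = []
    for w, frames in sorted(windows(test, width).items()):
        counts = Counter(f.can_id for f in frames)
        for cid, n in sorted(counts.items()):
            if cid not in rates:   # e.g. a diagnostic ID never seen while driving
                alerts.append((w, "unknown_id", f"ID 0x{cid:03X} never seen while learning"))
            elif n > rate_factor * rates[cid]:
                alerts.append((w, "rate", f"ID 0x{cid:03X}: {n} frames, baseline {rates[cid]:.1f}"))
        h = id_entropy(frames)
        if h < entropy_ratio * min_entropy:
            alerts.append((w, "entropy", f"{h:.2f} bits, baseline {min_entropy:.2f}"))
        for f in frames:
            if f.can_id == SPEED_ID:
                v = decode_speed(f.data)
                if not 0.0 <= v <= SPEED_MAX_KMH:
                    alerts.append((w, "spec", f"speed {v:.0f} km/h outside 0..{SPEED_MAX_KMH:.0f}"))
    return alerts


def normal_second(t0: float, speed_kmh: float = 80.0) -> List[Frame]:
    """One second of constructed normal traffic: speed at 10 Hz, a light-control
    message at 2 Hz and a third periodic ID at 5 Hz."""
    speed = int(speed_kmh * 100).to_bytes(2, "little") + bytes(6)
    return ([Frame(t0 + k * 0.1, SPEED_ID, speed) for k in range(10)]
            + [Frame(t0 + k * 0.5, 0x200, b"\x01" + bytes(7)) for k in range(2)]
            + [Frame(t0 + k * 0.2, 0x300, bytes(8)) for k in range(5)])


def run_demo() -> List[Alert]:
    """Learn on five seconds of normal traffic, then monitor three seconds that
    contain an injection burst, a diagnostic request and a bogus speed value."""
    train = [f for s in range(5) for f in normal_second(float(s))]
    rates, min_h = learn_baseline(train, 1.0)
    test = [f for s in range(3) for f in normal_second(float(s))]
    # second 1: 100 injected light-control frames -> rate and entropy detectors
    test += [Frame(1.0 + i * 0.01, 0x200, b"\x01" + bytes(7)) for i in range(100)]
    # second 2: the OBD functional request ID 0x7DF, never seen while learning,
    # and one speed frame claiming 500 km/h -> unknown_id and spec detectors
    test += [Frame(2.05, 0x7DF, bytes(8)),
             Frame(2.15, SPEED_ID, int(500 * 100).to_bytes(2, "little") + bytes(6))]
    test.sort(key=lambda f: f.ts)
    return detect(test, rates, min_h)


if __name__ == "__main__":
    for window, kind, detail in run_demo():
        print(f"window {window}: {kind:<10} {detail}")
```

Running `run_demo()` yields a rate and an entropy alert for the injected second and an unknown-ID and a range alert for the third second, while the clean first second stays silent. The caveats raised in the talk show up directly in the parameters: the baseline is learned from one driving pattern, so `rate_factor` and `entropy_ratio` trade false positives against sensitivity, and the unknown-ID rule alone would also flag legitimate workshop diagnostics, which is why the reaction question (who sees the alert, and what happens to the car) matters as much as detection.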