Protecting Connected Vehicles App Ecosystem

Attack Surface Size

Vehicle's interet connection is the biggest attack surface

• Reaction from technical peers
• Internet is a hostile environment

Genivi Security Expert Group

Sound Practices

• Education
• Coding Guidelines
• Code Analysis
• Threat Modeling
• Architecture
• Layering
• ...

High Level

• Connection Accounting
• External Site Security Evaluation
• Imposing Rigid Network Access
• Guidelines

Ecosystem

We are building a framework for 3rd party apps (FB, Waze, Pandora)

• HTML5/QT/Headless
• Signals
• Nav/LBS
• Media (services, library)
• Notifications
• Payments
• Wishlist: traffic, weather, speech...

See yesterday's Genivi / W3C Liaison presentation

Other day job - Head of IT

• Domain hijacking
• DDoS
• State actor probes
• Phishing
• Misuse of services we provide
• Code Audits
• Penetration Testing
• Compromise Forensics
• Counter measures

Memories...

Remember when you could account for every network connection?

• ran IP logger in simpler times
• CDN, trackers, adverters, "like us" makes this less feasible
• Blockers: Flash, Ads, Trackers, JS

Connected vehicles should be able to account for every connection

Development and Testing

• Know every connection you require
• Run traffic monitors during testing phases
• W3C's DTD traffic problem - example of what not to do in dev lifecycle

Lock it down

Possible package requirements for 3rd party apps. Suggestions partially address OWASP top ten

• DNS zone files
• Accompanying Firewall rules
• Apparmor/SELinux/Smack rules
• Static SSL Certificates in /etc/ssl/certs
• All Javascript permitted to run should be packaged not fetched
• Might as well package all needed images, css, html etc

SSL hardening

merely using SSL alone is not enough

• HTTP Public Key Pinning (HPKP)
• Cert strength requirement - beyond merely no SHA1
• Site SSL evaluation tools
• HTTP Strict Transport Security (HSTS) & Upgrade Insecure Requests (UIR)
• Content Security Protection (CSP)
• Follow W3C's WebAppSec WG

Web Application Firewall (WAF)

Another idea

• Web Application Firewall - car does its own MiTM to outside world
• Can run same or another WAF as security layer to Web Sockets and HTTP REST services on vehicle
• Apache mod_security example
• Limit methods (GET POST), inspect permitted parameters
• restrict which apps (token or other id)
• Control what data is allowed to leave the vehicle

Web Application Firewall (WAF)

Continued

• These rules for a given 3rd party app could again be part of package
• Limit content types - no Javascript from outside world
• Verify content types, ensure no injection of malicious (eg tainted media files)
• Sensitive needed content can be signed with W3C WebCrypto API
• It can cache content too, useful for intermitten connectivity and performance

Open Browsing

Hearing some are considering allowing full open browsing

• WTF, seriously?
• Yes the guy from W3C is saying he doesn't want your car on the web - personal opinion
• OK, understand this is a sales decision
• Fine, put it in its own vm
• Zero connection capabilities to APIs being exposed
• Immutable/Read-only FS or clean image on each reboot?

Feasability?

Purpose of this presentation was to start the conversation

• Fragmented industry / multiple platforms
• Marketing & Business forces
• W3C Guidelines
• Genivi Platform implementation
• Get Involved!

Thank You

• Questions
• Follow up: ted+auto@w3.org
• https://www.w3.org/auto