Attached are the slides from my talk at the Fall 2013 Automotive Linux Summit. My session was entitled “Linux and the Automotive Security Lab,” and it was a survey of all of the security research that I’m aware of that dealt with actual cars—as opposed to theory.
Not that there’s anything wrong with theory in my book, mind you, but there are only so many times you can read “CAN bus lacks sender authentication and payload encryption” before your eyes glaze over. It does, and that means that there are a lot of places where it needs major changes. So many, in fact, that I referred to it in my talk as “Theseus’s ship.” According to Plutarch, the museum of state relics in Athens included a ship used by Theseus in some daring adventure or other, and the Athenians took such good care of it that they replaced a part whenever it wore out … so much so that by Plutarch’s time, the Athenians had replaced every part, which led some of them even then to ask whether the museum still had Theseus’s ship at all. The point is, if you need to replace all of CAN bus’s constituent parts to make it usable, you might as well just use something else to begin with.
But that’s kind of beside the point, since that’s a hypothetical. In reality, as the research linked to here shows, there is a giant heaping metric Athenian boat-load of attacks that can be waged against existing cars right now. Looking at some of them should give developers pause. Because yes, CAN bus can be used to mount all manner of attacks—but there are a lot of inroads into the vehicle that have nothing to do with vehicular network protocols at all. Some are freshman-level security programming mistakes, others are systemic flaws inherent to multi-sourced component supply chains, and some are just weird.
I probably ought to publish my speaker notes, too, but one thing at a time. I hope the slides will be a good reference and starting point for anyone interested in reading more about IVI and automotive computing security. And if you see any papers or presentations that I’ve missed, please, drop me a line; I’ll happily add them to the list.