autonomous vehicles workshop feb 2016 · conclusions assurance for secure communications is...


Post on 05-Jul-2020


Page 1: Autonomous vehicles workshop Feb 2016 · Conclusions Assurance for secure communications is critical for CAV Attacker controlled CAV is a nightmare Security protocol can be only barrier

Secure Communication?

Cas Cremers

Summary: Security protocols are hard.

It's scary to attach a (large) vehicle to them.


Attacks on AV can be critical

Attacker control has serious consequences

OBD2 telematics hack lets remote attackers mess with car’s brakes

Devices used by insurance companies, fleet managers open doors to remote attack.

Aug 11, 2015 5:25pm BST


AV software updates are not easy

Repairing bugs (enforcing updates) is expensive/hard

Volvo Recalls 59,000 Cars For Faulty Software In 40 Markets

02/20/16 AT 11:13 AM


What if something goes wrong?

Remote influence on control systems?

[Diagram labels: 3G, Bluetooth, Wifi, ...; Control systems]


Secure communications are crucial for AV

CAV

Remote influence on control systems?

Attacker control has serious consequences

Repairing bugs (enforcing updates) is expensive/hard


Who to turn to for secure communications?

● Reminder: these standards cannot be local

● ISO/IEC?

● ETSI (European Telecommunications Standards Institute)?
    ● 3G, UMTS, ...

● IETF (Internet Engineering Task Force)?
    ● TLS, ...


TLS: Transport Layer Security


TLS over time


TLS over time


Our work in this space

● Develop mathematical frameworks to reason about security protocols & threat models
    ● Side effect: new attack types, new guarantees

● Develop (automated) tools to analyse protocols
    ● E.g., Scyther, Tamarin, ...

● Use the results to improve standards
    ● ISO 9798 & 11770, TLS 1.3, ...

Cas Cremers – http://www.cs.ox.ac.uk/people/cas.cremers/intro.html


Automated analysis of TLS 1.3


Automated analysis of TLS 1.3

● Resources
    ● Lots of manpower
    ● Hardware (mostly memory currently)

● Outcome:
    ● Proof of rev 10
    ● Attack on one suggested variant

Automated Analysis of TLS 1.3: 0-RTT, Resumption and Delayed Authentication. C. Cremers, M. Horvat, S. Scott, T. van der Merwe. IEEE Symposium on Security and Privacy (Oakland), 2016.


The ISO/IEC 9798 Standard

● Entity Authentication Mechanisms

● 18 base protocols
    ● Symmetric-key encryption, Digital signatures, Cryptographic check functions

● Unilateral or Mutual authentication
    ● Additional protocols with TTP

● Further variants from optional fields


Results

● No strong authentication properties

Aliveness < Agreement < Synchronisation

● Under some conditions no authentication


Open issues

● Secure protocols quite elusive

● TLS possibly most scrutinized

● No reason to believe protocols such as WPA2 etc. are more secure
    ● rather the opposite


Conclusions

● Assurance for secure communications is critical for CAV
    ● Attacker controlled CAV is a nightmare
    ● Security protocol can be only barrier between attacker and control
    ● Classic problem that is still hugely challenging
    ● Hard to patch the AVs once out there

● Expertise is available – need to collaborate!
    ● IETF has set a good example in involving experts

● We would like to avoid reading on a forum:
    ● "AV-Botnet for sale..."
