On March the 31st, I gave a quick talk on automotive security at VTM titled "UN ECE 155 Threats in the real world: Wireless Networking Attacks and Mitigations. A case study" (slides here).
The idea was to create some content about one of the most hyped topics in the automotive cyber security world over the last year, without keeping it just theoretical:
UN/ECE 155 and ISO/SAE 21434, which are concerned with the implementation of a CSMS (Cyber Security Management System) that consists of performing, for each vehicle, several high-level security tasks, such as Threat Analysis and Risk Assessment (TARA), supply chain security issue tracking, implementation of the mitigations, update management and so on.
The following schema shows the product development lifecycle model, called V-Model, used in the automotive industry and the cybersecurity processes in each phase of the V-Model.
The most interesting point, which can help mitigate the risks and perform attack surface analysis, is the TARA, which can really help to minimize the risk at the earliest stage. In particular, it gives its best when the technologies that are going to be implemented are well known from a security perspective.
The following figure describes the steps that must be covered to perform a TARA according to ISO 21434:
Since the audience was expected to be mixed technical/non-technical, I decided to keep it in the middle as well, which, alas, sometimes means the hard way.
Also, how to go practical without going vehicle-specific? Mmm, take something that is already on every vehicle and talk about attacks, risks and remediations in the context of UNECE R155 and ISO 21434 requirements.
Digital Radio Broadcasting!
Now, the problem is to research those topics without being too obvious and condense it all into a limited span of 30 minutes, which is quite challenging.
With the goal of identifying some unexplored attack surface, I took a couple of weeks to go into the RDS and DAB+ specifications and the previous research on them in the security context.
As briefly described in the slides, at IMQ Minded Security I created a lab testbed with:
- An RDS transmitter using a Raspberry Pi and this wonderful piece of software.
- Several non-automotive RDS receivers and their software, and a Renault Scenic 2015 Head Unit with RDS support.
- A DAB+ transmitter using a HackRF One and this essential set of software, together with this very useful tutorial.
- An RTL-SDR for local tests and a DAB+ USB Dongle receiver that is also used in the automotive world, with the most used Android Automotive OS software, DAB-Z, and several other applications that are mostly used in desktop environments. Alas, apart from DAB-Z we had no immediately available automotive head units supporting DAB+ :/.
The most interesting turned out to be DAB+, which has much more perimeter and already has at least one known real-world issue.