Car Hackers at Work: DefCon CTF Challenges in Full Swing

A staple of the DefCon experience, the Car Hacking Village and its Capture the Flag challenge are going strong into their second day. The competition is fierce, with teams from all over the world competing for the grand prize – a Polaris ATV! Stay tuned for more updates from the floor.

 

Car Hacking Village: A Fruitful First Day

After a long day of car hacking, the Hack Across America brigade rests under palm trees and the starry sky of Las Vegas. See you again tomorrow, DefCon!

Back to the Hack! Trillium at Defcon’s Car Hacking Village Two Years in a Row!

The Trillium team is back at Defcon’s Car Hacking Village, running the Pass GO CTF challenge and encouraging interest in automotive cyber security. Stop by for a chance to win an all-expenses paid week in Tokyo!

Educational Playtime: Penetration Testing Sandboxes

Cybersecurity is not an easy field to get into. The hours of training and prerequisite knowledge needed to fully participate in such an environment are daunting and often prohibitive for newcomers. Despite being present for decades, the topic has seen some of the most rapid expansion and shift in scope of any technical field in history. While there is no shortage of resources detailing the ins and outs of all types of cyber-security, they are often locked behind thousands of dollars’ worth of classes and training. With the help of the internet, however, many firms around the world have begun sharing their experience through free, online “sandbox” systems that allow an aspiring hacker or cybersecurity developer to hone their skills.

One well-known example of this type of free-to-play sandbox is run by microcorruption.com, a website dedicated to teaching the basics of embedded software security. Given a virtual disassembler to analyze embedded assembly code reverse-engineered from a mock target, the user follows the entire process of cracking the password to a “warehouse” located somewhere in the world. The challenges are by no means easy, increasing in difficulty as the user proceeds through the levels; however, they aren’t impossible either – every level has a way forward, and it’s up to the user to find it.

In line with our dedication to bringing awareness to the need for cybersecurity in connected and autonomous vehicles, Trillium is developing an online remote penetration testing module specifically designed to introduce users to the basics of automotive security. By guiding the user through the process of discovering and exploiting vulnerabilities in an imaginary vehicle’s telematics unit and putting them in contact with the vehicle’s CAN bus, the module gives visitors the opportunity to see the security needs at every level of connected vehicle communications. Bringing the user to a terminal in contact with a real-life Trillium BrainBOX hardware module delivers the highest-quality user experience, along with a peek into the profound protection provided by Trillium’s SecureGO IVN security.

Community-driven, free-to-use educational platforms such as those listed above are the manifestation of what cybersecurity is all about – preparing the world to be safer and more secure for everyone. Without a culture of security by design emphasized at every level of society, humanity sees no greater threat to the connectivity-driven future than cyber-crime.

Security for the Next Generation: SAE Cyber Auto Challenge

For the last seven years, the Society of Automotive Engineers (SAE) and Battelle corporation have hosted a worldwide event called the Cyber Auto Challenge aimed at introducing the next generation of engineers and software developers to the landscape of connected cars and their cyber-security needs. The Cyber Auto Challenge, in tandem with the Cyber Truck Challenge also hosted by SAE, gathers talented high school and university-class students from around the world for a week of intense training by automotive industry veterans and cyber-security experts in the techniques used to find and fix cyber vulnerabilities in connected vehicles.

The techniques taught and practiced at the Cyber Auto Challenge are none other than those used in the real world of automotive cyber-security and penetration testing, with the instructors being subject-matter experts in hardware, software, and automotive penetration testing. Mohammad Kamel Ghali, a field-applications engineer and penetration tester at Trillium, gave the following reflection on the week-long event.

“During the week of the Cyber Auto Challenge, I had the pleasure of working alongside long-time colleagues and budding automotive cyber-security zealots alike. Getting to share experiences and exchange tips and tricks with fellow researchers and penetration testers from firms such as Grimm, Intrepid Control Systems and Battelle was a great opportunity. Each participant in the challenge brought forth their unique perspective on the challenges faced by the connected car security industry, making this week of collaborating with experts in the field an enlightening experience for everyone. I hope that together with Trillium I can continue to participate in and support the SAE and Cyber Auto Challenge for years to come, helping to ensure the continued cyber-security of the transportation of the future.”

As the prospect of automotive cyber-security shifts from an afterthought into a high priority for carmakers and legislators alike, the importance of standards-defining bodies such as the SAE cannot be overstated. It is through cooperation with such entities that Trillium hopes to inspire an era of connected-car security to facilitate the next generation of cooperative connected transportation.

Cybersecurity for Defense on the Rise: New Cyber Range Operations Center in MI

On Friday, July 20th, federal, state and local officials convened for the opening of the Velocity Hub of the Michigan Cyber Range. The Michigan Cyber Range is a long-standing center for critical training of cyber security professionals, and the newly added Velocity Hub seeks to expand the range’s scope further than before.

A collaboration between private industry players and government bodies – both federal and state-level – the Velocity Hub aims to bridge the gap between cutting-edge cyber technologies and the environments they serve. By providing the necessary training, equipment, and secure-sandbox environments for the development and proliferation of cyber secure technologies and business practices, the Velocity Hub will establish Michigan as a key player in the cyber security field.

The necessity for pre-emptive drafts of cyber security standards in vehicles is not lost on the Brigadier General – the traditional method of waiting for an incident to occur before thinking of cyber legislation can result in a drastic loss of life when it comes to automobiles.

This need for vehicular security regulation is the driving force behind Trillium’s participation in projects such as the Velocity Hub, the SAE, and other standards-developing bodies to prepare the future of connected and autonomous vehicles. Trillium’s “security by design” mentality applies not only to technology, but to the design of society as a whole. Through working together with government agencies, our industry partners and standards committees, Trillium hopes to drive the next wave of cyber legislation in the US from the heart of the Midwest.

Buy it and Fly it: The Aftermarket Autonomy Market

As technology continuously moves towards making human life better and more effortless, transportation is a field that receives a lot of attention. From improving the speed of airplanes to easing traffic congestion, it seems that transportation has the most potential to benefit from technological advances. Self-driving cars are no small part of this. The ability for one’s car to take them along their everyday commute without the driver’s full attention will be a great leap towards the society of tomorrow, increasing road safety and allowing for more productive hours throughout the day. So anticipated is this revolution that tools are already being developed that can offer the same sort of functionality to vehicles already on the road – the aftermarket autonomy industry.

Far away from Tesla’s custom autopilot system or any other state-of-the-art self-driving platform under development by Google or another large corporation, the startup scene has given birth to many self-driving solutions of its own. Focusing on the average consumer’s reluctance to buy a new vehicle solely for the sake of self-driving functionality, the players in the aftermarket autonomy market have developed “kits” that are installed in cars already on the road to offer them self-driving capabilities. As the number of players in this market increases, so does the number of supported makes and models of vehicles. This technology opens the convenience to a larger number of people than would be able to buy a brand-new autonomous vehicle, expanding the connected and autonomous car sector to include older makes and models to make the roads safer for everyone.

These solutions often incorporate an external sensor (like a camera) with a device that allows commands to be sent to the OBD-II port found in most vehicles, granting direct control of the vehicle’s inner mechanisms. While the technology used in these products is remarkable, it raises the concern of unsecured connectivity being introduced to a diagnostic port – a situation that could potentially end in disaster if exploited. The merit to be gained by using such products cannot be overstated; however, just as with all things related to a connected ecosystem, security needs to be taken into account.

Infrastructure Hacking: Cyber Crime on the Rise

Last month in Detroit, Michigan, a gas station on 7 Mile and Southfield roads was the target of a crime – a robbery, specifically. What makes this incident different from the more commonplace robberies that frequently target gas stations is that the theft was not of cash or goods from within the store, but of gas itself. All the more puzzling, though, is how it was achieved.

ClickOnDetroit reports that the gas pump was hacked. Two thieves armed with what can only be called “a device” were able to gain unauthorized control of a gas pump and freely discharge gasoline from it for over 90 minutes. In that time they were able to discreetly steal 600 gallons of gas, a value of over 1,800 dollars, without anyone catching on. By having cars come and fill up directly instead of filling up barrels that might draw suspicion, the thieves were able to avoid detection, abusing the fact that the station in question was almost always busy by blending in with the natural traffic.

The threat identified by this incident is no laughing matter. The root cause stems from the over-specialization of computer systems that carry out simple transactions like gas purchases. The devices used for these applications are often only designed to carry out that specific function, making them cheap but unable to implement peripheral systems, such as cyber security. This lack of security could result in theft not only of gas, but also of the credit card information of previous customers at the pump.

It is to secure resource-constrained devices such as those found in so many Internet of Things edge-nodes that the SecureGO module of the Trillium Secure platform was originally developed. With its ability to add robust cyber security features to even the most basic automotive-grade hardware, SecureGO has the potential to introduce cyber security to the entire IoT edge-node ecosystem, securing every link in the chain that defines the interconnected world of tomorrow. As incidents like this become more frequent, the world will constantly be reminded that any defense – cyber or otherwise – is only as strong as its weakest link.

 

Connected Car Data: More Than Just a Byproduct

Given the number of computers residing in modern vehicles, it is no wonder that they generate a large amount of data during their operation. That data is used by the vehicle to facilitate its operation in real-time, but when aggregated and analyzed over long periods of time, that same data can be utilized in a myriad of ways to enhance road safety and user experience. Indeed, analysis of the data generated by vehicles is a valuable undertaking, offering both real-time and long-term benefits to consumers.

With an increasing number of sensors being used to assist drivers during travel, vehicles have the ability to learn about their environments during operation. For self-driving and other drive-assist functions, data on the locations of obstacles is a given; however, the same tools used for these services can also provide data such as road conditions, wind speeds, precipitation status and traffic conditions. Vehicles receiving this data, if communicating with a common cloud server, can share information about their mutual environment to shorten commutes and increase safety. Even simple knowledge of the vehicle’s weight during operation can allow for optimization of the car’s performance, saving fuel and time for the user.

Despite the seemingly endless use-cases for vehicular data analysis, there are still some hurdles that need to be overcome. The sensitivity of the data collected is one such example, with studies showing that while users are more likely to share “objective” data such as road conditions and the technical status of their vehicles, they are more reluctant to share more personalized data such as personal driving preferences or GPS data. The personal value of this data should not be underestimated, and legislation is quickly taking steps to enforce its sanctity. Recognizing this, Trillium is dedicated to providing GDPR (and other future legislation) compliant data management technology that preserves the privacy, confidentiality and anonymity of all consumer data it manages. Without such a solution in place, the monetization of consumer vehicle data will never become the $500 billion industry it is destined to be.

Excerpts from escar USA 2018: Making the Michigan Market

Known as one of the first regular, automotive cyber security-focused events, the escar conference series has made itself a key part of the automotive security ecosystem. Showcasing new products, strategies, and research from industry veterans and newcomers alike, escar brings cutting-edge developments together in every major automotive market. As in previous years, Trillium attended the conference alongside its industry partners and customers to help spur the innovation of the automotive cyber-security and data management field.

Escar USA 2018 is no exception, gathering automotive and security industry professionals in Metro Detroit for the sixth year in a row. The myriad of thoughtful presentations held at the venue came from both industry and academic experts, detailing possible technological solutions to problems facing connected and autonomous vehicles, new innovative technologies, and in-depth analysis of hacks performed on vehicle subsystems by researchers.

A trend that saw a significant rise in popularity at escar is the use of cyber-security methods at relatively lower abstraction levels. This includes hardware and digital signal analysis-based intrusion detection and protection systems, such as the analysis and subsequent phishing attack on clock-based intrusion detection systems by researchers at the University of Michigan, Dearborn. The university was not the only one bringing attention to hardware, with industry players also giving lectures on low-level, highly integrated embedded design analysis.

The sheer number and variety of talented individuals present at this year’s escar USA is all the proof needed to vouch for Michigan’s importance in the development of automotive cyber-security. Serving as the crossroads for the traditional automotive industry in Motor City and the new-age artificial intelligence research done in the Ann Arbor area, the mitten in the Midwest is poised to distinguish itself on a global scale. This reality is the driving motivation behind the opening of Trillium’s new Midwest Development and Operations Center. With a base of operations from which critical partnerships will be nurtured and maintained, Trillium hopes to be a leader in the advancements to come from the Great Lakes State.