I visited last week the IAA in Frankfurt, Germany. IAA stands for International Automobile Exhibition and takes place every year in Frankfurt, Germany.
This is the place where every year the latest cars are being presented but also the newest technologies around cars.
This year it was a lot about mobility, interaction, autonomous parking and driving, interconnectivity between cars and IoT.
I went there to address more the car parts suppliers (Tier 1 and 2) than the car manufacturers. For us it was more interesting to get involved in the devices that are easily and directly attackable. Things like entertainment systems, connected devices of the car, GPS devices,etc..
Not a single car parts manufacturers we talked to wants to openly speak about security. Not because they don’t have it or because they don’t address it. My impression was that speaking about security is like speaking about something that nobody wants to happen?
The most used argument was: “Why would anyone hack us/our device? They don’t have anything to gain.”
I wrote a dedicated post about this visit and what I think about the state of cyber security in cars.
The other argument I’ve heard was:
But the connection to all backend(s) is encrypted, so the device is secure!
Because cars run also (a lot of) software, I decided to write this post about Encryption and IT security.
Encryption is a measure to enhance security because it can protect files and data. It is important, but alone, it definitely doesn’t make a system secure.
Security has the following aspects which are called the “CIA triad”. This definition is highly disputed by the security community and there are also other models that extend these three aspects (Parkerian hexad (Confidentiality, Possession or Control, Integrity, Authenticity, Availability and Utility) and the non-repudiation model).
But, what is the “CIA triad”?
No, “CIA” in this case is not referring to the “Central Intelligence Agency”. CIA refers to Confidentiality, Integrity and Availability.
Applied to IT, we can talk further on about “Confidentiality of Information”, “Integrity of Information” and “Availability of Information”.
It is not the scope of this post to go into details about what they mean, I just want to round the story behind “Encryption”.
For more details about the CIA triad please check Wikipedia.
Confidentiality: protecting the information from disclosure to unauthorized parties.
You got it: Encryption in particular, and cryptography in general, helps to protect information from being disclosed to unauthorized parties.In other words, it keeps information confidential.
Integrity: protecting information from being modified by unauthorized parties.
As with Confidentiality, cryptography plays a very major role in ensuring data integrity. Hashing helps to protect data integrity. However, this means that the hash of the original data must be provided to you in a secure fashion.
Availability: ensuring that authorized parties are able to access the information when needed.
Information that you can’t access for whatever reason, is useless.
Encryption of information helps a lot to increase the security of the data, especially of the data in transit. The entire transfer security across the web (SSL, TLS) is based on cryptography and encryption in particular (but not only!).
A system is as secure as its weakest component. If the component resides behind the encryption layer (which usually is the one where the data leaves or enters the system), then the Integrity and possibly Availability of the data is compromised, despite the fact that it is transferred encrypted.
And if this happens, the compromised data is going to be transmitted encrypted, so very secure, but nevertheless compromised.
Going back to the car, if you look at the pictures in the article, you will see that all those lights are sensors and processors which communicate with each other via the CAN BUS (Controller Area Network). If one of them is compromised, it will send invalid data to the others and the consequences are unpredictable. The data will leave the car encrypted and will be decrypted on destination, but the information is compromised. This means that the Encryption did its job to protect the confidentiality and integrity, but overall the car is not at all secure.
Sorin Mustaca, CSSLP, Security+, Project+
Independent IT Security Consultant