Intra-computer buses like PCI get by without that.
Linux and automotive computing security
Posted Oct 10, 2012 21:12 UTC (Wed) by dlang (subscriber, #313)
and how much security do you have on a PCI bus protecting you from a rogue card?
(although, PCI actually does have a slot ID, so the main system can do some source validation. This is actually used with some virtualization systems, but answering the question in the spirit asked, rather than being picky about the particular bus used as an example)
the problem is that the CAN bus is not within a computer, it's connecting many different computers together to form the car's overall network. Not all of the devices on the network should be equally trusted.
Posted Oct 10, 2012 21:29 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
I shudder to think that my car's tire pressure sensors would use IPv6 to talk to the central computer. That's just... inelegant.
Posted Oct 12, 2012 13:34 UTC (Fri) by peter-b (subscriber, #66996)
Posted Oct 12, 2012 15:13 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
Posted Oct 12, 2012 17:21 UTC (Fri) by rgmoore (✭ supporter ✭, #75)
OTOH, security researchers have successfully hacked a car's computer system through the tire pressure sensors, which displays a certain inelegance in the current system. The tire pressure sensors are actually an especially vulnerable point, because the only mechanically elegant way of transmitting information between the wheels and the rest of the car is with some kind of wireless communications.
Posted Oct 12, 2012 22:06 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
The car-local network is a postcard example for a local airgapped network. It makes no sense to try to make every component secure, it's much better to have a secure perimeter where any external data input is treated as potentially malicious.
Tire-sensors and the law
Posted Oct 13, 2012 2:29 UTC (Sat) by Max.Hyre (guest, #1054)
Now who would want that?
(/me puts tinfoil hat back on)
Posted Oct 14, 2012 21:57 UTC (Sun) by rgmoore (✭ supporter ✭, #75)
I think I've actually described it wrong; the problem is not with the tire pressure sensors, per se, but with the receiver. The designers seem to have treated the pressure sensor and receiver as a unit that was entirely inside the car, rather than treating the signal from the pressure sensors as an untrusted input. Researchers were able to crack the receiver by sending a spoof signal.
I think this is a good example of the drawback of relying on perimeter security; it's brittle. If you fail to consider one source of potentially malicious data (or consider it but fail to secure it adequately), the whole system falls apart. I think you'd be much better off with some kind of defense in depth so that a single security failure doesn't bring down the whole system. Otherwise, you're left with a car that can be hacked because the designers didn't think that somebody might spoof the signals from the wireless tire pressure sensors.
Maybe a full encrypted and authenticated TCP/IP stack is overkill, and a better CAN implementation can provide an adequate level of protection. But basing everything, including the internal message bus, on a standardized platform that's known to have good security seems like a big step forward.
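As an added illustration of the point above (this is example code written for this page, not code from the thread, from any car maker, or from any real TPMS or CAN implementation), the following contrasts a receiver that treats the sensor and receiver as one trusted unit with one that treats the radio link as an untrusted input. The frame layout, the per-sensor keys and the use of a truncated HMAC-SHA256 tag plus a monotonic counter are all constructed assumptions for the demonstration; the layering (authenticate, then reject replays, then sanity-check the value) is the defense-in-depth idea rgmoore describes.

```python
import hashlib
import hmac
import struct

# Constructed toy frame format (not a real TPMS or CAN layout):
#   sensor_id (4 bytes) | counter (4 bytes) | pressure_kpa (2 bytes) | tag (16 bytes)
FRAME_FMT = ">IIH"
HEADER_LEN = struct.calcsize(FRAME_FMT)  # 10 bytes
TAG_LEN = 16                              # truncated HMAC-SHA256


def build_frame(key: bytes, sensor_id: int, counter: int, pressure_kpa: int) -> bytes:
    """Encode a sensor report and append an authentication tag over the body."""
    body = struct.pack(FRAME_FMT, sensor_id, counter, pressure_kpa)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class NaiveReceiver:
    """Sensor and receiver treated as one unit: any well-formed frame is believed."""

    def __init__(self):
        self.pressure = {}

    def handle(self, frame: bytes) -> bool:
        if len(frame) < HEADER_LEN:
            return False
        sensor_id, _counter, pressure = struct.unpack(FRAME_FMT, frame[:HEADER_LEN])
        self.pressure[sensor_id] = pressure  # accepted without any trust decision
        return True


class HardenedReceiver:
    """Radio link treated as untrusted input: several independent checks must all pass."""

    def __init__(self, keys: dict, min_kpa: int = 100, max_kpa: int = 400):
        self.keys = keys              # sensor_id -> per-sensor key (provisioned at install)
        self.last_counter = {}        # sensor_id -> highest counter seen
        self.pressure = {}
        self.min_kpa, self.max_kpa = min_kpa, max_kpa

    def handle(self, frame: bytes) -> str:
        """Return 'ok' or the name of the first check that rejected the frame."""
        if len(frame) != HEADER_LEN + TAG_LEN:
            return "bad_length"
        body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        sensor_id, counter, pressure = struct.unpack(FRAME_FMT, body)
        key = self.keys.get(sensor_id)
        if key is None:
            return "unknown_sensor"          # only paired sensors are listened to
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "bad_tag"                 # frame was not produced with this sensor's key
        if counter <= self.last_counter.get(sensor_id, -1):
            return "replay"                  # old frame recorded and re-sent
        if not (self.min_kpa <= pressure <= self.max_kpa):
            return "implausible"             # authenticated but physically nonsensical value
        self.last_counter[sensor_id] = counter
        self.pressure[sensor_id] = pressure
        return "ok"


def demo() -> dict:
    """Run both receivers over constructed frames and report each decision."""
    keys = {0x1001: b"front-left-key-constructed-example"}
    genuine = build_frame(keys[0x1001], 0x1001, 1, 220)
    # Test vector: a frame carrying a bogus reading, built without the sensor's key.
    forged = build_frame(b"not-the-real-key", 0x1001, 2, 0)
    naive, hardened = NaiveReceiver(), HardenedReceiver(keys)
    return {
        "naive_accepts_forged": naive.handle(forged),
        "hardened_genuine": hardened.handle(genuine),
        "hardened_replay": hardened.handle(genuine),   # same frame a second time
        "hardened_forged": hardened.handle(forged),
        "naive_pressure": naive.pressure[0x1001],
        "hardened_pressure": hardened.pressure[0x1001],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks matters for the failure modes discussed in the thread: the tag check runs before the plausibility check, so a forged frame is rejected for what it is rather than being silently tolerated only while its payload happens to look reasonable, and the counter means that even a captured genuine frame cannot be re-used later. Any one of these layers could be wrong without the whole design collapsing, which is the difference from relying on the perimeter alone.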
Posted Oct 15, 2012 1:36 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
If you try to replace it with Ethernet then you'll get loads of problems, starting with a requirement to have point-to-point connections between endpoints and switches and then moving on to DoS protection and priority-based transmission.
And security guarantees won't get any better - Ethernet does not guarantee anything.
Posted Oct 10, 2012 21:18 UTC (Wed) by smurf (subscriber, #17840)
funny - thanks
Posted Oct 11, 2012 5:03 UTC (Thu) by ds2horner (subscriber, #13438)
Posted Oct 16, 2012 17:55 UTC (Tue) by Baylink (guest, #755)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds