
Could the computer in your car be hacked?

As vehicles are increasingly computerized, researchers and industry officials consider it inevitable that cars will face the same vulnerabilities as PCs. Internal computer networks monitor and control everything from brakes, engines and transmissions to air bags and keyless-entry functions. Wireless connections, meanwhile, are becoming more common in reporting a vehicle’s position or providing information about the car’s functions. Some auto companies are creating applications to allow users to control some features in their car with their smart phone.

On 10 March 2011 there was a news update that “Researchers had found that Cars can be hacked and remotely controlled”. In this regard, these are some of the news collections that are covering it extensively:
Key findings of the research work carried out by Stefan Savage, a University of California, San Diego, computer science professor and Yoshi Kohno, a computer science professor at the University of Washington are:
  • able to “bypass rudimentary network security protections within the car”
  • “adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine and so on”
  • an attack could embed malicious code in a vehicle and then erase any evidence of its presence after a crash
  • found ways to compromise security remotely, through wireless interfaces like Bluetooth, mechanics’ tools and even audio files.
  • In one example, a modified song in a digital audio format could compromise the car’s CD player and infect other systems in the vehicle.
  • Researchers were able to “obtain complete control” over the car by placing a call to the vehicle’s cell phone number and playing an audio signal that compromised the vehicle.
Key findings of Research teams at Rutgers University and the University of South Carolina:
  • showed vulnerabilities of in-car wireless networks that operate tire-pressure monitoring systems that tell motorists if their tire needs more air. From a distance of 40 meters, they bypassed security to tap into information identifying the tire and tire pressure of cars driving down the road.
Some important quotes to be noted are:
  • “I hope it’s more of a warning for the engineering groups that certain systems are vulnerable,” said Ivan Seskar, associate director for information technology at the Wireless Information Network Laboratory at Rutgers University.
  • “When people first started connecting their PCs to the Internet, there wasn’t any threat, and then over time it manifests,” said Stefan Savage, a University of California, San Diego, computer science professor who conducted the research. “The automotive industry, I think, has the benefit of the experience of what we went through.”
The United States Council for Automotive Research, a group funded by Detroit’s auto companies, is also forming a task force to study the issue, said spokeswoman Susan Bairley.
Research Papers can be accessed from here. The project Electronic Vehicle Controls and Unintended Acceleration has been completed and the reports have been generated that can be read from here:


======================

Looking for a Solution

======================

Security in automobiles is becoming the number-one priority for manufacturers. The share of electronic components inside cars is larger than ever, and the reliability of their software has become a prime concern. Consortia between manufacturers (Autosar, Jaspar, …) have been created to standardize the management software of electronic systems for the automobile industry.
Different security needs have been explored by the automobile industry including:
  • the need to secure the security software components on board the cars (starting system, braking system, ABS emergency braking system…)
  • the securing of the control station updates for the manufacturer car dealers.
  • the need for quality control by software certification especially for subcontracted software.
Validy Technology, by ensuring the integrity of the embedded software, protects all the equipment from all possible forms of piracy.

Validy Technology: A program protection method that really works

Validy Technology (VT) is a program protection method. It uses a secure coprocessor and manipulates variables mandatory for the correct execution of the program inside this coprocessor.

The secure coprocessor uses a silicon chip which can take several different form factors: 

  • USB key, 
  • SIM Module, 
  • MMC Card, 
  • Smart card, 
  • SMD device…

VT is effective against software piracy as well as against software and data tampering: it not only prevents illicit program execution but can also ensure that program execution is not altered and that program data is not copied or modified, even when execution is taking place in a hostile environment.

VT is based on a “subtractive” protection method, hiding “critical portions” of the program in the coprocessor, but instead of securely executing “Remote Procedure Calls”, it secures part of the program state. In other words, it permanently keeps some of the program variables in the coprocessor, and during execution of the program the values of the variables residing in the coprocessor are modified. VT ensures secure execution of the modifications by sending encrypted instructions to the coprocessor (instructions are encrypted at compilation time). Only when absolutely necessary is the value of one of the variables residing inside the coprocessor, or even better, information derived from one or several of those variables, transmitted back to the main part of the program. VT security is based on the extreme difficulty for an attacker to regenerate correct values during those transmissions.

For added security, the coprocessor continuously monitors the conformance of the instruction flow to what was planned at program compile time. To this end, the coprocessor architecture and instruction set are designed with the addition of special fields allowing automatic real-time monitoring of the chaining of the instructions. This security mechanism is simple to implement yet extremely powerful. If the coprocessor detects an anomaly, it can take retaliation measures forcing the program to stop: if the coprocessor stops working, part of the program state is suddenly missing and the program cannot continue working.
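
A toy model of the two mechanisms just described, as an added example (not Validy's code or instruction set): a variable that lives only in the coprocessor, and a chaining field checked on every instruction. The HMAC tag, key, opcodes and class names are assumptions made for illustration; instruction encryption is not modelled.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret known to compiler and coprocessor
START = b"\x00" * 8            # assumption: initial chaining value

def chain_tag(prev, op, operand):
    """Chaining field: MAC binding an instruction to its predecessor's tag."""
    msg = prev + op.encode() + operand.to_bytes(8, "big", signed=True)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

def compile_program(ops):
    """'Compile time': emit (op, operand, tag) with each tag chained to the last."""
    prev, out = START, []
    for op, operand in ops:
        prev = chain_tag(prev, op, operand)
        out.append((op, operand, prev))
    return out

class Coprocessor:
    """Holds a program variable; the host only sees it through GET."""
    def __init__(self):
        self._value, self._prev, self.halted = 0, START, False

    def execute(self, op, operand, tag):
        if self.halted:
            return None
        if not hmac.compare_digest(chain_tag(self._prev, op, operand), tag):
            # Anomaly in the instruction flow: stop and drop the hidden state.
            self.halted, self._value = True, None
            return None
        self._prev = tag
        if op == "ADD":
            self._value += operand
        elif op == "MUL":
            self._value *= operand
        elif op == "GET":
            return self._value
        return None

def run(program):
    """Host side: stream instructions, keep the last value sent back."""
    cp, result = Coprocessor(), None
    for op, operand, tag in program:
        out = cp.execute(op, operand, tag)
        result = out if out is not None else result
    return result, cp.halted

# Constructed sample program: ((0 + 5) * 3) - 1, then read the result back.
SAMPLE = compile_program([("ADD", 5), ("MUL", 3), ("ADD", -1), ("GET", 0)])
```

Dropping, reordering or altering any instruction in `SAMPLE` makes `run()` return `(None, True)`: the coprocessor halts and the value the host needs is gone.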

With the execution of a few coprocessor “XOR” instructions or with the execution of a specially designed coprocessor “MutualCheck” instruction, this security mechanism is simply extended to mutually protect several different computations executed inside the coprocessor, i.e. if one computation is modified or suppressed, another one will fail. Mutual protection, in turn, greatly enhances VT protection abilities:

  • Mutual protection prevents an attacker from using a “divide and conquer” approach to gradually remove protections.
  • Mutual protection allows the coprocessor to verify program integrity during execution by executing integrity checks that cannot be removed. One very effective such check is to verify that the calling graph of the program is not modified.
  • Mutual protection allows a background thread to protect real time threads.
  • Mutual protection allows protected programs to protect one another. For instance, to attack a client program, one must also attack the server program.
  • Mutual protection allows data protection by permitting effective generation/check of data authentication information or by permitting effective encryption/decryption of data.


VT rests on well-known computer science principles. Its implementation doesn’t present major stumbling blocks and doesn’t require secret know-how. VT doesn’t require a secure machine to execute but just a secure coprocessor. It can work with any operating system or even with embedded systems.

Protection of a program must be done by the software publisher creating or maintaining the program. During the protection of a program, most of the protection work is automatic because moving variables to the coprocessor and modifying them there is a classical compilation problem similar to the use of an arithmetic coprocessor. Most of the program integrity verification (for instance verifying the chaining of the instructions or protecting the calling graph) can also be automated with a compiler.

Several manufacturers already build secure microcontrollers that can be used for VT. Those components are generally designed for banking card applications; they have a low price tag and a high security level. With an appropriate program runtime and microcontroller firmware, the microcontroller can be seen by the program as a “loosely coupled” coprocessor, plugged for instance into the USB bus, without requiring any hardware change to the machine.

Despite the loose coupling between the main processor and the coprocessor, the execution inside the coprocessor takes place concurrently with the execution of the main part of the program and the program slowdown is minimal.

We have gone all the way from inventing the concepts, protecting the intellectual property, implementing a USB coprocessor and the associated runtime for Windows, implementing two compilers (one for Java and one for .NET) to finally demonstrating that protected programs are running with acceptable performance. We now intend to grant licenses to interested parties. If anyone is interested in the Validy Technology, then feel free to contact us. CYBER COPS India will be happy to provide expert services with the original inventors and the patent holders – Validy Net Inc.





Neelabh Rai
Cyber Entrepreneur
Independent Cyber Security Researcher
CYBER COPS India
www.cybercops.in

“Protect your software from Piracy, IT Systems from Sabotage by using ‘patented’ Validy Technology”
