Cybersecurity Career Path
OPINION
In 2010, security researchers at the University of California San Diego and the University of Washington demonstrated that messages can be injected into the Controller Area Network (CAN) of a vehicle.
Controller Area Network
CAN is essentially the raw representation of byte code running on a vehicle’s electric wiring. The bus architecture was released in 1986 at the SAE Conference in Detroit, MI. Since then, every vehicle past 1991 has used this architecture. There are many other architectures that precede CAN.
It wasn’t until 2014, four years after the concept of injecting CAN messages into the CAN bus was demonstrated, that two researchers, Charlie Miller and Chris Valasek, demonstrated the first Remote Code Execution (RCE). By chaining multiple vulnerabilities on the vehicle stack, they were able to fully control a vehicle. In many video interviews they demonstrate to reporters what a malicious actor can do when they are on your CAN bus. This includes controlling your steering wheel, braking, and ignition, and even killing the engine completely.
The fact that security researchers were able to remotely communicate with the CAN bus over a remote connection paints a dark picture for the future of mobility.
Death From Hacking
We’re lucky to see that in the past 5 years there have been no vehicle-related deaths involving a remote attack. The paper published by Miller and Valasek required vulnerabilities in OnStar, misconfigurations in cell towers, and in-vehicle infotainment to mount this attack. The fact stands that this is a real threat. Given this, is death by a cyber attack inevitable? We will take a look back at history to answer this question.
The Pioneers of Hacking
Phone freaks, or “Phreakers”, were known as some of the first hackers, dating back to the 1970s. They reverse engineered the frequency emitted by rotary phones to enable free calls. At this point, telephone switches were used to connect callers together. Hackers emitted the same 2600Hz frequency to bait the telephone switch into thinking the call was over, while it actually kept the phone line open for them to use for long-distance calls. Other early adopters of phreaking included Steve Wozniak and Steve Jobs.
It was around this time that the ARPANET was established as the first four nodes of what was to become the backbone of the internet. It was founded and used by the Department of Defense. The advancements in technology up until its dismantlement included telnet, DNS, FTP, SMTP, and of course, the World Wide Web (WWW).
Securing technology is standing on the shoulders of giants and trying not to fall at the same time.
In 1988, the first internet worm infected 7,000 computer systems and slowed them to a halt. This was known as the Morris Worm. With just 90 lines of code, the worm had the ability to wipe out 10% of the computers online at the time. The diaspora of protocols and network infrastructure enabled the Morris Worm to be as destructive as it was.
In 2007, Apple released the first iPhone, which gave way to the computers in our pockets that we hold so dearly today. The first attacks included an attempt on the GSM network to break encryption, WiFi attacks on WPA, and jail-breaking. The writing is on the wall: even modernized computers such as our mobile devices are still as vulnerable as the WWW during its heyday. A car accident induced by vulnerabilities within its technology stack is inevitable. This is the curse of innovation: there will always be a need to manipulate it.
This parasitic relationship between technology and security is the harsh reality.
It will always be easier to break things than to fix and maintain them.
With cars, it’s only been five years since the first attack on CAN. Vehicles have many other layers of abstraction to secure besides the CAN protocol, including Bluetooth, wireless, hardware, cellular, and radio. How can these be future-proofed as well?
Confidentiality, Integrity, Availability and… Safety?
With car-related incidents, the attacker’s motivation shifts to chaos and disruption. Before then, cyberspace attacks only exploited things in the virtual realm. As devices are being connected, our privacy and safety are at risk. The CIA model that security professionals hold on a pedestal will soon include “Safety” (CIAS).
There is also a war occurring behind closed doors, a virtual war that consists of espionage and politics. Nation states will often fund hacking groups as an arm of their military to mount attacks on enemies to exfiltrate data and spy. How enticing would automotive exploits be to these groups? All they would need to do is buy a vehicle or exploit on the dark web for a specific make/model (possibly the most common car in the US), send malicious packets to the vehicle and V2X infrastructure, and have all of those cars turn right and kill their engine. A total shutdown of interstate highways.
If you think the traffic was bad in California or New York, think again.
Human lives are on the line, and the wave of connected mobility and devices is coming. Securing devices at the edge is more important now than ever. Taking a look back at history, you realize that these physical attacks and cyber-related deaths aren’t too far from reality. The automotive industry is coming out of the recent recession, and it’s hard to imagine that security is high on its list.
Translated from: https://medium.com/lotus-fruit/automotive-security-the-road-ahead-of-us-3fa60c9c6a9