Penetration Testing: Beating Hackers to the Chase Through Offensive Security

As a basic rule of any defense system, knowledge of the opponent is imperative. In The Art of War, Sun Tzu states that “He who knows his enemy and knows himself need not fear the result of a hundred battles.” The wisdom behind these words undoubtedly applies to defense in the cyber realm as well. Hackers trained to exploit and break into a system think in entirely different ways from a system engineer programming a cyber-security system. Given that someone with that set of skills is the most likely party to break through one’s cyber-defense, would a defense strategy be complete without the hacker’s perspective?

This reality is what spurs the penetration testing industry – an amplification of cyber defense based on offensive defense. By employing professional hackers to intrude upon one’s system, companies have the opportunity to discover weaknesses in their security in a controlled environment well in advance of product finalization. Defects discovered after deployment of a product can lead to expensive recalls if they can’t be remotely patched. In areas as heavily regulated as the automotive industry, heavy penalties can be incurred and the damage to the affected brand’s reputation may persist for years.

As new connectivity platforms get added to vehicles, the previously isolated internal networks become exposed to a sea of threats, many of which have never been explored in an automotive environment. The marriage of resource-constrained, streamlined ECUs, designed to perform only a limited number of tasks, with the dynamic environment of long-range wireless communications has brought about large numbers of unforeseeable data vulnerabilities. This has fueled a slew of programs dedicated to training personnel capable of testing these new connected car systems for exploits.

The demand for automotive penetration testing services is high today and is only expected to grow. With legislation like the GDPR, which threatens heavy fines for misuse of consumer data, becoming more common, automotive OEMs and fleet owners are more wary than ever. The long-term benefits of investing in pre-market penetration testing of automobiles and their accessories far outweigh the initial costs.

To ensure the integrity of any security solution, security must be treated as a high priority from the outset of any product design. By involving experts trained in hacking and exploiting vulnerabilities early in a project, the risk of a costly exploit being found later on is heavily mitigated.

Trillium’s secure platform is built with a hacker-first mindset, and the SecureGO, SecureIXS, SecureOTA and SecureSKYE modules are perpetually tested by an internal Red Team, by the Car Hacking Community at conventions like Defcon, and through ongoing partnerships with external actors. Continuous work with ecosystem partners allows Trillium to ensure that its platform is the market-leading solution for keeping connected and autonomous vehicles safe from hacker attacks.

When Cars Talk: An overview of V2X Technologies

Cars are no longer self-contained mechanical modes of transportation. Thanks to added connectivity, they are interactive members of their environment, with the ability to communicate with other vehicles, surrounding infrastructure and more. This subset of connected car features is referred to as Vehicle to Everything (V2X) systems.

V2X systems require high-speed connectivity to deliver the real-time functionality they aim to provide. This connectivity is provided by DSRC, or Dedicated Short-Range Communications. DSRC uses a protocol similar to the IEEE Wi-Fi standard, using 75 MHz of spectrum in the 5.9 GHz band exclusively for intelligent transportation systems. These systems broadcast useful data about their host vehicle including GPS position, path data, velocity, future paths, and more. Broadcast over 300 meters away at a frequency of 10 Hz, this information can be picked up by other vehicles and connected infrastructure to implement advanced vehicle safety and convenience-enhancing systems.

Vehicle to Vehicle (V2V) systems let vehicles communicate with one another wirelessly in real time, allowing them to inform their drivers of upcoming threats and obstacles. This leads to improved road safety, as cars using DSRC can be alerted to emergency vehicles coming around a corner, cars travelling in their blind spots, or hidden cars occupying a passing lane. Even in a car driven by a human, notification of these conditions can greatly reduce the risk of an accident or other incident. In cars with autonomous driving capabilities, V2V communication can be used to implement efficient platooning, improving mileage and trip time for all cars in the platoon.

Vehicle to Infrastructure (V2I) technology can be used in similar ways to V2V, increasing road safety and enhancing driver experience. Traffic signals can broadcast their color and how much time remains before they change – giving drivers ample time to adjust their behavior before approaching an intersection. Parking areas can advertise open parking spots to vehicles over DSRC, reducing time wasted roaming a parking lot to find an empty space.

Apart from V2V and V2I systems, there exists another classification of systems called Vehicle to Pedestrian (V2P). These systems involve interacting with pedestrians around a vehicle, alerting them via smartphone notification of a passing emergency vehicle, the arrival of their rideshare, or where their vehicle is located.

These technologies are a clear example of the benefit to be gained from a transportation environment occupied by connected vehicles. Allowing vehicles to interact with their surroundings and users wirelessly and in real time improves both the safety and the quality of our roads and other transportation infrastructure. As vehicles move closer to perfect autonomy, the value of their ability to communicate will only increase. As cutting-edge technologies like 5G come to fruition, the scale on which these applications can be deployed will widen drastically, and new ways to improve transportation will make their way into the world.

On-the-Road Improvements: The Value of Aftermarket Connectivity Solutions for Automobiles

The age of highly connected vehicles brings with it an armada of benefits, making use of the vehicles’ connectivity to share environmental and traffic information between cars, platooning services, and other cooperative systems that enhance the driving experience. Many of these systems also improve the safety of the roads, with collision detection and prediction systems being a key selling point of connected and autonomous vehicles.

There is a lot of benefit to be obtained from being part of the grid, from cars anonymously reporting the route they take in a given direction, so that another passenger can later use it to pick a quicker route, to alerting vehicles in the area of an accident down a certain road. The reality is, however, that many of these systems are developed with a stringent minimum level of connectivity required in the vehicle – a level not met by many vehicles on the road today. This results in legacy vehicles becoming blind spots in a transportation environment that thrives on data it gets from vehicles as they make their way throughout a city.

As the introduction of connected cars is still in its early stages, the majority of vehicles on the road will be legacy, unconnected ones. The ability for a vehicle to have internet access on the road is largely thanks to embedded telematics modules that use cellular networks to connect vehicles to cloud-based services. Services that don’t operate in real time, such as mileage statistics, diagnostic information, and over-the-air software updates, can be accomplished using a home’s Wi-Fi connection; however, most cars on the road today lack even this technology, much less dedicated SIM cards to provide data over cellular networks. The aforementioned benefits are ready to make their impression on society; however, the number of non-participating vehicles limits their effectiveness. For services like traffic prediction that rely on data aggregated from large numbers of vehicles, a low participation rate results in an ineffective system, putting the technology to waste. How, then, can these innovations find their way into today’s society? Enter aftermarket connectivity solutions.

The automotive aftermarket is a booming industry set to see a total net worth of close to $300 billion by 2020, and added connectivity is a large driver of this trend towards growth. Automotive suppliers already offer advanced telematics modules that can seamlessly integrate with any vehicle, with many talking directly to the CAN bus to receive fuel economy information, data on driving patterns, vehicle diagnostics, and other data to be used in big data analytics. Many of these modules include over-the-air update capability, guaranteeing that they remain up to date with any innovations that take place in the connected automotive industry. Rather than invest several thousands of dollars in a new vehicle, drivers have the ability to purchase a new head unit or telematics box for a fraction of the price, letting them share the benefits as well as improve the quality of the services offered. Some connectivity add-ons don’t even require such an intrusive installation and can just be plugged into the OBD-II diagnostics port, offering vehicle location services, driving logs, and more.

Some providers offer connectivity solutions through OBD-II dongles that interact with the user’s smartphone. The phone becomes a high-functioning remote control for the car, giving access to remote features as well as data analytics. Others provide aftermarket devices that fill in the connectivity holes found in most mid- to high-grade vehicles on the road today, such as Bluetooth cellphone connectivity and tire safety monitoring devices. Finally, several firms offer advanced telematics in the form of universally adaptable head units, giving users cutting-edge connectivity for a fraction of the cost of a new car. These units communicate directly with In-Vehicle Networks such as CAN without use of the OBD-II port, giving them more customization options for each individual vehicle.

For users not willing or able to invest in a top-of-the-line connected vehicle, the aftermarket is a valuable source for the ability to participate in these user-experience and safety-oriented systems. Along with the outfitting of legacy vehicles with cutting-edge connectivity, however, comes the concern of cyber security for those vehicles. Every new connection channel added to a vehicle is a potential attack vector, one that can lead to a loss of personal data, property, or life. The need for security alongside such connectivity cannot be ignored, and as such, security measures that can co-exist with aftermarket add-ons are the only feasible solution.

As the features offered as a result of this connectivity increase, so will the value one gains from having a vehicle capable of integrating with them. The need for cars to be able to be retrofitted with connectivity options cannot be overstated in the effort to improve road safety through connectivity-based strategies.

Meet Trillium at the #MobileWorldCongress!

Our telematics and connectivity team is onsite to meet with partners in mobility, telecommunications, and cellular wireless industries. To schedule a meeting with a Trillium representative, please contact event@trilliumcyber.com

The Returning Champ: Meet Trillium at Pioneers.Mobility 2018

If ever you wanted an illustration of why a startup might want to attend an event like Mobility.Pioneers, look no further than automotive cyber security company Trillium Secure. Having travelled all the way from Japan to Germany for the first edition of Mobility.Pioneers last year, they impressed the jury enough to enjoy the glory and publicity that came with victory in the autonomous track, one of three broad categories in which startups competed.

That in itself was a great return for a company making its first foray to a European event. But there was more to cheer than that. Trillium also got talking to automotive giant Volkswagen at the event, a connection which directly led to an ongoing collaboration with the corporate. And the impression they made last year also earned them an invitation to return, this time to take part in a panel discussion that reflects their growing status in the industry. Trillium’s CEO David Uze will be taking part in the What Could Future OEM Business Models Look Like? discussion on stage.

“We were humbled that the jury recognized the importance of securing vehicles and how that is fundamental to enabling autonomous drive,” recalls their Strategic Business Development Manager Adrian Sossna, who will also be present in Munich once again. “Without cyber security, there’s no autonomous drive.

“On the opening night, at the ice-breaker event, I happened to sit at the same table as Dr Zach Izham. He’s Project Manager of the Volkswagen Data:Lab in Munich. We kept in contact and he was very interested in what we were doing. Then in October last year we were selected for the VW Data:Lab program, and are now working continuously with them. So that contact was made at Mobility.Pioneers. On the day itself we had a demo set up and we got a lot of attention at our little booth. We got a lot of leads and discussions from that too.”

Fond as those recollections are, Trillium is looking forwards rather than backwards as the company continues to grow fast. And they see great value in taking part in the panel discussion next week.

“What these panels give you is the opportunity to begin a conversation about things that are industry-wide problems, with the right parties,” says Sossna. “Cyber security solutions won’t come from a startup. Nor from an OEM. And nor from a Tier 1. They’ll come from a group of companies coming together to solve different parts of a major problem. Panels enable us to start that conversation.

“One of the key reasons we’re coming back is to meet the right people from the right mobility companies. People who have an interest in our type of disruptive business model and want to do this together with a startup like ours. Having deployed and built our value system for Japan, we’re looking to have the right Go To Market partners for Europe this year.”

So which are the startups jostling for a chance to emulate Trillium’s success when the second edition of Mobility.Pioneers rolls around next week? Having narrowed down the invitation list to 100 startups, we can now also name the 20 who we’ve selected to pitch on stage – and the experts who’ll judge them. The program has been expanded from last year, and now includes four pitching tracks.

The details for each track are as follows:

SHARED USE TRACK

Startups: Caroo Mobility, MOVTZ, 2hire, Getaway, Utopian Future Technologies

Judges: Julius Rüßmann (Earlybird Venture Capital), Tian Tian Feng (Cherry Ventures) and Jens-Philipp Klein (Atlantic Labs).

ELECTRIFICATION TRACK

Startups: CIRRANTiC, AVILOO, EcoG, Lennahc, ChargeX

Judges: Olaf Joeressen (High-Tech Gründerfonds), Julien Etienne (Aster Capital)

AUTONOMOUS TRACK

Startups: TheWhollySee, Sensible 4, Humanising Autonomy, emotion3D, embotech AG

Judges: Ulrich Eisele (Fluxunit), Boris Shulkin (Magna International), Phillip Stangl (Pioneers Ventures)

CONNECTIVITY TRACK

Startups: Capricode, WeNow, High Mobility, German Autolabs, Susi & James

Judges: Christian Lindener (Wayra), Gitte Bedford (Robert Bosch Venture Capital), Marie-Helene Ametsreiter (Speedinvest)

The winning startup from each track will then get the chance to pitch on the Muffatwerk’s biggest stage at the end of the day, as they shoot for a chance to win overall. Picking the best of the quartet will doubtless be a tough job, and one we’ve entrusted to Tobias Jahn of BMW i Ventures, David Murray-Hundley of Tech London Advocates Automotive and our own Pioneers Ventures expert Stangl.

Perhaps the final word on pitching should go to Sossna, who was happy to share some advice on what helped get Trillium the thumbs-up from the judges a year ago.

“Focus on the problem that you’re solving, but be mindful of the applicability and the feasibility of what you’re doing,” he suggests. “Tie things into reality by presenting a clear business case for what you’re doing and how you’re doing it. If you have excellent tech and you don’t have the business model that goes with it, then you won’t be able to win. And if you have an excellent business model, but don’t have the tech for it, you won’t be able to win either. You have to marry the business with the technology.”

One last thing: our Match & Meet networking service is now live ahead of Mobility.Pioneers. If you need to get set up to use this great piece of tech, read on!

First head here and log in, using the same email address that you used to buy your ticket for Mobility.Pioneers. The next step is to check out the agenda and then fill out the slots in which you’ll be free for meetings. Then, if you haven’t previously filled out your match-making preferences – whom you’d like to meet, in other words – please do so.

Your personalised meeting schedule will be ready for you on February 6th, two days before the start of Mobility.Pioneers. It will also be sent in the form of Google Calendar or Outlook invites. Look out, too, for the PioBot link we’ll send out the night before Mobility.Pioneers. This is our on-event chatbot assistant, which is now even smarter at handling and redirecting queries. The latest iteration also has speaker profiles, agenda information and Match & Meet built in, so you’ll have the option to arrange your entire event via Messenger.

Original article: “Mobility.Pioneers Top Startups & Jurors Revealed: Let the Pitching Begin!” by Richard Asher
(https://pioneers.io/blog/post/mobilitypioneers-top-startups-jurors-revealed-let-pitching-begin)

Trillium an “International Success Story” at CyberTech Tel-Aviv 2018

The Trillium team is at Cybertech Tel Aviv 2018 in Israel this week, from the 29th to 31st of January.

Invited as part of the CyberTech Japan – Israel “International Success Story” summit, Trillium president and CEO, David M. Uze, joined a panel of business and government influencers set on bringing the two countries closer. A big thank you to both the Japanese and Israeli embassies for arranging this excellent event.

Trillium technology will be on display at the Startup Pavilion during the conference. To join the list for private demonstrations, kindly contact us at adrian.sossna@trilliumcyber.com

Meet Trillium Secure, Inc. and Infineon Technologies at Automotive World Tokyo, January 17-19

Trillium Secure, Inc. and leading semiconductor chip manufacturer Infineon Technologies are showcasing Automotive Cyber Security solutions at Automotive World in Tokyo, January 17-19th. The joint display follows mutual efforts to develop and deploy security solutions to protect Connected and Autonomous Cars from hacker attacks.

At Infineon’s booth (No. E55-48), Trillium will demonstrate SecureCAR, its in-vehicle network protection module, running on Infineon’s next generation Aurix platform. The demonstration will show both hardware-enhanced (HSM) and software-enhanced protection for CAN FD in-vehicle network communication.

To schedule an appointment and private demo, please contact Yukihiro.Yamamoto@trillium.co.jp.

Trillium at CYBER SECURE CAR JAPAN, September 26-27th in Tokyo, Japan

On September 26 and 27th Trillium participated in the first-ever CYBER SECURE CAR Event in Japan, held in Shinjuku, Tokyo. Apart from moderating and presenting at the conference, Trillium provided demonstrations of the SecureCAR SDK and BrainBOX automotive cyber security development platform.

A special thank you to all our customers and partners who came by our booth!

A Vision for Safety 2.0: Automotive Cybersecurity

Autonomous vehicles are here today, and unbeknownst to many, they are already on public roads, test driving next to unsuspecting traffic, before proper legislation to protect innocent bystanders has been put into place.

This reality is one that causes great concern among the few who are aware of it. There is almost no regulation at a local level, and the technology is still very much in the development phase. Even worse, much of the development is conducted on public roads, right alongside human drivers. What will prevent an experiment from turning into an accident, potentially taking lives in the process?

Luckily, you will not have to fear for the safety of public roads much longer. On Tuesday, September 12th, the US National Highway Traffic Safety Administration (NHTSA) issued its updated guidelines on development of Autonomous Drive Systems (ADS). This document helps local governments develop their own regulations, and gives businesses developing ADS a clear message of what will and will not be tolerated.

It is no surprise that vehicle cybersecurity is listed as one of the 12 essential safety design elements. Without cybersecurity, a vehicle becomes a hacker’s plaything – allowing them to take complete control of the car, including steering, braking, and acceleration. The possibilities for malicious abuse of autonomous cars are endless, ranging from extortion to remote cyber terrorism. The NHTSA stresses the importance of cybersecurity, stating that entities developing ADS “should insist that their suppliers build into their equipment robust cybersecurity features. Entities should also address cybersecurity, but they should not wait to receive equipment from a supplier before doing so.” The message is clear and urgent; implement cybersecurity at every level, and do it quickly.

Trillium agrees, and we are ready to help suppliers, developers, and OEMs implement these guidelines today. Trillium has partnered with the world’s largest automotive IC vendor, NXP, to provide support for Trillium’s SecureCAR platform on NXP’s next-generation S32K automotive microcontrollers (MCU). Our modular, multilayered approach also allows for developers of ADS technology to add cybersecurity directly onto their existing hardware today – without requiring costly changes to their underlying systems.

It is essential that the industry adopt these guidelines immediately, especially as autonomous vehicles are deployed on an increasingly large scale. As connectivity and reliance on machine learning increase, so will the damage hackers can cause. Autonomous cars are set to shift the entire transportation landscape, with companies rolling out entire fleets within the next ten years. One rogue autonomous car is a hazard; an army of hacker-controlled vehicles is an avoidable, unnatural disaster.