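The Connectivity forum at the SAE 2016 World Congress (2016 SAE Congress forum on Connectivity) sounded more like a military operations meeting held in a war room, with terms such as "notification of attack" and "assets deployed" coming up at any moment and everyone talking about topics such as "new alliances" and "global risks." In a sense, this forum really was a "war council."
Today, cybersecurity problems brook no delay, and the industry must come up with advanced measures to actively defend against cyberattacks. On this question, the auto industry's answer is very similar to the aviation industry's: establish an Information Sharing and Analysis Center (ISAC).
Faye Francy, executive director of the aviation ISAC, explained that the center can provide a framework for collecting information and anonymously analyzing any common threat that could attack all manufacturers' architectures. Like the aviation ISAC, the automotive ISAC, which has just begun operating, will also serve as a central intelligence-gathering hub, tracking cyber threats within the auto industry and identifying common vulnerabilities in electronic components; that is, it will focus mainly on threats that could affect more than one manufacturer.
The automotive ISAC was formed by two industry associations and currently has 22 members. Francy said, "To some extent, you could say we are all under attack all the time."
At this year's Congress, forum experts highlighted from several angles the problems caused by malware intrusion into vehicles. Brian Murray, global director of Safety and Security Excellence at ZF TRW, said the threat of hackers will "destroy people's trust."
Dan Massey, cybersecurity program manager at the U.S. Department of Homeland Security (DHS), said, "If people feel that something is unsafe, whether that is actually the case no longer matters; even if no actual harm has occurred so far, that will not change how people see it." In addition, Doug Britton, CEO of Kaprica Security, said, "As long as harm exists, it will cause people's concern, and exactly how many times it has occurred usually does not matter."
"Individual incidents are enough to alert the public; you don't need to count whether the number of incidents reaches 50,000," Britton said. "Usually 10 cases are enough to get people's attention."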
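A vulnerability in the "ABS anti-lock" system's service command
Andrew Weimerskirch, a cybersecurity expert at the University of Michigan, pointed out that a command to disable the vehicle's anti-lock braking system (ABS) is often used during vehicle servicing, and that this command risks exposing a serious vulnerability. For many years, automotive service technicians have used this command to bleed air from the anti-lock module in the vehicle's hydraulic brake system. To take the most common example, when replacing a vehicle's brake modulator line, a technician first uses this command to purge all air from the circuit and ensure that brake fluid fills the entire circuit.
Generally speaking, nearly every scan tool on the market, even the most basic, has the ABS disable function built in, and a hacker can access this command through the OBD II gateway or an installed dongle, which makes the function an automotive cybersecurity vulnerability. Weimerskirch said, "This function should not exist at all."
However, given the ABS control configurations of most current models, isolating this function may not be simple. More importantly, the ABS disable function is only one of the threats we face. ZF TRW's Murray addressed the overall problem of protecting "vehicle service security"; he told attendees that electronic service settings and trouble code modifications are generally made late in vehicle development, mainly for warranty purposes.
Dan Massey of the Department of Homeland Security also raised weaknesses that some built-in functions may expose. He said, "Sometimes my daughter, who is only in fifth grade, can pair her own phone with someone else's car."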
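The effect of Right-to-Repair laws
Under state Right-to-Repair laws, such as the regulation about to be introduced in Massachusetts, all auto repair shops, even independent shops that are not authorized, can obtain the full set of vehicle diagnostic commands. In other words, as long as they are willing to pay the access fees, essentially anyone can get these commands. Although dealer technicians should be "trustworthy," several cybersecurity experts, including Weimerskirch, have made one message clear: vehicle security protection must be built on the premise of "securely passing through the vehicle's OE information," that is, ensuring that no one, technicians included, can modify the vehicle through external functions.
However, these cybersecurity experts must themselves deal with the problems these vehicle commands bring. For example, under Right to Repair, Volkswagen would have to publish information about the software that controls operation of the electric power steering and shuts off the engine.
ZF TRW's Murray said the remote key fob has also become a serious vulnerability. He reminded the audience, "If you lose your car key, you should turn that key into a 'brick.'"
Weimerskirch told the session that many ideas for improving automotive cybersecurity have now emerged. But first there must be a test platform so that developers can validate these ideas. Kaprica's Britton also addressed a related issue: we must make sure these various ideas "do not exist only in piles of documents."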
Author: Paul Weissler
Source: SAE Automotive Engineering magazine
Translation: SAE Shanghai Office
New auto "ISAC" is framework for improved cybersecurity
The 2016 SAE Congress forum on Connectivity sounded like a meeting in a war room—peppered with terms like "notification of attack" and "assets deployed" along with talk of "new alliances" and "global risks." And in a sense, it was such a discussion.
The urgency of the cybersecurity topic has created the need for advanced approaches to defense. The auto industry has formed an overarching answer that is similar to what already has been done in aviation—an Information Sharing and Analysis Center (ISAC).
The aviation ISAC is a framework to collect for analysis, anonymously, anything that could attack all OE architectures, explained Faye Francy, executive director. The automotive equivalent, which has just become operational, also will serve as a central hub for gathering intelligence to track cyber threats and identify weaknesses in vehicle electronics that are common to more than one manufacturer.
Auto-ISAC, formed by two industry associations, has 22 members. "We're all getting attacked at some level," Francy said.
The openness of the automobile to malware intrusion was one issue addressed in different ways by the forum panelists. The threat of hackers "drives a wedge into people's trust," said Brian Murray, ZF TRW Global Director of Safety and Security Excellence.
If there's a perception that something is not safe, it doesn't matter to the public, even if there is no physical or kinetic damage to date, added Dan Massey, program manager on cybersecurity at the U.S. Department of Homeland Security (DHS). And when there is damage, the absolute numbers often aren't important, claimed Doug Britton, CEO of Kaprica Security.
"A small number is enough; you don't need 50,000," Britton noted. "You could do it with 10."
ABS service command an issue
A serious issue could be posed by so common a vulnerability as the command to disable the vehicle’s ABS (anti-lock brakes) actuator, noted Andrew Weimerskirch, cybersecurity researcher at the University of Michigan. Automotive service technicians have had to use this command for many years to permit bleeding the ABS section of the hydraulic brake system, particularly when a new brake pressure modulator valve assembly is installed, so as to purge any air and fill the circuits with brake fluid.
The ABS disabling capability is routinely built into all but the most basic scan tools, and a hacker accessing it through an OBD II gateway or an installed dongle could raise it to the level of a threat. "This command should not exist," Weimerskirch said.
However, with current ABS control configurations, isolating it is not necessarily simple on many cars. And it’s just one example. The entire problem of secure service access was observed by ZF TRW's Murray. He told the attendees that electronic service decisions and trouble code modifications typically come late in the vehicle design cycle, when warranty concerns may be raised.
The present level of built-in vulnerability was raised by the DHS's Dan Massey. "Sometimes my fifth grade daughter has been able to pair her phone with another car," he reported.
Effect of Right-to-Repair laws
The effect of Right-to-Repair laws, such as the impending one in Massachusetts, means that access to problematic commands will be available to all garages, not just independent ones—effectively to anyone willing to pay the access fees. Although the dealer technician may be "more trustworthy," cybersecurity specialists including Weimerskirch have made it clear that the protection must be based on passing through packets of needed OE information without an externally-inserted ability to change it.
However, the cybersecurity specialists must deal with the issue of the commands themselves. Under Right to Repair, Volkswagen, for example, would have to release the software that permits operating the electric power steering rack and shutting off the engine.
The remote key fob, an established entry point, also has become a serious vulnerability, ZF TRW's Murray said. "If you lose the keys to a car, you can effectively turn it into a 'brick,'" he told the audience.
There are many ideas to improve automotive cybersecurity, Weimerskirch told the session. But first a test platform is needed, to enable researchers to validate them. A related issue was cited by Kaprica's Britton: it's important that the flow of ideas "doesn't also translate into a big bill of materials."
Author: Paul Weissler
Source: SAE Automotive Engineering Magazine