In episode 26 of Software Security Gurus, Matias Madou chats to Sven Schran, Program Manager, Security Engineering at Robert Bosch.
They discuss the rapidly growing embedded systems software industry, including the general security considerations during the development lifecycle. They also go in-depth on automotive security, where technological advancements and global demand shape an ever-evolving threat landscape. Finally, Sven gives us insight into ASRG, the community of automotive security enthusiasts that are making a splash all over the world.
Want to nominate a guru? Get in touch!
Visit ASRG
Security considerations in embedded systems software development: 03:16
Automotive security in the autonomous vehicle era: 09:04
ASRG: A community of automotive security enthusiasts: 18:50
Matias Madou:
Welcome to the Software Security Gurus webcast. My name is Matias Madou. I'm the CTO and co-founder of Secure Code Warrior. With me today, I'm very pleased to have Sven Schran.
Matias Madou:
And welcome, Sven.
Sven Schran:
Hello. I'm glad to be with you today.
Matias Madou:
Fantastic. Sven, do you mind saying a few words about yourself?
Sven Schran:
Sure. So, like Matias mentioned, my name is Sven Schran. I'm working now for nearly 14 years in the automotive industry. I started with development of basic software, which means network communication, diagnostics, memory stick things, and so on. And since a little bit more than four years now, I take care about the product security in the automotive business. My company is the Robert Bosch [inaudible 00:01:03], which is one of the biggest automotive suppliers in the world, so we have business with nearly every car manufacturer, which is placed somewhere in the world.
Matias Madou:
Nice.
Sven Schran:
And every... I think we have also a very good overview.
Sven Schran:
And, in my free time, I'm engaged in the Automotive Security Research Group, which is an open community where we share also information between hobbyists, professionals, and also academic people. And in this organization, I lead the European Region.
Matias Madou:
Fantastic. And I definitely want to chat about that during the webcast. But the first thing that strikes me already is I see that a lot when, back 20 years ago, people were working in open source in their spare time, and it became critical components in all systems. Same for web security. There's OWASP. People do that in their spare time but it is super important and seems that you have a very similar story. And, in general, the automotive industry has a similar story.
Matias Madou:
You do this in your spare time but, at the same time, it's hugely important and super critical in the world.
Sven Schran:
Yes, it is.
Matias Madou:
So, thank you very much. Thanks for coming on. And I actually have three topics in mind, and I'll park the ASRG one for now because you're the, I think, the first one that has real embedded security and systems experience for 14 years. So, I would love to dive a little bit deeper because, quite often, people on the webcast have web experience but not really C, I guess, C++, a very low level, assembly level, quite often, experience with systems.
Matias Madou:
So, when I think about web development and companies in web development, I quite often see, well, they have a breach and then they do a pen test and from a pen test, and they go to static analysis because they want to find more of these problems. And from static analysis, they go to educate the developers.
Matias Madou:
Is there like a natural progression in embedded systems where people go through a couple stages before they really grasp on to securing and designing embedded systems with security in mind?
Sven Schran:
Yes, it is. So, for the automotive industry, let me start with this. We are compared with other industries like the web application or the IT industry. In general, we are very late to take care about security, to be honest. So, we woke up, I would say, seven or eight years ago, really by this famous publication from the guys, Miller and Valasek, this famous Jeep hack. So, this publication, the whole industry start investing a lot of money in this direction because they phased out it is possible to hack a car and to take the control away from the driver. And this is a very important thing because the automotive industry before took a lot of care about functional safety. So, to prevent horrible accidents and accidents by folds in the hardware, and so on, and just shows, okay, you can take care about safety, but if a hacker is possible to take over the control, then he can make malicious attacks, which leads again to some accidents, right?
Sven Schran:
And then, therefore, we started to take care. So, what we do in the time, we can learn a lot from the IT industry, for example. But we have to challenge that. Especially in my work area, we take care, like you mentioned, of embedded systems, and here the big difference is mainly the resources. So, we have not huge resources like the servers in the web application, for example. We have only small room. And also, you need to take care about... and the run time of the functions, and so on. But we need to take handle security measures to mitigate the risks, finally, with these reduced resources. And this is one of the main challenges that we have. So, we cannot install, for example, 100 certificates for each user or develop or test engineers, something like that. And we can also not let run on the embedded device some functionalities, which consumes a lot of runtime in the background for security calculations because the runtime is, for sure, also used for the critical calculation.
Sven Schran:
So, if you imagine your car is going instable in the curve, you would not take the complete runtime for security calculations. You want to control somehow the brake system and the steering systems of the car, we're not going away from the street.
Sven Schran:
And we have also placed the process, a security process, where we learned, on one hand, from the safety experience from the past but also from the security best practices from the other industries. So, normally, we start also to do a threat and risk analyses, to know which threats really available for the different products or systems or the whole cars itself, or the [inaudible 00:07:19] and systems which are communicating with the cars, and so on.
Sven Schran:
And there, we figure out what we have for big risks. And this risk, we take care to develop security concepts, which are possible in the embedded world as well, and to mitigate the risks, finally.
Sven Schran:
And also, if you look on the software side, we do also static or dynamic code analyses, [inaudible 00:07:49] testing, pen testing, on the systems to find also out additional threats that we might not have in mind before in the theoretical analyses.
Matias Madou:
One thing I'm always learning too, because now you're talking about the embedded systems and the limited resources, but I thought there were.... These embedded systems, they become larger and larger. What's on a chip today is almost a computer of 10 years ago or even 5 years ago.
Sven Schran:
Yes.
Matias Madou:
I don't know.
Sven Schran:
Yes.
Matias Madou:
So, while you say limited resources, at the same time, if that becomes a full computer, I think that poses a risk as well because suddenly you can... It is so powerful, that embedded system, that more powerful attacks are possible, or taking control of that chip makes more powerful attacks and possible against other components in the car, for example.
Matias Madou:
So, I would say that poses a risk as well, no?
Sven Schran:
Yes, this is true. So yes, there is reduced resources for several devices. The interest of the car manufacturers is to have cheap systems, right?
Matias Madou:
Yeah.
Sven Schran:
And if this is the requirement, then we are limited and we have to look on the chip who can fulfill the requirement but not have... is too powerful and too expensive. But now we are changing also in the automotive industry. And we're going in the direction, for example, to the automated driving. And for the automated driving, quite powerful, we say it also computers inside the car are needed. They are also connected via internet, and as a WiFi, and so on. Bluetooth and all these interfaces for sure increase the risk for threats because then also the experienced guys from the IT world has now an interest to hack cars as well because they can use the same interfaces, the same weaknesses or vulnerabilities to come into the car.
Sven Schran:
And you are right, for the car computers or vehicle computers, then we have also microprocessors, and we have the known operating systems with known weaknesses onboard, and so on. And from us, as security engineers, this is not a really good development because we have a lot of more challenges that we had in the past. But we need to handle it somehow because the world is going in the direction of automated driving and everything is connected, and so on.
Matias Madou:
Yeah. And so, the chips and the systems that you're designing right now, is that solely for the car industry? Or are these chips, for example, also used in... Gosh, I don't know... refrigerators because-
Sven Schran:
Yeah.
Matias Madou:
... These days we connect everything to the internet.
Sven Schran:
Yeah. It's a mixture, to be honest. So, there are some. It depends on the device as well. So, for example, if you have an entertainment system in the car, this could use chips that are also in the electronic industry are used, more or less. And if, in the real safety-critical systems, like the brake system, or the steering system, they are very often will be used chips, which were really designed for the automotive industry.
Matias Madou:
Okay. But even if it's the same-
Sven Schran:
But not completely.
Matias Madou:
Okay.
Sven Schran:
Yeah. Not completely. So, they normally took from a open family, a device, but they add something or change something, which is automotive industry. [crosstalk 00:11:45].
Matias Madou:
Yeah. But the software is different. The software is unique to the car industry then.
Sven Schran:
Yes.
Matias Madou:
The interactions.
Sven Schran:
I would say like this, normally, they tried also to standardize it in the last 15 years, I would say, so it did basic software. It's a basic functionalities like, and diagnostics, operating system, memory stick handling, or a communication network. This is now, yeah, defined in a standard, which is called [inaudible 00:12:19] in the most of the car manufacturers are requesting to follow this architecture, finally. And this is fully-
Matias Madou:
Oh, okay. Okay, there's a [crosstalk 00:12:28].
Sven Schran:
... automotive. Yeah, it's automotive-related then.
Matias Madou:
And I'm always wondering, like back in the day, even computers were not designed to be connected. Like we always say, "Well, things were not-
Sven Schran:
Yes.
Matias Madou:
... designed to be on the internet." Well, even the computer that we're using was not designed to be connected because there was a personal computer before there was the internet. And people are just doing things on their machine by themself without being connected. But we've learned from that experience. So, suddenly, we started to connect all our computers and we saw, "Well, gee. We need to take care of the security." In general, did we learn from that experience, now that we're doing the same thing in cars? And now that cars were not designed to be connected, we wanted to connect them? Did we learn from that experience?
Sven Schran:
So, it's really the same in our industry. So, 20 years before nobody could imagine that the car is communicating with some server force or some internet services, or there's the smartphones, or something like that. And today, these interfaces are existing, right? And so, it was also kind of a surprise in our business. And we have also to learn about that is also the communication systems, which was used 20 years ago, was not taking care about it. So, it was, for example, no security mechanism planned at this time for the communication between the different devices in the car because nobody could imagine that there is a communication to some devices outside like computers or smartphones.
Sven Schran:
But I think we try to learn from the other businesses, but sometimes it's not so easy because the automotive businesses... Yeah, some dedicated business, which some own rules and normally distress level is very high, so that it's not so much time to be connected with other industries to share the information in a regular base, I would say. But we try, when it is possible then, for sure, we look to learn.
Matias Madou:
Do you think it's going fast enough, that change from when the incident seven years ago happened? Do you think enough progress is made in the last seven years? Or is it going too slow, in your opinion?
Sven Schran:
I think there was a good process. The awareness is increasing. You can feel it. So, everyone today talk about security. This seven or six years ago, it was not the case. But it's also not so easy to introduce every security measures to mitigate the risks, right? So...
Sven Schran:
And it's also, like in the other industries as well, it's a question of the budget or the cost and for sure too, it could be more faster but then it's also needed to invest more budget. And this is also a problem. And that's the problem is you need a lot of experience. So, if you want to design really security measures which are effective, then it's needed that you have also a good experience and knowledge about the systems in the car and how they work, and how they interact between the devices in the network, and all this stuff. And, for this, you need also some years to understand it, really, to have it in the head, in that case, that you understand really the devices' behaviors and in such things. And on top, you need also very good security experience. And this was also, in the last years, a big problem to get the people that have really this level to design very good measures because not only my company was looking for it, right? It was the complete industry. And so much people was not available in the market. And this was another factor why it's not going so fast, like we would have it.
Matias Madou:
Yeah. I do think it's super important. It's a critical part of the way we live today, a car?
Sven Schran:
Yes.
Matias Madou:
And, as well as... Well, if you think about it, if you say, "Well, seven years ago, there was an incident," well, these cars, remote updates are pretty hard for all the components in the car. Yes, it's possible to update certain components but definitely not all the components over the wire-
Sven Schran:
Yeah.
Matias Madou:
... which means that, you know what? You have to get all the cars in to do an update if there is a security issue.
Sven Schran:
Yes.
Matias Madou:
So, that's a major problem because I would assume that nobody is driving particular cars, or people with knowledge will not drive certain cars because they're aware of problems in the car-
Sven Schran:
Yes.
Matias Madou:
Without naming names, are there cars that you avoid, or would avoid, without naming names, for security reasons?
Sven Schran:
For security reasons, to be honest, my opinion is that the older cars are better than the new ones because they have not so much in [inaudible 00:18:08] and so much computers onboard, and so on. Right?
Matias Madou:
You're not a great salesman for the car industry.
Sven Schran:
Yes.
Matias Madou:
No. So, let's-
Sven Schran:
It was my private opinion, right?
Matias Madou:
I know. I know. I know. I know. Absolutely. Absolutely. But I agree, like... No, but also from a hands-on work, what you can do with a car, a car, 20 years ago, if it broke down, with your bare hands, you could actually go in there and fix it-
Sven Schran:
Exactly, yeah.
Matias Madou:
... with a little bit of tools, of course.
Sven Schran:
Yeah, yeah.
Matias Madou:
Today, if a car breaks down, there is no way that you can actually get the car back up on the road with just the two hands and a little bit of tools.
Sven Schran:
Yeah.
Matias Madou:
You need a computer.
Sven Schran:
The complexity was increasing amazingly in the last, I would say 12, 15 years, yeah?
Matias Madou:
Yeah, absolutely. So, let's switch gears, and let's go to the ASRG. The way I think about the ASRG, and correct me if I'm wrong. Well, there's the OWASP for RAP applications. It's a community where people help out each other. You do research. It's mainly in the spare time but the idea is, "Hey, let's do some knowledge sharing. And as a group, we will do better."
Matias Madou:
So, the way I think about the ASRG is something similar for the automotive industry where, "Hey, let's share knowledge. Let's come together. Let's share information. Let's pitch ideas. Let's see what we can do." You're the European coordinator?
Sven Schran:
Yes.
Matias Madou:
Tell me a little bit more. Do you have a US counterpart? Do you have a counterpart in Asia? How does it look like?
Sven Schran:
Yes, exactly. So, we have a management team, let me say like this, where we have leaders for the different continents and different regions. So we have one for the Asia and for the APEC region. Then we have one for the Americas and we have one for the Middle East and Africa. And me, for the European region. And we coordinate, more or less, the different regions. And we synchronize us regularly as well to know what is happening in the other regions, and so on, and to plan something which we want to roll out worldwide or in this directions, that's organized in that direction.
Sven Schran:
But what is also important, what we want to support, is that every region or also every location, can do a little bit their own things. So, we want to have this localized organization to support all topics, which are specially taken care in one particular region in the world, for example,
Matias Madou:
And is the European branch bigger than Asia, for example? Or than the US? What's the little bit of the-
Sven Schran:
Yeah.
Matias Madou:
... sizes?
Sven Schran:
It's based so the foundation of the [inaudible 00:21:09] chief was in Germany, a little bit more than four years ago now. And it was growing first also in Germany. And during the last two years, we are all out it worldwide. And finally, today, we are present in all continents, which we are really appreciated. But from the founding aspects, I think it's the main part that the European region is still the biggest of our regions.
Matias Madou:
Good.
Sven Schran:
But the Asia is growing very fast.
Matias Madou:
Oh, okay. And I was wondering, do you have all the major players covered? Or are you happy with the people in there? Or is it like, "Well, you know what? We're still missing a couple that should be in there."
Sven Schran:
Yeah, sure. There are still a couple of partners which can be come in and we would happy to have it. But I think we have covered a lot of them. So we, like I said, from the region, we are present in every region, and also from the members and the participants, we cover a lot of different people. There are some people from the car manufacturers participating, from the suppliers participating, from some infrastructure companies are participating. But not only from the industry or from the academics, which we are really proud about that because we also recognize that it's not so easy to bring together the academic researchers with the industry. And, at this point, we want also to support, and it seems that it's work out very well, and we are so happy about it.
Sven Schran:
And we have also hobbyists or-
Matias Madou:
Okay.
Sven Schran:
... people which work maybe in a different area but are interested to know about how the security is going on in the automotive industry. And also, this is from our point of view, very good to make it possible to bring these people also together. And this is also an opportunity where the automotive industry can also learn from other industries.
Matias Madou:
And if you say universities, are these people then more on the embedded software or more on the security side? Or where do academia come in here? Or on every front?
Sven Schran:
So, we look at least for partners which combine two areas here.
Matias Madou:
Okay. Okay.
Sven Schran:
It should be related to an automotive industry, and should be related to security. So, from the academics, it can come from both of these sides but we want to have somehow a relation, so we don't look for it, but we are open for everyone, right? And so, like I said-
Matias Madou:
Mm-hmm (affirmative).
Sven Schran:
... If there's a private interest or it's just enough to be part, a member of us, or contribute something, it's possible. But dedicated, we looking for people who has to do something with security for the automotive industry.
Matias Madou:
Okay. So, in-
Sven Schran:
But...
Matias Madou:
Go ahead. Sorry.
Sven Schran:
... Maybe to add something. We say automotive industry, we don't want to focus on the vehicles itself, right? And so, today, we know we have all this connectivity. We want to go in a direction of smart cities. We have this electrification where we have charging stations, for example, and all these infrastructure parts, as well as the servers in the background is also in the focus, not only the vehicles.
Matias Madou:
Okay. The entire ecosystem, essentially.
Sven Schran:
Yes.
Matias Madou:
Okay. So, in Asia, I would assume that more companies produce cars, that there's more suppliers of cars, and they also take security seriously because they joined the ASRG-
Sven Schran:
Yes.
Matias Madou:
... then.
Sven Schran:
Yeah.
Matias Madou:
Okay. And, over there, is it a huge increase? Is it a lot of new startups? Or do you see a lot of old existing companies in there?
Sven Schran:
It's a mixture of both. So, maybe one interesting story about it. We was, for example, also contacted by a security department of the police in India. So, they have a mega-partnership with us, and we have made also a joint conference there, where they brought also students from some academics to the police department, and learn together about security. This was also really interesting-
Matias Madou:
Oh, nice.
Sven Schran:
... that it was the police contacted us.
Matias Madou:
Well, I think there's good reasons because the black box out of planes, well, I would assume there's something in a car that logs, and I can see why the police wants to be involved in security-
Sven Schran:
Yeah, sure.
Matias Madou:
... Because, naturally, there's also tampering with the black box, and can it be done, and so on and so forth.
Sven Schran:
Yeah. That's right.
Matias Madou:
So, Sven, I have a last question for you. I know you're a car guy. You like cars. And I know that you like visiting places. I know that you visited Europe back in the day. As a car guy, how do you visit Europe?
Sven Schran:
Not by car. In the most cases, I use, really, the planes,
Matias Madou:
The planes. I've also heard the story where you visited Europe by boat.
Sven Schran:
Yes. I visited also by a big boat, say like this. I made a cruise of in the north of Europe but my travels was a plane is more in the direction of the south of Europe. And so, I liked the beaches there and the sun, and so on.
Matias Madou:
Yes. If there's one car you would pick to travel around Europe, which car would it be?
Sven Schran:
Oh, I think a good car to travel around Europe would be the... I don't know what to say... the current model, the T6, I guess, from Volkswagen.
Matias Madou:
Okay. Yeah. [crosstalk 00:27:43].
Sven Schran:
So, this camping business.
Matias Madou:
Yeah, yeah, yeah, yeah, yeah.
Sven Schran:
I think, yeah, this is a real nice car if you want to travel by car, a lot of kilometers to see a lot of places in Europe.
Matias Madou:
Yes. But if you break down with the T6, you can't do anything. If it was a T1, you would be able to dig in and get it fixed, right?
Sven Schran:
This is correct, yes. The T1 will be... Yeah. Also a very good experience, right? And you have [crosstalk 00:28:09] really the feeling that you drive a car.
Matias Madou:
Absolutely. If you still can find one because they go a lot of money these days.
Sven Schran:
Yes, yeah. So, in the South America, you'll find a lot of still.
Matias Madou:
Yeah. Yeah, that's interesting, right?
Sven Schran:
It will not produced anymore because... And now, they have also some safety regulations in place there.
Matias Madou:
Okay.
Sven Schran:
But you can still buy a lot of used cars, which are also in a good situation.
Matias Madou:
Condition. Yeah, okay.
Matias Madou:
Sven, thank you very, very much for accepting this chat to come on the Software Security Gurus webcast. It was a fantastic chat. Thank you very much.
Sven Schran:
Yeah. Thank you as well to having me. And it was a pleasure to be with you here.
Matias Madou:
Absolutely. Thank you.