Delve into Part 2 of our Beam Connectivity series, where we continue our in-depth analysis of the latest cybersecurity regulations for connected motorbikes. We explore their implications for manufacturers, operators, and consumers alike.
Explore the latest blog post from Beam Connectivity, where we delve into the new cybersecurity regulations for connected motorbikes and what they mean for manufacturers, operators, and consumers alike.
Building on our last article, we put CHERI to the test in real-world automotive scenarios. From lab simulations to on-track testing, our latest insights show how CHERI enhances vehicle cybersecurity.
Enhancing Automotive Cybersecurity with CHERI: A New Era of Cyber Resilience – Discover how CHERI technology is transforming vehicle cybersecurity, strengthening hardware security, and protecting against evolving threats.
London, UK, 16th September 2024 — The AutoCHERI consortium (Beam Connectivity, Applus+ IDIADA, Swansea University, University of Exeter, and the Compound Semiconductor Applications Catapult) led by Beam Connectivity is proud to announce the successful completion of the AutoCHERI project.
Cirencester, 14/12/2023 — In a new collaboration, Beam Connectivity and EVMI Solutions have joined forces to revolutionise urban logistics using cutting-edge and highly secure vehicle connectivity.
Cirencester, UK, 20.11.2023 — Beam Connectivity has been honoured with the prestigious Self-Driving Industry Vehicle-to-Anything (V2X) Award. This marks a major milestone as the company’s maiden triumph in the competition, recognising their pioneering contributions to connected vehicle systems and innovations in V2X technology.
by Rob Potter and Hardeep Chahal
cURL is a completely ubiquitous tool used for making network requests over every protocol you have heard of, including: HTTP, HTTPS, IMAP, DICT, FTP, Kerberos, LDAP, MQTT, POP3, FTPS, Gopher, RTSP, RTMP, SCP, SMTP, SMB, SFTP, Telnet, TFTP, LDAPS, proxies, and more.
Basically a Swiss Army Knife for network comms.
It is used in EVERYTHING you can imagine and more – at least 20 billion devices run cURL, 100 million of which are vehicles🤯
Daniel Stenberg, solo author of curl, has disclosed a high severity memory safety issue that was found by a security researcher.
First, we wanted to provide a high level description of the problem, with a few excerpts from the public disclosure:
SOCKS5 allows the host name field to be up to 255 bytes long, meaning a SOCKS5 proxy cannot resolve a longer host name.
curl builds a protocol frame in a memory buffer, and it copies the destination (host name) to that buffer. Since the code wrongly thinks it should pass on the host name, even though the host name is too long to fit, the memory copy can overflow the allocated target buffer.
Thus it pretty much requires a malicious actor to feed a super-long host name into this equation to trigger this flaw. To use it in an attack. The name needs to be longer than the target buffer to make the memory copy overwrite heap memory.
Yes, this family of flaws would have been impossible if curl had been written in a memory-safe language instead of C, but porting curl to another language is not on the agenda.
This has been registered as CVE-2023-38545 with MITRE, the organisation that identifies, defines, and catalogues publicly disclosed cybersecurity vulnerabilities.
At Beam, we are leading research into the application of CHERI (Capability Hardware Enhanced RISC Instructions) to automotive systems. CHERI provides hardware-level enforcement of memory access, ensuring that software can only access the areas of memory that have been allocated to it.
One major benefit of CHERI is that it works without requiring a rewrite. For reference, the KDE desktop environment needed only 0.026% of its 6 million lines of C code to be modified to support the CHERI runtime.
CHERI doesn’t stop all known classes of memory vulnerabilities, but one it does stop is out-of-bounds writes, which is what would be exploited here. Learn more about CHERI protections from Microsoft Security Response Center.
The hardware enforcement is done using capabilities, which are pointers with additional metadata. This metadata includes the bounds of the memory region that can be written to, and any access outside those bounds raises an “in-address-space” exception. If unexpected and not handled, this would still cause the program to exit, but the attacker can no longer overwrite memory.
So in summary, anyone exploiting this vulnerability on CHERI would crash the program, but not be able to use the exploit for more serious, nefarious purposes (arbitrary code execution, escalation of privilege, etc).
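An added example (not curl's code and not part of the original post): a SOCKS5 CONNECT request builder that enforces the 255-byte host name limit from the disclosure excerpt and routes every store through a software stand-in for a capability's bounds, so an oversized copy is refused instead of overwriting neighbouring memory. The names `bounded_buf`, `bb_write` and `socks5_build_connect` are hypothetical; real CHERI keeps the bounds in hardware and raises an exception rather than returning an error code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Software stand-in for a capability: a pointer plus the number of bytes
 * its holder may write. CHERI carries this metadata in hardware. */
struct bounded_buf { uint8_t *base; size_t len; size_t used; };

enum { SOCKS5_OK = 0, SOCKS5_NAME_TOO_LONG = -1, SOCKS5_BOUNDS_FAULT = -2 };

/* Every store passes this check; a store past the bounds is refused
 * instead of spilling into adjacent heap memory. */
static int bb_write(struct bounded_buf *b, const void *src, size_t n)
{
    if (n > b->len - b->used)
        return SOCKS5_BOUNDS_FAULT;
    memcpy(b->base + b->used, src, n);
    b->used += n;
    return SOCKS5_OK;
}

/* Build a SOCKS5 CONNECT request (RFC 1928) with a domain-name address:
 * VER=5, CMD=1, RSV=0, ATYP=3, LEN, name, port in network byte order. */
int socks5_build_connect(struct bounded_buf *out, const char *host, uint16_t port)
{
    size_t hlen = strlen(host);
    uint8_t hdr[5] = { 0x05, 0x01, 0x00, 0x03, 0 };
    uint8_t p[2] = { (uint8_t)(port >> 8), (uint8_t)(port & 0xff) };

    /* The length field is a single byte, so longer names cannot be sent. */
    if (hlen == 0 || hlen > 255)
        return SOCKS5_NAME_TOO_LONG;
    hdr[4] = (uint8_t)hlen;

    if (bb_write(out, hdr, sizeof hdr) || bb_write(out, host, hlen) ||
        bb_write(out, p, sizeof p))
        return SOCKS5_BOUNDS_FAULT;
    return SOCKS5_OK;
}

int main(void)
{
    uint8_t frame[32];                      /* constructed sample buffer */
    struct bounded_buf out = { frame, sizeof frame, 0 };
    return socks5_build_connect(&out, "example.com", 443) == SOCKS5_OK ? 0 : 1;
}
```

The explicit length check is the software fix; the bounds check in `bb_write` models the second line of defence that still holds if such a check is missing or wrong.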
This is just one example of a prevalent challenge for the automotive industry.
If the average L2 ADAS vehicle has 120+ million lines of code, the question isn’t just how can we minimise the number of vulnerabilities, it is how can we minimise the impact on our systems when they are found.
We believe the answer is a combination of high quality software development methodology, low-friction over-the-air software updates, and secure hardware foundations, like CHERI.
If CHERI sounds relevant to you, please take a look at our project website: https://autocheri.tech
We would love to talk to anyone interested in discussing this further: hello@autocheri.tech or hello@beamconnectivity.com
We will finish this post with some other pictures of cURL in the wild…
Mitigating vulnerabilities in open source with CHERI part 1: cURL was originally published in Beam Connectivity on Medium, where people are continuing the conversation by highlighting and responding to this story.
Beam Connectivity and the AutoCHERI consortium will be demonstrating a connected vehicle solution running on a CHERI security processor at Cenex-LCV on 6th and 7th September.
Beam Connectivity are delighted to have won funding under the UK-South Korea Bilateral Phase 2 competition. We have built a strong project consortium with Secure Elements in the UK, AUTOCRYPT and KATECH (Korea Automotive Technology Institute) in South Korea.
An interesting and honest overview of our journey to date from our CEO Thomas Sors, kicked off our MOVE 2023 visit.
We are pleased to announce strategic investment into Beam Connectivity from WAE Technologies! 🎉
Following on from our last public update on AutoCHERI in October, we wanted to run a workshop to share our experience working on Morello with the community working on DSbD technologies.
Using the AWS IoT Core test console UI can be a pain at times. The connection can sometimes be lost, and if you [leave the page | look away | sneeze] you can be logged out and lose the message payloads you were working with and any unsaved topic subscriptions.
At Beam Connectivity, our vision is to become the partner of choice for connected systems in the vehicle sector.
Last week we were invited to present at the AESIN Conference 2022 — the UK automotive industry suppliers’ innovation network.
The Digital Security By Design programme (DSbD) is an initiative that we have been involved in for the past 18 months.
We are delighted that Beam Connectivity have been recognised as an SME to watch and have won a place on the Zenzic CAM Scale-up programme 🚀
Beam Connectivity onboard CaaS onto Convex, the global mobility data exchange run by Chordant.
I recently sat down with Zenzic, the driving force behind the UK’s Connected and Autonomous Vehicle industry, to discuss today’s connected vehicle solutions and our progression through the Zenzic CAM Scale-Up programme.
Last week I sat down with Zenzic, the driving force behind the UK’s Connected and Autonomous Vehicle industry, to discuss our progression through the Zenzic CAM Scale-Up programme.
We will be at Highways UK this week — an event that brings together the people responsible for planning, developing, managing, maintaining, and future-proofing the nation’s road networks.
We are at MOVE21 in London’s ExCel Docklands exhibition centre along with 3000 of the world’s leading experts in the mobility sector.
The AutoCHERI consortium including Beam Connectivity, Applus IDIADA, Compound Semiconductor Applications Catapult, Coventry University and University of Exeter will review how Digital Security by Design technologies can improve the cyber security and safety of connected vehicles.
When working on automotive software development, being able to test CAN data transmission is essential. An easy way to test this without requiring CAN hardware is to use a Virtual Local CAN Interface (vcan).
On 15th December, the Cabinet Office released a Policy Paper outlining the National Cyber Strategy 2022 (www.gov.uk).
Firmware is a category of software responsible for configuring and controlling hardware.