[Dev] [Multiuser] Security Policy Proposal for Multi-User Environment

Carsten Haitzler (The Rasterman) tizen at rasterman.com
Wed Mar 19 14:20:19 GMT 2014

On Wed, 19 Mar 2014 15:07:38 +0200 Jussi Laako <jussi.laako at linux.intel.com>

> On 19.3.2014 7:23, Carsten Haitzler wrote:
> >
> > secure device would even disallow jtag override), or we leave a hole,
> > that requires a fair bit of effort and jumping through hoops, but allows
> > you to regain control of your device, BUT this means that this hole is
> > known and can be used to break the password of the device owner.
> At least my car came with a key card for unlocking the IVI system in 
> case it becomes locked (for example if battery goes empty or is 
> disconnected). This card is supposed to be stored in safe place, not in 
> the car.
> It is not much different from SIM card's PUK code. If you enter it 
> incorrectly five times, your SIM is bricked forever.
> Some cars allow reprogramming key system in case keys are lost, but it 
> usually costs around 200 EUR and needs to be performed at official dealer.
> There's always risk in these, there was recently a case where BMW's were 
> being stolen in about two minutes by using key system reprogramming API 
> left open in the OBD port (and OBD II port was powered up also when the 
> car wasn't). This was, IIRC, partially fault of standardization body 
> because they required for certification the port to be always powered...
> Some cars come with a special programming key fob, if you loose all your 
> keys and the programming key fob, your car is bricked.
> If you leave a backdoor, someone can always utilize it.

sure. but in the case of ivi, it'll neever protect your car. its for
infotainment. at least thats ostensibly the purpose. if ivi is meant to totally
take over all functions of a car... including door locks etc... it's going to
be a big problem.

the problem is - with phones, no one expects to have to pay 200eur to unlock
it. same for a pc. also a phone is a $500 or $1000 purchase. a care is
$20,000-$100,000 or more purchase. and phones are not parked along on the side
of a street for hours, days or weeks at a time... etc. :)

you can't apply the same assumptions on security to both ivi/cars and
phones/tablets/pc's or even tv's etc. (tv's might be much more likely to be
publicly unattended though).

Carsten Haitzler (The Rasterman) <tizen at rasterman.com>

More information about the Dev mailing list