History lessons 4: What to do when an anomaly is detected?

David Rogers continues his blog series, commissioned by on-chip monitoring experts UltraSoC (now part of Siemens), examining security through the ages and highlighting lessons for emerging and future technologies.

There are many tales from history where something was detected that led to a plot being uncovered. Sometimes this was driven by prior knowledge, sometimes the actors involved were already under suspicion in some way, and in other cases it was pure chance and luck.

Guy Fawkes
Source: Edgar Wilson “Bill” Nye (1850-1896) [Public domain]

The gunpowder plot to blow up England’s parliament in 1605 was ultimately discovered because of a message to a Catholic parliamentarian warning him to stay away from the opening of parliament on November 5th. It was dismissed as a hoax at the time, but the King’s suspicions were raised and he instigated searches of parliament, increasing security. On the night of November 4th, Guy Fawkes was discovered and caught as he was leaving the place where he had stored the gunpowder underneath parliament. It appears that this was genuinely an artefact of the increased vigilance, as a few days before, Guy Fawkes had reported to his co-conspirators that “he found his ‘private marks’ all undisturbed” at the site where the gunpowder was stored. This seems to indicate that Guy Fawkes had taken his own precautions against the discovery and potential sabotage of the plot.

Another interesting story of discovery and detection is the Babington plot against Queen Elizabeth I. Queen Elizabeth’s spymaster, Francis Walsingham, discovered that a group of Catholic plotters led by a man called Anthony Babington were communicating with Mary Queen of Scots in order to depose Elizabeth and put Mary on the English throne. Walsingham first used an agent to change and control the channel by which Mary was communicating, ensuring that messages to and from her were hidden in the corks of beer barrels. This allowed him to have them intercepted and deciphered. The plot was allowed to continue, while Walsingham waited and gathered further evidence through the letters.

In the technology space, detection and response mechanisms exist mainly on the network side. Network traffic analysis tools are now backed by AI and machine learning techniques. The techniques for handling large volumes of network traffic and processing it at scale to discover anomalies have come a long way, but they have yet to properly take into account what is going on at the end points, and certainly not inside them down to chip level.

Attackers already have a variety of ways to evade detection, having fought a cat-and-mouse game for many years. Intrusion detection and anti-virus systems often whitelist domains, so if an attacker is exfiltrating data through a legitimate service (Amazon AWS or Google, for example), a compromise may never be detected. Equally, modern malware often protects its command and control channels by using encryption, a logical thing to do given that many enterprises and tools will be looking for maliciousness within traffic. Another factor is that the barriers to entry have been lowered significantly through free encryption certificate issuing services such as Let’s Encrypt. For a defender, deciding exactly what to look for is driven by external factors and intelligence feeding into systems that look for anomalies.
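As an added illustration (not code from the original post), the sketch below shows why reputation-only filtering misses exfiltration through an allow-listed service, and how a per-host upload baseline still catches it. The proxy records, host names, allow-list and the 10x-median threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Assumed allow-list of "trusted" cloud storage destinations.
ALLOWLIST = {"s3.amazonaws.com", "storage.googleapis.com"}

# Constructed proxy records: (day, source host, destination domain, bytes uploaded).
FLOWS = [
    # ws-17 normally uploads about 2 MB a day to cloud storage...
    (1, "ws-17", "s3.amazonaws.com", 2_000_000),
    (2, "ws-17", "s3.amazonaws.com", 1_800_000),
    (3, "ws-17", "s3.amazonaws.com", 2_200_000),
    (3, "ws-17", "files.unknown.example", 40_000),
    (4, "ws-17", "s3.amazonaws.com", 2_100_000),
    (5, "ws-17", "s3.amazonaws.com", 1_900_000),
    # ...then 900 MB in one day, still to an allow-listed domain.
    (6, "ws-17", "s3.amazonaws.com", 900_000_000),
    # ws-22 is a backup host: large uploads are its normal behaviour.
    (1, "ws-22", "storage.googleapis.com", 500_000_000),
    (2, "ws-22", "storage.googleapis.com", 520_000_000),
    (3, "ws-22", "storage.googleapis.com", 480_000_000),
    (4, "ws-22", "storage.googleapis.com", 510_000_000),
    (5, "ws-22", "storage.googleapis.com", 495_000_000),
    (6, "ws-22", "storage.googleapis.com", 505_000_000),
]


def reputation_only(flows):
    """Alert only on destinations that are not allow-listed."""
    return [f for f in flows if f[2] not in ALLOWLIST]


def daily_totals(flows):
    """Sum uploaded bytes per (host, domain, day)."""
    totals = defaultdict(int)
    for day, host, domain, sent in flows:
        totals[(host, domain, day)] += sent
    return totals


def volume_outliers(flows, factor=10, min_history=3):
    """Flag a day whose upload volume exceeds factor x the median of the
    same host's earlier days to the same destination. The allow-list is
    deliberately ignored: trusted destinations are baselined too."""
    per_pair = defaultdict(dict)
    for (host, domain, day), sent in daily_totals(flows).items():
        per_pair[(host, domain)][day] = sent

    alerts = []
    for (host, domain), days in sorted(per_pair.items()):
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough data to call anything unusual
            baseline = max(median(history), 1)
            if days[day] > factor * baseline:
                alerts.append((day, host, domain, days[day]))
    return alerts


if __name__ == "__main__":
    print("reputation only:", reputation_only(FLOWS))
    print("volume baseline:", volume_outliers(FLOWS))
```

The backup host is never flagged because the baseline is per host and destination, which keeps the false-positive cost of dropping the allow-list exemption low.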

If something is infiltrated into a device, it may also never exfiltrate its data out over a corporate IP-connected network and may never need to connect to a command and control server that way. There are now a multitude of connection types available to devices, and many of these will both leave the business and be outside its control. Bluetooth, low-power radio networks and mobile radio connections could all be used at the right time to move data from a compromised device.

Of course, the attacker may not want to take any data at all. They might just want to compromise as many devices as possible and lie in wait to turn on some form of destructive attack at a later date, such as a Distributed Denial of Service, ransomware or wiper-style deletion attack.

All of these types of compromise point to the need to have additional intelligence from devices themselves rather than just relying on the network traffic and there is no better place to do this than the foundations of the device itself, inside the hardware.

No matter where anomaly and intrusion detection are taking place, false positives are always going to be a problem and a risk. They could cause a defender to become fatigued with the number of alerts they are getting or to misplace resources. For safety critical systems, taking the wrong action on a security anomaly could create an unsafe situation for a system’s users.

What if the attacker deliberately behaves in a way that causes the system to do something?

Sophisticated attacks may seek to trigger false positives. Bruce Schneier’s book ‘Secrets and Lies’ talks about Mujahedeen attacks on Soviet bases in 1980s Afghanistan, where fence sensors would deliberately be triggered by throwing a rabbit near them. By doing this repeatedly, eventually the sensors would be turned off and next thing there would be a vehicle through the fence.

One could imagine this happening against monitoring at a low level in devices and the trick to dealing with this is to resist the temptation to take immediate action. Events should be appropriately assessed and systems designed in such a way that they do not tip-off or alert the attacker that the system is aware of anything out of the ordinary happening. This in the long-term also allows the defender to potentially gather intelligence on the attacker for later attribution efforts or for forensic purposes. Deciding exactly when to take action relies on taking a measured approach to whether damage or harm is going to be caused. This may be a human decision, but it may also be automated, so making sure the right decision is made is paramount.
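The difference between muting a noisy sensor and the measured approach described above can be shown in a short added example (not part of the original post). The event list, the per-event harm score (assumed to come from an upstream assessment step) and the thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed events: (time in minutes, sensor, assessed harm 0-10).
# fence-3 is triggered repeatedly with low-harm events (the "rabbit"),
# then once with a high-harm event (the "vehicle").
EVENTS = [
    (0, "fence-3", 1),
    (5, "fence-3", 1),
    (10, "fence-3", 1),
    (12, "door-1", 2),
    (15, "fence-3", 1),
    (20, "fence-3", 1),
    (25, "fence-3", 9),
]


def mute_when_noisy(events, mute_after=3):
    """Fatigue-driven policy: a sensor that alerts mute_after times is
    switched off. Returns (events the operator saw, muted sensors)."""
    seen, counts, muted = [], defaultdict(int), set()
    for t, sensor, harm in events:
        if sensor in muted:
            continue  # everything after muting is lost, real or not
        seen.append((t, sensor, harm))
        counts[sensor] += 1
        if counts[sensor] >= mute_after:
            muted.add(sensor)
    return seen, muted


def measured_response(events, burst=3, window=30, act_at=8):
    """Measured policy:
      - every event is recorded silently as evidence (nothing is muted,
        and nothing visible changes for whoever is causing the triggers);
      - a burst of triggers on one sensor raises a single review ticket
        instead of one alert per event;
      - an automatic action is taken only when assessed harm is high.
    Returns (evidence, tickets, actions)."""
    evidence, tickets, actions = [], [], []
    recent = defaultdict(deque)
    ticketed = set()
    for t, sensor, harm in events:
        evidence.append((t, sensor, harm))

        times = recent[sensor]
        times.append(t)
        while times and t - times[0] > window:
            times.popleft()  # keep only triggers inside the window

        if len(times) >= burst and sensor not in ticketed:
            ticketed.add(sensor)
            tickets.append((t, sensor, "repeated triggering: review, do not mute"))

        if harm >= act_at:
            actions.append((t, sensor, "contain"))
    return evidence, tickets, actions


if __name__ == "__main__":
    seen, muted = mute_when_noisy(EVENTS)
    print("muting policy saw:", seen, "muted:", muted)
    evidence, tickets, actions = measured_response(EVENTS)
    print("evidence kept:", len(evidence))
    print("tickets:", tickets)
    print("actions:", actions)
```

Under the muting policy the high-harm event at minute 25 never reaches anyone; under the measured policy the analyst gets one ticket for the burst and the full event history is still available for forensics.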

‘Babington with his Complices in St. Giles Fields’, 1586
(Public domain)

In the Babington plot, Walsingham even manipulated Mary’s communications, adding text to a letter from her, requesting that the conspirators were named. This caused Babington to reveal their names, leading to the unravelling of the plot.

Manipulating attacker traffic in a system to send back false data or to lead the attacker into blind traps is much more sophisticated and a potentially risky operation, but could be possible, with the defender significantly regaining the initiative over an attacker.

In the case of Mary Queen of Scots, Walsingham waited until exactly the right moment to trap her, having taken control of the situation up to that point. The evidence in the end was so damning that it caused the linguist who deciphered her messages to draw a gallows on the letter before he passed it to Walsingham.


For more on how historical security measures and failures can help instruct the future of security design for hardware in connected devices, check out the webinar (co-hosted by UltraSoC CSO Aileen Ryan and Copper Horse founder and CEO David Rogers) accompanying this series of blog posts.

Next blog post in the series >> 5/5 The game of defence and attack

Previous blog post in the series << 3/5 Confusing the guards and what it means for future hardware chip design

About the author

David Rogers is Founder and CEO at Copper Horse.

Many consumer IoT companies failing to adopt fundamental security measures despite the threat of legislation and regulation

Latest report finds that providers of consumer IoT are less likely to have a readily detectable vulnerability disclosure policy in place than firms operating in the business-to-business space.

Published today (4 November 2021), the latest IoT Security Foundation (IoTSF) report examining the adoption of vulnerability disclosure in IoT – commissioned by the IoTSF and prepared by Copper Horse – finds little improvement on last year’s figures. The overall trend, while moving in the right direction, remains far short of what’s needed to bolster confidence in the security of IoT products. Given the persistently slow pace of voluntary adoption, regulatory wheels have started turning to force companies to think more seriously about their vulnerability disclosure processes.

Slow progress: 100% adoption is a long way off based on the survey results.

2021 headlines 

  • The adoption of vulnerability disclosure in the IoT sector remains unacceptably low (just 21.6% of firms surveyed had a readily detectable policy in place). Based on these findings, almost 4 out of 5 companies are failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed. 
  • The slow pace of vulnerability disclosure adoption by IoT providers continues to put users at risk by failing to maximise the opportunity to close gaps in product security (the percentage of firms surveyed with a readily detectable policy in place is up just 2.7% on findings for 2020). 
  • Anticipating forthcoming legislation, only 21 out of the more than 300 IoT providers surveyed would meet modest regulatory requirements. 
  • Business-to-business IoT providers are much more likely to have a readily detectable policy in place compared with firms operating in the consumer sector. 
  • Lack of information is no longer an excuse for IoT providers as best practice guides have been updated and new tools made available to streamline putting a vulnerability disclosure policy in place.

Security benefits are too good to ignore 

Reporting a product security issue should be made simple so that a vendor can get to work on investigating and developing a fix as soon as possible.  Coordinated Vulnerability Disclosure (CVD) policies cover all stages of the process from advertising the correct point of contact, through to the timescale for fixing any issues and recognition for any bugs discovered. 

Vulnerability disclosure, backed by a Vulnerability Disclosure Programme (VDP), benefits multiple parties – governments, businesses, security researchers and customers – so much so, that the process is well on its way to becoming a mandatory requirement at an international level.

Free guides and online tools 

2021 has seen a jump in the provision of information to help firms, which includes the IoTSF’s updated Best Practice Guide and a time-saving policy-maker tool, developed by disclose.io. More details and links can be found in the report. 

Legislative wheels are turning 

With governments around the world turning to legislative and regulatory means to tackle the lack of improvement in the market, it is surprising to us that there hasn’t been an increase in the rate of adoption of CVD, particularly in the last year. These companies will find it difficult to sell their products if they don’t change their ways, and soon. 

David Rogers, the CEO of Copper Horse said, “The report provides measurable evidence of IoT manufacturer and brands’ lax attitudes towards security in general. There is nowhere to hide for these companies – international standards are there to be used and coordinated vulnerability disclosure is recognised good security practice. The question for consumers globally is: ‘why should I buy products from these companies if they don’t look after security?’”

Race report: Spa, 19 October 2021

Qualification was the big highlight as setup issues and aero damage hampered progress in the race

Spa’s high-speed sections reward drivers that can push to the limit, but only if the car setup is fully dialled in. And, unfortunately, for Copper Horse Racing in the last race of Season 8 it wasn’t. But if you never try, you’ll never know and with three top ten finishes out of the six races entered, the team is more than happy with the performance overall. 

Uphill battle: Copper Horse Racing’s laps of the Spa circuit did not go to plan. 

Unfortunately, due to a lot of work and travel in the week before the race, the time to perfect Car 59’s setup just wasn’t there for the final event of the season. A crash early in the practice race on the Sunday prior to Tuesday’s main race gave some indications that the setup wasn’t where it should be, with the car feeling very nervous through the two main high-speed corners, Eau Rouge and Raidillon, when fully loaded with fuel.

Testing the tyre model 

This unsettling of the car unsettled the driver too! However, it was an opportunity to bank some very important lessons about tyre ‘flat-spotting’. As the car begins to lose traction and spin at high-speed, the instinct in the cockpit is to keep your foot on the brakes, but this makes a bad situation worse. Wheel rotation impeded, the tyre rubber quickly scrubbed off against the track surface and left a flat spot on each that made the car almost undriveable after recovering from the crash. 

Mercedes power: Daniel Molina goes through Les Combes on Lap 1. 

To the qualification on Tuesday and David put in a decent performance with a credible 2:20 lap earning him 10th on the grid for the race. Nerves about the car state at full fuel made David back off through the high-speed corners for the race, but staying within the limits of the suboptimal setup proved to be impossible. On lap 3, the rear end went at the fast Raidillon section and the white and green Lamborghini Huracán careered into the barriers (thankfully no foot on the brake through the slide this time – noting the lessons learned from the practice race).

Suboptimal setup: Car 59 just before heading into the barriers through Raidillon.

Quickly recovering, but with places lost, David made a beeline for the pits. The mandatory pit stop would have to be served early, including an additional thirty-some seconds of repairs. Back on track, fighting through the pack to regain lost time wasn’t as easy as planned. Further hampering this effort was the need to nurse the poorly set-up Lamborghini through the high-speed combination of Eau Rouge and Raidillon, losing out on the speed that’s vital to carry into the Kemmel Straight that follows it.

Hoovering up the tarmac: the aerowork on Jamie Sterritt’s Ferrari floats close to the track, with Car 59 just visible from behind. 
Newer model: Dominik Szymanski drives the black and yellow Lamborghini Huracán GT3 Evo.

Bumped at the bus stop 

However, another incident was to have a bigger impact on Copper Horse Racing’s success at Spa. Turning into the slow Bus Stop chicane on lap 16, a car smashed into the rear of the Lamborghini, wrecking the aerodynamic bodywork. Taking another pit stop would be an instant write-off for the race. But with the aero damage came a further worry – more vehicle instability. And, sure enough, Car 59 took another spin at the top of Raidillon, collecting more damage. David continued to complete the race, gathering points in the process and finishing 18th. A less than ideal second-half of the race and a disappointing end to the season, which had been very positive up until Spa. But as the late, great Murray Walker once said, “That’s history. I say history because it happened in the past.”

Talking telemetry 

Hands on the wheel: Copper Horse’s vehicle hacking simulator uses in-game telemetry to drive real world vehicle components such as the instrument cluster shown here. In the image, the turn signal is illuminated in response to the left indicator signal generated within Euro Truck Simulator 2. The fluffy dice are an optional extra. 

It was interesting to hear from Edward Green, McLaren’s Head of Commercial Technology, at this year’s Splunk conference as the presentation nicely validated the power of driving game telemetry. In our case, we are using the data to provide inputs for the vehicle hacking rig’s real world components such as the instrument cluster. And for McLaren, the telemetry feed was an efficient way for them to explore new approaches to race analysis and visualization during lockdown. Green noted some perks of the game data too – you get everything without interruption. On track, teams have to be more selective about which of the up to 300 sensors per car to examine due to bandwidth and weight considerations. Plus, there can be gaps in the wireless transmission depending on the geography and architecture of the circuit, although the full data set can be recovered when cars return to the garage.   

Tier 10 final standings 

Top spot in the Tier 10 leaderboard: Steffen Bley, driving a Porsche 991 II GT3 R. 
Race winner: Matthew North took first place at Spa-Francorchamps. 

With Nico Urbantat unable to start the final race, his lead at the top of the standings was vulnerable. And thanks to another second place finish (his fourth in the season), Steffen Bley took the top spot, nudging Nico Urbantat into the runner-up position. Matthew North, who missed last week’s event at Monza, took maximum points at Spa, which was enough to take third place overall and push Teis Hertgers into fourth. 

Look out for the logos: a close up view of Car 59. 

Copper Horse Racing held on to its P16 in the standings out of the 32 eligible drivers competing in Tier 10.    

About the authors  

James Tyrrell is a Threat Modelling Analyst at Copper Horse.  

David Rogers is Founder and CEO of Copper Horse and Driver of Car 59.

Secure-CAV whitepaper: Addressing the challenges of securing connected and autonomous vehicles

Over the summer, Siemens commissioned Copper Horse to write a whitepaper that captured the key themes of the Secure-CAV project and gave readers a headstart in navigating the status of automotive cyber security as well as a glimpse at its future.

Executive Summary 

Vehicles are becoming the most sophisticated connected objects in the ‘Internet of Things’ as designers consider a fully autonomous future. But integrating such features causes the attack surface of the vehicle to grow – for example, as systems make use of remote connectivity at multiple points.

At the same time, the automotive industry has a challenge in that legacy technologies are both insecure and take a long time to age out. Unlike many other connected products, vehicles can have a very long lifespan, which demands an innovative approach when it comes to cyber security concerns. 

Beginning in late 2019, the Innovate UK-sponsored Secure-CAV consortium set out to develop and prove hardware-based security technology that will allow the automotive industry to leap ahead of the threats that it faces currently and – in the near-term – put the industry into a much more tenable cyber security posture than it currently holds. 

Secure-CAV partner, Siemens, has developed Intellectual Property (IP) as well as anomaly detection software, which is able to monitor protocols and transactions at the lowest level in hardware. This is backed by unsupervised machine learning algorithms and statistical analysis, with expert input from consortium member University of Southampton.  

The solution has been integrated into Field-Programmable Gate Array (FPGA) technology and linked to two vehicle demonstrators developed by teams at Coventry University and cyber security specialists Copper Horse – also part of the Secure-CAV line up.  

Building mitigations to a number of real-world and theoretical attacks into a demonstrator enabled the consortium to prove the theory that security anomalies can be detected and responded to appropriately, forming the foundation and basis for future developments in this emergent security solution space. 

Security perspective 

Setting the scene, the Secure-CAV whitepaper – authored by Copper Horse CEO David Rogers – provides examples of representative vehicle hacking scenarios and dissects the methodologies that adversaries rely upon. 

Briefing document: the Secure-CAV whitepaper covers a wide range of topics from the history of car hacking to the use of on-chip monitoring to boost the response times of automotive cyber security.

Moving ahead, the discussion then turns to solutions and looks at what the industry can do to improve its cyber security posture, which includes adopting hardware-based techniques that have the potential to adapt as the threat landscape evolves. 

Discover all of the details 

Published this month, the 22-page whitepaper is now available as a free PDF download. 

Race report: Monza, 12 October 2021

Sent spinning off track in lap 1, Car 59 battles back to finish P9

Season 8 is back-loaded with a testing trilogy of iconic circuits – Suzuka, Monza and Spa – as AOR’s virtual GT3 series nears the end of its eight-race run. Last week’s laps of Suzuka certainly pushed drivers to the limit, but how about the sim-racing rigs? In the case of Copper Horse Racing’s setup, there were definitely some complaints from the pedal board, which started to cause throttle fluctuations in the closing stages of the event.

For Monza, the issue has been dealt with by a squirt of contact cleaner – with the can kept handy for the mandatory pit stop, adding an element of real-world vehicle maintenance to the already impressive on-screen action.

Tough driving conditions: traction loss was an issue in the wet at Monza.

Track knowledge 

Monza is one of Copper Horse Racing’s most-driven tracks, which bumped up the potential to deliver a good result – at least in the dry. However, the constant rain during both qualifying and race sessions nudged Car 59 towards a more cautious strategy. 

Not all drivers took this route though, as – like clockwork – a three-wide tangle between competitors on lap one of the main event sent cars spinning. Unfortunately for Copper Horse Racing, the casualties included Car 59 – with the white and green Lamborghini rejoining the track almost at the back of the pack, scrubbing out any gains made during qualifying. 

Moving up through the order: Car 59 passes the Audi of Spaniard Manu Prieto at the Variante della Roggia.

Trading places 

What followed was the most epic battle yet for Car 59 as it worked its way up the order and chased down the Lexus of A. Bayer – from the 9th lap right through to the end of the 90 minute race, trading places back and forth throughout. Both drivers showed the other respect, each leaving just enough space to avoid any incident and clearly enjoying the opportunity to practice their race craft.

Inside line: A. Bayer in the Lexus goes through into Rettifilo, but the battle with the white and green Lamborghini would continue.
Advancing again: the Lexus edges ahead once more as spray from both vehicles leaves a cloud of water behind. 
Yet another overtake: this time it’s Copper Horse Racing that gets in front with the Lamborghini finishing P9 ahead of the Lexus in P10 at the chequered flag – concluding an epic battle.

Rig updates 

As regular readers of our race reports will know, the driving rig also doubles as a vehicle hacking simulator and we’ve been making some upgrades to add to the experience and also help people feel safer when we’re out on the road at events, including the addition of a seatbelt. These additions also pave the way for us to further integrate other elements of the instrument cluster and other components – such as various cabin warning signals. With modern vehicles containing a raft of sensors, there are lots of options to explore on this theme as we build on our Secure-CAV work and continue to develop the rig.

Buckle up for the ride: a race-grade 4-point harness is the latest upgrade to the Copper Horse vehicle hacking simulator as we prepare to take the rig out on tour (stay tuned @CopperHorseUK on Twitter for more details on our whereabouts in November). 

Monza podium 

Teis Hertgers, third-place finisher at Suzuka last week, won in convincing style at Monza – leading the race from lap five. Steffen Bley came in second, followed by Matheus Martins in P3 to complete the podium. 

Dominant drive: Teis Hertgers led the race from lap five at Monza in a white and black Aston Martin.

With race seven complete, competitors have just one more event to bag points as season 8 draws to a close at Spa-Francorchamps. Look out for the next race blog to see if Car 59 can round out the calendar with a trio of top ten finishes.  

About the author 

James Tyrrell is a Threat Modelling Analyst at Copper Horse.

History lessons 3: Confusing the guards and what it means for future hardware chip design

David Rogers continues his blog series, commissioned by on-chip monitoring experts UltraSoC (now part of Siemens), examining security through the ages and highlighting lessons for emerging and future technologies.

The city walls of York
Source: David Rogers

Previously, I talked about how expensive defences can be subverted by a determined and clever adversary. This time I continue the theme of access, but consider the problem of confusion.

In considering the story in the last blog, I was thinking about whether the carpenter’s entry into Conwy Castle should be classed as (what is known in the technology world as a) ‘confused deputy attack’ (it isn’t). This type of attack often happens in web applications in cross-site request forgery (CSRF) attacks in order to confuse the browser, as the agent of the attacker, into getting a website to do something it shouldn’t.

Keeping enemies out

Another example from history can better explain the concept of a confused deputy attack. Firstly, a bit of background. There are many stories in the UK of historic laws and bylaws that stem from medieval times that give an insight into how towns controlled access from people who they would consider to be “enemies”. Some of these are true and others are mere rumour. For example:

  • “Welsh people were allowed to enter the towns by day but kept out at night and forbidden to either trade or carry weapons”
  • “In the city of York, it is legal to murder a Scotsman within the ancient city walls, but only if he is carrying a bow and arrow”
  • “In Carlisle, any Scot found wandering around may be whipped or jailed”
  • “Welshmen are prohibited from entering Chester before the sun rises – and have to leave again before the sun goes down”
  • “It is still technically okay to shoot a Welshman on a Sunday inside the city walls – as long as it’s after midnight and with a crossbow”

As a note, the Law Commission looked into some of these stories and clarified that:
“It is illegal to shoot a Welsh or Scottish (or any other) person regardless of the day, location or choice of weaponry. The idea that it may once have been allowed in Chester appears to arise from a reputed City Ordinance of 1403, passed in response to the Glyndŵr Rising, and imposing a curfew on Welshmen in the city. However, it is not even clear that this Ordinance ever existed. Sources for the other cities are unclear.”

In York however (a northern English city which was walled to keep the Scots out), we do know that at the Bootham Bar, an entrance to the city, a door knocker was installed in 1501. Scotsmen who wanted to enter the city had to knock first and ask for permission from the Lord Mayor.

Bootham Bar Roman gateway
YORK, YORKSHIRE, UK: JULY 22, 2008: Bootham Bar Roman gateway in York city wall.

The confused deputy

We have to assume that the Lord Mayor himself was not there all the time to give permission in person and delegated the authority for checking whether someone could come in to the guards. The guards still had to come to him for sign-off though.

This is where we can explain the concept of the confused deputy more clearly. Imagine that there is a Scottish attacker who wants to get into York to cause some damage. He’s knocked on the Bootham Bar gate door knocker and convinced the guards he’s authorized because he tells them he’s there to do work (he succeeds in confusing them – they become the confused deputy, conferring trust on the Scotsman where there should be none). However, our attacker still has to gain authority – through the Lord Mayor himself.

The guards carry the message to the Lord Mayor that the Scotsman is legitimate and should be allowed to enter. The Lord Mayor assumes trust and authorizes our Scotsman to enter the city to do work.

The attacker didn’t need to convince the Lord Mayor at all. All he had to do was convince the guards and use them to gain the authority he wanted. The Lord Mayor trusted his guards, but wouldn’t trust the attacker; however, he’ll never see him. This is how some website and technology attacks work: by escalating the privilege level of access via an unwitting, trusted agent. To avoid this, additional measures need to be in place for the Lord Mayor to independently validate that the Scotsman is not actually an attacker, before providing further authority to him.

One concern about chip-level attacks is that the vast majority of the communications inside the chip are not integrity checked or validated in any way. An attacker can abuse existing authorities to gain trust in other parts of the system. Changing this is going to be a long-term task for the industry as attacks become more sophisticated. In the meantime, we need to put in measures to be on guard and look for unusual activity going on, rather than automatically assuming everything within the ‘city’ is trusted; perhaps the technological equivalent of using a bow and arrow after sundown.
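The Bootham Bar scenario and the point about unvalidated internal messages can be modelled in a few lines. This is an added example, not code from the original post: the `Authority` class, the HMAC-based work order, the guard and visitor names and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
import json


class Authority:
    """The 'Lord Mayor': decides who may enter. Guards only relay requests."""

    def __init__(self, key: bytes, trusted_guards):
        self.key = key                      # known only to the authority
        self.guards = set(trusted_guards)

    def issue_work_order(self, visitor: str, purpose: str) -> str:
        """Issued in advance to a genuine worker. The tag binds the
        visitor's name to the purpose so it cannot be reused by anyone
        else. JSON encoding avoids ambiguity between the two fields."""
        msg = json.dumps([visitor, purpose]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def admit_on_guards_word(self, guard: str, visitor: str, purpose: str) -> bool:
        """Confused-deputy pattern: the decision rests only on WHO relayed
        the request, not on whether the request itself is genuine."""
        return guard in self.guards

    def admit_with_validation(self, guard: str, visitor: str,
                              purpose: str, work_order: str) -> bool:
        """Independent validation: the relayed message must carry a tag
        that the authority itself can verify."""
        if guard not in self.guards:
            return False
        expected = self.issue_work_order(visitor, purpose)
        # Constant-time comparison on bytes (work_order is untrusted input).
        return hmac.compare_digest(expected.encode(), work_order.encode())


def demo():
    authority = Authority(b"constructed-demo-key", {"bootham-bar"})
    order = authority.issue_work_order("mason", "repair wall")
    forged = "0" * 64  # attacker cannot compute a valid tag without the key
    return {
        # Guards were talked round, so the authority lets the intruder in.
        "intruder_via_guards_word":
            authority.admit_on_guards_word("bootham-bar", "intruder", "repair wall"),
        # Genuine worker with a genuine order is admitted.
        "mason_validated":
            authority.admit_with_validation("bootham-bar", "mason", "repair wall", order),
        # Forged order fails even though a trusted guard relayed it.
        "intruder_forged_order":
            authority.admit_with_validation("bootham-bar", "intruder", "repair wall", forged),
        # Someone else's order fails: the tag is bound to the visitor's name.
        "intruder_borrowed_order":
            authority.admit_with_validation("bootham-bar", "intruder", "repair wall", order),
    }


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {admitted}")
```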


For more on how historical security measures and failures can help instruct the future of security design for hardware in connected devices, check out the webinar (co-hosted by UltraSoC CSO Aileen Ryan and Copper Horse founder and CEO David Rogers) accompanying this series of blog posts.

Previous blog post in the series << 2/5 Who has access?

About the author

David Rogers is Founder and CEO at Copper Horse.

Race report: Suzuka, 5 October 2021

Copper Horse Racing puts in fast laps under the stars to bag another top 10 finish  

In season 7, Car 59 raced around Zolder and now – in season 8 – it’s time to add another John Hugenholtz-designed track to the list – the mighty Suzuka circuit. Built in the 1960s to fulfill Honda’s test track needs, the technical layout wastes no time in discovering a driver’s limit thanks to iconic features such as ‘the Esses’ (or ‘Snake’) and ‘Spoon curve’.

Esses from the air: after navigating turn one, competitors then snake through a series of ‘S’ curves.

Also, if that wasn’t enough to contend with, series organisers Apex Online Racing have made this event a night race, although sparingly, a dry night race.  

Fully committed: Car 59 positions itself for the high-speed 130R bend followed by Sweden’s Mathias Alenmalm in an underrated LEXUS RC F GT3 – one of the best handling models on the grid. 

Green lights and away 

Qualifying mid-pack in P12, it was important to survive the opening laps without incident. A couple of bumps from neighbouring drivers threatened to send the white and green 2015 Lamborghini Huracan GT3 off-track. But lead driver David Rogers had confidence in the vehicle settings and managed to keep Car 59 between the white lines. So began the 60-minute slog around a very physically demanding circuit (yes, that’s right – sim racing can be both physically and mentally demanding!).

First lap action at Suzuka in Season 8 of AOR’s GT3 sim-racing series.

Under race conditions, the Lamborghini performed well across all three sectors as grip levels allowed it to find more time through the Hairpin and two Degner corners – sequences that had been more costly in qualification with less rubber on track. A conscious choice had been made to increase the level of rear wing for this race and to keep the traction control at a reasonable level as the cold night air made the track more slippery than usual.

Overtaking opportunity: Copper Horse Racing’s white and green Lamborghini pulls ahead of Davy Melin in a McLaren.

Playing the long game, Car 59 had moved up five places to 7th by lap 10, picking its battles to keep within the limits of track and driver. As the leaders pitted, the Secure-CAV liveried Lamborghini enjoyed a short spell at the front of the race until it too had to stop for new tyres. 

Cockpit view: Copper Horse racing spent much of the race behind Brazilian driver Matheus Martins who drove well in a Mercedes AMG GT3. 

Rejoining the action, the biggest concern was obeying track limits, particularly around the tricky ‘Spoon’. With ten minutes to go, a second track limits warning was received; one more and it would be a stop-go penalty. Careful driving in that section for the remainder allowed the Lambo to steer clear of last minute disaster! 

Penalties avoided, it was an encouraging night’s work as Car 59 registered its best race result in the competition so far – P8. 

X-section: Suzuka’s figure of eight layout is enabled by an overpass. Race leader Nico Urbantat heads under the bridge, stuck in traffic between the yellow number 87 McLaren of Northern Ireland’s Willy Cranston in 13th and 14th-placed number 878 of Poland’s Robert. Davy Melin’s number 22 McLaren 720s GT3 in 9th place crosses over the top. 

Secure-CAV makes its YouTube debut 

With our race reports in double figures, you probably know a great deal about our exploits on track. But there’s plenty that happens when we’re not racing. One of our biggest projects currently is Secure-CAV, where Copper Horse is contributing threat modelling and security testing expertise. And a quick way of finding out more is to check out this short film commissioned by the project partners and made over the summer by Suited & Booted studios.

Podium positions 

No change from last week with Nico Urbantat taking the win once again and Matthew North coming second. But the third spot has proven to be less predictable with Teis Hertgers taking P3 this time around. 

Top spot: Nico Urbantat in a Porsche 991 takes the win at Suzuka.

About the author 

James Tyrrell is a Threat Modelling Analyst at Copper Horse. 

History lessons 2: Who has access?

David Rogers continues his blog series — commissioned by on-chip monitoring experts UltraSoC (now part of Siemens) — examining security through the ages and highlighting lessons for emerging and future technologies.

Conwy Castle, North Wales.
Image (edited) source: Adrian J Evans
CC-BY-SA-4.0

Conwy Castle is an imposing castle. Built towards the end of the 13th century in North Wales, as part of Edward I’s Iron Ring around the country, its curtain walls are interspersed with eight round towers, complete with arrow slits and ramparts. Its two barbicans guarded entrances to the castle. It still stands today, within the further walls of the town of Conwy itself with a further 21 towers. What is amazing is that it was built within only five years. It was designed by the best castle designer of the day, Master James of St George, and was state-of-the-art when it came to defensive security. It withstood one siege – when the Welsh besieged King Edward in the castle in 1295. It was on Good Friday in 1401 however, that the most interesting events happened at the castle during Owain Glyndwr’s uprising against the English.

Nearly all of the garrison of the castle were at church in the town attending Mass. There were two guards left behind on the gate. A carpenter from the castle approached the guards saying that he needed to perform some work with two of his assistants. They were admitted and then immediately stabbed both guards. They then quickly let in the rest of their men, locking the gates behind them. When the garrison arrived back from church they were unable to gain access to the castle.

Unfortunately, the cleverness of this takeover was undermined by the fact that there were few stores in the castle and the Welsh were not prepared for it. It also upset the King of England, Henry IV, who immediately besieged the castle. Within three months, with no edible stores, the Welsh were starved out.

Why is this story particularly interesting in a technology context? This kind of strategy has many parallels with the way in which hackers often use guile and skill to attack seemingly impenetrable defences. The attack was planned to happen when the castle would be least defended and a way of gaining access via an authorized method had been found. The guards authenticated that the carpenter was real and he was clearly authorized to be there. The defenders were not correctly using their layers of defence within the castle and showed complacency and over-familiarity.

The story also gives a lesson for attackers looking to compromise and remain in a system. When defences have been subverted, one thing that more advanced attackers do in the technology world is what’s called ‘living off the land’. In this case the attackers were not able to sustain their takeover of the castle because they lacked those resources to hold out for a long time. Indeed, they’d misperceived the real situation. In the technology world, it is good practice to minimize in advance the things that an attacker can use once they’re “in the castle” or onto a system, such as software libraries not used for the core operation of a system. In the case of the story above, it was bad luck for the attackers that the garrison had so few usable supplies and food.

Containing access

We know that Conwy has two barbicans. The purpose of a barbican is to provide additional defence in front of an access point or gate. It functions as a mechanism for control over hostile entrants. Barbicans are typically narrow and often contain traps such as murder holes to throw things down on the enemy, as well as adjacent spaces on the same level and a floor above from which defenders can attack the enemy from the side or from height, whilst safely behind their own defences. The defenders have the advantage because low resources are needed to defend whilst the attacker is narrowly channelled into a place of the defender’s choosing.

Layout of Conwy castle showing the East and West Barbicans
Source: CADW

In technology terms, we see very little of this kind of defensive mechanism. Where there are inputs to a system, typically via an Application Programming Interface (API), inputs are often blindly accepted, in some cases from anyone who accesses the interface. Good practice dictates that input is validated – ie that a number is indeed a number and within the expected range. However, there is clearly an opportunity to go further than that. Where an interface or system is under attack there is an opportunity to defend against that. Examples of attacks range from fuzzing (throwing structured and unstructured data at an interface in the hope of breaching it in some way) and repeated brute-force attempts at getting in, to denial of service (DoS) attacks hoping to overload and consume system resources. Abstractly, a system, once it identifies such kinds of attack, could provide some kind of pre-interface – ie a barbican before the data hits a real interface. This gives the opportunity to do something about an attack as it happens – for example, it could choose to drop the data that is sent during a DoS attack rather than consume system resources responding to it. More sophisticated versions could waste an attacker’s time and resources through other clever means. This is a form of ‘active defence’, without actually ever touching an attacker’s system. It is all performed locally on the system that is under attack.
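A minimal sketch of the "barbican" pre-interface described above, as an added example that is not part of the original post: it validates input, counts invalid attempts and request bursts per client, and drops a locked-out client's data before the real interface does any work. The class name, thresholds, the `set_speed_limit` handler and the traffic are all constructed for illustration.

```python
from collections import defaultdict, deque


class Barbican:
    """Pre-interface that screens requests before they reach the real handler."""

    def __init__(self, handler, max_requests=5, window=10.0,
                 max_rejects=3, lockout=60.0):
        self.handler = handler            # the real interface being protected
        self.max_requests = max_requests  # requests allowed per window (DoS guard)
        self.window = window              # sliding window length in seconds
        self.max_rejects = max_rejects    # invalid inputs tolerated (fuzzing guard)
        self.lockout = lockout            # seconds the portcullis stays down
        self.recent = defaultdict(deque)  # client -> timestamps of recent requests
        self.rejects = defaultdict(int)   # client -> count of invalid inputs
        self.locked_until = {}            # client -> time the lockout ends
        self.handler_calls = 0            # work actually done by the real interface

    @staticmethod
    def _valid(value):
        # "A number is indeed a number and within the expected range."
        return (isinstance(value, int) and not isinstance(value, bool)
                and 0 <= value <= 100)

    def submit(self, client, value, now):
        # Portcullis down: drop the data without inspecting or answering it.
        if self.locked_until.get(client, 0.0) > now:
            return "dropped"
        times = self.recent[client]
        while times and now - times[0] >= self.window:
            times.popleft()
        times.append(now)
        if len(times) > self.max_requests:        # burst that looks like a DoS
            self.locked_until[client] = now + self.lockout
            return "dropped"
        if not self._valid(value):                # fuzzing or guessing
            self.rejects[client] += 1
            if self.rejects[client] >= self.max_rejects:
                self.locked_until[client] = now + self.lockout
            return "rejected"
        self.handler_calls += 1                   # only now is the interface touched
        return self.handler(value)


def set_speed_limit(value):
    """Hypothetical real interface sitting behind the barbican."""
    return f"ok:{value}"


def run_demo():
    gate = Barbican(set_speed_limit)
    # Constructed traffic: (client, value, timestamp in seconds).
    traffic = [
        ("carpenter", 30, 0.0),        # legitimate caller
        ("fuzzer", "A" * 64, 1.0),     # not a number
        ("fuzzer", -1, 2.0),           # out of range
        ("fuzzer", 10 ** 9, 3.0),      # third invalid input triggers the lockout
        ("fuzzer", 50, 4.0),           # valid, but the client is locked out
    ]
    traffic += [("flooder", 1, 5.0 + i * 0.1) for i in range(8)]  # burst of 8
    traffic += [("carpenter", 31, 70.0), ("fuzzer", 50, 70.0)]    # after lockout
    results = [gate.submit(c, v, t) for c, v, t in traffic]
    return results, gate.handler_calls


if __name__ == "__main__":
    outcome, calls = run_demo()
    print(outcome, calls)
```
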

However, all of this depends on whether the system is always on guard. History shows that in the Conwy castle case, the garrison were complacent – even though the Welsh had started to rebel the year before. The ‘trusted’ carpenter should have been let in on his own without anyone else and there should have been additional guards within the main castle such that the attackers were confined to the barbican itself, to be dealt with.

The castles of yore often included other mechanisms for access control including the use of a portcullis (or sometimes several of them) which could be dropped very quickly if needed to block access or to trap attackers at entry points. Similarly, entrances were often guarded by drawbridges which could be closed, or turning bridges which could easily be destroyed by defenders. Castle buildings often had entrances on the 1st floor and above – well above head-height. This meant that wooden stairs could be destroyed and burnt in a hurry if necessary, causing an attacker further trouble if the castle was under attack. All of these were primarily designed for defending against sieges. As we’ve seen in this blog however, sometimes costly defences can be undermined by guile, intelligence, defender complacency and choosing the right timing.


For more on how historical security measures and failures can help instruct the future of security design for hardware in connected devices, check out the webinar (co-hosted by UltraSoC CSO Aileen Ryan and Copper Horse founder and CEO David Rogers) accompanying this series of blog posts.

Previous blog post in the series << 1/5 Doing nothing in a hostile environment is never going to work out well

Next blog post in the series >> 3/5 Confusing the guards and what it means for future hardware chip design

About the author

David Rogers is Founder and CEO at Copper Horse.

Race report: Zandvoort, 28 September 2021

An early spin puts a dent in the final result, but the signs are encouraging for future races 

Dry conditions at the Zandvoort circuit meant that drivers could make the most of its fast and flowing layout. And Copper Horse Racing’s white and green Lamborghini Huracán 2015 did just that, at least until the end of lap 4. 

Qualification boost 

There were clues in free practice that Copper Horse Racing could be starting towards the front of the grid. In the pre-race warm-up, David Rogers topped the leaderboard for a large part of the session with a 01m:38.439s and lapped even quicker (01m:37.788s) in qualifying to grab P6.  

At the very front, last week’s winner Matthew North impressed again. His Aston Martin V8 Vantage took just 01m:36.570s to complete the lap, taking pole position by more than half a second. 

Racing highs and lows 

The good times continued briefly for Car 59, which moved up to 4th in the first lap of the race. 

Flying start: Copper Horse Racing’s Lamborghini moves up into 4th on the first lap

But clipping the inside high kerb on the long sweeping ‘Arie Luyendijk Bocht’ — easily done when navigating the Lamborghini’s 2m plus width around Zandvoort’s famously narrow track — on lap 4 proved to be costly. The slight detour unsettled the car into the start/finish straight, leaving the Lamborghini sat perpendicular to the traffic.  

David was forced to sit and wait with seconds ticking by as the traffic went through and it was safe to turn back into the circuit. The incident meant that going into lap 5, Copper Horse Racing had dropped to P14.   

Yellow flag incident: clipping the kerb proved costly for Car 59 

What’s more, the aero damage sustained in the lap 4 incident had pushed the tuned setup slightly out of the window and made the fast right-hander the ‘Scheivlak’ a nervy trip each lap. Navigating other cars as they made mistakes and getting hit by a car attempting to overtake under yellow flags added to the challenge now facing Copper Horse Racing.  

With lap times increasing, it was time for a pit stop. But with the damage that had to be fixed, a tyre change and a 30 second stop-go penalty (from the previous race) to be served, it was going to be a long one. All that could be done was to sit and wait for the traffic to pass through to lap the forlorn Lamborghini. 

Out of the pits with a freshly repaired vehicle and new slicks and into traffic – Car 59 came out behind the green and black Porsche of Ethan Boudreaux who was in 7th place, with Copper Horse one lap behind. If we couldn’t fight at the front, we could at least try and work our way up as far as we could during the last half of the race. It would be a tough challenge – sat in 15th place with 14th place over 20 seconds ahead. So began a few laps of pressure as the faster Lamborghini attempted to get past the cars ahead on the tight circuit. 

Eventually, success! A slick move through the inside of the tight ‘Hans Ernst Bocht’, gave a free stretch of track towards the next car – 6th placed Latvian, Armands Petrovics in his number 96 bright pink Mercedes-AMG. 

Apex moment: unlapping the leading cars allowed Car 59 to make up time on its closer rivals.

It didn’t take long to hunt down Petrovics and a couple of laps later, he moved aside on the start-finish straight – car 59 wasn’t in his fight. As the race was coming to a close, the Lamborghini was now rapidly advancing on the Aston Martin of Dutchman Damian Herfkens. 12 seconds ahead, 6 seconds ahead, 2 seconds!  

With the race leader (Nico Urbantat) on the final lap, it was time to make the move on Herfkens. And noticing that his Aston Martin had gone wide in turn 1, the Lamborghini took the inside – and through! Briefly! Traction control kicking in, the Aston accelerated out and caught the corner of the Lambo, pit-manoeuvring the car around to face the other way. A racing incident, nothing more.  

The race over, David took the car back and over the line. P15 didn’t do it justice, but what a race! 

Last lap drama: after lunging ahead on the final corner, the Lamborghini gets tagged by the Aston Martin. 

Talking automotive cybersecurity 

If previous race reports have piqued your interest in automotive cybersecurity, then you might enjoy the upcoming Secure-CAV webinar ‘Effectively Addressing the Challenge of Securing Connected and Autonomous Vehicles’ (live on Thursday 7 October 2021, 15:30 BST and then available on-demand). 

During the 60 min webinar session you will learn – 

  • The best use of threat modelling techniques
  • Methods for staying one step ahead of malicious hackers in the automotive space
  • Effective methods for hardware-based attack detection
  • How the Secure-CAV project looks at the problem of future vehicle security   

Race results 

Congratulations to Nico Urbantat of Germany who took his third win of the season at Zandvoort and sits at the top of the overall standings in Tier 10. The other drivers on the podium were P1 qualifier Matthew North in second place and Polish driver Robert in third. 

Tune in next week to discover how Copper Horse Racing gets on at the legendary Suzuka circuit. 

About the author 

James Tyrrell is a Threat Modelling Analyst at Copper Horse. 

Race report: Nürburgring, 21 September 2021

Under wet conditions, Copper Horse Racing gains 7 places from qualifying to finish P11

If you are looking for tough racing then the Nürburgring is not going to disappoint. Drivers in season 8 of AOR’s GT3 league were spared the ‘Green Hell’ of the epic Nordschleife circuit, racing instead on the Grand Prix loop. But they still had to contend with the region’s notoriously bad weather, which pushed up the difficulty of navigating a mix of fast and technical circuit features another notch. 

Built in 1984, Nürburgring’s GP track is home to a wide range of racing formats including the ‘Eco Grand Prix’, held since 2013. 

81% changing conditions 

Series organisers AOR kept sim-racers on their toes by advertising changeable dry and wet weather conditions. That being said, tier 10 entrants received a particularly bad roll of the dice with the track becoming wet, wet and wetter as the race unfolded. However, drivers in other tiers did experience drier spells as Yorkie065’s livestream on YouTube shows. 

Qualifying low down the order in P18 with a wet setup that never felt quite right, Car 59 driven by David Rogers had to focus hard to stay out of trouble in the main pack. If previous races are a guide – taps, tangles and off-track excursions are almost guaranteed at some point as opponents jostle for position on cold tyres (especially in the wet). And there was nothing to suggest that things would be any different this time around. 

A hard slog 

Driver perspective:

The first lap was less eventful than usual and I managed to pick up five places going into lap 2. However, a tap from behind as the car turned into the tight Castrol ‘S’ meant lost places and the accident caused other cars to go off too. In the split-second that was available to make decisions and relatively unsighted (a problem with sim racing), I attempted to move out of the entirely blocked road. My car was then hit again by another car trying to manoeuvre around a stranded vehicle; my movement ultimately caused the stewards to penalise me for dangerous driving. This was warranted as sim racing requires you to remain stationary if stuck on the track during an incident, precisely because of this awareness issue. For drivers using VR headsets or TrackIR, they have a better appreciation of what’s going on around them, but it is still never going to be the same as a real car.

First full lap of the race: Secure-CAV sponsored Car 59 moves up through the race order.

Another challenge for everyone, is that the cars all have different setups and braking points and in the wet this can cause a lot of issues especially where cars can also be carrying damage from their own incidents. The 2015 Lamborghini has quite a long braking distance in comparison with other cars on the track. 

In fact, racing at the Nürburgring generated the most Tier 10 DNFs of the series so far, with five drivers failing to make it to the chequered flag – a measure of the challenging conditions. 

Plus, this week’s race was run in the longer 90 minute format, which gives an extra 30 minutes for things to go wrong as concentration levels fade. The final stint certainly proved tricky for Copper Horse Racing’s white and green Lamborghini Huracán, with a late spin — caused simply by being momentarily distracted — dropping the car from P8 to P12. 

The race’s mandatory pitstop was taken 10 minutes from the end, with only a splash of fuel needed and opting for no repairs to the minor damage to the vehicle. The minimal time in the pits brought the car out behind a rapidly slowing damaged McLaren. On the final lap and driving hard and being chased by Chris Maitland in his Footwork liveried 2016 Lexus RC F GT3, I made a move on the McLaren in the Mercedes Arena complex of corners. Taking a different, inside line to the slow driver, the move resulted in a clash between the two cars, and I backed off, allowing the McLaren to return to racing. A couple of corners later at the Valvoline-Kurve, the McLaren opened the door wide, so I moved in again, this time getting through with the McLaren hitting the side of the car and losing time, allowing Maitland’s Lexus through too behind me. A post-race stewards’ inquiry was inevitable, but I didn’t have much choice in the moment, not knowing what was going on with the McLaren or why it was driving slowly. 

Rapid refuel: the white and green Lamborghini of Copper Horse Racing takes a short pitstop ahead of the final few laps.

To be competitive, drivers have more to consider than just watching out for other opponents and keeping the car between the white lines. Other demands include monitoring the in-game telemetry, which represents the sensor data that would be available in a real GT3 car, to keep tabs on brake temps, fuel load, tyre pressures and much more besides. 

Data protection and threat modelling 

In Formula One, cars reportedly run with over 300 sensors per vehicle, up from just 24 when teams began using the technology more than three decades ago. The trend can be seen in road vehicles too, especially those fitted with advanced driver assistance systems (ADAS), which rely on a range of vehicle and environmental data to operate.  

Sensor data brings tremendous knowledge to racing teams and, on the road, can boost safety by helping drivers to navigate otherwise unforeseen hazards. But as vehicles rely more heavily on the exchange of information – connected and autonomous vehicles being the most extreme example – security measures will need to evolve to mitigate the corresponding threats. 

In a previous race report, we discussed the manipulation of algorithms used to recognise road signs. More recently, security researchers have shown how projected (or phantom) images can confuse vehicle cameras. But it’s not just vehicle safety that’s at risk. Attacks on sensors (or their data) could impact privacy or have other consequences. For example, what if payment information could be extracted, or other personal details such as trip history and location?  

There are many angles for carmakers and their suppliers to consider, but there’s also a process that can help – threat modelling (one of our security activities at Copper Horse), which at the highest level boils down to answering four key questions:

  1. What are we working on? 
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good enough job? 

Also, cleverly designed card decks can make threat modelling sessions much more interactive and engaging for participants.  

Talking of fun, let’s return to the race details.  

Race results 

Victory at the Nürburgring went to Swiss driver Matthew North in an Aston Martin V8 Vantage, who managed to get one up on pole sitter Teis Hertgers of The Netherlands. Copper Horse’s David Rogers kept it together to finish P11, gaining 7 places (5 in the first lap) overall. But this week, the most positions gained award goes to Davy Melin in a McLaren 720S, who passed the chequered flag in fifth position, up 8 places on his qualifying spot. 

Race winner: Matthew North crosses the line driving an Aston Martin V8 Vantage.

The post-race stewards’ inquiry found against David Rogers in the final lap incidents, resulting in points deductions and license penalties. In the cold light of day, it is easy to make retrospective analyses of on-track incidents. But during the race it is very different with drivers in difficult conditions making split-second decisions – as real-life driver Alex Fontana, also driving a Lamborghini, discovered at Valencia at the weekend. This makes racing what it is – an exciting battle between competitors who all really want to win. 

The series continues with racing at Zandvoort, where Tier 10 drivers might get to enjoy sunnier weather with only a 30% chance of rain, according to the forecast. 

About the authors 

James Tyrrell is a Threat Modelling Analyst at Copper Horse. 

David Rogers is Founder and CEO of Copper Horse and Driver of Car 59. 

On the move: the driver’s viewpoint from car 59 in the wet mid-race at the Nürburgring GP circuit