Automotive security


Automotive security refers to the branch of computer security focused on the cyber risks related to the automotive context. The increasingly high number of ECUs in vehicles and, alongside, the implementation of multiple different means of communication from and towards the vehicle in a remote and wireless manner led to the necessity of a branch of cybersecurity dedicated to the threats associated with vehicles. Not to be confused with automotive safety.

Causes

The implementation of multiple ECUs inside vehicles began in the early '70s thanks to the development of integrated circuits and microprocessors that made it economically feasible to produce the ECUs on a large scale. Since then the number of ECUs has increased to up to 100 per vehicle. These units nowadays control almost everything in the vehicle, from simple tasks such as activating the wipers to more safety-related ones like brake-by-wire or ABS. Autonomous driving is also strongly reliant on the implementation of new, complex ECUs such as the ADAS, alongside sensors and their control units.
Inside the vehicle, the ECUs are connected with each other through cabled or wireless communication networks, such as CAN bus, MOST bus, FlexRay or RF as in many implementations of TPMSs. It is important to notice that many of these ECUs require data received through these networks that arrive from various sensors to operate and use such data to modify the behavior of the vehicle.
Since the development of cheap wireless communication technologies such as Bluetooth, LTE, Wi-Fi, RFID and similar, automotive producers and OEMs have designed ECUs that implement such technologies with the goal of improving the experience of the driver and passengers. Safety-related systems such as the OnStar from General Motors, telematic units, communication between smartphones and the vehicle's speakers through Bluetooth, Android Auto and Apple CarPlay, and RKES are just examples of how the vehicle has become externally connected to devices and, in some cases, to the internet. Furthermore, since 2016, with the development and implementation in marketed vehicles of V2X technologies, the long- and short-range communication interfaces of the vehicle have become considerably bigger.
Although the implementation of new technologies and devices improved the safety and driving experience of the vehicle, the increasingly high number of externally-communicating units inside each vehicle has led to an increment in the dimension of the attack surfaces of each vehicle. As electronic control units nowadays have the capability of modifying the behavior of the vehicle, it is necessary to ensure that an attacker cannot have the capabilities to take control of critical systems inside the vehicle. Due to this, in the last ten to fifteen years, the new concept of automotive security started to become more and more important when designing new vehicles.

Threat Model

s of the automotive world are based on both real-world and theoretically possible attacks. Most real-world attacks aim at the safety of the people in and around the car, by modifying the cyber-physical capabilities of the vehicle, while theoretical attacks have been supposed to focus also on privacy-related goals, such as obtaining GPS data on the vehicle, or capturing microphone signals and similar.
Regarding the attack surfaces of the vehicle, they are usually divided in long-range, short-range, and local attack surfaces: LTE and DSRC can be considered long-range ones, while Bluetooth and Wi-Fi are usually considered short-range although still wireless. Finally, USB, OBD-II and all the attack surfaces that require physical access to the car are defined as local. An attacker that is able to implement the attack through a long-range surface is considered stronger and more dangerous than the one that requires physical access to the vehicle. In 2015 the possibility of attacks on vehicles already on the market has been proven possible by Miller and Valasek, that managed to disrupt the driving of a Jeep Cherokee while remotely connecting to it through remote wireless communication.

Controller Area Network Attacks

The most common network used in vehicles and the one that is mainly used for safety-related communication is CAN, due to its real-time properties, simplicity, and cheapness. For this reason the majority of real-world attacks have been implemented against ECUs connected through this type of network.
The majority of attacks demonstrated either against actual vehicles or in testbeds fall in one or more of the following categories:

Sniffing

in the computer security field generally refers to the possibility of intercepting and logging packets or more generally data from a network. In the case of CAN, since it is a bus network, every node listens to all communication on the network.
It is useful for the attacker to read data to learn the behavior of the other nodes of the network before implementing the actual attack. Usually, the final goal of the attacker is not to simply sniff the data on CAN, since the packets passing on this type of network are not usually valuable just to read.

Denial of Service

in information security is usually described as an attack that has the objective of making a machine or a network unavailable. DoS attacks against ECUs connected to CAN buses can be done both against the network, by abusing the arbitration protocol used by CAN to always win the arbitration, both targeting the single ECU, by abusing the error handling protocol of CAN. In this second case the attacker flags the messages of the victim as faulty to convince the victim of being broken and therefore shut itself off the network.

Spoofing

s comprise all cases in which an attacker, by falsifying data, sends messages pretending to be another node of the network. In automotive security usually spoofing attacks are divided in Masquerade and Replay attacks. Replay attacks are defined as all those where the attacker pretends to be the victim and sends sniffed data that the victim sent in a previous moment. Masquerade are, on the contrary, all those spoofing attacks where the data payload has been created by the attacker.

Real Life Automotive Threat Example

According to Miller, he states he have successfully gained total control of the vehicle, the model he attacked was Jeep Cherokee. By gaining the access of the vehicle, he were able to control the speed, temperature, and everything that can be done by computational effort.
The method he used to hack the system was implementation of pre-programmed chip into the controller area network bus. By inserting this chip into the CAN bus, he were able to send arbitrary message to CAN bus. One other thing that Miller have pointed out is the danger of the CAN bus, as it broadcasts the signal which the message can be caught by the hackers throughout the network.
The control of the vehicle was all done remotely which he were able to manipulate the system without any physical interaction. He states that he were able to control any of 1.4 million vehicles in United States regardless of the location or distance, the only thing he needed was waiting for passenger to turn on the vehicle to gain access.

Security Measures

The increasing complexity of devices and networks in the automotive context requires the application of security measures to limit the capabilities of a potential attacker. Since the early 2000 many different countermeasures have been proposed and, in some cases, applied. Following, a list of the most common security measures: