Automotive security
Automotive security refers to the branch of computer security focused on the cyber risks related to the automotive context. The increasingly high number of ECUs in vehicles and, alongside, the implementation of multiple different means of communication from and towards the vehicle in a remote and wireless manner led to the necessity of a branch of cybersecurity dedicated to the threats associated with vehicles. Not to be confused with automotive safety.
This article is part of a series on |
Information security |
---|
Related security categories |
Threats |
|
Defenses |
Causes
The implementation of multiple ECUs (Electronic Control Units) inside vehicles began in the early '70s thanks to the development of integrated circuits and microprocessors that made it economically feasible to produce the ECUs on a large scale.[1] Since then the number of ECUs has increased to up to 100 per vehicle. These units nowadays control almost everything in the vehicle, from simple tasks such as activating the wipers to more safety-related ones like brake-by-wire or ABS (Anti-lock Braking System). Autonomous driving is also strongly reliant on the implementation of new, complex ECUs such as the ADAS, alongside sensors (lidars and radars) and their control units.
Inside the vehicle, the ECUs are connected with each other through cabled or wireless communication networks, such as CAN bus (Controller Area Network), MOST bus (Media Oriented System Transport), FlexRay or RF (Radio Frequency) as in many implementations of TPMSs (Tire Pressure Monitoring Systems). It is important to notice that many of these ECUs require data received through these networks that arrive from various sensors to operate and use such data to modify the behavior of the vehicle (e.g., the cruise control modifies the vehicle's speed depending on signals arriving from a button usually located on the steering wheel).
Since the development of cheap wireless communication technologies such as Bluetooth, LTE, Wi-Fi, RFID and similar, automotive producers and OEMs have designed ECUs that implement such technologies with the goal of improving the experience of the driver and passengers. Safety-related systems such as the OnStar[2] from General Motors, telematic units, communication between smartphones and the vehicle's speakers through Bluetooth, Android Auto[3] and Apple CarPlay,[4] and RKES (Remote Keyless Entry Systems) are just examples of how the vehicle has become externally connected to devices and, in some cases, to the internet. Furthermore, since 2016, with the development and implementation in marketed vehicles of V2X technologies, the long- and short-range communication interfaces of the vehicle have become considerably bigger.
Although the implementation of new technologies and devices improved the safety and driving experience of the vehicle, the increasingly high number of externally-communicating units inside each vehicle has led to an increment in the dimension of the attack surfaces of each vehicle. As electronic control units nowadays have the capability of modifying the behavior of the vehicle, it is necessary to ensure that an attacker cannot have the capabilities to take control of critical systems inside the vehicle. Due to this, in the last ten to fifteen years, the new concept of automotive security started to become more and more important when designing new vehicles.
Threat Model
Threat models of the automotive world are based on both real-world and theoretically possible attacks. Most real-world attacks aim at the safety of the people in and around the car, by modifying the cyber-physical capabilities of the vehicle (e.g., steering, braking, accelerating without requiring actions from the driver[5][6]), while theoretical attacks have been supposed to focus also on privacy-related goals, such as obtaining GPS data on the vehicle, or capturing microphone signals and similar.[7]
Regarding the attack surfaces of the vehicle, they are usually divided in long-range, short-range, and local attack surfaces:[8] LTE and DSRC can be considered long-range ones, while Bluetooth and Wi-Fi are usually considered short-range although still wireless. Finally, USB, OBD-II and all the attack surfaces that require physical access to the car are defined as local. An attacker that is able to implement the attack through a long-range surface is considered stronger and more dangerous than the one that requires physical access to the vehicle. In 2015 the possibility of attacks on vehicles already on the market has been proven possible by Miller and Valasek, that managed to disrupt the driving of a Jeep Cherokee while remotely connecting to it through remote wireless communication.[9][10]
Controller Area Network Attacks
The most common network used in vehicles and the one that is mainly used for safety-related communication is CAN, due to its real-time properties, simplicity, and cheapness. For this reason the majority of real-world attacks have been implemented against ECUs connected through this type of network.[5][6][9][10]
The majority of attacks demonstrated either against actual vehicles or in testbeds fall in one or more of the following categories:
Sniffing
Sniffing in the computer security field generally refers to the possibility of intercepting and logging packets or more generally data from a network. In the case of CAN, since it is a bus network, every node listens to all communication on the network. It is useful for the attacker to read data to learn the behavior of the other nodes of the network before implementing the actual attack. Usually, the final goal of the attacker is not to simply sniff the data on CAN, since the packets passing on this type of network are not usually valuable just to read.[8]
Denial of Service
DoS in information security is usually described as an attack that has the objective of making a machine or a network unavailable. DoS attacks against ECUs connected to CAN buses can be done both against the network, by abusing the arbitration protocol used by CAN to always win the arbitration, both targeting the single ECU, by abusing the error handling protocol of CAN.[11] In this second case the attacker flags the messages of the victim as faulty to convince the victim of being broken and therefore shut itself off the network.[11]
Spoofing
Spoofing attacks comprise all cases in which an attacker, by falsifying data, sends messages pretending to be another node of the network. In automotive security usually spoofing attacks are divided in Masquerade and Replay attacks. Replay attacks are defined as all those where the attacker pretends to be the victim and sends sniffed data that the victim sent in a previous moment. Masquerade are, on the contrary, all those spoofing attacks where the data payload has been created by the attacker.[12]
Real Life Automotive Threat Example
According to Miller, he states he have successfully gained total control of the vehicle, the model he attacked was Jeep Cherokee. By gaining the access of the vehicle, he were able to control the speed, temperature, and everything that can be done by computational effort.
The method he used to hack the system was implementation of pre-programmed chip into the controller area network (CAN) bus. By inserting this chip into the CAN bus, he were able to send arbitrary message to CAN bus. One other thing that Miller have pointed out is the danger of the CAN bus, as it broadcasts the signal which the message can be caught by the hackers throughout the network.
The control of the vehicle was all done remotely which he were able to manipulate the system without any physical interaction. He states that he were able to control any of 1.4 million vehicles in United States regardless of the location or distance, the only thing he needed was waiting for passenger to turn on the vehicle to gain access.[13]
Security Measures
The increasing complexity of devices and networks in the automotive context requires the application of security measures to limit the capabilities of a potential attacker. Since the early 2000 many different countermeasures have been proposed and, in some cases, applied. Following, a list of the most common security measures:[8]
- Sub-networks: to limit the attacker capabilities even if he/she manages to access the vehicle from remote through a remotely connected ECU, the networks of the vehicle are divided in multiple sub-networks, and the most critical ECUs are not placed in the same sub-networks of the ECUs that can be accessed from remote.[8]
- Gateways: the sub-networks are divided by secure gateways or firewalls that block messages from crossing from a sub-network to the other if they were not intended to.[8]
- Intrusion Detection Systems (IDS): on each critical sub-network, one of the nodes (ECUs) connected to it has the goal of reading all data passing on the sub-network and detect messages that, given some rules, are considered malicious (made by an attacker).[14] The arbitrary messages can be caught by the passenger by using IDS which will notify the owner regarding with unexpected message.[15]
- Authentication protocols: in order to implement authentication on networks where it is not already implemented (such as CAN), it is possible to design an authentication protocol that works on the higher layers of the ISO OSI model, by using part of the data payload of a message to authenticate the message itself.[12]
- Hardware Security Modules: since many ECUs are not powerful enough to keep real-time delays while executing encryption or decryption routines, between the ECU and the network it is possible to place a hardware security module that manages security for it.[7]
Notes
- "Trends in the Semiconductor Industry: 1970s". Semiconductor History Museum of Japan. Archived from the original on 27 June 2019. Retrieved 27 June 2019.
- "OnStar system website main page". Retrieved 3 July 2019.
- "Android Auto website page". Retrieved 3 July 2019.
- "Apple CarPlay website page". Retrieved 3 July 2019.
- Koscher, K.; Czeskis, A.; Roesner, F.; Patel, S.; Kohno, T.; Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.; Shacham, H.; Savage, S. (2010). "Experimental Security Analysis of a Modern Automobile". 2010 IEEE Symposium on Security and Privacy: 447–462. CiteSeerX 10.1.1.184.3183. doi:10.1109/SP.2010.34. ISBN 978-1-4244-6894-2.
- "Comprehensive Experimental Analyses of Automotive Attack Surfaces | USENIX". www.usenix.org.
- "Securing Vehicular On-Board IT Systems: The EVITA Project" (PDF). evita-project.org.
- Le, Van Huynh; den Hartog, Jerry; Zannone, Nicola (1 November 2018). "Security and privacy for innovative automotive applications: A survey". Computer Communications. 132: 17–41. doi:10.1016/j.comcom.2018.09.010. ISSN 0140-3664.
- Greenberg, Andy (1 August 2016). "The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse". Wired.
- Greenberg, Andy (21 July 2015). "Hackers Remotely Kill a Jeep on the Highway—With Me in It". Wired.
- Palanca, Andrea; Evenchick, Eric; Maggi, Federico; Zanero, Stefano (2017). "A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks". Detection of Intrusions and Malware, and Vulnerability Assessment. Lecture Notes in Computer Science. Springer International Publishing. 10327: 185–206. doi:10.1007/978-3-319-60876-1_9. ISBN 978-3-319-60875-4. S2CID 37334277.
- Radu, Andreea-Ina; Garcia, Flavio D. (2016). "LeiA: A Lightweight Authentication Protocol for CAN" (PDF). Computer Security – ESORICS 2016. Lecture Notes in Computer Science. Springer International Publishing. 9879: 283–300. doi:10.1007/978-3-319-45741-3_15. ISBN 978-3-319-45740-6.
- Miller, Charlie (December 2019). "Lessons learned from hacking a car". IEEE Design & Test. 36 (6): 7–9. doi:10.1109/MDAT.2018.2863106. ISSN 2168-2356.
- "CycurIDS". ESCRYPT. Retrieved 5 July 2019.
- Gmiden, Mabrouka; Gmiden, Mohamed Hedi; Trabelsi, Hafedh (December 2016). "An intrusion detection method for securing in-vehicle CAN bus". 2016 17th International Conference on Sciences and Techniques of Automatic Control and Computer Engineering (STA). Sousse, Tunisia: IEEE: 176–180. doi:10.1109/STA.2016.7952095. ISBN 978-1-5090-3407-9.