
Challenges in Automotive Security: June 2018


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/332587902

Challenges in Automotive Security

Conference Paper · June 2018


DOI: 10.1109/ECAI.2018.8679052


All content following this page was uploaded by Irina-Georgiana Oancea on 08 February 2023.



ECAI 2018 - International Conference – 10th Edition
Electronics, Computers and Artificial Intelligence
28 June -30 June, 2018, Iasi, ROMÂNIA

Challenges in Automotive Security

Irina-Georgiana Oancea
Faculty of Computer Science, Department of Information Security
University of Iasi, Romania
irinageorgiana.oancea@gmail.com

Emil Simion
Faculty of Applied Sciences, Department of Mathematical Models and Methods
Politehnica University of Bucharest, Romania
emil.simion@upb.ro

Abstract – Modern cars are becoming more and more complex, allowing us to connect our phone to graphical interfaces of the car or have the vehicle system directly connected to external networks. These transformations bring major advantages in efficiency, comfort and safety mechanisms, but the systems developed in a car are becoming targets for cyber security attacks. The software level in the automotive industry is increasing, so the systems are becoming vulnerable to threats from the IT world. In this paper we present the entry points, the weaknesses in vehicle systems and emerging threats.

Keywords-automotive, security threat, communication buses, denial of service, ransomware, stride

I. INTRODUCTION

Due to the high complexity of embedded systems the evolution of vehicle systems is increasing, making security a risk-oriented development that is required through the entire life cycle of a product. In the development of a product, security begins before the system architectural design starts, a process step known as security by design. Therefore, security is taken into account before safety and it has an impact on the design of embedded systems (e.g. safety critical systems can be connected to potentially unsecure in-vehicle bus systems, connectivity and open channels allow security attacks). [1]

According to [1], cyber security is becoming an issue for car manufacturers and Tier-1 suppliers, and the number of recalls is increasing due to security threats:
• Charlie Miller and Chris Valasek made a spectacular proof-of-concept of remote attacks by taking control of a Jeep and sending it off-the-road, forcing 1.4 million cars to be recalled; [4]
• Security researchers hacked the BMW ConnectedDrive4 and managed to remotely unlock cars, with even more industrial impact than the Miller/Valasek hack (2.2 million cars had to be recalled); [5]
• More recently, even more vehicles (including most Volkswagen cars produced since 1995) have been shown vulnerable to an attack on remote keyless entry, thus once again increasing the size of the impacted fleet. This last issue marked a steep progression of the number of potentially affected cars, which is in the order of magnitude of 100 million vehicles. [6]
• Yet another example is the recent hack of Tesla electric cars, requiring a software update for the car operating system. [7]

II. ATTACK SURFACE

Due to the distributed architecture of applications, called driving functions in automotive, or the level of automation which is aimed to be achieved in 2020 [8], the threats to automotive systems are constantly evolving. Figure 1 from [2] highlights the main entry points that exist on a modern vehicle. The attacks are mainly on the communication interfaces used by the target, and the threat model that identifies the system vulnerability is based on a black box approach [9]. A generic classification can be used to group the access points, as presented in the following subchapters.

A. Short-Range Wireless access

In this category the attacks use wireless interfaces that operate over short ranges (between 5 and 300 meters depending on the channel). The entry points include, but are not limited to, Remote Keyless Entry ([12], [11]), RFIDs, Bluetooth ([13], [14], [15]), Tire Pressure Communications (TPMS) (for details, see [5], chapter 12) or dedicated short-range communication (DSRC) for vehicle-to-vehicle communication (V2V) [5].

B. Long-Range Wireless Access

Modern cars include, but are not limited to, a group of receivers for long-range signals, such as Global Positioning System (GPS) [16] and the telematics control unit (TCU). For a security survey for automotive telematics, please see [17], [19], [37].

C. Physical Access

Current vehicles have several physical interfaces that offer access to vehicle communication networks. In this chapter an overview of these interfaces is presented.
Fig. 1. Digital I/O channels appearing on a modern car. [2]

The OBD connector, known as the diagnostic link connector, is used for communication with the vehicle’s internal buses and for diagnostics analysis. For further details, please see ([5], chapter 4).

The diagnostic interface is a dedicated interface for several activities, such as service maintenance, debugging, updating, flashing, or system verification. An attacker can use this interface to read diagnostic flags and to interpret the system behavior based on specific inputs and responses. Also, this entry point can be used to inject code or to gain elevated privileges that can allow access to confidential or restricted data.

The infotainment system is considered the most important part, due to the user-friendly interfaces that allow the interaction between driver and car. This part of the vehicle system allows access to components via physical interfaces such as USB ports [38], CD-ROM, knobs, etc., but it also represents an entry point for external wireless inputs, such as Bluetooth, cellular connection, Wi-Fi, etc. If an attacker gains access to the infotainment system, then he/she can modify the behavior of this component (e.g. show wrong information on the dashboard or random/unknown data, pictures, etc.) or the attack can have an impact on different functions (e.g. steering, enforce wrong braking, deactivation of critical functionalities, such as engine, etc.). For details, please see [5] chapter 9.

These known entry points may have specific countermeasures that ensure a security and privacy level for a limited period of time. The attack methods will evolve over time and new vulnerabilities in the implemented countermeasures and/or in vehicle applications will be found and exploited. The increasing number of applications/services that provide car connectivity will lead to new attack surfaces, and the complexity of the vehicle’s distributed systems will increase the chance for an exploitable security vulnerability.

The severe attack that could happen to a vehicle is the unavailability or inoperability (Denial of Service attacks) of critical functions.

III. MALWARE ATTACKS

Due to the increasing number of software applications, embedded systems are becoming targets for new types of attacks. Nowadays some types of malware attacks, such as ransom or miner attacks, are brought to attention.

The current threats from IT infrastructure, such as WannaCry, CryptoLocker, CryptoWall, Petya, are becoming real threats to vehicles. The target could be large vehicle fleet owners, public vehicles that serve critical situations, but also cars with high level functions of automation; in any case, a high ransom will be paid to unlock critical functions.

A. Ransomware - overview

Ransomware is a type of malicious software that blocks user access to files or systems, holding files or entire devices hostage using encryption until the victim pays a ransom in exchange for a decryption key, which allows the user to access the files or systems encrypted by the program. [23]

The ransomware attack has been proved to be very successful in plant manufactures, industrial domains or [20], [21], [22].

In these cases, the payment is anonymous and it uses a cryptographic currency such as Bitcoin.

In IT infrastructure the ransomware can be spread through malicious email attachments, infected software applications, infected external storage devices or compromised websites. Figure 2 represents a generic scheme flow of how this type of attack can be spread. The example considered is the WannaCry attack. A detailed spreading scheme for WannaCry and other malware, such as Spora or DMA Locker, can be found in [24].

Fig. 2. Generic scheme flow ransomware attack

B. Ransomware attack scheme

As presented in [25], launching a ransomware attack in vehicle systems requires, at least, the following conditions:
a) A ransomware malware client and server software;
b) An anonymous botnet for global distribution and remote control of the ransomware vehicle clients;
c) An in-vehicle security exploit; the vulnerabilities could be found in the wireless interfaces (section II) which use the infotainment system or telematics, especially for functions that are connected to trust centers for updates over the air or for functions that allow communication between car and outside world. Also, the vulnerabilities can be conducted using physical wired interfaces (section II);
d) An on-board lock command for a critical vehicle component; an unlocking command is necessary to release the locked component when the ransom has been paid;
e) An anonymous payment scheme, to receive the ransom and to protect the attacker.

Based on these conditions, the attack scheme (Figure 3 from [25]) could be the following:

Fig. 3. Vehicle ransomware attack scheme

The attacker (3) has the possibility to create ransomware or to use ransomware-as-a-service (RaaS) (1) offers, such as TOX [29], which is free, Stampado [27], [28], or Philadelphia [26]. Whether to pay for a ransomware could be only a matter of financial decision for an attacker, depending on the target, scope or motivation. The available operating systems in cars are at least the following: Windows (Windows Embedded Automotive 7 is used for In Vehicle Infotainment (IVI) systems such as Ford or Nissan Leaf); Linux (Automotive Grade Linux Platform [30], used by Toyota); QNX [31] or AUTOSAR environments [32]. Even if today’s ransomware kits target mainly Windows environments, it’s considered a matter of time that ransomware kits will provide automatic creation of Linux based ransomware [25].

Usually such ransomware kits also provide some common security exploits for the ransomware distribution (secondary exploit) and target infection (primary exploit) or enable the cyber-criminal to provide individual, much more powerful undisclosed (so-called “zero day”) exploits to be supplied for integration into the ransomware software.

As a last step, the ransomware kit automatically creates a complete ransomware software package (2) including the ransomware target client, the primary and secondary security exploits (if possible), and the actual extortion mechanism together with the necessary ransomware remote control facilities ((5), “bot master”) [25].

To distribute the malware, the attacker could use an anonymous botnet [33], applying TOR technology [34].

The distribution can be done indirectly (c1), using wireless interfaces (6a) or physical interfaces (6b), by infecting and misusing wireless host systems that have a communication channel (14) to the vehicle. The host systems or communication channels could be grouped at least as follows:
a) User (e.g. driver, tester) devices connected to the vehicle (e.g. smartphones, USB, service maintenance/diagnosis connected to a backend)
b) OEM, supplier or 3rd party devices connected to the vehicle (e.g. update over the air, remote diagnosis, cloud services [35])
c) Traffic infrastructure (e.g. VANET infrastructure [36], emergency services e-call, other services)

Once the ransomware finds a potential target, it uses the vehicle primary security exploit (d) to install and execute the ransomware client (8) on a vehicle electronic component unit (ECU) such as the infotainment system or a central gateway ECU.

At this point the ransomware could have at least two options:
a) To create an online connection back to the attacker in order to receive more data (e1) or control commands (e2)
b) To communicate (f) with the target ECU via in-vehicle communication buses (9a) in order to perform the locking commands (g)

The target ECU could be anything (e.g. from encrypting driver personal files to blocking (Denial of Service attacks) critical functionalities and components, such as ignition, steering or braking) that can force the victim (12) to pay the ransom. For more details, please refer to [25]. Now the ransomware informs the driver (h) with a detailed message in the dashboard monitor as shown in Figure 4 from [25].


Fig. 4. Example of message displayed at the dashboard unit

The payment procedure should be user-friendly for the victim, using smartphone apps that can change and transfer cryptocurrencies, and it should provide an anonymous payment scheme (13). Figure 5 from [25]

Fig. 5. Smartphone application used to change or transfer ransom

After the driver pays the ransom, the attacker should contact the ransomware to execute the unlocking commands (f) in order to release the target. To unlock the target, the procedure shall include a specific vehicle identifier, at least a target address, to associate the corresponding vehicle with the paid ransom. Figure 6 from [25].

Fig. 6. Example of message displayed at the dashboard unit after demanded ransom has been paid

Until now, there has not been a real world ransomware attack published, but the authors from [25] present a technical proof of concept approach for a vehicular ransomware (in Section 4 from [25]).

C. Mining vehicle attack

WannaMine attacks could use strategies of WannaCry distribution, such as the distribution scheme presented in section C, in order to spread something completely different from ransomware. The attacker target could be a host system (14) that has a digital communication channel to the vehicle, or the target could be an ECU (Electronic Component Unit). Reference [35] presents Tesla’s compromised cloud platform, which was running a mining malware cryptojacking campaign. Public cloud platforms in particular are increasingly popular targets for cryptojackers, because they offer a huge amount of processing power in an environment where attackers can mine under the radar since CPU (Central Processing Unit) and electricity use is already expected to be relatively high [35], but the detection rate is high due to network scanning.

If the target is a vehicle hardware component, there are some resource limitations, such as CPU or memory. This form of attack could lead to resource exhaustion [39]. Also, the increasing load of CPU can be a trigger condition for security resource monitoring systems in order to launch specific countermeasures.

IV. SECURITY PROTECTION MECHANISMS

As the number of attack entry points is increasing, the security mechanisms should be continuously improved to offer a high security level for embedded systems. The security workflow should start at least within the vehicle life cycle development, meaning organization level security awareness, security by design, security implementation and risk assessments, Figure 7.

Fig. 7. Security Life Cycle

To keep a better overview for a security and risk assessment analysis of a driving function, several methodologies can be used; the most used one is STRIDE, presented in [18], in which each letter represents a threat category: spoofing component identity, tampering with data, repudiation of actions, information disclosure, denial of service and elevation of privilege. The countermeasures that apply to these categories, but are not limited to them, are detailed in Table I from reference [19].

To secure an embedded system, the architects should consider the current and known threats in order to design a solid and secure architecture. During a threat analysis and risk assessment, the security analysts can evaluate the safety, financial, operational and privacy impact of the attack and, based on the function capabilities and description, they can find new vulnerabilities [42]. The OEMs (Original Equipment
Manufacturer) should be aware that a security level could be ensured for a short or medium period of time and that security gaps will always be found.

In order to reduce the attack surface and protect the most critical assets in a car system against the variety of threats, several effective security countermeasures can be applied, such as:
a) Protection of vehicle interfaces: wireless or physical interfaces; this includes, but is not limited to, network security and role-based access for authorized entities;
b) End-to-end security strategy by protecting the chain-of-trust from the car architecture to the servers and the cloud;
c) Protection of vehicle components: ECU hardening or system isolation strategies;
d) Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS) to detect and prevent malicious activity in embedded systems;
e) Automotive Firewall to filter, monitor and control in-vehicle communication data, based on specific rules.

V. CONCLUSIONS

Embedded systems are more software oriented and the IT threats are becoming real threats to vehicle systems. Hence, the vehicle system should have the possibility to distinguish between a safety failure and a security attack. If the vehicle detects and identifies a threat, it should react according to specific countermeasures.

Since security is a new topic for most OEMs, new and adaptive prevention methods for security attacks should be researched; future work should be focused on monitoring systems for embedded systems in order to achieve a secure state for the attacked system.

In case of a successful attack, the car system should be able to work, in order to drive the passengers to a safe lane (parking slot, specialized garage, etc.).

REFERENCES

[1] ENISA, “Cyber Security and Resilience of smart cars”, December 2016
[2] Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, and Tadayoshi Kohno, “Comprehensive Experimental Analyses of Automotive Attack Surfaces”, 2010
[3] Craig Smith, “The Car Hacker’s Handbook”, 2010
[4] Charlie Miller and Chris Valasek, “Remote Exploitation of an Unaltered Passenger Vehicle”, 2015
[5] Martyn Williams, “BMW cars found vulnerable in Connected Drive hack”, in press, 2016
[6] Jonathan M., “Almost every Volkswagen sold since 1995 can be unlocked with an Arduino”, in press, 2016
[7] Tesla updates software after car hack, in press, 2016
[8] Brian Solis, “Level Up: An Introduction to the 5 Different Levels of Self-Driving Cars”, in press, 2016
[9] Andreas Fuchs and Roland Riecke, “Identification of authenticity requirements in systems of systems by functional security analysis”, 2010
[10] Charlie Miller and Chris Valasek, “A Survey of Remote Automotive Attack Surfaces”, 2016
[11] Aurelien Francillon, Boris Danev, Srdjan Capkun, “Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars”, 2011
[12] Andy Greenberg, “Just a pair of these $11 radio gadgets can steal a car”, in press, 2017
[13] Pauric Doherty, Alan Molly, Martin Glavin, Fearghal Morgan, “A review of Bluetooth Security in the Automotive Environment”, 2004
[14] A. Dardanelli et al., “A Security Layer for Smartphone-to-Vehicle Communication Over Bluetooth”, 2013
[15] R. Boyle, “Trojan-Horse MP3s could let hackers break into your car remotely, researchers find”, in press, 2011
[16] Farzan Hussain, “Hacking GPS Signals of Smartphones and In-Car Navigation System”, in press, 2015
[17] S. Duri et al., “Framework for Security and Privacy in Automotive Telematics”, 2002
[18] The STRIDE Threat Model, https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
[19] Alex Oyler, Hossein Saiedian, “Security in automotive telematics: a survey of threats and risk mitigations strategies to counter the existing and emerging attack vectors”, Security Comm. Networks, 2016
[20] Financial Times, “Honda plant hit by WannaCry ransomware attack”, in press, 2017
[21] The Telegraph, “Cyber-attack hits German train stations as hackers target Deutsche Bahn”, 2016
[22] Rambus, “Ransomware could target connected vehicles”, 2017
[23] Digital Guardian, “A history of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time”, 2017
[24] Pasca Vlad-Raul, Simion Emil, “Challenges in cyber security – Ransomware Phenomenon”, 2018
[25] Marko Wolf et al., “WannaDrive? Feasible Attack Paths and Effective Protection Against Ransomware in Modern Vehicles”, Escrypt, 2017
[26] SophosLabs – Dorka Palotay, “Ransomware as a Service (Raas): Deconstructing Philadelphia”, 2017
[27] Atinderpal Singh, “A look at recent STAMPADO ransomware variant”, Zscaler Blog, November 2016
[28] Lawrence Abrams, “Stampado Ransomware campaign decrypted before it started”, bleepingcomputer.com, July 2016
[29] McAfee Labs, “Meet ‘Tox’: Ransomware for the Rest of Us”, May 2015
[30] Automotive Grade Linux, “Automotive Grade Linux Hits the Road Globally with Toyota; Amazon Alexa Joins AGL to Support Voice Recognition”, January 2018
[31] Norbert Struck, “Realtime operating systems in automotive infotainment”, March 2007
[32] AUTOSAR, https://www.autosar.org/
[33] PentaSecurity, “Top 5 Botnets of 2017”, December 2017
[34] The TOR Anonymity Network Project, www.torproject.org
[35] Wired, “Hack Brief: Hackers enlisted Tesla’s public cloud to mine cryptocurrency”, February 2018
[36] Irshad Ahmed Sumra, Iftikhar Ahmad, Halabi Hasbullah, Jamalul-lail bin Ab Manan, “Classes of attacks in VANET”, April 2011
[37] Ian Foster, “Fast and Vulnerable: A Story of Telematic Failures”, USENIX Workshop on Offensive Technologies (WOOT), 2015
[38] Jay Turla, Mazda Infotainment USB Port PoC Attack, https://github.com/shipcod3/mazda_getInfo
[39] Toshihiro Tabata, Satoshi Hakomori, Kazutoshi Yokoyama, Hideo Taniguchi, “A CPU Usage Control Mechanism for Processes with Execution Resource for Mitigating CPU DoS Attack”, 2007
[40] Karsten Schmidt et al., “Hardware and Software Constraints for Automotive Firewall Systems”, SAE Technical Paper 2016-01-0063
[41] Pesé, M., Schmidt, K., and Zweck, H., “Hardware/Software Co-Design of an Automotive Embedded Firewall”, SAE Technical Paper 2017-01-1659, 2017
[42] Heavens guideline, available online: http://autosec.se/wp-content/uploads/2018/03/HEAVENS_D2_v2.0.pdf
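
Added example, not part of the original paper and not code from any cited project: a C sketch of the rule-based automotive firewall named as countermeasure e) in Section IV, placed on a gateway ECU so that frames from the infotainment and OBD ports reach the safety-critical bus only when an allowlist rule permits them. The port names, the identifiers 0x3A0 and 0x0C4, the rule values and the trace are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bus { BUS_INFOTAINMENT, BUS_OBD };  /* hypothetical gateway ports */
enum verdict { FW_FORWARD, FW_DROP_NO_RULE, FW_DROP_LENGTH,
               FW_DROP_STATE, FW_DROP_RATE };

/* One frame headed for the safety-critical segment. */
struct frame { enum bus src; uint32_t id; uint8_t dlc; uint32_t t_ms; };

struct rule {
    enum bus src;           /* port the frame arrived on */
    uint32_t id_lo, id_hi;  /* inclusive CAN identifier range */
    uint8_t  max_dlc;       /* longest payload accepted */
    uint32_t min_gap_ms;    /* minimum spacing between forwarded frames */
    int      parked_only;   /* 1: forward only while the vehicle is stationary */
    int      seen;          /* rate-limit state: a frame was forwarded before */
    uint32_t last_ms;       /* rate-limit state: when it was forwarded */
};

/* Constructed allowlist. 0x3A0 is a made-up status message; 0x7DF-0x7E7 are
 * the standard 11-bit OBD-II diagnostic request identifiers. */
static struct rule rules[] = {
    { BUS_INFOTAINMENT, 0x3A0, 0x3A0, 2, 100, 0, 0, 0 },
    { BUS_OBD,          0x7DF, 0x7E7, 8,  10, 1, 0, 0 },
};

/* Default deny: a frame is forwarded only if a rule matches its port and
 * identifier and it also passes the length, vehicle-state and rate checks. */
enum verdict fw_check(const struct frame *f, int vehicle_moving)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        struct rule *r = &rules[i];
        if (f->src != r->src || f->id < r->id_lo || f->id > r->id_hi)
            continue;
        if (f->dlc > r->max_dlc)
            return FW_DROP_LENGTH;
        if (r->parked_only && vehicle_moving)
            return FW_DROP_STATE;
        if (r->seen && f->t_ms - r->last_ms < r->min_gap_ms)
            return FW_DROP_RATE;
        r->seen = 1;
        r->last_ms = f->t_ms;
        return FW_FORWARD;
    }
    return FW_DROP_NO_RULE;
}

int main(void)
{
    /* Constructed trace, vehicle moving, infotainment unit misbehaving. */
    const struct frame trace[] = {
        { BUS_INFOTAINMENT, 0x3A0, 2,   0 },  /* allowed status frame */
        { BUS_INFOTAINMENT, 0x3A0, 2,  20 },  /* same ID sent too fast */
        { BUS_INFOTAINMENT, 0x0C4, 8, 130 },  /* made-up ID, not allowlisted */
        { BUS_OBD,          0x7E0, 8, 140 },  /* diagnostics while driving */
    };
    int dropped = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        enum verdict v = fw_check(&trace[i], 1);
        dropped += (v != FW_FORWARD);
        printf("t=%u id=0x%03X verdict=%d\n", (unsigned)trace[i].t_ms,
               (unsigned)trace[i].id, (int)v);
    }
    return dropped == 3 ? 0 : 1;  /* three of the four frames are dropped */
}
```

The drop verdicts are the natural input for the IDS/IPS of countermeasure d): a burst of FW_DROP_NO_RULE from the infotainment port is a sign that the unit is sending traffic it was never designed to send.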
