
Computer Standards & Interfaces 78 (2021) 103539


A taxonomy of attack mechanisms in the automotive domain

Irdin Pekaric *,a, Clemens Sauerwein a, Stefan Haselwanter b, Michael Felderer a,c

a University of Innsbruck, Department of Computer Science, Technikerstraße 21a, Innsbruck A-6020, Austria
b AV-Comparatives GmbH, Grabenweg 68, Innsbruck A-6020, Austria
c Blekinge Institute of Technology, Valhallavägen 1, Karlskrona 371 41, Sweden

ARTICLE INFO

Keywords: Attack mechanisms; Vehicle security; Automotive engineering; Attack modeling; Systematic review

ABSTRACT

In the last decade, the automotive industry incorporated multiple electronic components into vehicles introducing various capabilities for adversaries to generate diverse types of attacks. In comparison to older types of vehicles, where the biggest concern was physical security, modern vehicles might be targeted remotely. As a result, multiple attack vectors aiming to disrupt different vehicle components emerged. Research and practice lack a comprehensive attack taxonomy for the automotive domain. In this regard, we conduct a systematic literature study, wherein 48 different attacks were identified and classified according to the proposed taxonomy of attack mechanisms. The taxonomy can be utilized by penetration testers in the automotive domain as well as to develop more sophisticated attacks by chaining multiple attack vectors together. In addition, we classify the identified attack vectors based on the following five dimensions: (1) AUTOSAR layers, (2) attack domains, (3) information security principles, (4) attack surfaces, and (5) attacker profile. The results indicate that the most applied attack vectors identified in literature are GPS spoofing, message injection, node impersonation, sybil, and wormhole attack, which are mostly applied to application and services layers of the AUTOSAR architecture.

* Corresponding author. E-mail addresses: [email protected] (I. Pekaric), [email protected] (C. Sauerwein).
https://doi.org/10.1016/j.csi.2021.103539
Received 20 July 2020; Received in revised form 23 February 2021; Accepted 14 April 2021; Available online 23 April 2021
0920-5489/© 2021 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).

1. Introduction

Due to the openness and interconnectedness of modern embedded systems, various security issues arise [1]. Attackers try to exploit these vulnerabilities, which can result in numerous consequences such as financial loss, sabotage or an accident with a fatal outcome. An example of such systems are modern vehicles, which communicate with multiple devices such as traffic lights (V2I) or other vehicles (V2V). Initially, the automotive industry focused on addressing functionality and safety aspects of a vehicle [2]. In addition, the physical security represented the biggest concern. However, modern vehicles are highly connected systems wherein security is becoming an important subject [3].

Modern vehicles represent complex systems that consist of multiple Electronic Control Units (ECUs) designed based on the AUTomotive Open System ARchitecture (AUTOSAR) [4]. Due to the fact that they contain multiple hardware and software components, it is possible for an attacker to target such systems by applying various types of attacks. For example, these attack vectors include GPS spoofing [5], altering sensor values [6] and modifying traffic signs [7]. They range from very general types, such as a denial of service attack to attacks that are very specific for the automotive domain, namely, traffic control attack [8] or camera/radar/ spoofing [9].

Since the number and complexity of corresponding attacks is constantly increasing, it makes it difficult to keep track of existing threats. There are existing attack taxonomies in the automotive domain such as [10] and [11]. However, a comprehensive attack taxonomy that can be applied by penetration testers in the automotive domain is still missing. Thus, we address the following two research questions:

• (RQ1) What are the attack mechanisms in the automotive domain?
• (RQ2) What are the characteristics of identified attack vectors?

In order to answer the aforementioned research questions, we conducted a systematic literature review [12]. As a result, we identified a set of 48 attack vectors. We systematically developed a taxonomy of attack mechanisms under which we classified the identified attack vectors according to the multi-level dimensions. Furthermore, we proposed a classification scheme in order to investigate the characteristics of specific attacks and map them to the AUTOSAR architecture. Finally, we discussed how the taxonomy and the classification scheme can be applied for the purpose of security testing.

The classification and analysis was conducted based on the proposed taxonomy of attack mechanisms and the classification scheme. The results suggest that the most applied attack vectors are GPS spoofing, message injection, node impersonation, sybil, and wormhole attack, which are mostly applied to application and services layers of the AUTOSAR architecture. Finally, a majority of the attack vectors are applied via close proximity and remote access, wherein the affected information security principles are utility as well as possession and control.

The remainder of this paper is structured as follows: Section 2 provides background information on classifying attack vectors in the automotive domain. Section 3 examines related work regarding the classification of attack vectors and attack taxonomies in other domains. Section 4 discusses the research questions and the applied research method to develop the taxonomy of attack mechanisms and the classification scheme. Section 5 outlines the resulting taxonomy and provides the results of classification of attack vectors. Section 6 discusses the key findings as well as the application of the taxonomy for security testing. Finally, Section 7 concludes the paper and provides an outlook on the future work.

2. Classifying attack vectors in the automotive domain

In this section, we provide the necessary background information on attack vectors and their classification. Attack vectors are defined as paths or means by which an attacker can gain access to a computer or network server in order to deliver a or malicious outcome [13]. The dimensions we discuss are: AUTOSAR layers, attack domains, information security principles (Parkerian hexad), attack surfaces, and attacker profile.

2.1. AUTOSAR Layers

AUTOSAR is an open and standardized software architecture for ECUs in the automotive domain. It is a widely accepted standard for automotive basic software specification. In addition, it has a strong focus on re-usability of various functions, tools, methods and software. This was acknowledged and supported by more than 280 companies worldwide. The architecture enables the realization of functional requirements with the support for some non-functional requirements such as safety, portability, maintainability and efficiency [4]. As depicted in Fig. 1, the general AUTOSAR layered architecture consists of the following four layers:

• Application Layer: It contains various types of applications that provide multiple functionalities and are executed depending on the use-case.
• Runtime Environment: It provides communication services to the application layer.
• Basic Software Layer: It enables the abstraction between the hardware and the application software. It consists of the following four sub-layers:
  • Services Layer: It offers operating system functionality, network communication, memory services, diagnostic services, ECU state management and program flow monitoring.
  • ECU Abstraction Layer: It provides an API in order to access peripherals and devices regardless of their location and connection to the operating system.
  • Microcontroller Abstraction Layer: It consists of internal drivers, allowing direct access to the operating system and internal peripherals.
  • Complex Drivers: It provides capabilities to integrate additional functionalities, which are not specified within the AUTOSAR architecture.
• Microcontroller: It runs services, microcontroller abstraction and complex drivers layers.

Fig. 1. The AUTOSAR architecture [14].

2.2. Attack domains

Attack vectors can be classified according to the domain that is being affected by the attack. These domains were obtained from the Common Attack Pattern Enumeration and Classification (CAPEC) [15] attack database. It represents a dictionary of known attack patterns that are applied by adversaries in order to exploit known system weaknesses. These are used by security experts and researchers for analysis, testing and education for the purpose of developing and improving countermeasures against existing security threats. According to CAPEC, attack vectors are classified into the following six domains: (1) Software, i.e. exploitation of software applications, (2) Hardware, i.e. exploitation of physical hardware in computing systems, (3) Communication, i.e. exploitation of communications and related protocols such as Vehicular Ad-hoc Network (VANET) or Controller Area Network (CAN) bus, (4) Supply Chain, i.e. disruption of supply chain by manipulation of software, hardware or services for the purpose of espionage or theft, (5) Social Engineering, i.e. manipulation and exploitation of people and (6) Physical Security, i.e. exploitation of physical security.


2.3. Information security principles

Attack vectors can be classified based on the information security principles that they aim to disrupt. In this context, we apply the Parkerian hexad [16], which is considered as an extension of the traditional CIA triad as it includes three additional attributes. The Parkerian hexad can be easily mapped to the CIA and allows more detailed classification of identified attack vectors by providing more concrete categories. Moreover, there is a minor difference in the definition of integrity because the Parkerian hexad puts emphasis on the data completeness, whereas the CIA encompasses as well. Thus, the Parkerian hexad distinguishes among the following six dimensions [17]: (1) Confidentiality: Preventing disclosure of information to unauthorized parties; (2) Integrity: Assuring that the data has not been altered or destroyed in an unauthorized manner; (3) Availability: Making the data accessible to a party that requested it; (4) Authenticity: Corresponding to the intended meaning of data; (5) Control: Avoiding, detecting, counteracting, or minimizing the security risks; and (6) Utility: Ensuring that the system and data remain stable and usable.

2.4. Attack surfaces

According to [8,18], attack vectors can be classified based on the attack entry point. In this context, a modern vehicular system consists of several layers, wherein each layer may be affected by attackers due to the vulnerabilities in the infrastructure. This can be achieved by targeting various devices and ECUs, cables or network (VANET). Thus, attack vectors can be classified based on the following three types of access: (1) Physical Access represents the lowest layer, which involves the access to wires and control boxes. This affects the following components: On-board diagnostic port (OBD-II), ECUs, on-board computers, modules, media systems (e.g., radio, media player, USB), navigation system, and dashboard. (2) Close Proximity describes attacks on the communication layer, where an attacker attempts to either insert, replace or steal the data. This also includes providing the wrong data to sensors. As a result, the following components pose the potential attack surface: , key/ignition (e.g., RKES, PKES), sensors, tire pressure monitoring system (TPMS), dedicated short range communication (DSRC), Wi-Fi, WAVE, voice controllable and speech recognition system (VCS/SRS). Finally, (3) Remote Access includes attacks that are conducted from large distances over the network. For example, an attacker may attempt to eavesdrop messages that are sent to a vehicle from a command unit controlled by a vendor. The potential attack surfaces include: GPS, radio, cellular or mobile network (3G/4G/5G), internet (using applications or a web browser).

2.5. Attacker profile

According to [19,20], an attacker profile can be described by the following bipolar categories: (1) Membership, (2) Objective, (3) Activity and (4) Scope. In this context, according to the Membership, an attacker can be: (a) Insider: Authenticated user with knowledge about the network, its structure, and topology; or (b) Outsider: Unauthenticated user with little or no knowledge about the network. Based on the Objective, an attacker can be: (a) Malicious: Disrupts functionality of the network with no personal benefits disregarding corresponding costs and consequences; or (b) Rational: Gains profits from attacks, which is considered more predictable in terms of attack means and target. Furthermore, according to the Activity, an attacker can be: (a) Active: Generates, modifies, and sends malicious packets in the network; or (b) Passive: Silently monitors and eavesdrops network activities but does not generate packets or alter network information. Finally, based on the Scope, an attacker can be: (a) Local: Performs attacks and possesses entities in limited reach and scope; or (b) Extended: Controls several entities scattered across the network and in wider reach.

3. Related work

In this section, we discuss related work in the context of classifying attack vectors in the automotive domain and the development of attack taxonomies in general.

3.1. Classification of attack vectors in the automotive domain

Sumra et al. [21] proposed classification of attacks for VANETs. The authors classify attack vectors into five main dimensions: , monitoring, social, application, and network attacks. Furthermore, different stages of attacks, attacker types and communication types are described. However, their work is strictly related to VANETs, while in addition to that we consider attack vectors for all the AUTOSAR layers as well.

Sheehan et al. [22] introduced a cyber-risk classification framework for connected and autonomous vehicles (CAV). In doing so, different attack types, attack vectors and attack surfaces are addressed. In addition, vulnerability data is used together with Bayesian networks in order to classify cyber-risks for CAV systems. Each node represents a possible attack vector together with additional information such as the attack complexity and scope. The Bayesian network model is validated using an out-of-sample test showing almost 100% prediction accuracy of the quantitative risk score and qualitative risk level. In comparison to our work, Sheehan et al. do not consider any automotive architectures.

Sommer et al. [10] developed a taxonomy to address attacks in the automotive domain. In order to gather the list of attacks, various vulnerability databases were investigated, from which attack related data was gathered. As a result, multiple dimensions such as attack type, exploitability rating, affected component, related vulnerabilities, and vehicle type were considered. However, compared to our work, their taxonomy is focused on addressing dimensions related to vulnerability information. This is because their data comes from vulnerability databases where broader attacks are not covered. Instead, we obtain our data from the scientific literature.

Ahmad et al. [23] proposed a systematic asset-based approach for cyber security in VANETs. As a result, multiple vulnerabilities, threats, assets, and attacks related to VANET were identified. In addition, a platform for the identification of various parameters during the development process of security frameworks was provided. However, similar to [21], their approach is strictly related to the network layer and does not consider attack vectors focusing on other layers.

Finally, we identified a taxonomy of attacks and defences for autonomous vehicles proposed by Thing et al. [11]. Consequently, the following five categories were investigated: attacker, attack vector, target, motive, and potential consequences. However, their research is on a very high abstraction level and does not consider attack vectors in technical detail. Furthermore, their work focuses only on autonomous vehicles, while we consider attack vectors on vehicles in general.

3.2. Attack taxonomies in other domains

In addition to the aforementioned attack classifications in the automotive domain, there exist related attack taxonomies from other domains, which we discuss here.

Lai et al. [24] proposed an attack taxonomy for classification of web attacks. As a result, attacks were classified according to the HTTP method (GET, POST, PUT and DELETE), type of an attack, platform, damage, markup language and Common Vulnerabilities and Exposures (CVE) reference. Their findings indicate that most of the attacks focus on GET and POST HTTP methods.

Dotter et al. [25] presented a conceptual cloud attack and risk assessment taxonomy, wherein the following five dimensions were investigated: source, vector, target, impact and defense. In addition, the associated risk for each attack scenario was calculated by considering the likelihood of a successful attack and the impact of an incident.


Fig. 2. Overview of the applied research methodology.

Gruschka et al. [26] proposed another taxonomy of attacks that target cloud systems. Compared to the aforementioned taxonomy, combinations of different attack surfaces were considered as well. In order to evaluate the proposed approach, the taxonomy was applied to four up-to-date attack incidents of cloud computing scenarios.

Simmons et al. [27] introduced a cyber attack taxonomy, in which five major classification criteria are used: the classification by attack vector, operational impact, defense, information impact and target. In addition, efficient cause, action, defense, analysis and target process metrics are proposed, which are used for attack classification. The results show an increase in an organization's attack resiliency in all functional areas, when applying the developed taxonomy. However, the taxonomy is not applicable to any type of physical attacks.

Papp et al. [28] conducted a systematic review on the existing threats and vulnerabilities for embedded systems. According to the identified information, an attack taxonomy is developed, where the CVE data is classified according to the following five dimensions: precondition, vulnerability, target, method and effect of the attack. The results suggest that the taxonomy can assist analysis and design of embedded systems during the system development lifecycle.

Joshi et al. [29] proposed an attack taxonomy to classify attacks according to their nature. Thus, the following five dimensions are investigated: classification by attack vector, defense, method, impact and target. The taxonomy is evaluated by classifying various types of attacks such as the Blaster worm and Melissa. The proposed taxonomy can be used for attack mitigation and planning of defense strategies.

Finally, Hunt et al. [30] introduced a new approach for developing attack taxonomies for . In doing so, a model is proposed, which can be adapted for particular cases in the context of attack classification and vulnerability detection. This model includes four main dimensions: network categories, attack categories, attack techniques and protection technologies. In addition, the proposed model is applied to three case studies in order to demonstrate the usefulness of the developed taxonomy.

The aforementioned attack taxonomies have been developed for specific types of systems. Despite some commonalities between them and our classification, such as the categorization by attack surface, it is evident that none of the other taxonomies can be applied to the automotive domain. This is mainly due to the combination of specific architectures and component structures used in automotive engineering. Therefore, it is necessary to consider attacks affecting multiple architectures and various devices. For example, these include ECUs, CAN bus, VANET and media devices.

4. Methodology

As stated in Section 1, this paper addresses the following two research questions:

• (RQ1) What are the attack mechanisms in the automotive domain?
• (RQ2) What are the characteristics of identified attack vectors?

(RQ2) can be further refined into the following sub-research questions:

• (RQ2.1) What are the attack domains affected by attacks?
• (RQ2.2) Which layers of the AUTOSAR architecture are targeted by attack vectors?
• (RQ2.3) What is the profile of an attacker?
• (RQ2.4) Which attack surfaces are targeted?
• (RQ2.5) Which information security principles are addressed?

In order to address these research questions, we conducted a systematic literature review by combining the keyword search [12] and snowballing [31] methodologies (see Section 4.1). As a result, we collected publications describing various types of attacks (see Section 4.2). Based on the identified papers, we extracted 48 different attack vectors. Furthermore, we systematically developed a taxonomy of attack mechanisms, which was used to classify the identified attack vectors and address RQ1 (see Section 5.1). Moreover, we built the classification schema, where we applied the proposed taxonomy of attack mechanisms (see Section 4.4). Finally, we conducted the analysis of results and addressed RQ2 with corresponding sub-research questions (see Section 5). In this section, we describe the applied research methodology in more detail as represented in Fig. 2.

Fig. 3. The search process stages.


4.1. Search strategy

The literature study was based on keyword search as well as forward and backward snowballing. The keyword search was managed using multiple online publication libraries. These included the following: ACM, Science Direct, IEEE Xplore, Springer Link and Wiley [12]. We chose these as they represent the standard publication libraries that are commonly used within the domains of software engineering, electronic engineering and hardware security, which encompass the areas relevant for the study. In addition, we complemented our search with DBLP, Sage Journals, Taylor and Francis and AIS eLibrary, allowing us to identify additional highly relevant papers that were not detected by other publication libraries.

In order to obtain additional publications and improve the overall publication coverage, backward (cf. examining the references of a publication being studied) and forward (cf. identification of new publications that cite the one being examined) snowballing iterations were executed. According to Kitchenham and Brereton [12], applying multiple publication search methodologies achieves sufficient literature coverage.

4.2. Search process

The search process demonstrated in Fig. 3 includes the following three phases: keyword identification, database search and snowballing.

Keyword identification. The search string was formed by combining multiple terms related to attack vectors and the automotive domain. As a result, the following search string was formed:

(attack OR threat) AND (car OR vehicle OR (autonomous AND (car OR vehicle)) OR automotive OR VANET OR (intelligent AND transporation AND system)).

Keyword Search. We conducted a database search using the aforementioned publication libraries and the search string. Based on this, we obtained a set of 59 publications. However, some libraries such as Taylor and Francis, Wiley, AIS eLibrary and CiteSeer did not provide any results. This might be due to the fact that these libraries do not address topics such as automotive security.

In a selection process, we applied the exclusion criteria (see Section 4.3) and performed a full-text reading of each paper whereby its content was examined regarding attack vectors. The exclusion was done in the early stage of the search process in order to develop a good starting set for the application of snowballing iterations. After that, we reduced our set to 35 papers.

Snowballing. We applied the snowballing methodology after the inclusion and exclusion criteria. This ensured that we start with a set of relevant publications. As a result, we performed backward and forward snowballing to the 35 papers identified in the previous step using Google Scholar. This resulted in 17 additional publications, which were added to the final set of 52 papers.

4.3. Inclusion and exclusion criteria

The selection of publications was performed based on the inclusion and exclusion criteria defined in Table 1. In order to obtain a set of high quality papers, we considered peer-reviewed articles, including academic publications, journal papers, conference proceedings, books and standards. In addition, we only selected publications available in full-text. This prevented us from dealing with incomplete information, thereby allowing us to determine if a paper should be part of our resulting set of publications. Furthermore, we only considered papers within a time period from year 2014 to the middle of year 2019 in order to obtain a current set of publications. Finally, we only selected papers from which it is possible to extract information about attack vectors, attack surfaces, and attack steps.

We excluded grey literature including the following types of publications: technical/vendor reports, preprints, news/press, articles, work in progress, unpublished results, expert opinions/experiences based on theory, blog entries, and tweets. In addition, we excluded non-English articles due to the difficulties to fully understand them. Furthermore, we encountered duplicate publications that were identified by multiple publication search engines. These were selected and removed from the final set. Finally, all the papers that considered general automotive security-related topics, that did not present any information regarding specific attacks, were excluded.

Table 1. Inclusion and exclusion criteria of the literature study.

Inclusion Criteria | Exclusion Criteria
Peer-reviewed publications | Grey literature
Accessible in full-text | Non-English articles
Published between 2014 and mid 2019 | Duplicates
Discussing attack vectors, attack surfaces, and attack steps | General automotive security-related topics

Fig. 4. Proposed classification scheme.

Fig. 5. Taxonomy of attack mechanisms. The lowest level represents identified attack vectors (see Appendix A), while the higher two levels are according to the Mechanisms of Attack: CAPEC-1000 [15].

4.4. Development of the classification scheme

In order to classify the collected attack vectors, a classification scheme was developed following the methodology proposed by Usman et al. [32]. Thus, we applied the following four phases: (a) Planning, (b) Identification and Extraction, (c) Design and Construction, and (d) Validation.

The first step (cf. Phase (a)) involved the planning process, where the ideas for the classification scheme were collected based on the proposed research questions. In the second step (cf. Phase (b)), dimensions for the classification of attack vectors were developed. They were drawn from the collected literature obtained through the systematic literature review, CAPEC metrics [33], AUTOSAR architecture and the grouping of the identified attacks. The latter was performed iteratively by the authors, wherein each new attack category was defined after identification of at least two attack vectors that do not belong to any of the previously created categories. For example, the attack vector category Eavesdropping or Location Tracking Attack was defined in such an iterative way. Furthermore, each classification dimension was discussed and agreed by the authors internally. Finally, the classification scheme (cf. Phase (c)) was constructed by combining multiple proposed dimensions and validated (cf. Phase (d)) by classifying all the identified attack vectors.

The classification scheme as illustrated in Fig. 4 consists of the following five dimensions: (1) AUTOSAR Layers (see Section 2.1), (2) Attack Domains (see Section 2.2), (3) Information Security Principles (see Section 2.3), (4) Attack Surfaces (see Section 2.4), and (5) Attacker Profile (see Section 2.5).

Aside from these dimensions, we also investigated the relationship between security testing techniques and attack vectors (see Section 6.4). However, this association is only considered as a discussion point because security testing techniques are not part of the classification scheme.


4.5. Classification and analysis

In order to classify the final set of attack vectors, we applied the following procedure:

1. Initially, the taxonomy and the classification scheme was built by all four authors by discussing each dimension and revising them when necessary.
2. The second step included the classification and recording of the results in a spreadsheet.
3. The verification process included the division of the final set of papers, where the classification of each paper was verified by at least three other authors. Their results and comments were recorded in the separate spreadsheet.
4. Finally, all the classification discrepancies were discussed by all four authors. When necessary, a majority vote was taken in order to resolve any differences of opinions.

Fig. 6. Occurrence of application of the identified attack vectors in the literature.

The aforementioned procedure ensured that each paper was classified by at least three authors. All the results were documented in a separate final spreadsheet, which was used for analysis and answering the research questions.

5. Results

In this section we present the results related to the identified attack vectors. Thus, Section 5.1 addresses research question RQ1 and Section 5.2 provides answers to research question RQ2 with its corresponding sub-research questions RQ2.1 to RQ2.5.

5.1. Attack mechanisms

In the initial stage, we identified 80 attack vectors from the literature. However, some of these contained duplicate entries with similar naming, which were removed. In addition, the attack vectors with the same semantics were combined and grouped together. This reduced the number of entries, which further simplified the classification. Finally, we ended up with a final set of 48 attack vectors.

In this context, the identified attacks were classified according to the Mechanisms of Attack: CAPEC-1000 [15] in order to provide a standardized classification of attack vectors in the automotive domain. The difference between Mechanisms of Attack: CAPEC-1000 and our taxonomy is that we link each attack vector to the specific category and omit all the categories that are not related to automotive engineering. The taxonomy, illustrated in Fig. 5, consists of three levels where the lowest levels are represented by specific attack vectors that we identified. The highest level consists of the following eight main categories with their respective sub-categories:

• Engage in Deceptive Interactions: Deception of the target by maliciously interacting in an attempt to convince them that they are communicating with the trusted entity. Includes: (a) Content Spoofing, (b) Abuse Existing Functionality and (c) Manipulation of Human Behavior.
• Abuse Existing Functionality: Manipulation of standard application functions in order to provide a functionality that was not originally designed. Includes: (a) Flooding, (b) Sustained Client Engagement and (c) Protocol Manipulation.
• Manipulate System Resources: Manipulation of system resources including the change of system's state in order to achieve a desired goal. Includes: (a) Software Integrity Attack, (b) Infrastructure Manipulation and (c) Obstruction.
• Inject Unexpected Items: Submission of crafted data using the interface for data input or remote execution of code on a target's system. Includes: (a) Traffic Injection, (b) Local Code Execution and (c) Code Inclusion.
• Employ Probabilistic Techniques: Application of probabilistic techniques in order to overcome security properties, whose strength is based on the mathematical probability.
• Manipulate Timing and State: Exploitation of a weakness related to application states or timing by disrupting the normal flow of processes.
• Collect and Analyze Information: Collection, gathering and theft of information by an adversary by employing an active querying as well as passive observation. Includes: (a) Interception, (b) Reverse Engineering and (c) Footprinting.
• Subvert Access Control: Exploitation of weaknesses related to management of identity, , access to resources and authorization of functionalities. Includes: (a) Exploiting Trust in Client, (b) Privilege Abuse and (c) Exploitation of Trusted Credentials.

However, the Manipulate Data Structures category was not included since none of the identified attack vectors were applicable to this category.

In addition, we present the occurrence of identified attack vectors in the systematic literature review. In Fig. 6, we illustrate the ten most appearing attacks. The most commonly identified attack vectors are: GPS Spoofing (11), Message Injection (11), Node Impersonation (10), Sybil (10), and Wormhole (10) attacks. In addition, we identified the following attack vectors: Network Flooding (9), Message Tampering (9), Replay (9), Black Hole (8), Channel Interference (8) attacks.

A detailed description of each attack vector according to mechanisms of attacks can be found in the Appendix A.

Fig. 7. Attack vectors per AUTOSAR layer.

5.2. Characteristics of attack vectors

In this subsection we present the answers to the second research question (RQ2) and corresponding sub-research questions (RQ2.1 to RQ2.5).


Fig. 8. Attack vectors per attack domain.

Fig. 10. Attack vectors per attack surface.

Fig. 9. Attack vectors per information security principle.

Fig. 11. Attack vectors per attacker profile attribute.

5.2.1. AUTOSAR Layers

In order to investigate how the identified attack vectors relate to the automotive architecture, we mapped them to the AUTOSAR layers. As depicted in Fig. 7, the Application (25) and Services (20) layers are affected by attacks to the highest degree. The identified attack vectors include replay (eq. [34]), channel interference (eq. [35]), and password/key (eq. [36]) attacks. Other layers, such as Microcontroller Abstraction (6), ECU Abstraction (5), Complex Drivers (5), and Runtime Environment (5), are less targeted by the identified attack vectors. The attacks that are most commonly applied to these layers are ECU tampering (eq. [37]), rogue software update (eq. [38]), and (eq. [39]) attacks. Regarding the Microcontroller layer (1), the only applicable attack is the side-channel attack [40].

Finally, we included a Not Applicable category, which includes the attack vectors that could not be applied to any of the layers of the AUTOSAR architecture. These include attack vectors that belong to the two following attack groups: Infrastructure manipulation (eq. [41,42]) and identity spoofing (eq. [34,43]).

5.2.2. Attack domains

As depicted in Fig. 8, a large number of attack vectors is part of the Communication (43) and Software (29) domain. This is due to many attacks being related to content spoofing, identity spoofing, flooding, infrastructure manipulation, obstruction, traffic injection, interception and footprinting. For example, a message injection attack includes arbitrary messages to the network or bus (eq. [18]). As a result, it is part of the communication and software domains because of its impact on both of them.

In comparison, the attacks that come from Hardware (14), Social Engineering (9), and Supply Chain (3) domains are infrequently applied. Finally, we identified only a single attack vector (key fob jamming) from the Physical Security domain. In this attack, an attacker attempts to jam and record key fob rolling codes in order to use them for unlocking a vehicle [11].

5.2.3. Information security principles

As depicted in Fig. 9, the most affected information security principles are Possession or Control (32) and Utility (30). This is due to the fact that multiple attack vectors are related to content spoofing (eq. [41]) or identity spoofing (eq. [42]). In addition, we identified various attacks affecting Availability (25), Integrity (25), Authenticity (24), and Confidentiality (18).

5.2.4. Attack surfaces

With regards to the attack surfaces, we differentiate between Close Proximity, Remote Access, and Physical Access. Fig. 10 illustrates the relation of identified attack vectors to these categories. The highest number (43%) of total identified attacks are applied via close proximity. This includes attacks over Bluetooth, sensors, and Wi-Fi. An example is an RKES attack, which targets remote keyless entry systems, such as the doors of a vehicle (eq. [36]). In addition, 41% of attack vectors are conducted using the remote access, such as GPS and mobile networks. For example, a radio signal jamming attack produces random noise in order to disrupt the genuine radio signal (eq. [39]). Finally, the lowest number of identified attack vectors (16%) are applied through the physical access by employing OBD ports, media systems, and the car's dashboard. This includes bus-off attacks, which generate or alter CAN frames to force errors on the CAN bus (eq. [44]).

5.2.5. Attacker profile

In order to map the identified attack vectors to an attacker profile, we investigated the following four dimensions: Membership, Objective, Activity, and Scope, which are illustrated in Fig. 11. In regards to the membership, internal attackers (38) are more common compared to the external attackers (27). Concerning the attacker's objective, malicious (37) attackers prevail over the rational ones (19). Active (43) attacks are more prevalent against passive (5) attacks. Finally, in the majority of cases, the attacker's scope is local (47). On the other hand, the extended scope (14), where an attacker controls entities over a broader range and across the network, is rarely applied.

6. Discussion

In the following section, we present our key findings and open challenges. In addition, we compare the proposed taxonomy of attack

mechanisms and the classification scheme to other taxonomies in the field. Furthermore, we discuss how the taxonomy can be applied for security testing. Finally, we consider possible threats to validity.

6.1. Key findings & interpretation

Our findings indicate that the most applied attack vectors identified in literature are GPS spoofing (eq. [34]), message injection (eq. [37]), node impersonation (eq. [41]), sybil (eq. [43]), and wormhole (eq. [45]) attacks. This is due to the large number of approaches aiming to disrupt vehicle services over the CAN network or the vehicle-to-vehicle (V2V) communication. Compared to other attack vectors such as ECU tampering or password/key attack, these attacks are considered to be less sophisticated. In addition, attacks such as sybil or wormhole can target more than one vehicle in the network.

Regarding the AUTOSAR layers, the identified attack vectors mostly affect the services and application layers. The reason behind this is that these two layers include various applications and provide network communication, memory services and program flow monitoring. As a result, they are the most common targets for attackers. Other layers such as microcontroller and complex drivers layers are more abstracted [2]. Thus, it is more difficult to apply attack vectors in order to disrupt their services. In addition, the services layer also provides vital functionalities for the vehicle such as operating system services, network communication and memory management. As a result, it is a common target for attackers due to the possibility of disabling the part or the whole system.

In regards to the affected attack domains, the communication and software domains are affected to a high extent. This observation is consistent with the classification of attack vectors to AUTOSAR layers, where services and application layers are impacted the most. On the other hand, the physical security domain is barely tackled by approaches. The reasons behind this might be that the attack vectors aiming to penetrate physical security are kept in secret in order to suppress the possible vehicle thefts.

With respect to the information security principles, the attacks aim to affect the possession or control, and utility information security attributes. The reason behind this might be that criminals attempt to take the control of a vehicle. Other information security principles, such as confidentiality, are presumably less targeted by adversaries because the financial gain they can obtain is very limited.

Concerning the attack surfaces, the majority of attack vectors are applied via close proximity or remote access. This corresponds with the time frame of this study (2014–2019) as we were only interested in the most recent approaches. Therefore, it is expected that the investigated approaches were only applied to the modern vehicles that contain multiple electronic components, which are usually accessed over the network. As a result, there are only a few attack vectors that require physical access (eq. [44]).

It is evident that multiple identified attack vectors could be applied outside of the automotive domain. The reasoning behind this is that a car is an embedded system connected to other entities, such as other vehicles, RSUs and data centers over multiple smaller networks. Hence, all attacks that are linked to the computer networks or network security domain can be applied to the automotive domain as well. However, we identified attacks, such as the illusion attack and the traffic control attack, which are automotive domain specific (see Appendix A).

According to the identified literature, there is a significant research focus on the application of . This can be seen from the work of Garip et al. in which they show that organizing compromised vehicles into botnets and disseminating false information is feasible [46]. In addition, they utilize surveillance attack based on these botnets to track vehicles and drivers [47]. Moreover, multiple approaches [9,48] attempt to apply a large set of different attack vectors including sensor spoofing, jamming, and audio attacks in order to target on-board sensors, cameras, and the voice recognition system of modern cars. This is achieved using basic experiments and simulations, which are later transformed into more comprehensive tests using real vehicles. Since the V2V technologies are developed only to an extent, the mentioned papers are limited to specific attack scenarios, which do not cover additional factors, such as message integrity checks and the information transmitted by RSUs. Nevertheless, they provide new knowledge and information relevant for future research in the security of autonomous and smart vehicles.

Aside from looking into attack vectors separately, chained attacks were also examined. For example, adversaries generate attacks that aim to track drivers or cars by obtaining location information, such as GPS coordinates. For that purpose, they combine trajectory tracking, location tracking, and ID disclosure attacks together with the eavesdropping attack ([49], [50], [47]). Furthermore, replay and key fob jamming attacks are applied together with channel interference, radio signal jamming, and Camera/Radar/LiDAR jamming attacks ([51], [6], [52]). To illustrate this, consider a radio signal jamming attack wherein a perpetrator attempts to reduce a signal-to-noise ratio in order to make it difficult to differentiate between a valid signal and a background noise. This is achieved by constantly replaying different signals that can cause interference with authorized communication [18]. Moreover, in a bus-off attack, an attacker injects purposely crafted messages in order to isolate a defective ECU by deceiving it to assume it is faulty [44]. This attack is often paired with the eavesdropping attack in order for an adversary to intercept the communication that goes over the CAN bus ([53], [54]). Another attack that can prevent communication between vehicles and obstruct traffic flow is a denial-of-service (DoS) attack. For example, this attack can cause a collision of vehicles since the warning mechanisms may never even activate. This can be achieved by chaining replay, jamming, interference, and bus-off attacks, thereby resulting in a complete shutdown of the vehicle system and communication [11].

Table 2
Mapping of top 12 attack vectors by Upstream Security to the proposed taxonomy of attack mechanisms.

| Attack vector (Upstream Security) | Mapping to proposed taxonomy of attack mechanisms |
|---|---|
| Keyless entry/key fob | Manipulate system resources→Obstruction→Key fob jamming attack |
| Servers | Abuse existing functionality→Flooding→Network flooding attack |
| Mobile app | Inject unexpected items→Local code execution→Malware attack |
| OBD port | Inject unexpected items→Traffic injection→Message injection attack |
| Infotainment | Engage in deceptive interactions→Content spoofing→Audio attack |
| Sensors | Engage in deceptive interactions→Content spoofing→Camera/Radar/LiDAR spoofing |
| Wifi | Engage in deceptive interactions→Identity spoofing→Node impersonation |
| ECU/TCU/GW | Manipulate system resources→Software integrity attack→ECU tampering |
| Bluetooth | Employ probabilistic techniques→Password/key attack |
| Cellular network | Subvert access control→Exploiting trust in client→Man-in-the-middle attack |
| OBD dongle | Abuse existing functionality→Sustained client engagement→Spamming attack |
| In-vehicle network | Collect and analyze information→Interception→ |

The proposed taxonomy of attack mechanisms as well as the classification scheme provide a valuable input for information security practitioners. These can be applied during the process of security testing for the validation purposes by considering attack vectors separately or crafting custom attack chains. In this context, the identified attack vectors can be easily linked to CVE entries, where the potential weaknesses and security issues can be highlighted. For example, the remote code execution attack is related to CVE-2019-12797, where an attacker executes arbitrary commands to an OBD-II bus of a vehicle. Furthermore, the taxonomy encompasses the relevant attacks described in


practice. For example, the "2020 Global Automotive Cyber Security Report" [55] by Upstream Security provides the list of the top 12 most common attack vectors on vehicles in practice from the years 2010–2020 (see Table 2). These were collected from various publicly-available online sources, while strongly focusing on the most recent security incidents. In order to verify that the provided attack vectors are covered by the proposed taxonomy, each attack vector was mapped to the respective entry in the taxonomy. In this context, a keyless entry/key fob attack vector can be mapped to the Manipulate system resources→Obstruction→Key fob jamming category, wherein an attacker interrupts the communication between the key fob and the vehicle by jamming a specific frequency. Likewise, a server attack can be mapped to the Abuse existing functionality→Flooding→Network flooding attack, in which an adversary sends a large number of messages to the server in order to disable its services as well as the communication to a legitimate vehicle. Similarly, it is possible to map sensor attacks to Engage in deceptive interactions→Content spoofing→Camera/Radar/LiDAR spoofing category, wherein an attacker attempts to obtain readings and falsify data from specific sensor devices that are installed in a vehicle. It is important to note that the mappings demonstrated in Table 2 are provided as a single example per category. Needless to say, there exist other mappings that would apply for the listed categories.

6.2. Open challenges

In addition to attack vectors, we also identified multiple security-related challenges and open issues in automotive engineering. These are often connected to self-adaptation techniques applied by vehicles, as well as the GPS communication and location tracking.

Modern vehicles that apply self-adaptation techniques could be targeted by utilizing new forms of attacks that can be applied to such systems [56]. As a result, it is necessary to dynamically adapt existing security features. For example, this can be done by applying cryptographic operations to hardware security modules or trusted platform modules [57]. In addition, an AI-based immune system is necessary, which could autonomously deal with threats and use intelligent techniques to prevent any unknown threats.

In some vehicles, global navigation satellite systems (GNSS) are crucial when it comes to positioning them on the map. The manipulation of such data could enact inaccurate maneuvers and jeopardize the lives of passengers. Multiple publications ([58], [6], [50], [59]) suggest that the more innovative protective measures against location/trajectory tracking attacks are needed. More specifically, it is necessary to improve securing GPS signals as well as to identify GPS spoofing and fake message injection. For instance, this can be achieved by using improved cryptographic approaches in order to preserve the location privacy of vehicles.

Moreover, we identified additional open issues that include developing countermeasures against the attacks targeting the CAN scheme [40], improvement of secure routing protocols [39], prevention of malicious in ECUs/CAN bus [60], consideration of bus-off attacks early in the design phase [44], enhancement of remote keyless systems [61] and consideration of attacks on platooning systems that can cause more damage [46].

6.3. Comparison of taxonomies

In this section, we compare our taxonomy and classification scheme to taxonomies proposed by Sommer et al. [10] and Thing et al. [11] (see Table 3). These are the only two taxonomies of attacks for the automotive domain that were identified.

The major difference between the taxonomies is in the attack data that was used for the classification. Sommer et al. gathered attack vectors from vulnerability databases (VDB), while Thing et al. did not specify where the data was obtained. We assume that Thing et al. used attack categories that were familiar to the authors. Contrarily, we collected attack vectors from the systematic literature review (SLR).

Another significant difference is that Sommer et al. and Thing et al. do not relate their attack vector collection to any of the automotive architectures. Instead Sommer et al. provide a mapping to the tool list for the offensive security. However, this list contains also tools that are not related to the automotive domain. On the other hand, we provide the mapping to the layers of the AUTOSAR architecture. This provides security researchers and experts with the knowledge regarding which attack vectors are applicable for specific layers.

Furthermore, we present all the identified attacks according to the mechanisms of attacks by CAPEC. For that purpose, we provide multi-level classification, as well as the detailed description of every attack vector. However, Sommer et al. classify their attacks in compliance with STRIDE classification by Microsoft, while Thing et al. provide classification according to access types.

In regards to the information security principles, Sommer et al. consider the CIA triad, while we address the Parkerian hexad as a more detailed model. Thing et al. do not discuss any information security principles. With respect to the attacker profile, Thing et al. only differentiate between the most general categories such as thieves, terrorists, spies and hacktivists. However, we address multiple dimensions such as the attacker's membership, objective, activity and scope.

Finally, our classification categorizes attack vectors according to different attack domains, while Sommer et al. and Thing et al. do not address this dimension. In regards to all aforementioned classification criteria, we consider our classification to be more thorough due to the higher number of dimensions as well as the proposed taxonomy of attack mechanisms.

Table 3
Comparison of taxonomies.

| Criteria \ Taxonomies | [10] | [11] | Our paper |
|---|---|---|---|
| Classification data | VDB | N/A | SLR |
| Automotive architectures | ⨯ | ⨯ | ✓ |
| Attack mechanisms | ⨯ | ⨯ | ✓ |
| Attack surfaces | ✓ | ✓ | ✓ |
| Information security principles | ✓ | ⨯ | ✓ |
| Attacker profile | ⨯ | ✓ | ✓ |
| Attack domain | ⨯ | ⨯ | ✓ |

Table 4
Attack vectors per security testing technique.

| Attack vectors \ Security testing techniques | MB | CB | PTDA | RT | RB |
|---|---|---|---|---|---|
| Engage in Deceptive Interactions | 3 | 0 | 12 | 0 | 5 |
| Abuse Existing Functionality | 0 | 0 | 5 | 0 | 0 |
| Manipulate System Resources | 2 | 0 | 16 | 0 | 3 |
| Inject Unexpected Items | 1 | 0 | 4 | 0 | 1 |
| Employ Probabilistic Techniques | 0 | 0 | 2 | 0 | 0 |
| Manipulate Timing and State | 0 | 0 | 1 | 0 | 0 |
| Collect and Analyze Information | 1 | 0 | 5 | 0 | 2 |
| Subvert Access Control | 0 | 0 | 3 | 0 | 1 |

MB = Model-based Testing, CB = Code-based Testing, PT = Penetration Testing and Dynamic Analysis, RT = Regression Testing, RB = Risk-based Testing

6.4. Application of the taxonomy for security testing

This paper is related to our previous study on security testing techniques in automotive engineering [2]. We performed a systematic mapping study, where we investigated the following five dimensions: (1) security testing techniques, (2) AUTOSAR layers, (3) functional interfaces of AUTOSAR, (4) vehicle lifecycle phases, and (5) attacks. This involved classifying 39 selected publications based on the

aforementioned dimensions. The results indicated a high number of penetration testing and dynamic analysis, and model-based testing approaches addressing the application and services layer of the AUTOSAR architecture in the design, production, and operation phase of the vehicle lifecycle. In order to accomplish this, attacks are applied aiming to disrupt privacy and availability using the multimedia/ functional interface. In addition, we indicated the need for methods addressing security testing approaches combined with the consideration of safety aspects.

The developed taxonomy of attack mechanisms can be used to guide security testing in the automotive domain. For that purpose, we discuss different security testing techniques [62] and relate them to identified attack vectors (see Table 4). The emphasis is on penetration testing and dynamic analysis, which can be applied to each identified attack vector. Moreover, specific attack vectors that engage in deceptive interactions, manipulate system resources, inject unexpected items, and collect and analyze information can be tested using model-based testing [63]. Besides the previously mentioned attack vectors, risk-based testing [64] can be applied by employing subvert access control. Finally, attacks that utilize probabilistic techniques and manipulate timing and state can only be tested by penetration testing and dynamic analysis.

Therefore, when performing security testing by applying attack vectors, penetration testing and dynamic analysis should be the leading choice for security testers in the automotive domain. In this regard, it is still possible to apply other testing techniques such as model-based and risk-based testing. However, they may not be applicable with all attack vectors, such as the ones dealing with subvert access control, manipulation of timing and state, and collection and analysis of information.

6.5. Threats to validity

Throughout the research process, we took into account possible threats to validity and minimized them. According to Petersen and Gencel [65], we distinguished between descriptive validity, theoretical validity, generalizability, interpretive validity and repeatability.

Descriptive validity: The taxonomy of attack mechanisms and the classification scheme were developed first and then used to classify all the identified attack vectors. Using the taxonomy and the classification scheme, it is possible to replicate the result set at any time. Additionally, multiple dimensions were obtained from the existing literature.

Theoretical validity: In order to prevent the overlooking of relevant publications, the keyword search was applied, wherein multiple publication search engines were considered. There is a risk that some papers were missed due to application of the specific search string. This was addressed by applying forward and backward snowballing iterations. Since the focus of the study was on the time period from year 2014–2019, some relevant papers written by S. Chechovay ([66], [67]) and T. Hoppe ([68], [69], [70], [71]) were not included in the final set of papers. However, the attack vectors described within these publications are covered in the proposed taxonomy of attack mechanisms. These include: over the OBD port and ECU, eavesdropping, CAN packet , DDoS attacks, reverse engineering, and malware attacks, such as using trojans against electronic throttle control. Furthermore, there is a risk that the selection and extraction processes are biased. In order to counter that, a cross-validation approach was applied in which the classification of each attack vector was verified by at least two authors. In the case of any difference of opinion, a majority vote was taken and the papers were re-classified. Moreover, there is a chance that we misunderstood some activities within the investigated approaches. This especially relates to AUTOSAR layers and security testing techniques because classifying these is highly complex due to the fact that the information has to be taken out of context. As a result, it is important to take a researcher bias into consideration. In order to counteract this, each contributor classified a subset of publications which intersected with a set from another contributor. In a case of any discrepancies, they were thoroughly discussed and re-classified. Finally, this study has a strong focus on the AUTOSAR architecture and it might not be applicable to automotive industries that do not accept AUTOSAR as a de-facto standard.

Generalizability: The results of this study can be generalized solely to the automotive domain and the corresponding attack vectors. Thus, it is not possible to utilize them within any other domain. However, the approach for the development of the taxonomy and the classification scheme can be applied to other domains and we consider it as a future research. In addition, this study has a strong scientific literature focus. Compared to the gray literature, which contains various claims, we only analyze papers that include evaluated work. Nevertheless, papers still discuss the application of identified attack vectors in practice.

Interpretive validity: The classification results were interpreted by all four authors. In this regard, we discussed any disagreement and applied statistical tools to study the results. However, there is a probability that the resulting interpretation was influenced by a researcher bias.

Repeatability: The full procedure of this study was documented in detail. This is described in the methodology section (see Section 4). In addition, the existing guidelines were applied according to [31], [32] and [65]. Therefore, it should be possible to replicate the procedure and perform an equivalent study.

7. Conclusion

In this paper, we classified and analyzed attack vectors in the automotive domain. In this regard, we conducted a systematic literature review in which 48 different attack vectors were identified. In order to classify them, we developed a taxonomy wherein each attack vector was related to a specific CAPEC attack mechanism. In addition, we built a classification scheme and investigated the following five dimensions: (1) AUTOSAR layers, (2) attack domains, (3) information security attributes, (4) attack surfaces, and (5) attacker profile. As for the next step, we classified the selected attacks according to the aforementioned dimensions. The results showed that the most applied attack vectors are GPS spoofing, message injection, masquerade, sybil, and wormhole attacks, which are mostly applied to the application and services layers of the AUTOSAR architecture. Furthermore, the majority of attacks are applied via close proximity and remote access by affecting utility, and possession and control information security principles. The presented results were obtained by examining how many times each attack vector appeared in the literature. As a result, it can be seen that there is a significant academic and research interest in this area. Future work comprises applying and refining the presented taxonomy of attack mechanisms in case studies as well as the development of the taxonomy for attack mitigation approaches.

CRediT authorship contribution statement

Irdin Pekaric: Conceptualization, Data curation, Formal analysis, Investigation, Methodology, Writing - original draft, Visualization, Writing - review & editing. Clemens Sauerwein: Supervision, Methodology, Writing - review & editing, Formal analysis, Conceptualization. Stefan Haselwanter: Data curation, Investigation, Visualization, Writing - original draft, Writing - review & editing. Michael Felderer: Conceptualization, Methodology, Supervision, Validation, Writing - review & editing, Formal analysis.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
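Sections 5.2.4 and 6.1 describe the bus-off attack as forcing errors on the CAN bus until an ECU assumes it is faulty; the mechanism behind that is CAN fault confinement, which a dynamic-analysis test bench can model in order to flag suspicious bus-off events. The following Python code is an added example, not taken from the paper or its cited works: the event format, the node names, the `SUSPICIOUS_STREAK` threshold and the verdict heuristic are assumptions, and all traces are constructed.

```python
from dataclasses import dataclass, field

# CAN fault confinement (ISO 11898-1): a failed transmission adds 8 to the
# sender's transmit error counter (TEC); a successful one subtracts 1.
TX_ERROR_STEP, TX_OK_STEP = 8, 1
ERROR_PASSIVE_AT, BUS_OFF_AT = 128, 256
# Assumption: constructed threshold for an unbroken run of failed transmissions.
SUSPICIOUS_STREAK = 16


@dataclass
class Node:
    tec: int = 0
    state: str = "error-active"
    streak: int = 0            # consecutive failed transmissions
    streak_start: int = 0      # timestamp of the first failure in the streak
    streak_ids: set = field(default_factory=set)


def classify(tec):
    if tec >= BUS_OFF_AT:
        return "bus-off"
    if tec >= ERROR_PASSIVE_AT:
        return "error-passive"
    return "error-active"


def assess(name, node, now, events):
    """Heuristic (assumption): one node failing on one CAN ID while its peers
    keep transmitting cleanly points to a targeted bus-off, not a bus fault."""
    peers = [o for t, n, _, o in events
             if n != name and node.streak_start <= t <= now]
    targeted = (node.streak >= SUSPICIOUS_STREAK
                and len(node.streak_ids) == 1
                and peers.count("ok") > 0
                and peers.count("tx_error") == 0)
    verdict = "suspected bus-off attack" if targeted else "likely genuine fault"
    return {"node": name, "time": now, "streak": node.streak,
            "can_ids": sorted(node.streak_ids), "verdict": verdict}


def run_monitor(events):
    """events: (timestamp, node, can_id, 'ok' | 'tx_error') in time order."""
    nodes, findings = {}, []
    for ts, name, can_id, outcome in events:
        node = nodes.setdefault(name, Node())
        if node.state == "bus-off":
            continue               # a bus-off node has left the bus
        if outcome == "tx_error":
            if node.streak == 0:
                node.streak_start, node.streak_ids = ts, set()
            node.streak += 1
            node.streak_ids.add(can_id)
            node.tec += TX_ERROR_STEP
        else:
            node.streak = 0
            node.tec = max(0, node.tec - TX_OK_STEP)
        node.state = classify(node.tec)
        if node.state == "bus-off":
            findings.append(assess(name, node, ts, events))
    return nodes, findings


def constructed_targeted_trace():
    """Constructed: ECU_A fails 32 times on ID 0x123 while ECU_B is fine."""
    events, t = [], 0
    for _ in range(5):
        events += [(t, "ECU_A", 0x123, "ok"), (t + 1, "ECU_B", 0x200, "ok")]
        t += 2
    for i in range(32):
        events.append((t, "ECU_A", 0x123, "tx_error"))
        t += 1
        if i % 4 == 0:
            events.append((t, "ECU_B", 0x200, "ok"))
            t += 1
    return events


def constructed_wiring_fault_trace():
    """Constructed: two nodes fail alternately, as with a damaged bus line."""
    return [(2 * i + k, node, can_id, "tx_error") for i in range(32)
            for k, (node, can_id) in enumerate([("ECU_C", 0x300), ("ECU_D", 0x310)])]


def constructed_sporadic_trace():
    """Constructed: one failure in every ten frames never reaches bus-off."""
    events, t = [], 0
    for _ in range(50):
        for outcome in ["tx_error"] + ["ok"] * 9:
            events.append((t, "ECU_E", 0x400, outcome))
            t += 1
    return events


if __name__ == "__main__":
    for trace in (constructed_targeted_trace, constructed_wiring_fault_trace,
                  constructed_sporadic_trace):
        print(trace.__name__, run_monitor(trace())[1])
```

The model covers only the transmit error counter; bus-off recovery and the receive error counter are left out.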


Table A1
Attack vectors by references.

| Attack Vector | References |
|---|---|
| Engage in deceptive interactions | |
| Message tampering attack | [11,34,42,45,56,57,60,72,73] |
| Audio attack | [48,74] |
| Replay attack | [6,34,41,45,56,57,60,75,76] |
| GPS spoofing | [5,11,20,34,38,41,42,45,52,56,57] |
| GPS time spoofing | [77] |
| Camera/Radar/LIDAR spoofing | [6,9,11] |
| Sybil attack | [20,34,41–43,45,56,57,76,77] |
| Falsified entities attack | [34,57] |
| Node impersonation | [20,34,41–43,45,56,57,60,76] |
| Repudiation attack | [39,43,78] |
| Key/Certificate replication | [34,42,57] |
| Illusion attack | [20,41,45,57] |
| Abuse existing functionality | |
| Network flooding attack | [34,39,41,42,57,60,78–80] |
| Routing table overflow | [39] |
| Bus-off attack | [44,53,54] |
| Spamming attack | [20,34,42,56,57] |
| TCP ACK storm | [39] |
| Manipulate system resources | |
| ECU tampering | [11,37,43,81,82] |
| Rogue software update | [38,60,72,82] |
| Map database poisoning | [34,57] |
| Traffic control attack | [8,59,83] |
| Routing request modification | [45] |
| Routing cache poisoning | [39] |
| Black hole attack | [20,39,41,42,56,57,76,78] |
| Gray hole attack | [20,42,56,57,76,78] |
| Wormhole attack | [20,34,39,41–43,45,57,76,78] |
| Byzantine attack | [39] |
| Rushing attack | [39] |
| Channel interference attack | [35,45,56,57,72,77,78,80] |
| GPS jamming | [38] |
| Camera/Radar/LiDAR jamming | [6,9,11,34,38] |
| Radio signal jamming | [39,41] |
| Key fob jamming | [11,61] |
| Inject unexpected items | |
| Message injection attack | [37,38,44,60,72,73,82,84–87] |
| Message fabrication attack | [34,42,43,45,46,57] |
| Malware attack | [20,34,39,43,57,60,75] |
| Remote code execution | [37,82] |
| Employ probabilistic techniques | |
| Packet fuzzing | [11,43,88] |
| Password/Key attack | [36,38,39,50,57,81] |
| Manipulate timing and state | |
| Timing attack | [20,34,56,57,76] |
| Collect and analyze information | |
| Eavesdropping | [41,45,60,72,75,82,87] |
| Side-channel attack | [11,40,43] |
| ID disclosure attack | [20,43,47,56] |
| Location tracking attack | [39,42,50,57,76] |
| Trajectory tracking attack | [47,49,51,58] |
| Subvert access control | |
| Man-in-the-middle attack | [20,35,42,43,57] |
| Man-at-the-end attack | [43] |
| Session hijacking | [39,76,78] |

Acknowledgment

This work was partially supported by the Austrian Science Fund (FWF): I 4701-N.

Appendix A. Appendix

In the following section, we list all the identified attack vectors according to the Mechanisms of Attack: CAPEC-1000 [15] (see Table A.5). In addition, we provide a brief description of each identified attack vector.

1. Engage in deceptive interactions
  (a) Content spoofing:
    • Message tampering attack: Delete or alter data content to send false messages; modify data content to send malicious messages as legitimate.
    • Audio attack: Use inaudible voice commands to control the speech recognition system of a vehicle (e.g., navigation system)
    • Replay attack: Repeat sending signals which happened in the past and did not expire; relay genuine signal (e.g., LIDAR signal) from one location to create fake echoes at another location.
    • GPS spoofing: Gradually provide false position information to other vehicles/RSUs by overpowering the authentic and genuine signal, e.g., to lure vehicles to a different location.
    • GPS time spoofing: Send outdated or future time information along with the GPS data to manipulate the time synchronization mechanisms of location-based systems or RSUs.
    • Camera/Radar/LIDAR spoofing: Create fake objects at different locations.
  (b) Identity spoofing:
    • Sybil attack: Transmit various false messages with multiple fake or stolen identities to other nodes.
    • Falsified entities attack: Obtain a valid network identifier (e.g., certificate of vehicle or RSU) and pass for another legitimate node.
    • Node impersonation: Pretend to be another legitimately authenticated node and send fake or harmful messages, e.g., act as an emergency or police car to benefit movement; variant of Sybil attack.
    • Repudiation attack: Deny that malicious messages were sent by the attacker.
    • Key/Certificate replication: Claim a legitimate identity with duplicate keys or certificates.
  (c) Manipulation of human behavior:
    • Illusion attack: Purposefully deceive own car sensors to disseminate false information and create a suitable traffic situation which affects the behavior of the other drivers.
2. Abuse existing functionality:
  (a) Flooding:
    • Network flooding attack: Flood the communication channel with huge volume of messages to exhaust network resources such as bandwidth, CPU, power, etc.
    • Routing table overflow: Send extreme routes (e.g., routes to non-existing nodes) to overflow the routing tables.
  (b) Sustained client engagement:
    • Bus-off attack: Generate or alter CAN frames to force errors on bus, and ECUs continuously entering the bus-off mode.
    • Spamming attack: Send unsolicited bulk messages to consume network bandwidth and increase the transmission delay.
  (c) Protocol manipulation:
    • TCP ACK storm: Force continuous ACKs and re-synchronization of the TCP connection between two other nodes.
3. Manipulate system resources:
  (a) Software integrity attack:
    • ECU tampering: Disassemble binaries, change program code or system configuration, modify update scripts to bypass integrity checks.
    • Rogue software update: Update an ECU with a modified, malicious, or vulnerable software not produced by the manufacturer, e.g., by employing Firmware-update-over-the-air (FOTA).
    • Map database poisoning: Send malicious messages to impact accuracy of local map database of vehicles.
  (b) Infrastructure manipulation:
    • Traffic control attack: Compromise command center, roadside controllers/sensors (e.g., loop detector, ramp meter), or car

12 I. Pekaric et al. Computer Standards & Interfaces 78 (2021) 103539

software and disseminate false information, e.g., to mislead • Eavesdropping: Steal personal data or network information to vehicles to exit current road, or to create undesirable wave gather knowledge about the vehicle, network, and communi­ effects (shock waves, traffic jams, stop-and-go traffic, pile-up cation patterns between nodes. crashes). (b) Reverse engineering: • Routing request modification: Modify the routing information or • Side-channel attack: Retrieve useful information through change the number of hops in forwarding routing requests to alternative paths by analysing power consumption, electro­ delay the packet delivery. magnetic leaks, acoustic signals, timing information, transient • Routing cache poisoning: Broadcast spoofed packets containing characteristics, data remanence, etc. routes to one or more malicious nodes which are stored to the (c) Footprinting: other nodes’ route caches. • ID disclosure attack: Obtain the identity of a node for tracking. • Black hole attack: Advertise having the best route to a desti­ • Location tracking attack: Illegitimately obtain the location in­ nation, consume, and never forward arriving packets. formation or track the location of a vehicle or driver. • Gray hole attack: Only suppress or modify packets originating • Trajectory tracking attack: Continuously track a vehicle’s tra­ from some nodes, while leaving data from other nodes unaf­ jectory or recover the trajectory from location samples. fected; variant of Black Hole Attack; 8. Subvert access control: • Wormhole attack: Transmit packets received at one region to (a) Exploiting trust in client: another region of the network to confuse routing mechanisms, • Man-in-the-middle attack: Eavesdrop and modify the commu­ e.g., two or more malicious vehicles make routing protocols nication between two nodes that assume they directly prefer communication link between them as the best route to communicate with each other. any destination. 
(b) Privilege abuse: • Byzantine attack: Create routing loops, forwards packets in a • Man-at-the-end attack: Abuse privileges to eavesdrop the long route instead of the optimal one and drops packets. communication channel and inject new messages but not • Rushing attack: Forward route requests more quickly than modify or delete other messages. legitimate nodes to increase the probability that the routes (c) Exploitation of trusted credentials: including the attacker will be discovered rather than other • Session hijacking: Sniff necessary information from the valid routes. communication between two other nodes and take over the (c) Obstruction: established session. • Channel interference attack: Emit an illegitimate interference signal or message to disrupt or occupy the communication channel, e.g., constantly send top-most priority messages. References • GPS jamming: Disrupt the GPS signal, e.g., radio noise on GPS frequency. [1] Michael Wood, Safety First for Automated Driving (SaFAD), 2019, https://www. • daimler.com/documents/innovation/other/safety-first-for-automated-driving.pdf. Camera/Radar/LIDAR jamming: Use reflectivematerial or light Accessed: 2020-07-05. sources to interfere with sensors, e.g., blind cameras, block [2] I. Pekaric, C. Sauerwein, M. Felderer, Applying security testing techniques to sight of sensors. automotive engineering. Proceedings of the 14th International Conference on • Availability, Reliability and Security, ACM, 2019, p. 61. Radio signal jamming: Disrupt the radio signal, e.g., generate [3] N. Lu, N. Cheng, N. Zhang, X. Shen, J.W. Mark, Connected vehicles: solutions and pulse or random noise. challenges, IEEE Internet Things J. 1 (4) (2014) 289–299. • Key fob jamming: Jam and record key fob rolling codes. [4] R. Warschofsky, Autosar software architecture, Hasso-Plattner-Institute für 4. Inject unexpected items: Softwaresystemtechnik, Potsdam (2009). [5] K.C. Zeng, Y. Shu, S. Liu, Y. Dou, Y. 
Yang, A practical gps location (a) Traffic injection: in road navigation scenario. Proceedings of the 18th International Workshop on • Message injection attack: Inject arbitrary messages to the Mobile Computing Systems and Applications, in: HotMobile ’17, ACM, New York, – network or bus. NY, USA, 2017, pp. 85 90, https://doi.org/10.1145/3032970.3032983. • [6] J. Petit, B. Stottelaar, M. Feiri, F. Kargl, Remote attacks on automated vehicles Message fabrication attack: Create and send false messages with sensors: experiments on camera and lidar, Black Hat Europe 11 (2015) 2015. selfish and/or malicious intent, without any meaning, or un­ [7] C. Sitawarin, A.N. Bhagoji, A. Mosenia, M. Chiang, P. Mittal, Darts: deceiving true reports, e.g., false congestion information. autonomous cars with toxic signs, arXiv preprint arXiv:1802.06430 (2018). [8] J. Reilly, S. Martin, M. Payer, A.M. Bayen, Creating complex congestion patterns (b) Local code execution: via multi-objective optimal freeway traffic control with application to cyber- • Malware attack: Employ or install hostile, intrusive, or mali­ security, Transportation Research Part B: Methodological 91 (2016) 366–382, cious software (e.g., trojan, , , worm) or https://doi.org/10.1016/j.trb.2016.05.017. [9] C. Yan, W. Xu, J. Liu, Can you trust autonomous vehicles: contactless attacks smartphone app (e.g., self-diagnostic app). against sensors of self-driving vehicle, DEF CON 24 (2016). (c) Code inclusion: [10] F. Sommer, J. Dürrwang, R. Kriesten, Survey and classification of automotive • Remote code execution: Exploit vulnerabilities in software security attacks, Information 10 (4) (2019) 148. [11] V.L.L. Thing, J. Wu, Autonomous vehicle security: A taxonomy of attacks and components (e.g., web browser, operating system) to remotely defences. 
2016 IEEE International Conference on (iThings) and access the target system or execute arbitrary code on the target IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical system. and Social Computing (CPSCom) and IEEE Smart Data (SmartData), 2016, – 5. Employ probabilistic techniques: pp. 164 170, https://doi.org/10.1109/iThings-GreenCom-CPSCom- SmartData.2016.52. • Packet fuzzing: Send invalid data to an ECU to trigger error con­ [12] B. Kitchenham, O.P. Brereton, D. Budgen, M. Turner, J. Bailey, S. Linkman, ditions or faults leading to exploits and other vulnerabilities. Systematic literature reviews in software engineering–a systematic literature – • Password/Key attack: Find passcodes, keys, or other secrets to grant review, Inf Softw Technol 51 (1) (2009) 7 15. [13] M. Morana, S. Nusbaum, Input Validation Vulnerabilities, Encoded Attack Vectors access and authorization, e.g., recover keys by performing brute- and Mitigations, 2008. force, dictionary, or rainbow table attack. [14] AUTOSAR GbR, Technical Overview. Technical Report, 2008. 6. Manipulate timing and state: [15] T.M. Corporation, CAPEC-1000: Mechanisms of Attack, Last accessed on • September 1, 2019. Timing attack: Delay transmission of high-priority, emergency, or [16] J. Andress, The basics of information security: understanding the fundamentals of safety-critical messages. infosec in theory and practice, Syngress, 2014. 7. Collect and analyze information: [17] R. Piggin, H. Boyes, Safety and Security-a Story of Interdependence, 2015. [18] S. Parkinson, P. Ward, K. Wilson, J. Miller, Cyber threats facing autonomous and (a) Interception: connected vehicles: future challenges, IEEE Trans. Intell. Transp. Syst. 18 (11) (2017) 2898–2915, https://doi.org/10.1109/TITS.2017.2665968.


[19] J. Petit, S.E. Shladover, Potential cyberattacks on automated vehicles, IEEE Trans. Intell. Transp. Syst. 16 (2) (2014) 546–556.
[20] V.H. La, A.R. Cavalli, Security attacks and solutions in Vehicular Ad Hoc Networks: a survey, International journal on AdHoc networking systems (IJANS) 4 (2) (2014) 1–20, https://doi.org/10.5121/ijans.2014.4201.
[21] I.A. Sumra, H.B. Hasbullah, I. Ahmad, D.M. Alghazzawi, et al., Classification of attacks in vehicular Ad Hoc network (vanet), International Information Institute (Tokyo). Information 16 (5) (2013) 2995.
[22] B. Sheehan, F. Murphy, M. Mullins, C. Ryan, Connected and autonomous vehicles: a cyber-risk classification framework, Transportation Research Part A: Policy and Practice 124 (2019) 523–536.
[23] F. Ahmad, A. Adnane, V.N. Franqueira, A Systematic Approach for Cyber Security in Vehicular Networks, 2016.
[24] J.-Y. Lai, J.-S. Wu, S.-J. Chen, C.-H. Wu, C.-H. Yang, Designing a taxonomy of web attacks. 2008 International Conference on Convergence and Hybrid Information Technology, IEEE, 2008, pp. 278–282.
[25] N.V. Julia Dotter, K.-K.R. Choo, Cloud attack and risk assessment taxonomy, IEEE Cloud Comput. 2 (1) (2015) 14–20.
[26] N. Gruschka, M. Jensen, Attack surfaces: A taxonomy for attacks on cloud services. 2010 IEEE 3rd international conference on cloud computing, IEEE, 2010, pp. 276–279.
[27] C. Simmons, C. Ellis, S. Shiva, D. Dasgupta, Q. Wu, Avoidit: A cyber attack taxonomy. 9th Annual Symposium on Information Assurance (ASIA14), 2014, pp. 2–12.
[28] D. Papp, Z. Ma, L. Buttyan, Embedded systems security: Threats, vulnerabilities, and attack taxonomy. 2015 13th Annual Conference on Privacy, Security and Trust (PST), IEEE, 2015, pp. 145–152.
[29] C. Joshi, U.K. Singh, Admit-a five dimensional approach towards standardization of network and computer attack taxonomies, Int J Comput Appl 100 (5) (2014) 30–36.
[30] R. Hunt, J. Slay, A new approach to developing attack taxonomies for network security-including case studies. 2011 17th IEEE International Conference on Networks, IEEE, 2011, pp. 281–286.
[31] C. Wohlin, Guidelines for snowballing in systematic literature studies and a replication in software engineering. Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering, Citeseer, 2014, p. 38.
[32] M. Usman, R. Britto, J. Börstler, E. Mendes, Taxonomies in software engineering: a systematic mapping study and a revised taxonomy development method, Inf Softw Technol 85 (2017) 43–59.
[33] T.M. Corporation, CAPEC-3000: Domains of Attack, https://capec.mitre.org/data/definitions/3000.html. Accessed: 2019-08-11.
[34] J. Cui, L.S. Liew, G. Sabaliauskaite, F. Zhou, A review on safety failures, security attacks, and available countermeasures for autonomous vehicles, Ad Hoc Netw 90 (2019) 101823, https://doi.org/10.1016/j.adhoc.2018.12.006. Recent advances on security and privacy in Intelligent Transportation Systems
[35] A. Yang, J. Weng, N. Cheng, J. Ni, X. Lin, X. Shen, Deqos attack: degrading quality of service in vanets and its mitigation, IEEE Trans. Veh. Technol. 68 (5) (2019) 4834–4845, https://doi.org/10.1109/TVT.2019.2905522.
[36] F.D. Garcia, D. Oswald, T. Kasper, P. Pavlidès, Lock it and still lose it —on the (in)security of automotive remote keyless entry systems. 25th USENIX Security Symposium (USENIX Security 16), USENIX Association, Austin, TX, 2016.
[37] C. Miller, C. Valasek, Remote exploitation of an unaltered passenger vehicle, Black Hat USA 2015 (2015) 91.
[38] S. Parkinson, P. Ward, K. Wilson, J. Miller, Cyber threats facing autonomous and connected vehicles: future challenges, IEEE Trans. Intell. Transp. Syst. 18 (11) (2017) 2898–2915, https://doi.org/10.1109/TITS.2017.2665968.
[39] B. Mokhtar, M. Azab, Survey on security issues in vehicular ad hoc networks, Alexandria Engineering Journal 54 (4) (2015) 1115–1126, https://doi.org/10.1016/j.aej.2015.07.011.
[40] S. Jain, Q. Wang, M.T. Arafin, J. Guajardo, Probing attacks on physical layer key agreement for automotive controller area networks. 2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), 2018, pp. 7–12, https://doi.org/10.1109/AsianHOST.2018.8607166.
[41] F. Sakiz, S. Sen, A survey of attacks and detection mechanisms on intelligent transportation systems: vanets and iov, Ad Hoc Netw 61 (2017) 33–50, https://doi.org/10.1016/j.adhoc.2017.03.006.
[42] M. Buinevich, A. Vladyko, Forecasting issues of wireless communication networks cyber resilience for an intelligent transportation system: an overview of cyber attacks, Information 10 (1) (2019), https://doi.org/10.3390/info10010027.
[43] E.G. AbdAllah, M. Zulkernine, Y.X. Gu, C. Liem, Towards defending connected vehicles against attacks. Proceedings of the Fifth European Conference on the Engineering of Computer-Based Systems, in: ECBS ’17, ACM, New York, NY, USA, 2017, pp. 9:1–9:9, https://doi.org/10.1145/3123779.3123794.
[44] K.-T. Cho, K.G. Shin, Error handling of in-vehicle networks makes them vulnerable. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, in: CCS ’16, ACM, New York, NY, USA, 2016, pp. 1044–1055, https://doi.org/10.1145/2976749.2978302.
[45] Y. Sun, L. Wu, S. Wu, S. Li, T. Zhang, L. Zhang, J. Xu, Y. Xiong, X. Cui, Attacks and countermeasures in the , Ann. Telecommun. 72 (5) (2017) 283–295, https://doi.org/10.1007/s12243-016-0551-6.
[46] M.T. Garip, M.E. Gursoy, P. Reiher, M. Gerla, Congestion attacks to autonomous cars using vehicular botnets. NDSS Workshop on Security of Emerging Networking Technologies (SENT), San Diego, CA, 2015.
[47] M.T. Garip, P. Reiher, M. Gerla, Botveillance: A vehicular botnet surveillance attack against pseudonymous systems in vanets. 2018 11th IFIP Wireless and Mobile Networking Conference (WMNC), 2018, pp. 1–8, https://doi.org/10.23919/WMNC.2018.8480909.
[48] G. Zhang, C. Yan, X. Ji, T. Zhang, T. Zhang, W. Xu, Dolphinattack: Inaudible voice commands. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, in: CCS ’17, ACM, New York, NY, USA, 2017, pp. 103–117, https://doi.org/10.1145/3133956.3134052.
[49] A. Banihani, A. Alzahrani, R. Alharthi, H. Fu, G.P. Corser, T-paad: Trajectory privacy attack on autonomous driving. 2018 IEEE Conference on Communications and Network Security (CNS), 2018, pp. 1–2, https://doi.org/10.1109/CNS.2018.8433168.
[50] B. Bloessl, C. Sommer, F. Dressier, D. Eckhoff, The scrambler attack: A robust physical layer attack on location privacy in vehicular networks. 2015 International Conference on Computing, Networking and Communications (ICNC), 2015, pp. 395–400, https://doi.org/10.1109/ICCNC.2015.7069376.
[51] C. Lin, K. Liu, B. Xu, J. Deng, C.W. Yu, G. Wu, Vclt: An accurate trajectory tracking attack based on crowdsourcing in vanets, in: G. Wang, A. Zomaya, G. Martinez, K. Li (Eds.), Algorithms and Architectures for Parallel Processing, Springer International Publishing, Cham, 2015, pp. 297–310.
[52] K.C. Zeng, S. Liu, Y. Shu, D. Wang, H. Li, Y. Dou, G. Wang, Y. Yang, All your GPS are belong to us: Towards stealthy manipulation of road navigation systems. 27th USENIX Security Symposium (USENIX Security 18), 2018, pp. 1527–1544.
[53] M. Bozdal, M. Randa, M. Samie, I. Jennions, Hardware trojan enabled denial of service attack on , Procedia Manuf. 16 (2018) 47–52, https://doi.org/10.1016/j.promfg.2018.10.158. Proceedings of the 7th International Conference on Through-life Engineering Services
[54] A. Palanca, E. Evenchick, F. Maggi, S. Zanero, A stealth, selective, link-layer denial-of-service attack against automotive networks, in: M. Polychronakis, M. Meier (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment, Springer International Publishing, Cham, 2017, pp. 185–206.
[55] Upstream security: 2020 global automotive cyber security report, Network Security 2020 (1) (2020) 4, https://doi.org/10.1016/S1353-4858(20)30005-2.
[56] M.A. Talib, S. Abbas, Q. Nasir, M.F. Mowakeh, Systematic literature review on internet-of-vehicles communication security, Int. J. Distrib. Sens. Netw. 14 (12) (2018), https://doi.org/10.1177/1550147718815054. 1550147718815054
[57] E.B. Hamida, H. Noura, W. Znaidi, Security of cooperative intelligent transport systems: standards, threats analysis and cryptographic countermeasures, Electronics (Basel) 4 (3) (2015) 380–423, https://doi.org/10.3390/electronics4030380.
[58] K. Wang, L. Wang, M. Cui, Trajectory tracking and recovery attacks in vanet systems, Int. J. Commun. Syst. 31 (17) (2018) e3797, https://doi.org/10.1002/dac.3797. E3797 dac.3797
[59] M. Ghanavati, A. Chakravarthy, P.P. Menon, Analysis of automotive cyber-attacks on highways using partial differential equation models, IEEE Trans. Control Network Syst. 5 (4) (2018) 1775–1786, https://doi.org/10.1109/TCNS.2017.2760865.
[60] L. Pan, X. Zheng, H. Chen, T. Luan, H. Bootwala, L. Batten, Cyber security attacks to modern vehicular systems, Journal of Information Security and Applications 36 (2017) 90–100, https://doi.org/10.1016/j.jisa.2017.08.005.
[61] O.A. Ibrahim, A.M. Hussain, G. Oligeri, R. Di Pietro, Key is in the air: Hacking remote keyless entry systems, in: B. Hamid, B. Gallina, A. Shabtai, Y. Elovici, J. Garcia-Alfaro (Eds.), Security and Safety Interplay of Intelligent Software Systems, Springer International Publishing, Cham, 2019, pp. 125–132.
[62] M. Felderer, M. Büchler, M. Johns, A.D. Brucker, R. Breu, A. Pretschner, Security testing: a survey. Advances in Computers 101, Elsevier, 2016, pp. 1–51.
[63] M. Felderer, P. Zech, R. Breu, M. Büchler, A. Pretschner, Model-based security testing: a taxonomy and systematic classification, Software Testing, Verification and Reliability 26 (2) (2016) 119–148.
[64] M. Felderer, I. Schieferdecker, A taxonomy of risk-based testing, Int. J. Software Tools Technol. Trans. 16 (5) (2014) 559–568.
[65] K. Petersen, C. Gencel, Worldviews, research methods, and their relationship to validity in empirical software engineering research. 2013 Joint Conference of the 23rd International Workshop on Software Measurement and the 8th International Conference on Software Process and Product Measurement, IEEE, 2013, pp. 81–89.
[66] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, T. Kohno, et al., Comprehensive experimental analyses of automotive attack surfaces. USENIX Security Symposium 4, San Francisco, 2011, pp. 447–462.
[67] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, et al., Experimental security analysis of a modern automobile. 2010 IEEE Symposium on Security and Privacy, IEEE, 2010, pp. 447–462.
[68] T. Hoppe, S. Kiltz, J. Dittmann, Security threats to automotive can networks–practical examples and selected short-term countermeasures. International Conference on Computer Safety, Reliability, and Security, Springer, 2008, pp. 235–248.
[69] T. Hoppe, S. Kiltz, J. Dittmann, Automotive it-security as a challenge: Basic attacks from the black box perspective on the example of privacy threats. International Conference on Computer Safety, Reliability, and Security, Springer, 2009, pp. 145–158.
[70] T. Hoppe, S. Kiltz, J. Dittmann, Adaptive dynamic reaction to automotive it security incidents using multimedia car environment. 2008 The Fourth International Conference on Information Assurance and Security, IEEE, 2008, pp. 295–298.
[71] S. Schulze, M. Pukall, T. Hoppe, It security in automotive software development, GI Softwaretechnik-Trends 29 (3) (2009) 23–28.


[72] P. Carsten, T.R. Andel, M. Yampolskiy, J.T. McDonald, In-vehicle networks: Attacks, vulnerabilities, and proposed solutions. Proceedings of the 10th Annual Cyber and Information Security Research Conference, in: CISR ’15, ACM, New York, NY, USA, 2015, pp. 1:1–1:8, https://doi.org/10.1145/2746266.2746267.
[73] J. Takahashi, Y. Aragane, T. Miyazawa, H. Fuji, H. Yamashita, K. Hayakawa, S. Ukai, H. Hayakawa, Automotive attacks and countermeasures on lin-bus, Journal of Information Processing 25 (2017) 220–228, https://doi.org/10.2197/ipsjjip.25.220.
[74] R. Iijima, S. Minami, Z. Yunao, T. Takehisa, T. Takahashi, Y. Oikawa, T. Mori, Audio hotspot attack: An attack on voice assistance systems using directional sound beams. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, in: CCS ’18, ACM, New York, NY, USA, 2018, pp. 2222–2224, https://doi.org/10.1145/3243734.3278497.
[75] S. Woo, H.J. Jo, D.H. Lee, A practical wireless attack on the connected car and security protocol for in-vehicle can, IEEE Trans. Intell. Transp. Syst. 16 (2) (2015) 993–1006, https://doi.org/10.1109/TITS.2014.2351612.
[76] R. Mishra, A. Singh, R. Kumar, Vanet security: Issues, challenges and solutions. 2016 International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT), 2016, pp. 1050–1055, https://doi.org/10.1109/ICEEOT.2016.7754846.
[77] S. Bittl, A.A. Gonzalez, M. Myrtus, H. Beckmann, S. Sailer, B. Eissfeller, Emerging attacks on vanet security based on gps time spoofing. 2015 IEEE Conference on Communications and Network Security (CNS), 2015, pp. 344–352, https://doi.org/10.1109/CNS.2015.7346845.
[78] M. Nema, S. Stalin, V. Lokhande, Analysis of attacks and challenges in vanet, International Journal of Emerging Technology and Advanced Engineering 4 (7) (2014) 831–835.
[79] B. Pang, R. Li, P. Yue, Research of the interest packet popple broadcast diffusion attack in ndn vanet. Proceedings of the Symposium on Applied Computing, in: SAC ’17, ACM, New York, NY, USA, 2017, pp. 617–620, https://doi.org/10.1145/3019612.3019888.
[80] S. Mukherjee, H. Shirazi, I. Ray, J. Daily, R. Gamble, Practical dos attacks on embedded networks in commercial vehicles, in: I. Ray, M.S. Gaur, M. Conti, D. Sanghi, V. Kamakoti (Eds.), Information Systems Security, Springer International Publishing, Cham, 2016, pp. 23–42.
[81] S. Jafarnejad, L. Codeca, W. Bronzi, R. Frank, T. Engel, A car hacking experiment: When connectivity meets vulnerability. 2015 IEEE Globecom Workshops (GC Wkshps), 2015, pp. 1–6, https://doi.org/10.1109/GLOCOMW.2015.7413993.
[82] S. Nie, L. Liu, Y. Du, Free-fall: hacking tesla from wireless to can bus, Briefing, Black Hat USA (2017) 1–16.
[83] M. Wei, Z. Lu, W. Wang, On modeling and understanding vehicle evacuation attacks in vanets. 2017 IEEE International Conference on Communications (ICC), 2017, pp. 1–7, https://doi.org/10.1109/ICC.2017.7996463.
[84] M.R. Moore, R.A. Bridges, F.L. Combs, M.S. Starr, S.J. Prowell, Modeling inter-signal arrival times for accurate detection of can bus signal injection attacks: A data-driven approach to in-vehicle intrusion detection. Proceedings of the 12th Annual Conference on Cyber and Information Security Research, in: CISRC ’17, ACM, New York, NY, USA, 2017, pp. 11:1–11:4, https://doi.org/10.1145/3064814.3064816.
[85] P. Urien, Designing attacks against automotive control area network bus and electronic control units. 2019 16th IEEE Annual Consumer Communications Networking Conference (CCNC), 2019, pp. 1–4, https://doi.org/10.1109/CCNC.2019.8651708.
[86] Y. Zhang, B. Ge, X. Li, B. Shi, B. Li, Controlling a car through obd injection. 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), 2016, pp. 26–29, https://doi.org/10.1109/CSCloud.2016.42.
[87] Y. Burakova, B. Hass, L. Millar, A. Weimerskirch, Truck hacking: An experimental analysis of the SAE j1939 standard. 10th USENIX Workshop on Offensive Technologies (WOOT 16), USENIX Association, Austin, TX, 2016.
[88] F. Majeric, B. Gonzalvo, L. Bossuet, JTAG combined attack - another approach for fault injection. 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 2016, pp. 1–5, https://doi.org/10.1109/NTMS.2016.7792458.
