DOCSLIB.ORG

Security and Privacy in Automotive On-Board Networks Hendrik Schweppe

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security and Privacy in Automotive On-Board Networks Hendrik Schweppe Security and privacy in automotive on-board networks Hendrik Schweppe To cite this version: Hendrik Schweppe. Security and privacy in automotive on-board networks. Networking and Internet Architecture [cs.NI]. Télécom ParisTech, 2012. English. NNT : 2012ENST0062. tel-01157229 HAL Id: tel-01157229 https://pastel.archives-ouvertes.fr/tel-01157229 Submitted on 27 May 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. ! !! ! ! ! 2012-ENST-062 EDITE ED 130 Doctorat ParisTech T H È S E pour obtenir le grade de docteur délivré par Télécom ParisTech présentée et soutenue publiquement par Hendrik SCHWEPPE le 8 novembre 2012 Sécurité et protection de la vie privée ! ! dans les systèmes embarqués automobiles ! ! ! ! ! ! ! Directeur de thèse : Yves ROUDIER ! ! Jury M. Erland JONSSON , Professeur, Chalmers, Göteborg, Suède Rapporteur T M. Jean-Marc ROBERT , Professeur, École de Technologie Supérieure, Québec, Canada Rapporteur M. Joaquin GARCIA-ALFARO , Maître de Conférences, Télécom SudParis, France Examinateur H M. Renaud PACALET , Directeur d’Études, Télécom ParisTech, Sophia-Antipolis, France Examinateur M. Panagiotis PAPADIMITRATOS , Professeur, KTH, Stockholm, Suède Examinateur È M. Yves ROUDIER , Maître de Conférences, EURECOM, Sophia-Antipolis, France Examinateur M. Benjamin WEYL , Docteur-Ingenieur, BMW Group, München, Allemagne Invité S E Télécom ParisTech Ecole de l’Institut Télécom – membre de ParisTech 46, rue Barrault – 75634 Paris Cedex 13 – Tél. + 33 (0)1 45 81 77 77 – www.telecom-paristech.fr Security and Privacy in Automotive On-Board Networks Thesis Hendrik C. Schweppe [email protected] Ecole´ Doctorale Informatique, T´el´ecommunication et Electronique,´ Paris ED 130 November 8, 2012 Advisor: Examiners: Prof. Dr. Yves Roudier Prof. Dr. Joaquin Garcia-Alfaro, EURECOM, Sophia-Antipolis T´el´ecom SudParis Prof. Renaud Pacalet, T´el´ecom ParisTech, Sophia-Antipolis Reviewers: Prof. Dr. Panagiotis Papadimitratos, Prof. Dr. Erland Jonsson, KTH, Stockholm Chalmers, Gothenburg Invitee: Prof. Dr. Jean-Marc Robert, Dr.-Ing. Benjamin Weyl, ETS, Qu´ebec BMW AG, Munich To Annette and my parents. Acknowledgements I would like to express my gratitude to the people who have helped me to pursue my Ph.D. studies. First and foremost, this is Prof. Dr. Yves Roudier, my di- recteur de th`ese , who always supported me with ideas, fruitful discussions and trusted me to oversee a large part of the research done in the EVITA project. My peer at BMW Forschung und Technik, Dr.-Ing. Benjamin Weyl is equally important: He was the driving force behind the project, and at the same time gave me many inspirations and ideas for the concepts of this thesis. Benjamin made it possible for me to visit BMW in the scope of the project, and to get to know the industrial side of research. Thank you. I also would like to thank the jury members and especially the reviewers of my thesis, Prof. Dr. Erland Jonsson and Prof. Dr. Jean-Marc Robert. The early feedback I received from Prof. Jonsson was very detailed and helpful. Furthermore I express my appre- ciation to my colleagues and friends at the EURECOM institute. My deepest gratitude belongs to my family and Annette, who continuously supported me at every hour of the day. Abstract In recent decades, vehicles have been equipped with an increasing number of electronic features and controllers. They have become a vital part of automo- tive architecture. This architecture consists of an internal network of micro- controllers and small computers, called Electronic Control Units ( ECU s). Such ECU s may be part of an entertainment system, which will interact with the driver, or they complement technical and mechanical systems such as power steering, brakes, or engine control. Every ECU is usually connected to one or more networks as well as a number of sensors and actuators. Vehicles have become multi-connected places: i) Entertainment systems al- low data to be retrieved directly from the internet, typically traffic conditions, weather or navigational information, ii) Increasingly consumer devices are being connected by wired and wireless interfaces in order to control vehicle functions or distribute multimedia content, iii) Assistance functions to augment traffic safety and efficiency are currently being standardized, allowing vehicles and in- frastructure units to communicate autonomously via dedicated radio channels. All of these new communication interfaces should be properly secured, as failure to do so could have severe consequences, such as loss of control over the vehicle or private data being accessed by third party applications, which could, for example, record conversations or track usage behavior. Recent security analyses show that current vehicle architectures are vulnerable to the above described threats. It has been shown that by exploiting implementation flaws, attackers can control the vehicle’s behavior from a device inside the car or even remotely. This dissertation focuses on securing in-vehicle networks. Historically, vehicle buses such as the Controller Area Network ( CAN ) were considered as isolated embedded systems. However, an effective isolation of on-board networks is difficult if not impossible to achieve with the rises of connectivity inside the vehicle for internal functions and, at the same time, for third party devices and internet services. Upcoming safety and assistance functions use Car-to-Car and Car-to-Infrastructure communication ( Car2X ). These assistance functions rely on remotely received data. It is imperative that these data are trustworthy. A high level of trust can only be achieved by securing the on-board platform as a whole, and by protecting both the integrity and the authenticity of network communication as well as software execution. v vi The main contributions of this thesis are i) an approach to securing the com- munication of in-vehicle networks, ii) an approach to applying dynamic data flow analysis to the distributed embedded applications of on-board networks, by using taint-tag tracking in order to detect and avoid malicious activities, iii) working prototypes for different aspects of the overall security problem, showing simulations and real-world results of the techniques developed in this thesis. The approach that is presented combines multiple mechanisms at different layers of the vehicular communication and execution platform. Cryptographic com- munication protocols are designed and implemented in order to authenticate data exchanged on the buses. Hardware Security Modules ( HSM s) are used to complement the actual microcontroller by providing a secure storage and by acting as a local root of trust. We distribute usage-restricted symmetric key material between HSM s. Their use is limited to certain functions, like generat- ing or verifying authentication codes. Thereby, they can be used asymmetrically for group-communication patterns. This is a common communication paradigm in automotive applications, in particular for distributing vehicle-wide signals. A proof of concept system has been implemented as part of this thesis, showing the feasibility of integrating security features on top of automotive buses and for use with Car2X communication. We simulated the behavior of a CAN network and compare our results for different network designs with data collected from a real vehicle and with simulations based on a Simulink toolkit. In order to account for untrusted program code, we use a distributed data flow tracking based approach for securing code execution on the ECU s of the automotive network. This means that a high level of trust can be placed in applications even when mechanisms, such as software review and applications signatures, fall short of the desired security levels, or cannot be applied at all. If this approach is taken then the use of applications of unknown origin along side those controlling critical functions becomes possible. In addition to plain policy rules, we use a declarative approach to represent the kind of data used on communication links. Binary instrumentation techniques are used to track data flows throughout the execution and between control units. For the Car2Car Communication Consortium Forum in November 2011, a part of the prototype implementations was integrated into two research vehicles to demonstrate an “Active Brake” safety scenario using secure in-vehicle and Car2X communication. It demonstrated the effectiveness and applicability of our com- munication security solution. Ph.D. Thesis — Hendrik C. Schweppe Zusammenfassung Die Entwicklungen und Neuerungen rund um das Automobil ist in den let- zten Jahren in zunehmendem Maße von elektronischen Funktionen und einer Ausweitung der Kommunikationsschnittstellen gepr¨agt. Durch die Zunahme an Schnittstellen ist das Automobil zu einem Knotenpunkt der Vernetzung gewor- den. Applikationen verarbeiten interne Fahrzeugdaten, Daten aus dem Internet und von Mobiltelefonen, sowie in Zukunft auch von anderen Fahrzeugen mithilfe der sogenannten Car2X Kommunikation. Durch Abh¨angigkeiten k¨onnen
Load more

Recommended publications
  • Intrusion Detection System for Automotive Controller Area Network (CAN) Bus System: a Review Siti-Farhana Lokman* , Abu Talib Othman and Muhammad-Husaini Abu-Bakar
    Lokman et al. EURASIP Journal on Wireless Communications and Networking (2019) 2019:184 https://doi.org/10.1186/s13638-019-1484-3 REVIEW Open Access Intrusion detection system for automotive Controller Area Network (CAN) bus system: a review Siti-Farhana Lokman* , Abu Talib Othman and Muhammad-Husaini Abu-Bakar Abstract The modern vehicles nowadays are managed by networked controllers. Most of the networks were designed with little concern about security which has recently motivated researchers to demonstrate various kinds of attacks against the system. In this paper, we discussed the vulnerabilities of the Controller Area Network (CAN) within in- vehicle communication protocol along with some potential attacks that could be exploited against it. Besides, we present some of the security solutions proposed in the current state of research in order to overcome the attacks. However, the main goal of this paper is to highlight a holistic approach known as intrusion detection system (IDS) which has been a significant tool in securing networks and information systems over the past decades. To the best of our knowledge, there is no recorded literature on a comprehensive overview of IDS implementation specifically in the CAN bus network system. Thus, we proposed an in-depth investigation of IDS found in the literature based on the following aspects: detection approaches, deployment strategies, attacking techniques, and finally technical challenges. In addition, we also categorized the anomaly-based IDS according to these methods, e.g., frequency- based, machine learning-based, statistical-based, and hybrid-based as part of our contributions. Correspondingly, this study will help to accelerate other researchers to pursue IDS research in the CAN bus system.
    [Show full text]
  • Automotive Cybersecurity: Foundations for Next-Generation Vehicles
    Automotive Cybersecurity: Foundations for Next-Generation Vehicles Michele Scalas, Student Member, IEEE Giorgio Giacinto, Senior Member, IEEE Department of Electrical and Electronic Engineering Department of Electrical and Electronic Engineering University of Cagliari University of Cagliari Cagliari, Italy Cagliari, Italy [email protected] [email protected] Abstract—The automotive industry is experiencing a serious Vehicle-to-Vehicle), with a generic infrastructure (V2I) or with transformation due to a digitalisation process and the transition pedestrians (V2P). The typical application of these models is to the new paradigm of Mobility-as-a-Service. The next-generation smart cities, with the aim of optimising traffic management, vehicles are going to be very complex cyber-physical systems, whose design must be reinvented to fulfil the increasing demand sending alerts in case of incidents, coordinating a fleet of of smart services, both for safety and entertainment purposes, vehicles. causing the manufacturers’ model to converge towards that of As regards autonomous driving, it consists in expanding the IT companies. Connected cars and autonomous driving are the current Advanced Driver Assistance Systems (ADASs), such preeminent factors that drive along this route, and they cause the as lane keeping and braking assistants, in order to obtain a necessity of a new design to address the emerging cybersecurity issues: the ”old” automotive architecture relied on a single closed fully autonomous driverless car. The Society of Automotive network, with no external communications; modern vehicles are Engineers (SAE) provides, in fact, six possible levels of going to be always connected indeed, which means the attack autonomy, from level 0, with no assistance, to level 5, where surface will be much more extended.
    [Show full text]
  • Securing the Modern Vehicle: a Study of Automotive Industry Cybersecurity Practices
    Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices An independent study commissioned by and Table of Contents Executive Summary ............................................................................................ 1 Organizational Dynamics and Challenges ........................................................... 3 Technical Dynamics and Challenges .................................................................... 6 Product Development and Security Testing Practices ......................................... 9 Supply Chain and Third-Party Component Challenges ........................................ 13 Conclusions ........................................................................................................ 14 Methods ............................................................................................................. 15 Appendix: Detailed Survey Results ..................................................................... 18 Ponemon Institute .............................................................................................. 29 Executive Summary Today’s vehicle is a connected, mobile computer, which has introduced an issue the automotive industry has little experience dealing with: cybersecurity risk. Automotive manufacturers have become as much software as transportation companies, facing all the challenges inherent to software security. Synopsys and SAE International partnered to commission this independent survey of the current cybersecurity practices in the automotive
    [Show full text]
  • A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX
    In Collaboration With A PRACTICAL METHOD OF IDENTIFYING CYBERATTACKS February 2018 INDEX TOPICS EXECUTIVE SUMMARY 4 OVERVIEW 5 THE RESPONSES TO A GROWING THREAT 7 DIFFERENT TYPES OF PERPETRATORS 10 THE SCOURGE OF CYBERCRIME 11 THE EVOLUTION OF CYBERWARFARE 12 CYBERACTIVISM: ACTIVE AS EVER 13 THE ATTRIBUTION PROBLEM 14 TRACKING THE ORIGINS OF CYBERATTACKS 17 CONCLUSION 20 APPENDIX: TIMELINE OF CYBERSECURITY 21 INCIDENTS 2 A Practical Method of Identifying Cyberattacks EXECUTIVE OVERVIEW SUMMARY The frequency and scope of cyberattacks Cyberattacks carried out by a range of entities are continue to grow, and yet despite the seriousness a growing threat to the security of governments of the problem, it remains extremely difficult to and their citizens. There are three main sources differentiate between the various sources of an of attacks; activists, criminals and governments, attack. This paper aims to shed light on the main and - based on the evidence - it is sometimes types of cyberattacks and provides examples hard to differentiate them. Indeed, they may of each. In particular, a high level framework sometimes work together when their interests for investigation is presented, aimed at helping are aligned. The increasing frequency and severity analysts in gaining a better understanding of the of the attacks makes it more important than ever origins of threats, the motive of the attacker, the to understand the source. Knowing who planned technical origin of the attack, the information an attack might make it easier to capture the contained in the coding of the malware and culprits or frame an appropriate response. the attacker’s modus operandi.
    [Show full text]
  • Specification-Based Automotive Intrusion Detection Using Controller Area Network
    This is the author's version of an article that has been published in this journal. Changes were made to this version by the publisher prior to publication. The final version of record is available at http://dx.doi.org/10.1109/TVT.2019.2961344 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. XX, NO. XX, XXX 2019 1 SAIDuCANT: Specification-based Automotive Intrusion Detection using Controller Area Network (CAN) Timing Habeeb Olufowobi, Clinton Young, Joseph Zambreno, Senior Member, IEEE, and Gedare Bloom, Senior Member, IEEE Abstract—The proliferation of embedded devices in modern and attacks [2]. Vulnerabilities across the autonomous vehi- vehicles has opened the traditionally-closed vehicular system to cles, vehicular ad-hoc networks, vehicle-to-vehicle, vehicle-to- the risk of cybersecurity attacks through physical and remote infrastructure, connected car, intelligent transportation system, access to the in-vehicle network such as the controller area network (CAN). The CAN bus does not implement a security and even traditional (non-connected) automobiles motivate protocol that can protect the vehicle against the increasing cyber adversaries to launch cyberattacks against vehicles [3]. Unfor- and physical attacks. To address this risk, we introduce a novel tunately, today’s car lacks the necessary security mechanisms algorithm to extract the real-time model parameters of the CAN to protect the vehicular system from attack. bus and develop SAIDuCANT, a specification-based intrusion A critical asset to secure is the automotive in-vehicle detection system (IDS) using anomaly-based supervised learning with the real-time model as input. We evaluate the effectiveness of network, which facilitates communication between ECUs over SAIDuCANT with real CAN logs collected from two passenger multiple physical networks and protocols, with the most preva- cars and on an open-source CAN dataset collected from real- lent being the controller area network (CAN).
    [Show full text]
  • Security Control Mechanism for Safety Critical Functions Operating on an Automotive Controller Area Network
    Security Control Mechanism for Safety Critical Functions Operating on an Automotive Controller Area Network A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science in the Graduate School of The Ohio State University By Matt Appel, Graduate Program in Electrical and Computer Engineering The Ohio State University 2020 Master's Examination Committee: Prof. Girogio Rizzoni, Advisor Prof. Ness Shroff Prof. Qadeer Ahmed c Copyright by Matt Appel 2020 Abstract Safety-critical systems in automotive design are facing new challenges associated with advancements in autonomous functionality and connectivity. One of those chal- lenges is security in these systems. There are a multitude of different problems with all of these additional connectivity and sensing units. The focus of this thesis is on the internal communication of Network Control Systems(NCS) of a vehicle. The Controller Area Network (CAN) is the primary network used in safety-critical vehi- cle operation and is lacking inherent security. This thesis presents a security control mechanism for CAN that uses vehicle models to detect and mitigate malicious mes- sages on CAN. The security control mechanism is an Intrusion Detection System (IDS) that uses an unknown input observer implementation to address stealth, re- play, and covert attacks. The goal of this method is to address performance challenges in the authentication of an entire CAN bus. It uses vehicle dynamic behavior to au- thenticate messages rather than using encryption methods to require CAN message authentication when the vehicle is not under attack reducing the burden caused by implementing and continually using secure communication protocols on top of CAN.
    [Show full text]
  • Kaspersky Transportation Systems Security Portfolio
    Driving automotive cybersecurity Introduction IHS Markit forecasts that by 2023, worldwide sales Connected cars are more than just physical cars of connected cars will reach 72.5 million units, with digital technology – they are vehicles with up from 24 million units in 2015. That means almost connected infrastructures that include mobile 69% of passenger vehicles sold will be exchanging data with external sources, bringing new services systems and more. As a result, we end up with and business models to bear in automotive connected car ecosystems with multiple entry markets*. points that are vulnerable to cyberattacks. But there’s still a long way to go to guarantee Kaspersky has introduced a set of products connected vehicles are safe and secure for and serv passengers. For that to happen there needs cybersecurity to connected cars and their to be a transformation in the multiple approaches infrastructures and to support the development used across the automotive industry. of new mobility technologies, including autonomous, electric and shared technologies. Transportation System Security Automotive In-vehicle Infrastructure services security security Kaspersky Kaspersky Kaspersky Transportation Kaspersky Kaspersky Kaspersky Kaspersky Security Penetration Tailored Threat Cybersecurity Automotive Mobile Security Fraud Threat Assessment Testing Intelligence for ECUs Adaptive SDK Prevention Intelligence Reporting Platform for Vehicle SOC * Ihsmarkit.com/topic/autonomous-connected-car.html Uncover the Security Risks Security Assessment The Security Assessment service is the ideal starting point for addressing the cybersecurity agenda for connected cars and their infrastructures. It detects vulnerabilities, software architecture inconsistencies, and gaps in ECUs, hardware and software security mechanisms both in manufactured vehicles and future models and their components.
    [Show full text]
  • Extracting and Mapping Industry 4.0 Technologies Using Wikipedia
    Computers in Industry 100 (2018) 244–257 Contents lists available at ScienceDirect Computers in Industry journal homepage: www.elsevier.com/locate/compind Extracting and mapping industry 4.0 technologies using wikipedia T ⁎ Filippo Chiarelloa, , Leonello Trivellib, Andrea Bonaccorsia, Gualtiero Fantonic a Department of Energy, Systems, Territory and Construction Engineering, University of Pisa, Largo Lucio Lazzarino, 2, 56126 Pisa, Italy b Department of Economics and Management, University of Pisa, Via Cosimo Ridolfi, 10, 56124 Pisa, Italy c Department of Mechanical, Nuclear and Production Engineering, University of Pisa, Largo Lucio Lazzarino, 2, 56126 Pisa, Italy ARTICLE INFO ABSTRACT Keywords: The explosion of the interest in the industry 4.0 generated a hype on both academia and business: the former is Industry 4.0 attracted for the opportunities given by the emergence of such a new field, the latter is pulled by incentives and Digital industry national investment plans. The Industry 4.0 technological field is not new but it is highly heterogeneous (actually Industrial IoT it is the aggregation point of more than 30 different fields of the technology). For this reason, many stakeholders Big data feel uncomfortable since they do not master the whole set of technologies, they manifested a lack of knowledge Digital currency and problems of communication with other domains. Programming languages Computing Actually such problem is twofold, on one side a common vocabulary that helps domain experts to have a Embedded systems mutual understanding is missing Riel et al. [1], on the other side, an overall standardization effort would be IoT beneficial to integrate existing terminologies in a reference architecture for the Industry 4.0 paradigm Smit et al.
    [Show full text]
  • Detecting and Preventing Automotive Hardware Security Vulnerabilities
    Detecting and Preventing Automotive Hardware Security Vulnerabilities Ensuring hardware security, one chip at a time. VISIT: TORTUGALOGIC.COM Automating the Automotive Security Development Lifecycle Connected and autonomous vehicles present a exposed not one but a chain of security issues. promising target, much like retailers or banks, For Fiat-Chrysler vehicles, it was a remote attack where hackers can troll for personal details and that could be performed against vehicles located identity theft. anywhere in the United State that caused a 1.4 million vehicle recall as well as changes to the Is your vehicle secure? Tesla found out the hard Sprint carrier network. way. Hacking typically begins by finding a series of vulnerability issues that create a path through European vehicles are also not immune. A study the car’s maze of defenses. So, when research- by German auto club ADAC found hackers could ers at the Chinese firm Tencent revealed they wirelessly open any BMW, Mini and Rolls-Royce could burrow through the Wi-Fi connection of vehicles in minutes. An estimated 2.2 million a Tesla S, all the way to its driving systems and vehicles equipped with BMW’s ConnectedDrive then remotely activate the vehicle’s brakes, they service were vulnerable. Connected and autonomous vehicles present a promising target, much like retailers or banks, where hackers can troll for credit card numbers, home addresses, e-mail information and other personal details required for identity theft. Hackers bent on identity theft are expected to infiltrate vehicles through the infotainment portal, as the Jeep hackers did, as well as with malicious apps that appear harmless or even helpful but steal personal information.
    [Show full text]
  • Architecture for a Remote Diagnosis System Used in Heavy-Duty Vehicles
    Institutionen för datavetenskap Department of Computer and Information Science Final thesis Architecture for a remote diagnosis system used in heavy-duty vehicles by Anders Björkman LIU-IDA/LITH-EX-A--08/034--SE 2008-06-30 Linköpings universitet Linköpings universitet SE-581 83 Linköping, Sweden 581 83 Linköping Linköping University Department of Computer and Information Science Final Thesis Architecture for a remote diagnosis system used in heavy-duty vehicles by Anders Björkman LIU-IDA/LITH-EX-A--08/034--SE 2008-06-30 Supervisor: Jan Lindman Scania Fleet Management Department at Scania CV AB Examiner: Petru Eles Dept. of Computer and Information Science at Linköpings universitet Abstract The diagnosis system of a Scania vehicle is an indispensable tool for workshop personnel and engineers in their work. Today Scania has a system for fetching diagnostic information from field test vehicles remotely and store them in a database, so called remote diagnosis. This saves the engineers much time by not having to visit every vehicle. The system uses a Windows based on- board PC in the vehicle called an Interactor. The Interactor has a telematic unit for communication with Scanias Fleet Management System and the CAN-bus in the vehicle. In the next generation of the Interactor, its telematic unit is to be replaced by a Linux based telematic unit called the Communicator 200 (C200). The purpose of this master project is to create a new architecture for a remote diagnosis system that uses the new telematic unit Communicator 200. The thesis gives an analysis of the current remote diagnosis system used at Scania and proposes an architecture for a new generation remote diagnosis system using the C200.
    [Show full text]
  • Comprehensive Experimental Analyses of Automotive Attack Surfaces
    Comprehensive Experimental Analyses of Automotive Attack Surfaces Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage University of California, San Diego Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno University of Washington Abstract This situation suggests a significant gap in knowledge, Modern automobiles are pervasively computerized, and and one with considerable practical import. To what ex- hence potentially vulnerable to attack. However, while tent are external attacks possible, to what extent are they previous research has shown that the internal networks practical, and what vectors represent the greatest risks? within some modern cars are insecure, the associated Is the etiology of such vulnerabilities the same as for threat model — requiring prior physical access — has desktop software and can we think of defense in the same justifiably been viewed as unrealistic. Thus, it remains an manner? Our research seeks to fill this knowledge gap open question if automobiles can also be susceptible to through a systematic and empirical analysis of the remote remote compromise. Our work seeks to put this question attack surface of late model mass-production sedan. to rest by systematically analyzing the external attack We make four principal contributions: surface of a modern automobile. We discover that remote Threat model characterization. We systematically exploitation is feasible via a broad range of attack vectors synthesize a set of possible external attack vectors as (including mechanics tools, CD players, Bluetooth and a function of the attacker’s ability to deliver malicious cellular radio), and further, that wireless communications input via particular modalities: indirect physical access, channels allow long distance vehicle control, location short-range wireless access, and long-range wireless tracking, in-cabin audio exfiltration and theft.
    [Show full text]
  • Document Title Security Models
    HEAVENS – HEAling Vulnerabilities to ENhance Software Security and Safety Dnr 2012-04625 Document Title Security models Document Type Deliverable Document Number D2 Aljoscha Lautenbach, [email protected], Chalmers Document Responsible Mafijul Islam, [email protected], Volvo AB Document Version 2.0 Document Status Released (March 18, 2016) Dissemination Level Public Last Change March 18, 2016 Project Acronym HEAVENS Project Title HEAling Vulnerabilities to ENhance Software Security and Safety Research Program Vinnova/FFI (Fordonsutveckling/Vehicle Development), Sweden Diary Number 2012-04625 Project Duration April 2013 – March 2016 Project Coordinator Mats Olsson, [email protected] , Volvo AB © 2016 The HEAVENS Consortium HEAVENS (Dnr 2012-04625) Deliverable D2 Security models This page is intentionally left blank © 2016 The HEAVENS Consortium 2(100) HEAVENS (Dnr 2012-04625) Deliverable D2 Security models Executive Summary This deliverable (D2 Security models, Release 2, Version 2.0) presents the results and achievements of work package WP2 (Security models) of the HEAVENS project. The goal of this deliverable is to present a systematic approach of deriving security requirements for the automotive Electrical and/or Electronic (E/E) systems. It suggests an adaption of generic security engineering process for the automotive domain. The deliverable presents state-of-the-art threat analysis and risk assessment methodologies, processes, frameworks and tools, considering various industrial domains, for example, IT security, telecommunications, software engineering and defense. It presents the results obtained from performing a critical review of the state-of-the-art threat analysis and risk assessment in the context of the automotive industry. Based on this, a new security model − HEAVENS security model − for the automotive industry is proposed to facilitate deriving security requirements for the automotive E/E systems.
    [Show full text]