Abstract
Modern vehicles increasingly rely on electronics, software, and communication technologies (cyber space) to perform their driving task. Over-The-Air (OTA) connectivity further extends the cyber space by creating remote access entry points. Accordingly, the vehicle is exposed to security attacks that are able to impact road safety. A profound understanding of security attacks, vulnerabilities, and mitigations is necessary to protect vehicles against cyber threats. While automotive threat descriptions, such as in UN R155, are still abstract, this creates a risk that potential vulnerabilities are overlooked and the vehicle is not secured against them. So far, there is no common understanding of the relationship of automotive attacks, the concrete vulnerabilities they exploit, and security mechanisms that would protect the system against these attacks. In this article, we aim at closing this gap by creating a mapping between UN R155, Microsoft STRIDE classification, Common Attack Pattern Enumeration and Classification (CAPEC), and Common Weakness Enumeration (CWE). In this way, already existing detailed knowledge of attacks, vulnerabilities, and mitigations is combined and linked to the automotive domain. In practice, this refines the list of UN R155 threats and therefore supports vehicle manufacturers, suppliers, and approval authorities to meet and assess the requirements for vehicle development in terms of cybersecurity. Overall, 204 mappings between UN threats, STRIDE, CAPEC attack patterns, and CWE weaknesses were created. We validated these mappings by applying our Automotive Attack Database (AAD) that consists of 361 real-world attacks on vehicles. Furthermore, 25 additional attack patterns were defined based on automotive-related attacks.
- [1] . 2006. Attacks on inter vehicle communication systems—An analysis. In Proceedings of the 3rd International Workshop on Intelligent Transportation (WIT’06). 189–194.Google Scholar
- [2] . 2021. Cyberattacks and countermeasures for in-vehicle networks. ACM Computing Surveys 54, 1 (2021), 1–37.Google ScholarDigital Library
- [3] . 2022. Risk assessment of security vulnerabilities in smart home using CAPEC and defensive goals. In Advances in Data and Information Sciences. Springer, 705–722.Google ScholarCross Ref
- [4] 2019. On the IoT Road: Perks, Benefits and Security of Moving Smartly. Retrieved February 14, 2024 from https://securelist.com/on-the-iot-road/91833/Google Scholar
- [5] . 2013. The National Vulnerability Database (NVD): Overview. Retrieved February 14, 2024 from https://www.nist.gov/publications/national-vulnerability-database-nvd-overviewGoogle Scholar
- [6] . 2014. Zubie: This Car Safety Tool ‘Could Have Given Hackers Control Of Your Vehicle.’ Retrieved February 14, 2024 from https://www.forbes.com/sites/thomasbrewster/2014/11/07/car-safety-tool-could-have-given-hackers-control-of-your-vehicle/#4986296f1481Google Scholar
- [7] . 2020. Cybersecurity in Automotive: Mastering the Challenge. Retrieved February 14, 2024 from https://www.mckinsey.com/industries/automotive-and-assembly/our-insights/cybersecurity-in-automotive-mastering-the-challengeGoogle Scholar
- [8] . 2011. Comprehensive experimental analyses of automotive attack surfaces. In Proceedings of the 20th USENIX Security Symposium.Google Scholar
- [9] . 2020. Attacks on self-driving cars and their countermeasures: A survey. IEEE Access 8 (2020), 207308–207342.Google ScholarCross Ref
- [10] . 2015. Cars Exposed to Hacking Inside Car Dealerships. Retrieved February 14, 2024 from https://news.softpedia.com/news/cars-exposed-to-hacking-inside-car-dealerships-493572.shtmlGoogle Scholar
- [11] . 2019. Tesla car hacked at Pwn2Own contest. ZDNet. Retrieved February 14, 2024 from https://www.zdnet.com/article/tesla-car-hacked-at-pwn2own-contest/Google Scholar
- [12] . 2018. The Connected Car—Ways to Get Unauthorized Access and Potential Implications. Retrieved February 14, 2024 from https://www.computest.nl/documents/9/The_Connected_Car._Research_Rapport_Computest_april_2018.pdfGoogle Scholar
- [13] . 2022. In-depth exploration of ISO/SAE 21434 and its correlations with existing standards. IEEE Communications Standards Magazine 6, 1 (2022), 84–92. Google ScholarCross Ref
- [14] . 2018. CANDY: A social engineering attack to leak information from infotainment system. In Proceedings of the 2018 IEEE 87th Vehicular Technology Conference (VTC Spring’18). 1–5.Google ScholarCross Ref
- [15] . 2019. Cracking My Windshield and Earning 10,000 on the Tesla Bug Bounty Program. Retrieved February 14, 2024 from https://samcurry.net/cracking-my-windshield-and-earning-10000-on-the-tesla-bug-bounty-program/Google Scholar
- [16] . 2017. ICS Advisory (ICSA-17-208-01): Continental AG Infineon S-Gold 2 (PMB 8876). Retrieved February 14, 2024 from https://www.cisa.gov/uscert/ics/advisories/ICSA-17-208-01Google Scholar
- [17] . 2019. Out of control: Stealthy attacks against robotic vehicles protected by control-based techniques. In Proceedings of the 35th Annual Computer Security Applications Conference. 660–672.Google ScholarDigital Library
- [18] . 2018. Dark Web Identity Theft Used to Steal Accident Replacement Hire Cars. Retrieved February 14, 2024 from https://www.fleetnews.co.uk/news/car-industry-news/2018/09/06/dark-web-identity-theft-used-to-steal-accident-replacement-hire-cars?utm_source=Adestra&utm_term=&utm_content=Dark+web+identity+theft+usedGoogle Scholar
- [19] . 2014. Cursory Evaluation of the Tesla Model S: We Can’t Protect Our Cars Like We Protect Our Workstations. Retrieved February 14, 2024 from https://www.dhanjani.com/blog/2014/03/curosry-evaluation-of-the-tesla-model-s-we-cant-protect-our-cars-like-we-protect-our-workstations.htmlGoogle Scholar
- [20] . 2007. A Security Assessment of Trusted Platform Modules. Retrieved February 14, 2024 from https://digitalcommons.dartmouth.edu/cgi/viewcontent.cgi?article=1052&context=senior_thesesGoogle Scholar
- [21] . 2018. Hackers can steal a Tesla model S in seconds by cloning its key fob. WIRED. Retrieved February 14, 2024 from https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/Google Scholar
- [22] . 2002. Denial of service attacks at the MAC layer in wireless ad hoc networks. In Proceedings of MILCOM 2002. IEEE, 1118–1123. Google ScholarCross Ref
- [23] . 2021. Towards practical cybersecurity mapping of stride and CWE—A multi-perspective approach. In Proceedings of the 2021 29th Conference of the Open Innovations Association (FRUCT’21). 150–159.Google ScholarCross Ref
- [24] . 2018. Spoofing attack using bus-off attacks against a specific ECU of the CAN bus. In Proceedings of the 2018 15th IEEE Annual Consumer Communications and Networking Conference (CCNC’18). 1–4.Google ScholarDigital Library
- [25] . 2018. Zingbox identifies cybersecurity threat for cars and drivers; reveals SMS-commanded malware infection to car ‘infotainment’ system. IoT Innovator. Retrieved February 14, 2024 from https://www.iotinnovator.com/zingbox-identifies-cybersecurity-threat-for-cars-and-drivers-reveals-sms-commanded-malware-infection-to-car-infotainment-system/Google Scholar
- [26] . 2006. ISO 14229:2006: Road Vehicles—Unified Diagnostic Services (UDS)—Specification and Requirements. ISO.Google Scholar
- [27] . 2018. ISO. 2018. ISO 26262-1:2018: Road Vehicles—Functional Safety: Part 1: Vocabulary. ISO.Google Scholar
- [28] . 2021. ISO/SAE 21434:2021: Road Vehicles—Cybersecurity Engineering. ISOGoogle Scholar
- [29] . 2017. Experimental Security Assessment of BMW Cars: A Summary Report. Retrieved February 14, 2024 from https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Assessment_of_BMW_Cars_by_KeenLab.pdfGoogle Scholar
- [30] . 2019. Experimental Security Research of Tesla Autopilot. Retrieved February 14, 2024 from https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Research_of_Tesla_Autopilot.pdfGoogle Scholar
- [31] . 2020. Exploiting Wi-Fi Stack on Tesla Model S. Retrieved February 14, 2024 from https://keenlab.tencent.com/en/2020/01/02/exploiting-wifi-stack-on-tesla-model-s/Google Scholar
- [32] . 2009. The STRIDE Threat Model. Retrieved February 14, 2024 from https://docs.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)Google Scholar
- [33] . 2010. Experimental security analysis of a modern automobile. In Proceedings of the 2010 IEEE Symposium on Security and Privacy. IEEE, 447–462. Google ScholarDigital Library
- [34] . 2018. Connected car data handover headache: There’s no quick fix . . . and it’s NOT just Land Rovers. The Register. Retrieved February 14, 2024 from https://www.theregister.com/2018/08/21/connected_car_data_handover_mess/Google Scholar
- [35] . 2018. Shock Land Rover discovery: Sellers could meddle with connected cars if not unbound. The Register. Retrieved February 14, 2024 from https://www.theregister.com/2018/07/27/jaguar_land_rover_connected_car_privacy/Google Scholar
- [36] . 2021. Threat analysis and risk assessment for connected vehicles: A survey. Security and Communication Networks 2021 (2021), 1–19. Google ScholarDigital Library
- [37] . 2020. ISO/SAE DIS 21434 automotive cybersecurity standard—In a nutshell. In Computer Safety, Reliability, and Security. SAFECOMP 2020 Workshops, , , , , and (Eds.).
Springer eBook Collection , Vol. 12235. Springer International Publishing, Cham, 123–135. Google ScholarDigital Library - [38] . 2015. Hacking a Tesla Model S: What We Found and What We Learned. Retrieved February 14, 2024 from https://blog.lookout.com/hacking-a-teslaGoogle Scholar
- [39] . 2019. Autonomous vehicles: State of the art, future trends, and challenges. In Automotive Systems and Software Engineering. Springer, Cham, 347–367. Google ScholarCross Ref
- [40] . 2013. Adventures in automotive networks and control units. DEF CON 21 (2013), 260–264.Google Scholar
- [41] . 2014. A survey of remote automotive attack surfaces. In Proceedings of the 2014 Black Hat USA Conference.Google Scholar
- [42] . 2015. Remote exploitation of an unaltered passenger vehicle. In Proceedings of the 2015 Black Hat USA Conference.Google Scholar
- [43] . 2016. CAN Message Injection. Retrieved February 14, 2024 from https://dl.packetstormsecurity.net/papers/attack/remote-attack-surfaces.pdfGoogle Scholar
- [44] . 2019. Made My Old Merc Put on a Small Lights Show Using an Arduino. Retrieved February 14, 2024 from https://github.com/rnd-ash/W203-canbusGoogle Scholar
- [45] . 2019. Legal GNSS spoofing and its effects on autonomous vehicles. In Proceedings of the 2019 Black Hat USA Conference.Google Scholar
- [46] . 2019. CVE-2019-14951. Retrieved February 14, 2024 from https://nvd.nist.gov/vuln/detail/CVE-2019-14951Google Scholar
- [47] . 2019. Smart alarms left 3 million cars vulnerable to hackers who could turn off motors. CNET. Retrieved February 14, 2024 from https://www.cnet.com/news/privacy/smart-alarms-left-3m-cars-vulnerable-to-hackers-who-could-turn-off-motors/Google Scholar
- [48] . 2018. Over-the-Air: How we remotely compromised the gateway, BCM, and autopilot ECUs of Tesla cars. In Proceedings of the 2018 Black Hat USA Conference.Google Scholar
- [49] . 2019. A meta language for cyber-physical systems and threats: Application on autonomous vehicle. In Proceedings of the 2019 IEEE/ACS 16th International Conference on Computer Systems and Applications (AICCSA’19). 1–8.Google ScholarCross Ref
- [50] . 2017. Practical black-box attacks against machine learning. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. 506–519. Google ScholarDigital Library
- [51] . 2021. A taxonomy of attack mechanisms in the automotive domain. Computer Standards & Interfaces 78 (2021), 103539.Google ScholarCross Ref
- [52] . 2015. Remote attacks on automated vehicles sensors: Experiments on camera and LiDAR. In Proceedings of the 2015 Black Hat Europe Conference.Google Scholar
- [53] . 2019. How I hacked Volkswagen and Skoda. A story about Volkswagen Group Car Remote Hacking. Vensis Cyber Security. Retrieved February 14, 2024 from https://blog.vensis.pl/2019/11/vw-hacking/Google Scholar
- [54] . 2015. Survey on vehicular attacks—Building a vulnerability database. In Proceedings of the 2015 IEEE International Conference on Vehicular Electronics and Safety (ICVES’15). IEEE, 208–212. Google ScholarCross Ref
- [55] . 2018. Daimler Mercedes Me App 2.11.0-846 on iOS Certificate Pinning Information Disclosure. Retrieved February 14, 2024 from https://vuldb.com/?id.125081Google Scholar
- [56] . 2020. An overview of automotive service-oriented architectures and implications for security countermeasures. IEEE Access 8 (2020), 221852–221870.Google ScholarCross Ref
- [57] . 2015. Keyless Gone: Autodiebe Tricksen Kontaktlose Schließsysteme aus. Retrieved February 14, 2024 from https://www.heise.de/select/ct/archiv/2015/26/seite-80Google Scholar
- [58] . 2016. SAE J3061: Cybersecurity Guidebook for Cyber-Physical Automotive Systems. SAE.Google Scholar
- [59] . 2006. Embedded cryptography: Side channel attacks. In Embedded Security in Cars. Springer, 187–206.Google ScholarCross Ref
- [60] . 2019. IEEM-HsKA/AAD: Automotive Attack Database (AAD) V3.0. Retrieved February 14, 2024 from https://github.com/IEEM-HsKA/AAD/blob/master/Automotive_Attack_Database_(AAD)_V3.0.dbGoogle Scholar
- [61] . 2019. Survey and classification of automotive security attacks. Information 10, 4 (2019), 148.Google ScholarCross Ref
- [62] . 2022. Attack path generation based on attack and penetration testing knowledge. In Proceedings of the 7th International Conference on Cyber-Technologies and Cyber-Systems. 36–41.Google Scholar
- [63] . 2018. Remote smart car hacking with just a phone. Medium. Retrieved February 14, 2024 from https://medium.com/@evstykas/remote-smart-car-hacking-with-just-a-phone-2fe7ca682162Google Scholar
- [64] . 2019. Lojack’d: Pwning smart vehicle trackers. Pen Test Partners. Retrieved February 14, 2024 from https://www.pentestpartners.com/security-blog/lojackd-pwning-smart-vehicle-trackers/Google Scholar
- [65] . 2022. Common Attack Pattern Enumeration and Classification (CAPEC). Retrieved February 14, 2024 from https://capec.mitre.org/index.htmlGoogle Scholar
- [66] . 2022. Common Weakness Enumeration (CWE). Retrieved February 14, 2024 from https://cwe.mitre.org/Google Scholar
- [67] . 2022. MITRE ATT&CK®. Retrieved February 14, 2024 from https://attack.mitre.org/Google Scholar
- [68] . 2016. Autonomous vehicle security: A taxonomy of attacks and defences. In Proceedings of the 2016 IEEE International Conference on Internet of Things (iThings), IEEE Green Computing and Communications (GreenCom), IEEE Cyber, Physical, and Social Computing (CPSCom), and IEEE Smart Data (SmartData). 164–170.Google ScholarCross Ref
- [69] . 2021. UN Regulation No. 155—Uniform Provisions Concerning the Approval of Vehicles with Regards to Cyber Security and Cyber Security Management System: E/ECE/TRANS/505/Rev.3/Add.154. Retrieved February 14, 2024 from https://unece.org/sites/default/files/2021-03/R155e.pdfGoogle Scholar
- [70] . 2021. UN Regulation No. 156—Software Update and Software Update Management System: E/ECE/TRANS/ 505/Rev.3/Add.155. Retrieved February 14, 2024 from https://unece.org/sites/default/files/2021-03/R156e.pdfGoogle Scholar
- [71] . 2019. Cyber-security internals of a Skoda Octavia vRS: A hands on approach. IEEE Access 7 (2019), 146057–146069.Google ScholarCross Ref
- [72] . 2013. Dismantling Megamos Crypto: Wirelessly lockpicking a vehicle immobilizer. In Proceedings of the USENIX Security Symposium. 703–718.Google Scholar
- [73] . 2018. Used cars increase identity theft chances, BBB finds. Action News. Retrieved February 14, 2024 from https://www.actionnews5.com/story/39022826/used-cars-increase-identity-theft-chances-bbb-finds/Google Scholar
- [74] . 2020. Proposals for Interpretation Documents for UN Regulation No. 155 (Cyber Security and Cyber Security Management System). Retrieved February 14, 2024 from https://unece.org/sites/default/files/2021-02/ECE-TRANS-WP29-2021-059e_0.pdfGoogle Scholar
- [75] . 2019. Fast furious and insecure: Passive keyless entry and start systems in modern supercars. IACR Transactions on Cryptographic Hardware and Embedded Systems 2019, 3 (2019), 66–85. Google ScholarCross Ref
- [76] . 2012. Towards secure vehicular clouds. In Proceedings of the 2012 6th International Conference on Complex, Intelligent, and Software Intensive Systems. 370–375.Google ScholarDigital Library
- [77] . 2014. Retrieving relevant CAPEC attack patterns for secure software development. In Proceedings of the 9th Annual Cyber and Information Security Research Conference (CISR’14). ACM, 33–36. Google ScholarDigital Library
- [78] . 2022. ThreatSurf: A method for automated Threat Surface assessment in automotive cybersecurity engineering. Microprocessors and Microsystems 90 (2022), 104461. Google ScholarDigital Library
Index Terms
- Combining Cyber Security Intelligence to Refine Automotive Cyber Threats
Recommendations
Cyber security quantification model
SIN '10: Proceedings of the 3rd international conference on Security of information and networksSecurity of information systems is a major concern today because the existing threats are getting new dimensions. Information Security (IS) is to protect our important information assets from accidental or deliberate damages. Cyber Security (CS) is a ...
Automotive Cyber Security: Lessons Learned and Research Challenges
CS2 '18: Proceedings of the Fifth Workshop on Cryptography and Security in Computing SystemsThe automotive industry is undergoing a major transformation process where everything from the car key to the vehicle diagnostics is becoming digital. Modern vehicles have several wireless interfaces, and are interconnected with various consumer devices,...
Comments