An Overview of Automotive Cybersecurity
Conference Paper · October 2015
DOI: 10.1145/2808414.2808423
An Overview of Automotive Cybersecurity: Challenges and Solution Approaches
André Weimerskirch
University of Michigan
TrustED 2015 – Trustworthy Embedded Devices
October 16, 2015
MOTIVATION

Introduction
The denial phase should be over: several teams have demonstrated that it is possible to hack critical traffic systems.

Traffic Light Controller Security
Several teams were able to hack into traffic light controller systems, highway signs, and traffic surveillance cameras [e.g. Halderman et al.]
No (direct) safety-critical vulnerabilities, so far
   It is not possible to turn all lights to green
   It might be possible to annoy people to such a degree that they start ignoring traffic laws
Vulnerabilities due to unprotected networks, missing security standards, lack of awareness, unclear responsibilities
Potential risk unclear
Aftermarket Devices
Every car sold in the US since 1996 has to have an on-board diagnostics port (OBD2)
Recent reports indicate that OBD2 dongles can be hacked
   Not really a surprise
Once an attacker has access to the OBD2 port, the attacker can inject messages that modify the behavior of the vehicle
   E.g. deactivate brakes, depending on car model

Automotive
Luckily never happened in the field so far
[Checkoway et al.] and [Miller and Valasek] demonstrated that by injecting packets into the OBD2 port, it is possible to disable brakes, turn off headlights, and take over steering (for cars equipped with a parking assistant)
[Checkoway et al.] demonstrated that it is possible to remotely hack into a car via the remote telematics connection.
[Miller and Valasek] demonstrated that it is possible to hack into a car via the Internet.
   Once they hack into the telematics or infotainment unit, the attacks are similar to the previous ones via OBD2
A mobile device attached to a vehicle infotainment system can inject malicious code.
Even an MP3 song downloaded from the Internet, burned on a CD and inserted into the infotainment unit can inject malicious code and change the vehicle behavior.
Source: Center for Automotive Embedded Systems Security
CYBERSECURITY RISKS

History of Internet Cyber Attacks
If transportation cyber security follows the path of the Internet, we might see real-world automotive cyber attacks

Should we be concerned?
There isn't much incentive to hack into a car in order to harm the passengers
No need to be concerned?
The motivation of hackers might eventually root in financial motivation. Once a hacker figures out how to hack into a vehicle for financial reasons, it's a small step (or even an accident) to abuse it in other ways.
Financial Damage
Vehicles are already hacked today, every day:
   Counterfeit black market is a gigantic problem
      Up to $45 billion damage
   Odometer rollback
      6 billion Euro damage per year in Germany
   Chip tuning
      Damage due to warranty fraud
Source: http://www.ebay.com

Theft
Increasingly based on "magic boxes"
   Disclaimer: Probably many hoaxes around!
Infrastructure
Central infotainment server could be hacked and modified to push out malware to all vehicles
Attacker searches the entire Internet IPv4 address space for vulnerable vehicles, and then attacks those
   Using ZMap [zmap.io], searching the entire IPv4 address space takes less than 5 minutes
Today and Near Future: Advanced Driver Assistance Systems
ADAS provide features such as adaptive cruise control (ACC), pre-crash systems, and automated parking.
These systems allow electronics to take control of the vehicle (e.g. steering for automatic parking or lane assistance, and accelerating and braking for ACC)
If these systems can be remotely controlled or if their behavior can be modified, there are obvious threats.
Source: http://www.mirror.co.uk/news/technology-science/technology/new-bmw-7-series-self-parks-5555297
Near Future: Connected Vehicles
Vehicle-to-vehicle (V2V) communication via wireless interface
Day-1 applications will be driver safety notifications
V2X could be used as an additional sensor for ADAS
Every vehicle will come with a standardized wireless interface with a range of at least 300 m
If the V2V wireless interface can be compromised, malware can potentially spread rapidly
Future: Automated Vehicles
Combines many ADAS/control application features (e.g. radar- and camera-based driver assistance systems) and connected vehicle technologies (wireless communication)
Combines the risks that come with ADAS and connected vehicle technology:
   Input from sensors could be manipulated (e.g. to make the car believe there is a threat)
   Control systems could be directly manipulated (e.g. to remotely control brakes and steering)
   Driver might not be able to take control if necessary
Who would ever attack vehicles?
Already today for financial gain:
   Odometer manipulation
   Chip-tuning
To collect privacy-sensitive data
Attacks on functional safety will probably follow the Internet history:
   Curiosity and "fame"
   Targeted paid attacks (driven by illegal business models)
   Organized actions (driven by illegal business models)
Note: The majority of safety-critical attacks probably do not even target safety but are "accidents" of flawed attacks with a financial background.
What's special about cars?
   More than 50 million lines of code
   50+ electronic control units (ECUs)
   Several miles of wire
   Wireless and wired interfaces
   Safety-critical systems
   Lifetime of a vehicle at least 10 years; life-cycle much slower than IT and entertainment.
   But also increasingly similar to other embedded systems and PCs: embedded Linux, Windows, Bluetooth, software updates, etc.
Common vulnerabilities will increasingly apply to vehicles
Common countermeasures can be applied as well
SOLUTION APPROACHES

Security Solutions: Defense in Depth
Layered diagram spanning in-vehicle systems and the back-end (legend: Common / Coming / R&D):
   Secure platform development
   Secure applications and secure access: secure diagnostics
   Application Layer (integrity of applications): secure software update, secure boot, hardened OS
   Operating System (secure operating environment): secure OS, micro-kernel, virtualization
   Hardware Layer (support for higher layers): secure boot, theft protection, secure data and key storage (e.g. for odometer)
   Architecture: secure in-vehicle communication, dedicated central gateway, firewall and intrusion detection system
Hot Topics: Secure Hardware
Basis for many security applications
EVITA Full: V2X (one per car)
HSM - EVITA Medium: for advanced ECUs (gateway, head-unit, engine control)
   Available 2014/2015
SHE - EVITA Light: for sensors, actuators, …
   Already available
Hot Topics: Secure Software Update
There is a need to load/update software over-the-air in a secure manner
   Fix safety issues
   Introduce new features
(More or less) understood for infotainment and already offered
Details not well understood for non-infotainment ECUs
   E.g., how to update 50 components?
Diagram (numbered steps in the slide): (1) software development produces the program code; (2) the trust center, using its private key on a secured computer, produces a digital signature; (3) the signature is attached to the program code; (4) the signed package is stored in a database; (5) it is delivered to the ECU; (6) the ECU performs signature verification with the trust center's public key.
Hot Topics: Authenticated CAN
Prevent packet injection and manipulation, e.g.
   Protect against forged sensor data
   Component theft protection / immobilizer
   Authenticated ECU-to-ECU communication
Identifier Anonymized CAN
   Use sender authentication (instead of message authentication) to save bytes in payload
Frame layout utilizing the CAN ID field (diagram): the 11-bit ID field carries the priority bits followed by an authentication identifier (AID); the 0-64 bit payload carries the AID, the data and an optional MAC; the CTL and CRC fields are unchanged. The AID protects against replay and injection; the optional MAC protects against modification.
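An added illustration of the AID-in-ID-field idea, written for this overview and not taken from the slides or from any production Authenticated CAN implementation: the 8-bit AID width, the HMAC-SHA256 derivation from a per-sender key and a frame counter, the 16-bit truncated MAC and the 8-frame replay window are all this example's assumptions.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

# Assumed layout: 11-bit CAN ID = 3 priority bits + 8-bit AID; the payload is
# the data followed by an optional 2-byte MAC. Widths are illustrative only.
AID_BITS, MAC_LEN = 8, 2


@dataclass
class Frame:
    can_id: int    # 11-bit identifier: priority bits followed by the AID
    data: bytes    # payload (up to 6 bytes here) followed by the truncated MAC


def aid(key: bytes, sender: int, counter: int) -> int:
    """Authentication identifier: truncated HMAC over (sender, counter)."""
    tag = hmac.new(key, struct.pack(">BI", sender, counter), hashlib.sha256).digest()
    return tag[0]


def mac(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """Optional payload MAC; binds the data to the ID and the counter."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, sender: int, priority: int):
        self.key, self.sender, self.priority, self.counter = key, sender, priority, 0

    def send(self, payload: bytes) -> Frame:
        can_id = (self.priority << AID_BITS) | aid(self.key, self.sender, self.counter)
        frame = Frame(can_id, payload + mac(self.key, can_id, self.counter, payload))
        self.counter += 1   # fresh AID per frame, so a replayed frame no longer matches
        return frame


class Receiver:
    def __init__(self, key: bytes, sender: int, window: int = 8):
        self.key, self.sender, self.window, self.counter = key, sender, window, 0

    def accept(self, frame: Frame) -> bool:
        """True only for a fresh frame from the keyed sender with intact data."""
        payload, tag = frame.data[:-MAC_LEN], frame.data[-MAC_LEN:]
        # Try the next few counters so a lost frame does not desynchronise us.
        for c in range(self.counter, self.counter + self.window):
            if aid(self.key, self.sender, c) != frame.can_id & ((1 << AID_BITS) - 1):
                continue
            if hmac.compare_digest(tag, mac(self.key, frame.can_id, c, payload)):
                self.counter = c + 1   # advance past this frame: a replay now fails
                return True
        return False   # injected (wrong key), replayed (old counter) or modified
```

With only 8 AID bits a forged frame matches by chance with probability 1/256 per tried counter, which is the price of saving payload bytes; the optional MAC is what closes that gap where the payload budget allows it.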
Hot Topics: Separated Architecture, Firewall and IDS
Diagram: the external interfaces (OBD2, telematics, infotainment) each pass through a filter before reaching the central gateway (CGW), which applies filter + IDS and reports attack patterns; behind the CGW the ECUs communicate over authenticated CAN with their own filter (+ IDS), exchange an "OK" ping, and fall back to a fail-safe mode on failure.
Especially useful with a central gateway architecture that separates safety-critical network segments from external interfaces
Protects safety-critical systems if the infotainment system has been compromised
Protects vehicle electronics from attacks via OBD2, or from a compromised OBD2 (e.g. insurance) dongle
Firewall and IDS
Detect and log attack attempts
Possibly react after a successful intrusion to stop the attack early (e.g. separate any communication between safety-critical network segments)
UMTRI is working on a test platform and framework
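A minimal central-gateway filter with a cycle-time IDS, added here to illustrate the "filter + IDS, report attack pattern, fail-safe mode" flow above; it is not UMTRI's framework or any project's code, and the allow-list, cycle times, burst threshold and the frame trace are constructed assumptions.

```python
from collections import Counter

# Constructed policy (not from the slides): which CAN IDs each external
# interface may forward into the safety-critical segment, and the expected
# cycle time in ms of periodic frames on that segment.
ALLOW = {"obd2": {0x7DF, 0x7E0}, "infotainment": set()}
CYCLE_MS = {0x1A0: 10.0, 0x2C0: 20.0}


class CentralGateway:
    """Filter external interfaces and run a cycle-time IDS on the internal bus."""

    def __init__(self, allow=ALLOW, cycle_ms=CYCLE_MS, burst_limit=3):
        self.allow, self.cycle_ms, self.burst_limit = allow, cycle_ms, burst_limit
        self.last_ok = {}        # can_id -> timestamp of the last accepted frame
        self.hits = Counter()    # can_id -> consecutive too-early frames
        self.alerts = []         # the "report attack pattern" log
        self.fail_safe = False   # set once an injection burst is confirmed

    def handle(self, ts: float, src: str, can_id: int) -> str:
        """Decide 'forward', 'drop' or 'fail-safe' for one frame."""
        # 1. Filter: frames from external segments must be on the allow-list.
        if src in self.allow and can_id not in self.allow[src]:
            self.alerts.append(f"{ts:.1f} ms: {src} sent filtered ID 0x{can_id:03X}")
            return "drop"
        # 2. IDS: a periodic ID arriving far faster than its cycle time means a
        #    second sender is competing with the legitimate ECU.
        cycle = self.cycle_ms.get(can_id)
        if cycle is not None and can_id in self.last_ok:
            if ts - self.last_ok[can_id] < cycle / 2:
                self.hits[can_id] += 1
                if self.hits[can_id] >= self.burst_limit:
                    self.alerts.append(f"{ts:.1f} ms: injection burst on 0x{can_id:03X} via {src}")
                    self.fail_safe = True   # signal the ECUs to enter fail-safe mode
                    return "fail-safe"
                return "drop"
            self.hits[can_id] = 0   # cadence is normal again
        self.last_ok[can_id] = ts
        return "forward"


def run(trace, gateway=None):
    """Feed (timestamp_ms, source_segment, can_id) tuples; return action counts."""
    gateway = gateway or CentralGateway()
    return Counter(gateway.handle(*frame) for frame in trace), gateway


# Constructed trace: a periodic 0x1A0 frame every 10 ms, one legitimate OBD2
# diagnostic request, one OBD2 frame carrying a powertrain ID, then a burst of
# 0x1A0 frames at 1 ms spacing on the internal bus.
TRACE = [
    (0.0, "powertrain", 0x1A0), (10.0, "powertrain", 0x1A0),
    (12.0, "obd2", 0x7DF), (15.0, "obd2", 0x1A0),
    (20.0, "powertrain", 0x1A0), (30.0, "powertrain", 0x1A0),
    (31.0, "powertrain", 0x1A0), (32.0, "powertrain", 0x1A0),
    (33.0, "powertrain", 0x1A0), (40.0, "powertrain", 0x1A0),
]
```

Running `run(TRACE)` forwards the six in-cadence frames, drops the OBD2 frame with a powertrain ID and the first two burst frames, and raises fail-safe on the third, leaving two entries in the attack-pattern log.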
Hot Topics: Connected Vehicle Security
32,000 deaths on the road in the US in 2012
Significant reduction may be possible from V2V wireless communications for 360° warning applications.
   300 m range, 802.11-derived medium access
   Basic Safety Message (BSM): location, velocity, steering angle…
   Allows receiving unit to predict collisions
   Warn driver; driver action can prevent or reduce impact of collision
USDOT (NHTSA) announced Feb. 3rd, 2014, to move on with the process of mandating this system for inclusion in new light vehicles
Connected Vehicles
To enforce security in V2X systems we need to ensure that
   a message originates from a trustworthy and legitimate device
   a message was not modified between sender and receiver
Central authority (Public Key Infrastructure) as trust anchor
Digital signatures to guarantee integrity
Change credentials on a regular basis to prevent tracking
SCMS Overview
Components in the diagram: SCMS Manager (Policy and Technical); Certification Services comprising Root CA, Intermediate CA, Enrollment CA and Pseudonym CA; Misbehavior Authority with Internal Blacklist Manager, Global Detection and CRL Generator; CRL Store and CRL Broadcast; Linkage Authority 1 and Linkage Authority 2; Request Coordination; Registration Authority; Device Config. Manager; Location Obscurer Proxy; Device 1, Device 2, Device 3.
Privacy against insiders and outsiders
   Separation of SCMS duties and information: a single SCMS component cannot link any two certificates to the same device (no tracking)
   No information stored within SCMS that links certificates to a particular device, vehicle or owner
   Registration Authority (RA) shuffles all requests from devices
   Location Obscurer Proxy (LOP) acts as anonymizer proxy
   Butterfly keys to minimize effort of device
   Efficient privacy-preserving revocation
Safety Pilot Model Deployment
   Conducted by UMTRI
   More than 2,800 vehicles equipped with DSRC wireless communication devices in a concentrated geographic area (Ann Arbor)
   Equipped roadside units.
   Full-blown cybersecurity tested.
Hot Topics: Automated Cars
Safety: safe platoon
   Redundant sensors
Secure platoon
   Redundant sensors and confidence levels (V2V)
On-going work on whether cybersecurity is the limiting factor
Mobility Transformation Center and M City
MTC
   20,000 secure connected vehicles in South East Michigan
   2,000 secure automated vehicles in Ann Arbor by 2021
Public-private partnership of car makers, suppliers, chip makers, insurance companies, MDOT, etc.
Cybersecurity identified as cross-layer topic
Conclusions
Automotive cybersecurity is real
   Attackers will likely not target safety but seek financial profit.
   Attackers might accidentally impact safety.
   If automotive cybersecurity follows the Internet history, we will see attack waves in the future.
Automotive cybersecurity is unique
There is no one-size-fits-all cybersecurity solution, but a good security design follows a defense-in-depth strategy
Future technologies will require new cybersecurity solutions
Contact
Dr. André Weimerskirch
2901 Baxter Road, Ann Arbor, MI 48109
Email: andrewmk@umich.edu
Office: 734-936-1046
Mobile: 734-474-5255