Received October 26, 2021, accepted November 14, 2021, date of publication November 23, 2021, date of current version December 16, 2021.

Digital Object Identifier 10.1109/ACCESS.2021.3130495

Vehicle Security: A Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

ABDULRAHMAN ABU ELKHAIL¹, (Member, IEEE),
RAFI UD DAULA REFAT¹, (Graduate Student Member, IEEE),
RICARDO HABRE¹, AZEEM HAFEEZ¹, ANYS BACHA², (Member, IEEE),
AND HAFIZ MALIK¹, (Senior Member, IEEE)
¹ Electrical and Computer Engineering Department, University of Michigan–Dearborn, Dearborn, MI 48128, USA
² Computer and Information Science Department, University of Michigan–Dearborn, Dearborn, MI 48128, USA
Corresponding author: Anys Bacha (bacha@umich.edu)
This work was supported in part by the National Science Foundation under Grant CNS-1947580 and Grant CNS-2035770, and in part by
the Deputyship for Research and Innovation, Ministry of Education in the Kingdom of Saudi Arabia (KSA), under Project DRI-KSU-934.

ABSTRACT Recent years have led the path to the evolution of automotive technology and with these new
developments, modern vehicles are getting increasingly astute and offering growing quantities of innovative
applications that cover various functionalities. These functionalities are controlled by hundreds of Electronic
Control Units (ECUs) which are connected to each other via the Control Area Network (CAN) bus. Although
ECUs are designed to offer various amenities that are associated with modern vehicles including comfort,
such features expose new attack surfaces that can be harnessed by attackers. This trend is exacerbated by
the fact that many of these ECUs rely on wireless communication for interacting with the outside world,
making them vulnerable to common threats such as malware injection that can compromise
the overall security of modern vehicles. In this paper, we provide a detailed description of the architecture
associated with intelligent vehicles, and identify various security issues and vulnerabilities that impact such
systems. We provide an overview of different malware types and the vectors of attacks they leverage for
infecting modern vehicles. This work also presents a detailed survey of available defenses against such
attacks including: signature, behavior, heuristic, cloud, and machine learning-based detection measures.
Furthermore, this paper intends to assist researchers in becoming familiar with the available defenses and how
they can be applied to secure intelligent vehicles against emerging malware threats that can compromise the
security of today’s vehicles. It also provides future directions for researchers who are interested in developing
new defenses that can safeguard intelligent vehicles systems against malware attacks.

INDEX TERMS Vehicle security, vulnerabilities, security issues, malware, intelligent vehicle, malware
detection, intrusion detection system, defense system, cybersecurity.
The associate editor coordinating the review of this manuscript and approving it for publication was Yan Huo.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 9, 2021 162401
A. A. Elkhail et al.: Vehicle Security: Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

I. INTRODUCTION
Vehicle systems have seen a great transformation since the previous decade in many aspects going from vehicle control to telematics and advanced driver help frameworks. Vehicular systems have seen plenty of additions and increased their complexity of using the ECUs to provide many improvements in terms of functionality and comfort [1]. With the increase in usage of ECUs in vehicle systems, functionalities have improved, but they have also left vehicles more susceptible to cyberthreats, making them more vulnerable to cyber attacks. For instance, with physical access to a vehicle, an attacker can inject malicious messages into the CAN bus, modify and read an ECU via vulnerable interfaces such as CD players, USB and OBD-II [2]. To demonstrate this, some researchers have sent fake messages over the in-vehicle networks to different ECUs, read ECU memory and ECU security keys, read and altered ECU programming, and controlled a wide scope of vehicle functions with ease [3]. Such attacks can cause severe repercussions on the vehicle system tasks and also bring great danger to the safety of the drivers.

On the other hand, with the development of wireless technologies such as Bluetooth, Wi-Fi, Cellular, LTE, and 5G, vehicles can no longer be considered as closed systems, as they are increasingly equipped with functionalities that interact with the environment through these technologies, which can be exposed to attacks over-the-air (OTA) [4]. For example, security keys have been used by vehicle key fobs in order to hack a live system [5]. Radio signals are another way for hackers to breach security and in a few instances, researchers were able to transmit radio signals from a key fob to the car without disrupting any security keys, allowing attackers to simply unlock doors and steal or burglarize the vehicle [6]. Another very common way for hobbyists to mishandle systems is by tampering with the tire pressure monitoring systems (TPMS) where one can set false readings to send out bogus warnings, causing confusion to the driver [7]. Also, the authors of [1]–[3], [8] were able to inject malicious firmware into a vehicle's OTA system while performing an ECU firmware update. Additionally, researchers could hack into the steering and brakes of two cars [9]. In another report, a team of hackers was able to hack a Tesla Model S remotely from a distance of 12 miles [10]. Other work by Miller and Valasek [11] showed how to remotely hack and stop a Jeep Cherokee running on a highway, which led to a recall of 1.4 million vehicles. Another example is provided by Cai et al. [12], which revealed multiple vulnerabilities in numerous BMW models including the ability to compromise ECUs connected through CAN over a wireless connection. Such a reality concerning vehicle attacks makes automotive security one of the most critical issues.

Many attacks that previously could take place through physical access only can now be easily carried out remotely with the help of wireless technologies, allowing attackers to breach into the vehicle systems with the possibility of extending such attacks to multiple vehicles through daisy chaining. One severe threat to intelligent vehicles is malware, which is malicious software designed to obtain unauthorized access to data or disrupt computer operations. Malware can infect intelligent vehicles through a variety of vulnerabilities, including wireless communication with roadside networks, vehicle-based Wi-Fi hotspots, and internet connectivity. Another common vector of attack is concerned with malware-infected consumer electronic devices such as cell phones, iPods, and laptops that can be physically or wirelessly connected to the vehicle and in turn used to exchange files between vehicles. Vulnerabilities in onboard communication systems, software, and hardware designs [2], [8], [13] can also be abused by malware to infect a vehicle. Malware can cause a wide range of disturbances and harm to the vehicle system once it is inside the vehicle [1]–[3], [8]. Some examples of how malware affects the vehicle's normal operation are: toying with the general features of the vehicle causing driver distraction, disrupting standard functions of the vehicle like messing with the in-car radio so that the driver cannot switch it on, locking the car's features, illegitimately occupying memory space and CPU cycles, mishandling of data and invading privacy, and disabling safety features of the vehicle. The aforementioned examples underscore that intelligent vehicular systems are a high priority that must be appropriately handled in order to effectively safeguard them.

After offering a detailed description of the intelligent vehicle's architecture, this paper discusses the security issues and vulnerabilities that intelligent vehicles face. It also gives an overview of malware attacks and examines the many forms of malware that might infiltrate intelligent vehicles, as well as the malware's probable methods of infection. It also provides a comprehensive survey of available malware defense systems, categorizing them into five categories: signature-based malware detection techniques, behavior-based malware detection techniques, heuristic-based malware detection techniques, cloud-based malware detection techniques, and machine learning-based malware detection techniques. It also discusses the upsides and downsides of every defense system against malware attacks and the various strategies that are utilized in these defense systems. This paper aims to aid researchers in developing a broad understanding of malware protection systems that are available for protecting such systems. It also identifies potential research directions for researchers to pursue in order to increase the intelligent vehicle system's resistance against malware attacks. To the best of our knowledge, this is the first study that offers a detailed survey of the most recent existing malware defense systems and assesses the benefits and drawbacks of deploying such defenses onto intelligent vehicle systems.

Overall, this paper makes the following contributions:
• Provides an in-depth description of the intelligent vehicle system's architecture.
• Describes the most prevalent types of malware that might infiltrate the intelligent vehicle system.
• Identifies the issues and vulnerabilities that intelligent vehicles face in terms of security.
• Discusses all possible entry points for malware to infect the intelligent vehicle system.
• Presents a detailed survey of the most recent malware detection techniques in the last decade and discusses the upsides and downsides of applying such techniques to the intelligent vehicle system.
• Provides researchers with prospective study areas for improving the intelligence of vehicle systems and making them more resistant to malware attacks.

Overall, this paper represents an effort of understanding how malware attacks affect vehicle systems and the best practices undertaken for building safer and sturdier systems. The paper is organized as follows: Section II gives a detailed description of the architecture of intelligent vehicles. Section III identifies the security issues and vulnerabilities of intelligent vehicles. Section IV provides an overview of malware attacks and discusses the main kinds of malware that can infect intelligent vehicles, as well as the malware's possible ways of infection. Section V discusses existing malware defense techniques, as well as their pros and cons. Section VI discusses research problems for researchers to address and provides future directions along with some recommendations for developing a more effective malware defense system for intelligent vehicles; and Section VII concludes.

II. THE ARCHITECTURE OF THE INTELLIGENT VEHICLE
Driver assistance technology is the new future in the automotive industry. Automotive companies are leaning towards developing intelligent connected vehicles that are capable of assisting the driver by including safety features like lane-keeping assist, adaptive cruise control, brake collision, etc. However, such technologies require a high-speed communication protocol that is suitable for all advanced Electronic Control Units (ECUs). For this particular reason, the architecture of intelligent vehicles must be designed in a way such that all the different ECU modules are able to communicate with less complexity [14]. In other words, the architecture of intelligent vehicles requires a technological upgrade with respect to in-vehicle network architecture, computational platforms and sensors. The architecture of the intelligent vehicle is shown in Figure 1.

FIGURE 1. The intelligent vehicle architecture.

A. IN-VEHICLE NETWORK ARCHITECTURE
To have a better comprehension of the threats that ECUs face against hackers, it is worth having an understanding of the communication protocol between the ECUs that could serve as a potential entry point for the hacker [15]. The Controlled Area Network (CAN) bus was developed in 1983 by an automotive company called Bosch [16]. This protocol has now made it possible for different ECUs to communicate in a fast and reliable manner. The CAN bus has provided a durable and inexpensive solution that allows ECUs to communicate with each other using a single CAN interface instead of analog and digital inputs [16].

Each ECU transmits CAN frames to the receiver labeled by an arbitration ID. All connected ECUs receive the frames, but each ECU decides whether or not it can accept the frame depending on the arbitration ID. Previously used electronic architecture technologies weren't able to allow much space for different ECUs in intelligent vehicles. With the help of the CAN bus, intelligent vehicle manufacturers are now able to fit many more ECUs while minimizing the complexity of wiring [16]. Figure 2 illustrates different ECUs and how they are connected to various electronic subsystems.

FIGURE 2. In-vehicle network architecture.

Each and every subsystem that we can see in Figure 2 has multiple ECUs that are responsible for controlling specific functionality in the vehicle [1]. Through a high-speed communication protocol (CAN), different ECUs in different subsystems are able to communicate with each other. Different subsystems use different types of subnetworks depending on the time sensitivity of each subsystem [15]. For instance, time-sensitive engine control, power-train, and safety subsystems use the high speed controlled area network (CAN) whereas less safety-critical subsystems such as seats and windows motor control use a Local Interconnect Network (LIN) [14], [15]. The Automotive Ethernet (AE) and the Media Oriented System Transport (MOST) are used in the In-Vehicle Infotainment (IVI) subsystem to control car radio, navigation system, Bluetooth, etc. [14], [15], [17]. The MOST network is isolated from electromagnetic interference because it utilizes plastic optical fibers as its physical layer which stops problems like buzzing noises in the infotainment system [14]. The AE has a great advantage when it comes to bandwidth capacity since it can support up to 100 Mbps that is slated to increase to nearly 1 Gbps in the near future [14]. In general, the AE is considered to be approximately 100 times faster than the CAN protocol. Therefore, it would be a good choice to replace CAN with Ethernet; however, due to the fact that Ethernet's cost per ECU is higher than CAN, it will most likely not replace but rather get added on to it [18]. FlexRay is another in-vehicle network that has high transmission rates and is used to obtain a good control system. FlexRay supports drive-by-wire systems such as steer-by-wire and brake-by-wire which also require great error management to perform as a great driver assistance system. The specification of the in-vehicle network buses is shown in Table 1.

Intelligent vehicles nowadays offer access to an in-vehicle network system to keep track of messages over this system through the On-Board Diagnostics (OBD-II) port in order to provide diagnostic reports. The intelligent vehicles are also provided with an entertainment system with either a USB connectivity option or a CD player. These options enable the users to synchronize and access entertainment content from their mobile devices and play or view them on the vehicle's entertainment systems. Besides, remote key entries and RFID car keys are other modern car technologies that have been largely applied to intelligent vehicles. These technologies can be used to access vehicle functions such as door opening and flashlights and, in some recent cases, are even used to access ignition functions. In addition, the technology of intelligent vehicles nowadays has tremendously shifted towards connecting the in-vehicle network subsystem to the outside world through WiFi, Bluetooth, and cellular networks such as LTE, 3G, 4G, and now 5G [20]. For example, a cell phone can now connect to the infotainment system of the vehicle wirelessly, using Bluetooth connectivity that allows the infotainment system to use Apple CarPlay and Android Auto through the connected phone. Furthermore, WiFi and 5G can be used to offer functionalities like Global Positioning System (GPS), digital radio and traffic messages. Additionally, the telematics unit allows the car to communicate with 3G, 4G, and now 5G networks. It can send and receive telematics data, communicate with back-end cloud servers, and allow access to the internet. Moreover, Dedicated Short Range Communications (DSRC) is an on-board vehicle unit that is developed to establish short-range communications between Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) as well. DSRC offers great autonomous technology services by allowing vehicles to exchange information either with each other or with the infrastructure such as roadside units that are surrounding the vehicle. DSRC utilizes radio frequency (RF) channels to achieve this communication [21].


TABLE 1. The in-vehicle network buses specification [19].

CAN Bus: The CAN bus is a standard communication protocol that is currently the most commonly used in the in-vehicle networks. It is a broadcast-based protocol that provides up to 1Mb/s data rate on a single bus and it enables ECUs to exchange messages between them to control the process of vehicle components. The CAN protocol adopts Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) which prevents collisions on the bus when several ECUs compete for access to the bus since all nodes share the same bus. It also does not have an addressing scheme like the TCP/IP protocol. Therefore, when ECUs broadcast their CAN message frames on to the bus, each message frame is allocated a unique identifier, known as the CAN ID or the arbitration ID, which defines the priority and the content of the message frame. If two or more ECUs attempt to send messages simultaneously, the message with the smallest ID has the highest priority to transmit the message first. The CAN ID range starts from 0x000 to 0x7FF for the standard identifier field which has 11 bits.

In general, the message frames transmitted on the CAN bus are divided into four major types: the remote frame, the overload frame, the data frame and the error frame. Among these, the remote frame is used to enable the receiving ECU to request the data from a specific ECU, the overload frame is utilized to inform that the source ECU cannot receive the data, and the error frame is utilized to inform other ECUs regarding the error that happened. The Data Frame is used to carry the data from the transmitter ECU to the receiver ECU. The Data Frame is composed of the start of frame (SOF) field, which contains one dominant bit and informs a start of transmission to all ECUs; the arbitration field, which consists of 11 bits as an identifier and one bit as remote transmission request (RTR) and characterizes the priority and the type of the frame; the control field, which consists of two reserved bits and four bits as data length code (DLC); and the data field, which includes the actual data in a range of 0 to 64 bytes. In addition, it contains the cyclic redundancy check (CRC) field, which consists of 15 bits as CRC and 1 bit as CRC delimiter and performs the data error detection; the ACK field, which consists of one bit as ACK part and one bit as ACK delimiter part; and the end of frame, which consists of 7 bits and indicates the end of the CAN frame by a recessive bit flag [22]. Figure 3 shows the structure of the CAN frame.

FIGURE 3. Structure of CAN frame.

B. INTELLIGENT VEHICLES' COMPUTATION PLATFORMS
The vehicle's computation platform plays an important role in high intelligent vehicle systems to make sure that the autonomous technology process is smooth, robust, and efficient. Millions of lines of code must get executed in order to accomplish different intelligent algorithms and autonomous functionalities. Generally, Digital Signal Processors (DSPs) and Micro-controller Units (MCUs) are used for signal processing to establish several vehicle functions.
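
Added example, not code from the paper: a C sketch of the data frame layout and the smallest-ID-wins arbitration described in the CAN Bus paragraphs of Section II-A above, including the CRC check that rejects a corrupted frame. It assumes classical CAN with at most 8 data bytes, omits bit stuffing, and uses the standard CAN CRC-15 generator, which the paper does not spell out; `can_fields`, `can_build`, `can_parse`, `can_crc15` and `can_arbitrate` are hypothetical names and the sample IDs and payload are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAN_MAX_DATA 8                        /* assumption: classical CAN payload limit */
#define CAN_MAX_BITS (44 + 8 * CAN_MAX_DATA)  /* frame length without bit stuffing */

struct can_fields {   /* hypothetical container for the decoded fields */
    uint16_t id;      /* 11-bit arbitration ID, 0x000..0x7FF */
    uint8_t rtr;      /* 1 = remote frame, which carries no data field */
    uint8_t dlc;      /* data length code */
    uint8_t data[CAN_MAX_DATA];
};

/* Write the low n bits of v, most significant first; return the new position. */
static size_t put_bits(uint8_t *bits, size_t pos, uint32_t v, int n) {
    for (int i = n - 1; i >= 0; i--) bits[pos++] = (uint8_t)((v >> i) & 1u);
    return pos;
}

/* Read n bits, most significant first, advancing *pos. */
static uint32_t get_bits(const uint8_t *bits, size_t *pos, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 1) | bits[(*pos)++];
    return v;
}

/* CAN CRC-15, generator x^15+x^14+x^10+x^8+x^7+x^4+x^3+1 (0x4599). */
uint16_t can_crc15(const uint8_t *bits, size_t nbits) {
    uint16_t crc = 0;
    for (size_t i = 0; i < nbits; i++) {
        unsigned feedback = bits[i] ^ ((crc >> 14) & 1u);
        crc = (uint16_t)((crc << 1) & 0x7FFF);
        if (feedback) crc ^= 0x4599;
    }
    return crc;
}

/* Serialize a frame, one bit per element (0 = dominant, 1 = recessive).
 * Returns the number of bits written, or 0 if a field is out of range. */
size_t can_build(const struct can_fields *f, uint8_t *bits) {
    if (f->id > 0x7FF || f->rtr > 1 || f->dlc > CAN_MAX_DATA) return 0;
    size_t p = put_bits(bits, 0, 0, 1);             /* SOF: one dominant bit */
    p = put_bits(bits, p, f->id, 11);               /* arbitration: identifier */
    p = put_bits(bits, p, f->rtr, 1);               /* arbitration: RTR */
    p = put_bits(bits, p, 0, 2);                    /* control: two reserved bits */
    p = put_bits(bits, p, f->dlc, 4);               /* control: DLC */
    for (int i = 0; !f->rtr && i < f->dlc; i++) p = put_bits(bits, p, f->data[i], 8);
    p = put_bits(bits, p, can_crc15(bits, p), 15);  /* CRC over SOF..data */
    p = put_bits(bits, p, 1, 1);                    /* CRC delimiter */
    p = put_bits(bits, p, 0, 1);                    /* ACK slot (acknowledged) */
    p = put_bits(bits, p, 1, 1);                    /* ACK delimiter */
    return put_bits(bits, p, 0x7F, 7);              /* EOF: seven recessive bits */
}

/* Decode and validate a frame. Returns 0 if well formed, otherwise
 * -1 length or SOF, -2 DLC, -3 CRC mismatch, -4 delimiter or EOF. */
int can_parse(const uint8_t *bits, size_t nbits, struct can_fields *out) {
    size_t p = 1;
    if (nbits < 44 || nbits > CAN_MAX_BITS || bits[0] != 0) return -1;
    out->id = (uint16_t)get_bits(bits, &p, 11);
    out->rtr = (uint8_t)get_bits(bits, &p, 1);
    p += 2;                                         /* skip the reserved bits */
    out->dlc = (uint8_t)get_bits(bits, &p, 4);
    if (out->dlc > CAN_MAX_DATA) return -2;
    size_t ndata = out->rtr ? 0 : out->dlc;
    if (nbits != 44 + 8 * ndata) return -1;
    for (size_t i = 0; i < ndata; i++) out->data[i] = (uint8_t)get_bits(bits, &p, 8);
    uint16_t expected = can_crc15(bits, p);
    if (get_bits(bits, &p, 15) != expected) return -3;
    for (size_t i = 0; i < 10; i++)                 /* delimiters and EOF, not the ACK slot */
        if (i != 1 && bits[p + i] != 1) return -4;
    return 0;
}

/* Bitwise arbitration on the wired-AND bus: a node that sends recessive while
 * another sends dominant backs off. Returns the winner's index, or -1. */
int can_arbitrate(const uint16_t *ids, size_t n) {
    if (n == 0 || n > 32) return -1;
    uint32_t active = (n == 32) ? 0xFFFFFFFFu : ((1u << n) - 1u);
    for (int b = 10; b >= 0; b--) {                 /* identifier is sent MSB first */
        uint32_t recessive = 0;                     /* nodes sending 1 on this bit */
        for (size_t i = 0; i < n; i++) if ((ids[i] >> b) & 1u) recessive |= 1u << i;
        if (active & ~recessive) active &= ~recessive;
    }
    for (size_t i = 0; i < n; i++) if ((active >> i) & 1u) return (int)i;
    return -1;
}

int main(void) {
    struct can_fields f = {0x123, 0, 3, {0xDE, 0xAD, 0x42}}, g;  /* constructed sample */
    uint16_t ids[] = {0x2A0, 0x123, 0x7FF, 0x124};              /* constructed IDs */
    uint8_t bits[CAN_MAX_BITS];
    size_t n = can_build(&f, bits);
    printf("bits=%zu parse=%d winner=%d\n", n, can_parse(bits, n, &g), can_arbitrate(ids, 4));
    bits[20] ^= 1;  /* corrupt one data bit: the CRC check rejects the frame */
    printf("after bit flip: parse=%d\n", can_parse(bits, n, &g));
    return 0;
}
```

None of the fields identifies or authenticates the sender: a frame that passes `can_parse` is only shown to be well formed and uncorrupted, so a receiver accepts it on the arbitration ID alone.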


Furthermore, DSPs are capable of establishing more complicated applications that demand high quality processing capacity and integration such as Advanced driver-assistance systems (ADAS) [14]. Moreover, a robust and advanced computation platform such as Graphics Processing Units (GPUs) and Field-Programmable Gate Arrays (FPGAs) must be implemented to ensure the efficiency of the autonomous system. GPUs are a great way to perform various types of image processing which could improve obstacle detection algorithms, traffic signs, and all the ADAS functionalities. FPGAs are also useful for similar computations with less energy consumption [14], [23].

Looking at the software system of the computation platform, the automotive industry uses many open systems such as OSEK, JASPAR, and VDX. However, they fail to be reusable for the advanced ECUs. Automotive Open System Architecture (AUTOSAR) is also another open system that is developed to divide the associated hardware from the application software. This open system also requires additional development to further assist the artificial intelligence and machine learning algorithms [14], [24]. Software updates over-the-air (OTA) are also important and highly recommended to be implemented even after the vehicle is sold to the customer to keep the operating systems up to date and bring the latest features to the consumer.

C. SENSORS IN INTELLIGENT VEHICLES
As vehicles are becoming more technologically advanced in order to achieve fully autonomous self-driven cars, intelligent vehicles are using various types of sensors to achieve autonomous vision. Therefore, fusing these sensors together is an excellent way to ensure great autonomous stoutness. Some of the main physical sensors that are used include:
• High-resolution Camera: A high-resolution camera is used to detect various different shapes that help in self-driven car technology. Through different stages of image processing, and through the camera, the system is able to detect lines in the road that help the vehicle stay on course, as well as properly yield to other cars, pedestrians, and any surrounding traffic signs. However, cameras alone are insufficient for detecting distances between the intelligent vehicle and the objects that surround it, be it another car, an obstacle, or a traffic sign. A great solution for this is to fuse it with a LiDAR or a RADAR sensor.
• LiDAR: A Light Detection and Ranging (LiDAR) sensor uses light in the form of a pulsed laser to map out the surroundings of the intelligent vehicle at the speed of light, namely 300 000 km/s. With the use of LiDAR, intelligent vehicles are able to easily detect distances between all the objects surrounding them.
• Ultrasonic: This sensor is also known as sonar. It is considered to be an electronic device that utilizes echolocation to identify if an object is within range of the sensor [25]. It can detect any object in its range by transmitting and receiving ultrasound waves. It also has the ability to measure the distance from the vehicle to a target object by utilizing the time taken by the signal to return back to the ultrasonic sensor after emitting it. However, ultrasonic sensors have a blind zone created due to nearness and common obstruction which may cause incorrect readings. Furthermore, materials with sonic wave dampening abilities like acoustic foam have the tendency to compromise the readings from ultrasonic sensors [26].
• RADAR: Millimeter-wave RADAR technology is very commonly used in intelligent vehicles. The RADAR is designed to obtain distances as far as 250 meters, making adaptive cruise control and collision avoidance very reliable [27]. A major advantage of RADAR lies in its capability to penetrate nontransparent materials such as dust, smoke, snow and fog [14]. RADAR is able to detect distances irrespective of the weather condition of the operating environment. However, one disadvantage of RADAR is the low side view it has which puts a limitation on its horizontal view [28], [29]. One way to solve this issue is by implementing a monocular camera which helps in improving accuracy and precision [14], [30].
• Intelligent Vision Systems: The intelligent vision system is a combination of various sensors to achieve reliable driving assistance. This system consists of the monocular visual system and the stereo vision system [14]. These visual sensors are responsible for observing the driver's attention towards the road and the environment that the vehicle is operating in [31]. AI technology and machine learning are essential for adapting to the driver's environment and reacting accordingly.

III. SECURITY ISSUES AND VULNERABILITIES OF INTELLIGENT VEHICLES
With the advancement of car innovation, intelligent vehicles are getting progressively clever and are developing a number of creative applications performing different functionalities. These functionalities are controlled by 70 to 100 ECUs that communicate with each other through the in-vehicle communication buses [1]. While increasing the utilization of about 100 ECUs improves functionality and comfort, it also introduces a new cyberthreat by making vehicles a target for attackers. Additionally, with the advancement of remote communication innovations, vehicles can never be considered as closed frameworks, as they are dynamically equipped with functionality that interacts with the outside world [2]. Although remote communication technology brings many improvements in terms of functionality and luxury, communication with the outside world exposes vulnerabilities that can be abused by an attacker and lead to infection of the vehicle. In this section, we discuss vulnerabilities associated with intelligent vehicles, as well as the potential ways an attacker could use to gain access to a vehicle and deliver malicious payloads.


A. THE VULNERABILITIES OF INTELLIGENT VEHICLES
With the advancement of automotive technologies, intelligent vehicle systems are controlled through I/O access channels of the embedded ECUs. These access channels present commands and output to the users of intelligent vehicles. However, these channels are vulnerable to attack due to their lack of security features such as authentication scheme, access control and verification process. These access channels can be categorized into four major categories: direct physical access, indirect physical access, short range wireless access and long range wireless access.

1) DIRECT PHYSICAL ACCESS (V1)
Automotive vehicles have many direct physical interfaces that can become potential surfaces for an attacker to infect an intelligent vehicle and have a malicious effect. These surfaces can provide direct access to the ECUs and in-vehicle network busses of an intelligent vehicle. Such an interface is the On-Board Diagnostics system (OBD) which is usually used by service professionals for performing diagnosis and ECU programming during periodic maintenance inspections. The OBD system can provide direct access to the vehicle's ECUs and its internal network busses through the OBD-II port and the OBD dongle [32].

2) INDIRECT PHYSICAL ACCESS (V2)
The ECUs and in-vehicle network busses of intelligent vehicles can be accessed through indirect physical interfaces without the presence of the attacker. These interfaces can be used by the user to indirectly pass commands or receive communication from the targeted ECUs. Most intelligent vehicles nowadays offer indirect physical access through the entertainment system using physical sources such as CD, disc, USB and iPod. However, these interfaces are vulnerable to attack due to their lack of security features [2].

3) SHORT RANGE WIRELESS ACCESS (V3)
Since car technology and network system has tremendously improved, vehicles are now exposed to the outside world through either the short range wireless access or the long range wireless access [33]. The short range wireless access provides many advantages over direct and indirect physical access as it would inflict many operational complexities, in targeting precise locations, and the inability to control the time of compromise. This type of communication method works mostly on short ranges to attack the surface of automotive wireless systems like Bluetooth, Remote keyless entry, Dedicated Short Range Communications (DSRC) and Wi-Fi. For these architectures, hackers can put a wireless transmitter close to the car's receiver, depending on the channel distance [2].

4) LONG RANGE WIRELESS ACCESS (V4)
The long-distance digital access channels, which are divided into two types: broadcast channels and addressable channels, have been deployed in intelligent vehicles now. The broadcast channels, such as GPS, Traffic Message Channel, Satellite Radio, and Digital Radio, are indirect channels that receivers tune into as part of a media system that is connected to other important ECUs. However, because it is difficult to attribute and command multiple channels at once, these channels are subject to external surface attacks, which might allow an attacker to manipulate channels and their behavior. The addressable channels, as opposed to broadcast channels, are direct channels that frequently employ cellular phone and data networks and may be accessed over arbitrary distances. However, this type of long-range wireless is vulnerable to attack by the remote transfer system that provides continuous connectivity through cellular voice and data networks [2].

B. ENTRY POINTS INTO INTELLIGENT VEHICLES
With the evolution of vehicle technologies, in the wrong hands, these advanced technologies can lead to severe situations. To some degree, Intrusion Detection Systems (IDS) can block the potential ways and access channels that an attacker uses to gain access to a vehicle. Yet, no protection technique is absolutely efficient; a protection technique can be effective today but may not remain so for long, since hackers are continually updating the entry points and looking for new ones. Therefore, in this section, we discuss the potential ways and entry points that an attacker might use to gain access to a vehicle in order to deliver a malicious effect. Furthermore, for each entry point we present the attacker's presence in the vehicle, which specifies whether or not the attacker should be present in the vehicle during the compromise process; the scale, which captures the approximate scale of the attack; and the cost, which represents the estimated effort involved in developing the attack capability. All of the aforementioned factors are presented for each entry point as shown in Table 2. Some of the potential entry points that hackers may attempt to use to gain access to a vehicle include:

The OBD-II Port: The OBD-II port system in a vehicle is responsible for tracking and modulating the vehicle's performance by monitoring the mileage, speed and other important data [34]. The OBD-II port reports data acquired from its sensors that are present in the vehicle's infrastructure and it is connected to the check engine light that lights up once a problem gets reported. However, the OBD-II port may be vulnerable to malicious attacks since it lacks an authentication method such as voices, facial features, retinas, irises, and fingerprints that can be used to authenticate a vehicle's owner identification. Furthermore, the OBD-II port also lacks an access control mechanism that assures that it is only accessible by the vehicle's owner. In other words, the OBD-II port may be accessed not only by the vehicle's owner, but also by other users and parties. This vulnerability may be exploited by unauthorized users and parties to get access to the vehicle and carry out malicious actions within it. For example, the OBD-II port can be attached to a laptop in order to interrogate the car's ECU program and this allows easy access to an attacker to alter or delete or inject a malicious code into the ECUs [2]. As a demonstration, by using an ECOM cable and

VOLUME 9, 2021 162407


A. A. Elkhail et al.: Vehicle Security: Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

TABLE 2. The entry points to the intelligent vehicles.

handmade connections to attach to the OBD-II port, Valasek turning on and off vehicles using push button start/stop, steer-
and Miller [35] were able to transmit and receive messages ing adjustments, and braking, among other things [36].
over the CAN bus. The Entertainment System: The entertainment system in
The OBD Dongle: The OBD dongles are used to access the intelligent vehicles is an indirect physical access interface to
reported data from the OBD-II port. This OBD dongle also the vehicle ECUs. Most of the intelligent vehicles nowadays
allows access to the CAN bus of the vehicle, which poses a are provided with a form of entertainment system that has
security threat to the ECUs that are connected through the a USB connectivity option, disk option, iPod, or CD player.
CAN interface. This allows attackers to easily get access to These options enable the users to synchronize and access
the CAN bus through the OBD port and send bogus messages entertainment content from their mobile devices, navigation
to all the connected ECUs [2]. Although the fact that the OBD systems, USB devices, or from CD and play/view on the
dongle is a physical connection to the OBD port, modern cars vehicle entertainment system [37]. In the advanced systems,
are implementing Wi-Fi technology to access the OBD port the entertainment system is not standalone but also has a
through a computer. This allows the hacker to do a variety CAN connection to ECUs of other systems in the vehicle.
of tasks on the vehicle, such as locking and unlocking doors, These systems enable the synchronized mobile device to

access more features on the vehicle apart from the media system, which creates a threat to the vehicle [2]. For example, Cai et al. [12] demonstrated that attackers can create a backdoor in the BMW vehicle entertainment system via the USB port.

The Infotainment System: The infotainment system supplies the vehicle with information and entertainment such as emails, text messages, voice calls, personal contacts, and many forms of information that can be obtained by interfacing with a cell phone, such as streaming music and watching videos [38]. The infotainment system, on the other hand, may be hacked using simple tools like a CD or USB flash drive. Such a tool might be contaminated with malicious code that infiltrates the car's infotainment system and spreads to other systems, such as those that control the vehicle's engine and brake systems. As a demonstration, a research group demonstrated an attack by altering an audio file to broadcast malicious CAN messages to compromise different in-vehicle systems when played on the vehicle's media player [2]. Furthermore, researchers were able to get a permanent connection to Mazda's infotainment system by running a bash script on the vehicle's Linux operating system [39]. Another research group was able to access the address book, conversation history and even location data remotely by connecting to the infotainment system's root account [40].

The Telematics System: The telematics system supplements infotainment systems by giving information about in-vehicular systems such as vehicle speed, acceleration, tire pressure, fuel efficiency, oil life, door locking, seat belts, transmission issues and engine failures [41]. Furthermore, the telematics unit in intelligent vehicles allows the vehicles to communicate with 3G, 4G, and now 5G networks. This allows attackers to get access to the vehicle through 3G, 4G and now 5G and perform a variety of harmful actions on the vehicle. For example, researchers previously exploited a car's telematics unit remotely without user interaction [2]. They were also able, by using reverse-engineering techniques, to gain access to the operating system of the telematics ECU. Additionally, work by Jo et al. [42] investigated security risks in Android OS-based telematics frameworks that allow drivers to access and lock vehicle doors remotely, as well as start and stop the vehicle engine.

Sensors: As vehicles become more innovative in pursuit of fully autonomous self-driving operation, intelligent vehicles nowadays utilize different kinds of sensors to accomplish the autonomous vision. Hence, combining those sensors is an extraordinary method to guarantee incredible autonomous strength. However, because there are no adequate security mechanisms in place to restrict the usage of sensors by installed apps, vehicles are exposed to sensor-based threats and attacks. For example, the sensors in intelligent vehicles can be hacked easily either remotely or physically. As a demonstration, Petit et al. have shown the efficacy of relay and spoofing attacks against LiDAR [43]. Furthermore, Liu et al. used ultrasonic sensor attacks like jamming and spoofing to test Tesla, Audi, Volkswagen, and Ford. They demonstrated that all of the cars they examined could be jammed and spoofed [44].

In-Vehicle Network Busses: Controller Area Network (CAN) lacks sufficient communication protection. Since it is a broadcast-based communication protocol and there are no sender and receiver addresses, every node receives the frame, and the frame is not secured by any Message Authentication Code (MAC) or digital signature [45], [46]. This creates a threat to confidential data, which could be either stolen or manipulated by sending false frames to every node, causing unintended behaviors. For example, an attacker can easily access the CAN bus and inject a malicious message into the CAN bus either directly through the OBD-II port or indirectly through the CD player, disc, USB and iPod [2], [35]. In another example, Cai et al. [12] revealed multiple vulnerabilities in numerous BMW models, including the ability to compromise ECUs connected through CAN over a wireless connection.

Bluetooth: Bluetooth is currently available in most intelligent vehicles and has a range of up to 10 meters. It is commonly used to connect cell phones to the vehicle's infotainment and telematics system to make calls, check calendars, and listen to streamed music. Bluetooth, on the other hand, does not need pairing with the target device or even being discoverable. Almost every Bluetooth-enabled device is at risk. This can be exploited by hackers to get access to the vehicle, giving them full control of the vehicle and the ability to carry out harmful operations within it. For example, an attacker can link his or her smartphone with the intelligent vehicle's Bluetooth. Then the attacker can send malicious code to be uploaded into the system. This could be problematic, and implementing confirmation of Bluetooth connectivity on the infotainment system should be considered to make it harder for a hacker to connect via Bluetooth [2], [47].

Remote Keyless Entry (RKE): This type of communication uses radio frequency communication in order to control various functionalities of intelligent vehicles remotely, such as opening doors, controlling lights, activating alarms, and even starting and locking the ignition of the vehicle. The remote keyless entry, on the other hand, is open to attacks since it doesn't have a security mechanism such as cryptography to protect the confidentiality of the radio signal transmitted from the vehicle's key. This vulnerability can be exploited by hackers to get access to the vehicle without possessing the key. The attack operates by eavesdropping on the signal transmitted when a driver presses his or her key fob to open the vehicle. With equipment costing $30, the signal may be cloned, allowing the hacker to have access to the vehicle in the future. The attacker can be within 100 meters of the car to clone the key's signal, and the hacker can steal the car in less than two minutes [87]. For example, Liu et al. [48] demonstrated that many attacks can be mounted against the Hitag2 cipher, which is used in many remote keyless entry systems. In another example, Dibaei et al. [49] showed that two hackers were able to steal a Mercedes-Benz vehicle by manipulating the keyless entry system.
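
The missing frame authentication described under In-Vehicle Network Busses and the signal cloning described under Remote Keyless Entry are both countered by attaching a MAC and a freshness counter to each message. The following is an added example, not code from the survey or from any vehicle vendor; the frame layout, key, CAN ID, window size and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 3    # truncated HMAC-SHA256 tag; classic CAN has only 8 payload bytes
CTR_LEN = 1    # low byte of the freshness counter sent on the wire
DATA_MAX = 8 - MAC_LEN - CTR_LEN
WINDOW = 16    # lost frames tolerated before the counter must be resynchronised


def compute_tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Tag binds the arbitration ID, the full counter and the data together."""
    msg = struct.pack(">IQ", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.counter = key, can_id, 0

    def build(self, data: bytes) -> bytes:
        """Return the payload: data, counter low byte, truncated tag."""
        if len(data) > DATA_MAX:
            raise ValueError("data does not fit next to counter and tag")
        self.counter += 1
        tag = compute_tag(self.key, self.can_id, self.counter, data)
        return data + bytes([self.counter & 0xFF]) + tag


class Receiver:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.last = key, can_id, 0

    def accept(self, can_id: int, payload: bytes):
        """Return the data if the frame is authentic and fresh, else None."""
        if can_id != self.can_id or len(payload) < MAC_LEN + CTR_LEN:
            return None
        data = payload[:-(MAC_LEN + CTR_LEN)]
        low = payload[-(MAC_LEN + CTR_LEN)]
        tag = payload[-MAC_LEN:]
        # Rebuild the full counter: the smallest value above the last accepted
        # one whose low byte matches what was sent.
        candidate = (self.last & ~0xFF) | low
        if candidate <= self.last:
            candidate += 0x100
        if candidate - self.last > WINDOW:
            return None                       # replayed, stale, or too far ahead
        expected = compute_tag(self.key, can_id, candidate, data)
        if not hmac.compare_digest(tag, expected):
            return None                       # sender does not hold the key
        self.last = candidate                 # state advances only on success
        return data


def demo() -> dict:
    key = bytes(range(16))        # constructed key; real keys are provisioned per ECU
    can_id = 0x1A0                # constructed arbitration ID
    tx, rx = Sender(key, can_id), Receiver(key, can_id)
    results = {}

    f1 = tx.build(b"\x01\x00")
    results["genuine"] = rx.accept(can_id, f1)

    # Capture-and-replay: the same bytes sent again carry an old counter.
    results["replayed"] = rx.accept(can_id, f1)

    # Injection without the key: a tag guaranteed to be wrong stands in for
    # whatever an attacker on the bus would guess.
    good = compute_tag(key, can_id, 2, b"\xff\xff")
    bad = bytes(b ^ 0xFF for b in good)
    results["injected"] = rx.accept(can_id, b"\xff\xff" + bytes([2]) + bad)

    # One frame is lost on the bus; the next one is still accepted, and the
    # lost frame is refused if it turns up late.
    f2 = tx.build(b"\x02\x00")
    f3 = tx.build(b"\x03\x00")
    results["after_loss"] = rx.accept(can_id, f3)
    results["stale"] = rx.accept(can_id, f2)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} -> {value!r}")
```

A 3-byte tag is the price of fitting inside an 8-byte classic CAN payload; longer payload formats leave room for a longer tag and counter.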

Wi-Fi: Intelligent vehicles are currently equipped with Wi-Fi and consequently, they can connect to the internet via Wi-Fi hotspots on the roadway within range of the vehicle. However, some of these wireless hotspots might put the vehicle at risk for a variety of reasons. For instance, these wireless hotspots may employ outdated encryption standards, putting the vehicle's security at risk. One of the initial encryption standards for wireless networking devices, the Wireless Encryption Protocol (WEP), is deemed weak and vulnerable to hacking. Wi-Fi Protected Access (WPA) was supposed to take the place of WEP as the wireless networking standard, but it, too, was proven to have flaws. Furthermore, these wireless hotspots may expose vehicles to a rogue or fake Wi-Fi hotspot [51]. For example, if the vehicle connects to a malicious hotspot, the hacker can perform many activities on the vehicle, such as transferring malicious code to it. As a demonstration, Nie et al. [50] were able to remotely hack a Tesla vehicle by exploiting the way that the secret key to an installed Wi-Fi was saved in plain text. Furthermore, Nakhila et al. [51] showed that by connecting to an illegitimate Wi-Fi access point, an attacker may eavesdrop on Wi-Fi activity. Vanhoef et al. also looked at the possibility of Denial of Service attacks against Wi-Fi Protected Access [52].

DSRC: DSRC is an on-board vehicle unit that is developed to operate short-range communications between Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I). DSRC offers great autonomous technology services by allowing vehicles to exchange information either with each other or with the infrastructure, such as roadside units surrounding the vehicle. DSRC utilizes radio frequency (RF) channels to achieve this communication. However, this concept could create an entry point for attacks to enter the DSRC system and cause serious damage by transmitting fake information. This can trick the vehicle's system and cause catastrophic consequences if the hacker is successful. Therefore, serious safety measures have to be taken into consideration to protect V2V and V2I communications [21], [53].

Cellular: Intelligent vehicles are currently equipped with cellular network technologies such as LTE, 3G, 4G and now 5G [20] and consequently, they can communicate with either another vehicle (V2V) or the infrastructure (V2I) at long distances on the scale of miles [54]. Cellular networks, on the other hand, are prone to eavesdropping and jamming attacks [56]. Cichonski et al. demonstrated that LTE can be hacked easily by jamming attacks and eavesdropping attacks [56]. Other work by Muhammad and Safdar [55] demonstrated that LTE and 5G-based vehicular networks are vulnerable to a huge number of attacks. This allows attackers to track vehicle whereabouts in order to get access to the vehicle and carry out harmful operations inside of it. For instance, Miller and Valasek [11] have been able to hack and stop a Jeep Cherokee running on a highway remotely through 4G.

In-Vehicle Applications: The new development of the vehicle industry has implemented a new system in the Human-Machine Interface (HMI) screen that supports smartphone applications such as Google Android Auto and Apple Car Play. However, those vehicle applications can cause security threats and can create a path to inject malicious attacks into the HMI and obtain unauthorized access to vehicle functions. There is a chance that an automobile application can be infected on the phone itself, thus creating a potential threat to the vehicle's functions if those infected apps are being used by the vehicle's HMI. Those automobile applications support wireless mobile telecommunication technologies such as 3G, 4G, 5G as well as Wi-Fi and Bluetooth to communicate with the vehicle, which makes intelligent vehicles an open system and causes a potential threat [15]. For example, an attacker can penetrate the application itself and utilize this to get to a vehicle. Researchers discovered several vulnerabilities in seven popular applications that permit attackers to gain entry to vehicles [57]. Furthermore, Symantec researchers explored fake malicious applications that are created to look legitimate, like the Uber application [58].

IV. AN OVERVIEW OF MALWARE AND HOW IT SPREADS
In this section, we first present an overview of malware and common malware types. Second, we discuss the main motivations of an attacker to spread malware to the vehicle systems. Finally, we present the potential ways for malware to infect the vehicle systems.

A. AN OVERVIEW OF MALWARE AND ITS COMMON TYPES
Malware is malicious code that embeds itself into a software program and intentionally serves the harmful purposes of the malicious attackers who target any computing device [59]–[61]. Malware can enter any device through different channels such as files and directories from removable media, downloaded applications and files, and email attachments. Once the malware reaches the device, it can easily execute, either by using the authorization privileges of the interacting user or by bypassing the PC's authentication mechanisms to run without the victim's permission. Once it is executed on the device, it can harm the infected device by compromising its functions, disturbing its operations, stealing data, evading access controls, or gathering sensitive personal information without the victim's permission. It can also obtain unauthorized access to a network system to create destructive damage to its subsystems. Malware can be divided into many categories based on the way in which it causes harm and proliferates across systems. This section provides an overview of the most common sorts of malware, including virus, worm, trojan, spyware, rootkit, backdoor, botnet, adware, scareware, and ransomware [62].

• Virus: It is a type of malicious software that can replicate itself into other programs and only attaches itself to other files, data, and computers when it is activated [63]. Viruses cannot cause much harm unless the infected transporter program is executed. The virus usually runs with user involvement [64] and it can
spread from one program to another and from one PC to another [65].
• Worm: It is a malicious program that may infect any machine, spreads over computer networks, and takes advantage of system flaws to further its malicious purposes. It utilizes networking protocols to inspect its local network and grows once it comes upon possible victim systems [66]. Worms can easily spread and execute within a system and also have the ability to replicate themselves in a PC to tamper with important documents and the information on it [67]. They also have the ability to encrypt data and deliver spam messages. Worms, unlike viruses, have their own containers via which they spread [68].
• Trojan: It is sometimes called a Trojan horse. It is malicious software that can look legitimate with a useful purpose while, in fact, it is executing whatever task the hacker intended. It can compromise computer security by gaining unauthorized access to the compromised PC and extracting confidential user information such as credit card information and user credentials, and it can cause much damage by executing unknown and unwanted activities [69].
• Spyware: It is a malicious program that is installed on any electronic device without the user's knowledge, and it continuously spies on the user's activities without the user's permission [70]. Spyware presents its danger only if the device is connected to the internet, since it can be used to steal sensitive data like credit card information, government and medical records without one's knowledge. Spyware collects this information and sends it to the hacker, who can easily misuse the obtained data [71].
• Rootkit: It is a collection of malicious software designed to allow hackers to access and change operating systems and kernel data structures for harmful purposes [72]. Rootkits also give other types of malware access to enter a system and conceal their presence on the computer [73].
• Backdoor: It is one form of malware that allows the infected PC to be remotely accessed without the user's permission by opening a backdoor in the victim's PC [74].
• Botnet: It is malicious software that allows attackers to remotely manipulate a group of infected and controlled devices such as cellphones, PCs, tablets, and Internet of Things devices. It happens without the users being aware that their PCs have been infected by botnet malware [75]. It is typically used for sending unruly commands, spamming computer systems, and performing denial of service attacks [76].
• Adware: It is malicious advertising-supported software that brings advertisements to the computer. It can infect any system when a user tries to download free applications and software such as free games [77]. The sole purpose of this malware is to scrutinize the user's activities while they are networking [78].
• Scareware: It is malicious software that is designed to mislead users into purchasing and downloading unneeded and potentially harmful software and programs, such as fake antivirus protection, which have posed serious financial and privacy risks to the victims [79].
• Ransomware: It is a malicious program that allows the attacker to either lock the victim's computer or encrypt the victim's data, aiming to deny service to the victim and restrict the victim's access to his data in return for ransom. The malware then demands a ransom payment from the victim in order to restore access and decrypt the victim's data on the infected computer [80].

B. MOTIVATIONS FOR INSTALLING MALWARE ON VEHICLE SYSTEMS
There are a number of motivations behind attackers choosing to spread malware across vehicles. Here are some of these motivations:
• Financial Gain (M1): An attacker can restrict the driver's access to his vehicle by infecting the vehicle remotely with ransomware, which can disable the vehicle's functionalities, such as immobilizing the motor, locking the in-vehicle radio and locking the doors. Such an attack could restrict the vehicle's functionalities in a way that the proprietor's car keys can no longer activate them. The attackers would then be able to demand payoff before these functionalities were re-enabled. As a demonstration for academic research purposes only, work by Wolf et al. [81] showed that vehicle ransomware can be easily created and deployed. Additionally, researchers from McAfee security [82] demonstrated that ransomware can block the use of the vehicle until the ransom is paid. Furthermore, fraud can be a major route for hackers to bring in cash. Hacked vehicles could give access to stalkers to be able to track the vehicle identification number of any potential victim through GPS, since all intelligent vehicles nowadays have GPS. So in the event that an attacker can track any vehicle, the attacker can offer a service to anybody who needs to track someone in exchange for money. As a result, the attacker can gain a lot of money by tracking hundreds of vehicles. It's an extraordinary business. As an example of that, according to a report from Boston 25 News [83], an attacker was able to track a vehicle for many years by hiding a GPS tracking device on the victim's car. Another way for hackers to bring in cash is automated toll booth payments, which may create more points of entry for hackers to steal individual information, for example, visa or banking data. Hackers are hoping to get the greatest benefit for the least effort, since intelligent vehicles are going to have a lot of payment systems in order to provide the comfort for the driver to pay via his vehicle when he goes to toll roads and parking lots [84].

• Infringement on the Driver's Privacy (M2): An attacker could infringe the privacy of drivers by infusing spyware into a vehicle. An attacker could steal and access sensitive and private data about the driver, for example, where he is located, his driving habits, his credentials, his visa and banking information, his telephone number and call history, the music he tunes in to, and considerably more. According to an IBM Security report [85], a third party was able to gain access to the personal information of 27.7 million Texas drivers.
• Vandalism (M3): Malware can cause a wide scope of disruptions to a driver. Malware might deactivate the brakes or force the car to abruptly slow down while driving, resulting in an accident. Furthermore, malware can be used to lock the infotainment system in a vehicle to a random radio station, tamper with the tire pressure monitoring system's displays, or show false messages that force the driver to make important decisions while driving, such as changing the audio level or displaying arbitrary messages or images on the head unit display. Any such disturbance could make the driver commit dangerous errors while driving, cause auto collisions, and harm a carmaker's reputation. A team of hackers was able to hack a Tesla Model S remotely from a 12-mile distance [10] for academic research purposes. The authors of [81] demonstrated that ransomware can be easily deployed and can disable the vehicle's braking system. Furthermore, a research group [86] was able to disable the braking system of a 2009 Chevy Impala, which can harm both the passengers and their property. Additionally, the authors of [11] were able to remotely hack and halt a Jeep Cherokee running on a highway, resulting in a 1.4 million car recall.
• Hobby and Fun (M4): Some hackers target PCs or cellphones just for the sake of amusement or to demonstrate their security expertise. It is foreseen that numerous hackers will see the increasing population of vehicles as profoundly intriguing targets. Hacking vehicles could create more prominent exposure than hacking PCs or smartphones. As evidence, Miller and Valasek [11] demonstrated, for academic research purposes, that they were able to hack and stop a Jeep Cherokee running on a highway.
• Theft (M5): A malware attack may be used by an attacker to unlock a car's doors, disable its alarms, and disable its immobilizer in order to steal the vehicle. As a proof of concept, a research group [87] demonstrated, for academic research purposes, the ability to steal a Tesla vehicle in a few seconds by injecting malware through a firmware update into the key fob via Bluetooth.
• Facilitation Extraneous (M6): Attackers most of the time use intermediaries and different systems to attack their final target. For this reason, it is important to note that some organizations and systems may simply be convenient targets that enable and facilitate the attacker's activities. Consider botnets: systems are compromised to enable them to then attack other systems [88]. In this way, an attacker might hack a victim's vehicle system in order to track the victim, aiming to attack the victim's home and such. Furthermore, hackers might be less interested in the victim's vehicle's systems and more interested in the vehicle's connected devices, such as cell phones, laptops, and tablets, which can give them access to credit card data, passwords, financial information, and considerably more. In the event that they are able to get into the victim's vehicle's systems and locate the victim's connected devices, the victim's data might be in danger. For example, [85] demonstrated that millions of drivers' devices have been accessed by a third party.

C. THE POTENTIAL WAYS FOR MALWARE TO INFECT THE VEHICLE SYSTEMS
In addition to the potential ways presented in Table 2 for an attack to infect the vehicle systems, there are numerous other factors that influence the way malware can enter a vehicle and exploit any vehicle network interface, physical or wireless. Some of the factors are: F1) weaknesses in the design of the software. F2) weaknesses in the hardware. F3) weaknesses in the in-vehicle applications. F4) weaknesses in the in-vehicle network system. F5) the driver's inability to protect document downloads into the vehicle when the driver accesses websites and downloads apps from external sources. F6) external information may be laced with weaknesses that can enter a vehicle, for example, a software update bundle that can be infected with malware before it gets loaded onto a vehicle. F7) weaknesses in the operating systems utilized on the vehicles. There are various methods by which malware can abuse these weaknesses to infect a vehicle, as shown in Table 3:
• Direct Access: An attacker can infect the vehicular system with malware by getting direct access to the vehicle. For example, Valasek and Miller were able to hack a Jeep Cherokee's infotainment system using the cellular network from a laptop. Upon scanning the network for other vehicles with high vulnerability, 2,695 more vehicles were discovered that possessed vulnerabilities similar to those that exposed the Jeep to being hacked [11]. By automating the attack on a laptop holding all the programming steps, the same laptop could be used to hack other vehicles directly.
• Updates Over The Air (OTA): Intelligent vehicles now have millions of lines of code, and the intricacy of in-vehicle programming keeps on growing. As a result, remote OTA ECU firmware update is becoming progressively more significant and expected, which increases the chances of malware infecting vehicles from remote locations [89]. For instance, the authors of [87] were able to hack a Tesla vehicle OTA and steal it in a few seconds by injecting a malicious firmware update into the key fob.

• Web Browsers: Web browsers in intelligent vehicles allow drivers to access the internet and download information and other applications into their vehicles from application stores provided by the vehicle maker. This provides a way for malware to be downloaded into the vehicle. For example, it has been demonstrated that over 80% of malware comes from well-known sites [90], [91].
• Aftermarket Equipment: Aftermarket infotainment systems use tethered or embedded devices to provide network connectivity and also support hosting third-party applications. Aftermarket equipment is widely used to replace original factory-installed hardware, making it a huge threat to vehicles. For example, infotainment system head units are mostly Linux-, Android-, or Windows-based devices that can be readily hacked to run malicious software. It has been demonstrated [85] that a third party was able to access the details of millions of drivers in Texas.
• Removable Media USB Flash Drive: Most intelligent vehicles have USB connections to attach newly acquired devices. These connections permit a system installed on a vehicle, for example, the infotainment system, to access data files such as music files on the removable media. However, these removable media can be contaminated with malware, which can then infiltrate the vehicle's embedded systems in a variety of ways. One such way is to store the malware on the removable media under a benign name, such as firmware update, in order to trick the vehicle's embedded system into introducing and running the malware when the removable media is connected. Another way is to add malware to music files so that the malware runs when the music file is played. A research group demonstrated an attack by modifying an audio file to transmit malicious CAN messages to compromise various in-vehicle systems when played on the vehicle's media player [2].
• Operating Systems: While practices vary by automaker, the bulk of software running in intelligent vehicles is not written by the automakers, and some of it comes from free open-source software such as Linux and Android; most intelligent vehicles nowadays use the Linux or Android operating system [92], [93]. Although Linux systems have proved to be less affected by malware than other operating systems like Windows and Android, since they are owned by limited repositories and operated by trusted distributors, it has nevertheless been demonstrated that Linux systems are not immune to malware and to

of internet services in intelligent vehicles that permit Internet access from a browser, it is achievable to convey another kind of spam dependent on geographical location and travel. For example, as you approach a fast-food restaurant, imagine a pop-up discount. Not only is this type of behavior likely to be unpleasant, but it may also cause drivers to get distracted. Additionally, those kinds of spam and advertising are well-known infection vectors for malware that can convey the malware to infect the vehicle systems [77], [78].
• Third-Party Applications: Intelligent vehicles have been allowing third parties to create applications for extended services. For instance, an application on a smartphone can be used to open or close vehicle doors. These applications can harm vehicle systems as they are open-ended and accessible to everyone, making them an easy target for hackers. Smartphone applications are an easy target for hackers when compared to ECUs, as applications are more flexible and offer more resources. Vehicle applications are also susceptible since certain third parties employ shoddy security methods and credentials are frequently stored in cleartext [50]. These applications may also store individual data, for example, GPS information, vehicle models, and other data. This situation has been shown by the OnStar application that permitted a hacker to open a vehicle remotely [97].
• Vehicle-to-Vehicle Communications (V2V) technology: V2V technologies establish communications between vehicles on the road using Wi-Fi connections. V2V technology acts as a security layer for the vehicle while on the road and also assists in decreasing vehicle speed when it is very close to another vehicle. This technology can also be used to communicate with street sign devices, that is, vehicle to infrastructure (V2I) [98]. The data obtained can be used to improve the driving experience and also safety. If this technology is exploited by malware, many connected vehicles will be affected in an adverse way [99], [100].
• Mobile Device to Vehicle: It has become typical nowadays to connect smartphones to intelligent vehicles, usually by Bluetooth. This connection permits hands-free calling while the driver is driving, playing sound from the driver's smartphone on the vehicle's speaker system, and other conveniences [37]. It is additionally a potential vector for malware [101]. A widespread smartphone virus or other smartphone malware probably won't influence the smartphone's behavior at all but could wait quietly for the smartphone to pair with a vehicle, at that point transfer malware to
LINUX malware has been on the rise [94], [95] and the vehicle [37].
what’s more, Linux apps and users can be tricked into • Supply Chain: Vehicles built with parts from various
permitting malware to enter and execute [96]. manufacturers and suppliers might be having clashes
• Spam and Advertising: Although adding more ser- and wrong intentions with each other. This might cause
vices to vehicles brings comfort for the driver it like- malicious software to embed into the creation cycle.
wise adds greater security risks. With the appearance This malware is inactive until an external stimulus, for


TABLE 3. Various methods for malware to infect the vehicle systems.

example, a signal arriving over the vehicle's internet connection, causes it to release its fatal impacts. As a demonstration, the ShadowHammer supply chain attack on ASUS systems led to 57,000 users having a backdoored version of the live update utility [102].

• Home Base: Intelligent vehicles exchange information with the maker's PCs, including software updates, which are a compelling method to get malware into vehicles. This implies that the well-being of the fleet is only as good as the security of the producer's corporate servers. If attacks similar to those routinely carried out successfully against retailers, banks, and websites are used against vehicle manufacturers, the maker's whole fleet could be placed in danger [103].

• WiFi Hotspot: Intelligent vehicles are currently equipped with WiFi and consequently connect to nearby hotspots with recognizable names. For instance, if the vehicle previously connected to a hotspot with the name free WiFi, the vehicle will probably connect to any hotspot with a similar name automatically. A hacker can use this feature to set up a malicious hotspot with a common name and get within close range of the vehicle so that it connects automatically, at which point the hotspot can transfer malware to the vehicle. These attacks can also spread to other vehicles just by turning on the Wi-Fi in the infected vehicles, which might lead to the creation of additional malicious hotspots. Vehicles moving next to each other on roads can act as transfer agents of malware, almost like biological viruses transmitted between humans [50]–[52].

• Software Bugs: A software bug is an instance of software failing to behave as it was designed, usually caused by mistakes made during the process of writing the software [104]. Bugs can cause software-based systems to be unreliable, commit errors, or give access and control to unauthorized parties [104]. The larger and more complex the body of code, the more bugs it is likely to contain [104]. Today's intelligent vehicles can contain over a hundred million lines of code, and the intricacy of in-vehicle programming keeps growing. This will increase the number of software bugs in vehicles that hackers can exploit to infect the vehicles with malware [105], [106].

Once the malware infects any subsystem on a vehicle, for example, an infotainment system, it will have the option to harm other subsystems in the vehicle, as many subsystems are connected internally creating a cross-framework


functionality. Malware can transmit signals that disrupt a vehicle's regular operation. It may also launch denial-of-service (DoS) attacks by flooding various subsystems and in-vehicle networks with bogus messages in order to bring down various subsystems [107]. In some cases, malware may simply degrade vehicle system performance by overburdening processes, or make unauthorized access to ECUs and harass the passengers [91]. In the case of spying, the malware conceals itself in the system, steals sensitive information about the driver, and delivers it to the attackers [91]. Identifying malware is important, as damage can spread across a large attack surface and hackers could use plenty of potential entry points if the situation is not taken seriously.

V. EXISTING DEFENSE TECHNIQUES AGAINST MALWARE

In the last decade, researchers have explored a wide range of malware defense solutions for computer and mobile systems. Those solutions can be categorized into signature-based, behavior-based, heuristic-based, cloud-based, and machine learning-based techniques [108]–[113]. In this section, we present a detailed review of the main factors of applying these defense systems to protect intelligent vehicles against malware. These factors include the approach used, the data analysis method used, the targeted operating system, the detection time and the detection response, the data source, and the main advantages and disadvantages of each defense system. Figure 4 shows the taxonomy dimensions distributed into six classes. We also briefly describe these classes below.

1) Technique. We classify the existing malware detection techniques into five categories, i.e. signature-based malware detection techniques, behavior-based malware detection techniques, heuristic-based malware detection techniques, cloud-based malware detection techniques, and machine learning-based malware detection techniques. Each of these techniques has certain advantages and disadvantages; we discuss the benefits and drawbacks of each technique.

2) Analysis Methods. The whole detection process is accomplished with static, dynamic and hybrid analysis methods. The description of each method is presented below.

Static Analysis. It's a malware analysis method that analyzes executable code without actually executing it. In static analysis, low-level information is extracted from the code by disassembling it with a disassembler tool. The main advantage of this method is that it reveals the code structure of the program without executing it. However, this method may fail in analyzing unknown malware. It may also fail to detect malware that employs obfuscation and evasion techniques in its code [114].

Dynamic Analysis. It's a malware analysis method that entails running the malware and monitoring its behavior, its interactions with the host system, and its impacts on the host environment. The infected files in this method are analyzed in a simulated environment such as an emulator, virtual machine or sandbox in order to make the environment invisible to the malware [115]. Although this method is efficient in detecting malware, it may fail to detect malware that uses code obfuscation and evasion techniques.

Hybrid Analysis. It's a malware analysis method that combines both dynamic and static analysis. It examines almost all of the static features of any malware code and then combines them with other behavioral features to improve the overall analysis process. Although this method can overcome the limitations of both static and dynamic analysis methods, it may increase the total execution-time overhead [116].

3) Target Operating System (OS). It refers to the operating system analyzed by the system. It can be LINUX, Windows, or Android [92], [93].

4) Detection Time. It refers to the time between the analyzed event and the detection itself. It can be real-time (online) detection, which enables an automatic response such as blocking the attacker and killing the malware process, or non-real-time (offline) detection [117].

5) Detection Response. It refers to the relevant outcome of the system, which can be a passive response, i.e., an event notification such as printing an alert message, or an active response, i.e., an automatic reaction such as blocking the attacker or killing the malware process [117].

6) Data Source. It refers to the source of the input data analyzed by the system. It can be host logs, which are data from the operating system and system applications; application logs, which are data directly generated by applications; or network traffic, which is data generated by the network layer [117].

A. SIGNATURE-BASED MALWARE DETECTION

The signature-based malware detection process occurs in two sequential phases. First, after identifying the malware, a unique representation or signature for each malware must be created. This process is generally achieved by using a combination of manual and automated analysis of the data obtained from networks and user devices. Second, every device stores the malware signatures. It can then detect whether a file or data stream is infected by malware by scanning its contents for malware signatures, which uniquely identify each malware [91]. The signature-based detection technique is the one most often used in commercial antivirus tools, which create unique signatures by examining the disassembled code of the malware binary. The binary executable files are disassembled using various disassemblers and debuggers [118]. The features of the disassembled code are extracted and analyzed further. Then, these features are used to create the malware family's signature. The signature-based detection is simpler, faster and


FIGURE 4. Malware detection system taxonomy.

safer to implement on intelligent vehicles when compared to other techniques. It's also efficient at detecting known malware. However, it is insufficient for detecting unknown malware and is also subject to obfuscation and evasion techniques [119].

Researchers have proposed several approaches to detect malware based on the digital footprints of program files or applications [120]–[135]. Table 4 shows a detailed comparison of signature-based detection across several articles published in the last decade. These state-of-the-art approaches have used different log files (i.e., application logs, host logs, network traffic logs) to find the digital footprints. Most of the works can detect malware on the Windows operating system (OS). Researchers in [125], [130], [132], and [133] have demonstrated their work on Android OS. The works in [124] and [135] remain the only two that can detect Linux OS-based malware. Apart from the OS dependencies, the detection approaches differ in their way of analysis. Some researchers [120], [121], [132], [133], [135] tried to detect malware by considering only the program bit file. That means detection was done without executing the code, i.e., static analysis. For example, Shang et al. [120] proposed a novel malware detection method based on function call graph similarity. Other work by Shankarapani et al. [121] used API call sequences and assembly instructions to detect malware. The authors of [132], [133] used control flow graph signatures to detect malware. Wan et al. [135] were able to detect malware using byte sequences of executable files. Although these approaches are efficient at detecting known malware and provide high accuracy, they are insufficient for detecting unknown malware. Furthermore, these methods are incapable of detecting malware in real time, making them unsuitable for use in intelligent cars.

Additionally, the researchers in [122]–[124], [126]–[130] have used dynamic analysis (data acquired from the running application) to detect malware. For instance, the authors of [122], [123] used opcode sequences to detect malware. Similarly, the works in [129] and [130] used instruction sequences and application permissions to detect malware. Demme et al. [124] proposed a novel method to detect malware based on hardware performance counters. Although these methods are effective at identifying known malware and have a high level of accuracy compared to static-based approaches, in addition to the high computational time required and the hardware modifications needed, they are also insufficient for detecting new malware. Additionally, these approaches are incapable of identifying malware in real time, rendering them unsuitable for use in intelligent vehicles. Other works focus on a hybrid approach that performs both static and dynamic analysis [131], [134] in order to detect malware. For example, Fan et al. [131] used instruction sequences to detect malware. Similarly, Ojugo et al. [134] proposed a method to detect malware using the Boyer-Moore string matching algorithm. These approaches could guarantee higher efficiency and accuracy than static- and dynamic-based approaches. However, they are not capable of real-time malware detection, which makes them impractical for implementation in modern cars.

The signature-based detection technique is simpler and safer to implement compared to other detection techniques since it typically requires less processing power. However, it has numerous drawbacks when applied to defending intelligent cars. For example, signature-based detection is ineffective in detecting new malware (zero-day malware) for which no signatures have been generated. It's also vulnerable to obfuscation and evasion techniques [119]. Furthermore, the


TABLE 4. Survey of signature-based malware detection techniques.
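
The two-phase signature process described in Section V-A (derive a signature from a known sample, then scan file contents on the device), as an added example that is not code from the paper or from any surveyed work: byte-sequence signatures matched with Boyer-Moore-Horspool, a simplified Boyer-Moore variant. The sample bytes, the family name Demo.FamilyA and all function names are constructed for illustration; the re-encoded file shows the obfuscation limit the survey cites [119].

```python
"""Signature-based detection in two phases, with Boyer-Moore-Horspool matching.

All sample bytes and the family name are constructed for this example.
"""
from typing import Dict, List, Tuple


def make_signature(sample: bytes, offset: int, length: int) -> bytes:
    """Phase 1 (analyst side): cut a distinctive byte run out of a known sample."""
    if length <= 0 or offset < 0 or offset + length > len(sample):
        raise ValueError("signature window lies outside the sample")
    return sample[offset:offset + length]


def horspool_find(haystack: bytes, needle: bytes) -> int:
    """Return the first offset of needle in haystack, or -1 if absent."""
    m, n = len(needle), len(haystack)
    if m == 0 or m > n:
        return -1
    # Bad-character table: slide distance keyed by the byte under the window's end.
    shift = [m] * 256
    for i in range(m - 1):
        shift[needle[i]] = m - 1 - i
    pos = 0
    while pos <= n - m:
        if haystack[pos:pos + m] == needle:
            return pos
        pos += shift[haystack[pos + m - 1]]
    return -1


def scan(data: bytes, signatures: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Phase 2 (device side): report every signature found in data, with its offset."""
    hits = []
    for name, sig in signatures.items():
        off = horspool_find(data, sig)
        if off != -1:
            hits.append((name, off))
    return sorted(hits)


# Constructed "known malware" sample: 16 header bytes, then a distinctive body.
KNOWN_SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"CONSTRUCTED-DEMO-FAMILY-A::beacon()" + b"\x90" * 8
SIGNATURES = {"Demo.FamilyA": make_signature(KNOWN_SAMPLE, 16, 24)}

# Constructed files as they might arrive on removable media.
USB_FILE = b"firmware_update header " + KNOWN_SAMPLE[16:] + b" trailer"
MUSIC_FILE = b"ID3\x03\x00" + b"constructed audio frames " * 4
# Same bytes as USB_FILE after a trivial re-encoding: the signature no longer matches.
REENCODED_FILE = bytes(b ^ 0x5A for b in USB_FILE)

if __name__ == "__main__":
    for label, blob in [("usb", USB_FILE), ("music", MUSIC_FILE), ("re-encoded", REENCODED_FILE)]:
        print(label, scan(blob, SIGNATURES))
```

The scanner's cost grows with both the file size and the number of entries in the signature dictionary, which is the storage and CPU pressure the section attributes to large signature databases on in-vehicle devices.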


existing huge quantity of malware can result in an excessively big malware signature database for a resource-constrained in-vehicle device to store and analyze, and this database can grow considerably during a vehicle's lengthy lifespan [136]. A typical malware signature database now comprises over a million malicious signatures, resulting in tens of gigabytes of data [137]. As a result, when a car is manufactured, a huge malware signature database must be loaded. However, it will be difficult to anticipate how large a database should be put on a car when it is manufactured so that it can handle all potential new malware during the vehicle's long lifespan [136]. As a result, a vehicle's storage capacity may need to be increased over time. Additionally, as the number of malware signatures rises [138], the amount of processing power required to scan files for malware signatures will also increase. That is to say, the CPU capacity needed on a vehicle faces the same problem as the storage space required for malware signatures. Furthermore, when new malware is detected and new malware signatures are created, the malware signature database on each vehicle must be updated on a regular basis. However, frequent malware signature updates to millions of vehicles will be difficult to handle and can be costly to vehicle owners.

B. BEHAVIOUR-BASED MALWARE DETECTION

The behavior-based malware detection technique is used to analyze the execution of a program in order to determine whether it is malicious or not [139]. This approach analyzes the execution of a program in a secure environment such as a virtual machine or a sandbox environment. This technique also uses monitoring tools in order to monitor and determine the behaviors of a program and decide if the program is malicious or benign based on its behaviors [140], [141]. This technique allows the vehicle to detect malware without relying on off-board systems, even with zero-day malware that has never been seen before [142]. The main purpose of this technique is to examine the behavior of any type of malware. Although malware code can be developed in different ways depending on the malware makers, the malware's behavior remains the same; consequently, the majority of new malware may be discovered using this technique [143]. This is the main advantage of this technique. However, some malware samples do not run properly in a secured environment such as a virtual machine or sandbox environment. As a result, malware samples may be incorrectly classified as benign. Furthermore, this approach is insufficient for identifying all behaviors of a program and classifying them as malicious or benign. Additionally, advanced code obfuscation and evasion techniques can simply prevent malware from being correctly evaluated [143].

Multiple bodies of work have adopted the behavior-based malware detection technique as a solution against malware [144]–[159]. Table 5 presents a detailed comparison of the behavior-based detection solutions. These state-of-the-art approaches use the application's potential behavior in order to detect suspicious activities. Similar to the signature-based detection approaches, the majority of the presented solutions use the data file logs and have been demonstrated on Windows, Android, and Linux OS. Another similarity between the behavior-based and signature-based techniques is the use of the same data analysis methods (static, dynamic, and hybrid). For example, Sheen et al. [152] proposed a novel method for detecting malware based on static analysis of API calls and permissions. Similarly, the authors of [148], [149] have developed a method to detect malware based on hybrid analysis of API call sequences. Although these approaches have a high detection rate, cost efficiency, overhead, and detection time are their main drawbacks. Because of these drawbacks, these approaches are unsuitable for intelligent vehicles.

In addition, multiple bodies of work examined the use of dynamic analysis for detecting malware [144]–[147], [150], [151], [153]–[159]. For instance, Nikolopoulos et al. [155] proposed a dynamic graph-based malware detection approach based on converting system calls to a temporal graph. Although this approach provides a high detection rate, it has high time consumption and high complexity, which makes it unsuitable for use in intelligent vehicles. Other work by Marhusin et al. [157] proposed an n-gram-based malware detection method based on extraction of API sequences. This method has a low false-positive rate; on the other hand, it has high detection time and high complexity, which makes it unsuitable for use in modern cars. Similarly, the authors of [158], [159] proposed a dynamic malware detection approach based on analysis of API calls and permissions. Other work by Das et al. [154] proposed a dynamic hardware-based method for detecting malware based on system call patterns by using a processor and a field-programmable gate array (FPGA). In this method, the system calls are first extracted and the features are constructed. Then, the extracted features from the benign and malware samples are utilized to train the multilayer perceptron machine learning classifier. The evaluation results showed that this method can detect malware in real-time and block their execution within the first 30% of their execution. This method [154] is the only solution that can detect malware in real-time and has an active detection reaction, while the remaining approaches are not capable of real-time detection. However, this solution [154] is highly complicated, not cost-effective, and not adaptable for intelligent vehicles since it requires hardware modifications to the vehicle devices. As a result, the hardware changes that would have to be made to millions of vehicles will be difficult to handle and may be costly to vehicle owners and automakers as well.

The behavior-based detection technique has an advantage over the signature-based detection technique in detecting new malware generations (zero-day malware) that have never been seen before. The behavior-based detection technique, on the other hand, is difficult and complex to implement compared to the signature-based detection technique since it typically requires higher processing power and more resources. Although the behavior-based detection technique


TABLE 5. Survey of behaviour-based malware detection techniques.
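
Behavior-based detection over API-call sequences as discussed in Section V-B, as an added example that is not code from the paper or from the surveyed n-gram work [157]: a profile of call n-grams is learned from benign traces of a media player, and a new trace is scored by the share of its n-grams never seen before. The call names, the traces, n = 3 and the 0.5 threshold are constructed assumptions; the third trace shows the false-positive problem noted for this technique.

```python
"""Behavior-based detection: score an API-call trace against a benign n-gram profile.

Call names and traces are constructed for this example.
"""
from typing import Iterable, List, Sequence, Set, Tuple

NGram = Tuple[str, ...]


def ngrams(trace: Sequence[str], n: int) -> List[NGram]:
    """All contiguous length-n windows of a call trace (empty if the trace is shorter)."""
    if n <= 0:
        raise ValueError("n must be positive")
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(benign_traces: Iterable[Sequence[str]], n: int) -> Set[NGram]:
    """Learning phase: the set of n-grams observed during known-good executions."""
    profile: Set[NGram] = set()
    for trace in benign_traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(trace: Sequence[str], profile: Set[NGram], n: int) -> float:
    """Fraction of the trace's n-grams that never occurred in benign behavior."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


def classify(trace: Sequence[str], profile: Set[NGram], n: int = 3,
             threshold: float = 0.5) -> str:
    """Detection phase: flag the trace when too much of its behavior is unfamiliar."""
    return "suspicious" if anomaly_score(trace, profile, n) >= threshold else "benign"


# Constructed benign traces of a media player decoding an audio file.
BENIGN_TRACES = [
    ["open", "read", "decode_audio", "write_dac", "close"],
    ["open", "read", "decode_audio", "write_dac",
     "read", "decode_audio", "write_dac", "close"],
]
PROFILE = build_profile(BENIGN_TRACES, 3)

# Constructed trace: playback that unexpectedly opens a CAN socket and sends frames.
CAN_TRACE = ["open", "read", "decode_audio", "socket_can", "can_send", "can_send", "close"]
# Constructed trace: a legitimate player update that now reads tags before decoding.
UPDATED_PLAYER_TRACE = ["open", "read", "read_tags", "decode_audio", "write_dac", "close"]

if __name__ == "__main__":
    for label, trace in [("known", BENIGN_TRACES[0]), ("can", CAN_TRACE),
                         ("updated", UPDATED_PLAYER_TRACE)]:
        print(label, round(anomaly_score(trace, PROFILE, 3), 2), classify(trace, PROFILE))
```

The updated player is flagged although it is benign, so a deployed profile has to be retrained whenever legitimate software changes, which matches the obsolescence concern raised for behavior-based approaches over a vehicle's lifecycle.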


has the advantage of detecting most new malware generations, it has a lot of drawbacks when applied to safeguarding intelligent vehicles. For instance, the behavior-based detection approach is insufficient for recognizing and categorizing all of a program's behaviors as malicious or benign. As a result, an abnormally high rate of false positives or false negatives may occur [144], [158]. Furthermore, complex code obfuscation and evasion techniques might simply prevent malware from being properly assessed [143]. Additionally, compared to signature-based detection, the behavior-based detection approach is much more difficult to install and resource-intensive to execute on each vehicle. As a result, this technique might not be appropriate for resource-constrained in-vehicle devices that also require a lightweight solution. Furthermore, any behavior-based approach implemented on a vehicle today will almost certainly become obsolete over time and will need to be modified or replaced during the vehicle's long lifecycle [136].

C. HEURISTIC-BASED MALWARE DETECTION

The heuristic-based malware detection technique is used to examine program files for suspicious characteristics or emulate the execution of a program or chosen parts of the program to identify whether it will perform malicious activities or not [160]. This technique is known for its complexity since it relies on previous experiences and other methods such as data mining, rule-based methods and machine learning to learn the characteristics of a program in order to assess whether it is malicious or not. It is also used by a lot of existing antivirus software [161]. It is also capable of detecting a wide range of known and unknown malware [162]. This methodology can also allow the vehicle to identify malware without relying on off-board systems, even with zero-day malware that has never been detected before [3]. Although this technique is capable of detecting a wide range of known and unknown malware with a high degree of accuracy, it fails to identify most new malware generations and sophisticated malware as well [160]. Furthermore, it is vulnerable to advanced code obfuscation and evasion techniques that might simply prevent malware from being correctly detected [143].

Several researchers have proposed various heuristic-based malware detection techniques in the last decade [163]–[177]. A thorough comparison of heuristic-based detection solutions is included in Table 6. Some researchers [165], [170], [172], [177] have relied on static analysis to detect malware. For example, the authors of [165], [172] have proposed a method for detecting malware based on control flow graphs and opcodes extracted from disassembled executable files. Work by Zaker et al. [170] used Dynamic Link Libraries (DLLs) to detect malware. Other recent work by Suryati et al. [177] relied on an API calls network for detecting malware. These methods are effective at identifying known malware; however, they are insufficient for detecting unknown malware. These approaches are complex and prone to high false-positive rates. These methods are also incapable of identifying malware in real-time since they require a long time to detect malware, making them unsuitable for use in intelligent vehicles.

Additionally, researchers in [167], [174], [176] have relied on dynamic analysis for detecting malware. For instance, Shabtai et al. [167] proposed a dynamic method for detecting malware based on monitoring system opcode n-gram patterns. The authors of [174], [176] have proposed a dynamic graph-based method for detecting malware based on converting system calls to a graph. However, in addition to the high complexity and high computational time needed by these methods to detect malware, these methods fail to detect malware if the malware can hide its malicious behaviors. They are therefore unfit for use in intelligent cars. Other researchers have used hybrid analysis for detecting malware [163], [164], [166], [168], [169], [171], [173], [175]. For example, the authors of [163], [164] have used API calls and opcode sequences to detect malware. The remaining works [166], [168], [169], [171], [173], [175] relied on the graph-based method, in which the classification is done on the basis of a graph. For instance, in [166], the authors have implemented a solution against malware based on opcode similarity: in case of a malware attack, commands are present in the code that should not be present in a normal set of code. Other work by Narayanan et al. [173] proposed a hybrid method for detecting malware through online learning. The online machine learning-based framework was used to learn the new malware features over time. This approach was able to detect both known and unknown malware in real-time. However, this method [173] has high complexity and requires high computational power; hence, it is not feasible for intelligent vehicles due to the limited computing power of the ECUs to carry out such a complex process. Furthermore, the response time of this method, from data collection to detection, frequently results in a partially damaged vehicle system, putting drivers at risk.

The heuristic-based detection technique outperforms both signature-based detection and behavior-based detection techniques in detecting unknown malware. In contrast to signature-based detection and behavior-based detection techniques, the heuristic-based detection technique is more difficult and complex to execute since it generally needs more computing power and resources. Although heuristic-based detection offers the benefit of detecting unknown malware, it has a number of limitations when it comes to protecting intelligent cars. For example, this technique might fail to detect new malware generations, as well as sophisticated malware [160]. It's also vulnerable to complex code obfuscation and evasion techniques, which might prevent malware from being identified appropriately [143]. Additionally, this technique is known for its complexity because it depends on prior experiences and other approaches such as data mining and machine learning to learn the features of a program in order to determine whether it behaves maliciously or not [160]. As a result, this technique might not be suitable for resource-constrained in-vehicle


TABLE 6. Survey of heuristic-based malware detection techniques.


gadgets that also need to be light. Furthermore, any heuristic-based solution deployed on a vehicle today would almost definitely become obsolete over time, requiring modification or replacement at some point throughout the vehicle's lengthy lifespan [136].

D. CLOUD-BASED MALWARE DETECTION

Cloud computing has grown a lot in popularity in the last decade since it provides a lot of benefits, including easy access, on-demand storage, and reduced prices. Because the cloud became so popular in the last ten years, it has also been utilized recently to detect malware. The cloud-based malware detection technique employs a variety of detection agents that are hosted on cloud servers and provides security as a service. Furthermore, a user can submit any type of file and obtain a report indicating whether the submitted file is malware or not [178]. The main advantage of the cloud-based malware detection technique is that it can enhance the detection performance of PCs, mobile devices and vehicular systems with significantly huge malware databases and ponderous computing resources. Another advantage of this technique is that installations, configurations and setups are updated regularly. However, the cloud-based malware detection technique has significant drawbacks. For example, the internet connection must constantly be fast and always available in order to work properly, but this is not always the case. Furthermore, in the cloud, real-time monitoring of all files is not possible. Additionally, this technique is vulnerable to obfuscation and evasion techniques [17].

Recently, several researchers have used cloud-based techniques to analyze and identify malware [178]–[194]. Table 7 shows a detailed comparison of cloud-based malware detection solutions. Researchers in [178], [181], [189] have relied on static analysis to detect malware. For example, Ye et al. [178] have used file content and file relations features for detecting malware. Similarly, work by Li et al. [189] proposed a static method to detect malware based on n-gram string features. However, in addition to the high cost and high overhead of these methods, they are not up to the task of detecting unknown malware. These methods are also inappropriate for usage in intelligent cars since they

In addition, several studies have looked into the use of hybrid analysis to detect malware [179], [180], [182]–[187]. For example, Jarabek et al. [180] have proposed a web-based method for detecting malware based on file scanning services. However, this method can't keep track of all files in the cloud in real-time. The authors of [182], [186] have proposed monitoring system parameters, such as API calls, file contents and permissions, as features for detecting malware. However, these approaches might fail in detecting malware in the cloud if the malware can disguise its harmful activities. Other work by Yadav et al. [187] proposed a hybrid approach for detecting malware by utilizing fuzzy k-means and a deep neural network in the cloud. However, this technique requires a large quantity of data for training and hence consumes enormous time for training, making it unsuitable for use in current intelligent cars.

The cloud-based malware detection technique has a number of advantages over conventional malware detection techniques, including quick access, on-demand storage, and lower pricing. The major benefit of using a cloud-based malware detection approach is that it may improve the detection performance of any system with large malware databases and a lot of processing power. Another benefit of this approach is that installations and setups are all updated on a regular basis. However, it has a lot of drawbacks when it comes to protecting intelligent vehicles. For example, this technique is subject to sophisticated code obfuscation and evasion techniques, which may make malware difficult to detect in the cloud [17]. Another issue with this approach is that real-time monitoring of all files in the cloud is not possible, making it impractical for implementation in intelligent vehicles. Additionally, this technique requires a reliable internet connection in order to work properly for security implementation; if for some reason the internet connection is lost, security can be compromised. As a result, this technique might not be safe enough to apply to intelligent vehicles. But with the advent of high-speed 5G technology [20], this technique might be safer to apply to intelligent vehicles.

E. MACHINE LEARNING-BASED MALWARE DETECTION

For many years, machine learning methods have been
are incapable of detecting malware in real-time because employed to identify malware [195]. Naive Bayes (NB),
they need a long time to detect malware. In recent stud- bayesian network (BN), logistic regression (LR), logistic
ies, dynamic analysis has been utilized in the cloud to model trees (LMT), C4.5 decision tree variant (J48), sequen-
detect malware [188], [190]–[194]. For instance, the authors tial minimal optimization (SMO), random forest tree (RF),
of [188], [192] have proposed a dynamic method for detect- multilayer perceptron (MLP), k-nearest neighbor (KNN),
ing malware based on monitoring system calls. Similarly, and support vector machine (SVM) are examples of well-
work by Mishra et al. [194] proposed a dynamic method known machine learning algorithms that have been used
to detect malware based on n-gram features. The authors for many years in malware detection [195]. Although each
of [191], [193] have used hardware features and hardware algorithm has its own set of benefits and drawbacks, it is
performance counters to detect malware. However, in addi- impossible to say that one is more effective than the other.
tion to the additional resources and sophisticated hardware However, one algorithm can outperform other algorithms in
changes that these approaches necessitate, they are unable to terms of the distribution of data, the amount of features,
detect malware in real-time since they need a long time to and the correlations between characteristics and attributes as
identify malware. Unfortunately, because of these drawbacks, well [195]. Deep Learning is a subfield of machine learning
these approaches are unsuitable for intelligent vehicles. that evolved from artificial neural networks (ANN) that learn


TABLE 7. Survey of cloud-based malware detection techniques.


from examples. It is a novel methodology that is extensively employed in image processing, voice control, intelligent vehicles, and recently in malware detection as well [196]. It seems highly effective, dramatically lowers the feature space, and is powerful at detecting malware. However, it can be deceived by obfuscation and evasion attacks. Furthermore, building a hidden layer requires a lot of time, and adding more hidden layers seldom improves model performance [197].

In the last decade, researchers have proposed various machine learning-based malware detection techniques [198]–[221]. Table 8 and Table 9 show a detailed comparison of machine learning-based malware detection solutions. Some researchers have used machine learning for detecting malware based on static features [201], [204], [207], [212], [214], [217], [218], [220]. For example, the authors of [201], [204], [207], [212], [214], [218], [220] have used static features such as system calls, strings, byte sequences, DLLs, data flow, native opcodes and image features for detecting malware. However, these methods may fail to identify malware if the malware is able to hide its destructive activities and its contents. Furthermore, the time it takes for these methods to respond from data collection to detection usually results in a partially damaged system, making them unsuitable for use in intelligent vehicles. Other work by Sayadi et al. [217] proposed a novel method for detecting malware based on microarchitectural features. However, in addition to the high computational time and sophisticated hardware changes that are needed by this method to detect malware, this method is also incapable of identifying malware in real-time, making it inappropriate for intelligent cars.

Other researchers have relied on dynamic features for detecting malware [198], [202], [210], [215], [221]. For instance, the authors of [210], [215] have used dynamic features such as behavior features, API calls and opcode sequences for detecting malware. However, if malware is able to disguise its behaviors and contents, these approaches may fail to detect it. In addition, the time it takes these approaches to respond from data collection to detection generally results in a largely infected system, making them unsuitable for use in intelligent cars. Other work by Ghanei et al. [221] used hardware performance counters as features for detecting malware. However, in addition to the high detection time and complex hardware modifications required to detect malware, this approach is also incapable of detecting malware in real-time, making it unsuitable for modern cars. A large portion of existing machine learning-based malware detection techniques relied on hybrid features to detect malware [199], [200], [203], [205], [206], [208], [210], [211], [213], [215], [219]. For example, the authors of [199], [200], [203], [205], [206], [208], [210], [213], [215], [219] have used system calls, instructions, image features, API calls, data flow, network flow, API call sequences and permissions as features for detecting malware. However, these methods may be ineffective if malware is able to conceal its harmful actions and contents, making them inappropriate for modern vehicles. Other work by Sayadi et al. [211] proposed a novel approach for detecting malware based on hardware performance counters. However, this approach is not adaptable for intelligent vehicles since it requires hardware modifications to be made to vehicle devices. As a result, the hardware modifications that would be required for millions of vehicles would be difficult to implement and might be costly to both vehicle owners and automakers.

The machine learning-based malware detection technique provides several advantages over traditional malware detection techniques, including the ability to detect both known and unknown malware, and improved detection accuracy. However, it has a lot of limitations when applied to safeguarding intelligent vehicles. For instance, the machine learning-based malware detection technique can be deceived by complex code obfuscation and evasion techniques that make malware difficult to identify [197]. Furthermore, this technique needs an abundant amount of data for training. As a result, it takes a long time to train for this method, rendering it unsuitable for usage in today’s intelligent vehicles. Additionally, most of the solutions that relied on this technique have been suggested and tested on datasets and are not suitable for real-time detection. The non-real-time detection approaches are inappropriate and ineffective for intelligent cars because if a vehicle is attacked with malware, the malware must be identified in real-time in order to ensure the safety of the driver and passengers.

F. INTRUSION DETECTION SYSTEM
The need for an efficient intrusion detection system (IDS) for modern vehicles is becoming one of the most essential security components as these vehicles are exposed to a huge number of threats. To this end, several IDSs to detect vehicle attacks have been explored in multiple bodies of work. For example, Lee et al. [107] and Song et al. [222] proposed techniques for detecting an intrusion based on analysis of the CAN data time interval by monitoring the request time and response time of the CAN data traffic. Although these techniques are lightweight, they have limitations, especially when in-vehicle environments change frequently, as they require a lot of data updates. Müter et al. [223], [224] proposed an IDS based on monitoring the state of the CAN bus traffic and the entropy of in-vehicle networks. Despite the fact that this technique does not need any hardware modifications, it is unable to detect irregular incoming messages.

In addition, multiple bodies of work have adopted physical fingerprinting techniques for IDSs [228], [229], [235]. For instance, Avatefipour et al. [229] proposed a physical fingerprinting technique based on physical ECU features and the physical channel features to detect spoofing attacks. However, this technique can fail when the channel length is increased, which makes the physical ECU features negligible. Other work by [228] proposed a clock-based intrusion detection system (CIDS) for fingerprinting each ECU based on using the clock skew characteristic of ECUs. Despite the efficiency of their technique, it is demonstrated that CIDS


TABLE 8. Survey of machine learning-based malware detection techniques: Part-1.


TABLE 9. Survey of machine learning-based malware detection techniques: Part-2.


may be defeated by a spoofing attacker who can observe the clock skew and adjust his transmission accordingly [236].

Additionally, several message authentication techniques have been explored by researchers to safeguard vehicles against attacks [225]–[227], [237]. For example, Oguma et al. [237] proposed a novel security architecture by adding a master ECU to the network in order to verify other ECUs in the same way as a verification server does. Groza et al. [227] proposed a broadcast authentication technique based on time synchronization and key chains. Similarly, work by Lin et al. [226] proposed a message authentication technique by sending extra messages, which places a higher burden on the CAN bus and hence reduces its available bandwidth. Other work by Herrewege et al. [225] proposed a message authentication system for the CAN bus by adding the Hash-based Message Authentication Code (HMAC) field to the CAN data frame. Although these approaches improve security, they are inefficient and unsuitable solutions for vehicles since they need additional resources and sophisticated hardware modifications to be made in the CAN protocol.

Several methods were recently proposed to detect intrusions on the CAN bus based on machine learning techniques [113], [230]–[234], [238], [239]. For instance, Theissler [231] proposed a novel IDS to detect an anomaly on the CAN bus based on multivariate time series. In order to identify both known and unknown fault types in various driving circumstances, an ensemble anomaly detector consisting of two-class and one-class classifiers was created. However, this method has drawbacks, particularly when the in-vehicle environment changes often; these drawbacks might include the constant requirement for calibration and data updates. Other work by Barletta et al. [233] proposed an IDS based on a combination of an unsupervised Kohonen Self-Organizing Map (SOM) network and the k-means algorithm. The CAN IDs, timestamp, DLC and data field were used as features in order to identify attack messages sent on the CAN bus. Minawi et al. [232] also suggested an IDS that uses machine learning and includes crucial warning capabilities to safeguard vehicle operations. The key features utilized to evaluate whether the communication was benign or malicious were the CAN ID and the Data field. Furthermore, Martinelli et al. [230] suggested an IDS based on the eight data bytes of a CAN packet as the main features for determining whether a message is benign or malicious. Another study by Hossain et al. [234] presented an IDS based on an LSTM deep learning model. For an in-vehicle CAN bus network attack, the CAN ID, DLC, and data field were exploited as features. Hanselmann et al. [238] developed an IDS based on an unsupervised neural network architecture to identify intrusions and abnormalities on the CAN bus, where the CAN IDs and timestamps were utilized as features. Additionally, the authors of [113], [239] proposed a graph-based IDS by converting the CAN bus messages into a temporal graph; machine learning techniques are then used to identify attack messages sent on the CAN bus. Although the aforementioned methods improve the vehicle’s security, they are not feasible for a vehicular network due to the limited computing power of the ECUs to carry out a complex process.

Table 10 shows a detailed comparison of the IDS-based solutions. We observe that some of these solutions can detect any anomalies on the CAN bus by using machine learning technology through different features such as CAN IDs, CAN bus data field, DLC, timestamp, entropy and graph features [107], [113], [224], [230]–[234]. The main benefits of these solutions are that they provide high accuracy and low false positive rates. However, in addition to the high complexity and high computational time required, these solutions lack the ability to detect critical attacks such as malware since these solutions rely on the data link layer and can’t detect an attack such as malware which relies on the application layer. Other IDS approaches like [228], [229] can detect any intrusions on the CAN bus by using a physical fingerprinting technique. Although such approaches provide some degree of security, they are unable to identify malware attacks that rely on the application layer because they rely on the physical layer. Other IDS methods such as [225]–[227] can detect any anomalies on the in-vehicle network by adding a message authentication system field to the CAN bus data frame. Although these methods provide a high detection rate and improve the vehicle’s security, in addition to the additional resources required and sophisticated hardware modifications needed, these methods lack the ability to detect malware attacks since they rely on the data link layer and not on the application layer. In summary, the aforementioned IDS solutions can’t detect malware attacks at the application level and may detect malware attacks at either the data link layer or the physical layer after the actual damage has likely occurred. Therefore, in addition to the need for an efficient IDS for intelligent vehicles at the data link and physical layers, an efficient malware defense system for modern cars at the application layer is also needed.

VI. OPEN ISSUES AND FUTURE DIRECTIONS
In the previous section, we reviewed malware detection approaches that have been proposed in the last decade based on the method used, the analysis method used, the target operating system, the detection and the response times, the data source, and the main benefits and drawbacks of each method. In this section, we first discuss the limitations of applying these approaches in securing and protecting intelligent vehicles against malware. Second, we discuss the security requirements that are needed in order to provide a successful and secure intelligent vehicle system. Finally, we summarize and discuss open research problems for the scientific community to address in order to meet the security requirements that are needed for a successful and secure intelligent vehicle system, and offer some recommendations for developing a more successful detection schema against malware for intelligent vehicles.
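The message authentication idea surveyed in Section V-F (an HMAC field carried with the CAN data frame [225]) can be illustrated with the following added example, which is not code from the paper or from the cited works. The payload layout (4 data bytes, 1 counter byte, 3 tag bytes inside the 8-byte classic CAN data field), the per-ID counter and the names `protect`, `Receiver` and `overhead_ratio` are assumptions of this sketch.

```python
"""Truncated-HMAC authentication inside an 8-byte classic CAN payload (added example)."""
import hashlib
import hmac
import struct

DATA_LEN = 4   # bytes left for the actual signal (assumed layout)
TAG_LEN = 3    # bytes of HMAC-SHA256 kept in the frame (assumed layout)
# Assumed payload layout: data[4] | counter low byte[1] | tag[3]


def _tag(key, can_id, counter, data):
    """MAC over CAN ID, full 32-bit counter and data, truncated to TAG_LEN."""
    msg = struct.pack(">HI", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def protect(key, can_id, counter, data):
    """Sender side: build the authenticated 8-byte payload."""
    if len(data) != DATA_LEN:
        raise ValueError("data must be exactly DATA_LEN bytes")
    return data + bytes([counter & 0xFF]) + _tag(key, can_id, counter, data)


class Receiver:
    """Verifies the tag and enforces a strictly increasing counter per CAN ID."""

    def __init__(self, key):
        self.key = key
        self.last = {}  # CAN ID -> last accepted counter

    def accept(self, can_id, payload):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if len(payload) != DATA_LEN + 1 + TAG_LEN:
            return None
        data = payload[:DATA_LEN]
        low = payload[DATA_LEN]
        tag = payload[DATA_LEN + 1:]
        nxt = self.last.get(can_id, -1) + 1
        # Smallest counter >= nxt whose low byte matches the one on the wire,
        # so lost frames are tolerated but old frames can never verify again.
        counter = nxt + ((low - nxt) & 0xFF)
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, data)):
            return None
        self.last[can_id] = counter
        return data


def overhead_ratio():
    """Fraction of the 8-byte payload spent on counter and tag."""
    return (1 + TAG_LEN) / (DATA_LEN + 1 + TAG_LEN)


if __name__ == "__main__":
    key = bytes(range(16))            # constructed demo key
    rx = Receiver(key)
    frame = protect(key, 0x0C4, 0, b"\x10\x27\x00\x00")
    print("first delivery :", rx.accept(0x0C4, frame))
    print("replayed frame :", rx.accept(0x0C4, frame))
    print("payload overhead:", overhead_ratio())
```

Half of every payload goes to the counter and tag, and the tag is only 24 bits long, which makes concrete the bandwidth and resource cost the section attributes to authentication on the CAN bus.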


TABLE 10. Survey of intrusion detection systems.
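The time-interval detection idea discussed in Section V-F [107], [222], and the data-update limitation noted there, can be seen in the following added example, which is not code from the paper or from the cited works. The candump-style log lines, CAN IDs, periods and the 0.5 threshold ratio are constructed assumptions.

```python
"""Time-interval IDS for periodic CAN traffic: added example on constructed data."""
from collections import defaultdict
from statistics import median


def make_log(start, period, can_id, count, data="0000000000000000"):
    """Build constructed candump-style lines: '(timestamp) iface ID#DATA'."""
    return [f"({start + i * period:.6f}) can0 {can_id}#{data}" for i in range(count)]


def parse(line):
    """Split one log line into (timestamp, CAN ID, payload bytes)."""
    ts, _iface, frame = line.split()
    can_id, _, data = frame.partition("#")
    return float(ts.strip("()")), can_id.upper(), bytes.fromhex(data)


def frames(lines):
    """Parsed frames in timestamp order, as a bus monitor would see them."""
    return sorted(map(parse, lines))


def learn_periods(lines, min_samples=5):
    """Median inter-arrival time per CAN ID, learned from attack-free traffic."""
    last, gaps = {}, defaultdict(list)
    for ts, can_id, _data in frames(lines):
        if can_id in last:
            gaps[can_id].append(ts - last[can_id])
        last[can_id] = ts
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_samples}


def detect(lines, periods, ratio=0.5):
    """Alert on IDs absent from the baseline and on frames that arrive sooner
    than ratio * learned period after the previous frame with the same ID."""
    last, alerts = {}, []
    for ts, can_id, data in frames(lines):
        if can_id not in periods:
            alerts.append((ts, can_id, "unknown-id", data.hex()))
        elif can_id in last and ts - last[can_id] < ratio * periods[can_id]:
            alerts.append((ts, can_id, "short-interval", data.hex()))
        last[can_id] = ts
    return alerts


# Constructed traffic: 0C4 is sent every 10 ms and 1A0 every 100 ms.
BASELINE = make_log(100.0, 0.010, "0C4", 50) + make_log(100.003, 0.100, "1A0", 10)
# Constructed injection: forged 0C4 frames 2 ms after each genuine one, plus one
# frame with an ID the baseline never saw.
ATTACK = (make_log(200.0, 0.010, "0C4", 20)
          + make_log(200.002, 0.010, "0C4", 20, data="ffffffffffffffff")
          + make_log(200.055, 1.0, "5F3", 1, data="0102030405060708"))
# Constructed benign change: the same ID legitimately switches to a 4 ms period.
MODE_CHANGE = make_log(300.0, 0.004, "0C4", 10)

if __name__ == "__main__":
    periods = learn_periods(BASELINE)
    for alert in detect(ATTACK, periods):
        print(alert)
    print("alerts on benign period change:", len(detect(MODE_CHANGE, periods)))
    print("after re-learning the baseline:",
          len(detect(MODE_CHANGE, learn_periods(MODE_CHANGE))))
```

The benign period change is flagged until the baseline is re-learned, which is the need for data updates that the section gives as the weakness of interval-based detection.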


A. EXISTING TECHNIQUES LIMITATIONS IN SECURING INTELLIGENT VEHICLES AGAINST MALWARE
Despite the fact that malware detection techniques are improving day over day, the following limitations of applying these malware detection techniques to intelligent vehicles remain unresolved issues.
• All present approaches [120]–[135], [144]–[159], [163]–[194], [198]–[221] are vulnerable to various types of obfuscation and evasion techniques as new malware generations utilize various sorts of obfuscation and evasion techniques to disguise themselves. For example, some kinds of malware employ throttled execution in order to evade detection [240], [241]. Malware can use this technique on vehicles to throttle its execution across multiple ECUs in order to evade detection. Other forms of malware take advantage of multi-core processors, as well as other capabilities like hyper-threading in order to spread malware activity across several cores to evade detection, as well as speed up execution to outrun any preventative measures taken by a victim or system administrator [242], [243]. Malware also can use this technique on vehicles to spread its activity across multiple ECUs’ threads in order to evade detection. Other sorts of malware can add dummy instructions to their code to make it look different [244], or use instruction substitution to change their code by substituting equivalent instructions for some of them [245], or use code transposition to reorder the sequence of instructions in their code [246], or use subroutine reordering to obfuscate their code by randomly rearranging their subroutines [247]. Consequently, malware can evade detection and avoid being properly analyzed by employing such techniques. As a result, these approaches [120]–[135], [144]–[159], [163]–[194], [198]–[221] are unsuitable for use in intelligent vehicles due to concerns about passenger safety.
• All of the current approaches [120]–[135], [144]–[159], [163]–[194], [198]–[221] might fail to detect new malware generations, as well as sophisticated malware. As a result, these approaches are inappropriate for use in intelligent vehicles due to concerns regarding the safety of drivers and passengers. Furthermore, with the exception of cloud-based approaches, all approaches cannot be used for intelligent vehicles since they need to be updated regularly in order to handle any potential new malware during the vehicle’s long lifespan [136]. Besides, updating them on a regular basis on millions of vehicles would be difficult to handle and can be costly for both vehicle owners and automakers. Cloud-based approaches have an edge over other approaches since all installations and configurations are updated on a regular basis in the cloud. Therefore, we believe cloud-based malware detection will be a feasible solution for safeguarding intelligent vehicles against malware attacks in the future, especially with the advent of high speed 5G technology [20].
• Malware detection in real time is a real challenge. The majority of malware detection approaches in the last decade [120]–[135], [144]–[159], [163]–[194], [198]–[221] have been proposed and validated to detect malware using datasets and are not suitable for real-time detection. The issue with these non-real-time approaches is that they are unsuitable for intelligent vehicles because if the vehicle is infected with malware, the malware must be detected in real-time in order to ensure the safety of the drivers and passengers.
• There is no well-known and widely recognized dataset that can be used to assess the effectiveness of malware detection methods [120]–[135], [144]–[159], [163]–[194], [198]–[221]. Although each malware detection technique has its own set of advantages and disadvantages, it is difficult to say that one is more effective than the other. This is due to the fact that each malware detection technique uses different malware and datasets.
• According to our findings, we observe that there are only two malware detection methods [154], [173] that can detect malware in real time. However, these methods [154], [173] need a lot of computational resources, which makes them infeasible for intelligent vehicles due to the limited computational resources of the ECUs and CAN bus. Furthermore, these methods [154], [173] are not cost-efficient and are not adaptable for intelligent vehicles since they need sophisticated hardware modifications. As a result, these methods may not be suitable for resource-constrained in-vehicle devices that also need to be lightweight.
• All present IDS approaches [107], [113], [224]–[234] cannot identify malware attacks at the application level, but they may detect malware attacks at the data link layer or physical layer after the actual damage has likely happened. As a result, in addition to the need for an effective IDS for intelligent vehicles at the data link and physical layers, modern cars also require an effective defense system at the application layer in order to safeguard them against malware.

B. SECURITY REQUIREMENTS TO SECURING INTELLIGENT VEHICLES
In this section, we discuss four essential requirements for securing intelligent vehicles. These are critical security criteria for every communication system. These requirements are authentication, integrity, privacy, and availability. Each requirement is presented below along with its description.

1) AUTHENTICATION
It means that access to any information or vehicle’s data must be given only to authorized users and parties. By giving authorization to specific users and parties to access any information or vehicle’s data, malware attacks and unauthorized manipulations can be prevented from happening. In this way, the vehicle’s network system can be more protected by only


giving authorization to certain users and parties. The key management and distribution must be efficient and accurate in order to meet this requirement [248].

2) INTEGRITY
It refers to the validity of data between the sender and the recipient of a communication system. The most basic criterion of communication system integrity is that the data received is correct and not tampered with intentionally. It is important to check the honesty of the message that is being sent in the vehicle’s network system. The message has to be validated to make sure that it hasn’t been manipulated or corrupted by malware, or by some other factors such as noise and fading. Error detection and correction codes must be developed to ensure the integrity of any communication system [248].

3) PRIVACY
Intelligent vehicles tend to share information with each other (such as Vehicle-to-Vehicle communication) and with the surrounding infrastructure (Vehicle-to-Infrastructure communication) [249]. Therefore, privacy plays a big role in protecting the vehicle’s information from being used for unauthorized behaviors such as using the information to spy on vehicles and access their private data [38].

4) AVAILABILITY
It refers to the fact that authorized users have access to the systems and resources they need. Improving the chances of all targeted vehicles receiving information is critical in vehicular networks. Continuous availability is tough to accomplish under normal working settings, and it gets more and more challenging when updates and patches are required at various points. It is critical that network activities continue and that the cars remain unaffected. The availability of services at all times is critical. As a result, the needed redundancy for this purpose must be appropriately implemented [250].

C. RECOMMENDATIONS AND FUTURE DIRECTIONS
One of the biggest challenges that automakers face is finding solutions against malware attacks and creating a full immunity system to combat this threat. Although the existing defenses are some of the most effective approaches of building structural defenses against malware attacks, there are still some challenges and issues that need further investigation and study. There are additional potential solutions that could be implemented to provide great protection and immunity against malware attacks. Some additional potential solutions and directions that will enhance intelligent vehicles’ security and that need to be addressed to meet the security requirements for securing intelligent vehicles are presented below.

1) AUTHENTICATION SYSTEM USING Li-Fi TECHNOLOGY
A lightweight cryptographic authentication system, if implemented, would boost security in intelligent vehicles. This would provide a secure, efficient and flexible method that is able to handle complicated transportation circumstances [251]. The main idea of creating a lightweight cryptographic authentication system has been in key extraction, key establishment and key distribution. Major milestones have been achieved in protocols such as key extraction using wireless fading channels [252], key establishment using keyless cryptography technology [253] and key distribution using Light Fidelity (Li-Fi) [254]. It has been proven that Li-Fi technology can accomplish high-speed wireless communication of over 3 Gb/s compared to Wi-Fi. Furthermore, Li-Fi technology further provides security by avoiding interception and eavesdropping. For these reasons, there has been increased interest in integrating Li-Fi technology in intelligent vehicle design to be used for the authentication system in intelligent vehicles [254]. Alongside implementing an authentication system, security criteria must be met in order to provide successful and secure protection to the vehicle’s system.

2) FIREWALL SYSTEM
Although malware attacks can be destructive to intelligent vehicles with their different entry points, there are many ways that can be implemented to defend against malware attacks. An intelligent vehicle’s system tends to receive updates more often. Therefore, the reliability of the source that is sending that information must be checked to make sure malware doesn’t get injected into the intelligent vehicle’s network. A network security device such as a firewall should be implemented to monitor and block unwanted data [255]. The firewall’s main purpose is to filter any data that enters the system and reject malware attack vectors that have been recognized as a threat. Alongside applying a network security device, security requirements need to be satisfied in order to provide successful and secure protection to the vehicle’s system.

3) DEEP LEARNING USING OFFLOADING COMPUTATION MECHANISM
Intelligent deep learning such as neural network technology is a great way to detect vulnerabilities and eliminate malware attacks in intelligent vehicle systems. Because this technology is more accurate and performs better than machine learning technology in malware detection, it is worth considering this advanced technological approach for intelligent vehicle systems [256]. Deep learning, on the other hand, requires a lot of computing resources and capabilities in the vehicle’s ECUs, which leads to memory overloading for deep learning implementation in ECUs owing to the vehicle’s ECUs’ limited computation resources. However, the offloading computation mechanism was found to be a possible solution to the limited computation resources of the vehicle’s ECUs by transferring the resource intensive computational tasks to a separate processor such as an external platform, a hardware accelerator, a cluster, grid, or cloud server at the network edge [257]. The future of intelligent vehicles is quite promising with deep learning using the offloading computation mechanism towards a faster and more secure vehicle system.


4) SOFTWARE DEFINED SECURITY
Intelligent vehicles need to be able to detect malware attacks efficiently and effectively. Therefore, the software defined security system can be a reliable solution to detect and eliminate malware threats and further improve network security for intelligent vehicles by forwarding the security threat characteristics and traffic parameters for forensic analysis. Software defined security refers to the use of software defined platforms to automate threat detection and mitigation. This can be accomplished by adopting an open flow protocol, Network Function Virtualization (NFV) and Software-Defined Networking (SDN) that uses a multi-layered open virtual switch with a programmatic extension principle that allows automation of threat detection and elimination on a bigger scale [258]. This form of dynamic solution to threats will provide security for intelligent vehicles against malware attacks.

5) CLOUD-BASED SOLUTION USING 5G TECHNOLOGY
It is another potential future route for intelligent vehicles since it offers several advantages, such as simple access, on-demand storage, and lower pricing. Furthermore, installations, settings, and setups are all updated on a regular basis with this method. It also can improve the malware detection performance of the intelligent vehicle’s system with large malware datasets and ponderous computing resources. It also can fix the resource allocation issues of the intelligent vehicle’s system by storing the data acquired at each ECU in the cloud; the training and testing can also be performed in the cloud to see whether the data is authentic or not. This solution of sending data to the cloud would have been impractical a few years ago since the internet connection was not fast and always

technique. Finally, a future direction is provided to further improve the immunity for the system of intelligent vehicles to protect it against malware attacks.

REFERENCES
[1] R. N. Charette, “This car runs on code,” IEEE Spectr., vol. 46, no. 3, p. 3, Feb. 2009.
[2] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohn, “Comprehensive experimental analyses of automotive attack surfaces,” in Proc. USENIX Secur. Symp., vol. 4, San Francisco, CA, USA, 2011, pp. 447–462.
[3] L. Delgrossi and T. Zhang, Vehicle Safety Communications: Protocols, Security, and Privacy, vol. 103. U.K.: J. Inf. Secur. Appl., 2012.
[4] M. Ring, D. Frkat, and M. Schmiedecker, “Cybersecurity evaluation of automotive E/E architectures,” in Proc. ACM Comput. Sci. Cars Symp. (CSCS), 2018, pp. 1–7.
[5] L. O’Carroll, “Scientist banned from revealing codes used to start luxury cars,” Guardian, vol. 27, Jul. 2013. [Online]. Available: http://www.theguardian.com/technology/2013/jul/26/scientist-banned-revealing-codes-cars
[6] A. Francillon, B. Danev, and S. Capkun, “Relay attacks on passive keyless entry and start systems in modern cars,” in Proc. Netw. Distrib. Syst. Secur. Symp. (NDSS). Zürich, Switzerland: Eidgenössische Technische Hochschule Zürich, Department of Computer Science, 2011, pp. 1–16.
[7] I. Rouf, R. D. Miller, H. A. Mustafa, T. Taylor, S. Oh, W. Xu, M. Gruteser, W. Trappe, and I. Seskar, “Security and privacy vulnerabilities of in-car wireless networks: A tire pressure monitoring system case study,” in Proc. USENIX Secur. Symp., vol. 10, 2010, pp. 1–16.
[8] I. Studnia, V. Nicomette, E. Alata, Y. Deswarte, M. Kaaniche, and Y. Laarouchi, “Survey on security threats and protection mechanisms in embedded automotive networks,” in Proc. 43rd Annu. IEEE/IFIP Conf. Dependable Syst. Netw. Workshop (DSN-W), Jun. 2013, pp. 1–12.
[9] A. Greenberg, “Hackers reveal nasty new car attacks–with me behind the wheel,” (Video), Forbes, Mumbai, India, Tech. Rep., Jul. 2013. [Online]. Available: https://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-newcar-attacks-with-me-behind-the-wheel video/#6677f02228c7
[10] O. Solon, “Team of hackers take remote control of Tesla models from 12 miles away,” Guardian, vol. 20, Sep. 2016. [Online]. Available: https://www.theguardian.com
[11] C. Miller and C. Valasek, “Remote exploitation of an unaltered passenger
available, but with the advent of high speed 5G [20], it is vehicle,’’ Black Hat USA, vol. 2015, p. 91, Aug. 2015.
now practical to store data in cloud. The future of intelligent [12] Z. Cai, A. Wang, W. Zhang, M. Gruffke, and H. Schweppe, ‘‘0-days
& mitigations: Roadways to exploit and secure connected BMW cars,’’
vehicles looks bright, thanks to cloud solutions that leverage Black Hat USA, vol. 2019, p. 39, Aug. 2019.
5G technology to create a quicker and more secure vehicle [13] M. Dunn, ‘‘Toyota’s killer firmware: Bad design and its consequences,’’
system. EDN Netw., vol. 28, Oct. 2013. [Online]. Available: http://www.edn.
com/design/automotive/4423428/Toyota-s-killer-firmware-Bad-design-
VII. CONCLUSION and-its-consequences
[14] M. Dibaei, X. Zheng, K. Jiang, R. Abbas, S. Liu, Y. Zhang, Y. Xiang,
In this paper, we first present a great depth description of the and S. Yu, ‘‘Attacks and defences on intelligent connected vehicles: A
architecture of intelligent vehicles. We also identify the secu- survey,’’ Digit. Commun. Netw., vol. 6, no. 4, pp. 399–421, Nov. 2020.
rity issues and vulnerabilities of intelligent vehicles in order [15] M. H. Eiza and Q. Ni, ‘‘Driving with sharks: Rethinking connected
vehicles with vehicle cybersecurity,’’ IEEE Veh. Technol. Mag., vol. 12,
to illustrate the lack of protection against malware attacks. no. 2, pp. 45–51, Jun. 2017.
Furthermore, this paper discusses the most common types [16] CAN-Bus Specifications Report, Robert Bosch, Stuttgart, Germany, 1983.
[17] T. Zhang, H. Antunes, and S. Aggarwal, ‘‘Defending connected vehicles
of malware that might infiltrate intelligent vehicles to show against malware: Challenges and a solution framework,’’ IEEE Internet
how each type of malware could be different than another. Things J., vol. 1, no. 1, pp. 10–21, Feb. 2014.
Additionally, different entry points for malware to infect [18] M. Sauerwald, ‘‘Can bus Ethernet or FPD-link: Which is best for
automotive communications,’’ Analog Appl. J., vol. 1Q, pp. 20–22,
intelligent vehicles were covered in this paper to emphasize 2014. Accessed: Feb. 4, 2016. [Online]. Available: http://www.ti.com/lit/
the importance of protecting those aspects. A comprehensive an/slyt560/slyt560.pdf
[19] D. G. Yang, K. Jiang, D. Zhao, C. Yu, Z. Cao, S. Xie, Z. Xiao, X. Jiao,
survey of malware detection techniques is also discussed S. Wang, and K. Zhang, ‘‘Intelligent and connected vehicles: Current
and further categorized into five categories, i.e. signature- status and future perspectives,’’ Sci. China Technol. Sci., vol. 61, no. 10,
based malware detection techniques, behavior-based mal- pp. 1446–1471, Oct. 2018.
[20] M. H. Eiza, Q. Ni, and Q. Shi, ‘‘Secure and privacy-aware cloud-assisted
ware detection techniques, heuristic-based malware detection video reporting service in 5G-enabled vehicular networks,’’ IEEE Trans.
techniques, cloud-based malware detection techniques, and Veh. Technol., vol. 65, no. 10, pp. 7868–7881, Oct. 2016.
machine learning-based malware detection techniques. Each [21] X. Wu, S. Subramanian, R. Guha, R. G. White, J. Li, K. W. Lu,
A. Bucceri, and T. Zhang, ‘‘Vehicular communications using DSRC:
of these techniques has certain advantages and disadvantages, Challenges, enhancements, and evolution,’’ IEEE J. Sel. Areas Commun.,
we discussed the advantages and disadvantages of each vol. 31, no. 9, pp. 399–408, Sep. 2013.


[22] S. Corrigan, “Introduction to the controller area network (CAN),” USA, Appl. Rep. SLOA101, Aug. 2002, pp. 1–17.
[23] S. Asano, T. Maruyama, and Y. Yamaguchi, “Performance comparison of FPGA, GPU and CPU in image processing,” in Proc. Int. Conf. Field Program. Log. Appl., Aug. 2009, pp. 126–131.
[24] S. Bunzel, “AUTOSAR—The standardized software architecture,” Informatik-Spektrum, vol. 34, no. 1, pp. 79–83, Feb. 2011.
[25] S. Adarsh, S. M. Kaleemuddin, D. Bose, and K. I. Ramachandran, “Performance comparison of infrared and ultrasonic sensors for obstacles of different materials in vehicle/robot navigation applications,” IOP Conf. Ser., Mater. Sci. Eng., vol. 149, Sep. 2016, Art. no. 012141.
[26] B. S. Lim, S. L. Keoh, and V. L. L. Thing, “Autonomous vehicle ultrasonic sensor vulnerability and impact assessment,” in Proc. IEEE 4th World Forum Internet Things (WF-IoT), Feb. 2018, pp. 231–236.
[27] W. Menzel and A. Moebius, “Antenna concepts for millimeter-wave automotive radar sensors,” Proc. IEEE, vol. 100, no. 7, pp. 2372–2379, Jul. 2012.
[28] D. G. Johnson, “Development of a high resolution MMW radar employing an antenna with combined frequency and mechanical scanning,” in Proc. IEEE Radar Conf., May 2008, pp. 1–5.
[29] X. Wang, L. Xu, H. Sun, J. Xin, and N. Zheng, “Bionic vision inspired on-road obstacle detection and tracking using radar and visual information,” in Proc. 17th Int. IEEE Conf. Intell. Transp. Syst. (ITSC), Oct. 2014, pp. 39–44.
[30] Y. Fang, I. Masaki, and B. Horn, “Depth-based target segmentation for intelligent vehicles: Fusion of radar and binocular stereo,” IEEE Trans. Intell. Transp. Syst., vol. 3, no. 3, pp. 196–202, Sep. 2002.
[31] M. Bertozzi, A. Broggi, and A. Fascioli, “Vision-based intelligent vehicles: State of the art and perspectives,” Robot. Auto. Syst., vol. 32, no. 1, pp. 1–16, 2000.
[32] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, “Experimental security analysis of a modern automobile,” in Proc. IEEE Symp. Secur. Privacy, 2010, pp. 447–462.
[33] F. Sommer, J. Dürrwang, and R. Kriesten, “Survey and classification of automotive security attacks,” Information, vol. 10, no. 4, p. 148, Apr. 2019.
[34] S. Bharati, P. Podder, M. R. H. Mondal, and M. R. Alam Robel, “Threats and countermeasures of cyber security in direct and remote vehicle communication systems,” 2020, arXiv:2006.08723.
[35] C. Valasek and C. Miller, “Adventures in automotive networks and control units,” in Proc. DEF CON, 2013, pp. 260–264.
[36] D. Klinedinst and C. King, “On board diagnostics: Risks and vulnerabilities of the connected vehicle,” Softw. Eng. Inst., Carnegie Mellon Univ., Pittsburgh, PA, USA, Tech. Rep., 2016, vol. 10.
[37] H. Onishi, K. Wu, K. Yoshida, and T. Kato, “Approaches for vehicle cyber-security in the US,” Int. J. Automot. Eng., vol. 8, no. 1, pp. 1–6, 2017.
[38] C. Bernardini, M. R. Asghar, and B. Crispo, “Security and privacy in vehicular communications: Challenges and opportunities,” Veh. Commun., vol. 10, pp. 13–28, Oct. 2017.
[39] (2018). Bleepingcomputer Report. [Online]. Available: https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking
[40] (2016). Latimes Report. [Online]. Available: https://www.latimes.com/business/la-fi-hy-mystery-car-stealing-device-20161207-story.html/
[41] K. Jaisingh, K. El-Khatib, and R. Akalu, “Paving the way for intelligent transport systems (ITS): Privacy implications of vehicle infotainment and telematics systems,” in Proc. 6th ACM Symp. Develop. Anal. Intell. Veh. Netw. Appl., Nov. 2016, pp. 25–31.
[42] H. J. Jo, W. Choi, S. Y. Na, S. Woo, and D. H. Lee, “Vulnerabilities of Android OS-based telematics system,” Wireless Pers. Commun., vol. 92, no. 4, pp. 1511–1530, 2017.
[43] J. Petit, B. Stottelaar, M. Feiri, and F. Kargl, “Remote attacks on automated vehicles sensors: Experiments on camera and LiDAR,” in Proc. Black Hat Eur., vol. 11, 2015, p. 2015.
[44] C. Yan, W. Xu, and J. Liu, “Can you trust autonomous vehicles: Contactless attacks against sensors of self-driving vehicle,” Defcon, vol. 24, no. 8, p. 109, 2016.
[45] P. Kleberger, T. Olovsson, and E. Jonsson, “Security aspects of the in-vehicle network in the connected car,” in Proc. IEEE Intell. Vehicles Symp. (IV), Jun. 2011, pp. 528–533.
[46] D. K. Nilsson and U. E. Larson, “Simulated attacks on can buses: Vehicle virus,” in Proc. IASTED Int. Conf. Commun. Syst. Netw. (AsiaCSN), 2008, pp. 66–72.
[47] X. Li, Y. Yu, G. Sun, and K. Chen, “Connected vehicles’ security from the perspective of the in-vehicle network,” IEEE Netw., vol. 32, no. 3, pp. 58–63, May 2018.
[48] H.-L. Liu, J.-S. Ma, S.-Y. Zhu, Z.-J. Lu, and Z.-L. Liu, “Practical contactless attacks on Hitag2-based immobilizer and RKE systems,” in Proc. Int. Conf. Comput., Commun. Netw. Technol., 2018, pp. 505–512.
[49] M. Dibaei, X. Zheng, K. Jiang, S. Maric, R. Abbas, S. Liu, Y. Zhang, Y. Deng, S. Wen, J. Zhang, Y. Xiang, and S. Yu, “An overview of attacks and defences on intelligent connected vehicles,” 2019, arXiv:1907.07455.
[50] S. Nie, L. Liu, and Y. Du, “Free-fall: Hacking Tesla from wireless to CAN bus,” Briefing, Black Hat USA, vol. 25, pp. 1–16, Jul. 2017.
[51] O. Nakhila, E. Dondyk, M. F. Amjad, and C. Zou, “User-side Wi-Fi evil twin attack detection using SSL/TCP protocols,” in Proc. 12th Annu. IEEE Consum. Commun. Netw. Conf. (CCNC), Jan. 2015, pp. 239–244.
[52] M. Vanhoef and F. Piessens, “Denial-of-service attacks against the 4-way Wi-Fi handshake,” in Proc. 9th Int. Conf. Netw. Commun. Secur. Chennai, India: Academy & Industry Research Collaboration Center, 2017, pp. 1–10.
[53] W. Whyte, J. Petit, V. Kumar, J. Moring, and R. Roy, “Threat and countermeasures analysis for WAVE service advertisement,” in Proc. IEEE 18th Int. Conf. Intell. Transp. Syst., Sep. 2015, pp. 1061–1068.
[54] I. Ivanov, C. Maple, T. Watson, and S. Lee, “Cyber security standards and issues in V2X communications for internet of vehicles,” in Proc. Living Internet Things, Cybersecur. (IoT), London, U.K., 2018, pp. 1–6.
[55] M. Muhammad and G. A. Safdar, “Survey on existing authentication issues for cellular-assisted V2X communication,” Veh. Commun., vol. 12, pp. 50–65, Apr. 2018.
[56] (Dec. 2017). Guide to LTE Security. Accessed: Aug. 25, 2020. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-187.pdf
[57] (2016). Autoblog Report. [Online]. Available: https://www.autoblog.com/2016/02/25/nissanconnect-ev-leaf-app-hacking-followup/?guccounter=1
[58] (2017). Threatpost Report. [Online]. Available: https://threatpost.com/hyundai-patches-leaky-blue-link-mobile-app/125182/
[59] U. Bayer, A. Moser, C. Kruegel, and E. Kirda, “Dynamic analysis of malicious code,” J. Comput. Virol., vol. 2, no. 1, pp. 67–77, 2006.
[60] J. Aycock, Computer Viruses and Malware, vol. 22. France: Springer, 2006.
[61] M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant, “Semantics-aware malware detection,” in Proc. IEEE Symp. Secur. Privacy (SP), May 2005, pp. 32–46.
[62] P. Szor, The Art of Computer Virus Research and Defense. London, U.K.: Pearson, 2005.
[63] P. J. Denning, “Computer viruses,” Nasa, USA, Tech. Rep., 1988.
[64] G. Bonfante, M. Kaczmarek, and J.-Y. Marion, “On abstract computer virology from a recursion theoretic perspective,” J. Comput. Virol., vol. 1, nos. 3–4, pp. 45–54, Mar. 2006.
[65] M. Karresand, “Separating Trojan horses, viruses, and worms—A proposed taxonomy of software weapons,” in Proc. IEEE Syst., Man Cybern. Soc. Inf. Assurance Workshop, Jun. 2003, pp. 127–134.
[66] J. Markoff, “Worm infects millions of computers worldwide,” New York Times, vol. 23, Jan. 2009. [Online]. Available: https://www.nytimes.com/2009/01/23/technology/internet/23worm.html
[67] D. M. Kienzle and M. C. Elder, “Recent worms: A survey and trends,” in Proc. ACM Workshop Rapid Malcode, 2003, pp. 1–10.
[68] X. Wang, W. Yu, A. Champion, X. Fu, and D. Xuan, “Detecting worms via mining dynamic program execution,” in Proc. 3rd Int. Conf. Secur. Privacy Commun. Netw. Workshops (SecureComm), 2007, pp. 412–421.
[69] S. Kiltz, A. Lang, and J. Dittmann, “Malware: Specialized Trojan horse,” in Cyber Warfare and Cyber Terrorism. Hershey, PA, USA: IGI Global, 2007, pp. 154–160.
[70] J. Edwards, “System, method and computer program product for preventing spyware/malware from installing a registry,” U.S. Patent 11 010 993, Feb. 23, 2006.
[71] Y. Ye, T. Li, D. Adjeroh, and S. S. Iyengar, “A survey on malware detection using data mining techniques,” ACM Comput. Surv., vol. 50, no. 3, pp. 1–40, Oct. 2017.
[72] S. Embleton, S. Sparks, and C. C. Zou, “SMM rootkit: A new breed of OS independent malware,” Secur. Commun. Netw., vol. 6, no. 12, pp. 1590–1605, 2013.
[73] A. Zaki and B. Humphrey, “Unveiling the kernel: Rootkit discovery using selective automated kernel memory differencing,” in Proc. VIRUS Bull. Conf., 2014, pp. 239–256.
[74] A. Javed and M. Akhlaq, “Patterns in malware designed for data espionage and backdoor creation,” in Proc. 12th Int. Bhurban Conf. Appl. Sci. Technol. (IBCAST), Jan. 2015, pp. 338–342.


[75] M. Chowdhury, A. Rahman, and R. Islam, “Malware analysis and detection using data mining and machine learning classification,” in Proc. Int. Conf. Appl. Techn. Cyber Secur. Intell. Jakarta, Indonesia: Springer, 2017, pp. 266–274.
[76] B. Stone-Gross, M. Cova, B. Gilbert, R. Kemmerer, C. Kruegel, and G. Vigna, “Analysis of a botnet takeover,” IEEE Security Privacy, vol. 9, no. 1, pp. 64–72, Jan./Feb. 2011.
[77] G. A. N. Mohamed and N. B. Ithnin, “Survey on representation techniques for malware detection system,” Amer. J. Appl. Sci., vol. 14, no. 11, pp. 1049–1069, Nov. 2017.
[78] V. P. Laxmi and M. Gaur, “Survey on malware detection methods, 3rd hackers workshop on computer and internet security,” IEEE Commun. Surveys Tuts., vol. 17, no. 2, pp. 998–1022, Apr./Jun. 2015.
[79] C. Seifert, J. W. Stokes, C. Colcernian, J. C. Platt, and L. Lu, “Robust scareware image detection,” in Proc. IEEE Int. Conf. Acoust., Speech Signal Process., May 2013, pp. 2920–2924.
[80] R. Richardson and M. M. North, “Ransomware: Evolution, mitigation and prevention,” Int. Manage. Rev., vol. 13, no. 1, p. 10, 2017.
[81] M. Wolf, R. Lambert, T. Enderle, and A. Schmidt, “Wanna drive? Feasible attack paths and effective protection against ransomware in modern vehicles,” in Proc. Embedded Secur. Cars Conf. (ESCAR) Eur., 2017, pp. 1–14.
[82] The McAfee Security Report. Accessed: Mar. 27, 2018. [Online]. Available: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/todays-connected-cars-vulnerable-hacking-malware
[83] Boston 25 News Report. Accessed: May 1, 2018. [Online]. Available: https://www.boston25news.com/news/discovery-of-hidden-gps-tracker-leads-to-mass-supreme-court-case/742286360
[84] Y. Wiseman, “Vehicle identification by OCR, RFID and Bluetooth for toll roads,” Int. J. Control Autom., vol. 11, no. 9, pp. 67–76, Sep. 2018.
[85] The IBM Security Report. Accessed: Nov. 12, 2020. [Online]. Available: https://www.zdnet.com/article/info-of-27-7-million-texas-drivers-exposed-in-vertafore-data-breach
[86] Washington and California Universities Report. [Online]. Available: https://www.wired.com/2015/10/car-hacking-tool-turns-repair-shops-malware-brothels
[87] The University of Leuven Research Report. Accessed: Nov. 23, 2020. [Online]. Available: https://www.washingtonpost.com/technology/2020/11/23/tesla-modelx-hack
[88] A. Arora, S. K. Yadav, and K. Sharma, “Denial-of-service (DoS) attack and botnet: Network analysis, research tactics, and mitigation,” in Handbook of Research on Network Forensics and Analysis Techniques. Hershey, PA, USA: IGI Global, 2018, pp. 117–141.
[89] D. Ibdah, N. Lachtar, A. A. Elkhail, A. Bacha, and H. Malik, “Dark firmware: A systematic approach to exploring application security risks in the presence of untrusted firmware,” in Proc. 23rd Int. Symp. Res. Attacks, Intrusions Defenses (RAID), 2020, pp. 413–426.
[90] R. Rehman, G. Hazarika, and G. Chetia, “Malware threats and mitigation strategies: A survey,” J. Theor. Appl. Inf. Technol., vol. 29, no. 2, pp. 69–73, 2011.
[91] M. Egele, T. Scholte, E. Kirda, and C. Kruegel, “A survey on automated dynamic malware-analysis techniques and tools,” ACM Comput. Surv., vol. 44, no. 2, pp. 1–42, 2008.
[92] P. Sivakumar, R. S. S. Devi, A. N. Lakshmi, B. VinothKumar, and B. Vinod, “Automotive grade Linux software architecture for automotive infotainment system,” in Proc. Int. Conf. Inventive Comput. Technol. (ICICT), Feb. 2020, pp. 391–395.
[93] N. H. V. Reddy, K. Thaiyalnayaki, and S. Sivasakthiselvan, “A study on real time vehicle surveillance and tracking system for Android application,” in Proc. Int. Conf. Commun. Signal Process. (ICCSP), Jul. 2020, pp. 1599–1602.
[94] The Meet Linux Viruses Report. Accessed: Feb. 15, 2018. [Online]. Available: http://www.unixmen.com/meet-linux-viruses//
[95] Malware Affecting Linux Web Servers Major Trend. Accessed: Apr. 25, 2013. [Online]. Available: http://www.bnamericas.com/news/technology/malware-affecting-linux-web-servers-major-trend-in-2013-eset
[96] O. H. Alhazmi, Y. K. Malaiya, and I. Ray, “Measuring, analyzing and predicting security vulnerabilities in software systems,” Comput. Secur., vol. 26, no. 3, pp. 219–228, 2007.
[97] (2015). Technology News Report. [Online]. Available: https://www.reuters.com/article/us-gm-hacking/researcher-says-can-hack-gms-onstar-app-open-vehicle-start-engine
[98] K. C. Dey, A. Rayamajhi, M. Chowdhury, P. Bhavsar, and J. Martin, “Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication in a heterogeneous wireless network—Performance evaluation,” Transp. Res. C, Emerg. Technol., vol. 68, pp. 168–184, Jul. 2016.
[99] W. Ahmed and M. Elhadef, “Securing intelligent vehicular ad hoc networks: A survey,” in Advances in Computer Science and Ubiquitous Computing. Tamil Nadu, India: Springer, 2017, pp. 6–14.
[100] V. H. La and A. R. Cavalli, “Security attacks and solutions in vehicular ad hoc networks: A survey,” Int. J. AdHoc Netw. Syst., vol. 4, no. 2, pp. 1–20, 2014.
[101] P. Cope, J. Campbell, and T. Hayajneh, “An investigation of Bluetooth security vulnerabilities,” in Proc. IEEE 7th Annu. Comput. Commun. Workshop Conf. (CCWC), Jan. 2017, pp. 1–7.
[102] Kaspersky. (2019). Operation Shadowhammer. [Online]. Available: https://securelist.com/operation-shadowhammer
[103] Upstream Security. (2021). Upstream Security Global Automotive Cybersecurity Report. [Online]. Available: https://info.upstream.auto/hubfs/Security_Report/Security_Report_2021/Upstream_Security-Global_Automotive_Cybersecurity_Report_2021.pdf
[104] A. A. Elkhail and T. Cerny, “On relating code smells to security vulnerabilities,” in Proc. IEEE IEEE 5th Int. Conf. Big Data Secur. Cloud (BigDataSecurity) Int. Conf. High Perform. Smart Comput. (HPSC) IEEE Int. Conf. Intell. Data Secur. (IDS), May 2019, pp. 7–12.
[105] H. Perl, S. Dechand, M. Smith, D. Arp, F. Yamaguchi, K. Rieck, S. Fahl, and Y. Acar, “VCCFinder: Finding potential vulnerabilities in open-source projects to assist code audits,” in Proc. 22nd ACM SIGSAC Conf. Comput. Commun. Secur., Oct. 2015, pp. 426–437.
[106] Y. Shin, A. Meneely, L. Williams, and J. A. Osborne, “Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities,” IEEE Trans. Softw. Eng., vol. 37, no. 6, pp. 772–787, Dec. 2011.
[107] H. Lee, S. H. Jeong, and H. K. Kim, “OTIDS: A novel intrusion detection system for in-vehicle network by using remote frame,” in Proc. 15th Annu. Conf. Privacy, Secur. Trust (PST), Aug. 2017, pp. 5709–5757.
[108] V. Kumar, J. Srivastava, and A. Lazarevic, Managing Cyber Threats: Issues, Approaches, and Challenges, vol. 5. Germany: Springer, 2006.
[109] N. Idika and A. P. Mathur, “A survey of malware detection techniques,” Purdue Univ., vol. 48, no. 2, pp. 1–48, 2007.
[110] G. Serazzi and S. Zanero, “Computer virus propagation models,” in Proc. Int. Workshop Modeling, Anal., Simulation Comput. Telecommun. Syst. Orlando, FL, USA: Springer, 2003, pp. 26–50.
[111] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan, “A survey of intrusion detection techniques in cloud,” J. Netw. Comput. Appl., vol. 36, no. 1, pp. 42–57, 2013.
[112] Ö. Aslan and R. Samet, “A comprehensive review on malware detection approaches,” IEEE Access, vol. 8, pp. 6249–6271, 2020.
[113] R. U. D. Refat, A. A. Elkhail, A. Hafeez, and H. Malik, “Detecting can bus intrusion by applying machine learning method to graph based features,” in Proc. SAI Intell. Syst. Conf. London, U.K.: Springer, 2021, pp. 730–748.
[114] M. Siddiqui, “Data mining methods for malware detection,” Univ. Central Florida, Orlando, FL, USA, Tech. Rep., 2008.
[115] P. Vinod, R. Jaipur, V. Laxmi, and M. Gaur, “Survey on malware detection methods,” in Proc. 3rd Hackers Workshop Comput. Internet Secur. (IITKHACK), 2009, pp. 74–79.
[116] S. Roy, S. Nag, I. K. Maitra, and S. K. Bandyopadhyay, “International journal of advanced research in computer science and software engineering,” Int. J., vol. 3, no. 6, pp. 1706–1746, 2013.
[117] H.-J. Liao, C.-H. R. Lin, Y.-C. Lin, and K.-Y. Tung, “Intrusion detection system: A comprehensive review,” J. Netw. Comput. Appl., vol. 36, no. 1, pp. 16–24, 2013.
[118] M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang, “RiskRanker: Scalable and accurate zero-day Android malware detection,” in Proc. 10th Int. Conf. Mobile Syst., Appl., Services, 2012, pp. 281–294.
[119] P. Khodamoradi, M. Fazlali, F. Mardukhi, and M. Nosrati, “Heuristic metamorphic malware detection based on statistics of assembly instructions using classification algorithms,” in Proc. 18th CSI Int. Symp. Comput. Architecture Digit. Syst. (CADS), Oct. 2015, pp. 1–6.
[120] S. Shang, N. Zheng, J. Xu, M. Xu, and H. Zhang, “Detecting malware variants via function-call graph similarity,” in Proc. 5th Int. Conf. Malicious Unwanted Softw., Oct. 2010, pp. 113–120.
[121] M. K. Shankarapani, S. Ramamoorthy, R. S. Movva, and S. Mukkamala, “Malware detection using assembly and API call sequences,” J. Comput. Virol., vol. 7, no. 2, pp. 107–119, 2011.


[122] B. B. Rad, M. Masrom, and S. Ibrahim, “Opcodes histogram for classifying metamorphic portable executables malware,” in Proc. Int. Conf. E-Learn. E-Technol. Educ. (ICEEE), Sep. 2012, pp. 209–213.
[123] I. Santos, F. Brezo, X. Ugarte-Pedrero, and P. G. Bringas, “Opcode sequences as representation of executables for data-mining-based unknown malware detection,” Inf. Sci., vol. 231, pp. 64–82, May 2013.
[124] J. Demme, M. Maycock, J. Schmitz, A. Tang, A. Waksman, S. Sethumadhavan, and S. Stolfo, “On the feasibility of online malware detection with performance counters,” ACM SIGARCH Comput. Archit. News, vol. 41, no. 3, pp. 559–570, 2013.
[125] B. Wu, T. Lu, K. Zheng, D. Zhang, and X. Lin, “Smartphone malware detection model based on artificial immune system,” China Commun., vol. 11, no. 13, pp. 86–92, 2014.
[126] M. E. Boujnouni, M. Jedra, and N. Zahid, “New malware detection framework based on N-grams and support vector domain description,” in Proc. 11th Int. Conf. Inf. Assurance Secur. (IAS), Dec. 2015, pp. 123–128.
[127] Y. Duan, X. Fu, B. Luo, Z. Wang, J. Shi, and X. Du, “Detective: Automatically identify and analyze malware processes in forensic scenarios via DLLs,” in Proc. IEEE Int. Conf. Commun. (ICC), Jun. 2015, pp. 5691–5696.
[128] Z. Li, L. Sun, Q. Yan, W. Srisa-An, and Z. Chen, “DroidClassifier: Efficient adaptive mining of application-layer header for classifying Android malware,” in Proc. Int. Conf. Secur. Privacy Commun. Syst. Washington, DC, USA: Springer, 2016, pp. 597–616.
[129] J. B. Fraley and M. Figueroa, “Polymorphic malware detection using topological feature extraction with data mining,” in Proc. SoutheastCon, 2016, pp. 1–7.
[130] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: Significant permission identification for Android malware detection,” in Proc. 11th Int. Conf. Malicious Unwanted Softw. (MALWARE), Oct. 2016, pp. 1–8.
[131] Y. Fan, Y. Ye, and L. Chen, “Malicious sequential pattern mining for automatic malware detection,” Expert Syst. Appl., vol. 52, pp. 16–25, Jun. 2016.
[132] S. Alam, Z. Qu, R. Riley, Y. Chen, and V. Rastogi, “DroidNative: Automating and optimizing detection of Android native code malware variants,” Comput. Secur., vol. 65, pp. 230–246, Mar. 2017.
[133] A. Narayanan, M. Chandramohan, L. Chen, and Y. Liu, “A multi-view context-aware approach to Android malware detection and malicious code localization,” Empirical Softw. Eng., vol. 23, no. 3, pp. 1222–1274, Jun. 2018.
[134] A. Ojugo and A. Eboka, “Signature-based malware detection using approximate Boyer Moore string matching algorithm,” Int. J. Math. Sci. Comput., vol. 5, no. 3, pp. 49–62, Jul. 2019.
[135] T.-L. Wan, T. Ban, Y.-T. Lee, S.-M. Cheng, R. Isawa, T. Takahashi, and D. Inoue, “IoT-malware detection based on byte sequences of executable files,” in Proc. 15th Asia Joint Conf. Inf. Secur. (AsiaJCIS), Aug. 2020, pp. 143–150.
[136] I. Markit. (2017). Vehicles Getting Older: Average Age of Light Cars and Trucks in U.S. [Online]. Available: http://news.ihsmarkit.com/press-release/automotive/vehicles-getting-olderaverage-age-light-cars-and-trucks-us-rises-again-2017
[137] X. Hu, T.-C. Chiueh, and K. G. Shin, “Large-scale malware indexing using function-call graphs,” in Proc. 16th ACM Conf. Comput. Commun. Secur., 2009, pp. 611–620.
[138] S. Cook. (2021). Malware Statistics and Facts for 2021. [Online]. Available: https://www.comparitech.com/antivirus/malware-statistics-facts/
[139] G. Jacob, H. Debar, and E. Filiol, “Behavioral detection of malware: From a survey towards an established taxonomy,” J. Comput. Virol., vol. 4, no. 3, pp. 251–266, Aug. 2008.
[140] N. Lachtar, A. A. Elkhail, A. Bacha, and H. Malik, “A cross-stack approach towards defending against cryptojacking,” IEEE Comput. Archit. Lett., vol. 19, no. 2, pp. 126–129, Jul. 2020.
[141] N. Lachtar, A. A. Elkhail, A. Bacha, and H. Malik, “An application agnostic defense against the dark arts of cryptojacking,” in Proc. 51st Annu. IEEE/IFIP Int. Conf. Dependable Syst. Netw. (DSN), Jun. 2021, pp. 314–325.
[142] T. Zhang and L. Delgrossi, Vehicle Safety Communications: Protocols, Security, and Privacy, vol. 103. Hoboken, NJ, USA: Wiley, 2012.
[143] O. Aslan and R. Samet, “Investigation of possibilities to detect malware using existing tools,” in Proc. IEEE/ACS 14th Int. Conf. Comput. Syst. Appl. (AICCSA), Oct. 2017, pp. 1277–1284.
[144] Y. Fukushima, A. Sakai, Y. Hori, and K. Sakurai, “A behavior based malware detection scheme for avoiding false positive,” in Proc. 6th IEEE Workshop Secure Netw. Protocols, Oct. 2010, pp. 79–84.
[145] S.-T. Liu, H.-C. Huang, and Y.-M. Chen, “A system call analysis method with mapreduce for malware detection,” in Proc. IEEE 17th Int. Conf. Parallel Distrib. Syst., Dec. 2011, pp. 631–637.
[146] B. Anderson, D. Quist, J. Neil, C. Storlie, and T. Lane, “Graph-based malware detection using dynamic analysis,” J. Comput. Virol., vol. 7, no. 4, pp. 247–258, 2011.
[147] P. Faruki, V. Laxmi, M. S. Gaur, and P. Vinod, “Behavioural detection with API call-grams to identify malicious PE files,” in Proc. SecurIT, 2012, pp. 85–91.
[148] Y. Ding, X. Yuan, K. Tang, X. Xiao, and Y. Zhang, “A fast malware detection algorithm based on objective-oriented association mining,” Comput. Secur., vol. 39, pp. 315–324, Nov. 2013.
[149] M. Eskandari, Z. Khorshidpour, and S. Hashemi, “HDM-Analyser: A hybrid analysis approach based on data mining techniques for malware detection,” J. Comput. Virol. Hacking Techn., vol. 9, no. 2, pp. 77–93, May 2013.
[150] Y. Park, D. S. Reeves, and M. Stamp, “Deriving common malware behavior through graph clustering,” Comput. Secur., vol. 39, pp. 419–430, Nov. 2013.
[151] D. Uppal, R. Sinha, V. Mehra, and V. Jain, “Malware detection and classification based on extraction of API sequences,” in Proc. Int. Conf. Adv. Comput., Commun. Informat. (ICACCI), Sep. 2014, pp. 2337–2342.
[152] S. Sheen, R. Anitha, and V. Natarajan, “Android based malware detection using a multifeature collaborative decision fusion approach,” Neurocomputing, vol. 151, pp. 905–912, Mar. 2015.
[153] A. Boukhtouta, S. A. Mokhov, N.-E. Lakhdari, M. Debbabi, and J. Paquet, “Network malware classification comparison using DPI and flow packet headers,” J. Comput. Virol. Hacking Techn., vol. 12, no. 2, pp. 69–100, May 2016.
[154] S. Das, Y. Liu, W. Zhang, and M. Chandramohan, “Semantics-based online malware detection: Towards efficient real-time protection against malware,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 2, pp. 289–302, Feb. 2016.
[155] S. D. Nikolopoulos and I. Polenakis, “A graph-based model for malware detection and classification using system-call groups,” J. Comput. Virol. Hacking Techn., vol. 13, no. 1, pp. 29–46, Feb. 2017.
[156] S. Chaba, R. Kumar, R. Pant, and M. Dave, “Malware detection approach for Android systems using system call logs,” 2017, arXiv:1709.08805.
[157] F. Marhusin and C. J. Lokan, “A preemptive behaviour-based malware detection through analysis of API calls sequence inspired by human immune system,” Int. J. Eng. Technol., vol. 7, nos. 4–15, pp. 113–119, 2018.
[158] M. Rhode, L. Tuson, P. Burnap, and K. Jones, “LAB to SOC: Robust features for dynamic malware detection,” in Proc. 49th Annu. IEEE/IFIP Int. Conf. Dependable Syst. Netw., Ind. Track, Jun. 2019, pp. 13–16.
[159] M. Alazab, M. Alazab, A. Shalaginov, A. Mesleh, and A. Awajan, “Intelligent mobile malware detection using permission requests and API calls,” Future Gener. Comput. Syst., vol. 107, pp. 509–521, Jun. 2020.
[160] Z. Bazrafshan, H. Hashemi, S. M. H. Fard, and A. Hamzeh, “A survey on heuristic malware detection techniques,” in Proc. 5th Conf. Inf. Knowl. Technol., May 2013, pp. 113–120.
[161] F. Adkins, L. Jones, M. Carlisle, and J. Upchurch, “Heuristic malware detection via basic block comparison,” in Proc. 8th Int. Conf. Malicious Unwanted Softw. Amer. (MALWARE), Oct. 2013, pp. 11–18.
[162] K. Alzarooni, “Malware variant detection,” Ph.D. dissertation, Dept. Comput. Sci., Univ. College London, London, U.K., 2012.
[163] Y. Ye, T. Li, K. Huang, Q. Jiang, and Y. Chen, “Hierarchical associative classifier (HAC) for malware detection from the large and imbalanced gray list,” J. Intell. Inf. Syst., vol. 35, no. 1, pp. 1–20, Aug. 2010.
[164] I. Santos, F. Brezo, J. Nieves, Y. K. Penya, B. Sanz, C. Laorden, and P. G. Bringas, “Idea: Opcode-sequence-based malware detection,” in Proc. Int. Symp. Eng. Secure Softw. Syst. Springer, 2010, pp. 35–43.
[165] Z. Zhao, “A virus detection scheme based on features of control flow graph,” in Proc. 2nd Int. Conf. Artif. Intell., Manage. Sci. Electron. Commerce (AIMSEC), Aug. 2011, pp. 943–947.
[166] N. Runwal, R. M. Low, and M. Stamp, “Opcode graph similarity and metamorphic detection,” J. Comput. Virol., vol. 8, nos. 1–2, pp. 37–52, 2012.
[167] A. Shabtai, R. Moskovitch, C. Feher, S. Dolev, and Y. Elovici, “Detecting unknown malicious code by applying classification techniques on opcode patterns,” Secur. Informat., vol. 1, no. 1, pp. 1–22, Dec. 2012.
[168] R. Islam, R. Tian, L. M. Batten, and S. Versteeg, “Classification of malware based on integrated static and dynamic features,” J. Netw. Comput. Appl., vol. 36, no. 2, pp. 646–656, 2013.

162434 VOLUME 9, 2021


A. A. Elkhail et al.: Vehicle Security: Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

[169] M. Eskandari and H. Raesi, ‘‘Frequent sub-graph mining for intel- [192] O. Aslan, M. Ozkan-Okay, and D. Gupta, ‘‘Intelligent behavior-based
ligent malware detection,’’ Secur. Commun. Netw., vol. 7, no. 11, malware detection system on cloud computing environment,’’ IEEE
pp. 1872–1886, Nov. 2014. Access, vol. 9, pp. 83252–83271, 2021.
[170] M. Zakeri, F. F. Daneshgar, and M. Abbaspour, ‘‘A static heuristic [193] J. C. Kimmel, A. D. Mcdole, M. Abdelsalam, M. Gupta, and
approach to detecting malware targets,’’ Secur. Commun. Netw., vol. 8, R. Sandhu, ‘‘Recurrent neural networks based online behavioural mal-
no. 17, pp. 3015–3027, Nov. 2015. ware detection techniques for cloud infrastructure,’’ IEEE Access, vol. 9,
[171] B. Kang, S. Y. Yerima, S. Sezer, and K. McLaughlin, ‘‘N-gram opcode pp. 68066–68080, 2021.
analysis for Android malware detection,’’ 2016, arXiv:1612.01445. [194] P. Mishra, P. Aggarwal, A. Vidyarthi, P. Singh, B. Khan, H. H. Alhelou,
[172] A. Kapoor and S. Dhavale, ‘‘Control flow graph based multiclass malware and P. Siano, ‘‘VMShield: Memory introspection-based malware detec-
detection using bi-normal separation,’’ Defence Sci. J., vol. 66, no. 2, tion to secure cloud-based services against stealthy attacks,’’ IEEE Trans.
p. 138, Mar. 2016. Ind. Informat., vol. 17, no. 10, pp. 6754–6764, Oct. 2021.
[173] A. Narayanan, M. Chandramohan, L. Chen, and Y. Liu, ‘‘Context- [195] E. Gandotra, D. Bansal, and S. Sofat, ‘‘Malware analysis and classifica-
aware, adaptive, and scalable Android malware detection through online tion: A survey,’’ J. Inf. Secur., vol. 5, no. 2, pp. 56–64, 2014.
learning,’’ IEEE Trans. Emerg. Topics Comput. Intell., vol. 1, no. 3, [196] K. Grosse, N. Papernot, P. Manoharan, M. Backes, and P. McDaniel,
pp. 157–175, Jun. 2017. ‘‘Adversarial perturbations against deep neural networks for malware
[174] Y. Ding, X. Xia, S. Chen, and Y. Li, ‘‘A malware detection method classification,’’ 2016, arXiv:1606.04435.
based on family behavior graph,’’ Comput. Secur., vol. 73, pp. 73–86, [197] B. Kolosnjaji, A. Demontis, B. Biggio, D. Maiorca, G. Giacinto,
Mar. 2018. C. Eckert, and F. Roli, ‘‘Adversarial malware binaries: Evading deep
[175] S. Wang and P. S. Yu, ‘‘Heterogeneous graph matching networks: Appli- learning for malware detection in executables,’’ in Proc. 26th Eur. Signal
cation to unknown malware detection,’’ in Proc. IEEE Int. Conf. Big Data Process. Conf. (EUSIPCO), Sep. 2018, pp. 533–537.
(Big Data), Dec. 2019, pp. 5401–5408. [198] I. Firdausi, C. Lim, A. Erwin, and A. S. Nugroho, ‘‘Analysis of machine
[176] R. Surendran, T. Thomas, and S. Emmanuel, ‘‘GSDroid: Graph signal learning techniques used in behavior-based malware detection,’’ in Proc.
based compact feature representation for Android malware detection,’’ 2nd Int. Conf. Adv. Comput., Control, Telecommun. Technol., Dec. 2010,
Expert Syst. Appl., vol. 159, Nov. 2020, Art. no. 113581. pp. 201–203.
[177] O. T. Suryati and A. Budiono, ‘‘Impact analysis of malware based on call [199] L. Nataraj, S. Karthikeyan, G. Jacob, and B. S. Manjunath, ‘‘Malware
network API with heuristic detection method,’’ Int. J. Adv. Data Inf. Syst., images: Visualization and automatic classification,’’ in Proc. 8th Int.
vol. 1, no. 1, pp. 1–8, Apr. 2020. Symp. Vis. Cyber Secur., 2011, pp. 1–7.
[178] Y. Ye, T. Li, S. Zhu, W. Zhuang, E. Tas, U. Gupta, and M. Abdulhayoglu, [200] B. Anderson, C. Storlie, and T. Lane, ‘‘Improving malware classification:
‘‘Combining file content and file relations for cloud based malware Bridging the static/dynamic gap,’’ in Proc. 5th ACM workshop Secur.
detection,’’ in Proc. 17th ACM SIGKDD Int. Conf. Knowl. Discovery Artif. Intell., 2012, pp. 3–14.
Data Mining (KDD), 2011, pp. 222–230. [201] D. Kong and G. Yan, ‘‘Discriminant malware distance learning on struc-
[179] C. A. Martínez, G. I. Echeverri, and A. G. C. Sanz, ‘‘Malware detection tural information for automated malware classification,’’ in Proc. 19th
based on cloud computing integrating intrusion ontology representation,’’ ACM SIGKDD Int. Conf. Knowl. Discovery Data Mining, Aug. 2013,
in Proc. IEEE Latin-Amer. Conf. Commun., Sep. 2010, pp. 1–6. pp. 1357–1365.
[180] C. Jarabek, D. Barrera, and J. Aycock, ‘‘ThinAV: Truly lightweight mobile [202] G. E. Dahl, J. W. Stokes, L. Deng, and D. Yu, ‘‘Large-scale malware clas-
cloud-based anti-malware,’’ in Proc. 28th Annu. Comput. Secur. Appl. sification using random projections and neural networks,’’ in Proc. IEEE
Conf., 2012, pp. 209–218. Int. Conf. Acoust., Speech Signal Process., May 2013, pp. 3422–3426.
[181] S. Kim, S. W. Ko, and D. H. Lee, ‘‘Cloud-based malware analysis system [203] Z. Yuan, Y. Lu, Z. Wang, and Y. Xue, ‘‘Droid-Sec: Deep learning in
for mobile applications,’’ Information, vol. 16, no. 6, pp. 4357–4364, Android malware detection,’’ in Proc. ACM Conf. SIGCOMM, Aug. 2014,
2013. pp. 371–372.
[182] N. Penning, M. Hoffman, J. Nikolai, and Y. Wang, ‘‘Mobile malware [204] J. Saxe and K. Berlin, ‘‘Deep neural network based malware detection
security challeges and cloud-based detection,’’ in Proc. Int. Conf. Col- using two dimensional binary program features,’’ in Proc. 10th Int. Conf.
laboration Technol. Syst. (CTS), May 2014, pp. 181–188. Malicious Unwanted Softw. (MALWARE), Oct. 2015, pp. 11–20.
[183] H. Sun, X. Wang, J. Su, and P. Chen, ‘‘RScam: Cloud-based anti-malware [205] S. Huda, J. Abawajy, M. Alazab, M. Abdollalihian, R. Islam, and
via reversible sketch,’’ in Proc. Int. Conf. Secur. Privacy Commun. Syst. J. Yearwood, ‘‘Hybrids of support vector machine wrapper and filter
Dallas, TX, USA: Springer, 2015, pp. 157–174. based framework for malware detection,’’ Future Gener. Comput. Syst.,
[184] H. Zhang, Y. Cole, L. Ge, S. Wei, W. Yu, C. Lu, G. Chen, D. Shen, vol. 55, pp. 376–390, Feb. 2016.
E. Blasch, and K. D. Pham, ‘‘ScanMe mobile: A cloud-based Android [206] S. Huda, S. Miah, M. M. Hassan, R. Islam, J. Yearwood, M. Alrubaian,
malware analysis service,’’ ACM SIGAPP Appl. Comput. Rev., vol. 16, and A. Almogren, ‘‘Defending unknown attacks on cyber-physical sys-
no. 1, pp. 36–49, Apr. 2016. tems by semi-supervised approach and available unlabeled data,’’ Inf. Sci.,
[185] L. Xiao, Y. Li, X. Huang, and X. Du, ‘‘Cloud-based malware detection vol. 379, pp. 211–228, Feb. 2017.
game for mobile devices with offloading,’’ IEEE Trans. Mobile Comput., [207] D. Zhu, H. Jin, Y. Yang, D. Wu, and W. Chen, ‘‘DeepFlow: Deep learning-
vol. 16, no. 10, pp. 2742–2750, Oct. 2017. based malware detection by mining Android application for abnormal
[186] Y. Kucuk, N. Patil, Z. Shu, and G. Yan, ‘‘BigBing: Privacy-preserving usage of sensitive data,’’ in Proc. IEEE Symp. Comput. Commun. (ISCC),
cloud-based malware classification service,’’ in Proc. IEEE Symp. Jul. 2017, pp. 438–443.
Privacy-Aware Comput. (PAC), Sep. 2018, pp. 43–54. [208] M. A. Jerlin and K. Marimuthu, ‘‘A new malware detection system using
[187] R. M. Yadav, ‘‘Effective analysis of malware detection in cloud comput- machine learning techniques for API call sequences,’’ J. Appl. Secur. Res.,
ing,’’ Comput. Secur., vol. 83, pp. 14–21, Jun. 2019. vol. 13, no. 1, pp. 45–62, Jan. 2018.
[188] R. Patil, H. Dudeja, and C. Modi, ‘‘Designing in-VM-assisted lightweight [209] Z. Chen, Q. Yan, H. Han, S. Wang, L. Peng, L. Wang, and B. Yang,
agent-based malware detection framework for securing virtual machines ‘‘Machine learning based mobile malware detection using highly imbal-
in cloud computing,’’ Int. J. Inf. Secur., vol. 19, no. 2, pp. 147–162, anced network traffic,’’ Inf. Sci., vols. 433–434, pp. 346–364, Apr. 2018.
Apr. 2020. [210] J. Jung, H. Kim, D. Shin, M. Lee, H. Lee, S.-J. Cho, and K. Suh, ‘‘Android
[189] S. Li, Y. Li, W. Han, X. Du, M. Guizani, and Z. Tian, ‘‘Malicious malware detection based on useful API calls and machine learning,’’ in
mining code detection based on ensemble learning in cloud comput- Proc. IEEE 1st Int. Conf. Artif. Intell. Knowl. Eng. (AIKE), Sep. 2018,
ing environment,’’ Simul. Model. Pract. Theory, vol. 113, Dec. 2021, pp. 175–178.
Art. no. 102391. [211] H. Sayadi, H. M. Makrani, S. M. P. Dinakarrao, T. Mohsenin, A. Sasan,
[190] T. Panker and N. Nissim, ‘‘Leveraging malicious behavior traces from S. Rafatirad, and H. Homayoun, ‘‘2SMaRT: A two-stage machine
volatile memory using machine learning methods for trusted unknown learning-based approach for run-time specialized hardware-assisted mal-
malware detection in Linux cloud environments,’’ Knowl.-Based Syst., ware detection,’’ in Proc. Design, Autom. Test Eur. Conf. Exhib. (DATE),
vol. 226, Aug. 2021, Art. no. 107095. Mar. 2019, pp. 728–733.
[191] D. Tian, Q. Ying, X. Jia, R. Ma, C. Hu, and W. Liu, ‘‘MDCHD: A [212] N. Lachtar, D. Ibdah, and A. Bacha, ‘‘The case for native instructions in
novel malware detection method in cloud using hardware trace and deep the detection of mobile ransomware,’’ IEEE Lett. Comput. Soc., vol. 2,
learning,’’ Comput. Netw., vol. 198, Oct. 2021, Art. no. 108394. no. 2, pp. 16–19, Jun. 2019.

VOLUME 9, 2021 162435


A. A. Elkhail et al.: Vehicle Security: Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

[213] W.-C. Kuo, T.-P. Liu, and C.-C. Wang, ‘‘Study on Android hybrid mal- [236] S. U. Sagong, X. Ying, A. Clark, L. Bushnell, and R. Poovendran, ‘‘Cloak-
ware detection based on machine learning,’’ in Proc. IEEE 4th Int. Conf. ing the clock: Emulating clock skew in controller area networks,’’ in
Comput. Commun. Syst. (ICCCS), Feb. 2019, pp. 31–35. Proc. ACM/IEEE 9th Int. Conf. Cyber-Physical Syst. (ICCPS), Apr. 2018,
[214] Z. Ma, H. Ge, Y. Liu, M. Zhao, and J. Ma, ‘‘A combination method for pp. 32–42.
Android malware detection based on control flow graphs and machine [237] H. Oguma, A. Yoshioka, M. Nishikawa, R. Shigetomi, A. Otsuka, and
learning algorithms,’’ IEEE Access, vol. 7, pp. 21235–21245, 2019. H. Imai, ‘‘New attestation based security architecture for in-vehicle com-
[215] S. Yang, S. Li, W. Chen, and Y. Liu, ‘‘A real-time and adaptive-learning munication,’’ in Proc. IEEE Global Telecommun. Conf. (IEEE GLOBE-
malware detection method based on API-pair graph,’’ IEEE Access, vol. 8, COM), Nov./Dec. 2008, pp. 1–6.
pp. 208120–208135, 2020. [238] M. Hanselmann, T. Strauss, K. Dormann, and H. Ulmer, ‘‘CANet: An
[216] A. Pektaş and T. Acarman, ‘‘Learning to detect Android malware via unsupervised intrusion detection system for high dimensional CAN bus
opcode sequences,’’ Neurocomputing, vol. 396, pp. 599–608, Jul. 2020. data,’’ IEEE Access, vol. 8, pp. 58194–58205, 2020.
[217] H. Sayadi, Y. Gao, H. M. Makrani, T. Mohsenin, A. Sasan, S. Rafatirad, [239] R. Islam, R. U. D. Refat, S. M. Yerram, and H. Malik, ‘‘Graph-
J. Lin, and H. Homayoun, ‘‘StealthMiner: Specialized time series based intrusion detection system for controller area networks,’’
machine learning for run-time stealthy malware detection based on IEEE Trans. Intell. Transp. Syst., early access, Oct. 1, 2020, doi:
microarchitectural features,’’ in Proc. Great Lakes Symp. VLSI, Sep. 2020, 10.1109/TITS.2020.3025685.
pp. 175–180. [240] H. L. Bijmans, T. M. Booij, and C. Doerr, ‘‘Inadvertently making cyber
[218] N. Lachtar, D. Ibdah, and A. Bacha, ‘‘Toward mobile malware detection criminals rich: A comprehensive study of cryptojacking campaigns at
through convolutional neural networks,’’ IEEE Embedded Syst. Lett., internet scale,’’ in Proc. 28th USENIX Secur. Symp. (USENIX Security),
vol. 13, no. 3, pp. 134–137, Sep. 2021. 2019, pp. 1627–1644.
[219] X. Huang, L. Ma, W. Yang, and Y. Zhong, ‘‘A method for Windows [241] G. Hong, Z. Yang, S. Yang, L. Zhang, Y. Nan, Z. Zhang, M. Yang,
malware detection based on deep learning,’’ J. Signal Process. Syst., Y. Zhang, Z. Qian, and H. Duan, ‘‘How you get shot in the
vol. 93, nos. 2–3, pp. 265–273, Mar. 2021. back: A systematical study about cryptojacking in the real world,’’
[220] M. Almahmoud, D. Alzu’bi, and Q. Yaseen, ‘‘ReDroidDet: Android in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., Oct. 2018,
malware detection based on recurrent neural network,’’ Proc. Comput. pp. 1701–1713.
Sci., vol. 184, pp. 841–846, Jan. 2021. [242] D. Olenick. (2021). How Conti Ransomware Works. [Online]. Avail-
[221] H. Ghanei, F. Manavi, and A. Hamzeh, ‘‘A novel method for malware able: https://www.bankinfosecurity.com/how-conti-ransomware-works-
detection based on hardware events using deep neural networks,’’ J. Com- a-15763
put. Virol. Hacking Techn., vol. 17, pp. 319–331, May 2021. [243] M. Loman. (2019). How the Most Damaging Ransomware Evades
[222] H. M. Song, H. R. Kim, and H. K. Kim, ‘‘Intrusion detection system IT Security. [Online]. Available: https://news.sophos.com/en-
based on the analysis of time intervals of CAN messages for in-vehicle us/2019/11/14/how-the-most-damaging-ransomware-evades-it-security
network,’’ in Proc. Int. Conf. Inf. Netw. (ICOIN), Jan. 2016, pp. 63–68. [244] S. Hosseinzadeh, S. Rauti, S. Laurén, J.-M. Mäkelä, J. Holvitie,
[223] M. Müter, A. Groll, and F. C. Freiling, ‘‘A structured approach to anomaly S. Hyrynsalmi, and V. Leppänen, ‘‘Diversification and obfuscation tech-
detection for in-vehicle networks,’’ in Proc. 6th Int. Conf. Inf. Assurance niques for software security: A systematic literature review,’’ Inf. Softw.
Secur., Aug. 2010, pp. 92–98. Technol., vol. 104, pp. 72–93, Dec. 2018.
[224] M. Müter and N. Asaj, ‘‘Entropy-based anomaly detection for in- [245] C. Barría, D. Cordero, C. Cubillos, and M. Palma, ‘‘Proposed classifica-
vehicle networks,’’ in Proc. IEEE Intell. Vehicles Symp. (IV), Jun. 2011, tion of malware, based on obfuscation,’’ in Proc. 6th Int. Conf. Comput.
pp. 1110–1115. Commun. Control (ICCCC), May 2016, pp. 37–44.
[225] A. Van Herrewege, D. Singelee, and I. Verbauwhede, ‘‘CANAuth—A [246] F. Martinelli, F. Mercaldo, V. Nardone, A. Santone, A. K. Sangaiah, and
simple, backward compatible broadcast authentication protocol for can A. Cimitile, ‘‘Evaluating model checking for cyber threats code obfusca-
bus,’’ in Proc. ECRYPT Workshop Lightweight Cryptogr., 2011, pp. 1–7. tion identification,’’ J. Parallel Distrib. Comput., vol. 119, pp. 203–218,
[226] C.-W. Lin and A. Sangiovanni-Vincentelli, ‘‘Cyber-security for the con- Sep. 2018.
troller area network (CAN) communication protocol,’’ in Proc. Int. Conf. [247] H. Xu, Y. Zhou, J. Ming, and M. Lyu, ‘‘Layered obfuscation: A taxonomy
Cyber Secur., Dec. 2012, pp. 1–7. of software obfuscation techniques for layered security,’’ Cybersecurity,
[227] B. Groza and S. Murvay, ‘‘Efficient protocols for secure broadcast in vol. 3, no. 1, pp. 1–18, Dec. 2020.
controller area networks,’’ IEEE Trans. Ind. Informat., vol. 9, no. 4, [248] E. Stavrou and A. Pitsillides, ‘‘A survey on secure multipath routing
pp. 2034–2042, Nov. 2013. protocols in WSNs,’’ Comput. Netw., vol. 54, no. 13, pp. 2215–2238,
[228] K.-T. Cho and K. G. Shin, ‘‘Fingerprinting electronic control units 2010.
for vehicle intrusion detection,’’ in Proc. 25th USENIX Secur. Symp. [249] Q. G. K. Safi, S. Luo, C. Wei, L. Pan, and G. Yan, ‘‘Cloud-based
(USENIX Security), 2016, pp. 911–927. security and privacy-aware information dissemination over ubiqui-
[229] O. Avatefipour, A. Hafeez, M. Tayyab, and H. Malik, ‘‘Linking received tous VANETs,’’ Comput. Standards Interfaces, vol. 56, pp. 107–115,
packet to the transmitter through physical-fingerprinting of controller Feb. 2018.
area network,’’ in Proc. IEEE Workshop Inf. Forensics Secur. (WIFS), [250] F. A. Silva, A. Boukerche, T. R. M. B. Silva, L. B. Ruiz, and
Dec. 2017, pp. 1–6. A. A. F. Loureiro, ‘‘Geo-localized content availability in VANETs,’’ Ad
[230] F. Martinelli, F. Mercaldo, V. Nardone, and A. Santone, ‘‘Car hacking Hoc Netw., vol. 36, pp. 425–434, Jan. 2016.
identification through fuzzy logic algorithms,’’ in Proc. IEEE Int. Conf. [251] F. Wang, Y. Xu, H. Zhang, Y. Zhang, and L. Zhu, ‘‘2FLIP:
Fuzzy Syst. (FUZZ-IEEE), Jul. 2017, pp. 1–7. A two-factor lightweight privacy-preserving authentication scheme for
[231] A. Theissler, ‘‘Detecting known and unknown faults in automotive sys- VANET,’’ IEEE Trans. Veh. Technol., vol. 65, no. 2, pp. 896–911,
tems using ensemble-based anomaly detection,’’ Knowl.-Based Syst., Feb. 2016.
vol. 123, pp. 163–173, May 2017. [252] S. Jana, S. N. Premnath, M. Clark, S. K. Kasera, N. Patwari, and
[232] O. Minawi, J. Whelan, A. Almehmadi, and K. El-Khatib, ‘‘Machine S. V. Krishnamurthy, ‘‘On the effectiveness of secret key extraction from
learning-based intrusion detection system for controller area networks,’’ wireless signal strength in real environments,’’ in Proc. 15th Annu. Int.
in Proc. 10th ACM Symp. Design Anal. Intell. Veh. Netw. Appl., Nov. 2020, Conf. Mobile Comput. Netw., 2009, pp. 321–332.
pp. 41–47. [253] B. Alpern and F. B. Schneider, ‘‘Key exchange using ‘keyless cryptogra-
[233] V. S. Barletta, D. Caivano, A. Nannavecchia, and M. Scalera, ‘‘Intru- phy,’’’ Inf. Process. Lett., vol. 16, no. 2, pp. 79–81, Feb. 1983.
sion detection for in-vehicle communication networks: An unsuper- [254] N. A. Abdulsalam, R. A. Hajri, Z. A. Abri, Z. A. Lawati, and
vised Kohonen SOM approach,’’ Future Internet, vol. 12, no. 7, p. 119, M. M. Bait-Suwailam, ‘‘Design and implementation of a vehicle to vehi-
Jul. 2020. cle communication system using Li-Fi technology,’’ in Proc. Int. Conf.
[234] M. D. Hossain, H. Inoue, H. Ochiai, D. Fall, and Y. Kadobayashi, Inf. Commun. Technol. Res. (ICTRC), May 2015, pp. 136–139.
‘‘LSTM-based intrusion detection system for in-vehicle can bus commu- [255] M. D. Pesé, K. Schmidt, and H. Zweck, ‘‘Hardware/software co-design
nications,’’ IEEE Access, vol. 8, pp. 185489–185502, 2020. of an automotive embedded firewall,’’ SAE Tech. Paper 2017-01-1659,
[235] W. Choi, K. Joo, H. J. Jo, M. C. Park, and D. H. Lee, ‘‘VoltageIDS: 2017.
Low-level communication characteristics for automotive intrusion detec- [256] G. Loukas, T. Vuong, R. Heartfield, G. Sakellari, Y. Yoon, and D. Gan,
tion system,’’ IEEE Trans. Inf. Forensics Security, vol. 13, no. 8, ‘‘Cloud-based cyber-physical intrusion detection for vehicles using deep
pp. 2114–2129, Aug. 2018. learning,’’ IEEE Access, vol. 6, pp. 3491–3508, 2017.

162436 VOLUME 9, 2021


A. A. Elkhail et al.: Vehicle Security: Survey of Security Issues and Vulnerabilities, Malware Attacks and Defenses

ABDULRAHMAN ABU ELKHAIL (Member, IEEE) received the B.S. degree in computer engineering from Yarmouk University, Irbid, Jordan, and the M.S. degree in computer engineering from the King Fahd University of Petroleum & Minerals, Dhahran, Saudi Arabia. He is currently pursuing the Ph.D. degree with the Department of Electrical and Computer Engineering, University of Michigan–Dearborn, USA. Before commencing his Ph.D., he worked in the industry for five years. He has several publications in referred reputable journals and conference proceedings and two U.S. patents. His areas of interests include automotive cybersecurity, network security and privacy, system and security, mobile and wireless communications, WSN and ad hoc networks, the IoT, and performance evaluation.

RAFI UD DAULA REFAT (Graduate Student Member, IEEE) received the B.Sc. degree in computer science and engineering from the Rajshahi University of Engineering & Technology. He is currently pursuing the Ph.D. degree with the Department of Electrical, Electronics and Computer Engineering, University of Michigan–Dearborn, Dearborn, MI, USA. Prior to starting his Ph.D., he worked in the software industry for nearly four years. His research interests focus on automotive network security, machine learning, data science, and speaker verification. He has publications in IEEE and Springer journals so far on automotive network security. He was awarded the RUET Academic Excellence Award, in 2013.

RICARDO HABRE is currently a Graduate Student in electrical engineering from the University of Michigan–Dearborn. His areas of interests include vehicle cybersecurity, DSP, AI/machine learning, and embedded systems.

AZEEM HAFEEZ is currently working as a Faculty with the Department of Electrical and Computer Engineering (ECE), University of Michigan–Dearborn, where he is also working with the Information Systems, Security, and Forensics (ISSF) Laboratory. Besides research and teaching, he is also an Advisor of senior design projects and Intelligent Systems Club at the University of Michigan–Dearborn. His areas of interests include vehicle cybersecurity, DSP, AI/machine learning/pattern recognition, data science, and embedded systems.

ANYS BACHA (Member, IEEE) is currently an Assistant Professor with the University of Michigan–Dearborn, where he leads the Security and Systems Lab, which focuses on advancing the state-of-the-art in mobile and computer systems to address important challenges in security, applied machine learning, and energy efficiency. His research contributions have been published in top tier venues, where his work received various prestigious awards. Furthermore, his industry impact is demonstrated through several U.S. and World patents. Prior to joining academia, he spent over 13 years in the industry, where he worked in different research and development roles on a variety of subsystems spanning the hardware, firmware, and operating systems layers. He led multiple interdisciplinary efforts that include driving architectural changes into next generation Intel processors that are necessary to meet the demands of emerging workloads. During his tenure at Hewlett-Packard, he led a group of engineers on a multi-million dollar scalable computing project that broke world records in performance, in 2015 and 2014.

HAFIZ MALIK (Senior Member, IEEE) is currently an Associate Professor with the Department of Electrical and Computer Engineering (ECE), University of Michigan–Dearborn. He has published more than 100 papers in leading journals, conferences, and workshops. His research interests include automotive cybersecurity, the IoT security, sensor security, multimedia forensics, steganography/steganalysis, information hiding, pattern recognition, and information fusion is funded by the National Science Foundation, National Academies, Ford Motor Company, and other agencies. Since 2015, he has been a member of the MCity Working Group on Cybersecurity. He is a Founding Member of the Cybersecurity Center for Research, Education, and Outreach at UM-Dearborn. He is a Member Leadership Circle of the Dearborn Artificial Intelligence Research Center, UM-Dearborn. He is also a member of the Scientific and Industrial Advisory Board (SIAB), National Center for Cyber Security, Pakistan.
