Search Results

In order to enhance customer experience [5] and to reduce time to market, the manufacturers are constantly in need of being able to update software/firmware of the Electronic Control units (ECU) when the vehicle is in field operations. The updates could be a bug fix or a new feature release. Until the recent years, the updation of software/firmware used to be done using a physical hardwired connection to the Vehicle in a workshop. However, with the element of connectivity being added to the vehicle, the updation of software can be done remotely and wirelessly over the air using a feature called Flash over the air (FOTA) [2] and Software over the air (SOTA) [2]. In order to safeguard the telematics [3] ECU from tampering or hacking, the manufacturers are doing away with the ports on the underlying hardware through which manual flashing used to be done. This means that, the only option available to flash or update the ECU is using FOTA/SOTA.

Abstract Secure boot is a fundamental security primitive for establishing trust in computer systems. For real-time safety applications, the time taken to perform the boot measurement conflicts with the need for near instant availability. To speed up the boot measurement while establishing an acceptable degree of trust, we propose a dual-phase secure boot algorithm that balances the strong requirement for data tamper detection with the strong requirement for real-time availability. A probabilistic boot measurement is executed in the first phase to allow the system to be quickly booted. This is followed by a full boot measurement to verify the first-phase results and generate the new sampled space for the next boot cycle. The dual-phase approach allows the system to be operational within a fraction of the time needed for a full boot measurement while producing a high detection probability of data tampering.

Abstract Secure boot, although known for more than 20 years, frequent attacks from hackers that show numerous ways to bypass the security mechanism, including electronic control units (ECUs) of the automotive industry. This paper investigates the major causes of security weaknesses of secure boot implementations. Based on penetration test experiences, we start from an attacker’s perspective to identify and outline common implementation weaknesses. Then, from a Tier-One perspective, we analyze challenges in the research and development process of ECUs between original equipment manufacturers (OEMs) and suppliers that amplify the probability of such weakness. The paper provides recommendations to increase the understanding of implementing secure boot securely on both sides and derives a set of reference requirements as a starting point for secure boot ECU requirements.

We propose a security-testing framework to analyze attack feasibilities for automotive control software by integrating model-based development with model checking techniques. Many studies have pointed out the vulnerabilities in the Controller Area Network (CAN) protocol, which is widely used in in-vehicle network systems. However, many security attacks on automobiles did not explicitly consider the transmission timing of CAN packets to realize vulnerabilities. Additionally, in terms of security testing for automobiles, most existing studies have only focused on the generation of the testing packets to realize vulnerabilities, but they did not consider the timing of invoking a security testing. Therefore, we focus on the transmit timing of CAN packets to realize vulnerabilities. In our experiments, we have demonstrated the classification of feasible attacks at the early development phase by integrating the model checking techniques into a virtualized environment.

Abstract The automotive industry intends to create new services that involve sharing vehicle control information via a wide area network. In modern vehicles, an in-vehicle network shares information between more than 70 electronic control units (ECUs) inside a vehicle while it is driven. However, such a complicated system configuration can result in security vulnerabilities. The possibility of cyber-attacks on vehicles via external services has been demonstrated in many research projects. As advances in vehicle systems (e.g., autonomous drive) progress, the number of vulnerabilities to be exploited by cyber-attacks will also increase. Therefore, future vehicles need security measures to detect unknown cyber-attacks. We propose anomaly-based intrusion detection to detect unknown cyber-attacks for the Control Area Network (CAN) protocol, which is popular as a communication protocol for in-vehicle networks.

Recent developments in the commercialization of mobility services have brought unprecedented connectivity to the automotive sector. While the adoption of connected features provides significant benefits to vehicle owners, adversaries may leverage zero-day attacks to target the expanded attack surface and make unauthorized access to sensitive data. Protecting new generations of automotive controllers against malicious intrusions requires solutions that do not depend on conventional countermeasures, which often fall short when pitted against sophisticated exploitation attempts. In this paper, we describe some of the latent risks in current automotive systems along with a well-engineered multi-layer defense strategy. Further, we introduce a novel and comprehensive attack and performance test framework which considers state-of-the-art memory corruption attacks, countermeasures and evaluation methods.

Abstract Connecting vehicles to various network services increases the risk of in-vehicle cyberattacks. For automotive industries, the supply chain for assembling a vehicle consists of many different organizations such as component suppliers, system suppliers, and car manufacturers (CMs). Moreover, once a vehicle has shipped from the factory of the CM, resellers, dealers, and owners of the vehicle may add and replace the optional authorized and third-party equipment. Such equipment may have serious security vulnerabilities that may be targeted by a malicious attacker. The key management system of a vehicle must be applicable to all use cases. We propose a novel key management system adaptable to the electronic control unit (ECU) lifecycle of a vehicle. The scope of our system is not only the vehicle product line but also the third-party vendors of automotive accessories and vehicle maintenance facilities, including resellers, dealers, and vehicle users.

Cyber security is becoming increasingly critical in the car industry. Not only the entry points to the external world in the car need to be protected against potential attack, but also the on-board communication in the car require to be protected against attackers who may try to send unauthorized CAN messages. However, the current CAN network was not designed with security in mind. As a result, the extra measures have to be taken to address the key security properties of the secure CAN communication, including data integrity, authenticity, confidentiality and freshness. While integrity and authenticity can be achieved by using a relatively straightforward algorithms such as CMAC (Cipher-based Message Authentication Code) and Confidentiality can be handled by a symmetric encryption algorithm like AES128 (128-bit Advanced Encryption Standard), it has been recognized to be more challenging to achieve the freshness of CAN message.

Abstract The secure boot has successfully protected systems from executing untrusted software (SW), but low-power controllers lack sufficient time to check every memory cell while satisfying real-time functional safety requirements. Automotive controllers need to maintain security through multiple cycles of remote, unsupervised operation and safely reach a secure state when an anomaly is detected. To accelerate the boot time, we propose Sliced Secure Boot: build fingerprints by slicing orthogonally through memory blocks, protect each cell with a reusable fingerprint using a reproducible pattern with sufficient entropy, and randomly check one fingerprint pattern during boot. We do not claim that sampling offers equivalent protection to exhaustive checks but demonstrate that careful sampling can provide a sufficient level of detection while maintaining compatibility with both startup time and functional safety requirements.

CAN bus network proved to be efficient and dynamic for small compact cars as well as heavy-duty vehicles (HDV). However, HDVs are more susceptible to malicious attacks due to lack of security in their intra-vehicle communication protocols. SAE proposed a new standard named J1939-91C for CAN-FD networks which provides methods for establishing trust and securing mutual messages with optional encryption. J1939-91C ensures message authenticity, integrity, and confidentiality by implementing complex cryptographic operations including hash functions and random key generation. In this paper, the three main phases of J1939-91C, i.e., Network Formation, Rekeying, and Message Exchange, are simulated and tested on Electronic Control Units (ECUs) supporting CAN-FD network. Numerous test vectors were generated and validated to support SAE J1939-91C. The mentioned vectors were produced by simulating different encryption and hashing algorithms with variable message and key lengths.

Abstract Modern vehicles integrate Internet of Things (IoT) components to bring value-added services to both drivers and passengers. These components communicate with the external world through different types of interfaces including the on-board diagnostics (OBD-II) port, a mandatory interface in all vehicles in the United States and Europe. While this transformation has driven significant advancements in efficiency and safety, it has also opened a door to a wide variety of cyberattacks, as the architectures of vehicles were never designed with external connectivity in mind, and accordingly, security has never been pivotal in the design. As standardized, the OBD-II port allows not only direct access to the internal network of the vehicle but also installing software on the Electronic Control Units (ECUs).

Abstract In the automotive domain, the overall complexity of technical components has increased enormously. Formerly isolated, purely mechanical cars are now a multitude of cyber-physical systems that are continuously interacting with other IT systems, for example, with the smartphone of their driver or the backend servers of the car manufacturer. This has huge security implications as demonstrated by several recent research papers that document attacks endangering the safety of the car. However, there is, to the best of our knowledge, no holistic overview or structured description of the complex automotive domain. Without such a big picture, distinct security research remains isolated and is lacking interconnections between the different subsystems. Hence, it is difficult to draw conclusions about the overall security of a car or to identify aspects that have not been sufficiently covered by security analyses.

With the development of vehicle intelligence and the Internet of Vehicles, how to protect the safety of the vehicle network system has become a focus issue that needs to be solved urgently. The Controller Area Network (CAN) bus is currently a very widely used vehicle-mounted bus, and its security largely determines the degree of vehicle-mounted information security. The CAN bus lacks adequate protection mechanisms and is vulnerable to external attacks such as replay attacks, modifying attacks, and so on. On the basis of the existing work, this paper proposes an authentication method that combines Hash-based Message Authentication Code (HMAC)-SHA256 and Tiny Encryption Algorithm (TEA) algorithms. This method is based on dynamic identity authentication in challenge/response made and combined with the characteristics of the CAN bus itself as it achieves the identity authentication between the gateway and multiple electronic control units (ECUs).

Vehicles have more connectivity options now-a-days and these increasing connection options are giving more chances for an intruder to exploit the system. So, the vehicle manufacturers need to make the ECU in the vehicle more secure. To make the system secure, the embedded system must secure all the assets in the system. Examples of assets are Software, Kernel or Operating system, cryptographic Keys, Passwords, user data, etc. In this, securing the Kernel is extremely important as an intruder can even exploit the operating system characteristics just by changing the kernel code without introducing a trojan in the system. Also, the Kernel is the one entity that manages all permissions, so, if the kernel is hacked, these permissions also get compromised. The proposed approach is to make the kernel secure by doing the integrity check periodically of the kernel code loaded into the main memory of the system.

The new generation vehicles these days are managed by networked controllers. A large portion of the networks is planned with more security which has recently roused researchers to exhibit various attacks against the system. This paper talks about the liabilities of the Controller Area Network (CAN) inside In-vehicle communication protocol and a few potentials that could take due advantage of it. Moreover, this paper presents a few security measures proposed in the present examination status to defeat the attacks. In any case, the fundamental objective of this paper is to feature a comprehensive methodology known as Intrusion Detection System (IDS), which has been a significant device in getting network data in systems over many years. To the best of our insight, there is no recorded writing on a through outline of IDS execution explicitly in the CAN transport network system.

In agriculture industry, increasing use of Vehicle Internet of Things (IoT), telematics and emerging technologies are resulting in smarter machines with connected solutions. Inter and Intra Communication with vehicle to vehicle and inside vehicle - Electronic Control Unit (ECU) to ECU or ECU (Electronic Control Unit) to sensor, requirement for flow of data increased in-turn resulting in increased need for secure communication. In this paper, we focus on functional verification and validation of secure Controller Area Network (CAN) for intra vehicular communication to establish confidentiality, integrity, authenticity, and freshness of data, supporting safety, advanced automation, protection of sensitive data and IP (Intellectual Property) protection. Network security algorithms and software security processes are the layers supporting to achieve our cause.

Abstract Identity-Anonymized CAN (IA-CAN) protocol is a secure CAN protocol, which provides the sender authentication by inserting a secret sequence of anonymous IDs (A-IDs) shared among the communication nodes. To prevent malicious attacks from the IA-CAN protocol, a secure and robust system error recovery mechanism is required. This article presents a central management method of IA-CAN, named the IA-CAN with a global A-ID, where a gateway plays a central role in the session initiation and system error recovery. Each ECU self-diagnoses the system errors, and (if an error happens) it automatically resynchronizes its A-ID generation by acquiring the recovery information from the gateway. We prototype both a hardware version of an IA-CAN controller and a system for the IA-CAN with a global A-ID using the controller to verify our concept.

Abstract In this work, we present an approach to support penetration tests by combining safety and security analyses to enhance automotive security testing. Our approach includes a new way to combine safety and threat analyses to derive possible test cases. We reuse outcomes of a performed safety analysis as the input for a threat analysis. We show systematically how to derive test cases, and we present the applicability of our approach by deriving and performing test cases for a penetration test of an automotive electronic control unit (ECU). Therefore, we selected an airbag control unit due to its safety-critical functionality. During the penetration test, the selected control unit was installed on a test bench, and we were able to successfully exploit a discovered vulnerability, causing the detonation of airbags.

Abstract Vehicle-to-Vehicle (V2V) communication is a vehicular communication technology to reduce traffic accidents and congestion. To protect V2V communication, multiple security standards have been developed. This article provides an overview of the China V2V security draft standard and compares it to the American IEEE1609.2 V2V standard and to the Security Credential Management System (SCMS). The article provides an overview of the Chinese cryptographic algorithms used in the China V2V standard, and points out differences in the certificate format, such as the lack of implicit certificates in the China V2V standard. The China V2V PKI architecture is similar to the American SCMS, however, the Chinese system utilizes a set of Root Certificate Authorities (CA) that are trusted via an out-of-band channel whereas the American SCMS supports elector-based addition and revocation of Root CAs.

Abstract The importance of in-vehicle network security has increased with an increase in automated and connected vehicles. Hence, many attacks and countermeasures have been proposed to secure the controller area network (CAN), which is an existent in-vehicle network protocol. At the same time, new protocols-such as FlexRay and Ethernet-which are faster and more reliable than CAN have also been proposed. European OEMs have adopted FlexRay as a control network that can perform the fundamental functions of a vehicle. However, there are few studies regarding FlexRay security. In particular, studies on attacks against FlexRay are limited to theoretical studies or simulation-based experiments. Hence, the vulnerability of FlexRay is unclear. Understanding this vulnerability is necessary for the application of countermeasures and improving the security of future vehicles. In this article, we highlight the vulnerability of FlexRay found in the experiments conducted on a real FlexRay network.