Search Results

Abstract Trust in the digital data from heavy vehicle event data recorders (HVEDRs) is paramount to using the data in legal contests. Ensuring the trust in the HVEDR data requires an examination of the ways the digital information can be attacked, both purposefully and inadvertently. The goal or objective of an attack on HVEDR data will be to have the data omitted in a case. To this end, we developed an attack tree and establish a model for violating the trust needed for HVEDR data. The attack tree provides context for mitigations and also for functional requirements. A trust model is introduced as well as a discussion on what constitutes forensically sound data. The main contribution of this article is an attack tree-based model of both malicious and accidental events contributing to compromised event data recorder (EDR) data. A comprehensive list of mitigations for HVEDR systems results from this analysis.

Abstract Automotive cybersecurity engineers now have the challenge of delivering Risk Assessments of their products using a method that is described in the new standard for automotive cybersecurity: International Organization for Standardization/Society of Automotive Engineers (ISO/SAE) 21434. ...Abstract Automotive cybersecurity engineers now have the challenge of delivering Risk Assessments of their products using a method that is described in the new standard for automotive cybersecurity: International Organization for Standardization/Society of Automotive Engineers (ISO/SAE) 21434.

Abstract There are already a number of cybersecurity activities introduced in the development process in the automotive industry. For example, security testing of automotive components is often performed at the late stages of development.

Abstract Secure boot, although known for more than 20 years, frequent attacks from hackers that show numerous ways to bypass the security mechanism, including electronic control units (ECUs) of the automotive industry. This paper investigates the major causes of security weaknesses of secure boot implementations. Based on penetration test experiences, we start from an attacker’s perspective to identify and outline common implementation weaknesses. Then, from a Tier-One perspective, we analyze challenges in the research and development process of ECUs between original equipment manufacturers (OEMs) and suppliers that amplify the probability of such weakness. The paper provides recommendations to increase the understanding of implementing secure boot securely on both sides and derives a set of reference requirements as a starting point for secure boot ECU requirements.

Abstract Heavy vehicles are essential for the modern economy, delivering critical food, supplies, and freight throughout the world. Connected heavy vehicles are also driven by embedded computers that utilize internal communication using common standards. However, some implementations of the standards leave an opening for a malicious actor to abuse the system. One such abuse case is a cyber-attack known as the “Address Claim Attack.” Proposed in 2018, this attack uses a single network message to disable all communication to and from a target electronic control unit, which may have a detrimental effect on operating the vehicle. This article demonstrates the viability of the attack and then describes the implementation of a solution to prevent this attack in real time without requiring any intervention from the manufacturer of the target devices. The defense technique uses a bit-banged Controller Area Network (CAN) filter to detect the attack.

Abstract Designers of automotive systems find themselves pulled in an impossible number of directions. Systems must use the most advanced security features, but at the same time run on low-cost and resource-constrained hardware. Ultimately, an engineering trade-off will eventually be made regarding how encryption and key management is used on these systems, potentially leaving them vulnerable to attack. In this paper, we detail the applicability of side-channel power analysis and fault injection on automotive electronic systems, showing how these dangerous techniques can be used to break an otherwise secure system. We build a small example network using AES-CCM to implement an encrypted, authenticated CAN protocol. We demonstrate how open-source hardware and software can easily recover the encryption keys from some of these nodes with side-channel power analysis, and we recover a full firmware image from one device with a fault-injection attack using the same tools.

Abstract The secure boot has successfully protected systems from executing untrusted software (SW), but low-power controllers lack sufficient time to check every memory cell while satisfying real-time functional safety requirements. Automotive controllers need to maintain security through multiple cycles of remote, unsupervised operation and safely reach a secure state when an anomaly is detected. To accelerate the boot time, we propose Sliced Secure Boot: build fingerprints by slicing orthogonally through memory blocks, protect each cell with a reusable fingerprint using a reproducible pattern with sufficient entropy, and randomly check one fingerprint pattern during boot. We do not claim that sampling offers equivalent protection to exhaustive checks but demonstrate that careful sampling can provide a sufficient level of detection while maintaining compatibility with both startup time and functional safety requirements.

Abstract This work introduces the concept of a dual-layer specification structure for standards that separate interoperability functions, such as backward compatibility, localization, and deployment, from those essential to reliability, security, and functionality. The latter group of features, which constitute the actual standard, make up the baseline layer for instructions, while all the elements required for interoperability are specified in a second layer, known as a Protocols, Operations, Usage, and Formats (POUF) document. We applied this technique in the development of a standard for Uptane [1], a security framework for over-the-air (OTA) software updates used in many automobiles. This standard is a good candidate for a dual-layer specification because it requires communication between entities, but does not require a specific format for this communication.

Abstract Modern vehicles integrate Internet of Things (IoT) components to bring value-added services to both drivers and passengers. These components communicate with the external world through different types of interfaces including the on-board diagnostics (OBD-II) port, a mandatory interface in all vehicles in the United States and Europe. While this transformation has driven significant advancements in efficiency and safety, it has also opened a door to a wide variety of cyberattacks, as the architectures of vehicles were never designed with external connectivity in mind, and accordingly, security has never been pivotal in the design. As standardized, the OBD-II port allows not only direct access to the internal network of the vehicle but also installing software on the Electronic Control Units (ECUs).

Abstract In the automotive domain, the evolution of electrical and electronic (E/E) architecture trend is toward consolidating multiple heterogeneous applications executing on individual devices onto a centralized powerful computing platform. Many forums debate the nature of this centralized computing platform. At least for another decade, automotive powertrain functions will continue their development on a multicore controller platform (MCU) instead of many core processors. Data security and the need to meet Automotive Safety Integrity Level D (ASIL-D)-compliant powertrain functions are some of the reasons for this preference. For the centralized computing platform, virtualizing the underlying MCU will facilitate the simultaneous execution of heterogeneous powertrain applications with guaranteed spatial and temporal isolation. A common problem in virtualizing the MCU is the sharing of peripherals, which are comparatively scarce.

Abstract Identity-Anonymized CAN (IA-CAN) protocol is a secure CAN protocol, which provides the sender authentication by inserting a secret sequence of anonymous IDs (A-IDs) shared among the communication nodes. To prevent malicious attacks from the IA-CAN protocol, a secure and robust system error recovery mechanism is required. This article presents a central management method of IA-CAN, named the IA-CAN with a global A-ID, where a gateway plays a central role in the session initiation and system error recovery. Each ECU self-diagnoses the system errors, and (if an error happens) it automatically resynchronizes its A-ID generation by acquiring the recovery information from the gateway. We prototype both a hardware version of an IA-CAN controller and a system for the IA-CAN with a global A-ID using the controller to verify our concept.

Abstract Automotive software is increasingly complex and critical to safe vehicle operation, and related embedded systems must remain up to date to ensure long-term system performance. Update mechanisms and data modification tools introduce opportunities for malicious actors to compromise these cyber-physical systems, and for trusted actors to mistakenly install incompatible software versions. A distributed and stratified “black box” audit trail for automotive software and data provenance is proposed to assure users, service providers, and original equipment manufacturers (OEMs) of vehicular software integrity and reliability. The proposed black box architecture is both layered and diffuse, employing distributed hash tables (DHT), a parity system and a public blockchain to provide high resilience, assurance, scalability, and efficiency for automotive and other high-assurance systems.

Abstract Over the past forty years, the Electronic Control Unit (ECU) technology has grown in both sophistication and volume in the automotive sector, and modern vehicles may comprise hundreds of ECUs. ECUs typically communicate via a bus-based network architecture to collectively support a broad range of safety-critical capabilities, such as obstacle avoidance, lane management, and adaptive cruise control. However, this technology evolution has also brought about risks: if ECU firmware is compromised, then vehicle safety may be compromised. Recent experiments and demonstrations have shown that ECU firmware is not only poorly protected but also that compromised firmware may pose safety risks to occupants and bystanders.

Abstract Vehicular communications face unique security issues in wireless communications. While new vehicles are equipped with a large set of communication technologies, product life cycles are long and software updates are not widespread. The result is a host of outdated and unpatched technologies being used on the street. This has especially severe security impacts because autonomous vehicles are pushing into the market, which will rely, at least partly, on the integrity of the provided information. We provide an overview of the currently deployed communication systems and their security weaknesses and features to collect and compare widely used security mechanisms. In this survey, we focus on technologies that work in an ad hoc manner. This includes Long-Term Evolution mode 4 (LTE-PC5), Wireless Access in Vehicular Environments (WAVE), Intelligent Transportation Systems at 5 Gigahertz (ITS-G5), and Bluetooth.