Abstract
Highly connected with their environment via various interfaces, cars have been the target of malicious cyber attacks for years. These attacks are becoming an increasing burden for a society with growing vehicle autonomization: they are the sword of Damocles of future mobility. Research is therefore particularly active in the area of vehicle IT security, and in part also in the area of dependability, in order to develop effective countermeasures and to stay at least one step ahead of hackers. This paper examines the known state-of-the-art security and dependability measures based on a detailed and systematic analysis of published cyber attacks on automotive software systems. The attacks are analyzed with the model-based technique SAM (Security Abstraction Model) and categorized in relation to the known security and dependability measures. The sobering result is that most countermeasures against cyber attacks are hardly effective: they either are not applicable to the underlying problem or take effect too late, when the intruder has already gained access to a substantial part of the vehicle. The paper thus contributes to an understanding of the gaps that exist today in the area of vehicle security and dependability and derives concrete research challenges.
Acknowledgment
This work is funded by the Bavarian State Ministry of Science and the Arts in the framework of the Centre Digitisation.Bavaria (ZD.B).
M.Z. was supported by the BayWISS Consortium Digitization.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Zoppelt, M., Tavakoli Kolagari, R. (2019). What Today’s Serious Cyber Attacks on Cars Tell Us: Consequences for Automotive Security and Dependability. In: Papadopoulos, Y., Aslansefat, K., Katsaros, P., Bozzano, M. (eds) Model-Based Safety and Assessment. IMBSA 2019. Lecture Notes in Computer Science, vol 11842. Springer, Cham. https://doi.org/10.1007/978-3-030-32872-6_18
DOI: https://doi.org/10.1007/978-3-030-32872-6_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-32871-9
Online ISBN: 978-3-030-32872-6
eBook Packages: Computer Science, Computer Science (R0)