Combining Cyber Security Intelligence to Refine Automotive Cyber Threats

Published: 14 March 2024

Abstract

Modern vehicles increasingly rely on electronics, software, and communication technologies (cyber space) to perform their driving task. Over-The-Air (OTA) connectivity further extends the cyber space by creating remote access entry points. Accordingly, the vehicle is exposed to security attacks that can impact road safety. A profound understanding of security attacks, vulnerabilities, and mitigations is necessary to protect vehicles against cyber threats. Because automotive threat descriptions, such as those in UN R155, are still abstract, there is a risk that potential vulnerabilities are overlooked and the vehicle is not secured against them. So far, there is no common understanding of the relationship between automotive attacks, the concrete vulnerabilities they exploit, and the security mechanisms that would protect the system against these attacks. In this article, we aim to close this gap by creating a mapping between UN R155, the Microsoft STRIDE classification, Common Attack Pattern Enumeration and Classification (CAPEC), and Common Weakness Enumeration (CWE). In this way, existing detailed knowledge of attacks, vulnerabilities, and mitigations is combined and linked to the automotive domain. In practice, this refines the list of UN R155 threats and therefore supports vehicle manufacturers, suppliers, and approval authorities in meeting and assessing the requirements for vehicle development in terms of cybersecurity. Overall, 204 mappings between UN threats, STRIDE, CAPEC attack patterns, and CWE weaknesses were created. We validated these mappings by applying our Automotive Attack Database (AAD), which consists of 361 real-world attacks on vehicles. Furthermore, 25 additional attack patterns were defined based on automotive-related attacks.

Cited By

  • (2024) Facilitating the Integrative Use of Security Knowledge Bases within a Modelling Environment. Journal of Cybersecurity and Privacy 4:2 (264-277). DOI: 10.3390/jcp4020013. Online publication date: 20-Apr-2024
  • (2024) Cybersecurity Maintenance in the Automotive Industry Challenges and Solutions: A Technology Adoption Approach. Future Internet 16:11 (395). DOI: 10.3390/fi16110395. Online publication date: 28-Oct-2024
  • (2024) A Framework for the Systematic Assessment of Anomaly Detectors in Time-Sensitive Automotive Networks. 2024 IEEE Vehicular Networking Conference (VNC) (57-64). DOI: 10.1109/VNC61989.2024.10576017. Online publication date: 29-May-2024

Published In

ACM Transactions on Privacy and Security  Volume 27, Issue 2
May 2024
192 pages
EISSN: 2471-2574
DOI: 10.1145/3613601

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 March 2024
Online AM: 05 February 2024
Accepted: 20 January 2024
Received: 26 January 2023
Published in TOPS Volume 27, Issue 2

Author Tags

  1. Automotive security
  2. taxonomies
  3. attacks
  4. vulnerabilities
  5. mitigations

Qualifiers

  • Research-article

Funding Sources

  • SecForCARs-SAVE
  • German Ministry of Education and Research (BMBF)
  • GTÜ Gesellschaft für technische Überwachung mbH in Stuttgart, Germany
