DOI: 10.1145/3678890.3678927
Research article, open access

A Comprehensive, Automated Security Analysis of the Uptane Automotive Over-the-Air Update Framework

Published: 30 September 2024

Abstract

We present our experience of formally verifying the desired security properties of the Uptane over-the-air (OTA) software update framework against a set of applicable threat models. Uptane is gaining traction in the automobile industry and is widely considered the next de facto standard for OTA automobile software updates. The security of Uptane is of utmost importance because modern automobiles rely on software for their safety-critical functionalities and, especially, require OTA software updates to add new safety features or patch bugs in existing ones. Design flaws in Uptane can either violate the integrity of the updates to be installed or prevent vehicles from installing new updates, both of which can cause severe safety issues. Previous approaches to protocol verification either fail to capture the necessary features of Uptane or suffer from termination issues due to Uptane’s complexity. A key component of our approach lies in the eager combination of an infinite-state model checker and a cryptographic protocol verifier, where (in contrast to prior lazy approaches) we are able to eliminate a key manual step in the workflow while enabling reasoning over more fine-grained message structures. In addition, our approach utilizes two proven soundness- and completeness-preserving state-space-reduction optimizations for computational tractability, as well as a meta-level analysis technique that makes it feasible to reason over Uptane’s set of optional protocol features. Our approach is able to discover six new vulnerabilities while rediscovering all five known ones. While there have been previous analyses of Uptane’s security properties, they either missed design flaws identified by our approach or suffered from coverage and termination issues. The Uptane standards body has positively acknowledged our findings and has suggested updates to the protocol specification documents to address them.


    Published In

    RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses
    September 2024, 719 pages
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Publication History

    Published: 30 September 2024

    Author Tags

    1. attacks
    2. automotive security
    3. model checking
    4. protocol analysis
    5. vulnerabilities

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Funding Sources

    • The State University of New York's Empire Innovation Program

    Conference

    RAID '24

    Acceptance Rates

    RAID '24 Paper Acceptance Rate: 43 of 173 submissions, 25%
    Overall Acceptance Rate: 43 of 173 submissions, 25%

    Article Metrics

    • Total Citations: 0
    • Total Downloads: 645
    • Downloads (last 12 months): 645
    • Downloads (last 6 weeks): 72
    Reflects downloads up to 05 Mar 2025