Revisiting remote attack kill-chains on modern in-vehicle networks

In-vehicle networks contain an increasing number of electronic control units (ECUs) with advanced electronics and wireless capabilities. Due to their critical role in vehicles, these ECUs are a prime target for remote adversaries as ECUs often communicate via the reliable but insecure Controller Area Network (CAN) protocol. By compromising just a single invehicle ECU, a remote adversary could manipulate safety-critical systems by simply injecting

CAN messages. Prior work had demonstrated the feasibility and severity of real-world remote exploitation of in-vehicle ECUs, which brought this threat to the attention of automotive manufacturers/suppliers and global regulatory bodies. In response, the automotive industry has since developed defenses to secure the CAN bus against remote adversaries, and these defenses do well to detect and prevent known message injection attacks. In this thesis, we argue that there remain unaddressed disconnects in the security design of modern in-vehicle networks. We develop an end-to-end attack “kill-chain” that demonstrates

a series of exploited vulnerabilities in modern vehicles. Here, we envision an adversary that remotely compromises a non-safety-critical and wirelessly-connected ECU (e.g.,

infotainment) with the goal of controlling a safety-critical ECU (e.g., engine, transmission) while evading detection by modern network defenses. However, these defenses can still prevent our attacker from simply using the compromised ECU to inject critical CAN messages that disrupt the safety-critical ECU’s functionality. Therefore, we aim to construct a

kill-chain that can ultimately enable a remote adversary to gain control of a safety-critical ECU’s software, opening the door to more advanced safety-critical attacks. By identifying

disconnects that an adversary can exploit to build this kill-chain, we can inform defenses for next-generation vehicles with proposals of countermeasures that target these disconnects. Our key contributions consist of building new attack classes, demonstrating attack feasibility

on real vehicles, and proposing countermeasures for each stage of our kill-chain. First, to gauge an understanding of a victim network of ECUs and their transmission characteristics, our CANvas network mapper accurately identifies the source and destination ECU of a given CAN message and permits us to characterize ECU transmissions. Using this network knowledge, the CANnon disruption technique demonstrates how an adversary can target a

victim ECU in the network and disrupt its CAN transmissions to the adversary’s advantage. Finally, the CANdid authentication bypass leverages both CANvas and CANnon to successfully authenticate with a safety-critical victim ECU without access to its secret keys. To complete the kill-chain, we demonstrate how our three stages enable a remote adversary to download code to a victim ECU. Drawing from the vulnerabilities that enable our kill-chain, we propose practical countermeasures to detect and prevent our methods and discuss the lessons we learned to help identify potential vulnerabilities in a future automotive network

design.