Introduction
Welcome back! I hope you have gone through the previous blog “Automotive Security – Part 1” If not, I would urge you to go through it to understand the meaning of Automotive Security. Now we will start getting into security and try to define a way to understand more about the attack surface and entry points.
In May of 2020, Automotive Management Online reported that [attacks on connected cars rose a staggering 99%] (https://www.am-online.com/news/manufacturer/2020/06/04/cyber-attacks-on-connected-cars-rise-by-99). In addition to AI (artificial intelligence), 5G and cloud services, V2X (vehicle-to-everything) is a key technology for connected cars, yet it is not without its risks.
If we look at the architecture discussed in the previous post, it now becomes clear and easy for us to segregate the components and try to define the attack surface for each one of them individually and then combine them to create a holistic overview of the Automotive ecosystem attack surface. It is indeed an ecosystem of different components talking to each other to tackle a particular real-world problem.
Vehicle’s often also have a single exposed ECU for communication and have Bluetooth, Wi-Fi, GSM, UMTS (Universal Mobile Telecommunications System), LTE (Long Term Evolution), GPS (Global Positioning System) and other antennas and services that count to their externally accessibly attack surface.
Let’s go ahead and define the attack surface of Automotive ecosystem and discuss each component’s attack surface in detail. As discussed in the previous blog we have both connected vehicle (CV) and Connected Autonomous Vehicle (CAV). They use V2V, V2I & V2X communications to handle all the functions of the vehicle along with internal communications between ECU’s. Let’s narrow down the surface into three sections:
- Physical Access.
- Short range wireless attacks.
- Long range wireless attacks.
In Automotive Security the threats depend on adversary/attackers’ knowledge of the vehicle and its connections with different head units or infotainment hubs in order to develop malicious exploits.
Physical access
In order to carry out a physical attack, attacker will maintain physical access to the vehicle’s communication channels to record internal communication between different ECUs. Then attacker will reverse-engineer the collected data and carry out several attacks. an attacker can use the OBD2 port or hardwire a malicious hardware (like a backdoor) to carry out such attacks. In this way hackers will be able to manipulate data packets and perform attacks on all the nodes which are connected in this channel. These attacks include reprogramming an ECU and encapsulating a sleeper program by hardcoding ECUs to carry out attacks.
Short range wireless attacks
we heard of V2V communications using Bluetooth, RF, RFID and Wi-Fi, here an adversary/attacker is in the vicinity of the vehicle. TPMS (Tire pressure monitoring system) key fobs and PKES (passive keyless entry system) work on Radio frequency that has a short-range radio transmitter that communicates with a vehicle by sending identification information to it for authentication. In general, a vehicles infotainment hub or gateway takes care of receiving OTA update. What if it is using an adversary’s Wi-Fi? it will be allowing a malicious smartphone inside the internal CAN bus. If the same head unit is connected with vehicles internal communication bus. Now, an attacker might be able to deploy applications or web sites that are capable of installing and acting as Trojans in the telematics units. Also, if the Bluetooth capability of a head unit is poorly implemented by the OEM, then there is a high chance of able to connect to Bluetooth head unit or read information.
Long range wireless attacks
V2I or V2X basically connects with remote gigs, using combined vulnerabilities between the infotainment hub/gateway the attackers will able to gain access through the telematics unit and carry out an attack. Now a days we see a lot of OEM’s and 3rd party apps/software which are able to remotely start a car. If we are able to hack into the chain, we will able to access a wide fleet of vehicles too. V2X communications are susceptible to eavesdropping, spoofing, man-in-the-middle types of attacks.
When we see Supply Chain and Third-Party Component Challenges we also need to look into the software used and ECU’s attack surface. The software used in OEM infrastructure, infotainment hubs and gateways might be susceptible to attacks like Buffer overflow attacks or Remote code execution attacks. security of these software it is a very important binding glue for overall security of a vehicle ecosystem.
We see that any incoming data is arriving at an ECU to gain control of vehicles, also ECUs are Hardware Attack Surfaces that can be tampered only with physical access, like boot memory comprising storage of attacker supplied code that could allow execution, left open debug interfaces that are not used in regular operation, but used in development and advanced maintenance. Inter-Chip/SoC Communication Channels are any data exchange links inside an ECU (usually in between semiconductors) that could be revealed and tampered with a Side Channel Attack by measuring or manipulating an ECU physically for information. Side channel attacks are generally considered as hard to perform attacks but, it’s possible to tamper a particular ECU so that it opens an attack chain which enables an advisory or attacker to remotely hack into a vehicle.
So, the attack surface is pretty wide and comprises an eco-system of vehicles, which can be sectioned as:
- Hardware.
- Communication.
- Cloud.
- Apps & Software’s.
Conclusion
An insecure increase in capabilities of a vehicle drastically increases unnecessary attack surfaces. Also, research shows that interface joints create more chances of getting a vehicle hacked. Automotive manufacturer’s should adopt standards like United Nations Economic Commission for Europe (UNECE) WP.29 cybersecurity, International Standardization Organization (ISO) 24089 and 21434 for ensuring vehicles Cybersecurity. Additionally, in a vehicle, the risk of physical injury is added to the risk of loss of data which can be avoided by embedding a strong culture of secure code practices, threat/risk management and a strong cybersecurity tests these can help keep vehicles, drivers and pedestrians safe.
We hope this blog post gave you a good high-level overview of Automotive Attack Surface. If you are reading up to this point, you are very much interested in Automotive security. This blog post aimed to give you a basic idea about attack surfaces in Automotive eco-system. Going forward, the next blog post will describe about a most widely used protocol in cars/vehicles. I hope you enjoyed reading this as much as I enjoyed writing it : )
About Payatu
Payatu is a research-powered cybersecurity service and training organization specialized in IoT, embedded, mobile, cloud, infrastructure security, and advanced security training. We offer a full IoT/IIoTT ecosystem security assessment, including hardware, firmware, middleware, and application interfaces. If you are looking for security testing services then let’s talk, share your requirements: https://payatu.com/#getstarted Payatu is at the front line of IoT security research, with a great team, and in house tools like expliot.io. In the last 8+ years, Payatu has performed, security assessment of 100+ IoT/IIoT product ecosystems and we understand the IoT ecosystem inside out. Get in touch with us. Click on the get started button below.
