May 20, 2018

Threat Modelling for Automotive – Part 2

Hi guys! In the Threat Modelling for Automotive – Part 2 we are going to explore deeply on connected cars and know about it in detail.

  1. Understanding Car’s Environment

 fig 1.png

Figure 1. Components of a connected car

2. Working of Automotive Cars

As cars are getting more interconnected with other vehicles and the environment around them, the security threats will continue to increase. Before the concept of a connected car was introduced, the automotive industry did not pay much attention to cyber-security because the attackers required physical access to perform an attack.

Today we have cars with multiple connection points to outside networks including a connection to the Internet. In addition to the LTE and Wi-Fi connections, Figure below shows all the additional services that the connected car will have in the future. Car2Cloud technology represents all internal services available because of the existence of Internet connections.

2.1. Automotive Networks

As the number of electrical components in vehicles increases, the need for a good network that will connect these parts becomes more important. Different electrical components have different functions and as such need different types of connectivity.

Today we have four main types of automotive networking:

  • LIN (Local Interconnect Network) – This network type provides a cost effective solution for connecting switches, intelligent actuators, temperature or rain sensors, small motors, lamps, sunroof or heating control. It has the smallest bandwidth of all four networks which is one of the reasons why it is used in non-critical functions of the vehicle system.
  • CAN (Controller Area Network) – The most widely used automotive network protocol. It is a single centralized network bus where all the data inside the vehicle is broadcast. This network type can be divided into two categories depending on the nature of the traffic: real-time control in powertrain (SAE Class C) and body control (SAE Class B). It is used in engine timing controls, anti-lock braking systems, electronic throttle control etc.
  • Flex-Ray – Main purpose of this network type is to support the new drive by-wire systems such as steer-by-wire and brake-by-wire, that require good error management along with high transmission rates.
  • MOST (Media Oriented Systems Transport) – Has the largest bandwidth of all networks and it is mainly used for audio, video, navigation and telecommunications systems. It is most suitable for real-time audio and video transmission applications.

Each of these networks has different attributes and application areas. The table below shows the main differences between them.

LIN CAN Flex-Ray MOST
Application Low-level Communication System Soft Real-time Systems Hard real-time Systems (X-by-wire) Multimedia, telematics
Control Single-master Multi-master Multi-master Timing-master
Bus Access Pooling CSMA/CA TDMA/FTDMA TDM/CSMA
Bandwidth 19.6kNit/s 500kBit/s 10 Mbit/s 24.5 Mbit/s
Data bytes per frame 0 to 8 0 to 8 0 to 254 0 to 60
Redundant channel Not supported Not supported Two channels Not supported
Physical Layer Electrical (single wire) Electrical (twisted wire) Optical, electronic Mainly Optical

Table 1. Overview of Automotive Networks

Figure below shows the internal structure of the in-vehicle networks and how they are organized in smaller sub-networks.

fig 2.png

Figure 2. Overview of Internal Vehicle sub-networks

Each sub-network is based on a different network technology depending on the requirements of the systems connected to that specific network. For example, the head unit is responsible for the audio and video transmission which requires a faster bandwidth, therefore it uses the MOST network type.

3. Motivation for Hacking

The motivation is an important attribute of threat agents because it tells us what human drives are involved and what the main reason is for their actions. The motivation usually has two meanings, cause and drive. The cause means the underlying reason for some harmful or unintentional action, which could be some specific situation or an emotional reason. The cause is the primary parameter used to describe the motivation, but the drive is also important because it defines a certain level of intensity or interest a threat agent might have.

fig 3.png

Figure 3. Motivation of Threat agents

The main reasons behind the motivation parameter are:

  • Knowing the threat agent’s motivation can give us information, about the target or the asset, that agent is most likely to focus on.
  • If the security experts know the threat agent’s intent, they can focus their often limited resources on the most likely attack vectors for any asset.
  • Motivation shapes the intensity of the attack because the attackers usually act in a way that reflects their emotional or circumstantial state.
  • The motivation also helps in better describing the threat scenarios in a less technical language. The motivation describes a more detailed story.

The threat modelling process in this thesis describes two motivational aspects, defining motivation and personal motivators for individuals. The first one is the most descriptive, describes the threat agent group in the best way, and is the primary cause of their actions. The second one is focused on motivators for individuals that work alone or as part of a organisation. This aspect describes the main reasons and drives for these individuals.

The TARA (Threat Agent Risk Assessment) threat modelling method defines the following 10 types of motivation:

  • Accidental – Type of motivation that is usually connected to a threat agent with harmless intent that through distraction or poor training causes unintentional harm to the company.
  • Coercion – When someone is forced into doing something against their will on behalf of another is the core of this motivation type. An employee from a car manufacturer e.g. could be forced by intimidation or blackmail to give out confidential information or perform some other action that is harmful to his company.
  • Disgruntlement – Motivation type that is closely tied to employees or former employees that want to do harm to their company. The reason for this is mostly revenge or retaliation because of some wrongdoing by that company. This motivation type implies that there was some sort of prior interaction between the threat agent and the target company.
  • Dominance – An attempt to establish superiority over another individual, company, organization or even another country. It can take many forms such as intimidation, threatening to expose sensitive data or stealing information assets in order to become more powerful toward a goal of dominance. Access to this information allows the attacker to leverage them or exploit their vulnerabilities when they decide to attack.
  • Ideology – The agent motivated by ideology primarily relies on some personal belief, political loyalty, and sense of morality or justice.
  • Notoriety – This motivation type describes someone that is trying to become famous for his harmful actions in the cyber world. A threat agent with this type of motivation usually looks for confirmation and respect from the community in which they act.
  • Organizational gain – An unlawful action by a threat agent that would increase an organization’s profit or obtain some other advantage over a competing organization or company. This can be information theft, misuse of information, inappropriate acquisition, sabotage etc.
  • Personal financial gain – Probably one of the most common motivations where an individual or a group of individuals performs cyber-attacks with only one goal improving their financial status.
  • Personal satisfaction – Another very common type of motivation where a threat agent acts in order to accomplish some personal wish or a desire in order to satisfy their emotional self-interest.
  • Unpredictable – An action conducted by a threat agent that is totally random, strange and has no logical explanation. It creates unpredictable events.

4. Attack Vectors

The connected car can be exploited for a number of purposes:

  • Safety – How can attackers compromise the safety of the drivers, passengers and nearby people? For example, can an attacker manipulate communications between electronic control units to initiate a self-parking mode while the car is speeding down a highway?
  • Privacy – How secure is the acquisition of driver activities data (e.g., location of vehicle, navigation destination, etc.)? A recent study showed that 5 percent of all Americans (or more than 15 million people) could be identified just by knowing their home and work zip codes.
  • Fraud and theft – The connected car vision often includes the ability to easily make purchases from the car. How can developers protect your information from unauthorized commercial transactions? This area is a likely early target for attackers, as this exploit can be easily monetized.
  • Mischief – How can you prevent interference with on board non-safety vehicle systems such as infotainment, heating and air conditioning systems, etc.? While there’s no monetary gain to be had by attackers, developers still need to protect against the “bored teen” who wants to see if he can turn his neighbour’s heat up on the hottest summer day or continually honk the horn.

4.1. Finding the Attack Vectors

Attack surface refers to all the possible ways to attack a target, from vulnerabilities in individual components to those that affect the entire vehicle. When discussing the attack surface, we’re not considering how to exploit a target; we’re concerned only with the entry points into it.

The following questions should be asked when finding the attack surface.

  • What are the audio input options: CD? USB? Bluetooth?
  • Are there diagnostic ports?
  • What are the capabilities of DashBoard? Is there a GPS? Internet?
  • If the vehicle is electric, how does it charge?
  • Are there touch or motion sensors?
  • What signals are received? Radio Waves?
  • Is there physical keypad access?

fig 4.png

Figure 4. Weakest points of connected cars

Figure above illustrates the 15 most vulnerable points of a connected car according to the Intel security report from 2015. Each of these 15 points actually represents an advanced feature of the connected car. Most of these features are implemented through dedicated ECUs that are in charge of those specific functions. The ECUs are interconnected through the internal vehicle network called CAN (Controller Area Network). If any of these features gets compromised, the entire internal network is potentially in danger since these ECUs are interconnected, and depending on the attacker’s expertise some of the critical systems can be controlled.

fig 5.png

Figure 5. Connected Car Threats

The four main difficulties in securing the connected car are in the following areas:

  • Over-the-air updates (OTA) – The connected cars are very similar to computers, as they have a very complex software architecture and a variety of applications to enable some of the new enhanced features. As time goes by, this software needs to be updated with new bug-fixes or security patches to prevent discovered vulnerabilities. These updates are challenging for the automotive industry because some updates could be very critical and potentially dangerous for the safety of the driver and passengers if not installed on time. If the car cannot be updated due to the vehicle not always being on-line, whose responsibility will it be if outdated software causes an accident? At this time, only Tesla has remote updates enabled while others require a visit to the service centre.
  • Low computational power – Because of the long vehicle life-cycle and the environment conditions such as humidity, vibration and temperature, the computational power of vehicles is low. This is to the attacker’s advantage because they can leverage the power of stronger computers. Moreover, as the vehicle gets older, the more advanced technologies will be developed comparing to the car’s production year, making it even easier to exploit.
  • Difficult to monitor – It is difficult to monitor the status of the automotive electronics by a certified authority, as the car is not always connected to the Internet.
  • Cost – One of the major difficulties is, of course, the costs of making all the vehicle software secure. Companies would need to employ more people and they would need to change their entire development process in order to incorporate security from the very beginning.
  • No Safety without Security – Just one infected car on the road represents a potential hazard for all the surrounding vehicles, and each new security vulnerability exposes new safety issues e.g. if security mechanisms fail to ensure the integrity of messages sent by the braking system.

5. Major Components of Automotive Cars

  • ECU

The ECU, also known as the car computer, provides controls for a variety of systems within the engine thus the Brain of the car. It controls a series of actuators to make sure things are running smoothly within the engine. It reads signal coming from various sensors in different part of the car. Each car contains of at least 30 ECU. Each ECU in car need to interface with more than one ECU to perform its own functionality.

fig 6.pngfig 6-1.png

Figure 6. ECU

Parts of Engine ECU Controls are:

  • Amount of fuel injected into each cylinder
  • Ignition Timing
  • Revolution limit
  • Water temperature correction
  • Transient furling
  • Low fuel pressure modifier
  • Closed loop lambda- monitors output of a system to control the inputs to a system

fig 7.png

Figure 7. Automotive ECUs

  • CAN BUS

The most widely used automotive network protocol. It is a single centralized network bus where all the data inside the vehicle is broadcast. This network type can be divided into two categories depending on the nature of the traffic: real-time control in powertrain (SAE Class C) and body control (SAE Class B). It is used in engine timing controls, anti-lock braking systems, electronic throttle control etc.

CAN is a serial communication Protocol to allow communication between ECUs and Sensors. It is used in automotive electronics for critical tasks such as engine control and brake system. Depending on the importance of message the priorities will be given to different messages. Highest Priority message with lowest ID.

  • Auto start/stop
  • Electric park brakes
  • Parking assist systems
  • Auto lane assist/collision avoidance systems
  • Auto brake wiping

fig 8.png

Figure 8. CAN BUS

CAN Benefits are listed below:

  • Low-Cost,Lightweight Network
  • Broadcast Communication
  • Priority
  • Error Capabilities
  • OBD-II

The OBD II port (On-Board Diagnostics) is the oldest interface in the CEL library. The interface is typically located under the steering wheel. It is mainly used by service shops to run diagnostic checks and to read status information about different vehicle subsystems.

OBD systems give vehicle owner or repair technician access to the status of the various vehicle subsystems. It is an automotive term to a vehicle’s self diagnostic and reporting capability. OBD-II is an improvement over OBD-I in both capability and standardization.

The type A connector is used for vehicles that use 12V supply voltage, whereas type B is used for 24V vehicles and it is required to mark the front of the D-shaped area in blue color.

fig 9.png

Figure 9. OBD Port

It was firstly used to make modifications related to tweaking the engine or the vehicle mileage, while today this port can be used for orchestrating a wireless attack or violating the privacy of the driver. The attacker would need prior physical access to the OBD port in order to pull off any type of attack.

The security mechanism of this interface is so low that it would give almost full access to the entire vehicle system. Some of the possible wireless attacks could be conducted in case an aftermarket telematics unit is connected to this port, or if a wireless insurance/rent-a-car dongle is plugged into it. The attack could affect the safety features of the vehicle as well as violate the privacy of the driver.

fig 10.png

Figure 10. OBD Scan Tool

Ability to read and clear codes. These scanners can also offer the ability to check pending, or soft, codes that haven’t activated the check engine light yet, and provide access to a wealth of information. Data from virtually every sensor that provides an input to the onboard computer can be viewed via an OBD-II scanner, and some scanners can also set up custom lists of parameter IDs (PIDs).

When your car is not working properly, a dashboard warning light or, a (MIL) malfunction indicator light, will illuminate. This lets the driver know something is wrong but not exactly, what is wrong. This is where an OBD Scanner tool comes into use. It can be plugged into your vehicle easily and report a code. This in turn, will give you further information about what, is wrong. With all the complex electrical and mechanical systems within a car today it can be hard to troubleshoot issues without one.

  • Infotainment

The infotainment system is gradually becoming a standard in the automotive industry and is turning the car into an entertainment center with various features and Internet access. This system offers access to web browsers, social media applications, games and other applications that the user can download from the Internet.

The famous Jeep Cherokee attack from 2015 used a flaw in the Uconnect  entertainment system in order to get remote access to the vehicle. The Infotainment system is connected directly to the Controller Area Network (CAN) bus. As previously mentioned the in-vehicle network segmentation is very low which is why the attacker can access critical systems just by compromising the entertainment center. A recent paper demonstrated another flaw in the infotainment system that exploits the Mirror Link Protocol in order to get remote access to the vehicle’s controls.

It Includes:

  • Car Audio Systems- Radio, CD Players
  • Automotive navigation system
  • Video Player
  • USB
  • Bluetooth
  • WiFi
  • In-car internet
  • Dashboards knobs and dials
  • Hands Free voice control

In-car entertainment (ICE), or in-vehicle infotainment (IVI), is a collection of hardware and software in automobiles that provides audio or video entertainment.

  • Cellular connection (3G/4G)

Vehicles can have a dedicated cellular connection using a SIM-card that is implemented by the OEM and cannot be replaced by the driver. This connection is used for exchanging information with the car manufacturer such as delivering software updates or providing Internet access for applications in the Infotainment center.

This was the entry point for the famous Jeep Cherokee attack performed in 2015. The attackers exploited a vulnerability that allowed them access to the critical vehicle functions such as the steering wheel, brakes, infotainment system etc. A constant connection over a cellular network is certainly a tempting attack surface and the research shows it as a very likely target.

 

  • Over-The-Air (OTA) updates

This feature refers to software and firmware updates delivered to the vehicle over an Internet connection without visiting the service shop. A very small number of vehicles has this feature today but it is estimated that by 2022 over 200 million connected cars will have OTA updates enabled. The main reason for the OTA updates becoming a standard is that they provide a cheaper and more effective way of delivering updates for software bugs and vulnerabilities.

It is very important for this feature to have a strong security mechanism that would ensure a secure connection with the service provider and the integrity of the software package. If this feature gets compromised by an attacker, it could lead to major safety issues endangering the driver and the passengers. Research has shown that OTA updates are a major security concern and need to be addressed very carefully.

  • Smart-phone

Almost every new car today has an option to pair with your smartphone and make it easier to make phone calls, access the phone book, play music from the phone on to the car’s speaker system or even share the smartphone’s Internet connection with the vehicle.If the smartphone gets infected by malware it could easily spread to the vehicle and allow the attacker to further extend the length and scope of the attack and compromise the vehicle system.

The smartphone could be used to send malicious messages to the CAN network if the attacker gains access to it and, prior to the attack, enables a certain communication protocol in the infotainment system. Applications in the smartphone could also be exploited and this has already happened a number of times, but more details will be given in the “Remote link Type App” section.

  • Bluetooth

The main usage of the Bluetooth interface in the vehicle is to pair the smartphone with the vehicle system. This enables making phone calls through the in-car system, accessing your phone book and playing music on the car speaker system. The range of Bluetooth is around 10 meters but it can be extended through amplifiers and directional antennas.

Attacks on the Bluetooth connection can be conducted with an un-paired device and with a device paired with the in-vehicle system. The research shows that a malicious payload can be injected into the vehicle system by exploiting a vulnerability in the Bluetooth interface connected to the vehicle’s telematics unit.

  • Remote link Type App

This refers to different applications in the Infotainment system or in the driver’s smartphone that provide remote access to the vehicle system. This feature allows drivers to unlock, locate, track, turn on the heating, AC or even start the car’s engine and all of this remotely using an application on their smartphone.

Although this feature is very appealing to the driver it has significant security vulnerabilities that could allow the attacker to gain access to the vehicle system and the inside network. Many of the major car manufacturers (GM, BMW, Tesla, Nissan) have had security issues with this feature that was exploited by the attacker.

  • KeyFobs and Immobilizers

The main usage of these two technologies is for unlocking the vehicle and preventing any unauthorised access that would enable the attacker to get inside the car and start the engine. The immobilizer is a small device that prevents the fuel injection to the engine and thus prevents the engine from starting up, unless a correct key is inserted in the vehicle. This mechanism is mandatory in all vehicles. Key Fob is a remote key that unlocks the vehicle at the push of a button.

Car thieves are the main threat agents that target these attack surfaces. A common attack involves intercepting the frequency and the code that the car owner sends by pressing the button on the car keys, later on the thief tries to replay this code to the car in order to unlock it. In a recent paper by security experts from the University of Birmingham, it was revealed that over 100 million cars sold by Volkswagen since 1995 have a security flaw in the key-less entry systems and are vulnerable to an attack. Various researchers have proven that KeyFobs and Immobilizers are not secure enough and need more improvement in order to protect the vehicle from being stolen.

  • USB

Almost every modern car today has a USB interface for various purposes such as updating the vehicle software or charging the smartphone. USBs are very well known in the computer world as devices that can easily transfer malware from one computer to another even without an Internet connection. The same situation can happen in the automotive industry which is why this interface needs proper security mechanisms. It was also discovered that using a USB dongle can allow an attacker to exploit it and gain access to the vehicle’s functions.

  • ADAS System

The main features of this ADAS (Advanced Driver Assistance System) are the LDW (Lane Departure Warning), ACC (Adaptive Cruise Control) and the Brake Assistance/Collision Avoidance System.

If the attacker would be able to inject malicious data into these systems or force the sensors to read false data, it could lead to major safety issues, which could consequently cause material damage or injury to the driver and the passengers.

  • DSRC-based receiver (V2X)

The DSRC (Dedicated short-range Communications) is a high-speed wireless technology with a medium range (< 1 km) and a very low latency (50ms) that is specifically designed for the use in the automotive industry. This is one of the key wireless protocols to be used with the upcoming V2V and V2I technologies. It is constructed in a similar way as the existing Wi-Fi communication systems (IEEE 802.11p is the standard used in DSRC, which is a subset of the IEEE, 802.11 standard).

Because it is based on a similar standard as the Wi-Fi, it is vulnerable to similar attacks. These attacks include jamming, spoofing, interference and attacks on user confidentiality.

  • DAB Radio

The DAB (Digital audio broadcasting) radio broadcasts digital audio radio services and it is used in most countries in Europe and Asia. The radio is in most cases integrated into the Infotainment center and as such connected to the internal CAN network.

A security expert from the NCC Group company managed to perform a successful attack on a vehicle through the DAB Radio. Davis created a fake DAB Station, which broadcasted malicious data to the targeted car and allowed him to compromise the infotainment center. From this point, the attacker could access some of the critical controls such as the steering wheel and the brakes.

  • TPMS

The TPMS (Tire Pressure Monitoring System) system is used to monitor the air pressure inside the tires and notify the driver if the pressure is too low. The system is supposed to increase the safety of the vehicle by notifying the driver in time about potential problems with the tires.

The main vulnerability of the system is that it broadcasts a specific ID number, which can be used to identify the car and as such could be used for tracking specific vehicles. Even though the range of TPMS sensors is around 40 meters it still represents an interesting attack surface that could be exploited by the attackers.

  • GPS

The GPS (Global Positioning System) is a technology that most cars today have that is used to help the drivers find the right path to their destination. The reason it is vulnerable is that an attacker can use this system to locate and track specific vehicles as well as extract GPS history and get information about driver’s recent routes and home address. The attack surface is mainly seen as a threat to privacy.

  • eCall

The eCall is a new initiative of the European Union that would allow the car system to call the emergency services and send location data in case of a serious traffic accident. According to the EU, this feature would decrease the response time of emergency services by up to 40% in urban areas and by 50% on the countryside saving up to 2500 lives every year. The eCall system is not implemented in many cars today but in the future attackers because of its connection to the mobile network could potentially exploit it.

  • EV Charging port

The usage of vehicles powered by electricity is becoming more popular by each year; electric car manufacturers such as Tesla have their own charging stations across the world that can be used for free. The main threat to the EV charging port is represented through the use of the charging stations. These stations are usually connected to the Internet and have access to PII data of the driver when the car gets connected to the charging station. A security experts working for a company that produces these charging stations presented various attack scenarios in a recent talk. These scenarios included identity theft, financial theft and DoS attacks that could take down the entire smart grid, which will in the future be connected to these charging stations.

  • CD/DVD Player

Every vehicle today has a CD/DVD player in their infotainment center and even though it sounds very unlikely that a music CD could be used to attack the vehicle, it is actually possible to do this. Researchers have shown that a specifically designed mp3 file could be used to compromise the CD/DVD player, which is already integrated in the infotainment center and as such connected with the internal, CAN network.

  • WiFi

The Wi-Fi connection is a new feature of vehicles today. The vehicle can offer this in a form of a hot spot over a dedicated 3G/4G connection, and in this case, the vehicle owner would have to pay additional fees to use the feature. The other form of this function is to use the Internet connection of the driver’s smartphone in which case no additional charges would be made. In both cases, the Wi-Fi connection is broadcasted through the in-vehicle system.

This interface gives direct wireless access to the vehicle; although the range is limited, it can still be used to perform an attack. The initial attack can be used to infect the vehicle with malware, which would enable the attacker to access the car later on, possibly from a greater distance using the vehicle’s cellular connection. Recent attacks have shown that this interface can be used to perform attacks allowing the attackers to disable the alarm system, control the vehicle lights, drain the battery or even control the brakes of the vehicle.

I hope you got an idea on the components that are very important part of the connected cars. If you like it please comment and share.

Parminder Singh

vicky.jpg

Email: singhvicky1516@gmail.com

Leave a Reply

Your email address will not be published. Required fields are marked *