Horizon Security

Automotive Cyber Security

The increasing complexity of the modern car, due to highly sophisticated, Internet-connected components, creates new cyber-security challenges that must be addressed to safeguard passengers' lives.

In recent years, the fast-growing smart automotive industry has encountered new challenges similar to those of "traditional" computer security.

To improve car safety or enhance the car user's experience, the modern automobile is composed of many sub-networks operating in different domains.

Such in-vehicle sub-networks connect different sensors and several Electronic Control Units (ECUs) that use various protocols to exchange data over different bus systems (Ethernet, CAN, LIN, FlexRay, MOST, etc.).

Furthermore, modern cars and commercial vehicles are equipped with Internet-connected infotainment systems and Telematics Control Units that integrate multiple wireless communication systems (cellular, Bluetooth, Wi-Fi, etc.).

Each of these components requires appropriate protection, since its compromise may strongly impact the privacy, the security or even the safety of the end users.

Research shows that remote attacks can be feasible by chaining vulnerabilities found in different vehicle components.

Domain Areas

INFOTAINMENT
This domain includes navigation services and entertainment services for audio/video content.
Infotainment systems often have Internet access and other communication features (e.g. telephony), cooperating with the telematics domain.

TELEMATICS
A Telematics Control Unit handles the different telematics services and manages the other wireless connectivity modules, integrating multiple wireless communication technologies into the vehicle's systems. Car makers typically offer different proprietary remote services built on top of these technologies.

ENVIRONMENT
This domain controls vehicle features with regard to the surrounding environment. It includes, for example, steering control, airbag control, braking systems, Advanced Driver Assistance Systems (ADAS), embedded cameras and the Tire Pressure Monitoring System (TPMS).

POWER-TRAIN
This domain includes the ECUs that control the sub-networks of mechanical or electronic systems located between the vehicle's energy source and its transmission.

BODY
This domain manages the sub-networks that command, for example, the climate control system, the various warning indicators, the instrument cluster, the direction lights and the heated seats. The locking system, the immobilizer, key fobs and passive entry systems are also part of this domain.

Extended Attack Surface

The threat model for automobiles is no longer focused only on physical access: the Internet connection opens new possibilities.

Recent developments in automotive transportation systems have introduced the opportunity for creative attacks.

Threats & Attacks

Compromising an asset in the TELEMATICS DOMAIN is the front door for remote attacks. This domain sometimes offers a cellular connection via an embedded SIM card to provide proprietary remote services; exploiting a vulnerability in the software stack responsible for these online features may disrupt the service or provide the opportunity to send messages to other ECUs on different buses.

Compromising the POWER-TRAIN DOMAIN (ignition, steering, brakes, speed control or driving support) may obviously result in a loss of control of the vehicle.

In the ENVIRONMENT DOMAIN an adversary can attack, for example, the Tire Pressure Monitoring System (TPMS): compromising this wireless sub-network may result in a loss of control of the vehicle in some circumstances. From a MITM position it may be possible to proxy and modify the packets that control the Lane Keeping Assist System (LKAS) and its steering control. Abusing the camera system and the parking sensors may pose another safety risk, depending on the exact implementation of the target vehicle.

Compromising the BODY DOMAIN may harm the passengers, if an adversary attacks the airbags, but also the surrounding vehicles, for example through the rear view mirror system or the warning/direction lights. The immobilizer and the locking system are also part of this domain and could be attacked.

In the INFOTAINMENT DOMAIN it may be possible to trigger malicious firmware updates, spoof navigation data or access the underlying operating system for further attacks.

Timeline

2010
CAESS: "Experimental Security Analysis of a Modern Automobile", IEEE S&P.

2013
Miller & Valasek hack a Ford Escape and a Toyota Prius.

2014
Kaspersky Lab exploits BMW's ConnectedDrive.
Black Hat USA: Miller & Valasek, "A Survey of Remote Automotive Attack Surfaces".

2015
Lesley Stahl, DARPA demonstration. Miller and Valasek remotely control a Jeep Cherokee.

DEF CON:
Kevin Mahaffey and Marc Rogers hack the Tesla infotainment system.

2016
Nissan LEAF app hacked.

2017
Comma.ai, by George Hotz, offers software and hardware for car hacking.

2018
Keen Team:
"Experimental Security Assessment of BMW Cars".

2020
Keen Team:
"Exploiting Wi-Fi Stack on Tesla Model S".
Comma.ai shows a MITM on the FlexRay bus of an Audi.

Keen Team:
"Experimental Security Assessment on Lexus Cars" (unreleased).

Horizon Security Automotive Security Services

Horizon Security performs comprehensive security analyses of the hardware and the software hosted on a modern automobile:

Automotive domain segregation review

A proper segregation between automotive domains is fundamental to correctly segregate the traffic flowing from one component to another.
Horizon Security performs a high-level review of the interconnections between the different automotive domains, helping to focus the assessment on the high-risk components.

Infotainment domain testing

Generally, infotainment systems are not safety critical but are often tightly connected with other domains. There is a consistent remote attack surface next to very different physical ones, since infotainment systems typically offer multiple external media connections: Bluetooth support, different interactions with the end user's mobile phone or mobile applications and sometimes an internal Wi-Fi connection provided by a hotspot within the vehicle.
These systems are directly connected with other components and probably offer the most easily accessible attack surface.

Telematics domain testing

The telematics domain typically offers an assortment of remote attack surfaces; by exploiting bugs in telematics, an attacker may be able to remotely cross domain boundaries, possibly gaining control of components in different domains. It is certainly the most interconnected sub-system, and probably the one that most readily allows a pivot between domains.
Car makers offer different proprietary remote services on top of this domain, and these should be analyzed as well.

Environment control domain testing

It is sometimes possible to eavesdrop on the communications of wireless in-car sensor networks. Some systems do not even perform basic input validation, and it may be possible to remotely spoof their messages.
As a result, vehicles may be tracked, fake warning messages may be triggered, or the vehicle's safety may be strongly impacted, depending on the specific implementation of the components and their interconnection with other domains.

End-user exposed interface testing

Testing of the interfaces exposed to end users, such as OBD-II ports but also USB (which sometimes hides Ethernet support) or the interfaces available for diagnostics and maintenance, is crucial to understand the real attack surface of your vehicle. Taking the attacker's perspective, Horizon Security reviews the interfaces accessible to end users in order to ensure a complete understanding of the whole reachable attack surface.

Automotive hardware reverse engineering

Reverse engineering of automotive embedded systems with the usual hardware-hacking approach:
part number enumeration, enumeration of debug interfaces such as JTAG, and attempts at firmware extraction/modification.

Wireless/RF security review

From the security of the standard internal Wi-Fi hotspot to complex passive entry systems or custom RF sensor protocols, there is a wide spectrum of frequencies employed in a modern automotive system. Through plain analysis or reverse engineering of the underlying protocols and encryption mechanisms, Horizon Security can assess their resilience to typical and specialized attacks.