Abstract

As automotive security concerns are rising, the Controller Area Network (CAN) — the de facto standard of in-vehicle communication protocol — has come under scrutiny due to its lack of encryption and authentication. Several vulnerabilities, such as eavesdropping, spoofing, and replay attacks, have shown that the current implementation needs to be extended. Both academic and commercial solutions for a Secure CAN (S-CAN) have been proposed, but OEMs have not yet integrated them into their products. The main reasons for this lack of adoption are their heavy use of limited computational resources in the vehicle, increased latency that can lead to missed deadlines for safety-critical messages, as well as insufficient space available in a CAN frame to include a Message Authentication Code (MAC). By making a trade-off between security and performance, we develop S2-CAN, which overcomes the aforementioned problems of S-CAN. We leverage protocol-specific properties of CAN instead of using cryptographic primitives and design a “sufficiently secure” alternative CAN with minimal overhead on resources and latency. We evaluate the security of S2-CAN in four real-world vehicles by an automated vehicular attack tool.We finally show that CAN security can be guaranteed by the correct choice of a design parameter while achieving acceptable performance.

Abstract

Vehicular data-collection platforms as part of Original Equipment Manufacturers’ (OEMs’) connected telematics services are on the rise in order to provide diverse connected services to the users. They also allow the collected data to be shared with third-parties upon users’ permission. Under the current suggested permission model, we find these platforms leaking users’ location information without explicitly obtaining users’ permission. We analyze the accuracy of inferring a vehicle’s location from seemingly benign steering wheel angle (SWA) traces, and show its impact on the driver’s location privacy. By collecting and processing real-life SWA traces, we can infer the users’ exact traveled routes with up to 71% accuracy, which is much higher than the state-of-the-art.

Abstract

Modern Connected and Autonomous Vehicles (CAVs) are equipped with an increasing number of Electronic Control Units (ECUs), many of which produce large amounts of data. Data is exchanged between ECUs via an in-vehicle network, with the Controller Area Network (CAN) bus being the de facto standard in contemporary vehicles. Furthermore, CAVs have not only physical interfaces but also increased data connectivity to the Internet via their Telematic Control Units (TCUs), enabling remote access via mobile devices. It is also possible to tap into, and read/write data from/to the CAN bus, as data transmitted on the CAN bus is not encrypted. This naturally generates concerns about automotive cybersecurity. One commonality among most vehicular security attacks reported to date is that they ultimately require write access to the CAN bus. In order to cause targeted and intentional changes in vehicle behavior, malicious CAN injection attacks require knowledge of the CAN message format. However, since this format is proprietary to OEMs and can differ even among different models of a single make of vehicle, one must manually reverse-engineer the CAN message format of each vehicle they target — a time-consuming and tedious process that does not scale. To mitigate this difficulty, we develop LibreCAN, which can translate most CAN messages with minimal effort. Our extensive evaluation on multiple vehicles demonstrates LibreCAN’s efficiency in terms of accuracy, coverage, required manual effort and scalability to any vehicle.

Abstract

Privacy has been a rising concern. The European Union has established a privacy standard called General Data Protection Regulation (GDPR) in May 2018. Furthermore, the Facebook-Cambridge Analytica data incident made headlines in March 2018. Data collection from vehicles by OEM platforms is increasingly popular and may offer OEMs new business models but it comes with the risk of privacy leakages. Vehicular sensor data shared with third-parties can lead to misuse of the requested data for other purposes than stated/intended. There exists a relevant regulation document introduced by the Alliance of Automobile Manufacturers (“Auto Alliance”), which classifies the vehicular sensors used for data collection as covered and non-sensitive parameters.
This paper reviews existing privacy standards as well as ongoing efforts in the automotive domain, and surveys the landscape of automotive privacy-related attacks which can be classified into three categories: driver fingerprinting, location inferencing and driving-behavior analysis. These three categories are derived from the aforementioned guidelines of covered information. Based on this survey, we define a Privacy Score (PS), quantifying the risk associated with each vehicular sensor. Sensors contributing to multiple privacy attacks will be assigned a higher PS. Furthermore, combinations of sensors used in privacy attacks must be considered and assessed in the PS metric as some attacks cannot be mounted using a single independent sensor alone.

Abstract

Due to the growth of intelligent and self-driving vehicles, there are a multitude of data-driven applications such as user monitoring or traffic modeling and control. Each application often uses its own data-collection platform, leading to a scattered landscape of solutions for vehicular data-driven research and app development. We propose CarLab, a flexible and open vehicular data-collection platform which unifies this landscape of vehicular data-driven research and app development.
In this paper, we survey the field of vehicular data collection, describe the system architecture of CarLab and related research issues.

Abstract

This paper describes a method and framework to detect manipulations in automotive control systems. As the automotive industry is shifting towards employing software-based solutions, the incentives for attackers to manipulate automotive systems. The boundary where the cyber and physical world interface is particularly sensitive for security and safety. Manipulations in the computer system might have an uncontrollable impact in the physical environment and could lead to potentially dangerous situations.
This paper presents a context-aware intrusion detection system (CAID) framework capable to recognize manipulations of the physical system using cyber means. CAID uses sensor information to establish reference models of the physical system and then checks correctness of current sensor data against the reference models. Thereby, it establishes the notion of plausibility of a controller’s operation. CAID augments today’s cyber physical intrusion detection systems (IDS) by adding a physical model to the detection engine. The CAID framework has been evaluated in a vehicular setup using test vehicle. Telemetry data has been collected from a test vehicle that has then been chip-tuned with a commercially available chip-tuning tool to obtain manipulated data. CAID was able to recognize the chip tuning with a very high probability using an unsupervised Artificial Neural Network (ANN). This proof-of-concept could be the starting point to enhance current automotive IDS using the CAID framework in order to detect future automotive attacks to safety-critical systems.

Abstract

The automotive industry experiences a major change as vehicles are gradually becoming a part of the Internet. Security concepts based on the closed-world assumption cannot be deployed anymore due to a constantly changing adversary model. Automotive Ethernet as future in-vehicle network and a new E/E Architecture have different security requirements than Ethernet known from traditional IT and legacy systems. In order to achieve a high level of security, a new multi-layer approach in the vehicle which responds to special automotive requirements has to be introduced. One essential layer of this holistic security concept is to restrict non-authorized access by the deployment of embedded firewalls.
This paper addresses the introduction of automotive firewalls into the next-generation domain architecture with a focus on partitioning of its features in hardware and software. Based on the deployment of the firewall in the in-vehicle network, the corresponding adversary model and automotive requirements such as latency, jitter, CPU load and memory consumption are going to be discussed. Drivers behind these metrics are primarily safety concerns and cost and thus are relevant for both OEMs and hardware manufacturers. As a result, a reasonable implementation of an automotive firewall system has to be a trade-off between hardware and software in order to meet the above-named automotive requirements. We implemented the firewall on an Infineon AURIX TriCore and Altera Cyclone V FPGA to analyze these metrics. The paper shows the options and decision points to find an optimal partitioning between hardware and software for an automotive embedded firewall system.