Extending AUTOSAR\u27s Counter-based Solution for Freshness of Authenticated Messages in Vehicles

Nowadays vehicles have an internal network consisting of more than 100 microcontrollers, so-called Electronic Control Units (ECUs), which control core functionalities, active safety, diagnostics, comfort and infotainment. The Controller Area Network (CAN) bus is one of the most widespread bus technologies in use, and thus is a primary target for attackers. AUTOSAR, an open system platform for vehicles, introduced in version 4.3 SecOC Profile 3, a counter-based solution to provide freshness in authenticated messages to protect the system against replay attacks. In this paper, we analyse and assess this method regarding safety constraints and usability, and discuss design considerations when implementing such a system. Furthermore, we propose a novel security profile addressing the identified deficiencies which allows faster resynchronisation when only truncated counter values are transmitted. Finally, we evaluate our solution in an experimental setup in regard to communication overhead and time to synchronise the freshness counter

An Extended Survey on Vehicle Security

The advanced electronic units with wireless capabilities inside modern vehicles have, enhanced the driving experience, but also introduced a myriad of security problems due to the inherent limitations of the internal communication protocol. In the last two decades, a number of security threats have been identified and accordingly, security measures have been proposed. In this paper, we provide a comprehensive review of security threats and countermeasures for the ubiquitous CAN bus communication protocol. Our review of the existing literature leads us to a observation of an overlooked simple, cost-effective, and incrementally deployable solution. Essentially, a reverse firewall, referred to in this paper as an icewall, can be an effective defense against a major class of packet-injection attacks and many denial of service attacks. We cover the fundamentals of the icewall in this paper. Further, by introducing the notion of human-in-the-loop, we discuss the subtle implications to its security when a human driver is accounted for

Towards a Standardised Framework for Securing Connected Vehicles

Vehicular security was long limited to physical security - to prevent theft. However, the trend of adding more comfort functions and delegating advanced driving tasks back to the vehicle increased the magnitude of attacks, making cybersecurity inevitable. Attackers only need to find one vulnerability in the myriad of electronic control units (ECUs) and communication technologies used in a vehicle to compromise its functions. Vehicles might also be attacked by the owners, who want to modify or even disable certain vehicle functions.Many different parties are involved in the development of such a complex system as the functions are distributed over more than 100 ECUs, making it difficult to get an overall picture of the achieved security. Therefore, moving towards a standardised security framework tailored for the automotive domain is necessary.In this thesis we study various safety and security standards and proposed frameworks from different industrial domains with respect to their way of classifying demands in the form of levels and their methods to derive requirements. In our proposed framework, we suggest security levels appropriate for automotive systems and continue with a mapping between these security levels and identified security mechanisms and design rules to provide basic security. We further study in detail a mechanism which provides freshness to authenticated messages, namely AUTOSAR SecOC Profile 3, and present a novel extension that offers a faster synchronisation between ECUs and reduces the number of required messages for synchronisation

Securing SOME/IP for In-Vehicle Service Protection

Although high-speed in-vehicle networks are being increasingly adopted by the industry to support emerging use cases, previous research already demonstrated that car hacking is a real threat. This paper formalizes a novel framework proposed to provide improved security to the emerging SOME/IP middleware, without introducing at the same time limitations in the communication patterns available. Most notably, the entire traffic matrix is designed to be configured using simple high-level rules, clearly stating who can talk to whom according to the service abstraction adopted by SOME/IP. Three incremental security levels are made available, accounting for different services being associated with different requirements. The core security protocol, encompassing a session establishment phase followed by the transmission of secured SOME/IP messages, has been formally verified, to prove its correctness in terms of authentication and secrecy properties. Performance-wise, in-depth experimental evaluations conducted with an extended version of vsomeip confirmed the introduction of quite limited penalties compared to the bare unsecured implementation

Lightweight Authentication for Low-End Control Units with Hardware Based Individual Keys*

With increasing autonomous features of vehicles, key issues of robotic- and automotive engineering converge toward each other. Closing existing security gaps of device communication networks will be an enabling feature for connecting autonomously interacting systems in a more secure way. We introduce a novel approach for deriving a secret key using a lightweight cipher in the firmware of a low-end control unit. In this approach, we propose to use a non-standardized lightweight algorithm with unique hardware based parameters to prevent duplicate key generation. The randomness of the selected cipher was assessed by applying the NIST statistical test suite to produced key values. By evaluating the method on a typical low-end automotive platform, we could demonstrate the realistic applicability of the solution. The proposed method counteracts a known security issue in device communication between control units not only present in automotive solutions but also in the robotics domain. The security of the implemented solution has been compared to current automotive guidelines and recommendations for the security of resource constrained devices, also present in robotics. This approach allows low-end communication systems to be enhanced by message- and device authentication

Automotive Communication Security Methods and Recommendations for Securing In-vehicle and V2X Communications

Today’s vehicles contain approximately more than 100 interconnected computers (ECUs), several of which will be connected to the Internet or external devices and networks around the vehicle. In the near future vehicles will extensively communicate with their environment via Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I), together called V2X communications. Such level of connectivity enables car manufacturers to implement new entertainment systems and to provide safety features to decrease the number of road accidents. Moreover, authorities can deploy the traffic information provided by vehicular communications to improve the traffic management. Despite the great benefits that comes with vehicular communications, there are also risks associated with exposing a safety-critical integrated system to external networks. It has already been proved that vehicles can be remotely hacked and the safety critical functions such as braking system and steering wheel can be compromised to endanger the safety of passengers. This putshigh demands on IT security and car manufacturers to secure vehicular communications. This thesis proposes methods and recommendations for improving the security of internal and external vehicular communications.The main contributions of this thesis are contained in six included papers, and cover the following research areas of automotive security: (i) secure network architecture design, (ii) attack protection, (iii) attack detection, and (iv) V2X security. The first two papers in the collection are on the topic of secure network architecture design and propose an automated approach for grouping in-vehicle ECUs into security domains which facilitate the implementation of security measures in in-vehicle networks. The third paper is on the topic of attack protection and evaluates the applicability of existing Controller Area Network (CAN) bus authentication solutions to a vehicular context. In particular, this paper identifies five critical requirements for an authentication solution to be used in such a context. The fourth paper deals with the issue of attack detection in in-vehicle networks and proposes a specification agnostic method for detecting intrusion in vehicles. The fifth paper identifies weaknesses or deficiencies in the design of the ETSI V2X security standard and proposes changes to fix the identified weaknesses or deficiencies. The last paper investigates the security implications of adopting 5G New Radio (NR) for V2X communications

Securing the in-vehicle network

Recent research into automotive security has shown that once a single electronic vehicle component is compromised, it is possible to take control of the vehicle. These components, called Electronic Control Units, are embedded systems which manage a significant part of the functionality of a modern car. They communicate with each other via the in-vehicle network, known as the Controller Area Network, which is the most widely used automotive bus. In this thesis, we introduce a series of novel proposals to improve the security of both the Controller Area Network bus and the Electronic Control Units. The Controller Area Network suffers from a number of shortfalls, one of which is the lack of source authentication. We propose a protocol that mitigates this fundamental shortcoming in the Controller Area Network bus design, and protects against a number of high profile media attacks that have been published. We derive a set of desirable security and compatibility properties which an authentication protocol for the Controller Area Network bus should possess. We evaluate our protocol, along with other proposed protocols in the literature, with respect to the defined properties. Our systematic analysis of the protocols allows the automotive industry to make an informed choice regarding the adoption suitability of these solutions. However, it is not only the communication of Electronic Control Units that needs to be secure, but the firmware running on them as well. The growing number of Electronic Control Units in a vehicle, together with their increasing complexity, prompts the need for automated tools to test their security. Part of the challenge in designing such a tool is the diversity of Electronic Control Unit architectures. To this end, this thesis presents a methodology for extracting the Control Flow Graph from the Electronic Control Unit firmware. The Control Flow Graph is a platform independent representation of the firmware control flow, allowing us to abstract from the underlying architecture. We present a fuzzer for Electronic Control Unit firmware fuzz-testing via Controller Area Network. The extracted Control Flow Graph is tagged with static data used in instructions which influence the control flow of the firmware. It is then used to create a set of input seeds for the fuzzer, and in altering the inputs during the fuzzing process. This approach represents a step towards an efficient fuzzing methodology for Electronic Control Units. To our knowledge, this is the first proposal that uses static analysis to guide the fuzzing of Electronic Control Units