An Extended Survey on Vehicle Security

The advanced electronic units with wireless capabilities inside modern vehicles have, enhanced the driving experience, but also introduced a myriad of security problems due to the inherent limitations of the internal communication protocol. In the last two decades, a number of security threats have been identified and accordingly, security measures have been proposed. In this paper, we provide a comprehensive review of security threats and countermeasures for the ubiquitous CAN bus communication protocol. Our review of the existing literature leads us to a observation of an overlooked simple, cost-effective, and incrementally deployable solution. Essentially, a reverse firewall, referred to in this paper as an icewall, can be an effective defense against a major class of packet-injection attacks and many denial of service attacks. We cover the fundamentals of the icewall in this paper. Further, by introducing the notion of human-in-the-loop, we discuss the subtle implications to its security when a human driver is accounted for

OTA updates mechanisms: a taxonomy and techniques catalog

The use of the Internet of Things (IoT) and Cyber-Physical Systems (CPS) in industry and daily life has increased. The embedded software of IoT systems requires updates over time for long-term maintainability, bug xes, and improvements. Developers and manufacturers design and implement OTA update systems in ad-hoc manners because there are no speci c standards and little empirical information about mechanisms. This article describes a systematic literature review to identify proposed OTA update mechanisms, and a taxonomy to orga- nize them for system designers. Academic and professional (grey) litera- ture was gathered from four information sources; 109 studies were found, of which 29 remained after applying inclusion and exclusion criteria; and they were recognized as belonging to six mechanisms (categories). Each technique was associated to a mechanism, yielding an (initial) catalog of OTA update techniques. This taxonomy and catalog can be used to design IoT and CPS applications that must include OTA update functionality.Sociedad Argentina de Informática e Investigación Operativ

Machine learning and blockchain technologies for cybersecurity in connected vehicles

Future connected and autonomous vehicles (CAVs) must be secured againstcyberattacks for their everyday functions on the road so that safety of passengersand vehicles can be ensured. This article presents a holistic review of cybersecurityattacks on sensors and threats regardingmulti-modal sensor fusion. A compre-hensive review of cyberattacks on intra-vehicle and inter-vehicle communicationsis presented afterward. Besides the analysis of conventional cybersecurity threatsand countermeasures for CAV systems,a detailed review of modern machinelearning, federated learning, and blockchain approach is also conducted to safe-guard CAVs. Machine learning and data mining-aided intrusion detection systemsand other countermeasures dealing with these challenges are elaborated at theend of the related section. In the last section, research challenges and future direc-tions are identified

Towards a centralized multicore automotive system

Today’s automotive systems are inundated with embedded electronics to host chassis, powertrain, infotainment, advanced driver assistance systems, and other modern vehicle functions. As many as 100 embedded microcontrollers execute hundreds of millions of lines of code in a single vehicle. To control the increasing complexity in vehicle electronics and services, automakers are planning to consolidate different on-board automotive functions as software tasks on centralized multicore hardware platforms. However, these vehicle software services have different and contrasting timing, safety, and security requirements. Existing vehicle operating systems are ill-equipped to provide all the required service guarantees on a single machine. A centralized automotive system aims to tackle this by assigning software tasks to multiple criticality domains or levels according to their consequences of failures, or international safety standards like ISO 26262. This research investigates several emerging challenges in time-critical systems for a centralized multicore automotive platform and proposes a novel vehicle operating system framework to address them. This thesis first introduces an integrated vehicle management system (VMS), called DriveOS™, for a PC-class multicore hardware platform. Its separation kernel design enables temporal and spatial isolation among critical and non-critical vehicle services in different domains on the same machine. Time- and safety-critical vehicle functions are implemented in a sandboxed Real-time Operating System (OS) domain, and non-critical software is developed in a sandboxed general-purpose OS (e.g., Linux, Android) domain. To leverage the advantages of model-driven vehicle function development, DriveOS provides a multi-domain application framework in Simulink. This thesis also presents a real-time task pipeline scheduling algorithm in multiprocessors for communication between connected vehicle services with end-to-end guarantees. The benefits and performance of the overall automotive system framework are demonstrated with hardware-in-the-loop testing using real-world applications, car datasets and simulated benchmarks, and with an early-stage deployment in a production-grade luxury electric vehicle

Securing CAN-Based Cyber-Physical Systems

With the exponential growth of cyber-physical systems (CPSs), new security challenges have emerged. Various vulnerabilities, threats, attacks, and controls have been introduced for the new generation of CPS. However, there lacks a systematic review of the CPS security literature. In particular, the heterogeneity of CPS components and the diversity of CPS systems have made it difficult to study the problem with one generalized model. As the first component of this dissertation, existing research on CPS security is studied and systematized under a unified framework. Smart cars, as a CPS application, were further explored under the proposed framework and new attacks are identified and addressed. The Control Area Network (CAN bus) is a prevalent serial communication protocol adopted in industrial CPS, especially in small and large vehicles, ships, planes, and even in drones, radar systems, and submarines. Unfortunately, the CAN bus was designed without any security considerations. We then propose and demonstrate a stealthy targeted Denial of Service (DoS) attack against CAN. Experimentation shows that the attack is effective and superior to attacks of the same category due to its stealthiness and ability to avoid detection from current countermeasures. Two controls are proposed to defend against various spoofing and DoS attacks on CAN. The first one aims to minimize the attack using a mechanism called ID-Hopping so that CAN arbitration IDs are randomized so an attacker would not be able to target them. ID-Hopping raises the bar for attackers by randomizing the expected patterns in a CAN network. Such randomization hinders an attacker’s ability to launch targeted DoS attacks. Based on the evaluation on the testbed, the randomization mechanism, ID-Hopping, holds a promising solution for targeted DoS, and reverse engineering CAN IDs, and which CAN networks are most vulnerable. The second countermeasure is a novel CAN firewall that aims to prevent an attacker from launching a plethora of nontraditional attacks on CAN that existing solutions do not adequately address. The firewall is placed between a potential attacker’s node and the rest of the CAN bus. Traffic is controlled bi-directionally between the main bus and the attacker’s side so that only benign traffic can pass to the main bus. This ensures that an attacker cannot arbitrarily inject malicious traffic into the main bus. Demonstration and evaluation of the attack and firewall were conducted by a bit-level analysis, i.e., “Bit banging”, of CAN’s traffic. Results show that the firewall successfully prevents the stealthy targeted DoS attack, as well as, other recent attacks. To evaluate the proposed attack and firewall, a testbed was built that consisted of BeagleBone Black and STM32 Nucleo- 144 microcontrollers to simulate real CAN traffic. Finally, a design of an Intrusion Detection System (IDS) was proposed to complement the firewall. It utilized the proposed firewall to add situational awareness capabilities to the bus’s security posture and detect and react to attacks that might bypass the firewall based on certain rules

Demystifying Internet of Things Security

Break down the misconceptions of the Internet of Things by examining the different security building blocks available in Intel Architecture (IA) based IoT platforms. This open access book reviews the threat pyramid, secure boot, chain of trust, and the SW stack leading up to defense-in-depth. The IoT presents unique challenges in implementing security and Intel has both CPU and Isolated Security Engine capabilities to simplify it. This book explores the challenges to secure these devices to make them immune to different threats originating from within and outside the network. The requirements and robustness rules to protect the assets vary greatly and there is no single blanket solution approach to implement security. Demystifying Internet of Things Security provides clarity to industry professionals and provides and overview of different security solutions What You'll Learn Secure devices, immunizing them against different threats originating from inside and outside the network Gather an overview of the different security building blocks available in Intel Architecture (IA) based IoT platforms Understand the threat pyramid, secure boot, chain of trust, and the software stack leading up to defense-in-depth Who This Book Is For Strategists, developers, architects, and managers in the embedded and Internet of Things (IoT) space trying to understand and implement the security in the IoT devices/platforms

Design of a wireless monitoring system based on the ZigBee protocol for photovoltaic systems

This thesis was submitted for the degree of Master of Philosophy and awarded by Brunel University.This work deals with the possibility of using the promising technology of wireless sensor networks (WSN) in the field of photovoltaic (PV) plant supervising and monitoring. The knowledge of the status and good working condition of each PV module separately as well as of any component of the PV system will guide in a more efficient way of power management. This work will concentrate on monitoring and controlling as well as healthy operation control of PV panels separately. Data logging will be also available and can be used for reference or statistical purposes. The nature of wireless sensor networks (WSN) offers several advantages on monitoring and controlling applications over other traditional technologies including self-healing, self-organization, and flexibility. The versatility, ease of use, and reliability of a mesh network topology offered by the ZigBee technology that is based on the IEEE 802.15.4 standard, are used in this work to offer the maximum of its capabilities on the system being presented. A set of sensors attached on each PV panel are connected to a wireless ZigBee module. Each PV panel has its own ZigBee device located at its back side. All ZigBee devices forms a network with all the necessary devices of the ZigBee protocol included, such as end devises (RFD), a router (FFD), and a coordinator (COO). An extra ZigBee device might optionally be used to serve the whole system as an Ethernet gateway for making the system able to be connected to the internet. The factors that are being monitored are the panel‟s temperature, the output voltage, and output current. At the router device that operates as a parent for all the end devices, extra monitored factors are the air dust concentration, current irradiance and also the angle of the PV array (in the case of tracking system use).Two controlling outputs (relays) are located at the router device offering the capability of controlling the motors or the actuators of a tracking system

Novel Validation Techniques for Autonomous Vehicles

The automotive industry is facing challenges in producing electrical, connected, and autonomous vehicles. Even if these challenges are, from a technical point of view, independent from each other, the market and regulatory bodies require them to be developed and integrated simultaneously. The development of autonomous vehicles implies the development of highly dependable systems. This is a multidisciplinary activity involving knowledge from robotics, computer science, electrical and mechanical engineering, psychology, social studies, and ethics. Nowadays, many Advanced Driver Assistance Systems (ADAS), like Emergency Braking System, Lane Keep Assistant, and Park Assist, are available. Newer luxury cars can drive by themselves on highways or park automatically, but the end goal is to develop completely autonomous driving vehicles, able to go by themselves, without needing human interventions in any situation. The more vehicles become autonomous, the greater the difficulty in keeping them reliable. It enhances the challenges in terms of development processes since their misbehaviors can lead to catastrophic consequences and, differently from the past, there is no more a human driver to mitigate the effects of erroneous behaviors. Primary threats to dependability come from three sources: misuse from the drivers, design systematic errors, and random hardware failures. These safety threats are addressed under various aspects, considering the particular type of item to be designed. In particular, for the sake of this work, we analyze those related to Functional Safety (FuSa), viewed as the ability of a system to react on time and in the proper way to the external environment. From the technological point of view, these behaviors are implemented by electrical and electronic items. Various standards to achieve FuSa have been released over the years. The first, released in 1998, was the IEC 61508. Its last version is the one released in 2010. This standard defines mainly: • a Functional Safety Management System (FSMS); • methods to determine a Safety Integrated Level (SIL); • methods to determine the probability of failures. To adapt the IEC61508 to the automotive industry’s peculiarity, a newer standard, the ISO26262, was released in 2011 then updated in 2018. This standard provides guidelines about FSMS, called in this case Safety Lifecycle, describing how to develop software and hardware components suitable for functional safety. It also provides a different way to compute the SIL, called in this case Automotive SIL (ASIL), allowing us to consider the average driver’s abilities to control the vehicle in case of failures. Moreover, it describes a way to determine the probability of random hardware failures through Failure Mode, Effects, and Diagnostic Analysis (FMEDA). This dissertation contains contributions to three topics: • random hardware failures mitigation; • improvementoftheISO26262HazardAnalysisandRiskAssessment(HARA); • real-time verification of the embedded software. As the main contribution of this dissertation, I address the safety threats due to random hardware failures (RHFs). For this purpose, I propose a novel simulation-based approach to aid the Failure Mode, Effects, and Diagnostic Analysis (FMEDA) required by the ISO26262 standard. Thanks to a SPICE-level model of the item, and the adoption of fault injection techniques, it is possible to simulate its behaviors obtaining useful information to classify the various failure modes. The proposed approach evolved from a mere simulation of the item, allowing only an item-level failure mode classification up to a vehicle-level analysis. The propagation of the failure modes’ effects on the whole vehicle enables us to assess the impacts on the vehicle’s drivability, improving the quality of the classifications. It can be advantageous where it is difficult to predict how the item-level misbehaviors propagate to the vehicle level, as in the case of a virtual differential gear or the mobility system of a robot. It has been chosen since it can be considered similar to the novel light vehicles, such as electric scooters, that are becoming more and more popular. Moreover, my research group has complete access to its design since it is realized by our university’s DIANA students’ team. When a SPICE-level simulation is too long to be performed, or it is not possible to develop a complete model of the item due to intellectual property protection rules, it is possible to aid this process through behavioral models of the item. A simulation of this kind has been performed on a mobile robotic system. Behavioral models of the electronic components were used, alongside mechanical simulations, to assess the software failure mitigation capabilities. Another contribution has been obtained by modifying the main one. The idea was to make it possible to aid also the Hazard Analysis and Risk Assessment (HARA). This assessment is performed during the concept phase, so before starting to design the item implementation. Its goal is to determine the hazards involved in the item functionality and their associated levels of risk. The end goal of this phase is a list of safety goals. For each one of these safety goals, an ASIL has to be determined. Since HARA relies only on designers expertise and knowledge, it lacks in objectivity and repeatability. Thanks to the simulation results, it is possible to predict the effects of the failures on the vehicle’s drivability, allowing us to improve the severity and controllability assessment, thus improving the objectivity. Moreover, since simulation conditions can be stored, it is possible, at any time, to recheck the results and to add new scenarios, improving the repeatability. The third group of contributions is about the real-time verification of embedded software. Through Hardware-In-the-Loop (HIL), a software integration verification has been performed to test a fundamental automotive component, mixed-criticality applications, and multi-agent robots. The first of these contributions is about real-time tests on Body Control Modules (BCM). These modules manage various electronic accessories in the vehicle’s body, like power windows and mirrors, air conditioning, immobilizer, central locking. The main characteristics of BCMs are the communications with other embedded computers via the car’s vehicle bus (Controller Area Network) and to have a high number (hundreds) of low-speed I/Os. As the second contribution, I propose a methodology to assess the error recovery system’s effects on mixed-criticality applications regarding deadline misses. The system runs two tasks: a critical airplane longitudinal control and a non-critical image compression algorithm. I start by presenting the approach on a benchmark application containing an instrumented bug into the lower criticality task; then, we improved it by injecting random errors inside the lower criticality task’s memory space through a debugger. In the latter case, thanks to the HIL, it is possible to pause the time domain simulation when the debugger operates and resume it once the injection is complete. In this way, it is possible to interact with the target without interfering with the simulation results, combining a full control of the target with an accurate time-domain assessment. The last contribution of this third group is about a methodology to verify, on multi-agent robots, the synchronization between two agents in charge to move the end effector of a delta robot: the correct position and speed of the end effector at any time is strongly affected by a loss of synchronization. The last two contributions may seem unrelated to the automotive industry, but interest in these applications is gaining. Mixed-criticality systems allow reducing the number of ECUs inside cars (for cost reduction), while the multi-agent approach is helpful to improve the cooperation of the connected cars with respect to other vehicles and the infrastructure. The fourth contribution, contained in the appendix, is about a machine learning application to improve the social acceptance of autonomous vehicles. The idea is to improve the comfort of the passengers by recognizing their emotions. I started with the idea to modify the vehicle’s driving style based on a real-time emotions recognition system but, due to the difficulties of performing such operations in an experimental setup, I move to analyze them offline. The emotions are determined on volunteers’ facial expressions recorded while viewing 3D representa- tions showing different calibrations. Thanks to the passengers’ emotional responses, it is possible to choose the better calibration from the comfort point of view