11,176 research outputs found

    Towards a systematic security evaluation of the automotive Bluetooth interface

    In-cabin connectivity and its enabling technologies have increased dramatically in recent years. Security was not considered an essential property, a mind-set that has shifted significantly due to the appearance of demonstrated vulnerabilities in these connected vehicles. Connectivity allows the possibility that an external attacker may compromise the security - and therefore the safety - of the vehicle. Many exploits have already been demonstrated in literature. One of the most pervasive connective technologies is Bluetooth, a short-range wireless communication technology. Security issues with this technology are well-documented, albeit in other domains. A threat intelligence study was carried out to substantiate this motivation and finds that while the general trend is towards increasing (relative) security in automotive Bluetooth implementations, there is still significant technological lag when compared to more traditional computing systems. The main contribution of this thesis is a framework for the systematic security evaluation of the automotive Bluetooth interface from a black-box perspective (as technical specifications were loose or absent). Tests were performed through both the vehicle’s native connection and through Bluetooth-enabled aftermarket devices attached to the vehicle. This framework is supported through the use of attack trees and principles as outlined in the Penetration Testing Execution Standard. Furthermore, a proof-of-concept tool was developed to implement this framework in a semi-automated manner, to carry out testing on real-world vehicles. The tool also allows for severity classification of the results acquired, as outlined in the SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. Results of the severity classification are validated through domain expert review.
Finally, how formal methods could be integrated into the framework and tool to improve confidence and rigour, and to demonstrate how future iterations of design could be improved is also explored. In conclusion, there is a need for systematic security testing, based on the findings of the threat intelligence study. The systematic evaluation and the developed tool successfully found weaknesses in both the automotive Bluetooth interface and in the vehicle itself through Bluetooth-enabled aftermarket devices. Furthermore, the results of applying this framework provide a focus for counter-measure development and could be used as evidence in a security assurance case. The systematic evaluation framework also allows for formal methods to be introduced for added rigour and confidence. Demonstrations of how this might be performed (with case studies) were presented. Future recommendations include using this framework with more test vehicles and expanding on the existing attack trees that form the heart of the evaluation. Further work on the tool chain would also be desirable. This would enable further accuracy of any testing or modelling required, and would also take automation of the entire process further.

    A practical approach to cellular communications standards education

    The cellular communications industry is steadily growing and expanding to solve the needs of governments, businesses and communities. Standards are fundamental to enable cooperation while promoting competition. The companies involved contribute and agree on appropriate technical specifications to ensure diversity, compatibility and facilitate worldwide commercial deployment and evolution. The specifications of cellular communications standards are extensive, complex and intentionally incomplete to spur innovation and differentiation. This makes standards education a difficult endeavor, but it is highly demanded by the wireless industry. This paper describes a practical approach to teaching cellular communications standards. Our methodology leverages software-defined radio technology and uses the abstraction layer and operating environment (ALOE) to provide a practical learning environment that facilitates developing many of the needed technical and soft skills without the inherent difficulty and cost associated with radio frequency components and regulation. We define six learning stages that assimilate the standardization process and identify key learning objectives for each. We discuss our experiences when employing the proposed methodology at Barcelona Tech in Spain, compare the approach with an equivalent class at Virginia Tech in the US and make the following observations: (1) The complexity of standards needs to be abstracted and presented in a form suitable for a given class. (2) Educating about cellular communications standards is most effective when students are immersed in the process. (3) Hands-on activities need careful preparation and close guidance. Peer Reviewed. Postprint (published version)

    Audit Process during Projects for Development of New Mobile IT Application

    This paper presents characteristics of the computer audit process during software development life cycle focused on specific aspects of the mobile IT applications. There are highlighted specific features of the distributed informatics systems implemented in wireless environments as hardware components, wireless technologies, classes of wireless systems, specialized software for mobile IT applications, quality characteristics of the mobile IT applications, software development models and their specific stages and issues aspects of the computer audit during software development life cycle of the distributed informatics systems customized on mobile IT applications. In the computer audit process, tasks of the computer auditors and what controls they must implement are also presented. Keywords: Audit Process, Mobile IT Applications, Software Development Life Cycle, Project Management

    CYBEREDUCATION-BY-DESIGN™: DEVELOPING A FRAMEWORK FOR CYBERSECURITY EDUCATION AT SECONDARY EDUCATION INSTITUTIONS IN ARIZONA

    Most survey results agree that there is a current and ongoing shortage of skilled cybersecurity workers that places our privacy, infrastructure, and nation at risk. Estimates for the global Cybersecurity Workforce Gap range from 2.72 million (ISC2, 2021) to 3.5 million (Cyber Academy, 2021) for 2021 and the United States estimates range from 465,000 (Brooks, 2021) to over 769,000 (Cyber Seek, 2022) open jobs as of November 2022. The most optimistic estimates still demonstrate a critical issue. As cybersecurity threats continue to grow in sophistication, scope, and scale, the ability to secure the United States from these threats lies in the ability to develop cybersecurity professionals with the knowledge, skills, and abilities (KSAs) to accomplish the tasks associated with their cyber roles. The ability to supply qualified cybersecurity professionals is outpaced by the growing demand as previously outlined. This study proposes that conducting a case study of existing cybersecurity programs at secondary education institutions can identify the critical elements of these programs. These elements can be codified into program profiles and further refined into a comprehensive cybersecurity education framework for secondary education institutions. This framework can be used by school districts throughout Arizona to develop cybersecurity programs and ultimately develop qualified and competent cybersecurity professionals to overcome the cybersecurity workforce gap.

    Interim research assessment 2003-2005 - Computer Science

    This report primarily serves as a source of information for the 2007 Interim Research Assessment Committee for Computer Science at the three technical universities in the Netherlands. The report also provides information for others interested in our research activities.

    A Scoping Review of Technology and Infrastructure Needs in the Delivery of Virtual Hearing Aid Services

    Purpose: The digital health revolution has brought forward integral technological advancements enabling virtual care as a readily accessible delivery model. Despite this forward momentum, the field of audiology still faces barriers that impede the uptake of virtual services into routine clinical practice. The aim of this study was to gather, synthesize, and summarize the literature around virtual hearing aid intervention studies and the related technology and infrastructure requirements. Method: A scoping review was conducted using MEDLINE, CINAHL, Scopus, Nursing and Allied Health, and Web of Science databases. Objectives, inclusion criteria, and scoping review methods were specified in advance and documented in a protocol. Results: The 11 studies identified through this review related to virtual hearing aid services delivered by a licensed health care provider and/or facilitator(s) specific to hearing aid management, programming, verification, and validation services. Service delivery models varied according to patient population, technology experience, type(s) and time course of care, type of remote location, and technology/support requirements. Barriers and facilitators to implementation-related themes including technology access and function, client sociotechnical, convenience, education and training, interaction quality, service delivery, and technology innovation. Conclusions: This scoping review provides evidence around the technology and infrastructure required for full integration of virtual hearing aid services into practice and according to care type. Low-tech versus high-tech requirements may be used to guide virtual service delivery triaging efforts. Research and development efforts in the areas of pediatrics, clinical support tools, and hearing aid/app-based solutions will support further uptake of virtual service delivery in audiology.