Skip to content

Automotive Cybersecurity: the Future of Autonomous Vehicles

QAC Automotive and Robotics (QAaR) Quality Assurance

This monthly newsletter will focus on QAC’s activities regarding Automotive and Robotics Quality Assurance Services.

FOCUSED ON THE FUTURE

Leading the way
 
Welcome to the eighth edition of the QAaR newsletter. In this edition, we’ll be sharing a bit of the state-of-the-art of automotive cybersecurity. We want to present some more details about the challenges and threats that a cybersecurity attack might present to the automotive domain and how quality assurance is crucial to address those issues.
Welcome to our 6th edition of our Automotive and Robotics Quality Assurance Newsletter

Keeping you informed

 

Our automotive and robotics quality assurance workstreams

Research and Grant Projects
Grant budgets allow for research and development of new technologies that position QAC to become a world leader in quality assurance services.
AQS (Automotive Quality Services)
Testing and Quality Assurance services exclusively developed for Automotive and Autonomous Road vehicles.
RQS (Robotic Quality Services)
Testing and Quality Assurance services exclusively developed for Robotics and Autonomous small vehicles.
Safety and Cybersecurity
Focus on developing services that adhere to ISO’s compliance verification testing automation Cybersecurity, and Connectivity standards.

Automotive cybersecurity: the future of autonomous vehicles

The current advancement in Connected Autonomous Vehicles (CAVs) made the safety and security of these vehicles a key factor for manufacturers as any malfunction or attack could lead to severe consequences for the driver, passengers, or others outside of the vehicle. There are several types of cyber attacks frequently performed to automotive vehicles, which can be classified according to their types and entry points. Thus, in this newsletter, we will talk about some of the attack types and targeted attack entry points we have in CAVs.

Entry Point Levels of cyber attacks in automotive domain

Cybersecurity for Automotive is related to the protection of its electronic systems, communication networks, algorithms, software, hardware, and data. So, it’s pretty much everything in the car and the objective is to guard against malicious attacks, unauthorized access, and any unwanted manipulation. There are different entry points for attackers in CAVs which can be classified in 6 levels numbering these levels from 0 to 5.

CYBER ATTACK ENTRY POINT LEVELS
  • Level 0: Sensor interaction and driver interaction
  • Level 1: Controls
  • Level 2: Interfaces
  • Level 3: Applications
  • Level 4: Communication channels
  • Level 5: Cloack and dagger
Level 0: It involves interactions between sensors and drivers. Some example potential entry points are communication interfaces, debug interfaces, memory chips, etc. Also, the physical equipment making up the car itself such as the car doors, windows, trunk, and so on are within the scope of level 0.

Level 1: It looks at controls such as those in drive control, process control, safety controls, etc. for this level, Door control, light control, climate control, Anti-lock Braking System (ABS), Supplemental Restraint System (SRS), and Emergency Brake Assist (EBA) are some example of potential entry points.

Level 2: It looks at interfaces such as the infotainment system which communicates with levels 0-1). They could be third-party applications such as Apple’s Carplay and Android auto are the main entry points. The infotainment system could also provide direct access to CAN bus which makes it vulnerable to attacks.

Level 3: It assesses applications on both mobile and infotainment system interfaces. Some potential entry points we can mention are peripherals and connected devices such as rear-seat entertainment (open up android hacks for instance).

Level 4: Technologies that leverage communication channels such as those found in wireless entry points belong to this level. Attackers in this level look at onboard Wifi within the car, GPS, LIDAR, RADAR, and other network communication capacities as the entry points.

Level 5: Attacks and entry points in this level fall under the cloak and dagger methodology which dealing with mismatched permission issues to access certain features on the Android devices.

Every mentioned level as the potential entry point is subjected to different types of attacks such as Physical, Network, Sensors, Software attacks, etc. In this newsletter, we only cover the first two types which are physical and network attacks.

Hackers use the vulnerabilities exist in some versions of Android devices, to launch undetectable attacks. Passwords and pins, and all permissions could be captured to leave behind almost no traceable attack.

Cyber attacks

Physical attacks usually include hardware modification, node replication, physical damage, and side channels attacks. Hardware hacking and modification involves attacking the physical infrastructure of a computer and occurs at the lowest level of the vehicle. Hardware hacking may be the result of replacing, removing, or replicating components of hardware systems within a car. Replication of the physical hardware itself is called node replication. It occurs when an attacker can harm the functionality of a network or communication device by injecting a clone, or replica into the environment. This type of attack may be done via a network where a car is considered a node. Attackers could damage vehicle components or even the vehicle itself in a physical damage attack scenario. Damaging headlights, locks, components that may be responsible for the power windows in a vehicle are just a few to mention here. Finally, there is one type of attack which is based on the information gained from the implementation of a computer system. A vehicle may be sold to a third party (such as registered dealer), so data may be wiped or left on components of the car, which could serve as potential information disclosure vulnerabilities, privacy, and sensitive user data.

CAVs have several communication network architectures with other entities which are FlexRay, Controller Area Network (CAN), Local Interconnect Network (LIN), and Ethernet. Real-time safety-critical applications are generally using FlexRay to establish communication. It is subjected to standard attacks such as spoofing where an attacker can create and inject requests.

Spoofing is defined as an email sent from a false sender address that asks the recipient to provide sensitive data. One of the most common attacks is the replacement of an authorized ECU program with unauthorized and malicious programs, connecting to the CAN bus using an unauthorized device. A malicious invasion may cause the Denial of Service (DoS) attack and create messages with ID 0, which are of the highest priority, which causes the CAN bus to become unusable.

LIN network is used to facilitate the intercommunication of the ECU, which is used to control lights, engines, air conditioning, steering wheels, seats, and doors. After CAN, it is the most subject to exploitation by malicious agents. Among the threats to LIN, the most frequent and common are Message Spoofing (criminals send messages with inaccurate information, so that vehicle communications are stopped), Response Collision (take advantage of the error-handling mechanism of the LIN), and Header Collision attacks (an attacker sends a fake header to collide with a legitimate header). Ethernet interfaces in CAVs interact similarly to the way Ethernet would react in a traditional computer network. It has a variety of attack vectors, from unused ports, MAC spoofing, and bandwidth abuse, to the more sophisticated, such as TCP hijacking, etc.

Currently, we are working with the Ontario Tech University to list out all security concerns and are collaborating with them to choose specific types of attacks to focus on and build a comprehensive cybersecurity testing framework for CAVs. More information will be provided in the next newsletters.

STAY TUNED

Coming next month
In our next edition, we will present research that the QAaR team has completed that highlights the exposures, and knowledge sharing of Connected and Autonomous vehicle cybersecurity threats and opportunities to use advanced QA techniques.

Our partners:

 
 

 

Recent thought leadership