Automotive Attack Surfaces
By Charlie Miller (Twitter: cmiller@openrce.org)
& Chris Valasek (IOActive: cvalasek@gmail.com)
Contents
Introduction
Anatomy of a Remote Attack
This paper
Remote Attacks not related to Automotive Networks
Author Notes
Remote Attack Surfaces of Automobiles
  Passive Anti-Theft System (PATS)
  Tire Pressure Monitoring System (TPMS)
  Remote Keyless Entry / Start (RKE)
  Bluetooth
  Radio Data System
  Telematics / Cellular / Wi-Fi
  Internet / Apps
Cyber-physical features
  Park assist
  Adaptive cruise control
  Collision prevention
  Lane keep assist
Evolution of Automotive Networks
Remote Survey
  Legend
  2014 Audi A8
    Diagram
  2014 Honda Accord LX (Sedan)
    Diagram
  2014 Infiniti Q50
    Diagram
  2010 Infiniti G37 (Sedan)
    Diagram
  2006 Infiniti G35 (Sedan)
    Diagram
  2014 Jeep Cherokee
    Diagram
  2014 Dodge Ram 3500
    Diagram
  2014 Chrysler 300
    Diagram
  2014 Dodge Viper
    Diagram
  2015 Cadillac Escalade AWD
    Diagram
  2006 Ford Fusion
    Diagram
  2014 Ford Fusion
    Diagram
  2014 BMW 3 Series (F30)
    Diagram
  2014 BMW X3 (F25)
    Diagram
  2014 BMW i12
    Diagram
  2014 Range Rover Evoque
    Diagram
  2010 Range Rover Sport
    Diagram
  2006 Range Rover Sport
    Diagram
  2014 Toyota Prius
    Diagram
  2010 Toyota Prius
    Diagram
  2006 Toyota Prius
    Diagram
Analysis of automotive networks
  Analysis
  Most Hackable
  Least Hackable
  C&C Car Ratings
Defending Against Remote Attacks
  Secure Remote Endpoints
  CAN Injection Mitigations
  Message Cryptography
  Network Architecture
  Attack Detection
Conclusions
References
Introduction
Modern automobiles consist of a number of different computer components, called Electronic Control Units (ECUs). Each automobile contains from 20-100 of these devices, with each ECU being responsible for one or more particular features of the vehicle. For example, there is an ECU for seatbelt tightening, one for monitoring the steering wheel angle, one to measure if a passenger is in the car, one to control the ABS system, and so on. These ECUs need to pass data to one another so they can make decisions on how to act. For example, an ECU may act differently depending on if the car is in drive or reverse or whether it is moving or stationary.
Some ECUs also communicate with the outside world as well as the internal vehicle network. These ECUs pose the biggest risk to the manufacturer, passenger, and vehicle. The options available to attackers will be influenced by the different remote endpoints offered, the topology of the vehicular network, as well as safety features programmed into the various ECUs under consideration. This paper attempts to analyze numerous automobiles varying in production year to show how remote attack surfaces have evolved with time and to try to quantify the difficulty of a remote attack for a variety of different automobiles. This analysis will include how large the remote attack surface is, how segmented the ECUs which have physical control of the automobile are from those accepting external input, and the features present in the automobile which allow computers to physically control it. Additionally, this paper recommends defensive strategies including an IDS-type system to detect and prevent these types of attacks.
Anatomy of a Remote Attack
Safety-critical attacks against modern automobiles generally require three stages. The first stage consists of an attacker remotely gaining access to an internal automotive network. This will allow the attacker to inject messages into the car's networks, directly or indirectly controlling the desired ECU. You can imagine such an attack occurring by sending some kind of wireless signal and compromising a listening ECU, subsequently injecting code. Researchers from the University of Washington and the University of California San Diego were able to get remote code execution on a telematics unit of a vehicle by exploiting a vulnerability in the Bluetooth stack of an ECU and separately compromising a cellular modem [3]. Depending on the desires of the attacker, this might be the end of the attack; for example, the compromised ECU may control a microphone used to eavesdrop on the vehicle.
Cyber-physical attacks (attacks that result in physical control of various aspects of the automobile), on the other hand, will require interaction with other ECUs. It is difficult to measure how susceptible a particular vehicle is to remote attacks since it depends on the presence (or absence) of vulnerabilities. What we can measure (and do measure in this paper) is the attack surface of each vehicle, and we use this information as a proxy to estimate susceptibility to the first stage of remote attack.
The compromised ECU mentioned in the first stage typically cannot directly control safety-critical features of a vehicle. This ECU's job is typically only related to receiving and processing radio signals. Therefore, a cyber-physical attack usually requires a second step which involves injecting messages onto the internal automotive network in an attempt to communicate with safety-critical ECUs, such as those responsible for steering, braking, and acceleration.
In some vehicles, this may be trivial, but in many designs, the ECU which was compromised remotely will not be able to directly send messages to these safety-critical ECUs. In this case, the attacker will have to somehow get messages bridged from the network of the compromised ECU to the network where the target ECU lives.
This might require tricking the gateway ECU or compromising it outright. The academic researchers mentioned above demonstrated a way to compromise the bridge ECU in their vehicle to get from the less privileged CAN network to the one containing the ECU in charge of braking. In this paper we discuss the various architectures of different vehicles and examine the effect these topologies may have on a remote attack.
After the attacker has wirelessly compromised an ECU and acquired the ability to send messages to a desired target ECU, the attacker may communicate with safety-critical ECUs. The final step is to make the target ECU behave in some way that compromises vehicle safety. This involves reverse engineering the messages on the network and figuring out the exact format to perform some physical action. Since each manufacturer (and perhaps each model and even each year) uses different data in the messages on the bus, the message reverse engineering process requires a large amount of work and will be manufacturer specific. For example, the messages to lock the brakes on one manufacturer's vehicle likely won't work on a vehicle from a different manufacturer.
Additionally, some ECUs will only listen to certain messages and may have safety features built into them, such as not responding to certain messages while the vehicle is in motion. This third stage was the focus of our previous research efforts [9]. In general, it is tough to know without a detailed investigation whether it is possible to affect cyber-physical features through message injection since it essentially relies on the implementation of the ECUs. In this document, we again take an approach similar to measuring remote attack surface.
For each vehicle, we list the computer controlled features of the vehicle. For example, while it is possible to adversely affect ECUs sometimes using vulnerabilities (see how the braking on a Ford was manipulated in [9] or how the braking was manipulated in the Chevy in [3]), it is even easier when controlling braking is a feature of the automobile. In the Toyota Prius in [9], the collision prevention system was designed to stop the vehicle when certain CAN messages were received. This didn't require a vulnerability, but was a safety feature. So while all vehicles may (or may not) be vulnerable to safety-critical actions through CAN message injection, we assume those with advanced computer controlled features are more susceptible since they are designed to take physical actions based on messages received on the internal network.
This paper
By looking at each car's remote attack surface, internal network architecture, and computer controlled features we are able to draw some conclusions about the suitability of the vehicle to remote attack. This doesn't mean that the most susceptible looking isn't in fact quite secure (i.e. coded very securely) or that the most secure looking isn't in fact trivially exploitable, but it does provide some objective measure of the security of a large number of vehicles that wouldn't be possible to examine in detail without a massive effort. It also provides an outline on how to design and construct secure vehicles, namely in making each of these three stages of exploitation as difficult as possible.
The authors also discuss different strategies for securing vehicles from remote attack in a layered, attack-resilient fashion. In particular, the paper introduces a device that acts like a network intrusion detection and prevention device and discusses some early testing results.
Lastly, to the authors' knowledge, this is the first publicly available resource for automotive network architecture review. While network architecture review is commonplace in modern network/computer security, much of automobile topology has been shrouded in secrecy.
Remote Attacks not related to Automotive Networks
There are a number of remote attacks that have nothing to do with sending messages on automotive networks such as CAN, a large focus of this paper. These mostly fall into two categories. The first are attacks where the remotely attacked ECU is the final target of the attack. For example, a remote attack against the telematics unit may allow the attacker to listen and record conversations in the vehicle. If this is all the attacker wants, then the automotive network containing the telematics unit is likely to be irrelevant.
The second type of attack is one that doesn't actually get remote code execution, but still impacts the physical behavior of the vehicle. An example of this might include tricking the sensors of the vehicle. One could imagine sending radar signals that interfere with a car's collision detection system and cause it to think a collision is imminent, resulting in the brakes being engaged.
These types of attacks are interesting but are not a focus of this paper.
Author Notes
Automobile technical information sites, much like the vehicles they describe, vary from manufacturer to manufacturer. We did our best to normalize the data, such as ECU listings, attack surface, and network topology, while attempting to preserve the terminology used by individual automakers. This was not an easy task as just finding network topology information could take many hours (apparently the websites were not intuitive to us). Sometimes older models did not even appear to have publicly available information online, hence the variance in make, model, and year of vehicles detailed in this paper.
Remote Attack Surfaces of Automobiles
This section outlines some common remote attack vectors for modern automobiles in order to understand where, on the automotive network, an attacker may first arrive. While this discussion will be mostly general, for clarity we use examples from actual cars, usually a 2010 Ford Escape and 2010 Toyota Prius, since we are intimately familiar with these vehicles from previous research.
Passive Anti-Theft System (PATS)
For many modern cars, there is a small chip in the ignition key that communicates with a sensor on the steering column. For the Escape, this sensor is wired directly into the Instrument Cluster (IC) ECU. When the key is turned, the on-board computer sends out an RF signal that is picked up by the transponder in the key. The transponder then returns a unique RF signal to the vehicle's computer, giving it confirmation to start and continue to run. This all happens in less than a second. If the on-board computer does not receive the correct identification code, certain components such as the fuel pump and, on some, the starter will remain disabled.
[Figure: The instrument cluster (IC) for the 2010 Ford Escape]
[Figure: The PATS sensor for the 2010 Ford Escape]
Range: ~10 centimeters.
Analysis: It may be possible to create a denial of service attack that would cause the car not to start, even with the proper key inserted. As far as remote attacks are concerned, this attack surface is very small. The only data transferred (and processed by the software on the IC) is the identification code and the underlying RF signal. It is hard to imagine an exploitable vulnerability in this code, and even if there was, you would have to be very close to the sensor, as it is intentionally designed to only pick up nearby signals. The authors believe the main exploitation vector would be for vehicle theft, not remote code execution.
Tire Pressure Monitoring System (TPMS)
Each tire has a pressure sensor that is constantly measuring the tire pressure and transmitting real-time data to an ECU. In the Escape, the receiving sensor is wired into the Smart Junction Box (SJB). This radio signal is proprietary, but some research has been done in understanding the TPMS system for some vehicles and investigating their underlying security [1][2].
[Figure: The SJB from the 2010 Ford Escape.]
[Figure: The circuit board from within the SJB of the 2010 Ford Escape.]
The SJB contains a MAX1471A 315MHz/434MHz Low-Power, 3V/5V ASK/FSK Superheterodyne Receiver [5], see below, to receive the RF signals.
[Figure: A close-up of the RF chip located on the SJB.]
Range: ~1 meter.
Analysis: It is certainly possible to perform some actions against the TPMS, such as causing the vehicle to think it is having a tire problem, or a problem with the TPMS system. Additionally, researchers have shown [2] that it is possible to actually crash and remotely brick the associated ECU in some cases. Regarding code execution possibilities, it seems the attack surface is rather small, but remote bricking indicates that data is being processed in an unsafe manner and so this might be possible. Additionally, many times the TPMS is not connected to the vehicle network, and is only responsible for illuminating a light on the instrument cluster.
Remote Keyless Entry / Start (RKE)
Key fobs contain a short-range radio transmitter that communicates with an ECU in the vehicle. The radio transmitter sends encrypted data containing identifying information from which the ECU can determine if the key is valid and subsequently lock, unlock, and start the vehicle. For example, in the Toyota Prius, the smart key sends a signal to a receiver, which in turn sends the information to the Smart Key ECU that is connected to the CAN and LIN buses.
[Figure: Smart Key Diagram - 2010 Toyota Prius]
[Figure: Smart Key ECU - 2010 Toyota Prius]
Range: ~5-20 meters
Analysis: Again, it may be possible to cause a denial of service that would not allow the car to be remotely locked/unlocked/started, and in some cases it may be possible to unlock/start the car without the proper key fob. With regards to remote code execution, the attack surface is quite small. The Smart Key ECU must have some firmware to handle reading RF signals, encryption/decryption code, some logic to identify data from the key fob, and to be programmed for additional/replacement key fobs. While this is a possible avenue of remote code execution, the attack surface is quite small.
Bluetooth
Most vehicles have the ability to sync a device over Bluetooth with the vehicle. This represents a remote signal of some complexity processed by an ECU. In the Escape, the Bluetooth is received and processed by the Ford SYNC computer, also known as the Accessory Protocol Interface Module (APIM). This allows the car to access the address book of the phone and make phone calls. The car may also access and stream music and pictures from the phone.
[Figure: The APIM for the 2010 Ford Escape]
In order to pair a phone to the Escape, you have to press the phone button on the ACM, then add new phone. The ACM displays a random 6-digit PIN number that needs to be entered on the phone. The ACM even has a recorded voice instructing you what to do. There does not appear to be a way to covertly add a Bluetooth device without user interaction, although an unsolicited pairing vulnerability is not out of the realm of possibility.
Unlike the other signals up to now, the Bluetooth stack is quite large and represents a significant attack surface which has had vulnerabilities in the past [10]. There are generally two attack scenarios involving a Bluetooth stack. The first attack involves an unpaired phone. This attack is the most dangerous as any attacker can reach this code. The second method of exploitation occurs after pairing takes place, which is less of a threat as some user interaction is involved. Previously, researchers have shown remote compromise of a vehicle through the Bluetooth interface [3]. Researchers from Codenomicon have identified many crashes in common Bluetooth receivers found in automobiles [7].
Range: ~10 meters, possibly more depending on the protocol and antenna.
Analysis: Right now the authors of this paper consider Bluetooth to be one of the biggest and most viable attack surfaces on the modern automobile, due to the complexity of the protocol and underlying data. Additionally, Bluetooth has become ubiquitous within the automotive spectrum, giving attackers a very reliable entry point to test.
Radio Data System
The radio receives not only audio signals, but some other data as well. In the Escape, the Audio Control Module (ACM) has many such remote inputs, such as GPS, AM/FM Radio, and Satellite radio. These signals are mostly simply converted to audio output and don't represent significant parsing of data, which means they are likely to not contain exploitable vulnerabilities. One possible exception is likely to be the Radio Data System data that is used to send data along with FM analogue signals (or the equivalent on satellite radio). This is typically seen as radios will say the names of stations, the title of the song playing, etc. Here, the data must be parsed and displayed, making room for a security vulnerability.
[Figure: The ACM for the 2010 Ford Escape]
Range: Theoretically miles, but more realistically around 100 meters
Analysis: Although the end result is the same as Bluetooth, the likelihood of this attack occurring and being successful is much lower. Therefore while you could have control of the ACM, we don't perceive the threat to be as great.
Telematics / Cellular / Wi-Fi
Many modern automobiles contain a cellular radio, which is used to connect the vehicle to a cellular network, for example GM's OnStar. It can also be used to retrieve data, such as traffic or weather information. In some newer vehicles, it even serves as a remote Wi-Fi hotspot.
The Toyota Prius came with the Safety Connect feature, more generically known as a telematics system. The Safety Connect systems permit emergency calling, stolen vehicle tracking, and roadside assistance via audio and data communications between the call center and the vehicle.
The telematics receiver in the Prius uses a Qualcomm chip and communicates over a 3G/CDMA connection, as shown below.
[Figure: Telematics ECU - 2010 Toyota Prius]
Range: Broad/Varying
Analysis: This is the holy grail of automotive attacks since the range is quite broad (i.e. as long as the car can have cellular communications). Even though a telematics unit may not reside directly on the CAN bus, it does have the ability to remotely transfer data/voice, via the microphone, to another location. Researchers previously remotely exploited a telematics unit of an automobile without user interaction [3].
Internet / Apps
As cars move into the future, they are becoming more connected, with features normally found in desktop computers like apps and even web browsers. The 2014 Jeep Cherokee even has a Wi-Fi hotspot with open ports (when not using encryption).
[Figure: BMW running a web browser. Source: http://www.techradar.com/news/cartech/bmwupgradesconnecteddrivewithtouch3ginternetappsandmore1159983/2]
Range: N/A
Analysis: We believe this new technology opens up many attack vectors that did not exist before, such as web browser exploits, malicious apps, and internet service exploitation. Not only is attack surface being added in droves, but the underlying research and exploitation methodologies are widely understood by attackers. Complex code is being added to vehicles and there is no reason to believe corresponding anti-exploitation technologies are being added with them.
Cyber-physical features
In the final stage of a cyber-physical attack, the attacker wishes to send messages to a safety-critical ECU and make it take some unsafe action, such as locking up the brakes or turning the steering wheel. While this may be possible even without cyber-physical features, the presence of computers that control physical actions makes the likelihood of cyber-physical attacks much higher. These advanced technology features ensure that these ECUs are listening to the messages on the network and making physical changes to the vehicle based on messages seen. We have seen safety mechanisms built into ECUs that can limit what an attacker can do. For example, the messages which tell the steering ECU to turn the wheel for parking assist may only work if the vehicle is moving very slowly, or the messages which tell the steering ECU to turn the wheel for lane keep assist may only allow very small movements of the wheel. In other words, these features do not necessarily enable an attack and can have protections built in, but attacks are likely easier in their presence than in their absence. Below we briefly introduce some of these cyber-physical features present on some modern automobiles.
Park assist
Park assist, also referred to by some manufacturers as intelligent park assist, active park assist, parking maneuver assistant, or automatic self-parking, helps the driver park in tight spots. There is usually a dedicated ECU that takes in data from sensors and calculates how the steering wheel should be turned to park in a spot. It communicates the desired steering wheel position to the steering wheel ECU, which then turns the wheel. This feature means that under some conditions, the steering can be turned by sending messages over the automotive network. This feature is only needed when the vehicle is moving very slowly, and in practice there are typically safety mechanisms that try to prevent the wheel from turning due to this feature when the vehicle is at anything but slow speed.
Adaptive cruise control
Adaptive cruise control is a feature that tries to maintain the desired speed of the vehicle even in the presence of other vehicles. As the vehicle approaches a slower car, it will apply the brakes to slow down, sometimes all the way to a stop if necessary. As the slower car speeds up or gets out of the way, the automobile will speed up again to the desired speed. This means that a computer is controlling the braking and acceleration of the vehicle based on sensor readings. Portions of the vehicle control are performed over the internal vehicle network and are designed to work at speed.
Collision prevention
Collision prevention systems, sometimes called crash mitigation, automatic braking, city braking, or pre-collision systems, are designed to prevent or lessen crashes by applying the brakes when a crash is imminent. The sensors and collision calculations are typically performed by one ECU and messages are sent to the brakes to tell them to engage. This system is designed to work at speed.
Lane keep assist
Lane keep assist, sometimes called active lane assist, LaneSense, or lane keeping assist, is designed to prevent cars from leaving their lane by accident. A camera detects the lines of the lane and an ECU computes if the car is about to leave the lane. By sending messages to either the steering or the brakes, the car is able to adjust its location within the lane. This is another system designed to work at speed.
Evolution of Automotive Networks
As vehicles have gotten more complex, the remote attack surface has expanded. Additionally, the number of ECUs in a vehicle has gone up, with the complexity of the automotive network increasing. For example, consider the Jeep Cherokee from 2010 vs 2014. In just 4 years, the number of ECUs has more than doubled. Below are illustrations of the CAN-C network for this vehicle from 2010 and 2014.
[Figure: CAN-C Network - 2010 Jeep Cherokee]
[Figure: CAN-C Network - 2014 Jeep Cherokee]
As you can see, the 2014 Jeep has almost twice as many ECUs, resulting in added complexity, which also denotes a manufacturer's necessity to multiplex more of the automobile. New features are more easily added into existing automobile infrastructure, instead of running new wires or adding additional networks.
Remote Survey
The cars examined in this paper have had their features, standards, and network architecture examined to determine their functionality and document the resulting remote attack surface. For each vehicle we document:
- The remote attack surface (i.e. Bluetooth, telematics, etc.)
- The cyber-physical computer controlled features. The term cyber-physical is used to denote automotive features that perform physical actions through the input of messages on the automotive network, such as adaptive cruise control, collision prevention, and many others
- Layout of the internal automotive network, including the ECUs with remote attack surface and the ECUs with safety-critical components
By looking at the layout of the internal automotive networks, the locations of the various ECUs, and considering the safety-critical computer controlled features, one can begin to get a grasp on the difficulty (or simplicity) of remote attacks against that particular vehicle.
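One way to run this kind of layout review over a bus listing, as an added example that is not from the paper: the bus membership is copied (abbreviated) from this page's 2014 Audi A8 Drivetrain CAN and Convenience CAN listings, while the `REMOTE` and `SAFETY` labels and all function names are assumptions made for illustration.

```python
"""Separation review: how many gateway ECUs sit between radio-facing ECUs
and safety-critical ECUs in a vehicle bus listing."""
from collections import deque

# Bus membership copied (abbreviated) from the 2014 Audi A8 listing on this page.
BUSES = {
    "Drivetrain CAN": {
        "J623",  # ECM
        "J104",  # ABS
        "J234",  # Airbag Control
        "J540",  # Electro Mechanical Parking Brake Control Module
        "J533",  # Data Bus on Board Diagnostic Interface
    },
    "Convenience CAN": {
        "J502",  # Tire Pressure Monitoring Control Module (LIN to TPMS transmitters)
        "J518",  # Access/Start Control Module (LIN to keyless antenna reader)
        "J446",  # Parking Aid Control Module
        "J533",  # Data Bus on Board Diagnostic Interface
    },
}

# Assumed labels for illustration (not taken from the paper).
REMOTE = {"J502", "J518"}          # ECUs that process an external radio signal
SAFETY = {"J104", "J623", "J540"}  # ECUs involved in braking or acceleration


def ecu_buses(buses):
    """Invert the listing: ECU -> set of buses it is attached to."""
    attached = {}
    for bus, ecus in buses.items():
        for ecu in ecus:
            attached.setdefault(ecu, set()).add(bus)
    return attached


def gateways(buses):
    """ECUs attached to more than one bus, i.e. possible bridging points."""
    return {ecu for ecu, on in ecu_buses(buses).items() if len(on) > 1}


def bridge_path(buses, src, dst):
    """Shortest list of gateway ECUs a message from src must cross to reach
    a bus dst sits on. [] means they share a bus; None means no path exists."""
    attached = ecu_buses(buses)
    targets = attached[dst]
    seen = set(attached[src])
    queue = deque((bus, []) for bus in sorted(attached[src]))
    while queue:  # breadth-first over buses, so the first hit is the shortest
        bus, crossed = queue.popleft()
        if bus in targets:
            return crossed
        for ecu in sorted(buses[bus]):
            for nxt in sorted(attached[ecu] - seen):
                seen.add(nxt)
                queue.append((nxt, crossed + [ecu]))
    return None


def review(buses, remote, safety):
    """(remote ECU, safety ECU, gateway path) for every pair."""
    return [(r, s, bridge_path(buses, r, s))
            for r in sorted(remote) for s in sorted(safety)]


def min_separation(buses, remote, safety):
    """Fewest gateway crossings between any remote and any safety ECU,
    or None when no remote ECU can reach a safety ECU at all."""
    lengths = [len(p) for _, _, p in review(buses, remote, safety) if p is not None]
    return min(lengths) if lengths else None


def flatten(buses):
    """Same ECUs on one shared bus, for comparison with an unsegmented design."""
    return {"Single bus": set().union(*buses.values())}


if __name__ == "__main__":
    print("gateways:", sorted(gateways(BUSES)))
    for r, s, path in review(BUSES, REMOTE, SAFETY):
        via = "same bus" if path == [] else f"via {path}" if path else "unreachable"
        print(f"{r} -> {s}: {via}")
    print("segmented min separation:", min_separation(BUSES, REMOTE, SAFETY))
    print("flat min separation:", min_separation(flatten(BUSES), REMOTE, SAFETY))
```

A separation of 0 means a radio-facing ECU shares a bus with a safety-critical one; each additional gateway in the path is one more component whose filtering can be reviewed and hardened.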
Obviouslywewerenotabletoacquireeachvehiclefordetailedtesting,butthefirststepinany
automotiveassessmentwouldbeafeaturesandarchitecturereview.ECUsthatareboldedhave
significancewithregardstowirelessexploitation,communicationsbridging,orhavingcyberphysical
functionality.
Wewereawarethatcertainmanufacturersarenotpresentinthispaper.Manytimesitwasdueto
overlapinparentcompanysvehiclesandothertimeswefoundtheironlineexperiencetoopainfulto
navigate.
Legend
2014 Audi A8
http://image.motortrend.com/f/roadtests/sedans/1307_2014_audi_a8_l_tdi_first_test/52692898/2013audia8l30tsideinmotion.jpg
Standards: CAN, LIN, MOST, FlexRay
Wireless Communications: Remote Keyless Entry/Start, Bluetooth, Cellular, WiFi, AM/FM/XM Radio, Proprietary Radio, Audi Connect
Cyber Physical: Adaptive Cruise Control, Active Lane Assist, Audi Pre Sense
Drivetrain CAN
1. ECM (J623)
2. ABS (J104)
3. Airbag Control (J234)
4. Transmission Control Module (J217)
5. Electrical Drive Main Relay (J437)
6. Electro Mechanical Parking Brake Control Module (J540)
7. Level Control System Control Module (J197)
8. Steering Angle Sensor (G85)
9. Data Bus On Board Diagnostic Interface (J533)
Convenience CAN
1. Driver's Door Control Module (J386)
2. Front Passenger's Door Control Module (J387)
3. Left Rear Door Control Module (J388)
4. Right Rear Door Control Module (J389)
5. Memory Seat/Steering Column Adjustment Control Module (J136)
6. Passenger Memory Seat Control Module (J521)
7. Towing Recognition Control Module (J345)
8. Steering Column Electronics System Control Module (J527)
9. Tire Pressure Monitoring Control Module (J502)
   a. Connected via LIN to TPMS Transmitters
10. Climatronic Control Module (J255)
   a. Connected via LIN to A/C
11. Comfort System Central Control Module (J393)
12. Vehicle Electronic System Control Module (J519)
13. Access/Start Control Module (J518)
   a. Connected via LIN to Access/Start Authorization Switch (E415) & Keyless Access Authorization Antenna Reader (J723)
14. Vehicle Electrical System Control Module (J520)
15. Parking Aid Control Module (J446)
16. Auxiliary Heater Control Module (J364)
17. Energy Management Control Module (J644)
18. Data Bus On Board Diagnostic Interface (J533)
Instrument Cluster/Gateway CAN
1. Instrument Cluster Control Module (J285)
2. Data Bus On Board Diagnostic Interface (J533)
Distance Control CAN
1. Distance Regulation Control Module (J428)
2. Data Bus On Board Diagnostic Interface (J533)
MOST Ring
1. CD Changer (R41)
2. Digital Sound System Control Module (J525)
3. Radio & Speech Input Control Module (J507)
4. TV Tuner (R78)
5. Navigation System w/ CD Drive Control Module (J401)
6. Telephone/Telematics Control Module (J526)
   a. Bluetooth
   b. Telephone Handset (R37)
7. Telephone Transceiver (R36)
8. Front Information Control Head Control Module (J523)
9. Data Bus On Board Diagnostic Interface (J533)

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Access Control Module | Convenience CAN |
| TPMS | Tire Pressure Control Module | Convenience CAN |
| Bluetooth | Telematics Control Unit | MOST Ring |
| FM/AM/XM | Radio Control Module | MOST Ring |
| Cellular | Telematics Control Module | MOST Ring |
| Internet/Apps | Audi Connect System | MOST Ring |
Diagram
2014 Honda Accord LX (Sedan)
http://images.newcars.com/images/carpictures/original/2014HondaAccordSedanLX4drSedanPhoto.png
Standards: CAN, KLine, SNET
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Proprietary Radio, HondaLink
Cyber Physical: Adaptive Cruise Control, Forward Collision Warning, LaneWatch
BCAN
1. Under Dash Fuse/Relay Box
2. Audio Unit/Navigation Unit
3. HVAC Control/Climate Control Unit
4. Power Window Master Switch
5. Center Junction Box
6. Driver's Junction Box
7. Sunlight Sensor
8. Gauge Control Module
9. Keyless Access Control Unit
10. Power Seat Control Unit
FCAN
1. Powertrain Control Module (PCM)
2. VSA Modulator Control Unit
3. EPS Control Unit
4. Engine Mount Control Unit
5. SRS Unit
6. ANC/Active Sound Control Unit
7. DLC
8. Center Junction Box
9. Steering Angle Sensor
10. Gauge Control Module
11. ACC Unit
12. Audio Unit/Navigation Unit
13. Driver's Junction Box
14. FCW/LDW Camera Unit
KLine
1. Front Passenger's Weight Sensor
2. VSA Modulator Control Unit
3. EPS Control Unit
4. Under Dash Fuse/Relay Box
5. ANC/Active Sound Control Unit
6. Audio Unit/Navigation Unit
7. Keyless Access Control Unit
8. DLC
9. Center Junction Box
SNET
1. Under Dash Fuse/Relay Box
2. Keyless Access Control Unit
3. PCM

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Keyless Access Control Unit | BCAN/KLine/SNET |
| TPMS | VSA Modulator Control Unit | FCAN |
| Bluetooth | Audio Unit/Navigation Unit | FCAN/BCAN/KLine |
| FM/AM/XM | Audio Unit/Navigation Unit | FCAN/BCAN/KLine |
| Cellular | N/A | N/A |
| Internet/Apps | HondaLink | FCAN/BCAN/KLine |
Diagram
2014 Infiniti Q50
http://images.dealer.com/autodata/us/640/color/2014/USC40INC251A0/GAC.jpg
Standards: CAN
Wireless Communications: Remote Keyless Entry, Bluetooth, Cellular, AM/FM/XM Radio, Proprietary Radio, Infiniti Connect
Cyber Physical: Adaptive Cruise Control, Direct Adaptive Steering, Steer-by-wire, Driver Assistance System
Intelligent Transportation Systems (ITS) Communications Circuit
1. Side Radar LH
2. Aroundview Mirror Control Unit
3. Driver Assistance Buzzer Control Unit
4. Side Radar RH
5. Acceleration Pedal Actuator
6. Sonar Control Unit
7. ICC Sensor
8. ADAS Control Unit (GATEWAY)
Chassis Communications Circuit
1. Steering Angle Main Control Module
2. Lane Camera Unit
3. Chassis Control Module (Gateway)
CAN Communications Circuit 2
1. Chassis Control Module (Gateway)
2. ADAS Control Unit (Gateway)
3. ABS Control Unit
4. Pre-Crash Seat Belt Control
5. AWD Control Unit
6. Driver Seat Control Unit
7. Steering Force Control Module
8. Steering Angle Sensor
9. DLC (OBD-II)
10. CAN Gateway (Gateway)
CAN Communications Circuit 1
1. IPDM E/R (Intelligent Power Distribution Module Engine Room)
2. Combination Meter
3. AFS Control Unit (Adaptive Front lighting System)
4. High Beam Assist Control Module
5. ECM (Engine Control Module)
6. TCM (Transmission Control Module)
7. A/C Auto Amp
8. Airbag Diagnosis Sensor Unit
9. Display Control Unit
10. TCU (Telematics Control Unit)
11. BCM (Body Control Module)
12. DLC (OBD-II)
13. CAN Gateway (Gateway)

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | BCM | CAN Communications Circuit 1 |
| TPMS | BCM | CAN Communications Circuit 1 |
| Bluetooth | TCU | CAN Communications Circuit 1 |
| FM/AM/XM | TCU | CAN Communications Circuit 1 |
| Cellular | TCU | CAN Communications Circuit 1 |
| Internet/Apps | TCU | CAN Communications Circuit 1 |
Diagram
2010 Infiniti G37 (Sedan)
http://images.thecarconnection.com/lrg/2010infinitig37sedan_100234015_l.jpg
Standards: CAN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Proprietary Radio
Cyber Physical: Adaptive Cruise Control, Pre-Crash System
CAN Network
1. Steering Angle Sensor
2. Unified Meter and A/C Amp
3. TCM (Transmission Control Module)
4. Pre-Crash Seat Belt Control Unit
5. ECM (Engine Control Module)
6. AWD Control Unit
7. A/V Control Unit
8. Airbag Diagnosis Sensor Unit
9. BCM (Body Control Module)
10. ICC Integrated Circuit (Intelligent Cruise Control)
11. IPDM E/R (Intelligent Power Distribution Module Engine Room)
12. ABS Actuator and ECU
13. 4WAS Main Control Unit
14. Driver Seat Control Unit
15. DLC

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | BCM | CAN |
| TPMS | BCM | CAN |
| Bluetooth | A/V Control Unit | CAN |
| FM/AM/XM | A/V Control Unit | CAN |
| Cellular | N/A | N/A |
| Internet/Apps | N/A | N/A |
Diagram
2006 Infiniti G35 (Sedan)
http://upload.wikimedia.org/wikipedia/commons/f/f2/2006InfinitiG35sedan.jpg
Standards: CAN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Proprietary Radio
Cyber Physical: Adaptive Cruise Control, Pre-Crash System
CAN Communications
1. ABS/TCS/VDS
2. Intelligent Key Unit
3. IPDM E/R
4. ECM
5. AWD ECU
6. Combination Meter
7. BCM
8. Steering Angle Sensor
9. Driver Seat Control Unit
10. Transmission Control Module (A/T Assembly)
11. DLC

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | BCM | CAN |
| TPMS | BCM | CAN |
| Bluetooth | A/V Control Unit | None |
| FM/AM/XM | A/V Control Unit | None |
| Cellular | N/A | N/A |
| Internet/Apps | N/A | N/A |
Diagram
2014 Jeep Cherokee
http://www.digitaltrends.com/wpcontent/uploads/2013/02/2014jeepcherokee1.jpg
Standards: CAN, LIN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Cellular, WiFi, Proprietary Radio, Uconnect
Cyber Physical: Adaptive Cruise Control with Stop-and-go, Parallel and Perpendicular Parking Assist, Forward Collision Warning with Crash Mitigation, LaneSense Lane Departure Warning
CAN C Bus
1. ABS MODULE ANTILOCK BRAKES
2. AHLM MODULE HEADLAMP LEVELING
3. ACC MODULE ADAPTIVE CRUISE CONTROL
4. BCM MODULE BODY CONTROL
5. CCB CONNECTOR STAR CAN C BODY
6. CCIP CONNECTOR STAR CAN C IP
7. DLC DATA LINK CONNECTOR
8. DTCM MODULE DRIVETRAIN CONTROL
9. EPB MODULE ELECTRONIC PARKING BRAKE
10. EPS MODULE ELECTRIC POWER STEERING
11. ESM MODULE ELECTRONIC SHIFT
12. FFCM CAMERA FORWARD FACING
13. IPC CLUSTER
14. OCM MODULE OCCUPANT CLASSIFICATION
15. ORC MODULE OCCUPANT RESTRAINT CONTROLLER
16. PAM MODULE PARK ASSIST
17. PCM MODULE POWERTRAIN CONTROL (2.4L)
18. RADIO MODULE RADIO
19. RFH MODULE RADIO FREQUENCY HUB
20. SCM MODULE STEERING CONTROL
21. SCLM MODULE STEERING COLUMN LOCK
22. TCM MODULE TRANSMISSION CONTROL
CAN IHS Bus
1. AMP AMPLIFIER RADIO
2. BCM MODULE BODY CONTROL
3. CCB CONNECTOR STAR CAN IHS BODY
4. CCIP CONNECTOR STAR CAN IHS IP
5. DDM MODULE DOOR DRIVER
6. DLC DATA LINK CONNECTOR
7. EDM MODULE EXTERNAL DISC
8. HSM MODULE HEATED SEATS
9. HVAC MODULE A/C HEATER
10. ICS MODULE INTEGRATED CENTER STACK SWITCH
11. IPC MODULE CLUSTER
12. LBSS SENSOR BLIND SPOT LEFT REAR
13. MSM MODULE MEMORY SEAT DRIVER
14. PDM MODULE DOOR PASSENGER
15. PLGM MODULE POWER LIFTGATE
16. RADIO MODULE RADIO (Not a Bridge)
17. RBSS SENSOR BLIND SPOT RIGHT REAR
LIN Bus
1. AGS ACTUATOR GRILL SHUTTER
2. AHLM MODULE HEADLAMP LEVELING
3. ASBM SWITCH BANK
4. ASU SIREN
5. BCM MODULE BODY CONTROL
6. CRVMM ASSEMBLY REAR VIEW MIRROR
7. DDM MODULE DOOR DRIVER
8. DSBM SWITCH WINDOW/DOOR LOCK DRIVER
9. FLLA ASSEMBLY LAMP LEFT FRONT
10. FRLA ASSEMBLY LAMP RIGHT FRONT
11. GEN GENERATOR
12. HUM SENSOR HUMIDITY
13. IBS SENSOR BATTERY CURRENT
14. IPC MODULE CLUSTER
15. ITM MODULE INTRUSION
16. LRSM MODULE LIGHT RAIN SENSOR
17. PADL LAMP AIRBAG DISABLE
18. PCM MODULE POWERTRAIN CONTROL
19. PCM Diesel MODULE POWERTRAIN CONTROL
20. RVCM ASSEMBLY VIDEO CAMERA
21. SCCM MODULE STEERING CONTROL
22. TSBM MODULE TERRAIN SWITCH BANK
23. VSM MODULE VOLTAGE STABILITY
24. WCPM MODULE CHARGER WIRELESS

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | RFHM | CAN C |
| TPMS | RFHM | CAN C |
| Bluetooth | Radio | CAN C, CAN IHS |
| FM/AM/XM | Radio | CAN C, CAN IHS |
| Cellular | Radio | CAN C, CAN IHS |
| Internet/Apps | Radio | CAN C, CAN IHS |
Diagram
2014 Dodge Ram 3500
http://images6.alphacoders.com/417/417590.jpg
Standards: CAN, LIN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Cellular, WiFi, Proprietary Radio, Uconnect
Cyber Physical: It's big. It burns lots of gas.
CAN C Bus
1. ABS
2. ASCM
3. BCM
4. DTCM
5. ITBM
6. PAM
7. PCM
8. ORC
9. RADIO
10. RFH
11. SCCM
12. TCM
13. VSIM
CAN IHS Bus
1. AMP
2. BCM
3. DDM
4. EDM
5. HSM
6. HVAC
7. ICS
8. MSM
9. PDM
10. RADIO
LIN Bus
1. BCM
2. COM
3. DDM
4. LRSM
5. SCCM

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | RFH | CAN C |
| TPMS | RFH | CAN C |
| Bluetooth | Radio | CAN C, CAN IHS |
| FM/AM/XM | Radio | CAN C, CAN IHS |
| Cellular | Radio | CAN C, CAN IHS |
| Internet/Apps | Radio | CAN C, CAN IHS |
Diagram
2014 Chrysler 300
http://www.chrysler.com/assets/images/Vehicles/2014/300/PhotosVideos/Exterior/large/300_ext_expand_0000_15.jpg
Standards: CAN, LIN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, Uconnect
Cyber Physical: Adaptive Cruise Control, Park Assist
CAN C Bus
1. ABS
2. AFLS
3. BCM
4. IPC
5. ORC
6. PAM
7. PCM
8. RFH
9. SCCM
10. TCP
11. TPM
CAN IHS Bus
1. BCM
2. DDM
3. HSM
4. HVAC
5. MSM
6. PDM
7. RADIO
LIN Bus
1. AFLS
2. BCM
3. COM
4. DDM
5. LRSM
6. SCCM

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | RFH | CAN C |
| TPMS | TPM | CAN C |
| Bluetooth | Radio | CAN IHS |
| FM/AM/XM | Radio | CAN IHS |
| Cellular | Radio | CAN IHS |
| Internet/Apps | Radio | CAN IHS |
Diagram
2014 Dodge Viper
http://www.drivesrt.com/news/wpcontent/uploads/2013/09/TAColor.jpg
Standards: CAN, LIN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, Uconnect
Cyber Physical: Fast
CAN C Bus
1. ABS
2. ADCM
3. BCM
4. ORC
5. PCM
6. RFH
7. SCCM
8. TPM
LIN Bus
1. BCM
2. DDM
3. SCCM
CAN IHS Bus
1. BCM
2. DDM
3. HVAC
4. ICS
5. PDM
6. RADIO

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | RFH | CAN C |
| TPMS | TPM | CAN C |
| Bluetooth | Radio | CAN IHS |
| FM/AM/XM | Radio | CAN IHS |
| Cellular | Radio | CAN IHS |
| Internet/Apps | Radio | CAN IHS |
Diagram
2015 Cadillac Escalade AWD
http://image.motortrend.com/f/roadtests/suvs/1310_2015_cadillac_escalade_first_look/54528620/2015cadillacescalade
frontthreequartersview.jpg
Standards: CAN, MOST, LIN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, OnStar
Cyber Physical: Front and rear automatic braking, Automatic collision preparation, Full speed adaptive cruise control
PTCAN (powertrain controller area network)
1. DME
2. ACSM
3. KAFAS
4. EKPS
5. EGS
6. GWS
Low Speed GMLAN (CAN)
1. info display module
2. radio
3. telematics communication interface module (TCIM)
4. HVAC
5. media disc player
6. instrument cluster
7. passenger presence module
8. keyless entry control module (KECM)
9. trailer interface control module
10. front and rear parking assist control module
11. side object sensor module left
12. active safety control module
13. body control module
14. liftgate control module
15. video processing control module
16. inflatable restraint sensing and diagnostic module
17. assist step control module
High Speed GMLAN (CAN)
1. distance sensing cruise control module
2. engine control module
3. transmission control module
4. active safety control module**
5. telematics communication interface control module (TCIM)
6. human machine interface control module
7. power steering control module
8. body control module
9. electronic brake control module
10. park brake control module
11. suspension control module
12. chassis control module
LIN
1. BCM
2. TPIM
MOST
1. RADIO
2. Instrument cluster
3. Amp
4. Media disk player
5. Human interface control module

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | KECM | Low Speed CAN |
| TPMS | KECM | Low Speed CAN |
| Bluetooth | TCIM | Low & High Speed CAN |
| FM/AM/XM | Radio | MOST |
| Cellular | TCIM | Low & High Speed CAN |
| Internet/Apps | TCIM | Low & High Speed CAN |
Diagram
2006 Ford Fusion
http://www.blogcdn.com/www.autoblog.com/media/2006/03/FordFusionCrashtestresized.jpg
Standards: CAN
Wireless Communications: Remote Keyless Entry, AM/FM Radio, Proprietary Radio
Cyber Physical: None
HSCAN
1. ABS
2. RCM
3. OCS
4. IC
5. TCM
6. PCM
MSCAN
1. HCS (heated/cooled)
2. MM (mem module)
3. Dsp
4. Sjb
5. Ddm
6. Radio
7. Eatc
8. Datc
9. IC

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | SJB | MSCAN |
| TPMS | SJB | MSCAN |
| Bluetooth | N/A | N/A |
| FM/AM/XM | Radio | MSCAN |
| Cellular | N/A | N/A |
| Internet/Apps | N/A | N/A |
Diagram
2014 Ford Fusion
http://upload.wikimedia.org/wikipedia/commons/b/be/2013_Ford_Fusion_Titanium__2012_NYIAS.JPG
Standards: CAN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, SYNC
Cyber Physical: Lane keeping assist, Adaptive cruise control with forward collision warning (collision warning only pre-charges brakes), Active Park assist
HSCAN1
1. APIM
2. BCM
3. PCM
4. DC to DC converter control module
5. HCM (headlamp control)
6. Gateway module
HSCAN2
1. RCM
2. OCSM
3. ADIM (auto dimming interior mirror)
4. Proximity warning radar unit
5. ABS
6. PSCM
7. SCCM (steering column)
8. HUDM heads up display
9. VDM Vehicle Dynamics
10. TRCM (transmission range control)
11. FSCM (front seat climate control)
12. PMCSM (passenger multi contour seat module)
13. CCM cruise control module
14. Gateway module
HSCAN3
1. APIM
2. ACM
3. FCDM
4. IPC instrument panel
5. ADSPM (audio digital processing)
6. CD
7. Gateway module
MSCAN
1. GPSM
2. APIM
3. FCIM (front control interface)
4. PCM
5. RTM (radio transceiver module)
6. DDM (driver door)
7. DSM (driver seat)
8. SODL (side obstacle detect left)
9. SODR
10. HSWM (heated steering wheel)
11. DMCSM (driver multi contour seat module)
12. DSM (driver seat module)
13. DDM (driver door module)
14. Rear gate trunk module
15. Side obstacle detection control module
16. Gateway module

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | BCM | HSCAN1 |
| TPMS | RTM | MSCAN |
| Bluetooth | APIM | MSCAN, HSCAN1, HSCAN3 |
| FM/AM/XM | ACM | HSCAN3 |
| Cellular | APIM | MSCAN, HSCAN1, HSCAN3 |
| Internet/Apps | APIM | MSCAN, HSCAN1, HSCAN3 |
Diagram
2014 BMW 3 Series (F30)
http://www.roadandtrack.com/cm/roadandtrack/images/zQ/0013GT.jpg
Standards: CAN, Flexray, MOST
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, ConnectedDrive
Cyber Physical: Parking assist module, Collision detection (vibrate wheel), Lane warning (light)
KCAN (body controller area network)
1. IHKA
2. CON
3. TRSVC
4. TPMS
5. SMFA
6. FEM front electronics module
KCAN2
1. Head unit
2. Combox
3. Rear electronic module
4. Fzd
5. Pma parking maneuver assistant
6. Fla
PTCAN (powertrain controller area network)
1. DME digital motor electronics
2. ACSM
3. KAFAS
4. EKPS
5. EGS
6. GWS
Flexray
1. SWW
2. EPS electromechanical power steering
3. VDM
4. DSC dynamic stability control (brakes)
5. ICM
6. DME
MOST
1. Head unit
2. Combox combox emergency call, multimedia combox
3. Kombi
4. Dvdc
5. Ampt

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | FEM | KCAN |
| TPMS | TPMS | KCAN |
| Bluetooth | Head unit | KCAN2, MOST |
| FM/AM/XM | Head unit | KCAN2, MOST |
| Cellular | Combox | KCAN2, MOST |
| Internet/Apps | Combox | KCAN2, MOST |
Diagram
2014 BMW X3 (F25)
http://static.autoexpress.co.uk/sites/autoexpressuk/files/111061559231880430.jpg
Standards: CAN, Flexray, MOST
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, ConnectedDrive
Cyber Physical: Dynamic cruise control (includes braking), Parking assist module, Collision detection (vibrate wheel), Lane warning (light)
KCAN (body controller area network)
1. IHKA
2. CON
3. CID
4. HUD
5. FLA
6. TRSVC
7. TPMS
8. SMFA
9. HKL
10. ZGM
11. CIC
KCAN2
1. ZGM
2. FRM
3. FZD
4. JBE
5. CAS car access system
6. RAD
PTCAN (powertrain controller area network)
1. DME
2. ACSM
3. EKPS
4. EGS
5. GWS
6. EMF
Flexray
1. EPS
2. VDM
3. DSC
4. ICM
5. VTG
MOST
1. CIC
2. Combox
3. Kombi
4. Dvdc
5. ampt

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | CAS | KCAN2 |
| TPMS | TPMS | KCAN |
| Bluetooth | CIC | MOST, KCAN |
| FM/AM/XM | CIC | MOST, KCAN |
| Cellular | Combox | MOST, KCAN2 |
| Internet/Apps | Combox | MOST, KCAN2 |
Diagram
2014 BMW i12
http://upload.wikimedia.org/wikipedia/commons/d/db/BMW_Concept_Vision_Efficient_Dynamics_Front.JPG
Standards: CAN, Flexray, MOST
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, ConnectedDrive
Cyber Physical: Collision warning with city braking function, Dynamic cruise control (includes braking)
KCAN (body controller area network)
1. IHKA Integrated automatic heating/air conditions
2. CON controller
3. ASD active sound design
4. AMP amplifier
5. TBX touchbox
6. TCB telematics communication box
KCAN2
1. FZD roof function center
2. TRSVC top rear side view camera
3. PDC park distance control
KCAN3
1. FLER frontal light electronics right
2. FLEL frontal light electronics left
3. VSG vehicle sound generator
PTCAN (powertrain controller area network)
1. LIM charging interface module
2. DME digital engine electronics
3. TFE hybrid pressure refueling electronic control unit
4. GWS gear selector switch
5. EGS electronic transmission control
6. EMF electromechanical parking brake
7. KAFAS camera based driver support systems
8. EME electrical machine electronics
PTCAN2 (powertrain controller area network)
1. REME range extender electrical machine electronics
2. SME battery management electronics
3. DME digital engine electronics
4. GWS gear selector switch
5. EGS electronic transmission control
6. EME electrical machine electronics
Flexray
1. ACSM advanced crash safety module
2. EPS electronic power steering
3. SAS optional equipment system
4. DSC dynamic stability control
5. DME digital engine electronics
6. EME electrical machine electronics
MOST
1. Head unit
2. Kombi instrument cluster

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | ZGM/BDC | ALL |
| TPMS | BDC | ALL |
| Bluetooth | Head unit | MOST |
| FM/AM/XM | Head unit | MOST |
| Cellular | TCB | KCAN |
| Internet/Apps | TCB | KCAN |
Diagram
2014 Range Rover Evoque
http://evoque.landrover.com/static/images/content/l538puremodels930x530.jpg
Standards: CAN, LIN, MOST
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, WiFi, Cellular, Proprietary Radio, InControl
Cyber Physical: Electronic Power Assisted Steering (EPAS), Adaptive Cruise Control, Automatic Self Parking
CAN HS Chassis System
1. Restraints Control Module
2. Module Parking Aid Control
3. Module AWD Control
4. Module Damping Continuously Variable
5. Module General Proximity Sensor
6. Switchpack Terrain Response
7. Diagnostic Connector
8. Module Gateway
9. Module Power Steering
10. Module Integrated Brake Control
11. Module Steering Wheel
CAN HS Powertrain System
1. Junction box Central (BCM)
2. Module Gateway
3. Module Steering Column Lock
4. Restraints Control Module
5. Module AWD Control
6. Diagnostic Connector
7. Instrument Cluster
8. Switch Automatic Transmission
9. Module Electric Park Brake Control
10. Module Telematic Control
11. Module Control Occupant Classification
12. Module Control Occupant Classification Sensor
13. Module Integrated Brake Control
14. Module Adaptive Speed Control
15. Module Headlamp Leveling
16. Module Transmission Control
17. ECM
CAN MS Body System
1. Junction Box Central
2. Diagnostic Connector
3. Module Driver Door
4. Module Telematic Control
5. Mirror Rear View
6. Module Passenger Door
7. Module Seat Memory Passenger
8. Module Powered lid Luggage Compartment
9. Keyless Vehicle Module
10. Module Seat Memory Driver
11. Module Gateway
CAN MS Comfort and Convenience System
1. Module Gateway
2. Fuel Fired Booster Heater
3. Unit Multi Information Display
4. Touch Screen
5. Module Climate Control
6. Integrated Control Panel
7. Diagnostic Connector
8. Module Navigation Control
9. Module Blind Spot Monitoring Right
10. Camera Rear View
11. Module Blind Spot Monitoring Left
12. Module Image Processing
13. Instrument Cluster
LIN (All LIN Subsystems)
1. Unit Immobiliser Antenna
2. Junction Box Central
3. Motor Roof Blind Front
4. Console Overhead Front
5. Sensor Rain
6. Sounder Battery Backup
7. Module Steering Wheel
8. Cruise Controls Remote
9. Clockspring
10. Module Heater Control Steering Wheel
11. Switch Remote ICE
12. Module Heated Seat Passenger
13. Module Climate Control
14. Sensor Humidity
15. RH Rear Seat Heater Module
16. RH ALR Temperature Door Motor
17. Screen Air Distribution Door Motor
18. Motor Recirculation
19. LH Air Temperature Door Motor
20. Module Climate Control
21. Motor Air Distribution Feet/Face
22. Module Heated Seat Driver
23. Switchpack Rear Console
24. LH Rear Seat Heater Module
25. Module Driver Door
26. Switchpack Mirror Window Driver
27. Module Rear Door Left
28. Module Passenger Door
29. Module Rear Door Right
30. Module Headlamp Leveling Control
31. Headlamp Left
32. Headlamp Right
33. Module Gateway
34. Generator
35. Receiver RF
36. Keyless Vehicle Module
37. Module Voltage Quality
38. Module Battery Monitoring System
39. Module Control Quiescent Current
MOST Rings
1. Touch Screen
2. Connector MOST Diagnostic
3. Integrated Audio
4. Module Audio Amplifier
5. Entertainment Module
6. Module TV Control
7. Module Tuner DAB

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Keyless Vehicle Module | CAN MS Body System |
| TPMS | Junction Box Central | CAN MS/CAN HS |
| Bluetooth | Module Navigation Control | CAN MS Comfort & Convenience |
| FM/AM/XM | Module Navigation Control | CAN MS Comfort & Convenience |
| Cellular | Module Telematic Control | CAN HS Powertrain |
| Internet/Apps | Module Navigation Control | CAN MS Comfort & Convenience |
Diagram
2010 Range Rover Sport
http://static.cargurus.com/images/site/2009/07/14/18/33/2010landroverrangeroversportscpic57937.jpeg
Standards: CAN, MOST
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Proprietary Radio
Cyber Physical: Adaptive Cruise Control, Collision Restraint System
CAN MS
1. Junction box Central
2. Module Passenger Door
3. Module Driver Door
4. Memory Control Module
5. Keyless Vehicle Module
6. Module Climate Control
7. Module Parking Aid
8. Module Cameras
9. Mirror Electrochromic
10. Fuel fired Booster Heater
11. Audio Head Unit
12. Integrated Control Panel Upper
13. Module Climate Control
14. Diagnostic Socket
15. Instrument Cluster
CAN HS
1. ECM
2. AFS Control Module
3. ABS Module
4. Module Speed Control
5. Dynamic Response Module
6. TCM and Control Valve Body
7. Transfer Box Control Module
8. Junction box Central
9. Diagnostic Socket
10. Instrument Cluster
11. Module Steering Column Lock
12. Module Air Suspension
13. Sensor Occupancy Detector
14. Switchpacket Center Console
15. Restraints Control Module
16. Sensor Steering Angle
17. Rear Differential Control Module
18. Module Damping Continuously Variable
19. Module Parking Brake
MOST Rings
1. Audio Head Unit
2. Touch Screen Display
3. Amplifier Power
4. Module Portable Audio Interface
5. Seat Entertainment Module
6. Module Tuner
7. Module Telephone

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Keyless Vehicle Module | CAN MS |
| TPMS | Junction Box Central | CAN MS/CAN HS |
| Bluetooth | Module Telephone | MOST |
| FM/AM/XM | Audio Head Unit | CAN MS |
| Cellular | N/A | N/A |
| Internet/Apps | N/A | N/A |
Diagram
2006 Range Rover Sport
http://images.thecarconnection.com/med/2006landroverrangeroversport4drwgnwhite_100047815_m.jpg
Standards: CAN, MOST
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Proprietary Radio
Cyber Physical: Adaptive Cruise Control
CAN MS
1. Instrument Cluster
2. Diagnostic Socket
3. Fuel Fired Booster Heater
4. Tire Pressure Monitoring Control Module
5. Audio Head Unit
6. Automatic Temperature Control Module
7. Parking Aid Control Module
8. Central Junction Box
CAN HS
1. Instrument Cluster
2. Air Suspension Control Module
3. Sensor Steering Angle
4. Diagnostic Socket
5. Switchpack Center Console
6. Rear Differential Control Module
7. Parking Brake Module
8. Restraints Control Module
9. Speed Control Module
10. ECM
11. Generator
12. Transmission Control Module
13. Transfer Box Control Module
14. ABS
15. Dynamic Response Module
16. AFS ECU
MOST Rings
1. Audio Head Unit
2. Touch Screen Display
3. Amplifier Power
4. Module Portable Audio Interface
5. Seat Entertainment Module
6. Module Tuner
7. Module Telephone

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Keyless Vehicle Module | CAN MS |
| TPMS | Junction Box Central | CAN MS/CAN HS |
| Bluetooth | Module Telephone | MOST |
| FM/AM/XM | Audio Head Unit | CAN MS |
| Cellular | N/A | N/A |
| Internet/Apps | N/A | N/A |
Diagram
2014 Toyota Prius
http://image.automobilemag.com/f/63379071+q100+re0/2014toyotapriusthreequartersdriversview001.jpg
Standards: CAN, LIN, AVCLAN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Cellular, Proprietary Radio, Safety Connect
Cyber Physical: Adaptive Cruise Control, Self Parking System, Pre-Collision System
LIN Power Windows and Sliding Roof
1. Main Body ECU
2. Power Window Regulation Motor Assembly (front passenger)
3. Power Window Regulation Motor Assembly (front driver)
4. Power Window Regulation Motor Assembly (rear passenger)
5. Power Window Regulation Motor Assembly (rear driver)
6. Sliding Roof ECU
7. Multiplex Network Master Switch Assembly
LIN Smart Key System
1. Power Management Control ECU
2. Transmission Control ECU
3. Immobiliser Code ECU
4. Certification ECU
LIN Air Conditioning System
1. Air Conditioning Amplifier Assembly
2. Air Conditioning Control Assembly
CAN v1 Bus
1. Main Body ECU (LIN Also)
2. ECM
3. Power Management ECU (LIN, Power Management Bus, CAN v2 Bus)
4. Transmission Control ECU (LIN Also)
5. Navigation Receiver Assembly
6. Main Body ECU
7. Power Steering ECU
8. Certification ECU
9. Yaw Rate and Acceleration Sensor
10. Airbag ECU Assembly
11. Steering Angle Sensor
12. Skid Control ECU
13. DLC3
14. Combination Meter
CAN Power Management Bus
1. ECM
2. Air Conditioning Amplifier Assembly
3. Skid Control ECU/ABS
4. Power Management Control ECU
CAN v2 Bus
1. Power Management Control ECU
2. Seat Belt Control ECU
3. Driving Support ECU
CAN Parking Assist Bus
1. Driving Support ECU
2. Lane Recognition Camera
3. Millimeter Wave Sensor
AVCLAN
1. Stereo Component Amplifier Assembly
2. XM Satellite Radio Tuner
3. Navigation Receiver

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Certification ECU | LIN/CAN v1 |
| TPMS | TPMS (Display light only) | CAN v1 (Display light only) |
| Bluetooth | Navigation Receiver Assembly | CAN v1 |
| FM/AM/XM | Navigation Receiver Assembly | CAN v1 |
| Cellular | Telematics ECU | None |
| Internet/Apps | N/A | N/A |
Diagram
2010 Toyota Prius
Chris' Prius!
Standards: CAN, LIN, AVCLAN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Cellular, Proprietary Radio, Safety Connect
Cyber Physical: Adaptive Cruise Control, Self Parking System, Pre-Collision System
LIN Power Windows and Sliding Roof
1. Main Body ECU
2. Power Window Regulation Motor Assembly (front passenger)
3. Power Window Regulation Motor Assembly (front driver)
4. Power Window Regulation Motor Assembly (rear passenger)
5. Power Window Regulation Motor Assembly (rear driver)
6. Sliding Roof ECU
7. Multiplex Network Master Switch Assembly
CAN Power Management Bus
1. ECM
2. Air Conditioning Amplifier Assembly
3. Skid Control ECU/ABS
4. Power Management Control ECU
CAN v2 Bus
1. Power Management Control ECU
2. Seat Belt Control ECU
3. Driving Support ECU
CAN v1 Bus
1. Main Body ECU (LIN Also)
2. ECM
3. Power Management ECU (LIN, Power Management Bus, CAN v2 Bus)
4. Transmission Control ECU (LIN Also)
5. Navigation Receiver Assembly
6. Main Body ECU
7. Power Steering ECU
8. Certification ECU
9. Yaw Rate and Acceleration Sensor
10. Airbag ECU Assembly
11. Steering Angle Sensor
12. Skid Control ECU
13. DLC3
14. Combination Meter
CAN Parking Assist Bus
1. Driving Support ECU
2. Lane Recognition Camera
3. Millimeter Wave Sensor
AVCLAN
1. Stereo Component Amplifier Assembly
2. XM Satellite Radio Tuner
3. Navigation Receiver
LIN Smart Key System
1. Power Management Control ECU
2. Transmission Control ECU
3. Immobiliser Code ECU
4. Certification ECU
LIN Air Conditioning System
1. Air Conditioning Amplifier Assembly
2. Air Conditioning Control Assembly
LIN Advanced Parking Guidance
1. Parking Assist ECU
2. Ultra Sonic Sensor LH

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Certification ECU | LIN/CAN v1 |
| TPMS | TPMS ECU (Display light only) | CAN v1 (Display light only) |
| Bluetooth | Navigation Receiver Assembly | CAN v1 |
| FM/AM/XM | Navigation Receiver Assembly | CAN v1 |
| Cellular | Telematics ECU | N/A |
| Internet/Apps | N/A | N/A |
Diagram
2006 Toyota Prius
http://upload.wikimedia.org/wikipedia/commons/6/60/2006_Toyota_Prius.jpg
Standards: CAN, BEAN, AVCLAN
Wireless Communications: Remote Keyless Entry, Bluetooth, AM/FM/XM Radio, Proprietary Radio
Cyber Physical: None
CAN Bus
1. ECM
2. HV ECU
3. Yaw Rate and Deceleration Sensor
4. Battery ECU
5. ABS ECU
6. Electronic Power Steering (EPS) ECU
7. Steering Angle Sensor
8. DLC3
9. Gateway ECU
BEAN Bus
1. Power Source Control ECU
2. Combination Meter
3. Tire Pressure Monitor ECU
4. Certification ECU
5. Transmission Control ECU
6. Transponder Key ECU
7. Driver Side Junction Block
8. A/C ECU
9. Gateway ECU
AVCLAN
1. Navigation ECU
2. Audio Amplifier
3. Radio and Media Player
4. Multi Display
5. Gateway ECU

| Entry Point | ECU | Bus |
|---|---|---|
| RKE | Transponder Key ECU | BEAN |
| TPMS | Tire Pressure Monitor ECU | BEAN (Display light only) |
| Bluetooth | Navigation ECU | AVCLAN |
| FM/AM/XM | Navigation ECU | AVCLAN |
| Cellular | N/A | N/A |
| Internet/Apps | N/A | N/A |
Diagram
Analysis of automotive networks
As you can see, each manufacturer differs not only in remote communications and cyber physical systems, but also in network architecture. This means that remote compromises will generally be different for each manufacturer and each car.
Analysis
• The number of ECUs has increased over time
  o Infiniti went from 11 in 2006 to 34 in 2014
  o Jeep went from 7 in 2010 to 17 in 2014
  o Range Rover went from 41 in 2010 to 98 in 2014
  o Toyota Prius went from 23 in 2006 to 40 in 2014
• There are a large number of ECUs in 2014 vehicles, from 19 (Dodge Viper) to 98 (Range Rover)
• The remote attack surface and the number of cyber physical features have increased as time has gone on.
• The number of different networks in cars (complexity of architecture) has increased over time.
• The addition of ECUs over time is a result of manufacturers requiring more technology, specifically around user experience and safety, which is most easily added to the vehicle by patching it into the multiplex systems available, instead of adding new wiring or networks.
• Vehicles now include common desktop technology, such as web browsers and in-car apps, providing a familiar attack surface known to attackers for many years [12].
• The TPMS and RKE are the most likely ECUs with remote attack surface on the same segment as cyber physical ECUs.
• 6 out of 14 (42%) of the 2014 vehicles we looked at have no separation between at least one cyber physical ECU and one with remote attack surfaces.
• The diagrams of the cars examined (above) show network topologies with a large degree of variance. Some vehicles separate certain functionality while others had most of the technology and cyber physical components on the same bus.
• On the other hand, cars manufactured in the same region tend to have similar network topologies. We've seen common architectures in Japanese (Toyota & Infiniti), German (Audi/VW & BMW), and American (GM & Ford) automobiles. This could be due to similar thought process or engineer turnover.
• Cyber physical controls, such as Adaptive Cruise Control, are more prevalent in newer automobiles. Much of the new technology has to do with customer demand for more safety conscious automobiles. Permitting computers to perform physical actions makes the driver safer, but at the same time gives an attacker built-in functionality to abuse, potentially bringing harm to the passenger and vehicle.
• Our survey shows newer cars have more cyber physical features, but many times these are segmented on different computer networks. Since we did not have all of the cars reviewed in this paper, we cannot say definitively how big of an obstacle segmented networks would put in front of an attacker. From our perspective, we have rarely seen segmentation used for security boundaries; instead, network segmentation is used for non-communicable network buses.
• How patchable is the modern automobile? Right now, we've received several recall notices for the 2010 Ford Escape and the 2010 Toyota Prius. All of them required us to bring the vehicle to a local dealership. It does not appear that many manufacturers support Over the Air (OTA) update at this time (July 2014). We've seen that patching wasn't nearly as effective until Microsoft automated the Windows Update functionality, and we assume vehicles will not be any different.
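The separation question raised in the analysis above can be checked mechanically during a features and architecture review. The following is an added example, not code from the paper: it counts how many bridging ECUs sit between each remote-facing ECU and the nearest cyber physical ECU. The bus membership is a subset constructed from the lists above, and the choice of which ECUs count as cyber physical is an assumption made by matching module names to each vehicle's listed features.

```python
from collections import deque

# Constructed from the bus lists and entry-point tables above (subset of ECUs).
# "cyber_physical" membership is an assumption for this example, chosen by
# matching module names (ACC, PAM, J428 distance regulation, ...) to the
# features listed for each vehicle. Audi J-codes for the remote ECUs are
# mapped from the module names in the bus lists.
VEHICLES = {
    "2014 Jeep Cherokee": {
        "buses": {
            "CAN C": {"ABS", "ACC", "BCM", "EPS", "FFCM", "PAM", "RADIO", "RFHM"},
            "CAN IHS": {"AMP", "BCM", "HVAC", "RADIO"},
        },
        "remote": {"RFHM", "RADIO"},
        "cyber_physical": {"ABS", "ACC", "EPS", "FFCM", "PAM"},
    },
    "2014 Audi A8": {
        "buses": {
            "Drivetrain CAN": {"J623", "J104", "J533"},
            "Convenience CAN": {"J518", "J502", "J533"},
            "Distance Control CAN": {"J428", "J533"},
            "MOST Ring": {"J526", "J507", "J533"},
        },
        "remote": {"J518", "J502", "J526", "J507"},
        "cyber_physical": {"J428", "J104"},
    },
}


def separation(vehicle, start_ecu):
    """Breadth-first search over buses starting at start_ecu.

    Returns (bridge_count, bridging_ecus) for the nearest bus that carries a
    cyber physical ECU, where a bridge is an ECU attached to two buses.
    Returns None when no cyber physical ECU is reachable at all.
    """
    buses = vehicle["buses"]
    targets = vehicle["cyber_physical"] - {start_ecu}
    queue = deque((name, []) for name in sorted(buses) if start_ecu in buses[name])
    seen = {name for name, _ in queue}
    while queue:
        bus, bridges = queue.popleft()
        if buses[bus] & targets:
            return len(bridges), bridges
        for ecu in sorted(buses[bus]):
            for other in sorted(buses):
                if other not in seen and ecu in buses[other]:
                    seen.add(other)
                    queue.append((other, bridges + [ecu]))
    return None


def review(name):
    """Separation result for every remote-facing ECU of one vehicle."""
    vehicle = VEHICLES[name]
    return {ecu: separation(vehicle, ecu) for ecu in sorted(vehicle["remote"])}


def unsegmented(name):
    """Remote-facing ECUs that share a bus with a cyber physical ECU."""
    return [ecu for ecu, res in review(name).items() if res and res[0] == 0]


if __name__ == "__main__":
    for name in VEHICLES:
        print(name)
        for ecu, res in review(name).items():
            if res is None:
                print(f"  {ecu}: no path to a cyber physical ECU")
            else:
                via = ", ".join(res[1]) or "none (same bus)"
                print(f"  {ecu}: {res[0]} bridging ECU(s): {via}")
```

A result of zero bridging ECUs corresponds to the "no separation" case counted in the analysis; a non-zero result names the gateway whose filtering a reviewer should examine next.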
Most Hackable
1. 2014 Jeep Cherokee
2. 2015 Cadillac Escalade
3. 2014 Infiniti Q50
Least Hackable
1. 2014 Dodge Viper
2. 2014 Audi A8
3. 2014 Honda Accord
C&C Car Ratings
Car
2014 Audi A8
2014 Honda Accord LX
2014 Infiniti Q50
2010 Infiniti G37
2014 Jeep Cherokee
2014 Dodge Ram 3500
2014 Chrysler 300
2014 Dodge Viper
2015 Cadillac Escalade
2006 Ford Fusion
2014 Ford Fusion
2014 BMW 3 series
2014 BMW X3
2014 BMW i12
2014 Range Rover Evoque
2010 Range Rover Sport
2006 Range Rover Sport
2014 Toyota Prius
2010 Toyota Prius
2006 Toyota Prius
AttackSurface NetworkArchitecture
++
CyberPhysical
+
+
++
++
++
++
+
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+
++
++
++
Defending Against Remote Attacks
Now that we understand the entire chain of events necessary to go from remotely communicating with a vehicle to controlling cyber physical features, we can have an informed discussion about how to defend against these attacks. As such an attack is necessarily multi-stage in nature, it is our opinion that the defense should be layered as well, making each stage of such an attack difficult to achieve. Below is a list of such ideas.
Secure Remote Endpoints
First, minimize the attack surface and lock down remote services as much as possible. This probably goes without saying. However, as the history of software security shows, complete security is not achievable. Engineering powerhouses like Microsoft and Google still haven't been able to make a web browser that can go a few months without a critical security patch, so there is no reason to think that we'll have a 100% secure Bluetooth stack any time soon. Nonetheless, trying to minimize the number of vulnerabilities is still an important step. On top of all the secure engineering issues, more and more technology is being added every year, creating additional attack surface. While we condone securing remote endpoints, we don't believe it should be the only process used in securing the modern automobile.
CAN Injection Mitigations
Once an attacker gets code running on an ECU, it is possible to make it harder for the attacker to inject CAN messages immediately. For example, the Bluetooth stack probably does not need the ability to send CAN messages (but we can't completely rule anything out). It seems telematics units in the future may run Android, which would have this capability. However, as we've seen with other sandbox technologies (and Android in particular), there is always a way to escape these sandboxes or elevate privileges, say through a Linux kernel exploit, to bypass these mechanisms.
Message Cryptography
One idea often suggested is to cryptographically verify CAN messages to make injection difficult. The idea is that only the ECUs (and mechanics' tools) have the keys and so a random attacker wouldn't be able to send valid CAN messages on the compromised automotive network. This idea may present obstacles for attackers who add rogue devices to automotive networks, but in the context of a remote attack, the attacker is executing code on a compromised ECU. At this point, the keys are also compromised, or at least the ability to send valid CAN messages. So this idea doesn't seem to present much of an obstacle in the remote attack scenario, which is most concerning to consumers and manufacturers alike.
Network Architecture
As we've seen by looking at existing automotive architectures, some automotive networks present more of a challenge to attack safety critical ECUs than others. This forwards the idea that manufacturers should design their automotive networks in such a way to isolate those ECUs with remote functionality from those that control safety critical features. This is a great idea and is definitely recommended. However, it is not a panacea and does not solve all the problems. First, major architectural changes like this are expensive, take years to implement, and most likely aren't going to be happening any time soon.
One of the underlying problems is that while you can isolate these two types of ECUs, some communication between them is likely. This means there will have to be some kind of bridge/gateway between them. This bridge ECU then opens up the possibility of being tricked into forwarding messages or straight up becoming the target of compromise. While this does add an additional barrier (for example, the academic researchers cited throughout this work were able to move from one network to the other by compromising the bridge), it is not going to be perfect, and may even become the single point of failure.
Additionally, with more connectivity technology, including Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I), becoming more prevalent, there seems to be the requirement of remote communications devices talking to cyber physical components. For example, for V2V collision avoidance systems to work correctly a wireless component must receive a signal and send messages that control braking and/or steering.
Attack Detection
A final suggestion is to add attack detection and prevention technology into critical CAN networks. This represents an inexpensive and accurate way to greatly improve the security of CAN networks and can be added to vehicles immediately, especially since most major cyber physical components rely on CAN (although Flexray and other communications protocols are gaining traction).
While attack detection typically doesn't work well in enterprise network environments, initial data shows that it works quite well in automotive networks. The primary difference is that automotive networks are highly regular and only involve computers talking with computers, without human interaction. Furthermore, while typical software exploits can vary widely and can be designed to be stealthy, this doesn't appear possible in automotive networks. All known CAN injection attacks (both ours and the academic researchers') take one of two forms. They are either CAN diagnostic messages or they are standard messages with a highly inflated send rate.
While it is obvious why diagnostic messages might be dangerous, it may need a quick discussion of why normal messages used for attack must be transmitted at a much higher rate than normal. The rate must be higher because there are always messages going from ECUs to ECUs. Unless the attacker happens to be on the ECU that sends the particular message the attacker wishes to inject, the original ECU will still be sending the original message along with the attacker.
That means the attacker can send the same message but the target ECU will be receiving messages from the original ECU and the attacker. At this point, the rate of the CAN messages is higher than normal. But, even more so, in practice, the way an attacker ensures the target ECU listens to the injected messages and not the original ones is to send them even faster than the original ECU. Regardless of the normal message injection attack, the rate of messages will be twice as high as normal and in practice 20-100x higher than normal. The point is that abnormal messages occur whether the attacker is sending diagnostic messages or normal messages at an increased rate, permitting easy detection and possible prevention of attacks.
The other interesting aspect of detection, unlike the other possibilities mentioned here, is that individual researchers can build and test these devices. All of our attacks are published and important aspects of the academics' are public as well. As a proof of concept, we built a small device that plugs into the OBD-II port of a car, learns traffic patterns, and then detects anomalies. When the device does detect something, it short circuits the CAN bus, thus disabling all CAN messages, see Figure below.
CAN defense and protection mechanism
While this particular device plugs into the OBD-II port, it could just as easily be wired directly into the CAN bus or manufacturers could easily integrate these simple algorithms into existing ECUs at almost no cost.
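The learn-then-detect idea described in this section, as an added example (not the authors' device code): it counts frames per CAN ID per time window, learns a baseline, and flags diagnostic IDs and IDs sent well above their learned rate. The diagnostic ID set, the 1.5x threshold, the window size, the unknown-ID check and the sample IDs are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: the OBD-II 11-bit diagnostic IDs (0x7DF, 0x7E0-0x7EF);
# manufacturers also use other diagnostic IDs, so adjust per vehicle.
DIAGNOSTIC_IDS = frozenset({0x7DF} | set(range(0x7E0, 0x7F0)))

class CanRateDetector:
    """Learns per-ID frame counts per time window, then flags anomalies."""

    def __init__(self, window=1.0, rate_factor=1.5, diagnostic_ids=DIAGNOSTIC_IDS):
        self.window = window            # seconds per counting window
        # Injection beside the original sender doubles an ID's rate or more;
        # 1.5x (an assumed threshold) leaves margin for timing jitter.
        self.rate_factor = rate_factor
        self.diagnostic_ids = diagnostic_ids
        self.baseline = {}              # can_id -> max frames seen per window

    def count_windows(self, frames):
        """Group (timestamp, can_id) frames into per-window ID counts."""
        buckets = defaultdict(lambda: defaultdict(int))
        for ts, can_id in frames:
            buckets[int(ts // self.window)][can_id] += 1
        return sorted(buckets.items())

    def learn(self, frames):
        for _, counts in self.count_windows(frames):
            for can_id, n in counts.items():
                self.baseline[can_id] = max(self.baseline.get(can_id, 0), n)

    def detect(self, frames):
        alerts = []
        for win, counts in self.count_windows(frames):
            for can_id, n in sorted(counts.items()):
                if can_id in self.diagnostic_ids:
                    alerts.append((win, can_id, "diagnostic"))
                elif can_id not in self.baseline:   # never seen while learning
                    alerts.append((win, can_id, "unknown-id"))
                elif n >= self.rate_factor * self.baseline[can_id]:
                    alerts.append((win, can_id, "rate"))
        return alerts

def constructed_trace(ids_hz, seconds, start=0.0):
    """Constructed sample traffic: each ID sent periodically at ids_hz[id] Hz."""
    return sorted((start + k / hz, can_id)
                  for can_id, hz in ids_hz.items()
                  for k in range(int(seconds * hz)))

def demo():
    normal = {0x0B4: 100, 0x1A0: 10}    # hypothetical IDs and rates
    det = CanRateDetector()
    det.learn(constructed_trace(normal, 3))
    suspect = constructed_trace(normal, 2)
    suspect.append((0.5, 0x7E0))                              # one diagnostic frame
    suspect += constructed_trace({0x1A0: 200}, 1, start=1.0)  # 20x-rate injection
    return det.detect(suspect)
```

Each alert is a (window index, CAN ID, reason) tuple; what to do on an alert is left to the caller.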
Conclusions
Remote attacks against vehicles having physical implications will typically need three stages. These three stages are remote compromise, sending injected messages to cyber physical components, and making the destination ECU perform some unsafe action. In this paper, for a large variety of vehicles, we identified the remote attack surface to estimate how difficult remote compromise might be. We then examined the architecture of the internal networks of each vehicle, identifying the location of ECUs which process external inputs as well as ECUs that contain capabilities to cause physical changes to the vehicle. This will give an indication of how easy it would be to get messages from the former to the latter. Finally, we identify the features that the car possesses which may help in taking physical control of the vehicle. Combining this data, we can make rough estimates on the difficulty of remote exploitation for these vehicles. Since these types of remote attacks will necessarily be multi-stage, we recommend a defense in depth strategy that includes detection of message injection as part of an overall safety strategy.
References
[1] http://bwrcs.eecs.berkeley.edu/Classes/icdesign/ee241_s05/Projects/Midterm/VictorWen.pdf
[2] http://ftp.cse.sc.edu/reports/drafts/2010002tpms.pdf
[3] http://www.autosec.org/pubs/carsusenixsec2011.pdf
[4] http://networksasia.net/article/fsecurewarnsagainsthtcbluetoothexploit1247839201
[5] http://www.defcon.org/images/defcon15/dc15presentations/dc15barisani_and_bianco.pdf
[6] http://datasheets.maximintegrated.com/en/ds/MAX1471.pdf
[7] http://www.codenomicon.com/resources/whitepapers/codenomicon_wp_Fuzzing_Bluetooth_20110919.pdf
[8] http://en.wikipedia.org/wiki/Radio_Data_System
[9] http://illmatics.com/car_hacking.pdf
[10] http://www.fsecure.com/vulnerabilities/SA201106648
[11] http://www.networkworld.com/article/2231495/ciscosubnet/defconhackingtirepressuremonitorsremotely.html
[12] http://en.wikipedia.org/wiki/Pwn2Own