Trends in ECU vulnerabilities highlighted at DEF CON 2020

James Tyrrell, a Threat Modelling Analyst at Secure-CAV consortium member Copper Horse, takes a virtual seat at this year’s Car Hacking Village – a popular conference track and interactive event at DEF CON.

DEF CON’s Car Hacking Village is a great opportunity to discover more about automotive cybersecurity as researchers from around the world share their latest findings. One of the talks that caught my eye at this year’s conference, held online due to Covid-19, was a study carried out by NDIAS – a Japan-based automotive cybersecurity assessment group, directed by Tatsuya Katsuhara.

In their work, the NDIAS engineers tested over 40 electronic control units (ECUs) provided by multiple manufacturers. The data set featured (based on the percentages given in the slideshow) 15 in-vehicle infotainment units, 8 telematic control units and 8 gateway ECUs, as well as other devices such as advanced driver-assistance systems, smart key units and electric vehicle chargers.

Mapping the hotspots

To map the ECU security hotspots, the group recorded the whereabouts of each of the more than 300 vulnerabilities detected as part of the software and hardware analysis. From their results, 67% of vulnerabilities were found at the operating system/basic software module level, 20% were hardware related and 13% originated in the application layer. But the evaluation didn’t stop there.

Each scenario was given a risk score based on the feasibility of the attack and the damage impact on the vehicle (a methodology that we are using in our threat modelling work for Secure-CAV, following requirements given by the draft ISO/SAE DIS 21434 ‘Road vehicles – Cybersecurity engineering’). In terms of the highest risk vulnerabilities, the Japanese engineers found that software issues dominated, made worse by the application of out-of-date or misconfigured packages.

The results highlight the threat posed by security errors especially in complex ECUs, which can present attackers with a wide range of entry points – from debugging ports through to cellular connections.

Considering high and medium vulnerabilities at local network interfaces, more than half (58%) were associated with the Controller Area Network (CAN). Drilling down into the common issues, the NDIAS group flags Unified Diagnostic Services (UDS) as an area to pay attention to. Specifically, the researchers note broken Security Access protection as a recurring theme – for example, underutilization of hardware security modules for storing credentials as well as a lack of entropy in seed generation. In testing, the group noticed that resetting some ECUs would produce the same random sequence.
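The reset behaviour described above can be checked during ECU validation by comparing the Security Access seeds an ECU issues after each power cycle. The following is an added example, not NDIAS's tooling or code from the talk: the log format, boot numbering and seed values are constructed, and it assumes the seed responses have already been captured from the diagnostic bus.

```python
from collections import defaultdict

# Constructed sample capture: (boot cycle, UDS response bytes as hex).
# 0x67 = positive response to SecurityAccess (0x27); an odd sub-function
# byte marks a requestSeed reply, so the remaining bytes are the seed.
SAMPLE_LOG = [
    (1, "67 01 3A 91 C4 07"),
    (1, "67 01 B2 5E 10 F9"),
    (1, "67 02"),              # sendKey accepted: carries no seed
    (2, "67 01 3A 91 C4 07"),  # same sequence again after a reset
    (2, "67 01 B2 5E 10 F9"),
    (3, "67 01 3A 91 C4 07"),
    (3, "67 01 77 77 00 21"),
    (3, "67 01 00 00 00 00"),  # all-zero seed: ECU already unlocked
]

def seeds_by_boot(log):
    """Return {boot: [seed, ...]} for requestSeed responses only."""
    out = defaultdict(list)
    for boot, payload in log:
        data = bytes.fromhex(payload)
        if len(data) <= 2 or data[0] != 0x67 or data[1] % 2 == 0:
            continue
        seed = data[2:]
        if any(seed):  # skip the all-zero "already unlocked" reply
            out[boot].append(seed)
    return dict(out)

def audit(log):
    """Flag seed reuse that points to a generator restarting from fixed state."""
    per_boot = seeds_by_boot(log)
    boots = sorted(per_boot)
    findings = {"repeat_in_boot": [], "same_first_seed": [], "same_sequence": []}
    for i, a in enumerate(boots):
        if len(set(per_boot[a])) < len(per_boot[a]):
            findings["repeat_in_boot"].append(a)
        for b in boots[i + 1:]:
            if per_boot[a][0] == per_boot[b][0]:
                findings["same_first_seed"].append((a, b))
            if per_boot[a] == per_boot[b]:
                findings["same_sequence"].append((a, b))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any entry under `same_first_seed` or `same_sequence` means the seed generator is not drawing fresh entropy at start-up, which is the condition to fix before release.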

Ultimately, developers will need to raise the bar and, encouragingly, the team notes movement in that direction – for example, increased support for message authentication codes across in-vehicle networks.

Three generations of car cybersecurity

Like many, Katsuhara feels that Miller and Valasek’s remote takeover of a Jeep Cherokee in 2015 was a watershed moment for the automotive industry. Considering the timeline of responses that have followed, he divides this activity into three phases – referred to as first-, second- and third-generation car cybersecurity in his presentation.

Measures such as gateway ECUs mark the first phase, beginning after the Jeep hack. But more substantial changes in automotive electronic platforms took longer to appear, reflecting the multiyear process of new vehicle development. Modern automobiles on the road today fall into phase two, Katsuhara explains.

Looking to the future, he notes that third generation car cybersecurity will be shaped by regulations such as those submitted by WP29 (The UNECE World Forum for Harmonization of Vehicle Regulations), which come into effect from 2021 onwards, and ISO/SAE DIS 21434 (currently under development).

Approaching requirements include a responsibility for car makers to detect and respond to security incidents across a fleet of vehicles and to engage in activities such as threat modelling to focus design efforts.

All of the talks from this year’s DEF CON Car Hacking Village can be found on YouTube.
