Koji Nakao, Dai Arisue NICT, Japan Case Studies (existing incidents) -Identification of Threats and Vulnerabilities- Koji Nakao, Dai Arisue NICT, Japan

Background In the most of security incidents, vulnerabilities and threats are correlated. Each definition can be found in cybersecurity environment as follows: Threat: Potential cause of an unwanted incident, which may result in harm to a system or organization (ISO/IEC 27000) Vulnerability: Any weakness that could be exploited to violate a system or the information it contains (ITU-T X.1500) To practically identify threats and vulnerabilities, this contribution provides a set of existing incidents in the vehicle environment and recognize related threats and vulnerabilities. Recommended countermeasures are also identified (after ). This contribution will be helpful to study the countermeasures to be installed in the matrix.

Case 1: Remote hacking (Jeep) Two researchers have succeeded to intrude vehicle device control system via wireless connection. They did connect Vehicle LAN to control Vehicle (engine and handle…) using CAN commands. Vulnerabilities : 75(software bugs)  Bugs fixed. 92(system design exploited : inadequate design and planning or lack of adaption (D- Bus opened))  Vulnerability check & Security by Design Threats : 68 (Hardware or software, engineered to enable an attack or fail to meet design criteria to stop an attack)  Security by Design 24 (Malicious internal (e.g. CAN) messages)  Abnormal message detection 886 (Attacking vehicle internal network by illegally monitoring, changing, fabricating information and refusing service, etc.)  Illegal monitoring detection

Case 2: Misuse of after-marketing tool (insurance rate estimation tool) Insurance rate estimation tool was inserted to OBD-II port for sending vehicle information to the insurance company via mobile connection. Attackers maliciously used this vulnerable configuration and succeeded to intrude and control the vehicle (wiper and brake…). Vulnerabilities : 75(software bugs)  Bugs fixed 92(system design exploited : inadequate design and planning or lack of adaption)  Vulnerability check & Security by Design 33 (Damage caused by a third party. Sensitive data may be lost or compromised due to physical damages in cases of traffic accident or theft)  Tools/Devices provided by third parties need to be evaluated before implementing them Threats : 67 (Manipulation of hardware & software, Manipulation of information, e.g. hardware added to a vehicle to enable "man-in-the-middle" attack)  Manipulation detection 24 (Malicious internal (e.g. CAN) messages)  Abnormal messages detection 25 (Malicious infrastructure to vehicle messages (e.g CAM, DENM))  Abnormal messages detection 886 (Attacking vehicle internal network by illegally monitoring, changing, fabricating information and refusing service, etc.)  Illegal monitoring detection

Case 3: IoT malware injection (Mirai… ) IoT malwares (Mirai, Bashlight, Hajime…) are often injected to IoT devices including Vehicle devices. The malware Mirai was observed by sending DDoS traffic to the external systems or organizations. Once such malwares are injected inside a vehicle, the malware do almost everything including information leakage and using malicious internal messages and so on. Vulnerabilities : 75(software bugs)  Bugs fixed 93 (Using remainders from development (e.g. debug ports, JTAG ports, development certificates, developer passwords, …) to gain access to ECUs or gain higher privileges)  Vulnerability check & Security by Design Threats : 72 (Malicious software, Malicious software activity)  Malware detection 8（Dos: Sending a large number of garbage data to vehicle information system, so that it is unable to provide services in the normal manner） DoS mitigation facility needs to be implemented in the network sides/ DoS detection and cut off the connection 9 (vehicle used as a means to propagate an attack: Transmission of false/unreliable/contaminated data or V2V messages to other vehicles)  Malware detection and abnormal message detection 10（attack on external devices connected to a vehicle: Use of a vehicle as means to compromise connected devices） Monitoring the external traffic and detection of external attacks 11（attack on infrastructure: Transmission of false/unreliable/contaminated data to infrastructure） Existing countermeasures can be applied xx（attack on network: Vehicle acting as a botnet） Same with Threat 10 24（communication channels used to attack a vehicle: Malicious internal (e.g. CAN) messages）  Abnormal message detection

Case 4: Misuse of electronic device (smart key) “Smart Key” system is often utilized in many vehicles to start vehicle engine without insert key. Using this vulnerable system, an attacker gets the vehicle signal far distance from the vehicle and amplifies the signal to start vehicle illegally for stealing it. Vulnerabilities : 75(software bugs)  Bugs fixed 92(system design exploited : inadequate design and planning or lack of adaption)  Vulnerability check & Security by Design Threats : 68 (Hardware or software, engineered to enable an attack or fail to meet design criteria to stop an attack)  Vulnerability check & Security by Design 15 (Spoofing of messages (e.g. 802.11p V2X during platooning, etc.) by impersonation)  Strengthen authentication and encryption 886 (Attacking vehicle internal network by illegally monitoring, changing, fabricating information and refusing service, etc.)  Illegal monitoring detection

Case 5: Misuse of electronic device (Immobiliser) Immobiliser (electronic device that prevents an automobile engine from running without the key) was maliciously used for stealing the vehicle. There was a vulnerability that a malicious guy can register a new key to the vehicle with Immobiliser. Vulnerabilities : 93 (Using remainders from development (e.g. debug ports, JTAG ports, development certificates, developer passwords, …) to gain access to ECUs or gain higher)  Vulnerability check and security by design Threats : 68 (Hardware or software, engineered to enable an attack or fail to meet design criteria to stop an attack)  Vulnerability check & Security by Design 87 (Malicious remote instructions (e.g. activate or deactivate immobilizer, etc.)） Vulnerability check & Security by Design

Case 6: Misuse of specific application Vulnerability in the specific application of the electronic vehicle was misused to control air condition/fun and to obtain drive recode information through the Internet. No authentication system was implemented in the application. The attacker only used 5 digit of Vehicle ID to access the control. Vulnerabilities : 75(software bugs)  Bugs fixed 94 (Using deprecated methods for hashing cryptographic algorithms (e.g. MD5, SHA-1) e.g. to gain access to ECUs (by signing and installing unauthorized))  Strengthen cryptographic methods 93 (Using remainders from development (e.g. debug ports, JTAG ports, development certificates, developer passwords, …) to gain access to ECUs or gain higher)  Vulnerability check and security by design Threats : 87 (Malicious remote instructions (e.g. activate or deactivate immobilizer, etc.)）  Vulnerability check & Security by Design

Case 7: Misuse of Wireless access (short PW) Length of Password was short enough to be hacked for wireless access in PHEV vehicle. A mobile application for remote control was hacked using this vulnerability to maliciously control light and air condition and so. In this case, there was no way to change the password in this specification. Vulnerabilities : 75(software bugs)  Bugs fixed 90 (Combination of short encryption keys and long period of validity enables attacker to break encryption)  Strengthen cryptographic methods 94 (Using deprecated methods for hashing cryptographic algorithms (e.g. MD5, SHA-1) e.g. to gain access to ECUs (by signing and installing unauthorized))  Strengthen cryptographic methods Threats : 87 (Malicious remote instructions (e.g. activate or deactivate immobilizer, etc.)）  Vulnerability check & Security by Design

Case 8: Jamming attack and spoofing attack to sensors Chinese research team evaluated contactless attacks against millimeter wave radar, ultrasonic waves sensor, monitor camera sensors in vehicle equipped with devices for supporting safe driving. As the results, the researchers pointed out large possibilities that the vehicle will be damaged and/or crashed against jamming attack and spoofing attack. Vulnerabilities : 93 (Using remainders from development (e.g. debug ports, JTAG ports, development certificates, developer passwords, …) to gain access to ECUs or gain higher)??  Vulnerability check & Security by Design Threats : 3 (Jamming (via natural or unnatural interferences) of radio based (wireless) systems including navigation systems） Jamming detection and cut off the connection 15 (Spoofing of messages (e.g. 802.11p V2X during platooning, etc.) by impersonation)  Spoofing messages detection 68 (Hardware or software, engineered to enable an attack or fail to meet design criteria to stop an attack)  Vulnerability check & Security by Design