By Dennis Kengo Oka, Principal Automotive Security Strategist, Synopsys Software Integrity Group
A modern vehicle typically supports communication over several different wireless interfaces such as Wi-Fi, Bluetooth, cellular network, vehicle-to-X (V2X), GPS, etc. These wireless communication technologies enable new use cases to improve the user experience as well as new features and functions such as autonomous driving and route planning. While wireless communication has several benefits, it also presents a potential attack vector for hackers. In particular, wireless communication has the added risk that potential attacks can be conducted remotely with no need for physical access to the target vehicle. In addition, a large number of connected vehicles can generally be targeted with less effort compared to the effort required to physically attack multiple vehicles individually.
Wireless interfaces have a higher attack feasibility as illustrated in the following table, which is based on the attack vector-based approach referenced in ISO/SAE FDIS 21434 Road Vehicles – Cybersecurity Engineering.
As indicated by the bolded words in the table, wireless communication interfaces generally pose a greater risk for attacks since they are more accessible, requiring no physical access compared to local or physical attacks that require physical access.
A modern vehicle has multiple networks for sharing information, including wireless channels to support various use cases. For example, Wi-Fi is used to communicate between in-vehicle components, to turn vehicles into access points, and for vehicles to behave like a client to connect to, say, a home network.
Bluetooth communication is typically used for communication between a user’s mobile device and the vehicle to improve the user experience, such as to provide audio streaming or support phone calls. Some keyless entry systems are also using Bluetooth Low Energy between the key fob and vehicle. Both Wi-Fi and Bluetooth are short-range communication technologies typically ranging between 10 and 30 m.
On the other hand, cellular network communications are used for long-range communication between vehicles and backend systems. Telematics units providing cellular network communication support several use cases, including roadside assistance, remote diagnostics, stolen vehicle tracking, and software updates.
Additional wireless communications include V2X communication, which could be based on either DSRC (IEEE 802.11p/IEEE 1609) or C-V2X (3GPP), where the former is based on Wi-Fi and the latter on cellular connectivity. Use cases for these communication protocols include emergency brake warnings, traffic jam warnings, intersection movement assist, and lane change warnings.
There have been several examples in the past where attackers have used wireless communication to target passenger vehicles and compromised not only the communication units but also gained further access to safety-critical systems in the in-vehicle network. One famous example from 2015 is when security researchers gained access to a vehicle over both Wi-Fi and cellular communication. Similar examples targeting both Wi-Fi and cellular communication have occurred in the years following. In 2020, there were a couple of examples where security researchers exploited vulnerabilities in Bluetooth to gain access to the target vehicle. All of these different examples include exploiting vulnerabilities in the lower layers of the communication as well as upper layers including the application layer.
The most common wireless attack surfaces to date have been over Wi-Fi, Bluetooth, and cellular network communication; however, with new technological advancements, other wireless interfaces may become the focal point in the future.
The National Highway Traffic Safety Administration (NHTSA) provides technical cybersecurity best practices on wireless paths into vehicles in its updated NHTSA cybersecurity best practices document. Examples include treating all networks external to a vehicle’s wireless interfaces as untrusted, applying network segmentation and isolation techniques in the vehicle architecture design, limiting use and access of network services on the vehicle, using secure communication with backend servers, and implementing capabilities to alter routing rules to block access to potentially vulnerable vehicles.
It’s worth noting that wireless communication is not specific to automotive and, therefore, it’s possible for organizations to consider other best practices and lessons learned regarding wireless communication from other industries as well. For example, it is important to continuously monitor and be aware of wireless attacks occurring in other industries as the same hardware or software may be used in automotive systems too.
It is important to consider security starting from the hardware layer through all the software layers. For example, hardware-specific vulnerabilities may affect a certain chip that is used in millions of devices. In 2020, security researchers identified a vulnerability in a Wi-Fi chip that allows unauthorized decryption of some WPA2-encrypted traffic.
Also critical is considering security during chip design and using appropriate IP building blocks. To enable secure wireless communication on a hardware level, it’s necessary to, for instance, ensure that hardware wireless interfaces are designed with robust protections. Moreover, it is crucial to include a secure hardware root of trust that can support cryptographic functions used to establish secure communication, such as an AES crypto core and secure storage to store cryptographic keys and credentials. In addition, the root of trust can provide secure boot to prevent an attacker from making malicious code or backdoors persistent in a vulnerable system.
Software vulnerabilities can range from the lower layers in the communication stacks to upper layers in the application software and can be caused by design flaws or implementation mistakes. One famous example affecting secure communication is the Heartbleed vulnerability in the OpenSSL cryptographic library. This vulnerability allows an attacker to extract potentially sensitive data such as secret keys, usernames, and passwords from servers running vulnerable versions of OpenSSL. This vulnerability was discovered in 2014 using a fuzz testing tool. Fuzzing is an effective technique for detecting issues in protocol stacks and parsers: it provides malformed input to the target system and observes the resulting behavior.
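The following added example (not part of the original article, and not OpenSSL code) shows the fuzzing idea on a constructed toy record format: a small harness feeds well-formed and malformed records to a parser that trusts a claimed length field and to a hardened one that checks it. The record layout, function names, and `ADJACENT` buffer are assumptions made for the illustration.

```python
import random
import struct

# Constructed toy record (not the TLS wire format): a 2-byte big-endian
# claimed payload length, then the payload. The service echoes the payload.
ADJACENT = b"UNRELATED-PROCESS-DATA-" * 3  # stand-in for neighbouring memory

def echo_flawed(memory: bytes, received: int) -> bytes:
    """Trusts the claimed length and never compares it with `received`."""
    (claimed,) = struct.unpack_from(">H", memory, 0)
    return memory[2:2 + claimed]

def echo_hardened(memory: bytes, received: int) -> bytes:
    """Rejects records whose claimed length exceeds the bytes received."""
    if received < 2:
        raise ValueError("truncated header")
    (claimed,) = struct.unpack_from(">H", memory, 0)
    if claimed > received - 2:
        raise ValueError("claimed length exceeds received payload")
    return memory[2:2 + claimed]

def fuzz(target, iterations: int = 2000, seed: int = 1) -> list:
    """Send well-formed and malformed records; return the inputs whose reply
    contains bytes that were never part of the payload sent."""
    rng = random.Random(seed)  # fixed seed so findings are reproducible
    findings = []
    for _ in range(iterations):
        payload = bytes(rng.randrange(256) for _ in range(rng.randint(0, 16)))
        claimed = rng.choice([len(payload), rng.randint(0, 0xFFFF)])
        record = struct.pack(">H", claimed) + payload
        try:
            reply = target(record + ADJACENT, len(record))
        except ValueError:
            continue  # a clean rejection is the desired behaviour
        if reply != payload[:len(reply)]:  # oracle: reply must come from payload
            findings.append(record)
    return findings

if __name__ == "__main__":
    print("flawed parser findings:  ", len(fuzz(echo_flawed)))
    print("hardened parser findings:", len(fuzz(echo_hardened)))
```

The oracle is the important part: the harness does not wait for a crash but checks an invariant of the protocol, which is how silent over-reads become visible during testing.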
Furthermore, there is an example where custom code in a telematics unit contained a buffer overflow vulnerability allowing an attacker to remotely send exploit code to compromise the system. This type of coding mistake and implementation flaw can generally be detected using static analysis and be avoided by following secure coding guidelines.
Additionally, open-source software (OSS) is often used in communication stacks. BlueBorne, a well-known set of vulnerabilities from 2017, affected more than eight billion devices, including Android and Linux-based devices. Automotive organizations can use software composition analysis to track the OSS communication stacks in their released products and to detect and manage known vulnerabilities in them.
Moreover, besides software implementation flaws, there are several examples of common design issues. For example, communication between a vehicle and the backend system is conducted in plain text, making the communication susceptible to eavesdropping attacks. There have also been examples where network services on vehicles are accessible remotely without any authentication. Additionally, there have been cases where the authentication mechanism has not been properly implemented; for example, it does not verify the receiving certificates properly and is, therefore, susceptible to man-in-the-middle attacks.
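As an added example (not from the original article), the sketch below places a TLS client configuration that skips certificate verification next to a hardened one, with a small audit function that flags both design issues named above: plaintext transport and unverified certificates. The function names and the `backend.example.invalid` endpoints are constructed for the illustration.

```python
import ssl
from urllib.parse import urlsplit

def lax_context() -> ssl.SSLContext:
    """Flawed client setup: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # peer certificate chain is never validated
    return ctx

def strict_context(cafile=None) -> ssl.SSLContext:
    """Hardened client setup: chain validation and hostname matching enforced.
    Pass `cafile` to trust only the backend's own CA instead of the system store."""
    return ssl.create_default_context(cafile=cafile)

def audit_channel(url: str, ctx=None) -> list:
    """Return a list of findings for a vehicle-to-backend channel definition."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("plaintext transport: traffic is open to eavesdropping")
        return findings
    if ctx is None:
        findings.append("no TLS context supplied: verification settings unknown")
        return findings
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server name")
    return findings

if __name__ == "__main__":
    # Constructed endpoints; nothing is contacted over the network.
    cases = [
        ("http://backend.example.invalid/telemetry", None),
        ("https://backend.example.invalid/telemetry", lax_context()),
        ("https://backend.example.invalid/telemetry", strict_context()),
    ]
    for url, ctx in cases:
        print(url, "->", audit_channel(url, ctx) or "no findings")
```

A check of this kind can run as a unit test in the client's build so that a debugging shortcut which disables verification does not reach a release.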
Several Bluetooth-enabled automotive systems have in the past used static and fixed PINs such as 0000 and 1234. Some Wi-Fi enabled automotive systems act as hotspots and use fixed SSIDs that are broadcast, which makes it easy to identify and track such vehicles. Other systems automatically connect over Wi-Fi to predefined SSIDs, which makes them susceptible to the evil twin attack. There are also examples where the randomly generated Wi-Fi passwords are based on low entropy data such as a fixed date, which makes the password susceptible to a brute-force attack. By conducting a TARA (threat analysis and risk assessment) of the target system early in the development lifecycle, it is possible to detect these types of design issues and define appropriate security controls. It may also be possible to detect these types of issues during a penetration test of the automotive system.
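The low-entropy password issue can be quantified during design review. The added example below (not from the original article) compares a hypothetical generator whose only secret input is a calendar date with one that draws from the operating system's CSPRNG, and measures the effective entropy of each; the generator, alphabet, length, and date window are all assumptions chosen for illustration.

```python
import math
import random
import secrets
import string
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
LENGTH = 8
# Constructed review window: any build date within ten years.
WINDOW_START, WINDOW_END = date(2010, 1, 1), date(2019, 12, 31)

def weak_password(day: date) -> str:
    """Flawed design: the password is fully determined by a date."""
    rng = random.Random(day.toordinal())  # deterministic PRNG, guessable seed
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))

def strong_password() -> str:
    """Hardened design: every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))

def nominal_bits() -> float:
    """Entropy the format suggests: LENGTH symbols chosen independently."""
    return LENGTH * math.log2(len(ALPHABET))

def weak_keyspace(first: date, last: date) -> int:
    """Number of distinct passwords the weak generator can ever emit
    when the seed date lies between `first` and `last` inclusive."""
    days = (last - first).days + 1
    return len({weak_password(first + timedelta(days=d)) for d in range(days)})

def effective_bits(keyspace: int) -> float:
    """Entropy actually available, given the count of possible outputs."""
    return math.log2(keyspace)

if __name__ == "__main__":
    space = weak_keyspace(WINDOW_START, WINDOW_END)
    print(f"format suggests  : {nominal_bits():.1f} bits")
    print(f"date-seeded gives: {effective_bits(space):.1f} bits ({space} passwords)")
    print(f"CSPRNG sample    : {strong_password()}")
```

Both generators produce passwords that look equally random, so the gap only shows up when the review counts possible seeds rather than possible strings.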
As the automotive industry continues to evolve, vehicles will support more advanced use cases based on wireless communication, and it will become increasingly important to consider building secure wireless communication based on a strong hardware foundation and software layers developed following best practices for secure software development.