The more connected features that modern vehicles offer, the richer the attack surface gets, and the more diverse the threat space becomes. Examining the threat landscape is an essential step in understanding the cyber risks that modern vehicles are exposed to and the required cybersecurity controls to reduce or eliminate that risk. The intent of this chapter is not to serve as an exhaustive reference on all possible cybersecurity threats and attacks that impact a modern vehicle, but rather to serve as a representative catalog of threats to be considered by practitioners in the field. Whether you are a vehicle manufacturer, an electronic control unit (ECU) supplier, or a component supplier, you are encouraged to build upon the threats presented here to create a tailored threat catalog that fits your vehicle systems and update it frequently to aid engineers who are performing security analysis. A secondary goal of this chapter is to establish...

Before diving into real-world threats, let’s first define what a threat is and how it differs from an attack. Simply put, a threat represents the possibility of achieving an adverse effect on the vehicle stakeholders, through the exploitation of a security vulnerability or weakness. For example, an ECU that receives data over an insecure channel is exposed to the threat of data tampering by a threat agent with access to the vehicle network. On the other hand, an attack is the actual exploitation of a vulnerability or a weakness to realize the threat. For example, the threat of vehicle network data tampering can be realized by an attack in which network messages are intercepted, modified, and retransmitted to the target ECU. To derive attacks for a specific threat, it helps to identify the underlying vulnerability or weakness that makes the threat viable, turning the possibility of compromise (threat) into a realized action (attack...

In Chapter 1, we explored the various E/E architecture types from the highly distributed, to the domain centralized, and finally, the zone architecture. In this section, we will highlight the threats against each type of architectural layout.

Highly distributed E/E architecture

A typical weakness of such architecture is that security-critical ECUs may be reached from multiple attack surfaces, without the possibility of cleanly separating the domains. One of our security principles in Chapter 2 was domain separation, which required the physical and logical separation of the domains of various levels of security needs.

An example of a weak architecture is that of the famous Jeep hack in which the infotainment ECU was on the same network segment as the brake ECU [28].

Figure 3.11 – 2014 Jeep Cherokee architecture (source is [28])

This enabled an attacker who managed to compromise the infotainment ECU to start...

In-vehicle networking protocols enable ECUs, sensors, and in some cases, actuators to communicate under strict real-time and low-cost constraints. However, since the primary design objective of these networking protocols is efficient and deterministic communication, it is not unusual for some of these protocols to exhibit serious security weaknesses. In this section, we examine the weaknesses and in-vehicle networking protocols and highlight the corresponding attacks that can exploit them.

CAN

A simple Google search on CAN security yields hundreds of papers and articles on how CAN is not secure. While earlier versions of CAN such as CAN 2.0 and CAN FD did not consider security while the protocol was being defined, a more recent variant called CAN XL [REF29] now offers a security extension that protects the data link layer. Nevertheless, CAN XL is in its infancy, so we have to judge the security of the CAN protocol based on the first two variants...

As we saw in Chapter 1, sensors play a critical role in the ability of the vehicle to determine its current state and to apply the correct control, given a specific driving situation. Attackers who want to influence the vehicle’s ability in performing its functions will find that sensors form a rich attack surface. Vehicle sensors are often connected to the vehicle’s network, which can make them vulnerable to cyberattacks potentially leading to accidents or other safety issues. In addition, sensors in vehicles often collect and transmit data, which could be vulnerable to tampering or manipulation. Attackers could potentially alter sensor data to mislead the vehicle’s control systems or gain access to sensitive information.

We differentiate between two types of sensors, based on the level of exposure to external attacks [18]:

• Environment sensors: For example, Light Detection and Ranging (LiDAR), ultrasonic, camera, Radio Detection...

When looking at threats against external vehicle interfaces, we indirectly analyzed threats that impact external facing ECUs, such as telematics, IVI, and autonomous driving systems. In this section, we will expand our focus on threats that apply to both internal and external facing ECUs, based on the most common weaknesses of these systems.

Debug ports

ECUs offer several methods to access debug capability during development and, in some cases, after the ECU has been installed on a production vehicle. The JTAG interface is commonly used to debug and test the internal operation of an ECU. Attackers who gain access to the JTAG interface can extract the ECU software for offline analysis to identify vulnerabilities that can be exploited in the field. Another popular attack is attempting to recover global secrets, such as long-term cryptographic keys that are accessible in a debug mode. In addition to these attacks, ECU suppliers may have proprietary test modes...

In this chapter, we investigated the threats that affect all the layers of the E/E architecture that were introduced in Chapter 1. Doing so has enabled us to understand the full spectrum of threats and attacks that automotive systems must consider. The obvious question that follows the threat and attack enumeration is what security countermeasures are required to mitigate such threats?

It would have been tempting to simply provide a catalog of threats and mitigations. However, in a real vehicle, new threats and attacks are continuously emerging. Addressing those threats requires a systematic engineering approach that provides us with assurances that we not only addressed those threats but we adequately uncovered all the applicable threats and followed a measurable approach to reducing risk to a tolerable level. This is the focus of Part 2 of the book where we address security assurance through a process-driven approach. This is to stress that the problem of automotive cybersecurity...

• [1] No, U.R. (2021). 155 [Uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system].
• [2] Le, V.H., Hartog, J.D., Zannone, N. Security and privacy for innovative automotive applications: A survey. Comput. Commun. 2018, 132, 17–41.
• [3] Kim, S., Shrestha, R. In-Vehicle Communication and Cyber Security. In Automotive Cyber Security; J.B. Metzler: Stuttgart, Germany, 2020; pp. 67–96.
• [4] Nilsson, D.K., Larson, U.E., Picasso, F., Jonsson, E. A First Simulation of Attacks in the Automotive Network Communications Protocol FlexRay. In Proceedings of the Advances in Computer Science and Education; J.B. Metzler: Stuttgart, Germany, 2008; Volume 53, pp. 84–91.
• [5] Kishikawa, T., Hirano, R., Ujiie, Y., Haga, T., Matsushima, H., Fujimura, K., Anzai, J. Vulnerability of FlexRay and Countermeasures. SAE Int. J. Transp. Cybersecur. Priv. 2019, 2, 21–33.
• [6] Khatri, N., Shrestha...