Sie sind auf Seite 1von 94

ASurveyofRemote

AutomotiveAttackSurfaces
ByCharlieMiller(Twitter:cmiller@openrce.org)
&ChrisValasek(IOActive:cvalasek@gmail.com)

Contents
Introduction..................................................................................................................................................5
AnatomyofaRemoteAttack........................................................................................................................5
Thispaper......................................................................................................................................................7
RemoteAttacksnotrelatedtoAutomotiveNetworks.................................................................................7
AuthorNotes.................................................................................................................................................7
RemoteAttackSurfacesofAutomobiles......................................................................................................8
PassiveAntiTheftSystem(PATS).............................................................................................................8
TirePressureMonitoringSystem(TPMS)...............................................................................................10
RemoteKeylessEntry/Start(RKE).........................................................................................................13
Bluetooth................................................................................................................................................15
RadioDataSystem..................................................................................................................................17
Telematics/Cellular/WiFi....................................................................................................................18
Internet/Apps........................................................................................................................................20
Cyberphysicalfeatures..............................................................................................................................21
Parkassist................................................................................................................................................21
Adaptivecruisecontrol...........................................................................................................................21
Collisionprevention................................................................................................................................21
Lanekeepassist......................................................................................................................................21
EvolutionofAutomotiveNetworks............................................................................................................22
RemoteSurvey............................................................................................................................................24
Legend.....................................................................................................................................................24
2014AudiA8...........................................................................................................................................25
Diagram...............................................................................................................................................27
2014HondaAccordLX(Sedan)...............................................................................................................28
Diagram...............................................................................................................................................30
2014InfinitiQ50.....................................................................................................................................31
Diagram...............................................................................................................................................33
2010InfinitiG37(Sedan)........................................................................................................................34
Diagram...............................................................................................................................................35
2006InfinitiG35(Sedan)........................................................................................................................36
Diagram...............................................................................................................................................37
2014JeepCherokee................................................................................................................................38

Diagram...............................................................................................................................................41
2014DodgeRam3500............................................................................................................................42
Diagram...............................................................................................................................................44
2014Chrysler300...................................................................................................................................45
Diagram...............................................................................................................................................47
2014DodgeViper...................................................................................................................................48
Diagram...............................................................................................................................................49
2015CadillacEscaladeAWD...................................................................................................................50
Diagram...............................................................................................................................................52
2006FordFusion.....................................................................................................................................53
Diagram...............................................................................................................................................54
2014FordFusion.....................................................................................................................................55
Diagram...............................................................................................................................................57
2014BMW3Series(F30)........................................................................................................................58
Diagram...............................................................................................................................................60
2014BMWX3(F25)................................................................................................................................61
Diagram...............................................................................................................................................63
2014BMWi12........................................................................................................................................64
Diagram...............................................................................................................................................66
2014RangeRoverEvoque......................................................................................................................67
Diagram...............................................................................................................................................71
2010RangeRoverSport.........................................................................................................................72
Diagram...............................................................................................................................................74
2006RangeRoverSport.........................................................................................................................75
Diagram...............................................................................................................................................77
2014ToyotaPrius...................................................................................................................................78
Diagram...............................................................................................................................................80
2010ToyotaPrius...................................................................................................................................81
Diagram...............................................................................................................................................83
2006ToyotaPrius...................................................................................................................................84
Diagram...............................................................................................................................................86
Analysisofautomotivenetworks...............................................................................................................87
Analysis...............................................................................................................................................87

MostHackable....................................................................................................................................88
LeastHackable....................................................................................................................................88
C&CCarRatings..................................................................................................................................89
DefendingAgainstRemoteAttacks............................................................................................................90
SecureRemoteEndpoints.......................................................................................................................90
CANInjectionMitigations.......................................................................................................................90
MessageCryptography...........................................................................................................................90
NetworkArchitecture.............................................................................................................................91
AttackDetection.....................................................................................................................................91
Conclusions.................................................................................................................................................93
References..................................................................................................................................................94

Introduction
Modernautomobilesconsistofanumberofdifferentcomputercomponents,calledElectronicControl
Units(ECUs).Eachautomobilecontainsfrom20100ofthesedevices,witheachECUbeingresponsible
foroneormoreparticularfeaturesofthevehicle.Forexample,thereisanECUforseatbelttightening,
oneformonitoringthesteeringwheelangle,onetomeasureifapassengerisinthecar,onetocontrol
theABSsystem,andsoon.TheseECUsneedtopassdatatooneanothersotheycanmakedecisionson
howtoact.Forexample,anECUmayactdifferentlydependingonifthecarisindriveorreverseor
whetheritismovingorstationary.
SomeECUsalsocommunicatewiththeoutsideworldaswellastheinternalvehiclenetwork.These
ECUsposethebiggestrisktothemanufacturer,passenger,andvehicle.Theoptionsavailableto
attackerswillbeinfluencedbythedifferentremoteendpointsoffered,thetopologyofthevehicular
network,aswellassafetyfeaturesprogrammedintothevariousECUsunderconsideration.Thispaper
attemptstoanalyzenumerousautomobilesvaryinginproductionyeartoshowhowremoteattack
surfaceshaveevolvedwithtimeandtotrytoquantifythedifficultyofaremoteattackforavarietyof
differentautomobiles.Thisanalysiswillincludehowlargetheremoteattacksurfaceis,howsegmented
theECUswhichhavephysicalcontroloftheautomobilearefromthoseacceptingexternalinput,and
thefeaturespresentintheautomobilewhichallowcomputerstophysicallycontrolit.Additionally,this
paperrecommendsdefensivestrategiesincludinganIDStypesystemtodetectandpreventthesetypes
ofattacks.

AnatomyofaRemoteAttack
Safetycriticalattacksagainstmodernautomobilesgenerallyrequirethreestages.Thefirststage
consistsofanattackerremotelygainingaccesstoaninternalautomotivenetwork.Thiswillallowthe
attackertoinjectmessagesintothecarsnetworks,directlyorindirectlycontrollingthedesiredECU.
Youcanimaginesuchanattackoccurringbysendingsomekindofwirelesssignalandcompromisinga
listeningECU,subsequentlyinjectingcode.ResearchersfromtheUniversityofWashingtonandthe
UniversityCaliforniaSanDiegowereabletogetremotecodeexecutiononatelematicsunitofavehicle
byexploitingavulnerabilityintheBluetoothstackofanECUandseparatelycompromisingacellular
modem[3].Dependingonthedesiresoftheattacker,thismightbetheendoftheattack,forexample
thecompromisedECUmaycontrolamicrophoneusedtoeavesdroponthevehicle.
Cyberphysicalattacks(attacksthatresultinphysicalcontrolofvariousaspectsoftheautomobile),on
theotherhand,willrequireinteractionwithotherECUs.Itisdifficulttomeasurehowsusceptiblea
particularvehicleistoremoteattackssinceitdependsonthepresence(orabsence)ofvulnerabilities.
Whatwecanmeasure(anddomeasureinthispaper)istheattacksurfaceofeachvehicleandusethis
informationasaproxytoestimatesusceptibilitytothefirststageofremoteattack.
ThecompromisedECUmentionedinthefirststagetypicallycannotdirectlycontrolsafetycritical
featuresofavehicle.ThisECUsjobistypicallyonlyrelatedtoreceivingandprocessingradiosignals.
Therefore,acyberphysicalattackusuallyrequiresasecondstepwhichinvolvesinjectingmessagesonto
theinternalautomotivenetworkinanattempttocommunicatewithsafetycriticalECUs,suchasthose
responsibleforsteering,braking,andacceleration.

Insomevehicles,thismaybetrivial,butinmanydesigns,theECUwhichwascompromisedremotelywill
notbeabletodirectlysendmessagestothesesafetycriticalECUs.Inthiscase,theattackerwillhaveto
somehowgetmessagesbridgedfromthenetworkofcompromisedECUtothenetworkwherethe
targetECUlives.
ThismightrequiretrickingthegatewayECUorcompromisingitoutright.Theacademicresearchers
mentionedabovedemonstratedawaytocompromisethebridgeECUintheirvehicletogetfromthe
lessprivilegedCANnetworktotheonecontainingtheECUinchargeofbraking.Inthispaperwediscuss
thevariousarchitecturesofdifferentvehiclesandexaminetheeffectthesetopologiesmayhaveona
remoteattack.
AftertheattackerhaswirelesslycompromisedanECUandacquiredtheabilitytosendmessagestoa
desiredtargetECU,theattackermaycommunicatewithsafetycriticalECUs.Thefinalstepistomake
thetargetECUbehaveinsomewaythatcompromisesvehiclesafety.Thisinvolvesreverseengineering
themessagesonthenetworkandfiguringouttheexactformattoperformsomephysicalaction.Since
eachmanufacturer(andperhapseachmodelandeveneachyear)usedifferentdatainthemessageson
thebus,themessagereverseengineeringprocessrequiresalargeamountofworkandwillbe
manufacturerspecific.Forexample,themessagestolockthebrakesononemanufacturersvehicle
likelywontworkonavehiclefromadifferentmanufacturer.
Additionally,someECUswillonlylistentocertainmessagesandmayhavesafetyfeaturesbuiltinto
them,suchasnotrespondingtocertainmessageswhilethevehicleisinmotion.Thisthirdstagewas
thefocusofourpreviousresearchefforts[9].Ingeneral,itistoughtoknowwithoutadetailed
investigationwhetheritispossibletoaffectcyberphysicalfeaturesthoughmessageinjectionsinceit
essentiallyreliesontheimplementationoftheECUs.Inthisdocument,weagaintakeanapproach
similartomeasuringremoteattacksurface.
Foreachvehicle,welistthecomputercontrolledfeaturesofthevehicle.Forexample,whileitis
possibletoadverselyaffectECUssometimesusingvulnerabilities(seehowthebrakingonaFordwas
manipulatedin[9]orhowthebrakingwasmanipulatedintheChevyin[3]),itiseveneasierwhen
controllingbrakingisafeatureoftheautomobile.IntheToyotaPriusin[9],thecollisionprevention
systemwasdesignedtostopthevehiclewhencertainCANmessageswerereceived.Thisdidntrequire
avulnerability,butwasasafetyfeature.Sowhileallvehiclesmay(ormay)notbevulnerabletosafety
criticalactionsthroughCANmessageinjection,weassumethosewithadvancedcomputercontrolled
featuresaremoresusceptiblesincetheyaredesignedtotakephysicalactionsbasedonmessages
receivedontheinternalnetwork.

Thispaper
Bylookingateachcarsremoteattacksurface,internalnetworkarchitecture,andcomputercontrolled
featuresweareabletodrawsomeconclusionsaboutthesuitabilityofthevehicletoremoteattack.
Thisdoesntmeanthatthemostsusceptiblelookingisntinfactquitesecure(i.e.codedverysecurely)
orthatthemostsecurelookingisntinfacttriviallyexploitable,butitdoesprovidesomeobjective
measureofthesecurityofalargenumberofvehiclesthatwouldntbepossibletoexamineindetail
withoutamassiveeffort.Italsoprovidesanoutlineonhowtodesignandconstructsecurevehicles,
namelyinmakingeachofthesethreestagesofexploitationasdifficultaspossible.
Theauthorsalsodiscussdifferentstrategiestosecuringvehiclesfromremoteattackinalayered,attack
resilientfashion.Inparticular,itintroducesadevicethatactslikeanetworkintrusiondetectionand
preventiondeviceaswellasdiscussessomeearlytestingresults.
Lastly,totheauthorsknowledge,thisisthefirstpubliclyavailableresourceforautomotivenetwork
architecturereview.Whilenetworkarchitecturereviewiscommonplaceinmodernnetwork/computer
security,muchofautomobiletopologyhasbeenshroudedinsecrecy.

RemoteAttacksnotrelatedtoAutomotiveNetworks
Thereareanumberofremoteattacksthathavenothingtodowithsendingmessagesonautomotive
networkssuchasCAN,alargefocusofthispaper.Thesemostlyfallintotwocategories.Thefirstare
attackswheretheremotelyattackedECUisthefinaltargetoftheattack.Forexample,aremoteattack
againstthetelematicsunitmayallowtheattackertolistenandrecordconversationsinthevehicle.If
thisisalltheattackerwants,thentheautomotivenetworkcontainingthetelematicsunitislikelytobe
irrelevant.
Thesecondtypeofattackisonethatdoesntactuallygetremotecodeexecution,butstillimpactsthe
physicalbehaviorofthevehicle.Anexampleofthismightincludetrickingthesensorsofthevehicle.
Onecouldimaginesendingradarsignalsthatinterferewithacarscollisiondetectionsystemandcause
ittothinkacollisionisimminent,resultinginthebrakesbeingengaged.
Thesetypesofattacksareinterestingbutarenotafocusofthispaper.

AuthorNotes
Automobiletechnicalinformationsites,muchlikethevehiclestheydescribe,varyfrommanufacturerto
manufacturer.Wedidourbesttonormalizethedata,suchasECUlistings,attacksurface,andnetwork
topology,whileattemptingtopreservetheterminologyusedbyindividualautomakers.Thiswasnotan
easytaskasjustfindingnetworktopologyinformationcouldtakemanyhours(apparentlythewebsites
werenotintuitivetous).Sometimesoldermodelsdidnotevenappeartohavepubliclyavailable
informationonline,hencethevarianceinmake,model,andyearofvehiclesdetailedinthispaper.

RemoteAttackSurfacesofAutomobiles
Thissectionoutlinessomecommonremoteattackvectorsformodernautomobilesinorderto
understandwhere,ontheautomotivenetwork,anattackermayfirstarrive.Whilethisdiscussionwill
bemostlygeneral,forclarityweuseexamplesfromactualcars,usuallya2010FordEscapeand2010
ToyotaPrius,sinceweareintimatelyfamiliarwiththesevehiclesfrompreviousresearch.

PassiveAntiTheftSystem(PATS)
Formanymoderncars,thereisasmallchipintheignitionkeythatcommunicateswithasensoronthe
steeringcolumn.FortheEscape,thissensoriswireddirectlyintotheInstrumentCluster(IC)ECU.
Whenthekeyisturned,theonboardcomputersendsoutanRFsignalthatispickedupbythe
transponderinthekey.ThetransponderthenreturnsauniqueRFsignaltothevehicle'scomputer,
givingitconfirmationtostartandcontinuetorun.Thisallhappensinlessthanasecond.Iftheon
boardcomputerdoesnotreceivethecorrectidentificationcode,certaincomponentssuchasthefuel
pumpand,onsome,thestarterwillremaindisabled.

Theinstrumentcluster(IC)forthe2010FordEscape


ThePATSsensorforthe2010FordEscape

Range:~10centimeters.

Analysis:Itmaybepossibletocreateadenialofserviceattackthatwouldcausethecarnottostart,
evenwiththeproperkeyinserted.Asfarasremoteattacksareconcerned,thisattacksurfaceisvery
small.Theonlydatatransferred(andprocessedbythesoftwareontheIC)istheidentificationcodeand
theunderlyingRFsignal.Itishardtoimagineanexploitablevulnerabilityinthiscode,andevenifthere
was,youwouldhavetobeveryclosetothesensor,asitisintentionallydesignedtoonlypickupnearby
signals.Theauthorsbelievethemainexploitationvectorwouldbeforvehicletheft,notremotecode
execution.

TirePressureMonitoringSystem(TPMS)
Eachtirehasapressuresensorthatisconstantlymeasuringthetirepressureandtransmittingrealtime
datatoanECU.IntheEscape,thereceivingsensoriswiredintotheSmartJunctionBox(SJB).Thisradio
signalisproprietary,butsomeresearchhasbeendoneinunderstandingtheTPMSsystemforsome
vehiclesandinvestigatingtheirunderlyingsecurity[1][2].

TheSJBfromthe2010FordEscape.

ThecircuitboardfromwithintheSJBofthe2010FordEscape.

TheSJBcontainsaMAX1471A315MHz/434MHzLowPower,3V/5VASK/FSKSuperheterodyneReceiver
[5],seebelow,toreceivetheRFsignals.

AcloseupoftheRFchiplocatedontheSJB.

Range:~1meter.

Analysis:ItiscertainlypossibletoperformsomeactionsagainsttheTPMS,suchascausingthevehicle
tothinkitishavingatireproblem,orproblemwiththeTPMSsystem.Additionally,researchershave
shown[2]thatitispossibletoactuallycrashandremotelybricktheassociatedECUinsomecases.
Regardingcodeexecutionpossibilities,itseemstheattacksurfaceisrathersmall,butremotebricking
indicatesthatdataisbeingprocessedinanunsafemannerandsothismightbepossible.Additionally,
manytimestheTPMSisnotconnectedtothevehiclenetwork,andisonlyresponsibleforilluminatinga
lightontheinstrumentcluster.

RemoteKeylessEntry/Start(RKE)
KeyfobscontainashortrangeradiotransmitterthatcommunicateswithanECUinthevehicle.The
radiotransmittersendsencrypteddatacontainingidentifyinginformationfromwhichtheECUcan
determineifthekeyisvalidandsubsequentlylock,unlock,andstartthevehicle.Forexample,inthe
ToyotaPrius,theysmartkeysendsasignaltoareceiver,whichinturnsendstheinformationtothe
SmartKeyECUthatisconnectedtotheCANandLINbuses.

SmartKeyDiagram2010ToyotaPrius


SmartKeyECU2010ToyotaPrius
Range:~520meters
Analysis:Again,itmaybepossibletocauseadenialofservicethatwouldnotallowthecartobe
remotelylocked/unlocked/startedandinsomecasesitmaybepossibletounlock/startthecarwithout
theproperkeyfob.Withregardstoremotecodeexecution,theattacksurfaceisquitesmall.TheSmart
KeyECUmusthavesomefirmwaretohandlereadingRFsignals,encryption/decryptioncode,somelogic
toidentifydatafromthekeyfob,andtobeprogrammedforadditional/replacementkeyfobs.While
thisisapossibleavenueofremotecodeexecution,theattacksurfaceisquitesmall.

Bluetooth
MostvehicleshavetheabilitytosyncadeviceoverBluetoothwiththevehicle.Thisrepresentsa
remotesignalofsomecomplexityprocessedbyanECU.IntheEscape,theBluetoothisreceivedand
processedbytheFordSYNCcomputeralsoknownastheAccessoryProtocolInterfaceModule(APIM).
Thisallowsthecartoaccesstheaddressbookofthephoneandmakephonecalls.Thecarmayalso
accessandstreammusicandpicturesfromthephone.

TheAPIMforthe2010FordEscape

InordertopairaphonetotheEscape,youhavetopressthephonebuttonontheACM,thenaddnew
phone.TheACMdisplaysarandom6digitPINnumberthatneedstobeenteredonthephone.The
ACMevenhasarecordedvoiceinstructingyouwhattodo.Theredoesnotappeartobeawayto
covertlyaddaBluetoothdevicewithoutuserinteraction,althoughanunsolicitedpairingvulnerabilityis
notoutoftherealmofpossibility.

Unliketheothersignalsuptonow,theBluetoothstackisquitelargeandrepresentsasignificantattack
surfacewhichhashadvulnerabilitiesinthepast[10].Therearegenerallytwoattackscenariosinvolving
aBluetoothstack.Thefirstattackinvolvesanunpairedphone.Thisattackisthemostdangerousasany
attackercanreachthiscode.Thesecondmethodofexploitationoccursafterpairingtakesplace,which
islessofathreatassomeuserinteractionisinvolved.Previously,researchershaveshownremote
compromiseofavehiclethroughtheBluetoothinterface[3].ResearchersfromCodenomiconhave
identifiedmanycrashesincommonBluetoothreceiversfoundinautomobiles[7].

Range:~10meters,possiblymoredependingontheprotocolandantenna.

Analysis:RightnowtheauthorsofthispaperconsiderBluetoothtobeoneofthebiggestandmost
viableattacksurfacesonthemodernautomobile,duetothecomplexityoftheprotocolandunderlying
data.Additionally,Bluetoothhasbecomeubiquitouswithintheautomotivespectrum,givingattackersa
veryreliableentrypointtotest.

RadioDataSystem
Theradioreceivesnotonlyaudiosignals,butsomeotherdataaswell.IntheEscape,theAudioControl
Module(ACM)hasmanysuchremoteinputs,suchasGPS,AM/FMRadio,andSatelliteradio.These
signalsaremostlysimplyconvertedtoaudiooutputanddontrepresentsignificantparsingofdata,
whichmeanstheyarelikelytonotcontainexploitablevulnerabilities.Onepossibleexceptionislikelyto
betheRadioDataSystemdatathatisusedtosenddataalongwithFManaloguesignals(orthe
equivalentonsatelliteradio).Thisistypicallyseenasradioswillsaythenamesofstations,thetitleof
thesongplaying,etc.Here,thedatamustbeparsedanddisplayed,makingroomforasecurity
vulnerability.

TheACMforthe2010FordEscape

Range:Theoreticallymiles,butmorerealisticallyaround100meters
Analysis:AlthoughtheendresultisthesameasBluetooth,thelikelihoodofthisattackoccurringand
beingsuccessfulismuchlower.ThereforewhileyoucouldhavecontroloftheACM,wedontperceive
thethreattobeasgreat.

Telematics/Cellular/WiFi
Manymodernautomobilescontainacellularradio,whichisusedtoconnecttothevehicletoacellular
network,forexampleGMsOnStar.Itcanalsobeusedtoretrievedata,suchastrafficorweather
information.Insomenewervehicles,itevenservesasaremoteWiFihotspot.
TheToyotaPriuscamewiththeSafetyConnectfeature,moregenericallyknownasatelematics
system.TheSafetyConnectsystemspermitforemergencycalling,stolenvehicletracking,androadside
assistanceviaaudioanddatacommunicationsbetweenthecallcenterandthevehicle.


ThetelematicsreceiverinthePriususedaQualcommchipandcommunicatesovera3G/CDMA
connection,asshownbelow.

TelematicsECU2010ToyotaPrius
Range:Board/Varying
Analysis:Thisistheholygrailofautomotiveattackssincetherangeisquitebroad(i.e.aslongasthecar
canhavecellularcommunications).EventhoughatelematicsunitmaynotresidedirectlyontheCAN
bus,itdoeshavetheabilitytoremotelytransferdata/voice,viathemicrophone,toanotherlocation.
Researcherspreviouslyremotelyexploitedatelematicsunitofanautomobilewithoutuserinteraction
[3].

Internet/Apps
Ascarsmoveintothefuture,theyarebeingmoreconnectedwithfeaturesnormallyfoundindesktop
computerslikeappsandevenwebbrowsers.The2014JeepCherokeeevenhasaWiFihotspotwith
openports(whennotusingencryption).

Starting Nmap 6.01 ( http://nmap.org ) at 2014-07-27 21:57 CDT


Nmap scan report for 192.168.5.1
Host is up (0.0022s latency).
Not shown: 998 closed ports
PORT
STATE SERVICE
VERSION
2021/tcp open servexec?
6667/tcp open irc?
$ nc 192.168.5.1 2021
<GCF 000059 TS_10_0000517828>CALL NADPhone:4564 NetAccess_Read handle=1
codec=CODEC_HEX;
<GCF 000084 TS_10_0000517829>CALL NADPhone:4565 NetAccess_Write handle=1
codec=CODEC_HEX data='41542B434545520D';
<GCF 000058 TS_10_0000517830>RESP NADPhone:4565 NetAccess_Write
error=WRITE_ERROR_NONE;
<GCF 000158 TS_10_0000517983>RESP NADPhone:4564 NetAccess_Read
data='0D0A2B434545523A204E6F20636175736520696E666F726D6174696F6E20617661696C61626C650D
0A0D0A4F4B0D0A' error=READ_ERROR_NONE;

BMWrunningawebbrowserhttp://www.techradar.com/news/cartech/bmwupgrades
connecteddrivewithtouch3ginternetappsandmore1159983/2

Range:N/A

Analysis:Webelievethisnewtechnologyopensupmanyattackvectorsthatdidnotexistbefore,such
aswebbrowserexploits,maliciousapps,andinternetserviceexploitation.Notonlyistheaddedattack
surfacebeingaddedindroves,buttheunderlyingresearchandexploitationmethodologiesarewidely
understoodbyattackers.Complexcodeisbeingaddedtovehiclesandthereisnoreasontobelieve
correspondingantiexploitationtechnologiesarebeingaddedwiththem.

Cyberphysicalfeatures
Inthefinalstageofacyberphysicalattack,theattackerwishestosendmessagestoasafetycriticalECU
andmakeittakesomeunsafeaction,suchaslockingupthebrakesorturningthesteeringwheel.While
thismaybepossibleevenwithoutcyberphysicalfeatures,havingthepresenceofcomputersthat
controlphysicalactionsmakethelikelihoodofcyberphysicalattacksmuchhigher.Theseadvanced
technologyfeaturesensurethattheseECUsarelisteningtothemessagesonthenetworkandmaking
physicalchangestothevehiclebasedonmessagesseen.Wehaveseensafetymechanismsbuiltinto
ECUsthatcanlimitwhatanattackercando.Forexample,themessageswhichindicatethesteeringECU
toturnthewheelforparkingassistmayonlyworkifthevehicleismovingveryslowlyorthemessages
whichtellthesteeringECUtoturnthewheelforlanekeepassistmayonlyallowverysmallmovements
ofthewheel.Inotherwords,thepresenceofthesefeaturesisnotnecessarilyforattackandcanhave
protectionsbuiltin,butattacksarelikelyeasierintheirpresencethanintheirabsence.Belowwebriefly
introducesomeofthesecyberphysicalfeaturespresentonsomemodernautomobiles.

Parkassist
Parkassist,alsoreferredbysomemanufacturersasintelligentparkassist,activeparkassist,parking
maneuverassistant,orautomaticselfparkinghelpsthedriverparkintightspots.Thereisusuallya
dedicatedECUthattakesindatafromsensorsandcalculateshowthesteeringwheelshouldbeturned
toparkinaspot.ItcommunicatesthedesiredsteeringwheelpositionwiththesteeringwheelECUthat
thenturnsthewheel.Thisfeaturesmeansthatundersomeconditions,thesteeringcanbeturnedby
sendingmessagesovertheautomotivenetwork.Thisfeatureisonlyneededwhenthevehicleismoving
veryslowly,andinpracticetherearetypicallysafetymechanismsthattrytopreventthewheelfrom
turningduetothisfeaturewhenthevehicleisatanythingbutslowspeed.

Adaptivecruisecontrol
Adaptivecruisecontrolisafeaturethattriestomaintainthedesiredspeedofthevehicleeveninthe
presenceofothervehicles.Asthevehicleapproachesaslowercar,itwillapplythebrakestoslow
down,sometimesallthewaytoastopifnecessary.Astheslowercarspeedsuporgetsoutoftheway,
theautomobilewillspeedupagaintothedesiredspeed.Thismeansthatacomputeriscontrollingthe
brakingandaccelerationofthevehiclebasedonsensorreadings.Portionsofthevehiclecontrolare
performedovertheinternalvehiclenetworkandaredesignedtoworkatspeed.

Collisionprevention
Collisionpreventionsystems,sometimescalledcrashmitigation,automaticbraking,citybraking,orpre
collisionsystemsaredesignedtopreventorlessencrashesbyapplyingthebrakeswhenacrashis
eminent.ThesensorsandcollisioncalculationsaretypicallyperformedbyoneECUandmessagesare
senttothebrakestotellthemtoengage.Thissystemisdesignedtoworkatspeed.

Lanekeepassist
Lanekeepassist,sometimescalledactivelaneassist,LaneSense,orlanekeepingassistisdesignedto
preventcarsfromleavingtheirlaneonaccident.AcameradetectsthelinesofthelaneandanECU
computesifthecarisabouttoleavethelane.Byeithersendingmessagestothesteeringorbrakes,the
carisabletoadjustthelocationofthecarwithinthelane.Thisisanothersystemdesignedtoworkat
speed.

EvolutionofAutomotiveNetworks
Asvehicleshavegottenmorecomplex,theremoteattacksurfacehasexpanded.Additionally,the
numberofECUsinavehiclehasgoneupwiththecomplexityoftheautomotivenetworkincreasing.For
example,considertheJeepCherokeefrom2010vs2014.Injust4years,thenumberofECUshasmore
thandoubled.BelowareillustrationsoftheCANCnetworkforthisvehiclefrom2010and2014.

CANCNetwork2010JeepCherokee

CANCNetwork2014JeepCherokee

Asyoucansee,the2014JeephasalmosttwiceasmanyECUs,resultinginaddedcomplexityandalso
denotesamanufacturersnecessitytomultiplexmoreoftheautomobile.Newfeaturesaremoreeasily
addedintoexistingautomobileinfrastructure,insteadofrunningnewwiresoraddingadditional
networks.

RemoteSurvey
Thecarsexaminedinthispaperhavehadtheirfeatures,standards,andnetworkarchitectureexamined
todeterminethefunctionalityandsubsequentremoteattacksurfacedocumented.Foreachvehiclewe
document

Theremoteattacksurface(i.e.Bluetooth,telematics,etc)
Thecyberphysicalcomputercontrolledfeatures.Thetermcyberphysicalisusedtodenote
automotivefeaturesthatperformphysicalactionsthroughtheinputofmessageonthe
automotivenetwork,suchasadaptivecruisecontrol,collisionprevention,andmanyothers
Layoutoftheinternalautomotivenetwork,includingtheECUswithremoteattacksurfaceand
theECUswithsafetycriticalcomponents

Bylookingatthelayoutoftheinternalautomotivenetworks,thelocationsofthevariousECUs,and
consideringthesafetycriticalcomputercontrolledfeatures,onecanbegintogetagrasponthe
difficulty(orsimplicity)ofremoteattacksagainstthatparticularvehicle.
Obviouslywewerenotabletoacquireeachvehiclefordetailedtesting,butthefirststepinany
automotiveassessmentwouldbeafeaturesandarchitecturereview.ECUsthatareboldedhave
significancewithregardstowirelessexploitation,communicationsbridging,orhavingcyberphysical
functionality.
Wewereawarethatcertainmanufacturersarenotpresentinthispaper.Manytimesitwasdueto
overlapinparentcompanysvehiclesandothertimeswefoundtheironlineexperiencetoopainfulto
navigate.

Legend

2014AudiA8

http://image.motortrend.com/f/roadtests/sedans/1307_2014_audi_a8_l_tdi_first_test/52692898/2013audia8l30tsideinmotion.jpg

Standards:CAN,LIN,MOST,FlexRay
WirelessCommunications:RemoteKeylessEntry/Start,Bluetooth,Cellular,WiFi,AM/FM/XMRadio,
ProprietaryRadio,AudiConnect
CyberPhysical:AdaptiveCruiseControl,ActiveLaneAssist,AudiPreSense
DrivetrainCAN
1. ECM(J623)
2. ABS(J104)
3. AirbagControl(J234)
4. TransmissionControlModule(J217)
5. ElectricalDriveMainRelay(J437)
6. ElectroMechanicalParkingBrakeControlModule(J540)
7. LevelControlSystemControlModule(J197)
8. SteeringAngleSensor(G85)
9. DataBusonBoardDiagnosticInterface(J533)

ConvenienceCAN
1. DriversDoorControlModule(J386)
2. FrontPassengersDoorControlModule(J387)
3. LeftRearDoorControlModule(J388)
4. RightRearDoorControlModule(J389)
5. MemorySeat/SteeringColumnAdjustmentControlModule(J136)
6. PassengerMemorySeatControlModule(J521)
7. TowingRecognitionControlModule(J345)
8. SteeringColumnElectronicsSystemControlModule(J527)
9. TirePressureMonitoringControlModule(J502)
a. ConnectedviaLINtoTPMSTransmitters
10. ClimatronicControlModule(J255)
a. ConnectedviaLINtoA/C
11. ComfortSystemCentralControlModule(J393)
12. VehicleElectronicSystemControlModule(J519)
13. Access/StartControlModule(J518)
a. ConnectedviaLINtoAccess/StartAuthorizationSwitch(E415)&KeylessAccess
AuthorizationAntennaReader(J723)
14. VehicleElectricalSystemControlModule(J520)
15. ParkingAidControlModule(J446)
16. AuxiliaryHeaterControlModule(J364)
17. EnergyManagementControlModule(J644)
18. DataBusonBoardDiagnosticInterface(J533)

InstrumentCluster/GatewayCAN
1. InstrumentClusterControlModule(J285)
2. DataBusonBoardDiagnosticInterface(J533)

DistanceControlCAN
1. DistanceRegulationControlModule(J428)
2. DataBusonBoardDiagnosticInterface(J533)

MOSTRing
1. CDChanger(R41)
2. DigitalSoundSystemControlModule(J525)
3. Radio&SpeechInputControlModule(J507)
4. TVTuner(R78)
5. Navigationsystemw/CDDriveControlModule(J401)
6. Telephone/TelematicsControlModule(J526)
a. Bluetooth
b. TelephoneHandset(R37)
7. TelephoneTransceiver(R36)
8. FrontInformationControlHeadControlModule(J523)
9. DataBusonBoardDiagnosticInterface(J533)

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
AccessControlModule
TirePressureControlModule
TelematicsControlUnit
RadioControlModule
TelematicsControlModule
AudiConnectSystem

Bus
ConvenienceCAN
ConvenienceCAN
MOSTRing
MOSTRing
MOSTRing
MOSTRing

Diagram

2014HondaAccordLX(Sedan)

http://images.newcars.com/images/carpictures/original/2014HondaAccordSedanLX4drSedanPhoto.png

Standards:CAN,KLine,SNET
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,ProprietaryRadio,
HondaLink
CyberPhysical:AdaptiveCruiseControl,ForwardCollisionWarning,LaneWatch
BCAN
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

UnderDashFuse/RelayBox
AudioUnit/NavigationUnit
HVACControl/ClimateControlUnit
PowerWindowMasterSwitch
CenterJunctionBox
DriversJunctionBox
SunlightSensor
GaugeControlModule
KeylessAccessControlUnit
PowerSeatControlUnit

FCAN
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.

PowertrainControlModule(PCM)
VSAModulatorControlUnit
EPSControlUnit
EngineMountControlUnit
SRSUnit
ANC/ActiveSoundControlUnit
DLC
CenterJunctionBox
SteeringAngleSensor
GaugeControlModule
ACCUnit
AudioUnit/NavigationUnit
DriversJunctionBox
FCW/LDWCameraUnit

KLine
1.
2.
3.
4.
5.
6.
7.
8.
9.

FrontPassengersWeightSensor
VSAModulatorControlUnit
EPSControlUnit
UnderDashFuse/RelayBox
ANC/ActiveSoundControlUnit
AudioUnit/NavigationUnit
KeylessAccessControlUnit
DLC
CenterJunctionBox

SNET
1. UnderDashFuse/RelayBox
2. KeylessAccessControlUnit
3. PCM

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
KeylessAccessControlUnit
VSAModulatorControlUnit
AudioUnit/NavigationUnit
AudioUnit/NavigationUnit
N/A
HondaLink

Bus
BCAN/KLine/SNET
FCAN
FCAN/BCAN/KLine
FCAN/BCAN/KLine
N/A
FCAN/BCAN/KLine

Diagram

2014InfinitiQ50

http://images.dealer.com/autodata/us/640/color/2014/USC40INC251A0/GAC.jpg

Standards:CAN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,Cellular,AM/FM/XMRadio,Proprietary
Radio,InfinitiConnect
CyberPhysical:AdaptiveCruiseControl,DirectAdaptiveSteering,Steerbywire,DriverAssistance
System
IntelligentTransportationSystems(ITS)CommunicationsCircuit
1. SideRadarLH
2. AroundviewMirrorControlUnit
3. DriverAssistanceBuzzerControlUnit
4. SideRadarRH
5. AccelerationPedalActuator
6. SonarControlUnit
7. ICCSensor
8. ADASControlUnit(GATEWAY)

ChassisCommunicationsCircuit
1. SteeringAngleMainControlModule
2. LaneCameraUnit
3. ChassisControlModule(Gateway)

CANCommunicationsCircuit2
1. ChassisControlModule(Gateway)
2. ADASControlUnit(Gateway)
3. ABSControlUnit
4. PreCrashSeatBeltControl
5. AWDControlUnit
6. DriverSeatControlUnit
7. SteeringForceControlModule
8. SteeringAngleSensor
9. DLC(ODBII)
10. CANGateway(Gateway)

CANCommunicationsCircuit1
1. IPDME/R(IntelligentPowerDistributionModuleEngineRoom)
2. CombinationMeter
3. AFSControlUnit(AdaptiveFrontlightingSystem)
4. HighBeamAssistControlModule
5. ECM(EngineControlModule)
6. TCM(TransmissionControlModule)
7. A/CAutoAmp
8. AirbagDiagnosisSensorUnit
9. DisplayControlUnit
10. TCU(TelematicsControlUnit)
11. BCM(BodyControlModule)
12. DLC(ODBII)
13. CANGateway(Gateway)

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
BCM
BCM
TCU
TCU
TCU
TCU

Bus
CANCommunicationsCircuit1
CANCommunicationsCircuit1
CANCommunicationsCircuit1
CANCommunicationsCircuit1
CANCommunicationsCircuit1
CANCommunicationsCircuit1

Diagram

2010InfinitiG37(Sedan)

http://images.thecarconnection.com/lrg/2010infinitig37sedan_100234015_l.jpg

Standards:CAN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,ProprietaryRadio
CyberPhysical:AdaptiveCruiseControl,PreCrashSystem
CANNetwork
1. SteeringAngleSensor
2. UnifiedMeterandA/CAmp
3. TCM(TransmissionControlModule)
4. PreCrashSeatBeltControlUnit
5. ECM(EngineControlModule)
6. AWDControlUnit
7. A/VControlUnit
8. AirbagDiagnosisSensorUnit
9. BCM(BodyControlModule)
10. ICCIntegratedCircuit(IntelligentCruiseControl)
11. IPDME/R(IntelligentPowerDistributionModuleEngineRoom)
12. ABSActuatorandECU
13. 4WASMainControlUnit
14. DriverSeatControlUnit
15. DLC

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
BCM
BCM
A/VControlUnit
A/VControlUnit
N/A
N/A

Bus
CAN
CAN
CAN
CAN
N/A
N/A

Diagram

2006InfinitiG35(Sedan)

http://upload.wikimedia.org/wikipedia/commons/f/f2/2006InfinitiG35sedan.jpg

Standards:CAN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,ProprietaryRadio
CyberPhysical:AdaptiveCruiseControl,PreCrashSystem
CANCommunications
1. ABS/TCS/VDS
2. IntelligentKeyUnit
3. IPDME/R
4. ECM
5. AWDECU
6. CombinationMeter
7. BCM
8. SteeringAngleSensor
9. DriverSeatControlUnit
10. TransmissionControlModule(A/TAssembly)
11. DLC

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
BCM
BCM
A/VControlUnit
A/VControlUnit
N/A
N/A

Bus
CAN
CAN
None
None
N/A
N/A

Diagram

2014JeepCherokee

http://www.digitaltrends.com/wpcontent/uploads/2013/02/2014jeepcherokee1.jpg

Standards:CAN,LIN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,Cellular,WiFi,
ProprietaryRadio,Uconnect
CyberPhysical:AdaptiveCruiseControlwithStopandgo,ParallelandPerpendicularParkingAssist,
ForwardCollisionWarningwithCrashMitigation,LaneSenseLaneDepartureWarning

CANCBus
1. ABSMODULEANTILOCKBRAKES
2. AHLMMODULEHEADLAMPLEVELING
3. ACCMODULEADAPTIVECRUISECONTROL
4. BCMMODULEBODYCONTROL
5. CCBCONNECTORSTARCANCBODY
6. CCIPCONNECTORSTARCANCIP
7. DLCDATALINKCONNECTOR
8. DTCMMODULEDRIVETRAINCONTROL
9. EPBMODULEELECTRONICPARKINGBRAKE
10. EPSMODULEELECTRICPOWERSTEERING
11. ESMMODULEELECTRONICSHIFT
12. FFCMCAMERAFORWARDFACING
13. IPCCLUSTER
14. OCMMODULEOCCUPANTCLASSIFICATION
15. ORCMODULEOCCUPANTRESTRAINTCONTROLLER
16. PAMMODULEPARKASSIST
17. PCMMODULEPOWERTRAINCONTROL(2.4L)
18. RADIOMODULERADIO
19. RFHMODULERADIOFREQUENCYHUB
20. SCMMODULESTEERINGCONTROL
21. SCLMMODULESTEERINGCOLUMNLOCK
22. TCMMODULETRANSMISSIONCONTROL

CANIHSBus
1. AMPAMPLIFIERRADIO
2. BCMMODULEBODYCONTROL
3. CCBCONNECTORSTARCANIHSBODY
4. CCIPCONNECTORSTARCANIHSIP
5. DDMMODULEDOORDRIVER
6. DLCDATALINKCONNECTOR
7. EDMMODULEEXTERNALDISC
8. HSMMODULEHEATEDSEATS
9. HVACMODULEA/CHEATER
10. ICSMODULEINTEGRATEDCENTERSTACKSWITCH
11. IPCMODULECLUSTER
12. LBSSSENSORBLINDSPOTLEFTREAR
13. MSMMODULEMEMORYSEATDRIVER
14. PDMMODULEDOORPASSENGER
15. PLGMMODULEPOWERLIFTGATE
16. RADIOMODULERADIO(NotaBridge)
17. RBSSSENSORBLINDSPOTRIGHTREAR

LINBus
1. AGSACTUATORGRILLSHUTTER
2. AHLMMODULEHEADLAMPLEVELING
3. ASBMSWITCHBANK
4. ASUSIREN
5. BCMMODULEBODYCONTROL
6. CRVMMASSEMBLYREARVIEWMIRROR
7. DDMMODULEDOORDRIVER
8. DSBMSWITCHWINDOW/DOORLOCKDRIVER
9. FLLAASSEMBLYLAMPLEFTFRONT
10. FRLAASSEMBLYLAMPRIGHTFRONT
11. GENGENERATOR
12. HUMSENSORHUMIDITY
13. IBSSENSORBATTERYCURRENT
14. IPCMODULECLUSTER
15. ITMMODULEINTRUSION
16. LRSMMODULELIGHTRAINSENSOR
17. PADLLAMPAIRBAGDISABLE
18. PCMMODULEPOWERTRAINCONTROL
19. PCMDieselMODULEPOWERTRAINCONTROL
20. RVCMASSEMBLYVIDEOCAMERA
21. SCCMMODULESTEERINGCONTROL
22. TSBMMODULETERRAINSWITCHBANK
23. VSMMODULEVOLTAGESTABILITY
24. WCPMMODULECHARGERWIRELESS

EntryPoint
ECU
RKE
RFHM
TPMS
RFHM
Bluetooth
Radio
FM/AM/XM
Radio
Cellular
Radio
Internet/Apps
Radio

Bus
CANC
CANC
CANC,CANIHS
CANC,CANIHS
CANC,CANIHS
CANC,CANIHS

Diagram

2014DodgeRam3500

http://images6.alphacoders.com/417/417590.jpg

Standards:CAN,LIN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,Cellular,WiFi,
ProprietaryRadio,Uconnect
CyberPhysical:Itsbig.Itburnslotsofgas.
CANCBus
1. ABS
2. ASCM
3. BCM
4. DTCM
5. ITBM
6. PAM
7. PCM
8. ORC
9. RADIO
10. RFH
11. SCCM
12. TCM
13. VSIM

CANIHSBus
1. AMP
2. BCM
3. DDM
4. EDM
5. HSM
6. HVAC
7. ICS
8. MSM
9. PDM
10. RADIO

LINBus
1. BCM
2. COM
3. DDM
4. LRSM
5. SCCM

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
RFH
RFH
Radio
Radio
Radio
Radio

Bus
CANC
CANC
CANC,CANIHS
CANC,CANIHS
CANC,CANIHS
CANC,CANIHS

Diagram

2014Chrysler300

http://www.chrysler.com/assets/images/Vehicles/2014/300/PhotosVideos/Exterior/large/300_ext_expand_0000_15.jpg

Standards:CAN,LIN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,Uconnect
CyberPhysical:AdaptiveCruiseControl,ParkAssist
CANCBus
1. ABS
2. AFLS
3. BCM
4. IPC
5. ORC
6. PAM
7. PCM
8. RFH
9. SCCM
10. TCP
11. TPM


CANIHSBus
1. BCM
2. DDM
3. HSM
4. HVAC
5. MSM
6. PDM
7. RADIO

LINBus
1. AFLS
2. BCM
3. COM
4. DDM
5. LRSM
6. SCCM

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
RFH
TPM
Radio
Radio
Radio
Radio

Bus
CANC
CANC
CANIHS
CANIHS
CANIHS
CANIHS

Diagram

2014DodgeViper

http://www.drivesrt.com/news/wpcontent/uploads/2013/09/TAColor.jpg

Standards:CAN,LIN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,Uconnect
CyberPhysical:Fast
CANCBus
1. ABS
2. ADCM
3. BCM
4. ORC
5. PCM
6. RFH
7. SCCM
8. TPM

LINBus
1. BCM
2. DDM
3. SCCM

CANIHSBus
1. BCM
2. DDM
3. HVAC
4. ICS
5. PDM
6. RADIO

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
RFH
TPM
Radio
Radio
Radio
Radio

Bus
CANC
CANC
CANIHS
CANIHS
CANIHS
CANIHS

Diagram

2015CadillacEscaladeAWD

http://image.motortrend.com/f/roadtests/suvs/1310_2015_cadillac_escalade_first_look/54528620/2015cadillacescalade
frontthreequartersview.jpg

Standards:CAN,MOST,LIN
WirelessCommunicationsRemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,OnStar
CyberPhysical:Frontandrearautomaticbreaking,Automaticcollisionpreparation,Fullspeedadaptive
cruisecontrol
PTCAN(powertraincontrollerareanetwork)
1. DME
2. ACSM
3. KAFAS
4. EKPS
5. EGS
6. GWS

LowSpeedGMLAN(CAN)
1. infodisplaymodule
2. radio
3. telematicscommunicationinterfacemodule(TCIM)
4. HVAC
5. mediadiscplayer
6. instrumentcluster
7. passengerpresencemodule
8. keylessentrycontrolmodule(KECM)
9. trailerinterfacecontrolmodule
10. frontandrearparkingassistcontrolmodule
11. sideobjectsensormoduleleft
12. activesafetycontrolmodule
13. bodycontrolmodule
14. liftgatecontrolmodule
15. videoprocessingcontrolmodule
16. inflatablerestraintsensinganddiagnosticmodule
17. assiststepcontrolmodule

HighSpeedGMLAN(CAN)
1. distancesensingcruisecontrolmodule
2. enginecontrolmodule
3. transmissioncontrolmodule
4. activesafetycontrolmodule**
5. telematicscommunicationinterfacecontrolmodule(TCIM)
6. humanmachineinterfacecontrolmodule
7. powersteeringcontrolmodule
8. bodycontrolmodule
9. electronicbrakecontrolmodule
10. parkbrakecontrolmodule
11. suspensioncontrolmodule
12. chassiscontrolmodule

LIN
1. BCM
2. TPIM

MOST
1. RADIO
2. Instrumentcluster
3. Amp
4. Mediadiskplayer
5. Humaninterfacecontrolmodule

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
KECM
KECM
TCIM
Radio
TCIM
TCIM

Bus
LowSpeedCAN
LowSpeedCAN
Low&HighSpeedCAN
MOST
Low&HighSpeedCAN
Low&HighSpeedCAN

Diagram

2006FordFusion

http://www.blogcdn.com/www.autoblog.com/media/2006/03/FordFusionCrashtestresized.jpg

Standards:CAN
WirelessCommunications:RemoteKeylessEntry,AM/FMRadio,ProprietaryRadio
CyberPhysical:None
HSCAN
1. ABS
2. RCM
3. OCS
4. IC
5. TCM
6. PCM

MSCAN
1. HCS(heated/cooled)
2. MM(memmodule)
3. Dsp
4. Sjb
5. Ddm
6. Radio
7. Eatc
8. Datc
9. IC

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
SJB
SJB
N/A
Radio
N/A
N/A

Bus
MSCAN
MSCAN
N/A
MSCAN
N/A
N/A

Diagram

2014FordFusion

http://upload.wikimedia.org/wikipedia/commons/b/be/2013_Ford_Fusion_Titanium__2012_NYIAS.JPG

Standards:CAN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,SYNC
CyberPhysical:Lanekeepingassist,Adaptivecruisecontrolwithforwardcollisionwarning(collision
warningonlyprechargesbrakes),ActiveParkassist

HSCAN1
1.
2.
3.
4.
5.
6.

APIM
BCM
PCM
DCtoDCconvertercontrolmodule
HCM(headlampcontrol)
Gatewaymodule

HSCAN2
1. RCM
2. OCSM
3. ADIM(autodimminginteriormirror)
4. Proximitywarningradarunit
5. ABS
6. PSCM
7. SCCM(steeringcolumn)
8. HUDMheadsupdisplay
9. VDMVehicleDynamics
10. TRCM(transmissionrangecontrol)
11. FSCM(frontseatclimatecontrol)
12. PMCSM(passengermulticontourseatmodule)
13. CCMcruisecontrolmodule
14. Gatewaymodule

HSCAN3
1. APIM
2. ACM
3. FCDM
4. IPCinstrumentpanel
5. ADSPM(audiodigitalprocessing)
6. CD
7. Gatewaymodule

MSCAN
10. GPSM
11. APIM
12. FCIM(frontcontrolinterface)
13. PCM
14. RTM(radiotransceivermodule)
15. DDM(driverdoor)
16. DSM(driverseat)
17. SODL(sideobstacledetectleft)
18. SODR
19. HSWM(heatedsteeringwheel)
20. DMCSM(drivermulticontourseatmodule)
21. DSM(driverseatmodule)
22. DDM(driverdoormodule)
23. Reargatetrunkmodule
24. Sideobstacledetectioncontrolmodule
25. Gatewaymodule

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
BCM
RTM
APIM
ACM
APIM
APIM

Bus
HSCAN1
MSCAN
MSCAN,HSCAN1,HSCAN3
HSCAN3
MSCAN,HSCAN1,HSCAN3
MSCAN,HSCAN1,HSCAN3

Diagram

2014BMW3Series(F30)

http://www.roadandtrack.com/cm/roadandtrack/images/zQ/0013GT.jpg

Standards:CAN,Flexray,MOST
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,ConnectedDrive
CyberPhysical:Parkingassistmodule,Collisiondetection(vibratewheel),Lanewarning(light)
KCAN(bodycontrollerareanetwork)
1. IHKA
2. CON
3. TRSVC
4. TPMS
5. SMFA
6. FEMfrontelectronicsmodule

KCAN2
1. Headunit
2. Combox
3. Rearelectronicmodule
4. Fzd
5. Pmaparkingmaneuverassistant
6. Fla


PTCAN(powertraincontrollerareanetwork)
7. DMEdigitalmotorelectronics
8. ACSM
9. KAFAS
10. EKPS
11. EGS
12. GWS

Flexray
3. SWW
4. EPSelectromechanicalpowersteering
5. VDM
6. DSCdynamicstabilitycontrol(brakes)
7. ICM
8. DME

MOST
6. Headunit
7. Comboxcomboxemergencycall,multimediacombox
8. Kombi
9. Dvdc
10. Ampt

EntryPoint
ECU
RKE
FEM
TPMS
TPMS
Bluetooth
Headunit
FM/AM/XM
Headunit
Cellular
Combox
Internet/Apps
Combox

Bus
KCAN
KCAN
KCAN2,MOST
KCAN2,MOST
KCAN2,MOST
KCAN2,MOST

Diagram

2014BMWX3(F25)

http://static.autoexpress.co.uk/sites/autoexpressuk/files/111061559231880430.jpg

Standards:CAN,Flexray,MOST
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,ConnectedDrive
CyberPhysical:Dynamiccruisecontrol(includesbraking),Parkingassistmodule,Collisiondetection
(vibratewheel),Lanewarning(light)
KCAN(bodycontrollerareanetwork)
1. IHKA
2. CON
3. CID
4. HUD
5. FLA
6. TRSVC
7. TPMS
8. SMFA
9. HKL
10. ZGM
11. CIC


KCAN2
1. ZGM
2. FRM
3. FZD
4. JBE
5. CAScaraccesssystem
6. RAD

PTCAN(powertraincontrollerareanetwork)
1. DME
2. ACSM
3. EKPS
4. EGS
5. GWS
6. EMF

Flexray
1. EPS
2. VDM
3. DSC
4. ICM
5. VTG

MOST
1. CIC
2. Combox
3. Kombi
4. Dvdc
5. ampt

EntryPoint
ECU
RKE
CAS
TPMS
TPMS
Bluetooth
CIC
FM/AM/XM
CIC
Cellular
Combox
Internet/Apps
Combox

Bus
KCAN2
KCAN
MOST,KCAN
MOST,KCAN
MOST,KCAN2
MOST,KCAN2

Diagram

2014BMWi12

http://upload.wikimedia.org/wikipedia/commons/d/db/BMW_Concept_Vision_Efficient_Dynamics_Front.JPG

Standards:CAN,Flexray,MOST
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,ConnectedDrive
CyberPhysical:Collisionwarningwithcitybrakingfunction,Dynamiccruisecontrol(includesbraking)
KCAN(bodycontrollerareanetwork)
1. IHKAIntegratedautomaticheating/airconditions
2. CONcontroller
3. ASDactivesounddesign
4. AMPamplifier
5. TBXtouchbox
6. TCBtelematicscommunicationbox

KCAN2
1. FZDrooffunctioncenter
2. TRSVCtoprearsideviewcamera
3. PDCparkdistancecontrol

KCAN3
1. FLERfrontallightelectronicsright
2. FLELfrontallightelectronicsleft
3. VSGvehiclesoundgenerator

PTCAN(powertraincontrollerareanetwork)
1. LIMcharginginterfacemodule
2. DMEdigitalengineelectronics
3. TFEhybridpressurerefuelingelectroniccontrolunit
4. GWSgearselectorswitch
5. EGSelectronictransmissioncontrol
6. EMFelectmechanicalparkingrake
7. KAFAScamerabaseddriversupportsystems
8. EMEelectricalmachineelectronics

PTCAN2(powertraincontrollerareanetwork)
1. REMErangeextenderelectricalmachineelectronics
2. SMEbatterymanagementelectronics
3. DMEdigitalengineelectronics
4. GWSgearselectorswitch
5. EGSelectronictransmissioncontrol
6. EMEelectricalmachineelectronics

Flexray
1. ACSMadvancedcrashsafetymodule
2. EPSelectornicpowersteering
3. SASoptionalequipmentsystem
4. DSCdynamicstabilitycontrol
5. DMEdigitalengineelectronics
6. EMEelectricalmachineelectronics

MOST
1. Headunit
2. Kombiinstrumentcluster

EntryPoint
ECU
RKE
ZGM/BDC
TPMS
BDC
Bluetooth
Headunit
FM/AM/XM
Headunit
Cellular
TCB
Internet/Apps
TCB

Bus
ALL
ALL
MOST
MOST
KCAN
KCAN

Diagram

2014RangeRoverEvoque

http://evoque.landrover.com/static/images/content/l538puremodels930x530.jpg

Standards:CAN,LIN,MOST
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,WiFi,Cellular,
ProprietaryRadio,InControl
CyberPhysical:ElectronicPowerAssistedSteering(EPAS),AdaptiveCruiseControl,AutomaticSelf
Parking
CANHSChassisSystem
1. RestraintsControlModule
2. ModuleParkingAidControl
3. ModuleAWDControl
4. ModuleDampingContinuouslyVariable
5. ModuleGeneralProximitySensor
6. SwitchpackTerrainResponse
7. DiagnosticConnector
8. ModuleGateway
9. ModulePowerSteering
10. ModuleIntegratedBrakeControl
11. ModuleSteeringWheel

CANHSPowertrainSystem
1. JunctionboxCentral(BCM)
2. ModuleGateway
3. ModuleSteeringColumnLock
4. RestraintsControlModule
5. ModuleAWDControl
6. DiagnosticConnector
7. InstrumentCluster
8. SwitchAutomaticTransmission
9. ModuleElectricParkBrakeControl
10. ModuleTelematicControl
11. ModuleControlOccupantClassification
12. ModuleControlOccupantClassificationSensor
13. ModuleIntegratedBrakeControl
14. ModuleAdaptiveSpeedControl
15. ModuleHeadlampLeveling
16. ModuleTransmissionControl
17. ECM

CANMSBodySystem
1. JunctionBoxCentral
2. DiagnosticConnector
3. ModuleDriverDoor
4. ModuleTelematicControl
5. MirrorRearView
6. ModulePassengerDoor
7. ModuleSeatMemoryPassenger
8. ModulePoweredlidLuggageCompartment
9. KeylessVehicleModule
10. ModuleSeatMemoryDriver
11. ModuleGateway

CANMSComfortandConvenienceSystem
1. ModuleGateway
2. FuelFiredBoosterHeater
3. UnitMultiInformationDisplay
4. TouchScreen
5. ModuleClimateControl
6. IntegratedControlPanel
7. DiagnosticConnector
8. ModuleNavigationControl
9. ModuleBlindSpotMonitoringRight
10. CameraRearView
11. ModuleBlingSpotMonitoringLeft
12. ModuleImageProcessing
13. InstrumentCluster


LIN(AllLINSubsystems)
1. UnitImmobiliserAntenna
2. JunctionBoxCentral
3. MotorRoofBlindFront
4. ConsoleOverheadFront
5. SensorRain
6. SounderBatteryBackup
7. ModuleSteeringWheel
8. CruiseControlsRemote
9. Clockspring
10. ModuleHeaterControlSteeringWheel
11. SwitchRemoteICE
12. ModuleHeatedSeatPassenger
13. ModuleClimateControl
14. SensorHumidity
15. RHRearSeatHeaterModule
16. RHALRTemperatureDoorMotor
17. ScreenAirDistributionDoorMotor
18. MotorRecirculation
19. LHAirTemperatureDoorMotor
20. ModuleClimateControl
21. MotorAirDistributionFeet/Face
22. ModuleHeatedSeatDriver
23. SwitchpackRearConsole
24. LHRearSeatHeaterModule
25. ModuleDriverDoor
26. SwitchpackMirrorWindowDriver
27. ModuleRearDoorLeft
28. ModulePassengerDoor
29. ModuleRearDoorRight
30. ModuleHeadlampLevelingControl
31. HeadlampLeft
32. HeadlampRight
33. ModuleGateway
34. Generator
35. ReceiverRF
36. KeylessVehicleModule
37. ModuleVoltageQuality
38. ModuleBatteryMonitoringSystem
39. ModuleControlQuiescentCurrent

MOSTRings
1. TouchScreen
2. ConnectorMOSTDiagnostic
3. IntegratedAudio
4. ModuleAudioAmplifier
5. EntertainmentModule
6. ModuleTVControl
7. ModuleTunerDAB

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
KeylessVehicleModule
JunctionBoxCentral
ModuleNavigationControl
ModuleNavigationControl
ModuleTelematicControl
ModuleNavigationControl

Bus
CANMSBodySystem
CANMS/CANHS
CANMSComfort&Convenience
CANMSComfort&Convenience
CANHSPowertrain
CANMSComfort&Convenience

Diagram

2010RangeRoverSport

http://static.cargurus.com/images/site/2009/07/14/18/33/2010landroverrangeroversportscpic57937.jpeg

Standards:CAN,MOST
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,ProprietaryRadio
CyberPhysical:AdaptiveCruiseControl,CollisionRestraintSystem
CANMS
1. JunctionboxCentral
2. ModulePassengerDoor
3. ModuleDriverDoor
4. MemoryControlModule
5. KeylessVehicleModule
6. ModuleClimateControl
7. ModuleParkingAid
8. ModuleCameras
9. MirrorElectrochromic
10. FuelfiredBoosterHeater
11. AudioHeadUnit
12. IntegratedControlPanelUpper
13. ModuleClimateControl
14. DiagnosticSocket
15. InstrumentCluster


CANHS
1. ECM
2. AFSControlModule
3. ABSModule
4. ModuleSpeedControl
5. DynamicResponseModule
6. TCMandControlValveBody
7. TransferBoxControlModule
8. JunctionboxCentral
9. DiagnosticSocket
10. InstrumentCluster
11. ModuleSteeringColumnLock
12. ModuleAirSuspension
13. SensorOccupancyDetector
14. SwitchpacketCenterConsole
15. RestraintsControlModule
16. SensorSteeringAngle
17. RearDifferentialControlModule
18. ModuleDampingContinuouslyVariable
19. ModuleParkingBrake

MOSTRings
1. AudioHeadUnit
2. TouchScreenDisplay
3. AmplifierPower
4. ModulePortableAudioInterface
5. SeatEntertainmentModule
6. ModuleTuner
7. ModuleTelephone

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
KeylessVehicleModule
JunctionBoxCentral
ModuleTelephone
AudioHeadUnit
N/A
N/A

Bus
CANMS
CANMS/CANHS
MOST
CANMS
N/A
N/A

Diagram

2006RangeRoverSport

http://images.thecarconnection.com/med/2006landroverrangeroversport4drwgnwhite_100047815_m.jpg

Standards:CAN,MOST
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,ProprietaryRadio
CyberPhysical:AdaptiveCruiseControl
CANMS
1. InstrumentCluster
2. DiagnosticSocket
3. FuelFiredBoosterHeater
4. TirePressureMonitoringControlModule
5. AudioHeadUnit
6. AutomaticTemperatureControlModule
7. ParkingAidControlModule
8. CentralJunctionBox

CANHS
1. InstrumentCluster
2. AirSuspensionControlModule
3. SensorSteeringAngle
4. DiagnosticSocket
5. SwitchpackCenterConsole
6. RearDifferentialControlModule
7. ParkingBrakeModule
8. RestraintsControlModule
9. SpeedControlModule
10. ECM
11. Generator
12. TransmissionControlModule
13. TransferBoxControlModule
14. ABS
15. DynamicResponseModule
16. AFSECU

MOSTRings
1. AudioHeadUnit
2. TouchScreenDisplay
3. AmplifierPower
4. ModulePortableAudioInterface
5. SeatEntertainmentModule
6. ModuleTuner
7. ModuleTelephone

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
KeylessVehicleModule
JunctionBoxCentral
ModuleTelephone
AudioHeadUnit
N/A
N/A

Bus
CANMS
CANMS/CANHS
MOST
CANMS
N/A
N/A

Diagram

2014ToyotaPrius

http://image.automobilemag.com/f/63379071+q100+re0/2014toyotapriusthreequartersdriversview001.jpg

Standards:CAN,LIN,AVCLAN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,Cellular,Proprietary
Radio,SafetyConnect
CyberPhysical:AdaptiveCruiseControl,SelfParkingSystem,PreCollisionSystem
LINPowerWindowsandSlidingRoof
1. MainBodyECU
2. PowerWindowRegulationMotorAssembly(frontpassenger)
3. PowerWindowRegulationMotorAssembly(frontdriver)
4. PowerWindowRegulationMotorAssembly(rearpassenger)
5. PowerWindowRegulationMotorAssembly(reardriver)
6. SlidingRoofECU
7. MultiplexNetworkMasterSwitchAssembly

LINSmartKeySystem
1. PowerManagementControlECU
2. TransmissionControlECU
3. ImmobiliserCodeECU
4. CertificationECU

LINAirConditioningSystem
1. AirConditioningAmplifierAssembly
2. AirConditioningControlAssembly

CANv1Bus
1. MainBodyECU(LINAlso)
2. ECM
3. PowerManagementECU(LIN,PowerManagementBus,CANv2Bus)
4. TransmissionControlECU(LINAlso)
5. NavigationReceiverAssembly
6. MainBodyECU
7. PowerSteeringECU
8. CertificationECU
9. YawRateandAccelerationSensor
10. AirbagECUAssembly
11. SteeringAngleSensor
12. SkidControlECU
13. DLC3
14. CombinationMeter

CANPowerManagementBus
1. ECM
2. AirConditioningAmplifierAssembly
3. SkidControlECU/ABS
4. PowerManagementControlECU

CANv2Bus
1. PowerManagementControlECU
2. SeatBeltControlECU
3. DrivingSupportECU

CANParkingAssistBus
1. DrivingSupportECU
2. LaneRecognitionCamera
3. MillimeterWaveSensor

AVCLAN
1. StereoComponentAmplifierAssembly
2. XMSatelliteRadioTuner
3. NavigationReceiver

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
CertificationECU
TPMS(Displaylightonly)
NavigationReceiverAssembly
NavigationReceiverAssembly
TelematicsECU
N/A

Bus
LIN/CANv1
CANv1(Displaylightonly)
CANv1
CANv1
None
N/A

Diagram

2010ToyotaPrius

ChrisPrius!

Standards:CAN,LIN,AVCLAN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,Cellular,Proprietary
Radio,SafetyConnect
CyberPhysical:AdaptiveCruiseControl,SelfParkingSystem,PreCollisionSystem
LINPowerWindowsandSlidingRoof
1. MainBodyECU
2. PowerWindowRegulationMotorAssembly(frontpassenger)
3. PowerWindowRegulationMotorAssembly(frontdriver)
4. PowerWindowRegulationMotorAssembly(rearpassenger)
5. PowerWindowRegulationMotorAssembly(reardriver)
6. SlidingRoofECU
7. MultiplexNetworkMasterSwitchAssembly

CANPowerManagementBus
1. ECM
2. AirConditioningAmplifierAssembly
3. SkidControlECU/ABS
4. PowerManagementControlECU

CANv2Bus
1. PowerManagementControlECU
2. SeatBeltControlECU
3. DrivingSupportECU

CANv1Bus
1. MainBodyECU(LINAlso)
2. ECM
3. PowerManagementECU(LIN,PowerManagementBus,CANv2Bus)
4. TransmissionControlECU(LINAlso)
5. NavigationReceiverAssembly
6. MainBodyECU
7. PowerSteeringECU
8. CertificationECU
9. YawRateandAccelerationSensor
10. AirbagECUAssembly
11. SteeringAngleSensor
12. SkidControlECU
13. DLC3
14. CombinationMeter

CANParkingAssistBus
1. DrivingSupportECU
2. LaneRecognitionCamera
3. MillimeterWaveSensor

AVCLAN
1. StereoComponentAmplifierAssembly
2. XMSatelliteRadioTuner
3. NavigationReceiver

LINSmartKeySystem
1. PowerManagementControlECU
2. TransmissionControlECU
3. ImmobiliserCodeECU
4. CertificationECU

LINAirConditioningSystem
1. AirConditioningAmplifierAssembly
2. AirConditioningControlAssembly

LINAdvancedParkingGuidance
1. ParkingAssistECU
2. UltraSonicSensorLH

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
CertificationECU
TPMSECU(Displaylightonly)
NavigationReceiverAssembly
NavigationReceiverAssembly
TelematicsECU
N/A

Bus
LIN/CANv1
CANv1(Displaylightonly)
CANv1
CANv1
N/A
N/A

Diagram

2006ToyotaPrius

http://upload.wikimedia.org/wikipedia/commons/6/60/2006_Toyota_Prius.jpg

Standards:CAN,BEAN,AVCLAN
WirelessCommunications:RemoteKeylessEntry,Bluetooth,AM/FM/XMRadio,ProprietaryRadio
CyberPhysical:None
CANBus
1. ECM
2. HVECU
3. YawRateandDecelerationSensor
4. BatteryECU
5. ABSECU
6. ElectronicPowerSteering(EPS)ECU
7. SteeringAngleSensor
8. DLC3
9. GatewayECU

BEANBus
1. PowerSourceControlECU
2. CombinationMeter
3. TirePressureMonitorECU
4. CertificationECU
5. TransmissionControlECU
6. TransponderKeyECU
7. DriverSideJunctionBlock
8. A/CECU
9. GatewayECU

AVCLAN
1. NavigationECU
2. AudioAmplifier
3. RadioandMediaPlayer
4. MultiDisplay
5. GatewayECU

EntryPoint
RKE
TPMS
Bluetooth
FM/AM/XM
Cellular
Internet/Apps

ECU
TransponderKeyECU
TirePressureMonitorECU
NavigationECU
NavigationECU
N/A
N/A

Bus
BEAN
BEAN(Displaylightonly)
AVCLAN
AVCLAN
N/A
N/A

Diagram

Analysisofautomotivenetworks
Asyoucansee,eachmanufacturerdiffersnotonlyinremotecommunicationsandcyberphysical
systems,butalsonetworkarchitecture.Thismeansthatremotecompromiseswillgenerallybedifferent
foreachmanufacturerandeachcar.

Analysis

ThenumberofECUshaveincreasedovertime
o Infinitiwentfrom11in2006to34in2014
o Jeepwentfrom7in2010to17from2014
o RangeRoverwentfrom41in2010to98in2014
o ToyotaPriuswentfrom23in2006to40in2014

TherearealargenumberofECUsin2014vehiclesfrom19(DodgeViper)to98(RangeRover)

Theremoteattacksurfaceandthenumberofcyberphysicalfeatureshasincreasedastimehas
goneon.

Thenumberofdifferentnetworksincars(complexityofarchitecture)hasincreasedovertime.

TheadditionofECUsovertimeisaresultofmanufacturersrequiringmoretechnology,
specificallyarounduserexperienceandsafety,whichismosteasilyaddedtothevehicleby
patchingitintothemultiplexsystemsavailable,insteadofaddingnewwiringornetworks.

Vehiclesarehavingcommondesktoptechnology,suchaswebbrowsersandincarapps,
providingafamiliarattacksurfaceknowntoattackersformanyyears[12].

TheTPMSandRKEarethemostlikelyECUswithremoteattacksurfaceonthesamesegmentas
cyberphysicalECUs.

6outof14(42%)ofthe2014vehicleswelookedathavenoseparationbetweenatleastone
cyberphysicalECUandonewithremoteattacksurfaces.

Thediagramsofthecarsexamined(above)shownetworktopologieswithalargedegreeof
variance.Somevehiclesseparatecertainfunctionalitywhileothershadmostofthetechnology
andcyberphysicalcomponentsonthesamebus.

Ontheotherhand,Carsmanufacturedinthesameregiontendtohavesimilarnetwork
topologies.WeveseencommonarchitecturesinJapanese(Toyota&Infiniti),German(Audi/VW
&BMW),andAmerican(GM&Ford)automobiles.Thiscouldbeduetosimilarthoughtprocess
orengineerturnover.

Cyberphysicalcontrols,suchasAdaptiveCruiseControl,aremoreprevalentinnewer
automobiles.Muchofthenewtechnologyhastodowithcustomerdemandformoresafety
consciousautomobiles.Permittingcomputerstoperformphysicalactionsmakethedriversafer,

butatthesametime,giveanattackerbuiltinfunctionalityofwhichtoabusetobringpotential
harmtothepassengerandvehicle.

Oursurveyshowsnewercarshavemorecyberphysicalfeaturesbutmanytimesaresegmented
ondifferentcomputernetworks.Sincewedidnothaveallofthecarsreviewedinthispaperwe
cannotsaydefinitelyhowbigofanobstaclesegmentednetworkswouldputinfrontofan
attacker.Fromourperspective,wehaverarelyseensegmentationusedforsecurityboundaries,
insteadnetworksegmentationisusedfornoncommunicablenetworkbuses.

Howpatchableisthemodernautomobile?Rightnow,wevereceivedseveralrecallnoticesfor
the2010FordEscapeandthe2010ToyotaPrius.Allofthemrequiredustobringthevehicleto
alocaldealership.ItdoesnotappearthatmanymanufacturerssupportOvertheAir(OTA)
updateasthistime(July2014).WeveseenpatchingwasntnearlyaseffectiveuntilMicrosoft
automatedtheWindowsUpdatefunctionalityandassumevehicleswillnotbeanydifferent.

MostHackable
1. 2014JeepCherokee
2. 2015CadillacEscalade
3. 2014InfinitiQ50

LeastHackable
1. 2014DodgeViper
2. 2014AudiA8
3. 2014HondaAccord

C&CCarRatings

Car
2014AudiA8
2014Honda
AccordLX
2014Infiniti
Q50
2010InfinitiG37
2014Jeep
Cherokee
2014Dodge
Ram3500
2014Chrysler
300
2014Dodge
Viper
2015Cadillac
Escalade
2006Ford
Fusion
2014Ford
Fusion
2014BMW3
series
2014BMWX3
2014BMWi12
2014Range
RoverEvoque
2010Range
RoverSport
2006Range
RoverSport
2014Toyota
Prius
2010Toyota
Prius
2006Toyota
Prius

AttackSurface NetworkArchitecture
++

CyberPhysical
+
+

++

++

++
++

+
++

++

++

++

++

++

++

++

++

++

++
++
++

++
+
++

++

++

DefendingAgainstRemoteAttacks
Nowthatweunderstandtheentirechainofeventsnecessarytogofromremotelycommunicatingwith
vehicletocontrollingcyberphysicalfeatures,wecanhaveaninformeddiscussionabouthowtodefend
theseattacks.Assuchanattackisnecessarilymultistageinnature,itisouropinionthatthedefense
shouldbelayeredaswell,makingeachstageofsuchanattackdifficulttoachieve.Belowisalistofsuch
ideas.

SecureRemoteEndpoints
First,minimizetheattacksurfaceandlockdownremoteservicesasmuchaspossible.Thisprobably
goeswithoutsaying.However,asthehistoryofsoftwaresecurityshows,completesecurityisnot
achievable.EngineeringpowerhouseslikeMicrosoftandGooglestillhaventbeenabletomakeaweb
browserthatcangoafewmonthswithoutacriticalsecuritypatch,sothereisnoreasontothinkthat
wellhavea100%secureBluetoothstackanytimesoon.Nonetheless,tryingtominimizethenumberof
vulnerabilitiesisstillanimportantstep.Ontopofallthesecureengineeringissues,moreandmore
technologyisbeingaddedeveryyear,creatingadditionalattacksurface.Whilewecondonesecuring
remoteendpoints,wedontbelieveitshouldbetheonlyprocessusedinsecuringthemodern
automobile.

CANInjectionMitigations
OnceanattackergetscoderunningonanECU,itispossibletomakeithardertofortheattackerto
injectCANmessagesimmediately.Forexample,theBluetoothstackprobablydoesnotneedtheability
tosendCANmessages(butwecantcompletelyruleanythingout).Itseemstelematicsunitsinthe
futuremayrunAndroidwhichwouldhavethiscapability.However,asweveseenwithothersandbox
technologies(andAndroidinparticular),thereisalwaysawaytoescapethesesandboxesorelevate
privileges,saythroughaLinuxkernelexploit,tobypassthesemechanisms.

MessageCryptography
OneideaoftensuggestedistocryptographicallyverifyCANmessagestomakeinjectiondifficult.The
ideaisthatonlytheECUs(andmechanicstools)havethekeysandsoarandomattackerwouldntbe
abletosendvalidCANmessagesonthecompromisedautomotivenetwork.Thisideamaypresent
obstaclesforattackerswhoaddroguedevicestoautomotivenetworks,butinthecontextofaremote
attack,theattackerisexecutingcodeonacompromisedECU.Atthispoint,thekeysarealso
compromised,oratleasttheabilitytosendvalidCANmessages.Sothisideadoesntseemtopresent
muchofanobstacleintheremoteattackscenario,whichismostconcerningtoconsumersand
manufacturersalike.

NetworkArchitecture
Asweveseenbylookingatexistingautomotivearchitectures,someautomotivenetworkspresentmore
ofachallengetoattacksafetycriticalECUsthanothers.Thisforwardstheideathatmanufacturers
shoulddesigntheirautomotivenetworksinsuchawaytoisolatethoseECUswithremotefunctionality
fromthosethatcontrolsafetycriticalfeatures.Thisisagreatideaandisdefinitelyrecommended.

However,itisnotapanaceaanddoesnotsolvealltheproblems.First,majorarchitecturalchangeslike
thisareexpensive,takeyearstoimplement,andmostlikelyarentgoingtobehappeninganytimesoon.
OneoftheunderlyingproblemsisthatwhileyoucanisolatethesetwotypesofECUs,some
communicationbetweenthemislikely.Thismeanstherewillhavetobesomekindofbridge/gateway
betweenthem.ThisbridgeECUthenopensupthepossibilityofbeingtrickedintoforwardingmessages
orstraightupbecomingthetargetofcompromise.Whilethisdoesaddanadditionalbarrier(for
example,theacademicresearcherscitedthroughoutthisworkwereabletomovefromonenetworkto
theotherbycompromisingthebridge),itisnotgoingtobeperfect,andmayevenbecomethesingle
pointoffailure.

Additionally,withmoreconnectivitytechnology,includingVehicletoVehicle(V2V)andVehicleto
Infrastructure(V2I),becomingmoreprevalent,thereseemstobetherequirementofremote
communicationsdevicestalkingtocyberphysicalcomponents.Forexample,forV2Vcollisionavoidance
systemstoworkcorrectlyawirelesscomponentmustreceiveasignalandsendmessagesthatcontrol
brakingand/orsteering.

AttackDetection
AfinalsuggestionistoaddattackdetectionandpreventiontechnologyintocriticalCANnetworks.This
representsaninexpensiveandaccuratewaytogreatlyimprovethesecurityofCANnetworksandcanbe
addedtovehiclesimmediately,especiallysincemostmajorcyberphysicalcomponentsrelyonCAN
(althoughFlexrayandothercommunicationsprotocolsaregainingtraction).
Whileattackdetectiontypicallydoesntworkwellinenterprisenetworkenvironments,initialdata
showsthatitworksquitewellinautomotivenetworks.Theprimarydifferenceisthatautomotive
networksarehighlyregularandonlyinvolvecomputerstalkingwithcomputers,withouthuman
interaction.Furthermore,whiletypicalsoftwareexploitscanvarywidelyandcanbedesignedtobe
stealthy,thisdoesntappearpossibleinautomotivenetworks.AllknownCANinjectionattacks(both
oursandtheacademicresearchers)alltakeoneoftwoforms.TheyareeitherCANdiagnosticmessages
ortheyarestandardmessagewithahighlyinflatedsendrate.
Whileitisobviouswhydiagnosticmessagesmightbedangerous,itmayneedaquickdiscussionofwhy
normalmessagesusedforattackmustbettransmittedatamuchhigherratethannormal.Therate
mustbehigherbecausetherearealwaysmessagesgoingfromECUstoECUs.Unlesstheattacker
happenstobeontheECUthatsendstheparticularmessagetheattackerwishestoinject,theoriginal
ECUwillstillbesendingtheoriginalmessagealongwiththeattacker.

ThatmeanstheattackercansendthesamemessagebutthetargetECUwillbereceivingmessagesfrom
theoriginalECUandtheattacker.Atthispoint,therateoftheCANmessagesarehigherthannormal.
But,evenmoreso,inpractice,thewayanattackerensuresthetargetECUlistenstotheinjected
messagesandnottheoriginalonesistosendthemevenfasterthantheoriginalECU.Regardlessofthe
normalmessageinjectionattack,therateofmessageswillbetwiceashighasnormalandinpractice20
100xhigherthannormal.Thepointisthatabnormalmessagesoccurwhethertheattackerissending
diagnosticmessagesornormalmessagesatanincreasedrate,permittingeasydetectionandpossible
preventionofattacks.
Theotherinterestingaspectofdetection,unliketheotherpossibilitiesmentionedhere,isthatindividual
researcherscanbuildandtestthesedevices.Allofourattacksarepublishedandimportantaspectsof
theacademicsarepublicaswell.Asaproofofconcept,webuiltasmalldevicethatplugsintotheOBD
IIportofacar,learnstrafficpatterns,andthendetectsanomalies.Whenthedevicedoesdetect
something,itshortcircuitstheCANbus,thusdisablingallCANmessages,seeFigurebelow.

CANdefenseandprotectionmechanism
WhilethisparticulardeviceplugsintotheOBDIIport,itcouldjustaseasilybewireddirectlyintothe
CANbusormanufacturerscouldeasilyintegratethesesimplealgorithmsintoexistingECUsatalmostno
cost.

Conclusions
Remoteattacksagainstvehicleshavingphysicalimplicationswilltypicallyneedthreestages.These
threestagesareremotecompromise;sendinginjectedmessagestocyberphysicalcomponents,and
makingthedestinationECUperformsomeunsafeaction.Inthispaper,foralargevarietyofvehicles,
weidentifiedtheremoteattacksurfacetoestimatehowdifficultremotecompromisemightbe.We
thenexaminedthearchitectureoftheinternalnetworksofeachvehicle,identifyingthelocationofECUs
whichprocessexternalinputsaswellasECUsthatcontaincapabilitiestocausephysicalchangestothe
vehicle.Thiswillgiveanindicationonhoweasyitwouldbetogetmessagesfromtheformertothe
latter.Finally,weidentifythefeaturesthatthecarpossesseswhichmayhelpintakingphysicalcontrol
ofthevehicle.Combiningthisdata,wecanmakeroughestimatesonthedifficultyofremote
exploitationforthesevehicles.Sincethesetypesofremoteattackswillnecessarilybemultistage,we
recommendadefenseindepthstrategythatincludesdetectionofmessageinjectionaspartofan
overallsafetystrategy.

References
[1]http://bwrcs.eecs.berkeley.edu/Classes/icdesign/ee241_s05/Projects/Midterm/VictorWen.pdf
[2]http://ftp.cse.sc.edu/reports/drafts/2010002tpms.pdf
[3]http://www.autosec.org/pubs/carsusenixsec2011.pdf
[4]http://networksasia.net/article/fsecurewarnsagainsthtcbluetoothexploit1247839201
[5]http://www.defcon.org/images/defcon15/dc15presentations/dc15barisani_and_bianco.pdf
[6]http://datasheets.maximintegrated.com/en/ds/MAX1471.pdf
[7]http://www.codenomicon.com/resources/whitepapers/codenomicon_wp_Fuzzing_Bluetooth_20110
919.pdf
[8]http://en.wikipedia.org/wiki/Radio_Data_System
[9]http://illmatics.com/car_hacking.pdf
[10]http://www.fsecure.com/vulnerabilities/SA201106648
[11]http://www.networkworld.com/article/2231495/ciscosubnet/defconhackingtirepressure
monitorsremotely.html
[12]http://en.wikipedia.org/wiki/Pwn2Own

Das könnte Ihnen auch gefallen