Tobias Hoppe

Security Threats to Automotive CAN Networks --- Practical Examples and Selected Short-Term Countermeasures

The IT security of automotive systems is an evolving area of research. To analyse the current situation we performed several practical tests on recent automotive technology, focusing on automotive systems based on CAN bus technology. With respect to the results of these tests, in this paper we discuss selected countermeasures to address the basic weaknesses exploited in our tests and also give a short outlook to requirements, potential and restrictions of future, holistic approaches.

Security threats to automotive CAN networks—Practical examples and selected short-term countermeasures

Abstract The IT security of automotive systems is an evolving area of research. To analyse the current situation and the potentially growing tendency of arising threats we performed several practical tests on recent automotive technology. With a focus on automotive systems based on CAN bus technology, this article summarises the results of four selected tests performed on the control systems for the window lift, warning light and airbag control system as well as the central gateway. These results are supplemented in this article by a classification of these four attack scenarios using the established CERT taxonomy and an analysis of underlying security vulnerabilities, and especially, potential safety implications. With respect to the results of these tests, in this article we further discuss two selected countermeasures to address basic weaknesses exploited in our tests. These are adaptations of intrusion detection (discussing three exemplary detection patterns) and IT-forensic measures (proposing proactive measures based on a forensic model). This article discusses both looking at the four attack scenarios introduced before, covering their capabilities and restrictions. While these reactive approaches are short-term measures, which could already be added to today’s automotive IT architecture, long-term concepts also are shortly introduced, which are mainly preventive but will require a major redesign. Beneath a short overview on respective research approaches, we discuss their individual requirements, potential and restrictions.

Future perspectives: the car and its IP-address - a potential safety and security risk assessment

The fast growing Internet technology has affected many areas of human life. As it offers a convenient and widely accepted approach for communication and service distribution it is expected to continue its influence to future system design. Motivated from this successful spreading we assume hypothetical scenarios in our paper, whereby automotive components might also be influenced by omnipresent communication in near future. If such a development would take place it becomes important to investigate the influence to security and safety aspects. Based on todays wide variety of Internet based security attacks our goal is therefore to simulate and analyze potential security risks and their impact to safety constraints when cars would become equipped and connected with an IP based protocol via unique IP addresses. Therefore, our work should motivate the inserting of security mechanisms into the design, implementation and configuration of the car IT systems from the beginning of the development, which we substantiate by practical demo attacks on recent automotive technology.

Automotive IT-Security as a Challenge: Basic Attacks from the Black Box Perspective on the Example of Privacy Threats

Since automotive IT is becoming more and more powerful, the IT-security in this domain is an evolving area of research. In this paper we focus on the relevance of the black box perspective in the context of threat analyses for automotive IT systems and discuss typical starting points and implications of respective attacks. We put a special focus on potential privacy issues, which we expect to be of increasing relevance in future automotive systems. To motivate appropriate provision for privacy protection in future cars we discuss potential scenarios of privacy violations. To underline the relevance even today, we further present a novel attack on a recent gateway ECU enabling an attacker to sniff arbitrary internal communication even beyond subnetwork borders.

Adaptive Dynamic Reaction to Automotive IT Security Incidents Using Multimedia Car Environment

Modern cars offer an increasingly powerful multimedia environment. While also the potential for an application as human computer interface (HCI) is growing, in this paper we concentrate on already existing possibilities for their use as computer-human-interface (CHI) to communicate system security related information to the driver. After identifying the intrusion detection approach from desktop IT as a promising supplemental measure for the IT security of future automotive systems and successfully testing it in practice, in this paper we investigate about how such an automotive intrusion detection system (IDS) could communicate security-related information to the driver. We propose an adaptive dynamic concept to address the frequently changing environmental conditions in the automotive domain and discuss it using three exemplarily selected scenarios.

Statistical detection of malicious PE-Executables for fast offline analysis

While conventional malware detection approaches increasingly fail, modern heuristic strategies often perform dynamically, which is not possible in many applications due to related effort and the quantity of files. Based on existing work from [1] and [2] we analyse an approach towards statistical malware detection of PE executables. One benefit is its simplicity (evaluating 23 static features with moderate resource constrains), so it might support the application on large file amounts, e.g. for network-operators or a posteriori analyses in archival systems. After identifying promising features and their typical values, a custom hypothesis-based classification model and a statistical classification approach using the WEKA machine learning tool [3] are generated and evaluated. The results of large-scale classifications are compared showing that the custom, hypothesis based approach performs better on the chosen setup than the general purpose statistical algorithms. Concluding, malicious samples often have special characteristics so existing malware-scanners can effectively be supported.

A new forensic model and its application to the collection, extraction and long term storage of screen content off a memory dump

In this paper we show how to extract graphics content within a memory dump of a Windows-based system. This includes the assurance of integrity and authenticity of evidence gathered this way using cryptographic mechanisms. We introduce a forensic data model and investigate different forensic analysis steps within a phase-oriented manner to classify potential forensic methods. Furthermore we discuss approaches for long term preservation for the forensic data aquired from the memory dumps to ensure authenticity and integrity.

Theoretical analysis of security warnings in vehicles and design challenges for the evaluation of security warnings in virtual environments

In this paper, we present an approach for designing security warnings in vehicles for software based security incidents. With this we pursue the goal of reducing safety relevant component failures, which can be caused by manipulated or malicious software. The basis of our work is a theoretical analysis of the correlation of manipulated software (including malware) in automotive systems with the safety relevant failures of system components. We describe the potential of a security warning, which can be presented in time ahead of a traditional safety warning: The latter would only indicate safety-relevant implications that potentially arise later as an implication of the preceding security incident. In this paper we suggest three exemplary icons for a combined security-safety warning. Combined warning means a warning not at the time of a safety-relevant failure but already in the detection of the security-violation (e.g. manipulated software in the vehicle). An essential precondition is a recognition algorithm for such malicious software, which has been examined in previous research like [3]. Based on theoretical analyses, we introduce an exemplary design for the testing of these warnings in a virtual environment, precisely, in a driving simulator. A couple of factors play a central role in such evaluations, such as: perception, reaction of the driver, interpretation of warnings and security awareness. The results can be interpreted in the context of the fundamental aim: the reduction of accidents by security alerts. They thus serve as a recommended course of action for implementation in future vehicles.

Vehicle systems: comfort & security enhancement of face/speech fusion with compensational biometric modalities

Biometric modalities can be used to improve security, safety and comfort in different applications. For example it is possible to restrict access to computer systems or buildings by biometric authentication. Since the usage of biometric modalities is considered more and more also for vehicles, in this paper we review two existing approaches of fusing speech, face and additional biometric modalities in automotive applications. We also combine them to an extended concept for an improvement of the achievable comfort and security. Especially we include additional soft biometric modalities to compensate failures of the biometric sensors to ensure business continuity through enhanced availability. However, enhancements of the comfort of biometric authentication systems on one side, often lead to a decrease of their security on the other. In a first theoretical simulation we show the overall comfort improvement, compare the new concept with the selected two existing approaches and discuss potential security implications.

Statistical Pattern Recognition Based Content Analysis on Encrypted Network: Traffic for the TeamViewer Application

In the course of a forensic investigation it might be required to distinguish between different network activities. While various means to analyse network traffic exist, encrypted traffic often makes such an analysis problematic. The focus of this paper is to introduce a method based on statistical pattern recognition on network recordings of encrypted sessions to distinguish between different actions within these sessions. For demonstration purposes the popular remote support and online-meeting application TeamViewer is selected to introduce and discuss an approach to distinguish between file transfers, voice conferences, video conferences, text chat and normal remote sessions within TeamViewer sessions.