Skip to main content
SpringerLink
Log in
Book cover

Nordic Conference on Secure IT Systems

NordSec 2019: Secure IT Systems pp 204–218Cite as

A Study of Security Vulnerabilities and Software Weaknesses in Vehicles

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11875))

Abstract

In this paper, we conduct an empirical study with the purpose of identifying common security vulnerabilities discovered in vehicles. The vulnerability information is gathered for 60 vehicle OEMs (Original Equipment Manufacturers) and common vehicle components from the National Vulnerability Database (NVD). Each vulnerability (CVE) is analyzed with respect to its software weakness type (CWE) and severity score (CVSS). 44 unique CVEs were found in NVD and analyzed. The analysis results show that about 50% of the vulnerabilities fall into the medium severity category, and the three most common software weaknesses reported are protection mechanism failure, buffer errors, and information disclosure.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    https://en.wikipedia.org/wiki/CAN_bus.

  2. 2.

    https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.

  3. 3.

    https://cve.mitre.org.

  4. 4.

    https://nvd.nist.gov.

  5. 5.

    https://www.first.org/cvss/.

  6. 6.

    https://cwe.mitre.org.

  7. 7.

    https://www.cpomagazine.com/cyber-security/connected-cars-a-new-and-dangerous-vector-for-cyber-attacks/.

  8. 8.

    http://autosec.se/wp-content/uploads/2018/04/1.2-holisec-state-of-the-art.pdf.

  9. 9.

    https://www.securityfocus.com.

  10. 10.

    https://www.us-cert.gov/ics/advisories-by-vendor.

  11. 11.

    https://www.upstream.auto/.

  12. 12.

    https://www.qualcomm.com/products/snapdragon-820-automotive-platform.

  13. 13.

    https://automotive.softing.com/en/standards/bus-systems.html.

  14. 14.

    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project.

  15. 15.

    https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication.

  16. 16.

    https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure.

  17. 17.

    https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control.

  18. 18.

    https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration.

References

  1. Aksu, M., Bicakci, K., Dilek, M., Ozbayoglu, A., Tatlı, E.: Automated generation of attack graphs using nvd. In: CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy, pp. 135–142. Association for Computing Machinery (2018)

    Google Scholar 

  2. Buttigieg, R., Farrugia, M., Meli, C.: Security issues in controller area networks in automobiles. In: 18th International Conference on Sciences and Techniques of Automatic Control and Computer Engineering, pp. 1–6 (2017)

    Google Scholar 

  3. Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. In: USENIX Security Symposium, San Francisco, pp. 77–92 (2011)

    Google Scholar 

  4. Currie, R.: Hacking the can bus: basic manipulation of a modern automobile through can bus reverse engineering. The SANS Institute, InfoSec Reading Room Report Series (2017)

    Google Scholar 

  5. Dorottya Papp, Z.M., Buttyan, L.: Embedded systems security: threats, vulnerabilities, and attack taxonomy. In: 2015 13th Annual Conference on Privacy, Security and Trust (PST), pp. 145–152 (2015)

    Google Scholar 

  6. Durrwang, J., Braun, J., Rumez, M., Kriesten, R.: Security evaluation of an Airbag-ECU by reusing threat modeling artefacts. In: 2017 International Conference on Computational Science and Computational Intelligence (CSCI), pp. 37–43. IEEE (2017)

    Google Scholar 

  7. Gülsever, M.: A Study on Vulnerabilities in Connected Cars. Degree project, KTH Royal Institute of Technology, Stockholm, Sweden (2019)

    Google Scholar 

  8. Jajodia, S.: Topological analysis of network attack vulnerability. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, p. 2. ACM (2007)

    Google Scholar 

  9. Johnson, P., Lagerström, R., Ekstedt, M., Franke, U.: Can the common vulnerability scoring system be trusted? A Bayesian analysis. IEEE Trans. Dependable Secur. Comput. 15(6), 1002–1015 (2018)

    Article  Google Scholar 

  10. Katsikeas, S., Johnson, P., Hacks, S., Lagerström, R.: Probabilistic modeling and simulation of vehicular cyber attacks: an application of the meta attack language. In: Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP) (2019)

    Google Scholar 

  11. Kaya, K.M.: A Study of Vulnerabilities and Weaknesses in Connected Cars. Degree project, KTH Royal Institute of Technology, Stockholm, Sweden (2019)

    Google Scholar 

  12. Treetippayaruk, S., Senivongse, T.: Security vulnerability assessment for software version upgrade. In: 2017 18th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), pp. 283–289 (2017)

    Google Scholar 

  13. Välja, M., Korman, M., Lagerström, R.: A study on software vulnerabilities and weaknesses of embedded systems in power networks. In: Proceedings of the 2nd Workshop on Cyber-Physical Security and Resilience in Smart Grids, pp. 47–52. ACM (2017)

    Google Scholar 

  14. Xiong, W., Krantz, F., Lagerström, R.: Threat modeling and attack simulations of connected vehicles: a research outlook. In: Proceedings of the 5th International Conference on Information Systems Security and Privacy (ICISSP) (2019)

    Google Scholar 

  15. Xiong, W., Lagerström, R.: Threat modeling - a systematic literature review. Comput. Secur. 84, 53–69 (2019)

    Article  Google Scholar 

  16. Xiong, W., Lagerström, R.: Threat modeling of connected vehicles: a privacy analysis and extension of vehicleLang. In: International Conference on Cyber Incident Response, Coordination, Containment & Control (Cyber Incident). IEEE (2019)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden

    Wenjun Xiong, Melek Gülsever, Koray Mustafa Kaya & Robert Lagerström

Authors
  1. Wenjun Xiong
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Melek Gülsever
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Koray Mustafa Kaya
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Robert Lagerström
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Wenjun Xiong .

Editor information

Editors and Affiliations

  1. Aarhus University, Aarhus, Denmark

    Aslan Askarov

  2. Aalborg University, Aalborg, Denmark

    René Rydhof Hansen

  3. IT University of Copenhagen, Copenhagen, Denmark

    Willard Rafnsson

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Xiong, W., Gülsever, M., Kaya, K.M., Lagerström, R. (2019). A Study of Security Vulnerabilities and Software Weaknesses in Vehicles. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science(), vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-35055-0_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35054-3

  • Online ISBN: 978-3-030-35055-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation