Advertisement

Understanding Common Automotive Security Issues and Their Implications

  • Aljoscha LautenbachEmail author
  • Magnus Almgren
  • Tomas Olovsson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11552)

Abstract

With increased connectivity of safety-critical systems such as vehicles and industrial control systems, the importance of secure software rises in lock-step. Even systems that are traditionally considered to be non safety-critical can become safety-critical if they are willfully manipulated. In this paper, we identify 8 important security issues of automotive software based on a conceptually simple yet interesting example. The issues encompass problems from the design phase, including requirements engineering, to the choice of concrete parameters for an API. We then investigate how these issues are perceived by automotive security experts through a survey.

The survey results indicate that the identified issues are indeed problematic in real industry use-cases. Based on the collected data, we draw conclusions which problems deserve further attention and how the problems can be addressed. In particular, we find that key distribution is a major issue. Finally, many of the identified issues can be addressed by improved documentation and access to security experts.

Keywords

Automotive application development Automotive security Expert survey 

Notes

Acknowledgments

We would like to thank all survey participants for their valuable time and input. We would also like to thank all anonymous reviewers for their constructive feedback. The research leading to these results has been partially supported by VINNOVA, the Swedish Governmental Agency for Innovation Systems, through the project “HoliSec” (2015-06894), and by the Swedish Civil Contingencies Agency (MSB) through the project “RICS”.

References

  1. 1.
    Acar, Y., et al.: Comparing the usability of cryptographic APIs. In: Proceedings of the 38th IEEE Symposium on Security and Privacy (2017)Google Scholar
  2. 2.
    Anderson, R.: Why cryptosystems fail. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, pp. 215–227. ACM, New York (1993)Google Scholar
  3. 3.
    Avizienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secure Comput. 1(1), 11–33 (2004)CrossRefGoogle Scholar
  4. 4.
    Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. In: Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, USA, pp. 77–92, August 2011Google Scholar
  5. 5.
    Fahl, S., Harbach, M., Perl, H., Koetter, M., Smith, M.: Rethinking SSL development in an appified world. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 49–60. ACM (2013)Google Scholar
  6. 6.
    Firesmith, D.G.: Common concepts underlying safety security and survivability engineering. Technical report CMU/SEI-2003-TN-033, Software Engineering Institute - Carnegie Mellon University, December 2003Google Scholar
  7. 7.
    Islam, M.M., Lautenbach, A., Sandberg, C., Olovsson, T.: A risk assessment framework for automotive embedded systems. In: Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security, pp. 3–14. ACM (2016)Google Scholar
  8. 8.
    Jonsson, E.: Towards an integrated conceptual model of security and dependability. In: The First International Conference on Availability, Reliability and Security, ARES 2006, pp. 646–653. IEEE (2006)Google Scholar
  9. 9.
    Koopman, P.: Embedded system security. Computer 37(7), 95–97 (2004)CrossRefGoogle Scholar
  10. 10.
    Koscher, K., et al.: Experimental security analysis of a modern automobile. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 447–462, May 2010Google Scholar
  11. 11.
    Lazar, D., Chen, H., Wang, X., Zeldovich, N.: Why does cryptographic software fail? A case study and open problems. In: Proceedings of 5th Asia-Pacific Workshop on Systems, APSys 2014, pp. 1–7. ACM, New York (2014)Google Scholar
  12. 12.
    Line, M., Nordland, O., Røstad, L., Tøndel, I.: Safety vs. security. In: Proceedings of the 8th International Conference on Probabilistic Safety Assessment and Management (PSAM), pp. 685–699. IAPSAM (2006)Google Scholar
  13. 13.
    Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Technical report, Defcon 23, August 2015. http://illmatics.com/Remote%20Car%20Hacking.pdf
  14. 14.
    Myers, B.A., Stylos, J.: Improving API usability. Commun. ACM 59(6), 62–69 (2016)CrossRefGoogle Scholar
  15. 15.
    Nowdehi, N., Lautenbach, A., Olovsson, T.: In-vehicle CAN message authentication: an evaluation based on industrial criteria. In: 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall), pp. 1–7. IEEE (2017)Google Scholar
  16. 16.
    Piètre-Cambacédès, L., Chaudet, C.: The SEMA referential framework: avoiding ambiguities in the terms “security” and “safety”. Int. J. Crit. Infrastruct. Prot. 3(2), 55–66 (2010)CrossRefGoogle Scholar
  17. 17.
    SAE International: SAE \(\text{J}3061\_201601\) - Cybersecurity Guidebook for Cyber-Physical Vehicle Systems, January 2016Google Scholar
  18. 18.
    Seacord, R.C.: Secure Coding in C and C++. Pearson Education, London (2005)Google Scholar
  19. 19.
    Stevens, M., et al.: Announcing the first SHA1 collision, February 2017. https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
  20. 20.
    Studnia, I., Nicomette, V., Alata, E., Deswarte, Y., Kaaniche, M., Laarouchi, Y.: Survey on security threats and protection mechanisms in embedded automotive networks. In: 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W), pp. 1–12 (2013)Google Scholar
  21. 21.
    Szekeres, L., Payer, M., Wei, T., Song, D.: SoK: eternal war in memory. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 48–62, May 2013Google Scholar
  22. 22.
    van der Veen, V., dutt-Sharma, N., Cavallaro, L., Bos, H.: Memory errors: the past, the present, and the future. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 86–106. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-33338-5_5CrossRefGoogle Scholar
  23. 23.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005).  https://doi.org/10.1007/11535218_2CrossRefGoogle Scholar
  24. 24.
    Wolf, M., Weimerskirch, A., Paar, C.: Security in automotive bus systems. In: Proceedings of the Workshop on Embedded Security in Cars (ESCAR), November 2004Google Scholar
  25. 25.
    Zalman, R., Mayer, A.: A secure but still safe and low cost automotive communication technique. In: Proceedings of the 51st Annual Design Automation Conference, DAC 2014, pp. 1–5. ACM, New York (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Chalmers University of TechnologyGothenburgSweden

Personalised recommendations