A Study of Security Vulnerabilities and Software Weaknesses in Vehicles

  • Wenjun Xiong
  • Melek Gülsever
  • Koray Mustafa Kaya
  • Robert Lagerström
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11875)


In this paper, we conduct an empirical study with the purpose of identifying common security vulnerabilities discovered in vehicles. The vulnerability information is gathered for 60 vehicle OEMs (Original Equipment Manufacturers) and common vehicle components from the National Vulnerability Database (NVD). Each vulnerability (CVE) is analyzed with respect to its software weakness type (CWE) and severity score (CVSS). 44 unique CVEs were found in NVD and analyzed. The analysis results show that about 50% of the vulnerabilities fall into the medium severity category, and the three most common software weaknesses reported are protection mechanism failure, buffer errors, and information disclosure.


Keywords: Vehicles, Cyber security, Vulnerabilities, Weaknesses



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Wenjun Xiong (1)
  • Melek Gülsever (1)
  • Koray Mustafa Kaya (1)
  • Robert Lagerström (1)
  1. School of Electrical Engineering and Computer Science, KTH Royal Institute of Technology, Stockholm, Sweden
