Abstract
With increased connectivity of safety-critical systems such as vehicles and industrial control systems, the importance of secure software rises in lock-step. Even systems that are traditionally considered non-safety-critical can become safety-critical if they are willfully manipulated. In this paper, we identify 8 important security issues of automotive software based on a conceptually simple yet interesting example. The issues encompass problems from the design phase, including requirements engineering, to the choice of concrete parameters for an API. We then investigate how these issues are perceived by automotive security experts through a survey.
The survey results indicate that the identified issues are indeed problematic in real industry use-cases. Based on the collected data, we draw conclusions about which problems deserve further attention and how they can be addressed. In particular, we find that key distribution is a major issue. Finally, many of the identified issues can be addressed by improved documentation and access to security experts.
Notes
1. As stated earlier, we did not track company affiliations to preserve anonymity.
2. There are several other coding guidelines for embedded, safety-critical or secure software, such as the JPL C Coding Standard, the SEI CERT C Coding Standard, or The Power of 10 - Rules for Developing Safety Critical Code, but a more detailed discussion is out of scope for this paper.
Acknowledgments
We would like to thank all survey participants for their valuable time and input. We would also like to thank all anonymous reviewers for their constructive feedback. The research leading to these results has been partially supported by VINNOVA, the Swedish Governmental Agency for Innovation Systems, through the project “HoliSec” (2015-06894), and by the Swedish Civil Contingencies Agency (MSB) through the project “RICS”.
© 2019 Springer Nature Switzerland AG
Cite this paper
Lautenbach, A., Almgren, M., Olovsson, T. (2019). Understanding Common Automotive Security Issues and Their Implications. In: Hamid, B., Gallina, B., Shabtai, A., Elovici, Y., Garcia-Alfaro, J. (eds) Security and Safety Interplay of Intelligent Software Systems. CSITS ISSA 2018. Lecture Notes in Computer Science, vol 11552. Springer, Cham. https://doi.org/10.1007/978-3-030-16874-2_2
DOI: https://doi.org/10.1007/978-3-030-16874-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-16873-5
Online ISBN: 978-3-030-16874-2