
active remote control via the Internet and real-time data exfiltration of position, speed and surreptitious streaming of cabin audio (i.e., anything being said in the vehicle) to an outside recipient. Finally, we also explore potential attack scenarios and gauge whether these threats are purely conceptual or whether there are plausible motives that transform them into actual risks. In particular, we demonstrate complete capabilities for both theft and surveillance.
Synthesis. On reflection, we noted that the vulnerabilities we uncovered have surprising similarities. We believe that these are not mere coincidences, but that many of these security problems arise, in part, from systemic structural issues in the automotive ecosystem. Given these lessons, we make a set of concrete, pragmatic recommendations which significantly raise the bar for automotive system security. These recommendations are intended to “bridge the gap” until deeper architectural redesign can be carried out.
2 Background and Related Work
Modern automobiles are controlled by a heterogeneous combination of digital components. These components, Electronic Control Units (ECUs), oversee a broad range of functionality, including the drivetrain, brakes, lighting, and entertainment. Indeed, very few operations are not mediated by computer control in a modern vehicle (with the parking brake and steering being the last holdouts, though semi-automatic parallel parking capabilities are available in some vehicles and full steer-by-wire has been demonstrated in several concept cars). Charette estimates that a modern luxury vehicle includes up to 70 distinct ECUs including tens of millions of lines of code [5]. In turn, ECUs are interconnected by common wired networks, usually a variant of the Controller Area Network (CAN) [12] or FlexRay bus [8]. This interconnection permits complex safety and convenience features such as pre-tensioning of seat-belts when a crash is predicted and automatically varying radio volume as a function of speed.
At the same time, this architecture provides a broad internal attack surface since on a given bus each component has at least implicit access to every other component. Indeed, several research groups have described how this architecture might be exploited in the presence of compromised components [15, 24, 26, 27, 28] or demonstrated such exploits by spoofing messages to isolated components in the lab [10]. Most recently, our own group documented experiments on a complete automobile, demonstrating that if an adversary were able to communicate on one or more of a car’s internal network buses, then this capability could be sufficient to maliciously control critical components across the entire car (including dangerous behavior such as forcibly engaging or disengaging individual brakes independent of driver input) [14]. However, these results raise the question of how an adversary might be able to access a car’s internal bus (and thus compromise its ECUs) absent direct physical access, a question that we answer in this paper.
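The shared-bus property described above (every node on a CAN segment sees every frame, and a frame carries no authenticated sender) is what makes message spoofing possible. The following is an added example, not code from the paper or its authors, showing one defensive check a bus monitor can apply: most control frames are broadcast periodically by a single ECU, so an injected copy of such a frame tends to break the expected inter-arrival interval for its ID. It assumes candump-style log lines of the form `(timestamp) interface ID#DATA`, and the sample capture, the IDs, the 10 ms period and the 0.5 ratio are constructed for illustration only.

```python
"""Cadence-based detection of injected CAN frames (added example)."""
import re
from collections import defaultdict
from statistics import median

# candump-style log, constructed for this example (not a real capture).
# ID 0x1A0 is broadcast every 10 ms; one extra frame (data FFFF) arrives
# only 3 ms after the previous one. ID 0x2B0 is a normal 100 ms message.
SAMPLE_LOG = """\
(1.000) can0 1A0#0000
(1.005) can0 2B0#AA
(1.010) can0 1A0#0010
(1.020) can0 1A0#0020
(1.030) can0 1A0#0030
(1.033) can0 1A0#FFFF
(1.040) can0 1A0#0040
(1.050) can0 1A0#0050
(1.105) can0 2B0#AB
(1.205) can0 2B0#AC
(1.305) can0 2B0#AD
"""

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Parse candump-style lines into (timestamp, can_id, data) tuples."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def find_cadence_anomalies(frames, ratio=0.5, min_samples=3):
    """Return frames that arrive much sooner than their ID's usual period.

    The baseline period per ID is the median inter-arrival time, which is
    robust to a small number of injected frames. A frame whose gap to its
    predecessor is below ratio * period is reported. IDs with fewer than
    min_samples gaps have no trustworthy baseline and are skipped.
    """
    by_id = defaultdict(list)
    for ts, can_id, data in frames:
        by_id[can_id].append((ts, data))

    anomalies = []
    for can_id, seq in by_id.items():
        seq.sort()  # order by timestamp
        deltas = [b[0] - a[0] for a, b in zip(seq, seq[1:])]
        if len(deltas) < min_samples:
            continue
        period = median(deltas)
        for (ts, data), delta in zip(seq[1:], deltas):
            if delta < ratio * period:
                anomalies.append((ts, can_id, data))
    return anomalies


if __name__ == "__main__":
    for ts, can_id, data in find_cadence_anomalies(parse_candump(SAMPLE_LOG)):
        print(f"off-schedule frame at {ts:.3f}s: ID 0x{can_id:03X} data {data.hex().upper()}")
```

Because the bus itself offers no sender authentication, a monitor like this can only raise a signal, not prove provenance: event-triggered (non-periodic) IDs need a different baseline, and a frame that happens to land on schedule is not flagged. It is one layer that complements the architectural measures discussed later in the paper.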
About the latter question — understanding the external attack surface of modern vehicles — there has been far less research work. Among the exceptions is Rouf et al.’s recent analysis of the wireless Tire Pressure Monitoring System (TPMS) in a modern vehicle [22]. While their work was primarily focused on the privacy implications of TPMS broadcasts, they also described methods for manipulating drivers by spoofing erroneous tire pressure readings and, most relevant to our work, an experience in which they accidentally caused the ECU managing TPMS data to stop functioning through wireless signals alone. Still others have focused on the computer security issues around car theft, including Francillon et al.’s recent demonstration of relay attacks against keyless entry systems [9], and the many attacks on the RFID-based protocols used by engine immobilizers to identify the presence of a valid ignition key, e.g., [2, 6, 11]. Orthogonally, there has been work that considers the future security issues (and expanded attack surface) associated with proposed vehicle-to-vehicle (V2V) systems (sometimes also called vehicular ad-hoc networks, or VANETs) [4, 13, 21]. To the best of our knowledge, however, we are the first to consider the full external attack surface of the contemporary automobile, characterize the threat models under which this surface is exposed, and experimentally demonstrate the practicality of remote threats, remote control, and remote data exfiltration. Our experience further gives us the vantage point to reflect on some of the ecosystem challenges that give rise to these problems and point the way forward to better secure the automotive platform in the future.
3 Automotive threat models
While past work has illuminated specific classes of threats to automotive systems — such as the technical security properties of their internal networks [14, 15, 24, 26, 27, 28] — we believe that it is critical for future work to place specific threats and defenses in the context of the entire automotive platform. In this section, we aim to bootstrap such a comprehensive treatment by characterizing the threat model for a modern automobile. Though we present it first, our threat model is informed significantly by the experimental investigations we carried out, which are described in subsequent sections.
In defining our threat model, we distinguish between technical capabilities and operational capabilities.
Technical capabilities describe our assumptions concerning what the adversary knows about its target vehicles as well as her ability to analyze these systems to develop malicious inputs for various I/O channels. For example, we assume that the adversary has access to an instance of