Experimental Security Analysis of a Modern Automobile

Link to the Paper: http://www.autosec.org/pubs/cars-oakland2010.pdf

Summary:

This paper explains the transition of how cars which were once entirely mechanical devices have made the transition into the 21st Century to become more digital and computerized. The reality of this transformation is the number of subsystems that contain computers. When the first computers were introduced into cars it was in response to regulation such as the Clean Air Act which required pollution control. But since then most cars now have 60-70 Electronic Control Units which contain thousands of lines of code. This paper looks at how to exploit 2, 2009 vehicles in 3 different states.

 

What I didn't like:

  1. The study only explored 2 cars - both of which were form 2009 which begs the study could be outdated

  2. The study noted that modern EV's are much more prone to having a lot more ECU's given their specific hardware requirements but never really flushed this out more. I think this was bad given that EV's are supposed to be the future of automobiles.

  3. The study says its not clear if auto designers made their systems in expectation of an adversary - I think that this could have been solved with a very easy survey that could have been included in this study

  4. Study is really general ie "Looking forward, we discuss the complex challenges in addressing vulnerabilities in the context of the automotive ecosystem" (loosely quoting)

  5. The study is very specific and doesn't go after trends in the industry when noting cyber security challenges - this means its very hard to draw lessons for the general industry

 

 

What I liked:

  1. The study paints a clear story of why cybersecurity hasn't kept up. We went from no computers to 50-70 computers really fast.

  2. The study really explained a lot of the different ECU's and how they differ in. a bunch of different cars

  3. The study explores a lot of different facets of car security which aren't just the automatic go to's when you think of a car ie just onstar

  4. The study makes sure to consider actors such as "car tuners" who might not be malicous actors but want more custom control of their car

  5. The study explored experiments on the car in 3 different settings ie (Bench, Stationary, and on the Road)

 

 

Points for Discussion:

  1. How easy it is to infiltrate ECUs as a regular user?

  2. Are modular cars a thing right now? How long until I see one on the road in mass production?

  3. Has regulation in the car industry which led to the introduction of ECU's been a positive or negative in the realm of cybersecurity?

  4. What actions in the short term can be taken to help secure cars against future attacks?

  5. How long until we see cars as a major vector for cyber attacks against people?

 

New Ideas:

  1. How hard would it be to patch ECC bugs with over the network updates

  2. Given the vulnerabilities in cars is it best for some critical systems to stay analog on cars?

  3. Would consolidation of the vehicle software industry improve cybersecurity for automobiles?

  4. Can OnStar be used to leverage new cyber protections for cars - can we learn anything from how they keep their data safe

  5. How does the necessity for cars to be serviced by 3rd parties compromise the vehicle's security?