Cyber Security Assignment: Security Threat & Vulnerability of Autonomous Car

Question

Task

Write a cyber security assignment on the topic “Survey on Security threat and vulnerability of autonomous car”.

Answer

1. Introduction
The automotive sector is in a “transition phase” towards complete vehicle autonomy. The recent development in the sector has shown promise with companies as Tesla and Google have heavily invested in its development. Autonomy in any vehicle mainly requires sensors, control units (CPUs), network systems, and actuators. The addition of components and sub-components increases the ports for security breaches. Wireless interfaces used for the contactless transfer of information, like Bluetooth or Wireless Local Area Network (WLAN), are most vulnerable to security breaches (Sommer et al., 2019). The risk posed by the wireless and open port IoT enabled vehicles is a major concern for the automotive makers. The concern is mainly because of the increase in vehicle cost due to extra security measures as well as anxiety of ownership for the customer. The following report discusses and surveys the security risk possessed by autonomous vehicles over the years and its future scopes of improvement.

2. Security Threats of Autonomous cars
Due to the trends of development within the automotive industry, autonomous driving is increasing with time. Along with that, the risk of security attacks is also increasing for such vehicles (Sommer et al., 2019). Scholars stated that numerous vehicles were attacked by cyber-criminals which triggered different types of functions. Wireless interfaces like WLAN (“Wireless Local Area Network”) and Bluetooth technology are widely used in such vehicles that led the vehicle communication system more complex. As a result, it increased the "attack surface" and the cyber-criminals can access and control the vehicle from outside. In addition to exploiting the "attack surfaces," the hackers also can influence the operational safety of the autonomous vehicle. Currently, the vehicles are developing with higher levels of connectivity and automated systems.

It is a crucial factor that with all networking and computerized devices, there is a higher chance of attacks from cyber-criminals. It also increases the opportunities for hackers for implementing a successful attack. The main behind developing and releasing the CAV ("Connected and Autonomous Vehicles") is to provide more reliability and safety. However, such vehicles have the inevitable requirement for network connection and computerized technology (Parkinson et al., 2017). An increase in the level of computerized functionality also increases the possibility of vulnerabilities and resulting in a higher frequency of future attacks. According to the scholars, failures of autonomous vehicles could be categorized into 2 groups. The first one is the component failure and the second one is the failure of infrastructure. The failures may be related to sensor failure, integration platform failure, or hardware system failure (Cui et al., 2019).

It has been considered that autonomous vehicles include several advanced technologies that enable efficient and safer transportation. However, these vehicles create communication with other vehicles via "external networks" and could be exploited by cyber-criminals and hackers. It has been considered that as the autonomous vehicles are still running in the experimental phase, sometimes it is still unclear that what types of personal information the vehicle is collecting. Risks related to owner and passenger information needed to be considered and it may be collected by the vehicle for different purposes. Along with that, tracking the location is also another significant feature of an autonomous vehicle that may pose the passenger to risk as the system could be exploited easily by the attackers. In an interactive survey regarding autonomous vehicles, the majority of the users mentioned that there is a possibility that the vehicle could be hacked. Several scholars and researchers discovered numerous vulnerabilities in the autonomous vehicle system. Accessing the entertainment system and the CAN bus of the autonomous vehicles, several remote manipulations are possible to exploit such cars. It includes the AC (Air conditioner) control, steering, transmission and even disabling of the brakes. The mentioned vulnerabilities could occur in normal vehicles also, but autonomous vehicles lack the ability so that the passenger could take complete control of the vehicle, unlike normal vehicles. Regarding this issue, the vulnerabilities and safety threats on an autonomous car could be more acute.

Another source of risk that is related to autonomous cars are bugs. Software bugs could be referred to as a critical security issue and it could result in severe accidents and even death. Autonomous vehicles use algorithms to make decisions. It includes several risk potentials. For example, if the programming of the car is not correct, it will never be able to avoid accidents. Another significant factor is needed to be focused on the current scenario. Human drivers can make "real-time" decisions at the time of driving. However, while driving; autonomous vehicles make decisions that are based on the inputs that are available from the "sensor data." It could be referred to as a security risk as the sensors could be hacked that will be discussed in the next points below.

Figure 1: “Possible attacks on autonomous vehicles” (Kumar et al., 2018)

2.1. Smart Remote Key Attacks
An autonomous vehicle includes remote keys and pass-codes that are based on Bluetooth and IR ("Infrared Radiation") technologies. Cyber-criminals can attempt "Brute-Force" attacks to crack the IR communication and can exploit the Bluetooth technology to get private information.

2.2. Attacks on Cloud Network
It is a difficult factor that a single autonomous vehicle could support multiple applications and complex computing efficiently. It requires a higher storage capacity to generate "real-time" navigation data. To handle this difficulty, autonomous vehicles are evolving into a cloud network. In addition to improved user experience, cloud computing also dynamically integrates the resources. By using cloud computing, autonomous vehicles acquire different types of LBS ("Location-Based Services"). For example, a hospital is within 2 kilometers from the current vehicle location (Kang et al., 2016). However, LBS is always provided by third-party service providers who are also responsible for protecting privacy and databases. Hackers or cyber-criminals can compromise the data that could be misused and may result in vehicle safety issues.

Figure 2: “Cloud-enabled Internet of Vehicles”(Kang et al., 2016)

2.3. Malware Attacks and Software Security
Ensuring safety for autonomous vehicles is critical due to their public adoption and mass deployment. It has been considered that autonomous vehicles are vulnerable to malware and could be exploited. Malware attacks like the "RoboTack” attack against autonomous vehicles could modify the sensor data of the vehicle. It can fool the vehicle by taking control of the perception module and may lead the vehicle to make unsafe decisions during the driving time (Jha et al., 2020). Along with that, the malware can misguide the vehicle by changing the lane which may result in a severe accident. Moreover, the lack of "secure coding" practices and vulnerability testing by vehicle manufacturers is also responsible for exposing the vehicles to security threats.

3. Types of Vulnerabilities and Attacks

3.1. Sensor Attacks
Autonomous vehicles are operated by several sensors like GPS, cameras, and "LiDAR." Each of the sensors has its own strengths and weaknesses in terms of reliability, capabilities, and range. These sensors help the vehicle detecting other vehicles or handle any unexpected dangers. Intruders or hackers can attack these sensors and misguide the vehicle as the sensors are vulnerable to security threats.

3.2. GPS
GPS spoofing is a direct threat to autonomous vehicles. According to scholars, these vehicles perform "centimeter-level localization" regarding the global position provided on the map (Shen et al., 2020). The localization function ability is highly critical regarding the safety and security of the vehicle. In the public domain, data provided by the GPS satellites could be easily accessed by the cyber-criminals and attackers. As a result, the attackers can manipulate this GPS data to take the routing control of the vehicle. This may lead to safety and security issues for the passengers.

Figure 3: “GPS Spoofing Attack on Autonomous Vehicles”(Kang et al., 2020)

3.3. LiDAR (“Light Detection and Ranging”)
One of the fundamental pillars of the autonomous vehicle is perception. It leverages a sensor which is known as LiDAR ("Light Detection and Ranging"). It is actually used for understanding the driving environment. The sensor of the LiDAR functions by firing “laser pulses” that captures the reflection by using “photodiodes.” As a result, a LiDAR can detect objects for the Autonomous vehicle by generating a "point cloud." When a spoofing attack is conducted against LiDAR, it uses the same channel to manipulate the reading of the sensor (Cao et al., 2019). The strategy of the attack does not require any direct contact with the sensor and the sensor is unable to recognize the attack. It provides erroneous data to the victim sensor which looks legitimate. Scholars considered that the spoofing attack replays the laser pulses of the LiDAR by creating fake points other than the location of the attacking point.

Figure 4: “LiDAR Spoofing Attack”(Cao et al., 2019)

3.4. IMU (“Inertial Measurement Unit”)
IMU could be referred to as the electronic device which is used in autonomous vehicles to measure the acceleration, velocity, and orientation. Along with that, it also monitors the changes in the environment dynamically. Attackers can maliciously modify the IMU data resulting in "false recognition" of the changes. This can slow down the vehicle speed slowing down the entire flow of traffic. It should be considered that the ability of the intruder is improving with type to launch these types of GPS or DDoS attacks (Quinonez et al., 2020). These attacks could be launched from long distances. Additionally, scholars considered that GPS spoofing attacks are achieving higher accuracy levels and even have the ability to take over the GPS.

4. Network Attacks

4.1. V2X (“Vehicle to Everything”) Attacks
With the development of technology within the automotive industries, it has been considered that V2X technology will be the future paradigm in transportation. It is already facilitating the communication system between the subsystems of the vehicles and is improving road safety and reducing fuel and energy consumption. Along with that, it is also enhancing the overall experience of the passengers.

V2X can connect with a smart-phone, cloud-server, and even other devices. Scholars stated that the communication system between the autonomous vehicles and smart-phones is established through GSM, Bluetooth, or Wifi protocols. However, these protocols are inherently vulnerable to security attacks (Kumar et al., 2018). The protocols also include several bugs and cyber-criminals can exploit the protocols easily. As a smart-phone is considered an unfamiliar device that is external, it is always risky for the vehicle to connect with it. If the cloud data center gets compromised at the time of communicating with the vehicle it may start communication with unknown or malicious data servers.

DSRC (“Dedicated Short Range Communication”) protocol is a “duplex communication protocol” that uses a particular channel for user operation in automotive industries. It works at 5.9 GHz (Gigahertz) and has a bandwidth of 75 MHz (Megahertz). The other protocols used by V2X communication are WAVE (“Wireless Access in Vehicular Environments”) and “IEEE 802.11.” All of these protocols are considered as vulnerable and could be exploited by the cyber-criminals.

4.2. V2V (“Vehicle to Vehicle”) Attacks
V2V communication system includes a wireless network so that the autonomous vehicles can send messages to each other. V2V connected vehicles generally share information about location, speed, or braking of the vehicles. It is mainly used for preventing collisions and different types of road perils (Joy & Gerla, 2017). The main goal of this network communication is to prevent road accidents. The major problem with this communication system is the unencrypted protocols that enable the cyber-criminals to exploit the system. The attack includes a” malicious vehicle” that connects with the target vehicle to send false and malicious messages to misguide the target. Moreover, the unencrypted protocols enable hackers to monitor the traffic and data communication between other vehicles. It results in leakage of authentication keys.

4.3. V2I (Vehicle to Infrastructure) Attacks
As the cyber-attacks are dynamic, it is difficult to recognize or detect the threats in "real-time." It is also much difficult to develop an efficient countermeasure to secure the autonomous vehicle from the attack. These vehicles use a V2I system that normally communicates with the system of surrounding infrastructure namely, signals, traffic lights, and nodes of mobile networks (Comert et al., 2018). Different types of cyber-attack scenarios could be generated by using trace files such as DoS ("Denial of Service") attack, "impersonation attack" and false information attack. In this type of attack, cyber-criminals can compromise the nodes of the cellular network and infect it by gaining access to the network.

DDoS ("Distributed Denial of Service") attack is considered as one of the most dangerous attacks that the connected autonomous vehicle may experience. Several attacking procedures and mechanisms attack the service system of the vehicle resulting in "denial of services." It disrupts the flow of traffic and damages the infrastructure. It may result in severe collisions, accidents, and even death of the passengers.

5. APT (“Advanced Persistent Threats”) Attacks

5.1. ECU (“Engine Control Unit”)
In-vehicle CAN (“Controller Area Network”) bus is considered as vulnerable as it shares “weak protocol design” among numerous autonomous vehicles. It is difficult to detect the spoof attacks for the CAN bus (Yang et al., 2020). ECU could be referred to as the electronic control system that controls the actuators and sensors of the autonomous vehicle. A typical autonomous vehicle may include over 100 ECU units. To make the ECU secure, proprietary code is implemented into the ECU.

Using malicious firmware, intruders can update the ECU to manipulate it. Using hashing techniques, the attackers modify the security key and memory of the ECU. These types of attacks are referred to as direct attacks as "direct physical access" of the intruder to the ECU is involved in this method.

5.2. OBD (“”Onboard Diagnostics”) Exploits
Since 2008, almost the entire manufactured vehicle includes OBD (“Onboard Diagnostics”) system and OBD ports. The main function of these ports is to collect the diagnostic data. This data includes all the vehicle performance and fault information. Through the CAN bus, OBD communicates with the ECU. It is referred to as an external device that is connected to the vehicle throughout a port (Christensen & Dannberg, 2019). Once the connection has been established, the OBD port starts sending and receiving data from the ECU of the vehicle. Attackers can exploit the OBD by manipulating the transferred data and injecting malicious code into the network of the vehicle.

6. Conclusion
The data and details given in this survey have shown that the automotive industry has a long way to go for the complete autonomy of vehicles. Security issues with autonomous vehicles like sensor attacks, bugs, decision making issues, ECU attacks, APT attacks, vulnerabilities and network attacks has been discussed in the report. With extras steps being taken for securing the portals of information in the vehicles, the feasibility of such a vehicle becomes a question. Future works on the subject may enable the automobile makers to reduce the component numbers and provide better safety protocols for autonomous vehicles. A further study may also enable autonomous vehicles to avoid accidents better due to lesser security gateway interference with the detection signals from the sensors. Also, wearable devices and vehicle key development will ensure a better ownership experience of the vehicle.

7. Bibliography
Cao, Y., Xiao, C., Cyr, B., Zhou, Y., Park, W., Rampazzi, S., Chen, Q. A., Fu, K., & Mao, Z. M. (2019). Adversarial sensor attack on lidar-based perception in autonomous driving. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2267–2281.

Christensen, L., & Dannberg, D. (2019). Ethical hacking of IoT devices: OBD-II dongles.

Comert, G., Rahman, M., Islam, M., & Chowdhury, M. (2018). Change Point Models for Real-time V2I Cyber Attack Detection in a Connected Vehicle Environment. ArXiv Preprint ArXiv:1811.12620.

Cui, J., Liew, L. S., Sabaliauskaite, G., & Zhou, F. (2019). A review on safety failures, security attacks, and available countermeasures for autonomous vehicles. Ad Hoc Networks, 90, 101823.

Jha, S., Cui, S., Banerjee, S. S., Tsai, T., Kalbarczyk, Z., & Iyer, R. (2020). ML-driven Malware that Targets AV Safety. ArXiv Preprint ArXiv:2004.13004.

Joy, J., & Gerla, M. (2017). Internet of vehicles and autonomous connected car-privacy and security issues. 2017 26th International Conference on Computer Communication and Networks (ICCCN), 1–9.

Kang, J., Yu, R., Huang, X., Jonsson, M., Bogucka, H., Gjessing, S., & Zhang, Y. (2016). Location privacy attacks and defenses in cloud-enabled internet of vehicles. IEEE Wireless Communications, 23(5), 52–59.

Kumar, A. D., Chebrolu, K. N. R., & KP, S. (2018). A brief survey on autonomous vehicle possible attacks, exploits and vulnerabilities. ArXiv Preprint ArXiv:1810.04144.

Parkinson, S., Ward, P., Wilson, K., & Miller, J. (2017). Cyber threats facing autonomous and connected vehicles: Future challenges. IEEE Transactions on Intelligent Transportation Systems, 18(11), 2898–2915.

Quinonez, R., Giraldo, J., Salazar, L., Bauman, E., Cardenas, A., & Lin, Z. (2020). {SAVIOR}: Securing Autonomous Vehicles with Robust Physical Invariants. 29th {USENIX} Security Symposium ({USENIX} Security 20), 895–912.

Shen, J., Won, J. Y., Chen, Z., & Chen, Q. A. (2020). Drift with Devil: Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under {GPS} Spoofing. 29th {USENIX} Security Symposium ({USENIX} Security 20), 931–948.

Sommer, F., Dürrwang, J., & Kriesten, R. (2019). Survey and classification of automotive security attacks. Information, 10(4), 148.

Yang, Y., Duan, Z., & Tehranipoor, M. (2020). Identify a Spoofing Attack on an In-Vehicle CAN Bus Based on the Deep Features of an ECU Fingerprint Signal. Smart Cities, 3(1), 17–30.