1 main reason is that the social and

1 Introduction

Connected vehicles are already rising in percentage at a rapid rate. Not only
car companies, but many of the most innovative and well funded companies
are trying to be the top in this segment and bring these to the market. The
main reason is that the social and economic benefits they will produce are

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

But just like any other innovative technology, this also will bring about
additional challenges and risks along with benefits.

As vehicle cyber-security is still a mostly unknown area, even for the people
working at the bleeding edge of the technology spectrum. This makes it one of
the largest threats which the society will have to endure as the transportation
industry evolves rapidly.

Until now, no major malicious attacks on automobiles haven’t taken place.
But the looming danger was brought to light when two security researchers
remotely took over the control of a Jeep Cherokee 1 and changed the trans-
mission to neutral from drive, while it was cruising on a highway. They were
also able to control the entertainment system, windshield washers, air condi-
tioning, etc, in a completely remote manner.

The central challenge in vehicles are that almost all electronic and electrical
components inside a vehicle are interconnected using an internal network. So,
in case a hacker is able to hack into a vulnerable point, maybe the Bluetooth
or music system, they will be able to take over the control of almost all other
ECUs like engine, transmission, breaks, etc and cause major damage.

As most of the vehicles manufactured nowadays include complex electronic
network which consists of around 100 ECUs and maybe around 100Million
lines of code, this opens up a very large surface where attack is possible. A
more concerning issue is that there is no central entity that is in familiar with,
or in control of the vehicle’s entire source code as most ECUs are sourced from
various suppliers. So, regulation or standardization is a hurdle that have to be

Here, the discussion is on the underlying problem, possible attack vectors
and prevention of attacks using various methods.

1.1 Connected Vehicles

Connected cars are equipped with Internet connectivity, and mostly con-
tains a wireless local area network too. So the car is able to share Internet
connectivity with peripherals present inside as well as outside the car. For
safety-critical applications, cars are usually equipped with Dedicated Short
Range Communication (DSRC) Radios, which operate in the 5.9GHz band
with an extremely low latency.

Connected cars can be classified into the following segments.

• Mobility Management
• Safety

Department of CSE, GEC, Thrissur


INTRODUCTION CS14-806(P) Seminar, 2018

• Vehicle management
• Driver assistance
• Entertainment
• Well Being

The main connections that are present inside a connected car are

Components to Components: Various components inside the car commu-
nicate with each other to send necessary data and control signals while driving.

Vehicle to User: The cars communicate with the user using web or mo-
bile interface to facilitate various functions which are very useful for the user.

Vehicle to Infrastructure: The vehicle communicate with the company
infrastructure to send and receive necessary data. Over the air updates and
other security related services are usually served trough this connection.

Vehicle to Vehicle: The vehicle communicate with the neighbouring ve-
hicles using DSRC network to send useful data between them and create a
connected smart grid which they use for increasing the efficiency and safety.

Figure 1: Connected Vehicles

Department of CSE, GEC, Thrissur


INTRODUCTION CS14-806(P) Seminar, 2018
1.2 Network Types

Modern cars have around 30-100 ECUs that communicate in real time
with each other. For enabling this communication, there are different types
of networks present inside the computer that facilitate the high speed com-
munication based on the bandwidth requirements specified by each sensor or

Network Types:

• Controller Area Network (CAN).
• Local Interconnect Network (LIN).
• Media-Oriented Systems Transport (MOST).

1.2.1 Controller Area Network (CAN)

Figure 2: Controller Area Network

The Controller Area Network (CAN) was originally developed by Bosch
in 1985 for in-vehicle networks. Previously, every component was connected di-
rectly, which meant a very high wiring overhead and cost. By developing CAN,
all devices could be connected to a single bus, which reduced the complexity
and cost drastically.

Benefits of CAN include:

• Low-Cost, Lightweight Network.
• Broadcast Communication.
• Priority.
• Error Checking Capabilities.

Department of CSE, GEC, Thrissur


INTRODUCTION CS14-806(P) Seminar, 2018

Figure 3: Reduction in wiring using CAN

1.3 Organization of Report

Section 2 explains security threats that are present for connected vehicles.
Section 3 deals with the defense mechanisms and their classifications. Section
4,5 and 6 explains the major technologies like Secure Flash Programming,
EVITA and SHE. Section 7 Concludes the report.

Department of CSE, GEC, Thrissur


SECURITY THREATS CS14-806(P) Seminar, 2018
2 Security Threats

Figure 4: Connected Vehicle Attack Taxonomy 2

2.1 Attackers

Before trying to understand the problems faced by connected vehicles,
analysis should be done on from where the attacks might arise. There are
different categories of attackers that may try to infiltrate the security system
of the cars. They can be classified into the following categories.

Table 1: Classification of Attackers

2.2 Attack Vectors

Attack vectors are the possible routes that the attacker can user to infiltrate
the system. They can be classified into two main categories, Physical and
Remote. While physical attacks are easier and may be able to cause more
danger, they are of lower risk as the attacker need direct access to the vehicle
in order to carry out the attack. But in case of remote attacks, the attacker
can be in a secure remote location and take over the vehicle.

Department of CSE, GEC, Thrissur


Threat Level



Extremely High


SECURITY THREATS CS14-806(P) Seminar, 2018

Signal Spoofing: Attackers make use of rogue signal of the same fre-
quency as of the required signals, like fake GPS signals or fake DSRC
signals which confuses the vehicle to think that the rogue signal is the
original one and act accordingly.

Jamming: Here, instead of rogue signals, random noise of the same
frequency as of the required signals are used to obscure the necessary
signal. So the vehicle cannot get the required data in order to function

Code Modification: The factory code inside chips are modifies per-
manently, creating modified version of the software running inside the
vehicle. These may have easy back doors for the hacker to exploit.

Packet Sniffing: The attacker uses special software to monitor all the
packets that are being sent un-encrypted via the network. These will
have necessary information for the hacker to later exploit.

Packet Spoofing: It happens when the attacker uses the knowledge
gained by sniffing to create new modified packets which contain instruc-
tions that he can decide, and inject them into the network to control the

2.3 Targets

As our vehicles get more and more advanced, the attack surface that is
available for hackers to exploit also grows significantly. One simple loophole in
any of the possible entry points may sacrifice the entire security of the vehicle,
leading to a zero day exploit that might require the call back of millions of
vehicles, which will cost millions of dollars.

Figure 5: Possible attack points in a vehicle

Department of CSE, GEC, Thrissur


DEFENSE CS14-806(P) Seminar, 2018
3 Defense

The fact that there are multiple attack vectors and modes of attack em-
phasize that there must be multiple modes of defense against almost all known
attack vectors. Based on their nature, they can be classified as shown below.

Figure 6: Classification of defense mechanisms

3.0.1 Preventive Defense

Preventive Defense is mainly focused on methods of protection to defend
and attempt to prevent an attack from happening or succeeding. It also makes
sure that the normal working is not interrupted or that not too much of re-
sources are used.

• Secure communication: Encryption is the fundamental requirement
for secure communication. By encrypting messages, it can be ensured
that the data is safe and confidential. There are methods used to verify
the identity of the sender if required.

• In-Vehicle Device Authentication: Ensuring trust between compo-
nents are a major challenge. Certificates and public keys are used to
verify the components when they have to communicate with each other.

• User Authentication: If thieves or hackers pretend as real owner of
the vehicle and try to steal it, there must be safeguards that prevents
them from doing so. Advanced technology like Bio metric authentication
can be maked use of to authenticate the user correctly.

• Firewall: When protection is needed from external entities, firewalls are
deployed to create a barrier between the two networks. A secure set of
firewall rules can be used to regulate the traffic flow via the firewall. This
also helps weeding out known address vehicle.

Department of CSE, GEC, Thrissur


DEFENSE CS14-806(P) Seminar, 2018
3.0.2 Passive Defense

When adversaries have the intent, opportunity and capability to cost dam-
ages or do harm, they will most usually get past the first barrier very easily.
Passive defense forms a second layer of security inside the system. They don’t
require human analysis and intervention to operate.

• Detection: Detecting alerts are classified into two main parts.

– Intrusion Detection: Like vehicle alarms help detect physical
intrusion into the vehicle, systems that can detect software intrusion
are also needed. It is very hard to detect software intrusion as it
can happen in a multitude of ways.

– Anti Malware: Anti malware systems have to capable of defending
the system from dangerous malwares that may be trying to infiltrate
the system. As auto malwares are still in infancy, there might not
be a whole lot of malwares available. Still, this system should be
robust enough to check any future attacks.

• Response:
– Nullification: It refers to the capacity of a system to invalidate or

neutralize a cyber-attack by using electronic or cyber capability.

– Isolation: In the event that an attack occurs, the system should
be able to isolate it to a quarantine and not let it infect other parts
of the system.

3.0.3 Active Defense

Active defense forms a robust layer of security which tackles the threats
as they occur and are able to adapt to variety of situations.

• Continuous Security Monitoring: As the consequences of a compro-
mised system is disastrously huge, real-time health monitoring check to
provide awareness regarding the status of critical parts of the system is

• Adaptive Security: No system can be fully secure with a static set
of defenses. A self configuring, self learning defense mechanism that
automatically reconfigure and learn about attacks and put up necessary
defense mechanisms is crucial in providing the necessary security.

Department of CSE, GEC, Thrissur


SECURE FLASH PROGRAMMING 6 CS14-806(P) Seminar, 2018


Secure Flash Programming 6

Figure 7: Secure Flash Programming Architecture

• Creating software image:

–  Generating base image: The software code is compiled into bi-

nary file, which will be signed and then flashed on to the flash chip.

–  Hashing: A suitable hashing algorithm is used to generate the hash
signature of the base image. This signature uniquely identifies the
image and is very difficult to spoof.

–  Signing (RSA): There is a public and private pair of keys that
belong to the manufacturer. The private key is used to securely
sign the hash of the base image.

–  Flashing: The base image, along with the signed hash is com-
binely flashed onto the chips, which are then mass manufactured in

• Verifying software image:

–  Generating hash: The base image is extracted from the flash chip
and is passed trough the same hashing algorithm which was used
during manufacturing.

–  Extracting signed hash: The signed hash is extracted and is
decrypted using the public key of the vendor. This key is available
to all and is the only one which can accurately decrypt the signed

–  Verifying the hash: Both the signed hash and generated hash
are checked for equality. If they are found equal, the base image
is loaded onto the primary memory and execution of the program
begins. Otherwise, if the software had been tampered, the modified
code will not pass the test, and will not be executed.

Department of CSE, GEC, Thrissur


E.V.I.T.A. CS14-806(P) Seminar, 2018
5 E.V.I.T.A.

E-Safety Vehicle Intrusion Protected Applications 7

Figure 8: EVITA Project Partners

5.1 EVITA Security Requirements

Integrity of hardware security module

Integrity and authenticity of in-vehicle software and data

Integrity and authenticity of in-vehicular communication

Confidentiality of in-vehicular communication and data

Proof of platform integrity and authenticity to other (remote) entities

Access Control to in-vehicle data and resources

5.2 EVITA Functional Requirements

Physical stress resistance to endure an average vehicle life of over 20

Bandwidth and latency performance that meets at least ISO 11898.

Compatibility with existing ECU security modules, i.e. with HIS-SHE

Compatibility with existing ECU microprocessor architectures

Open, patent free specifications for cost-efficient OEM-wide application

Department of CSE, GEC, Thrissur


E.V.I.T.A. CS14-806(P) Seminar, 2018
5.3 EVITA Topologies

Based on the requirements of the nodes, there are 3 categories of EVITA
Hardwares. They are introduced to reduce the cost and latency as not all
communication needs to be secured in the highest order possible.

5.3.1 EVITA Full HSM

Figure 9: Topology of EVITA full version HSM

EVITA Full HSM is the maximum security HSM which is used only where
V2X Communication takes place. It has a fully featured ECC Engine and
WHIRLPOOL Hashing engine. It is used to secure the communication with
the outward world, which requires maximum security.

5.3.2 EVITA Medium HSM

Figure 10: Topology of EVITA Medium version HSM

EVITA Medium version is used inside In-Vehicle domain control ECU’s like
Engine, PowerTrain, Brakes, etc. It does not feature the ECC engine as the
communication between ECU’s are highly time critical and thus require low
latency. So it uses simpler techniques to verify the authenticity of the data
being sent.

Department of CSE, GEC, Thrissur


E.V.I.T.A. CS14-806(P) Seminar, 2018
5.3.3 EVITA Light HSM

Figure 11: Topology of EVITA Light version HSM

EVITA Light version HSM is used in all the important sensors. It is the fastest
among all the three types of HSM’s present. But it is also the least secure as
it lacks most of the important security modules.

5.3.4 EVITA Deployment architecture

Figure 12: EVITA Deployment architecture

Department of CSE, GEC, Thrissur

6. S.H.E. CS14-806(P) Seminar, 2018
6 S.H.E.

Secure Hardware Extension

Figure 13: SHE Project Partners

The SHE specification defines a set of functions and a programmers model
(API) that allows a secure zone to coexist within any electronic control unit
installed in the vehicle.

6.1 Implementation

SHE is implemented as a dedicated but securely firewalled microcontroller
architecture called the CSE – Cryptographic Security Engine It was de-
veloped in 2008 as an Open and free standard.

Figure 14: SHE Implementation

Department of CSE, GEC, Thrissur


CONCLUSION CS14-806(P) Seminar, 2018
7 Conclusion

Connected and autonomous vehicles are one of the most promising devel-
opments that is going to happen in the near future. It is said to bring about
a huge change in lifestyle, making transportation more safe, economic and easy.
It should be noted that the major technological advances often create a plethora
of loopholes for attackers to break into. So, a high amount of concern should
be given for the safety of connected vehicles as the damages that can be caused
by hacking them are significantly huge.
Using the above mentioned practises, it can be said that many major threats
can be avoided. Constant study and research must be conducted in this field
so that the researchers can always stay ahead of the attackers.