Experimental security analysis of a modern automobile

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Snachám, Stefan Savage

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In this paper we experimentally evaluate these issues on a modern automobile and demonstrate the fragility of the underlying system structure. We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input - including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on. We find that it is possible to bypass rudimentary network security protections within the car, such as maliciously bridging between our car's two internal subnets. We also present composite attacks that leverage individual weaknesses, including an attack that embeds malicious code in a car's telematics unit and that will completely erase any evidence of its presence after a crash. Looking forward, we discuss the complex challenges in addressing these vulnerabilities while considering the existing automotive ecosystem.

    Original languageEnglish (US)
    Title of host publication2010 IEEE Symposium on Security and Privacy, SP 2010 - Proceedings
    Pages447-462
    Number of pages16
    DOIs
    StatePublished - 2010
    Event31st IEEE Symposium on Security and Privacy, SP 2010 - Berkeley/Oakland, CA, United States
    Duration: May 16 2010May 18 2010

    Publication series

    NameProceedings - IEEE Symposium on Security and Privacy
    ISSN (Print)1081-6011

    Other

    Other31st IEEE Symposium on Security and Privacy, SP 2010
    CountryUnited States
    CityBerkeley/Oakland, CA
    Period5/16/105/18/10

    Keywords

    • Automobiles
    • Communication standards
    • Communication system security
    • Computer security
    • Data buses

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Software
    • Computer Networks and Communications

    Fingerprint Dive into the research topics of 'Experimental security analysis of a modern automobile'. Together they form a unique fingerprint.

    Cite this