Modern vehicles are no longer simple mechanical devices with an engine and four wheels. With the microcontroller revolution of the ’80s, more and more functionality moved from mechanical to electronic solutions. These interconnected Electronic Control Units (ECUs) are responsible for controlling the vehicle, monitoring the driver’s every movement, and keeping them safe on the road, while also providing convenience features. They keep track of the steering angle, the angular velocity of the wheels, the pedal positions, the fuel-air mixture ratio, the emissions of the engine, and so on.
Manufacturers and auto part makers put great emphasis on the safety of vehicles. Every car has ABS, ESP, crash avoidance systems, and ever-improving crumple zones. The inter-component communication channels are protected against errors caused by the high-noise environment, but the security of these components seems to be treated as less critical. ECUs are rarely designed to be secure against a potential attacker. However, modern vehicles have several wireless communication solutions, such as Bluetooth, WiFi, 3G, and 4G, all of which expose a remote attack surface to an attacker. No ECU is entirely secure due to the complexity of such devices. When these interfaces have access to the same internal communication networks as the vehicle controller ECUs, the risk is enormous. Although it is convenient that, for example, a driver can connect their phone to the car’s head unit, having their brakes disabled mid-journey via a remote exploit is not so convenient. Thus, it is crucial for manufacturers to make their products not just safe but secure as well.
We held an Automotive Cybersecurity Awareness Training for a major auto industry manufacturer. During the training, the participants learned about basic security concepts, risk management, and factors affecting security risks. They were introduced to modern vehicles’ attack surfaces with examples and countermeasures. They also got an introduction to embedded device hacking, which included several live demos and a hands-on workshop, where the participants could try the techniques they had learned for themselves in a playful, competitive manner.
Copyright 2021 Ukatemi Technologies LLC.