Automotive Cybersecurity Part - 1: A Deep Dive into Car Hacking

December 19, 2024
Tags: Automotive Cybersecurity, Penetration Testing, CAN Bus, V2V, TCU, ECU, Infotainment

🚗 Introduction to Automotive Cybersecurity

Connected cars, once a vision of the future, are now an everyday reality, and so are their vulnerabilities. We'll cover real-world exploits, communication models, penetration testing tactics, and the technologies attackers commonly abuse.

🧠 Introduction

In 2002, a vulnerability was discovered in VxWorks OS via UDP port 17185. Years later, this port, used for remote debugging, was found exposed in countless systems, including cars, helicopters, and submarines. This is just one example of how security oversights in embedded systems can turn into automotive cyber risks.

🚗 Computers on Wheels

Modern cars contain up to 100 million lines of code and more than 150 microprocessor-based ECUs. These systems communicate across various in-vehicle networks such as:

  • CAN (Controller Area Network)
  • FlexRay
  • MOST (Media Oriented Systems Transport)
  • Ethernet
  • LIN (Local Interconnect Network)

📘 Key Terms in Automotive Cybersecurity

As connected cars continue to evolve, it's critical to understand the foundational terminology used within automotive cybersecurity. The media and industry voices sometimes blur definitions, so here's a concise breakdown of the most relevant terms:

🚗 Inter-Vehicle Communications (IVC)

IVC refers to communication between a vehicle and external entities, such as:

  • Other vehicles (V2V)
  • Mobile networks
  • Roadside Units (RSUs)

✅ Note: IVC does not refer to internal communication between a vehicle's ECUs (Electronic Control Units); that is known as intra-vehicle networking.

🚙 Vehicular Ad Hoc Network (VANET)

VANETs are dynamic, temporary networks created between vehicles to exchange information without relying on centralized infrastructure.

📌 Example: Two vehicles forming a wireless network to alert each other about a pothole or road hazard.

🚦 Intelligent Transportation System (ITS)

ITS broadly refers to the digital integration of vehicles and infrastructure. It often encompasses:

  • IVC technologies
  • Smart road systems
  • Standardization efforts (e.g., IEEE 802.11p)

🧠 ITS originally started as an attempt to make the roads smarter (IVHS, Intelligent Vehicle Highway Systems) rather than the vehicles themselves.

🔄 V2V, V2I, and V2X Communications

These acronyms refer to communication endpoints:

  • V2V: Vehicle to Vehicle
  • V2I: Vehicle to Infrastructure
  • V2X: Vehicle to Everything (including pedestrians, networks, etc.)

💡 These terms describe who or what the vehicle is communicating with. "C2C" (Car to Car) and "C2X" are less formal synonyms that are occasionally used.

📶 IEEE 802.11 and 802.11p

IEEE 802.11 is the Wi-Fi standard (e.g., 802.11a/b/g/n/ac).

IEEE 802.11p was developed for vehicle communication, especially in the 5.9 GHz band, to support:

  • Short-range, low-latency connections
  • Reliable communication for high-speed vehicles
  • Use in VANETs and RSU integration

🛑 Vulnerability Assessment

A vulnerability assessment is the identification and classification of security flaws in systems or networks. A flaw does not have to be proven exploitable to count as a valid finding.

πŸ” This can be done manually or through automation and typically assesses risks to confidentiality, integrity, and availability (CIA triad).

💥 Penetration Testing (Pentesting)

Penetration testing simulates real-world attacks in a sanctioned manner to:

  • Identify exploitable vulnerabilities
  • Validate the risk impact of discovered flaws
  • Demonstrate actual attack paths used by adversaries

🧱 Cyber Kill Chain (CKC)

The Kill Chain Model, adapted from military strategy and formalized by Lockheed Martin, outlines seven steps of a cyberattack:

  1. Reconnaissance: scanning GSM, Wi-Fi, or Bluetooth interfaces
  2. Weaponization: building payloads for head unit, TCU, or OTA update injection
  3. Delivery: via rogue base station, Bluetooth spoofing, or CAN injection
  4. Exploitation: firmware reflashing, command injection via dbus or Android shell
  5. Installation: persisting via rootkits or OTA hijack
  6. C2 (Command & Control): using compromised LTE or MQTT channels
  7. Actions on Objective: physical manipulation or data exfiltration

🧠 While C2 on devices like TCUs (Telematics Control Units) may sound unlikely, it has been demonstrated to be possible under certain architectures.

βš–οΈ Risk (in IT)

Risk is the potential impact of a threat exploiting a vulnerability, measured by:

  • Likelihood of occurrence
  • Impact on the asset

📌 It's a cornerstone metric in cybersecurity risk management and threat modeling frameworks.

πŸ” Common Attack Surfaces

  1. Head Units & Infotainment Systems
    Wi-Fi hotspots and Bluetooth are often insecurely implemented, leading to remote access and command execution.

  2. Telematics Control Units (TCUs)
    Connected to cellular networks (GSM, 3G, 4G) and often poorly firewalled. Attackers can remotely reach internal services like dbus (TCP/6667).

  3. CAN Bus Access
    Gaining access to the CAN bus allows an attacker to send commands such as braking, steering, and ignition control. Physical access isn't always required, as shown by Charlie Miller and Chris Valasek's Jeep hack in 2015.

  4. Unsecured Firmware
    Many OEMs fail to sign firmware updates, allowing attackers to backdoor ECUs and reflash microprocessors.


🧰 Tools of the Trade

  • SDR (Software Defined Radio) like USRP or HackRF
  • CAN interfaces: USBtin, CANtact, ValueCAN
  • Wi-Fi & Bluetooth sniffers
  • Firmware analysis platforms like Binwalk, QEMU, and Ghidra
  • Android Debug Bridge (ADB) for infotainment systems

🔄 OTA Update Hijacking

Over-the-air (OTA) update mechanisms are often unauthenticated or vulnerable to MITM attacks, which allows attackers to push malicious firmware or intercept sensitive data.


🧱 Defensive Measures

  • Signed firmware and secure boot
  • ECU authentication on CAN
  • Segmented networks between infotainment and critical controls
  • Rate limiting and anomaly detection on CAN messages
  • Full disk encryption on TCU storage
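As an added illustration of the "rate limiting and anomaly detection on CAN messages" item above (example code written for this page, not tooling from the original post), the following Python script parses candump-style log lines and flags two classic signs of injection: an arbitration ID that never appears in the baseline, and a known ID whose frame count in a one-second window jumps well above its expected rate. The log lines, the IDs and the per-ID baseline rates are all constructed for the example.

```python
import re
from collections import defaultdict

# candump-style line: "(timestamp) iface ID#DATA", e.g. "(1.500000) can0 7DF#0201050000000000"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

def parse_frame(line):
    """Return (timestamp, arbitration id, data hex) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("id").upper(), m.group("data").upper()

def detect_anomalies(lines, baseline_hz, window=1.0, tolerance=2.0):
    """Flag IDs absent from the baseline, and IDs whose frame count in any
    window exceeds tolerance x the expected count (a flood that tries to
    override a legitimate sender raises the observed rate of that ID)."""
    counts = defaultdict(lambda: defaultdict(int))  # window index -> id -> frames
    findings, unknown, flooded = [], set(), set()
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            continue  # skip corrupt capture lines rather than abort
        ts, can_id, _ = frame
        if can_id not in baseline_hz:
            if can_id not in unknown:
                unknown.add(can_id)
                findings.append((can_id, "arbitration ID not in baseline"))
            continue
        counts[int(ts // window)][can_id] += 1
    for w in sorted(counts):
        for can_id, n in counts[w].items():
            expected = baseline_hz[can_id] * window
            if n > tolerance * expected and can_id not in flooded:
                flooded.add(can_id)
                findings.append((can_id, f"{n} frames in window {w}, expected ~{expected:.0f}"))
    return findings

def constructed_log():
    """Constructed capture: ID 0C9 at its 10 Hz baseline for one second, then a
    50-frame burst in the next second, plus one frame with an ID the baseline lacks."""
    lines = [f"({i * 0.1:.6f}) can0 0C9#0000000000000000" for i in range(10)]
    lines += [f"({1.0 + i * 0.02:.6f}) can0 0C9#FFFF000000000000" for i in range(50)]
    lines.append("(1.500000) can0 7DF#0201050000000000")
    return lines
```

Running `detect_anomalies(constructed_log(), {"0C9": 10, "1A0": 5})` reports the unknown ID 7DF and the 50-frame burst on 0C9; in practice the baseline would be learned from a clean capture of the specific vehicle, since message rates differ per model and ECU.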

🚘 Future Challenges

With the rise of autonomous vehicles, attack surfaces will grow:

  • More ECUs (up to 300 million LOC predicted)
  • Heavy reliance on VANET & V2X communication
  • ADAS sensors as new input vectors (LIDAR, radar)

📦 Final Thoughts

The car hacking landscape is a blend of traditional pentesting, reverse engineering, and embedded exploitation. For researchers, it's a rewarding yet dangerous space. For OEMs, it's a high-stakes responsibility.