LEss Injuries by making cars SecURE

Template

Please use the provided template to summarise your work and compare it to the persona (all explained in the template).

Shared references

These are links that everyone should look at. Also, feel free to read documents and articles from the other subtopics, as they might still be correlated to yours.

• [Data Collection]. TELSA refutes a journalist claim by providing a detailed log on how he used the car. https://www.tesla.com/blog/most-peculiar-test-drive
• [Driving analysis]. Pay as you drive insurance, if you brake hard to avoid an accident, you pay more :D. https://www.insurethebox.com/telematics
• [TCU and remote control]. Renault battery lease agreement. They claim they will 'block' your battery if you stop paying the lease. This is true, as we previously reverse-engineered their TCU and found they can actually do it, and much more (tracking, remote control, check and log when you speed, etc.) http://myrenaultzoe.com/Docs/BatteryHireLeaseAgreement.pdf.
• [Automotive Security & Background] Funny guys that do a lot of car attacks. Provide a good background on ECUs, CAN, etc. http://illmatics.com/carhacking.html
• [Self-driving & accountability] UBER self-driving accident, whose fault is that? How you prove it? Judges can hardly interpret a CNN output, https://en.wikipedia.org/wiki/Death_of_Elaine_Herzberg
• [Automotive testing & accountability] 'We didn't know about the 'test-mode' in our ECUs.' How can certification authorities regulate vehicles? Often composed by 20 or so ECUs, each doing something unknown to the tester? https://www.cleanenergywire.org/factsheets/dieselgate-timeline-car-emissions-fraud-scandal-germany

 

Topic 1. Data collection and analysis in vehicles

In this topic, you will analyse technologies that actively log and possibly identify a driver (e.g., log when and how you drive), identification (e.g., can the car know when you are driving and feeling unwell? can this be applied to court?), advertisements (how long before we see custom advertisements on the head unit?), etc.

• "BMW provides evidence of precise telemetry data in verdict 113 kls 34/15" (Germany only, put deepL works) http://www.verkehrslexikon.de/Texte/Rspr8507.php
• Automotive section of https://link.springer.com/content/pdf/10.1007%2F978-3-642-04468-7.pdf
• http://www.autosec.org/pubs/fingerprint.pdf
• https://www.insurethebox.com/telematics
• https://www.moneysupermarket.com/car-insurance/telematics/

 

Topic 2. Self-driving & sensor fusion

This topic is concerned more with the future of mobility. Will cars be self-driving, if yes how? How do we judge who is at fault if it is a probabilistic algorithm making a decision? How do you prove it to a judge? What could go wrong? Can we attack sensors? Can we prevent attacks? If yes, how? At which cost?

• https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-zeng.pdf
• https://www.bloomberg.com/news/articles/2019-06-19/threat-of-gps-spoofing-for-autonomous-cars-seen-as-overblown
• http://openaccess.thecvf.com/content_ECCV_2018/papers/Jinkyu_Kim_Textual_Explanations_for_ECCV_2018_paper.pdf
• https://arxiv.org/pdf/1703.10631.pdf
• https://www.wired.com/story/teslas-latest-autopilot-death-looks-like-prior-crash/
• https://pdfs.semanticscholar.org/e06f/ef73f5bad0489bb033f490d41a046f61878a.pdf
• https://towardsdatascience.com/sensor-fusion-90135614fde6

 

Topic 3. Automotive Security

In this topic, you will analyse the current state of the art in automotive security, especially in-vehicle networks. As of currently, there is no security, but in the future? Components can be replaced, updated, and possibly connected to the Internet. How do we assure that an attacker doesn't gain remote control of your vehicle? How do we protect the communication between ECUs (remember, a 50ms delay on packets telling the car to brake is unacceptable). Similarly, ECUs are cost-driven embedded controllers, with limited RAM and CPU. How will this evolve? Is the current architecture and design sufficient?

• https://eprint.iacr.org/2010/332.pdf
• https://www.usenix.org/legacy/event/sec10/tech/full_papers/Rouf.pdf
• https://en.wikipedia.org/wiki/CAN_bus
• https://support.ixiacom.com/sites/default/files/resources/whitepaper/ixia-automotive-ethernet-primer-whitepaper_1.pdf
• https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cho.pdf
• https://pdfs.semanticscholar.org/3b58/32db451b4afcfc1d75c0c346d6e1a47ff559.pdf

 

 

Topic 4. Telematic Control Unit, eCall, and connected dongles

In this topic, you will analyse TCUs and dongles (which are becoming increasingly used). They can be used for several things: from safety to data collection, remote control and debugging, update over the air etc. These devices will possibly revolutionise the automotive industry, as they will allow OEMs to (right now is not) securely push updates to 1) fix bugs, and 2) add features (e.g., TESLA). But many things could go wrong, especially as most of them have little to no security. How can we solve this?

• https://www.vwconnect.com/
• https://www.bbc.com/news/technology-31093065
• https://ec.europa.eu/transport/themes/its/road/action_plan/ecall_en
• https://www.tesla.com/support/tesla-app
• https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• https://zubie.com/

 

Topic 5. Vehicle to infrastructure (V2I) and vehicle to vehicle (V2V) communication

It is definitely true that in the future of mobility, vehicles will be connected to everything. Assuming the two main technologies will be vehicle to vehicle (V2V) and vehicle to infrastructure (V2I), how this communication will happen? Via WLAN or mobile networks? With or without secure communication? What is the state of the art technologies? How all the OEMs manage or (plan) to implement them? Are there any standards? Can this be done security? What could go wrong? How can this affect security & privacy?

• https://www.kaspersky.com/blog/electric-cars-charging-problems/20652/
• https://en.wikipedia.org/wiki/Vehicular_ad-hoc_network
• https://www.researchgate.net/publication/258248007_Vehicular_ad-Hoc_networks_VANETs-An_overview_and_challenges
• https://en.wikipedia.org/wiki/Vehicle-to-everything
• https://www.counterpointresearch.com/125-million-connected-cars-shipments-2022-5g-cars-2020/
• https://media.daimler.com/marsMediaSite/en/instance/ko/Under-the-microscope-Innovative-Mercedes-me-connect-services-Parking-Finding-a-parking-space-made-easy.xhtml?oid=39904686

 

Topic 6. Vehicle testing, attestation & dynamic homologation

As of currently, cars are black-boxes which cannot be tested if not by the makers. This makes it very difficult for a third-party to verify claims. Also, it is currently impossible to re-configure them, as they would lose their homologation. The question is, how will this process evolve? Can it be made more open and streamlined? Can the community be involved in developing a road-legal vehicle? Can and how you prove to a third party that a vehicle is running the software you signed? How do you test your vehicle?

• Dieselgate – a timeline of Germany car emissions fraud scandal
• https://debugmo.de/2015/12/dieselgate/
• There are many limitations, a small example: https://www.feabhas.com/sites/default/files/2016-06/A quick guide to ISO 26262[1]_0_0.pdf
• Don't waste too much time here, just to give an idea: https://www.autosar.org/
• https://en.wikipedia.org/wiki/Trusted_Computing
• https://www.thedrive.com/tech/26679/why-havent-over-the-air-updates-taken-over-the-auto-industry