Graduate School and Research Center in Digital Sciences

Security and privacy in automotive on-board networks

Schweppe, Hendrik


In recent decades, vehicles have been equipped with an increasing number of electronic features and controllers. They have become a vital part of automotive architecture. This architecture consists of an internal network of microcontrollers and small computers, called Electronic Control Units (ECUs). Such ECUs may be part of an entertainment system, which will interact with the driver, or they complement technical and mechanical systems such as power steering, brakes, or engine control. Every ECU is usually connected to one or more networks as well as a number of sensors and actuators. Vehicles have become multi-connected places: i) Entertainment systems allow data to be retrieved directly from the internet, typically traffic conditions, weather or navigational information, ii) Increasingly consumer devices are being connected by wired and wireless interfaces in order to control vehicle functions or distribute multimedia content, iii) Assistance functions to augment traffic safety and efficiency are currently being standardized, allowing vehicles and infrastructure units to communicate autonomously via dedicated radio channels. All of these new communication interfaces should be properly secured, as failure to do so could have severe consequences, such as loss of control over the vehicle or private data being accessed by third party applications, which could, for example, record conversations or track usage behavior. Recent security analyses show that current vehicle architectures are vulnerable to the above described threats. It has been shown that by exploiting implementation flaws, attackers can control the vehicle's behavior from a device inside the car or even remotely. This dissertation focuses on securing in-vehicle networks. Historically, vehicle buses such as the Controller Area Network (CAN) were considered as isolated embedded systems.
However, an effective isolation of on-board networks is difficult if not impossible to achieve with the rise of connectivity inside the vehicle for internal functions and, at the same time, for third party devices and internet services. Upcoming safety and assistance functions use Car-to-Car and Car-to-Infrastructure communication (Car2X). These assistance functions rely on remotely received data. It is imperative that these data are trustworthy. A high level of trust can only be achieved by securing the on-board platform as a whole, and by protecting both the integrity and the authenticity of network communication as well as software execution. The main contributions of this thesis are i) an approach to securing the communication of in-vehicle networks, ii) an approach to applying dynamic data flow analysis to the distributed embedded applications of on-board networks, by using taint-tag tracking in order to detect and avoid malicious activities, iii) working prototypes for different aspects of the overall security problem, showing simulations and real-world results of the techniques developed in this thesis. The approach that is presented combines multiple mechanisms at different layers of the vehicular communication and execution platform. Cryptographic communication protocols are designed and implemented in order to authenticate data exchanged on the buses. Hardware Security Modules (HSMs) are used to complement the actual microcontroller by providing a secure storage and by acting as a local root of trust. We distribute usage-restricted symmetric key material between HSMs. Their use is limited to certain functions, like generating or verifying authentication codes. Thereby, they can be used asymmetrically for group-communication patterns. This is a common communication paradigm in automotive applications, in particular for distributing vehicle-wide signals.
A proof of concept system has been implemented as part of this thesis, showing the feasibility of integrating security features on top of automotive buses and for use with Car2X communication. We simulated the behavior of a CAN network and compared our results for different network designs with data collected from a real vehicle and with simulations based on a Simulink toolkit. In order to account for untrusted program code, we use a distributed data flow tracking based approach for securing code execution on the ECUs of the automotive network. This means that a high level of trust can be placed in applications even when mechanisms, such as software review and application signatures, fall short of the desired security levels, or cannot be applied at all. If this approach is taken then the use of applications of unknown origin alongside those controlling critical functions becomes possible. In addition to plain policy rules, we use a declarative approach to represent the kind of data used on communication links. Binary instrumentation techniques are used to track data flows throughout the execution and between control units. For the Car2Car Communication Consortium Forum in November 2011, a part of the prototype implementations was integrated into two research vehicles to demonstrate an "Active Brake" safety scenario using secure in-vehicle and Car2X communication. It demonstrated the effectiveness and applicability of our communication security solution.
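
The usage-restricted key idea in the abstract, as an added sketch that is not code from the thesis: one symmetric key is loaded into several simulated HSMs, but only the sender's copy is flagged for MAC generation, so receivers can verify a vehicle-wide signal without being able to forge it. The `SimulatedHSM` class, the ECU and signal names, and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from enum import Flag, auto

class KeyUse(Flag):
    GENERATE = auto()
    VERIFY = auto()

class SimulatedHSM:
    """Stand-in for an ECU's HSM: key bytes stay inside, callers hold only a handle."""
    def __init__(self, name):
        self.name = name
        self._slots = {}  # handle -> (key bytes, permitted use)
    def load_key(self, handle, key, use):
        self._slots[handle] = (key, use)
    def _mac(self, handle, payload, needed):
        key, use = self._slots[handle]
        if needed not in use:  # usage restriction enforced inside the HSM
            raise PermissionError(f"{self.name}: '{handle}' not usable for {needed.name}")
        return hmac.new(key, payload, hashlib.sha256).digest()  # HMAC-SHA256: assumption
    def generate_mac(self, handle, payload):
        return self._mac(handle, payload, KeyUse.GENERATE)
    def verify_mac(self, handle, payload, tag):
        return hmac.compare_digest(self._mac(handle, payload, KeyUse.VERIFY), tag)

def provision_group(sender, receivers, handle):
    key = os.urandom(32)  # same symmetric key for the whole group
    sender.load_key(handle, key, KeyUse.GENERATE)  # only this copy may generate tags
    for hsm in receivers:
        hsm.load_key(handle, key, KeyUse.VERIFY)

def demo():
    brake, dash, head = (SimulatedHSM(n) for n in ("brake_ecu", "dashboard", "head_unit"))
    provision_group(brake, [dash, head], "vehicle_speed")
    frame = bytes.fromhex("00640000")     # constructed sample signal payload
    tampered = bytes.fromhex("00c80000")  # same signal, modified in transit
    tag = brake.generate_mac("vehicle_speed", frame)
    result = {
        "dash_accepts": dash.verify_mac("vehicle_speed", frame, tag),
        "head_accepts": head.verify_mac("vehicle_speed", frame, tag),
        "tampered_rejected": not head.verify_mac("vehicle_speed", tampered, tag),
    }
    try:  # a compromised receiver asks its own HSM to mint a tag
        head.generate_mac("vehicle_speed", tampered)
        result["receiver_can_forge"] = True
    except PermissionError:
        result["receiver_can_forge"] = False
    return result
```

The property holds only because the flag check runs inside the HSM boundary; a key held in ordinary ECU memory could be used for either operation by whoever reads it.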


Title: Security and privacy in automotive on-board networks
Department: Digital Security
Eurecom ref: 3852
Copyright: © TELECOM ParisTech. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at :
Bibtex: @phdthesis{EURECOM+3852, year = {2012}, title = {{S}ecurity and privacy in automotive on-board networks}, author = {{S}chweppe, {H}endrik}, school = {{T}hesis}, month = {11}, url = {} }