Mapping Automotive Threats

Mapping Automotive Threats

Common tactics and techniques observed in automotive cyberattacks

Mapping Automotive Threats

VicOne breaks down the cyberattack life cycle into its component stages to provide a simulation of an automotive attack based on Trend Micro’s global threat intelligence and automotive expertise. By understanding what attackers are trying to achieve and their attack methods, security analysts can gain a clear picture of the attack scope and implement necessary remediation and improvement plans.

Given the key role in IT security of MITRE ATT&CK® as a curated knowledge base of adversarial tactics, techniques, and procedures (TTPs), and in turn the role of IT security in the automotive industry, VicOne highlights threats in the ATT&CK Matrix that are also applicable to cyberattacks on connected vehicles.

From MITRE ATT&CK Mobile

From MITRE ATT&CK Enterprise


From VicOne

Manipulate Environment

Initial Access



Privilege Escalation

Defense Evasion

Credential Access


Lateral Movement


Command and Control


Affect Vehicle Function


Rogue Cellular Base StationDrive-by CompromiseCommand and Scripting InterpreterModify System ImageExploit OS VulnerabilitySubvert Trust ControlsAdversary-in-the-MiddleLocation TrackingExploitation of Remote ServicesAdversary-in-the-MiddleApplication Layer ProtocolExfiltration Over C2 ChannelUnintended Vehicle Control MessageLoss of Availability
Rogue Wi-Fi Access PointExploit via Radio InterfaceCommand-Line InterfaceModify Trusted Execution EnvironmentCode InjectionBypass Mandatory Access ControlNetwork SniffingNetwork Service ScanningExploit ECU for Lateral MovementAccess Personal InformationNon-Application Layer ProtocolExfiltration Over Other Network MediumManipulation CAN Bus MessageLoss of Control
Jamming or Denial of ServiceSupply Chain CompromiseNative APIAbuse UDS for PersistenceExploit TEE VulnerabilityBypass UDS Security Access BruteForceSystem Network Connections DiscoveryAbuse UDS for Lateral MovementAccess Vehicle TelemetryCommunication Through Removable MediaExfiltration Over Physical MediumTrigger System FunctionLoss of Safety
Manipulate Device CommunicationDeliver Malicious AppHardware Fault InjectionWeaken EncryptionUnsecured CredentialsFile and Directory DiscoveryAbuse UDS for CollectionReceive-only Communication ChannelExfiltration Over Alternative ProtocolDenial of Control
ADAS Sensors AttackHardware AdditionsAbuse Elevation Control MechanismOS Credential DumpingProcess DiscoveryData from Local SystemShort-Range Wireless CommunicationExfiltration Over Web ServiceVehicle Content Theft
Downgrade to Insecure ProtocolsExploit via UDSDisable or Modify System FirewallInput CaptureSoftware DiscoveryCapture SMS MessagesCellular CommunicationTransfer Data to Cloud Account
Exploit via Removable MediaInput PromptSystem Information DiscoveryCapture Camera
Capture SMS MessagesSystem Network Connections DiscoveryCapture Audio

VicOne lists the following threats that are not part of the ATT&CK Matrix and are specific to the automotive industry:

  • ADAS Sensor Attack
  • Exploit via UDS
  • Bypass UDS security access
  • Exploit ECU for Lateral Movement
  • Access Vehicle Telemetry
  • Unintended Vehicle Control Message
  • Manipulation CAN Bus Message

What unique insights can mapped threats provide OEMs?

Mapping threats used in automotive cyberattacks reveals the life cycle of a cyberattack on a connected car and how each stage of such an attack is conducted. This step-by-step breakdown gives car OEMs a unique glimpse into the mindset of an attacker by revealing their goals and chosen methods. With this knowledge, car OEMs can better integrate security into the earliest stages of connected car design and production, rather than adding it as an afterthought.

Frequently Asked Questions (FAQs)

More Information

A MyKings Retrospective: Using the MITRE ATT&CK Matrix for Increased Visibility

A MyKings Retrospective: Using the MITRE ATT&CK Matrix for Increased Visibility

MITRE Engenuity™ ATT&CK Evaluations: Trend Micro Proves Exceptional Attack Protection

MITRE Engenuity™ ATT&CK Evaluations: Trend Micro Proves Exceptional Attack Protection

Using MITRE ATT&CK to Identify an APT Attack

Using MITRE ATT&CK to Identify an APT Attack

Start your journey to better automotive cybersecurity