What is automotive attack mapping?
With automotive attack mapping, VicOne breaks down the cyberattack life cycle into its component stages to provide a simulation of an automotive attack. By understanding what attackers are trying to achieve and their attack methods, security analysts can gain a clear picture of the attack scope and implement necessary remediation and improvement plans.
Given the key role in IT security of MITRE ATT&CK® as a curated knowledge base of adversarial tactics, techniques, and procedures (TTPs), and in turn the role of IT security in the automotive industry, VicOne highlights tactics and techniques in the MITRE ATT&CK framework that are also applicable to cyberattacks on connected vehicles.
| Manipulate Environment | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Affect Vehicle Function | Impact |
| Rogue Cellular Base Station | Drive-by Compromise | Command and Scripting Interpreter | Modify System Image | Exploit OS Vulnerability | Subvert Trust Controls | Adversary-in-the-Middle | Location Tracking | Exploitation of Remote Services | Adversary-in-the-Middle | Application Layer Protocol | Exfiltration Over C2 Channel | Unintended Vehicle Control Message | Loss of Availability |
| Rogue Wi-Fi Access Point | Exploit via Radio Interface | Command-Line Interface | Modify Trusted Execution Environment | Code Injection | Bypass Mandatory Access Control | Network Sniffing | Network Service Scanning | Exploit ECU for Lateral Movement | Access Personal Information | Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Manipulation of CAN Bus Message | Loss of Control |
| Jamming or Denial of Service | Supply Chain Compromise | Native API | Abuse UDS for Persistence | Exploit TEE Vulnerability | Bypass UDS Security Access | Brute Force | System Network Connections Discovery | Abuse UDS for Lateral Movement | Access Vehicle Telemetry | Communication Through Removable Media | Exfiltration Over Physical Medium | Trigger System Function | Loss of Safety |
| Manipulate Device Communication | Deliver Malicious App | Hardware Fault Injection | Weaken Encryption | Unsecured Credentials | File and Directory Discovery | Abuse UDS for Collection | Receive-Only Communication Channel | Exfiltration Over Alternative Protocol | Denial of Control | ||||
| ADAS Sensor Attack | Hardware Additions | Abuse Elevation Control Mechanism | OS Credential Dumping | Process Discovery | Data from Local System | Short-Range Wireless Communication | Exfiltration Over Web Service | Vehicle Content Theft | |||||
| Downgrade to Insecure Protocols | Exploit via UDS | Disable or Modify System Firewall | Input Capture | Software Discovery | Capture SMS Messages | Cellular Communication | Transfer Data to Cloud Account | ||||||
| Exploit via Removable Media | Input Prompt | System Information Discovery | Capture Camera | ||||||||||
| Capture SMS Messages | System Network Connections Discovery | Capture Audio |
(with some terminology adopted from Auto-ISAC Auto Threat Matrix)
VicOne points out the following threat techniques that are not part of the MITRE ATT&CK framework and are unique to attacks targeting connected cars. As such, these are threat techniques that VicOne recommends for consideration by car OEMs when looking into automotive cyberattacks:
- ADAS Sensor Attack
- Exploit via UDS
- Bypass UDS Security Access
- Exploit ECU for Lateral Movement
- Access Vehicle Telemetry
- Unintended Vehicle Control Message
- Manipulation of CAN Bus Message
What unique insights can automotive attack mapping provide OEMs?
Mapping tactics and techniques used in automotive cyberattacks reveals the life cycle of a cyberattack on a connected car and how each stage of such an attack is conducted. This step-by-step breakdown gives car OEMs a unique glimpse into the mindset of an attacker by revealing their goals and chosen methods. With this knowledge, car OEMs can better integrate security into the earliest stages of connected car design and production, rather than adding it as an afterthought.
Request a Demo
Learn More
How did VicOne come up with this automotive attack mapping?
VicOne, through the expertise of and research conducted by Trend Micro, used technical details from studies on car hacking to determine how attack chains were executed. It is important to note that none of these studies provide complete step-by-step attack chains to avoid the risk of giving cybercriminals actionable guides to compromising connected cars. Using reverse-engineering and their programming experience, researchers were able to theorize and fill in any gaps in the attack chains.
Why are most of these tactics and techniques also applicable to the IT world?
Connected cars share hardware, software, and communication protocols with the IT industry. Thanks to this industry’s already rich development environment, it has also successfully provided many of the technologies that connected vehicles need to function. More importantly, the IT industry has reduced the development costs of these vehicles by removing the need to create custom-built hardware and software. It is therefore not surprising that breaking down vehicle attack chains leads to the revelation of threats uncannily like everyday IT cyberattacks.
Know More From Our Resources
Gain Insights Into Automotive Cybersecurity
