Attack Mapping
Common Threat Techniques Used in Automotive Cyberattacks
What is automotive attack mapping?
With automotive attack mapping, VicOne breaks down the cyberattack life cycle into its component stages to provide a simulation of an automotive attack. By understanding what attackers are trying to achieve and their attack methods, security analysts can gain a clear picture of the attack scope and implement necessary remediation and improvement plans.
Given the key role in IT security of MITRE ATT&CK® as a curated knowledge base of adversarial tactics, techniques, and procedures (TTPs), and in turn the role of IT security in the automotive industry, VicOne highlights tactics and techniques in the MITRE ATT&CK framework that are also applicable to cyberattacks on connected vehicles.
| Manipulate Environment | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Affect Vehicle Function | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Rogue Cellular Base Station | Drive-by Compromise | Command and Scripting Interpreter | Modify System Image | Exploit OS Vulnerability | Subvert Trust Controls | Adversary-in-the-Middle | Location Tracking | Exploitation of Remote Services | Adversary-in-the-Middle | Application Layer Protocol | Exfiltration Over C2 Channel | Unintended Vehicle Control Message | Loss of Availability |
| Rogue Wi-Fi Access Point | Exploit via Radio Interface | Command-Line Interface | Modify Trusted Execution Environment | Code Injection | Bypass Mandatory Access Control | Network Sniffing | Network Service Scanning | Exploit ECU for Lateral Movement | Access Personal Information | Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Manipulation of CAN Bus Message | Loss of Control |
| Jamming or Denial of Service | Supply Chain Compromise | Native API | Abuse UDS for Persistence | Exploit TEE Vulnerability | Bypass UDS Security Access | Brute Force | System Network Connections Discovery | Abuse UDS for Lateral Movement | Access Vehicle Telemetry | Communication Through Removable Media | Exfiltration Over Physical Medium | Trigger System Function | Loss of Safety |
| Manipulate Device Communication | Deliver Malicious App | Hardware Fault Injection | Weaken Encryption | Unsecured Credentials | File and Directory Discovery | Abuse UDS for Collection | Receive-Only Communication Channel | Exfiltration Over Alternative Protocol | Denial of Control | ||||
| ADAS Sensor Attack | Hardware Additions | Abuse Elevation Control Mechanism | OS Credential Dumping | Process Discovery | Data from Local System | Short-Range Wireless Communication | Exfiltration Over Web Service | Vehicle Content Theft | |||||
| Downgrade to Insecure Protocols | Exploit via UDS | Disable or Modify System Firewall | Input Capture | Software Discovery | Capture SMS Messages | Cellular Communication | Transfer Data to Cloud Account | ||||||
| Exploit via Removable Media | Input Prompt | System Information Discovery | Capture Camera | ||||||||||
| Capture SMS Messages | System Network Connections Discovery | Capture Audio |
(with some terminology adopted from Auto-ISAC Auto Threat Matrix)
VicOne points out the following threat techniques that are not part of the MITRE ATT&CK framework and are unique to attacks targeting connected cars. As such, these are threat techniques that VicOne recommends for consideration by car OEMs when looking into automotive cyberattacks:
- ADAS Sensor Attack
- Exploit via UDS
- Bypass UDS Security Access
- Exploit ECU for Lateral Movement
- Access Vehicle Telemetry
- Unintended Vehicle Control Message
- Manipulation of CAN Bus Message
What unique insights can automotive attack mapping provide OEMs?
Mapping tactics and techniques used in automotive cyberattacks reveals the life cycle of a cyberattack on a connected car and how each stage of such an attack is conducted. This step-by-step breakdown gives car OEMs a unique glimpse into the mindset of an attacker by revealing their goals and chosen methods. With this knowledge, car OEMs can better integrate security into the earliest stages of connected car design and production, rather than adding it as an afterthought.
Request a DemoLearn More
How did VicOne come up with this automotive attack mapping?
Why are most of these tactics and techniques also applicable to the IT world?
Know More From Our Resources
GAIN INSIGHTS INTO AUTOMOTIVE CYBERSECURITY
Prerequisites for Vulnerability Management in Automotive Cybersecurity in the AI Era
As AI accelerates exploit development, CVSS scores alone no longer suffice. Here's what automotive OEMs and suppliers must prioritize now.
READ MORE →
Copy Fail and DirtyFrag: When Linux Kernel Flaws Become Automotive Cybersecurity Risks
Copy Fail (CVE-2026-31431) exposes how a Linux kernel flaw can impact automotive systems. See the risk, MITRE mapping, and xCarbon response.
READ MORE →
VicOne Situational Awareness Report: Cybersecurity in the Automotive, Transportation, and Logistics Sectors in Q1 2026
VicOne recorded 405 automotive cybersecurity incidents in Q1 2026. Ransomware persisted, EV charging incidents tripled, and AI emerged as a new attack surface. This report breaks down the threats by region, domain, and vulnerability type.
READ MORE →
AI Supply Chain Attacks Are Here: What Automotive OEMs Need to Know
AI supply chain attacks are no longer theoretical. VicOne's Automotive CyberThreat Research Lab breaks down how attackers are exploiting AI development tooling, why automotive OEMs face elevated exposure, and what security teams should do now.
READ MORE →