This talk looks back at the maturation of cybersecurity in the automotive industry from early anti-theft systems to the use of technical measures to protect electronic vehicle systems up to today’s requirements regarding technical and organizational measures to protect current vehicles against attacks. The talk reports on experiences from this maturing process as well as current and future challenges. Technical but also organizational trends will be highlighted and discussed in the conflict resulting from an increasing rigidity of concrete (regulatory) requirements on the one hand and the required degree of freedom for the development of alternative solutions on the other hand. Empirical success criteria and high dynamics regarding environmental conditions for automotive cybersecurity will be one focus area of the discussion.

ISO/SAE 21434:2021 discusses the calculation of the Attack Feasibility Rating through various methods, including the CVSS-based approach and the Attack Potential (AP)-based approach.

During the concept and development phases (e.g., TARA), the more detailed Attack Potential approach finds widespread use. Conversely, the CVSS-based approach continues to dominate continual cybersecurity activities due to the availability of public vulnerability database ratings based on CVSS. As both CVSS and Attack Potential approaches have their respective advantages and applications, it is evident that the coexistence of these methods will persist.

However, our concrete project experiences have revealed that the application of different approaches does not consistently yield identical results, even when considering the same attack paths. This disparity becomes particularly problematic when trying to integrate CVSS-based information into Risk Value calculations originally designed for the Attack Potential-based approach. Until this issue is addressed in upcoming releases of ISO/SAE 21434, the industry requires a solution to maintain a holistic product cybersecurity risk and vulnerability management approach throughout the entire product lifecycle. Therefore, there is a pressing need for a stable and consistent conversion methodology between the Attack Potential and CVSS-based approaches.

This presentation aims to explain the differentiation between the CVSS-based and Attack Potential approaches, highlighting their individual advantages and disadvantages. It also acknowledges the continued significance of both approaches in Road Vehicles Cybersecurity Engineering and proposes conversion methods. These are then elaborated with detailed calculations, and examples are provided to demonstrate the consistency of the results.

This talk will explore the challenges and benefits of integrating automated end-to-end security testing into the automotive development lifecycle. It will discuss solutions for infrastructure, asynchronous messages, fast-changing backends, and emerging technologies to meet UN R155 criteria.

The industry generally acknowledges that Ultra Wide Band (UWB) technology can theoretically mitigate relay attacks targeting traditional Low Frequency (LF) and Bluetooth Passive Keyless Entry (PKE) systems. UWB localization technology has been increasingly incorporated into the latest digital car key systems, so the functionality of UWB ranging is directly tied to the car’s susceptibility to relay attacks and the proper operation of the car key. However, during a security test project at GoGoByte, we discovered that merely adhering to the IEEE 802.15.4z and Car Connectivity Consortium (CCC) Digital Key standards does not ensure the reliable performance of the UWB ranging function. We have proposed a “sniper” jamming attack on High Rate Pulse (HRP) UWB ranging. For confidentiality reasons, we used the iPhone 14 and AirTag as demonstration devices and created an attack device called GoGoBark. Once GoGoBark is activated, the UWB-based ranging function of the iPhone fails, with a success rate of 99%. This attack method impacts not only Apple smartphones but also digital car keys that utilize IEEE 802.15.4z HRP UWB ranging.

This talk paints the picture of the challenges the automotive industry is facing in the era of software-defined vehicles (SDVs) where software security suffers from the tragedy of the commons. Coverage-guided fuzzing has proven to be very effective in finding security-relevant bugs in software. Despite a large slew of open-source tools, applying coverage-guided fuzzing to automotive software still has a high entry barrier for adoption. To alleviate the challenge, this talk presents system and module-level fuzzing approaches to lower the entry barrier for fuzzing automotive software. To make the approaches tangible, short live demonstrations of the system and module fuzzing approaches will be presented.

Over-the-Air Software Update is widely used by Car OEMs to ensure maintenance of Vehicles Software through regular updates containing either bug fixes, vulnerability patches or introduction of new features or functionalities throughout vehicle serial-life on Connected Vehicles.

Introduction of ISO/SAE-21434 standard and UNR.155/UNR.156 regulations have largely contributed to helping OEMs and Suppliers at standardizing methodologies within engineering flows and processes while impacting security architecture. This initial step could largely be extended in the future and become even more beneficial to Vehicle end-users since security serves common objectives for all OEMs and automotive suppliers with ultimate winners being end-users with more secure products running in our streets. Knowledge sharing should be encouraged to continue to strive for continuous improvements.

Goal of this session is to share current strategies & methodologies used at Renault to enhance Security Architecture on future SDV platforms and cope with the challenges of updating very frequently multiple execution environments including sensitive automotive functions while still controlling security risks.

This presentation will be a live demonstration of an incident response Tabletop Exercise, designed to outline the benefits of conducting exercises within businesses and governments and provide attendees with firsthand experience of what an event like this would entail.

The exercise will be interactive with the audience, relying on them to help drive the incident through each stage of the process:

Identify
Triage
Validate
Mitigate
Disclose

This will be a fictional incident for a fictional company/device not targeted to the automotive industry, with some actionable tips to enhance or establish incident response tabletops within private and public organizations.

Having been involved in the automotive cybersecurity industry since early 2017, Kamel has gotten to experience the growth of the field firsthand. Over the years, the industry has changed greatly, with industry standards and legislation coming to completion, the emergence of different groups and organizations, books specific to the subject of automotive security published, and more. In this talk, Kamel will recount his time in the industry, answering many of the most common questions he receives from newcomers to the industry eager to find guidance on how to navigate it.

For the last six years, Upstream has been carefully monitoring and analyzing automotive and smart mobility cybersecurity incidents and risks.

In addition to an extensive report published annually, last year we added a new mid-year version of the report – focusing on major trends we identified recently that drive new attack vectors and risks.

In our latest H1’2023 report we identified three significant trends that directly derive from the SDV transformation the industry is undergoing:

1. Steep rise in backend server attacks – enabling access to sensitive vehicle data and controls
2. The critical role of continuous SBOM analysis (dynamic TARA) and how it can be utilized to boost threat intelligence
3. Agriculture, construction, and heavy machinery vehicles – new targets by malicious are being targeted by threat actors – these SDVs are more susceptible than ever to cybersecurity threats

In this session, we’ll dive deep into the opportunities delivered by SDVs, and help assess the emerging cybersecurity threats. We’ll provide insights on recent incidents and discovered vulnerabilities in 2023, and how OTA – which are at the heart of SDV transformation – are also a very effective mitigation tool.

As the automotive industry embraces cutting-edge technology, the need for robust security measures becomes paramount. This presentation delves into our research, which involved successfully hacking thousands of heavy vehicles and shines a spotlight on the significant challenges encountered during the vulnerability disclosure process.

In this talk, we present a novel method for exploiting vulnerabilities in secure embedded bootloaders, which are the foundation of trust for modern vehicle software systems. Specifically, we demonstrate the feasibility of code execution attacks by leveraging a combination of software and hardware weaknesses in the secure software update process of electronic control units (ECUs), which is standardized across the automotive industry. Our method utilizes an automated approach, eliminating the need for static code analysis, and utilizes a novel algorithm for identifying fault injection parameters, enabling code execution in a matter of minutes to hours. Additionally, we demonstrate the ability to perform information leakage and program execution tracing through fault injection on PowerPC and ARM processors, which are commonly used in safety-critical applications. These experiments were conducted using electromagnetic fault injection techniques, without any hardware modifications to the targeted systems. Our results indicate that the standardized secure software update process currently used in the automotive industry is in need of revision in light of the security risks demonstrated.

This presentation explores the crucial role of Software Bill of Materials (SBOMs) in automobile cybersecurity, given the increased vulnerability due to connected cars and autonomous vehicles. SBOMs help identify security risks and vulnerabilities in the software supply chain of vehicles. We discuss challenges in obtaining SBOMs, contractual issues, and suppliers’ limited knowledge. We showcase tools for SBOM management/generation and draw lessons from successful implementations in other industries. Targeted at cybersecurity professionals, automobile industry leaders, and policymakers, this session highlights the significance of SBOMs in enhancing automobile cybersecurity.

The story of the investigation into the device that I believe was used to steal my 2021 Toyota RAV4 and how easy it is to do using ‘CAN Injection ‘ most details are in the following blog post-https://kentindell.github.io/2023/04/03/can-injection/

This presentation aims to give you an overview of the various initiatives that are propelling automotive cybersecurity forward. We will provide a roadmap of important topics and the organizations necessary to be successful.

During our discussion, we will explore the efforts made in the field of automotive cybersecurity, emphasizing their importance and the effects they have. We will also look at the latest advancements and industry trends, discussing how they are shaping the future of automotive security. Furthermore, we will stress the essential steps that the community needs to take in order to proactively prepare for the constantly changing threat landscape.

In this panel, we will explore the maturity for CSMS implementations across the automotive industry, and how it varies in different markets. We will discuss the most common process gaps and key challenges that OEMs and Suppliers face during audits, and how they can better prepare for them. Our high-profile Panelists will share their insights and experiences from an auditor’s perspective.

PANEL MODERATOR:
Dr. Jetzabel M. Serna-Olvera is the CEO and Co-founder of SAPAR GmbH, bringing over 18 years of global cybersecurity expertise. With a PhD in cybersecurity from the Universitat Politécnica de Catalunya, BarcelonaTech, she has excelled in various roles. Dr. Serna-Olvera began as a software engineer at the Tijuana City Council and went on to become a security researcher at esCERT-UPC. She further contributed as a senior security intelligence researcher at LaCaixa Bank and an assistant professor at the Goethe University of Frankfurt. In the automotive industry, she made strides as a cybersecurity strategist, advisor, and security culture lead at leading companies including Continental, Robert Bosch GmbH, and Geely. Her focus areas encompass Vulnerability Management, Incident Response, Threat Intelligence, and fostering a Cybersecurity Culture. Additionally, her extensive knowledge of privacy-enhancing technologies, GDPR compliance, and privacy-centric machine learning drives her mission of simplifying cybersecurity and privacy, cultivating expertise, and integrating them into core business operations.

The talk focuses on the discovery of invaluable data captured in infotainment modules suspected of crashing, which can aid serious crime or collision investigations. This data is often found in Diagnostic Log Trace (DLT) files associated with the AUTOSAR (Automotive Open System Architecture) standardisation initiative for automotive electronic control units (ECUs).

The AUTOSAR framework enables modular development and software component reuse across different automotive platforms, reducing development costs and improving system quality and safety. The DLT file format within AUTOSAR logs and traces diagnostic and software event information in ECUs, providing a standardised way of analysing and diagnosing issues.

The DLT files have been observed to contain data such as entered destinations, tracklogs (GPS fixes), connected devices, connected phonebooks, connection times, engine on/off events, and odometer readings. However, the conditions under which these DLT files are created and their exact sources remain unclear to the Vehicle Systems Forensics community.

The presenter shares their personal experience with one vehicle equipped with systems capable of storing DLT files. They acquired data from the infotainment system using various techniques and are currently conducting ongoing testing to understand the creation and content of these files fully.

The ultimate goal of this research is to enable vehicle systems forensics investigators to better comprehend DLT files and the associated data for existing vehicles and ongoing criminal investigations. Additionally, it aims to raise awareness among automotive cybersecurity professionals about the potential risks of personal data captured within infotainment systems via this protocol and the need for enhanced data security in the future.

We will discuss strategies to automatically generate the Software Bill of Materials (SBOM) of connected devices as a foundation for effective vulnerability management. SBOMs provide a comprehensive list of all software components and their dependencies in a given system – a prerequisite to identifying vulnerabilities and their potential impact. Additionally, we will delve into some intricacies and challenges when dealing with SBOM.

To avoid alert fatigue, we will further demonstrate effective strategies to automate impact assessments of vulnerabilities to filter false positives and increase the relevance of reported vulnerabilities using both open-source solutions as well as commercial services.

Attendees will gain insight into how automated SBOM generation and management can improve vulnerability management processes, reduce risks, and increase the efficiency of the product security lifecycle.

Culture, a word without hard facts, it is more about feeling. So, what is meant by that? When it comes to the specific establishment of a cybersecurity culture, we are talking about quite an unclear challenge. ISO/SAE 21434:2021 presupposes the fostering and maintenance of a strong cybersecurity culture as one of the prerequisites for developing cyber secure products. But the standard leaves the implementation of that requirement open. Additionally, it affects not only the cybersecurity team but also the whole organization. This means completely different company divisions and teams with very different backgrounds and work spheres, often distributed across many locations, are involved.

The purpose of this presentation is to show how cybersecurity culture can be addressed in different phases of the product lifecycle and propose concrete measures to strengthen that in your company.

In conclusion, the presentation discusses how to measure a proper culture and provide evidence to an auditor or technical service.

The technologies in hacking connected cars have not only advanced but also become more accessible to cybercriminals recently. They can now purchase “black box” tools that allow them to quickly overcome anti-theft technologies incorporated in modern vehicles without fully understanding CAN bus and other, similar communication protocols.

As demonstrated in Pwn2Own Vancouver 2023, malicious actors could level up by staging a complex attack scenario by combining multiple vulnerabilities — such as a time-of-check to time-of-use (TOCTOU) issue and a heap overflow and out-of-bounds write zero-day vulnerability in the in-vehicle infotainment (IVI) system — to control a Tesla Model 3 remotely.2 Compared to already known exploits on weak key fob cryptography and relay attacks, malicious activities like this are far more advanced and underscore the importance of further securing today’s vehicles against such imminent threats.

In this presentation, we will address the following questions:

– What has driven cybercriminals to be more brazen and attacks to be more sophisticated?

– How will cybercriminals monetize these advanced automo=ve vulnerabilities?

– Where could the next stages of cyberattacks come from emerging trends in automotive vulnerabilities, new attack vectors, and future targets?

– What are the industry’s counterattacks to stay ahead of a rapidly changing automotive threat
landscape?

Combination of TARAs on different levels (system and software). How to perform on those levels, using the example of architectural vulnerability analysis for Electronic Steering Column Lock function to identify cybersecurity controls.

Car hacking has been a hot topic in the security community since 2015. In the years since, vehicle OEMs and suppliers put significant effort towards protecting vehicle users from cyber security incidents. However, the journey towards secure cars is far from the end, as modern vehicles’ complexity and connectivity introduce new challenges.

This talk will communicate the specific experience of the PCAutomotive team conducting vehicle security research, covering all the steps starting with intelligence gathering to the vulnerability disclosure process. The talk will tell our story – the way we perform our black-box research, using the latest SKODA SUPERB III car, as an example.

The specific vulnerabilities found and covered in the talk will include unintended debug functionality, hard-coded passwords, weak protection of the diagnostic services, as well as information disclosure issues in the backend server API. The talk will demonstrate how insufficient protection of in-vehicle diagnostic services may result in safety issues for drivers.

The purpose of the talk is to share our experience with manufacturers and their internal security teams, automotive developers, and the general car security community – all to further secure our streets.

As automotive software organizations push security earlier in the development processes, what can or should regular software or operations engineers know about security? Taking as given that we need them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they’ll keep building insecure systems. With them, we can have fewer recurring problems that are trivially attackable.

This session will detail the latest UNECE cybersecurity regulations, comparing the automotive sector to other industry benchmarks. However, regulation is not a fix-all solution and its limitations will also be highlighted – alongside an introduction into the technologies on the market which can help achieve compliance and a strong cybersecurity posture.