Paper Review: Comprehensive Experimental Analyses of Automotive Attack Surfaces

This is a paper review for: Checkoway, Stephen, et al. "Comprehensive experimental analyses of automotive attack surfaces." USENIX Security Symposium. Vol. 4. 2011.

Summary

Modern vehicles are made up of several distributed compute resources (components). Each of these components has an implicit connection to other components, and this architecture provides a broad attack surface. The authors conducted a vulnerability study, and for each vulnerability they were able to control the whole vehicle's distributed system. They found that all vulnerabilities are at the interface boundaries between code written by distinct organizations. The authors performed a threat assessment showing the different types of attacks that are possible, such as mass car theft and surveillance. They then proposed implementation fixes, such as using application-level authentication and encryption, limiting Bluetooth pairing, and limiting the capabilities available via the cellular interface. In addition, the paper discusses why these vulnerabilities exist even though the fixes are known. The authors attribute this to outsourcing components from different proprietary vendors and to the fact that large-scale attacks had not occurred regularly.

Things I liked

Things I did not like

Further research

A study on interface tests that assert the security of components in a black-box fashion, without access to source code, simulating the proprietary source code of car manufacturers.
