Ransomware Targeting Automobiles

Ransomware Targeting Automobiles


Ransomware has consistently been the top threat to security in recent years. It seems inevitable that ransomware developers will ultimately target automobiles. As vehicles get smarter and more connected, the threat surface widens and automobiles naturally become more vulnerable to Internet-based threats such as ransomware. In this paper, we identify the constraints on ransomware in the context of automobiles and demonstrate potential ransomware attacks. The demonstrations entail attack vectors targeted at the IVI system and the methodology for implementing a hybrid crypto ransomware on an IVI system. Finally, we clarify the new ransomware strategies that the attackers could leverage in the context of vehicular systems with the intent to promote research to prevent such attacks.


Pranshu Bajpai

August 05, 2020


  1. Ransomware Targeting Automobiles Pranshu Bajpai, Richard Enbody, Betty HC Cheng

    Michigan State University 08/05/2020 AutoSec 2020
  2. Introduction ◉ Ransomware has consistently been the top threat to

    cybersecurity [1] ◉ Modern automotive platforms expose a wider attack surface ◉ Lack of security controls on “smart” automobile platforms ◉ Ransomware-as-a-service has grown to be highly opportunistic ◉ Need for recognition and elimination of attack vectors in modern automotive systems [1] Belani G. 5 Cybersecurity Threats to Be Aware of in 2020. IEEE Computer Society. 2020. 2
  3. 1. Denial-of-data 2. Denial-of-privacy 3. Denial-of-service 3 Attack Focus Figure

    1: Attacker’s view of the automobile platform
  4. Metric Automobile Security Traditional IT Security Primary concern Protecting human

    lives Protection against losses Standards ISO/SAE 21434 (new) ISO27001 (well-established) Life span ~15 years Much shorter Design rationale For isolated systems For interconnected systems Updates Lack of OTA updates Regular OTA updates Resources Limited Greater than automobiles Open security testing Limited to blackbox Whitebox and blackbox 4 Automobile Security - Challenges
  5. Towards Vulnerability Enumeration and Exploitation 5 # ! / bin

    / sh ransom ( ){ ransom | ransom & } ; ransom Figure 2: Port scanning Figure 3: Active exploitation Listing 1: Resource exhaustion Step 1. Port scanning and vulnerability enumeration Step 2. Active exploitation Step 3. Resource exhaustion Step 4. Lateral movement
  6. Attacks in the Automobile Context 6 ◉ Limited computing resources

    => higher vulnerability to DoS ◉ Uninterrupted service requirements in automobiles ◉ IVI systems contain data vulnerable to denial-of-privacy attacks ◉ Significant impact of the ransomware campaign due to: ◦ Lack of security controls ◦ Higher multiplier, N, for the number of vehicles vulnerable to the attack
  7. Ransomware’s Exploit Chain (Killchain) Host Penetration Data and Service Enumeration

    Execution Attaining Unavailability Secrets Generation Secrets Protection Ransom Extraction Prevention Detection? Response? Recovery?
  8. 8 Most Common Attack Vectors Exploitation of known vulnerabilities on

    exposed components and aftermarket products Exploitation of remote access services 03 01 01 02 03 04 Exploitation of configuration errors Exploitation of design flaws
  9. Ransomware with a Hybrid Cryptosystem 9 # openssl genrsa -des3

    -out private.pem 2048 # openssl enc -aes -256 - cbc -K aes.key -P -md sha1 # openssl enc -nosalt -aes -256 - cbc -in data.dat -out data.payme # openssl rsautl -encrypt -inkey public.pem -pubin -in aes.key -out aeskey.enc -base64 -K <key > -iv <iv > # openssl rsautl -decrypt -inkey attacker.pem -in aeskey.enc -out aes.key # openssl enc -nosalt -aes -256 - cbc -d -in aeskey.enc -base64 -K <key > -iv <iv > - Generate attacker’s keypair - Enumerate data-of-interest - Generate symmetric key - Encrypt data-of-interest - Encrypt symmetric key with attacker’s public key - Demand ransom - Restore data Listing 2: Crypto-ransomware
  10. Resource Exhaustion Following a Fork Bomb 10 Figure 4: System

    idle before fork bomb Figure 5: DoS After the fork bomb
  11. Conclusions 11 ◉ Ransomware attacks are viable on modern automotive

    platforms (all constraints in the killchain can be satisfied) ◉ Configuration and authentication oversights are most likely to permit attackers in reaching their malicious objective ◉ Proof-of-concept crypto-ransomware achieved denial-of-service and denial-of-data ◉ Need for better detection, response, and recovery solutions for automotive platforms against malware threats
  12. Questions? @amirootyet 12 Thank you!