Towards Effective Identification and Rating of Automotive Vulnerabilities

Towards Effective Identification and Rating of Automotive Vulnerabilities

https://www.amirootyet.com/

Cybersecurity is a paramount concern in automobiles since deficiencies in security controls put human lives at risk. Some security vulnerabilities are more critical than others and demand immediate attention. Therefore, it is imperative to quantify associated risks by means of rating security vulnerabilities on a scale of severity which has proven to be a useful tool for traditional IT security in comprehending the real risk associated with a vulnerability. In this paper, we present a methodology for adapting the proven CVSS scoring system to automobiles and illustrate the notion with several examples of real-world automotive security vulnerabilities. We also propose a CVV naming system, that is based on the existing CVE system by MITRE, to assign unique identifiers to these vulnerabilities which permits efficient tracking and analysis of automotive vulnerabilities.

Aacafcf81ef6d72fc43e2d83d034aee8?s=128

Pranshu Bajpai

August 05, 2020
Tweet

Transcript

  1. Towards Effective Identification and Rating of Automotive Vulnerabilities Pranshu Bajpai,

    Richard Enbody Michigan State University 08/05/2020 AutoSec 2020
  2. Introduction ◦ Vehicles are complex members of the IoT ◦

    Not designed with interconnectivity in mind (e.g. CAN) ◦ Aftermath of vulnerability discovery ▫ Quantification of severity ▫ Pattern discovery ◦ Safety and security are not the same 2
  3. Introduction ◦ Security vulnerabilities different in severity ◦ Need for

    prioritization for mitigation ◦ Vulnerability identification: ▫ What? ▫ Where? ▫ When? ▫ How? ▫ Who? 3
  4. Common Vulnerability Scoring System 4 ◦ Well-established ◦ Modular and

    adaptable ◦ Indicates root causes ◦ Measures complexity and impact
  5. CVSS (CVE-2012-1516) Vector string: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 5

  6. CVV Identifier CVV-YYYY-CP-NNNNN ◦ CVV prefix ◦ Year ◦ Component

    ◦ Arbitrary digits 6 Source ID Protocol 00 Infotainment System 01 3rd Party Devices 02 Keyfobs and Immobilizers 03 Wireless 04 App/Software/Service 05 Others 06
  7. CVV Identifier (Nissan Leaf) The Nissan Leaf vulnerability [1] CVV

    − 2016 − 05 − 45623 [1] https://www.troyhunt.com/controlling-vehicle-features-of-nissan/ 7 When Where How
  8. CVSS Adaptation to Automobiles 8 Vector Value Condition User Interaction

    Required User plugs in a 3rd party device Attack vector Network / Adjacent Network / Local / Physical Internet / Bluetooth or WiFi / Dealership / Manipulate hardware Scope Changed Keyfob -> Physical access -> OBD2 port Environmental Metrics (CIA) High Automotives are critical infrastructure
  9. CVSS Rating for CVV-2015-04-11142 “Tracking connected automobiles using wireless means”

    (University of Twente [2]) https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:L/PR: N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:W/RC:R/CR:H/IR:H/AR:H/MAV: X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X Connected cars broadcast 10 unencrypted message/sec, using Wi-Fi spectrum at 5.9 gigahertz (802.11p) Messages carry unique digital signatures [2] Petit, Jonathan, Djurrre Broekhuis, Michael Feiri, and Frank Kargl. "Connected vehicles: Surveillance threat and mitigation." Black Hat Europe 11 (2015): 2015. 9
  10. CVSS Rating for CVV-2015-04-11142 “Tracking connected automobiles using wireless means”

    (University of Twente [1]) https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:L/PR: N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:W/RC:R/CR:H/IR:H/AR:H/MAV: X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X 10
  11. Conclusion ◦ Aftermath of vulnerability discovery ◦ Track vulnerability introduction

    during development cycle and lifetime ◦ Break down multi-faceted vulnerabilities ◦ Validate the assigned score ◦ Repository of automotive vulnerabilities 11
  12. Thank you! QUESTIONS? Twitter: @amirootyet 12