Threat Model
Electronic control units, or ECUs, first appeared in mass-produced cars sometime in the early 1970s. Over the intervening decades, the number of these units has multiplied rapidly. A USA Today article from 2016 estimated that the average family vehicle may have up to 10 million lines of code (LOC). For high-end luxury sedans, the number comes closer to 100 million LOC, or "about 14 times more than even a Boeing 787 Dreamliner jet."
These connected and often "smart" units offer a multitude of benefits to the operation of automobiles, but they also create a huge new attack surface. A malicious broadcast to an ECU connected to the Internet, or the introduction of malware delivered through any type of software update mechanism, brings with it a host of potential threats, including the ability to interfere with basic automotive operations. At its worst, in the hands of nation-state level actors, the threats generated by compromised ECUs could include such worst-case scenarios as tampering with the brakes of an entire fleet of police cars, or causing widespread engine failures on a highway during rush hour.
Why Updates are Vulnerable
Software updates are routinely performed on computing units for a number of reasons, including the addition of new functionality and upgrades to improve productivity. But the primary reason for updating software is to address existing flaws in the code itself that could potentially be exploited, causing the chaos described above. Increasingly, these updates are done using "software-over-the-air" or SOTA strategies, in which revised versions of programs are sent directly to computing units through broadcasts over the Internet. The strategy is growing in popularity because it is a much quicker and more cost-effective delivery mechanism than traditional methods, such as distributing flash drives or requiring customers to bring in their vehicles for servicing. Even established OEMs are recognizing the potential of this strategy, with both Ford and GM recently announcing they would allow access to SOTA updates in some models by 2020.
However, connecting ECUs to the Internet makes them vulnerable to a wide range of attacks, some of which introduce malware masquerading as legitimate updates. The potential consequences of such attacks could be costly indeed, not only in terms of recalls or lost sales, but also, potentially, in loss of life.
Potential Attacks
The types of attacks which Uptane is designed to defend against can be organized into four categories, presented here in order of increasing severity.
Read updates: The goal here is intellectual property theft, so these attackers aim to read the contents of software updates. This is generally achieved with an Eavesdrop attack, where attackers can read unencrypted updates sent from the repository to the vehicles.
Deny updates: In this group of attacks, the goal is to prevent vehicles from fixing software problems by using one of several attack strategies to deny access to updates.
- Drop-request attack: blocks network traffic outside or inside the vehicle to prevent an ECU from receiving any updates.
- Slow retrieval attack: slows delivery time of updates to ECUs so a known security vulnerability can be exploited before a corrective patch is received.
- Freeze attack: continues to send the last known update to an ECU, even if a newer update exists.
- Partial bundle installation attack: allows only part of an update to install by dropping traffic to selected ECUs.
Deny functionality: This grouping ups the threat ante a bit further by causing vehicles to fail to function in one of the following ways:
- Rollback attack: tricks an ECU into installing outdated software with known vulnerabilities.
- Endless data attack: causes an ECU to crash by sending it an infinite amount of data until it runs out of storage.
- Mixed-bundles attack: shuts down an ECU by causing it to install incompatible versions of software updates that must not be installed at the same time. Attackers can accomplish this by showing different bundles to different ECUs at the same time.
- Mix-and-match attack: if attackers have compromised repository keys, they can use these keys to release arbitrary combinations of new versions of images.
Control: The last and most severe threat arises when an ECU can be forced to install software of the attacker's choosing, thus ceding control of that unit. This means an attacker can arbitrarily modify the vehicle's performance through an arbitrary software attack, in which the software on an ECU is overwritten with a malicious software program.
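The "deny updates" and "deny functionality" categories above each map to a concrete check a vehicle-side client can perform before acting on metadata. The following is an added example, not Uptane's own code or metadata format: it uses a constructed, simplified layout (version, expires, release) to show how expiry detects a freeze, version monotonicity detects a rollback, a bounded read stops endless data, and a shared release id across ECUs detects mixed bundles.

```python
from datetime import datetime

MAX_READ = 1 << 20  # constructed hard cap on any image, whatever the metadata claims


def check_metadata(meta, installed_version, now_iso):
    """Return the deny-update / deny-functionality attacks the metadata for one
    ECU would indicate, or [] if it passes. Times are ISO-8601 strings."""
    findings = []
    # Freeze attack: a replayed copy of old metadata eventually passes its expiry
    if datetime.fromisoformat(now_iso) > datetime.fromisoformat(meta["expires"]):
        findings.append("freeze")
    # Rollback attack: an image older than the installed one is never accepted
    if meta["version"] < installed_version:
        findings.append("rollback")
    return findings


def fetch_bounded(read, declared_length):
    """Read one image via read(n), never more than its declared length.
    Returns the image, or None if the sender keeps streaming (endless data)."""
    limit = min(declared_length, MAX_READ)
    data = read(limit + 1)  # asking for one extra byte exposes an oversized stream
    return None if len(data) > limit else data


def consistent_bundle(per_ecu_targets):
    """Mixed-bundles / mix-and-match: every ECU must have been shown the same
    release of the bundle, so more than one release id means a mixed bundle."""
    return len({t["release"] for t in per_ecu_targets.values()}) == 1


# Constructed sample of what a vehicle's ECUs might be shown during an attack
SAMPLE_TARGETS = {
    "engine": {"version": 7, "expires": "2024-01-01T00:00:00", "release": 42},
    "brakes": {"version": 3, "expires": "2024-06-01T00:00:00", "release": 41},
}


def demo(now_iso="2024-03-01T00:00:00", installed=None):
    installed = installed or {"engine": 5, "brakes": 4}  # constructed current state
    report = {ecu: check_metadata(m, installed[ecu], now_iso)
              for ecu, m in SAMPLE_TARGETS.items()}
    report["bundle_consistent"] = consistent_bundle(SAMPLE_TARGETS)
    # A stream that answers every read() in full, as an endless-data sender would
    report["endless_blocked"] = fetch_bounded(lambda n: b"\xff" * n, 1024) is None
    return report


if __name__ == "__main__":
    print(demo())
```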