A Study on Security Evaluation for Secure Software Update Management System in Automotive
Seo, Jaewan (ICSP (Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
Kwak, Jiwon (ICSP (Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
Hong, Paul (ICSP (Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
Cho, Kwangsoo (ICSP (Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
Kim, Seungjoo (ICSP (Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
1 | C. Miller and C. Valasek, "Remote Exploitation of an Unaltered Passenger Vehicle," Black Hat USA, Aug. 2015. |
2 | UNECE, "Uniform provisions concerning the approval of vehicles with regards to software update and software updates management system," UN R156, Mar. 2021. |
3 | A. Shostack, Threat modeling: Designing for security, 1st Ed., John Wiley & Sons, Feb. 2014. |
4 | S. Nie, L. Liu and Y. Du, "Free-Fall: Hacking Tesla from Wireless to CANBus," Black Hat USA, Jul. 2017. |
5 | R.P. Weinmann, B. Schmotzle, "T-BONE: Drone vs. Tesla," CanSecWest Conference, Apr. 2021. |
6 | C. Ponsard and D. Darquennes, "Towards Formal Security Verification of Over-the-Air Update Protocol: Requirements, Survey and UpKit Case Study," In Proceedings of the 7th International Conference on Information Systems Security and Privacy - Volume 1: ForSE, pp. 800-808, Jan. 2021. |
7 | Z. Wu, T. Liu, X. Jia and S. Sun, "Security design of OTA upgrade for intelligent connected vehicle," In Proceedings of the 1st International Conference on Control and Intelligent Robotics, pp. 736-739, Jun. 2021. |
8 | A. Ghosal, S. Halder and M. Conti, "Secure Over-the-Air Software Update for Connected Vehicles," Computer Networks, Vol. 218, Dec. 2022. |
9 | J. Yu, S. Wagner and F. Luo, "An STPA-based Approach for Systematic Security Analysis of In-vehicle Diagnostic and Software Update Systems," Computer Science, Jun. 2020. |
10 | C.W. Lee and S. Madnick, "A system theoretic approach to cybersecurity risks analysis of passenger autonomous vehicles," MIT Sloan Research Paper, no. 5724-18, pp. 1-34, Feb. 2018. |
11 | M. Hamad, "A Multilayer Secure Framework for Vehicular Systems," Ph.D. Thesis, Carolo-Wilhelmina Technical University, Feb. 2020. |
12 | A. Lautenbach and M. Islam, "Security models," D2, HEAVENS, Mar. 2016. |
13 | A. Mukherjee, R. Gerdes and T. Chantem, "Trusted Verification of Over-the-Air (OTA) Secure Software Updates on COTS Embedded Systems," In Proceedings of the Third International Workshop on Automotive Vehicle Security, Jan. 2021. |
14 | V.K. Saini, Q. Duan, V. Paruchuri, "Threat Modeling Using Attack Trees," Journal of Computing Sciences in Colleges, Vol. 23, Issue. 4, pp. 124-131, Apr. 2008. |
15 | M. Salfer and C. Eckert, "Attack surface and vulnerability assessment of automotive Electronic Control Units," In Proceedings of the 12th International Conference on Security and Cryptography, pp. 317-326, Jul. 2015. |
16 | V.L.L. Thing and J. Wu, "Autonomous Vehicle Security: A Taxonomy of Attacks and Defences," IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), pp. 164-170, Dec. 2016. |
17 | FASTR Connectivity and Cloud Work Group, "Automotive Industry Guidelines for Secure Over-the-Air Updates," Oct. 2018. |
18 | C. Riggs, C.E. Rigaud, R. Beard, T. Douglas and K. Elish, "A survey on connected vehicles vulnerabilities and countermeasures," Journal of Traffic and Logistics Engineering, Vol. 6, no. 1, pp. 11-16, Jun. 2018. |
19 | M. Zoppelt, R.T. Kolagari, "UnCle SAM: Modeling Cloud Attacks with the Automotive Security Abstraction Model," International Conference on Cloud Computing, GRIDs, and Virtualization, pp. 67-72, May 2019. |
20 | Myoungsu Kim, Junyoung Park, Eunseon Jeong, Insu Oh, Kangbin Yim, Junghoon Park, "OTA Vulnerability on User Equipment in Cloud Services," International Conference on Information Technology Systems and Innovation, pp. 425-428, Oct. 2018. |
21 | GENIVI Alliance, "Security Threats&Mitigations," https://genivi.github.io/rvi_sota_server/sec/security-threats-mitigations.html, Oct 2021. |
22 | University of Missouri - St. Louis, "Data Flow Diagrams Examples," http://www.umsl.edu/~sauterv/analysis/dfd/dfd_intro.html, Oct. 2021. |
23 | MITRE, "CWE," https://cwe.mitre.org/data/definitions, Sep. 2021. |
24 | Lucidchart. "What is a Data Flow Diagram," https://www.lucidchart.com/pages/data-flow-diagram, Oct. 2021. |
25 | Carnegie Mellon University, "Checking Threat Modeling Data Flow Diagrams for Implementation Conformance and Security," http://reports-archive.adm.cs.cmu.edu/anon/isri2006/CMU-ISRI-06-124.pdf, Oct. 2021. |
26 | MITRE, "CVE," https://cve.mitre.org/cgi-bin/cvename.cgi, Sep. 2021. |
27 | Y. Ashibani and Q.H. Mahmoud, "Cyber physical systems security: Analysis, challenges and solutions," Computers & Security, Vol. 68, pp. 81-97, Jul. 2017. |
28 | A.M.K Nasser, and S. Lauzon, "Safety-Driven Cyber Security Engineering Approach Applied to OTA," Embedded Systems, Cyber-physical Systems, and Applications, pp. 8-13, Feb. 2018. |
29 | R. Kirk, H.N. Nguyen, J. Bryans, S. A. Shaikh and C. Wartnaby, "A formal framework for security testing of automotive over-the-air update systems," Journal of Logical and Algebraic Methods in Programming, Vol. 130, Jan. 2023. |
30 | Kyong Tak Cho, "From Attack to Defense: Toward Secure In-vehicle Networks," Ph.D. Thesis, University of Michigan, 2018. |
31 | N. Weiss, E. Pozzobon and S. Renner, "Extending Vehicle Attack Surface Through Smart Devices," International Conference on Emerging Security Information, Systems and Technologies, pp. 131-135, Sep. 2017. |
32 | P. Bajpai, R. Enbody and B.H.C. Cheng, "Ransomware Targeting Automobiles," ACM Workshop on Automotive and Aerial Vehicle Security, pp. 23-29, Mar. 2020. |
33 | B.M. Luettmann and A.C. Bender, "Man-in-the-middle attacks on auto-updating software," Bell Labs Technical Journal, Vol. 12, Issue. 3, pp. 131-138, Sep. 2007. |
34 | M.H. Eiza and Q. Ni, "Driving with sharks: Rethinking connected vehicles with vehicle cybersecurity," IEEE Vehicular Technology Magazine, Vol. 12, Issue. 2, pp. 45-51, Jun. 2017. |
35 | P. Carsten, T.R. Andel, M. Yampolskiy, J.T. McDonald and S. Russ, "A System to Recognize Intruders in Controller Area Network (CAN)," International Symposium for ICS & SCADA Cyber Security Research, pp. 111-114, Sep. 2015. |
36 | S. Nie, L. Liu, Y. Du and W. Zhang, "Over-the-air: How we remotely compromised the gateway, BCM, and autopilot ECUs of Tesla cars," Black Hat USA, Aug. 2018. |
37 | T. Placho, C. Schmittner, A. Bonitz and O. Wana, "Management of automotive software updates," Microprocessors and Microsystems, Vol. 78, Oct. 2020. |
38 | M. Levi, Y. Allouche and A. Kontorovich, "Advanced Analytics for Connected Car Cybersecurity," IEEE 87th Vehicular Technology Conference, Jun. 2018. |
39 | T. Alladi, V. Chamola, B. Sikdar and Kim-Kwang R. Choo, "Consumer IoT: Security Vulnerability Case Studies and Solutions," IEEE Consumer Electronics Magazine, Vol. 9, Issue. 2, pp. 17-25, Mar. 2020. |
40 | M.L. Manna, L. Treccozzi, P. Perazzo, S. Saponara and G. Dini, "Performance Evaluation of Attribute-Based Encryption in Automotive Embedded Platform for Secure Software Over-The-Air Update," Sensors, Vol.21, no. 2, Jan. 2021. |
41 | J.N. Brewer and G. Dimitoglou, "Evaluation of Attack Vectors and Risks in Automobiles and Road Infrastructure," International Conference on Computational Science and Computational Intelligence, pp. 84-89, Dec. 2019. |
42 | M. Dibaei, X. Zheng, K. Jiang, R. Abbas, S. Liu, Y. Zhang, Y. Xiang and S. Yu, "Attacks and defences on intelligent connected vehicles: a survey," Digital Communications and Networks, Vol. 6, Issue. 4, pp. 399-421, Nov. 2020. |
43 | T. Hoppe, S. Kiltz and J. Dittmann, "Security threats to automotive CAN networks-Practical examples and selected short-term countermeasures," Reliability Engineering & System Safety, Vol. 96, Issue. 1, pp. 11-25, Jan. 2010. |
44 | M. Charlie, K. Harnett and A. Carter, "Characterization of potential security threats in modern automobiles: A composite modeling approach," DOT HS 812 074, National Highway Traffic Safety Administration, Oct. 2014. |
45 | ITU-T, "Secure software update capability for intelligent transportation system communication devices," ITU-T X. 1373, Dec. 2017. |
46 | S. Checkoway, "Comprehensive Experimental Analyses of Automotive Attack Surfaces," Proceedings of the 20th USENIX Security Symposium, Aug. 2011. |
47 | L. Moukahal and M. Zulkernine, "Security vulnerability metrics for connected vehicles," IEEE International Conference on Software Quality, Reliability and Security Companion, pp. 17-23, Jul. 2019. |
48 | P. Carsten, "In-Vehicle Networks: Attacks, Vulnerabilities, and Proposed Solutions," Cyber and Information Security Research Conference, pp. 1-8, Apr. 2015. |
49 | H. Wen, Q. Chen and Z. Lin, "Plug-N-pwned: Comprehensive vulnerability analysis of OBD-II dongles as a new over-the-air attack surface in automotive IoT," Proceedings of the 29th USENIX Security Symposium, pp. 949-965, Aug. 2020. |