Analyzing the Jeep Attack through the lens of ISO 21434

In 2015, Miller et al [1] disclosed how they were able to attack a Jeep Chrysler remotely over mobile network, and were able to fully control the car, including sending CAN messages. As a result of this Fiat Chrysler Automobiles (FCA) had to do a recall 1.4 million vehicles.

They attack allowed them to remotely send CAN messages, and control breaks, steering wheel, wipers, etc. The attack started through via an open port (6667) in the Open Multimedia Application Platform (OMAP), then to inject malicious code into the V850 ECU via SPI. As a result, they could control the entire car.

Let’s analyze this specific attack vector, using the just published version of the ISO 21434, a standardization effort that started just one year after the disclosure of this attack.
Even though they were two experts, I choose to only detail 1 expert, they didn’t need any specific knowledge about the car, the window of opportunity was unlimited, but they had to buy specialized equipment, which is an onboard diagnostics tool ($7K), in order to reverse engineer the checksum algorithm.

I guesstimated the elapsed time to make the attack, as only bits and pieces was revealed in the Blackhat video [2], where they mentioned it took 3.5 months to just read the datasheet and reverse engineer the code of the Renesas V850 MCU, and based on the other steps of the identification phase, we are reaching more than 6 months.

If we put this in the calculation, using the published version of ISO 21434:2021, we see that the attack rating is 29, which results in an attack feasibility of “Very Low”

Attack Potential wiht Attack Feaisbility according to ISO 21434

Interestingly, the full attack, as disclosed and analyzed using Attack Potential, could well be missed by OEM even today, as the Attack Feasibility is “Very Low”, and result Risk Value is “2”, as the Impact to be Severe (S:4). A subset of the attack path, that would only attack the OMAP, would certainly be spotted and would remove the vulnerability entirely, as the OEM and TIER-1 supplier is obliged to conform to ISO 21434 in EU for new vehicles introduced in July-2022 and onwards, and if implemented correctly, it will add cyber-security consistenly to the full supply chain.

It’s unlikely that we will see such obvious security holes in the future, but as the complexity grows, and with more and more V2X communication and more complex driving systems, it’s a safe bet that we will see new attacks in the future, as attack surface and complexity increases.

To remain safe in an ever-increasing automotive complexity, it’s necessary for the OEM to identify and allocate cyber-activities to entry-points, and one way to do that is to assign Cyber Assurance Level (CAL) to critical items, interfaces, and trust boundaries. It also allows the department to allocate budget for cyber-security activities during development, that could include external reviews and penetration testing. Most important, is to ensure that cyber-experts are involved, that can assist the architects in the cyber-security related activities. CAL is optional in ISO21434, but could be a tool to assist to pin-point where to invest more in cyber-security activities.

References:
[1] Miller, Valasesk: Remote Exploitation of an Unaltered Passenger Vehicle, August 10, 2015 (http://illmatics.com/Remote%20Car%20Hacking.pdf, accessed Sept-11, 2021)
[2] https://www.youtube.com/watch?v=MAcHkASmXEc
[3] ISO/SAE 21434: 2021 – Road vehicles — Cybersecurity engineering

Attack Path evolution over time

In the previous post we talked about the difficulty of rating attack paths.

In this post, we re-use the same attack path, but looks on how tools and exploitation affects attack feasibility ratings over time.

Once a attack tool has been developed for a vulnerability, the Attack Feasibility Rating may dramatically change.

Side channel attacks is a field that have evolved quickly the last years, you can today buy a side-channel tool for <100$, freely available online with guidance on how to use these tools. This means that the Expertise drops and Equipment also gets easier/cheaper to acquire. Once the Identification of an attack path has been completed, Elapsed Time and even Knowledge of the TOE may decrease as well.

By looking at the picture below, we first see the current side-channel attack from the previous post with an attack rating of 18.

In our evolved scenario, the Expertise drops from Expert to Proficient, as we can make use of documentation and guidance available on the internet. Equipment goes from Bespoke to Specialised, as we can purchase such equipment on the internet. Such scenario is shown on the second line, where the attack potential goes down to 12 (High), resulting in an Attack Feasibility Rating of ”High”.

Same attack path, showing evolution in attack rating

If we look at CVSS for the same attack, attack complexity on the evolved case changes (to low), but the Attack Feasibility Rating remains at ”Very Low” (CVSS=0.9).

In summary, it means that we have 3 steps in difference between the evolved attack (High vs Very Low). For an organization this may cause issues both ways, either the organization over-spend money on cyber-security assurance, or the organization may end up with vulnerabilities in the field, that can be hard to mitigate in the field.

These two blog-posts demonstrates that there is a discrepancy between the methodologies, which needs to be taken into account. Maybe the ISO/SAE 21434 standardization group will refine this in upcoming revisions of the standards.

Cyber-security takes expertise and experience to understand and master.

The difficulty of rating attack paths

When doing the attack feasibility rating, as defined in ISO/SAE 21434, the options are to either use CVSS, Attack Potential, or Attack Vector. The CVSS and Attack Potential are both adopted for the automotive industry, and differs from what you might have seen in the past.

These three methods differs in the way they rate feasibility, where the resulting rating may differ substantially.

It’s clear and logically that from the standardization work, remote attacks are those attacks that have the main priority, as physical attacks are generally much more difficult to achieve. They are also not systemic in the same manner as a remote attack may be. However, impact on a physical attack may have large financial and reputational damage.

For physical attacks, from what we have seen in the past is that CVSS sometimes generate a lower feasibility rating, compared to attack potential.

Let’s estimate the following Attack Path: A side-channel attack, where an expert attacker needs 5 months to extract the firmware or keys from an ECU or TCU module, requiring specialised equipments.

Let’s now calculate the attack feasbility for both Attack Potential and CVSS:

Attack Potential:

  • Expert requiring 5 months of effort (Identification + Exploitation)
  • The attacker has easy access to target
  • Access to public documentation
  • Bespoke equipment
  • ”AttackPotential:/TIME:4/EXPE:6/KNOW:0/OPPO:1/EQUI:7 = 18”
Attack Potential calculation

By using a simple excel-sheet, we can calculate the attack rating to 18, which is then translated to a ”Medium” attack feasibility, as defined in Annex I of ISO/SAE 21434.

CVSS

By using the same Attack Path, we estimate the Attack Feasibility using CVSS

  • Access Vector: Physical (P)
  • Attack Complexity: High (H)
  • Privileges Required: None (N)
  • User Interaction: None (N)
  • AUTO-CVSS:3.1/AV:P/AC:H/UI:N/PR:N = 0.5
CVSS (Auto-CVSS)

As we see the table above, the CVSS score is 0.5, which is then translated to Attack Feasibility Rating of ”Very Low”. Please note that that ISO/SAE 21434 CVSS scoring does not correspond to traditional CVSS.

For the same Attack Path, the Attack Feasibility Rating differes with 2 steps, where it is “Medium” for Attack Potential, and “Very Low” for CVSS.

The conclusion is that it is important to select the correct attack feasibility rating methodology for your attack paths.

Based on my own experience, I would say that the attack potential in this example is more accurate, especially for high-assurance assets, such as cryptographic keys.

Here are a few takeaways:

  • For high-impact assets or high-assurance items, a senior cyber-security expert should assist the teams to assess the attack feasibility
  • The security assessor should be aware of the limitations of CVSS for physical attacks