Analyzing the Jeep Attack through the lens of ISO 21434

In 2015, Miller et al. [1] disclosed how they were able to attack a Jeep (Chrysler) remotely over the mobile network and fully control the car, including sending CAN messages. As a result, Fiat Chrysler Automobiles (FCA) had to recall 1.4 million vehicles.

The attack allowed them to remotely send CAN messages and control the brakes, steering wheel, wipers, etc. The attack started via an open port (6667) on the Open Multimedia Application Platform (OMAP), and from there malicious code was injected into the V850 ECU via SPI. As a result, they could control the entire car.

Let’s analyze this specific attack vector using the just published version of ISO 21434, a standardization effort that started just one year after the disclosure of this attack.
Even though there were two experts, I chose to only detail 1 expert. They didn’t need any specific knowledge about the car and the window of opportunity was unlimited, but they had to buy specialized equipment, an onboard diagnostics tool ($7K), in order to reverse engineer the checksum algorithm.

I guesstimated the elapsed time of the attack, as only bits and pieces were revealed in the Black Hat video [2], where they mention it took 3.5 months just to read the datasheet and reverse engineer the code of the Renesas V850 MCU; based on the other steps of the identification phase, we reach more than 6 months.

If we put this into the calculation, using the published version of ISO 21434:2021, we see that the attack rating is 29, which results in an attack feasibility of “Very Low”.

Attack Potential with Attack Feasibility according to ISO 21434

Interestingly, the full attack, as disclosed and analyzed using Attack Potential, could well be missed by an OEM even today, as the Attack Feasibility is “Very Low” and the resulting Risk Value is “2”, with the Impact rated Severe (S:4). A subset of the attack path that only attacks the OMAP would certainly be spotted and would remove the vulnerability entirely, as the OEM and TIER-1 supplier are obliged to conform to ISO 21434 in the EU for new vehicles introduced in July 2022 and onwards; if implemented correctly, it will add cyber-security consistently across the full supply chain.

It’s unlikely that we will see such obvious security holes in the future, but as complexity grows, with more and more V2X communication and more complex driving systems, it’s a safe bet that we will see new attacks, as the attack surface and complexity increase.

To remain safe amid ever-increasing automotive complexity, it’s necessary for the OEM to identify and allocate cyber-activities to entry points, and one way to do that is to assign a Cyber Assurance Level (CAL) to critical items, interfaces, and trust boundaries. It also allows the department to allocate budget for cyber-security activities during development, which could include external reviews and penetration testing. Most important is to ensure that cyber-experts are involved who can assist the architects in the cyber-security related activities. CAL is optional in ISO 21434, but it can be a tool to pin-point where to invest more in cyber-security activities.

References:
[1] Miller, Valasek: Remote Exploitation of an Unaltered Passenger Vehicle, August 10, 2015 (http://illmatics.com/Remote%20Car%20Hacking.pdf, accessed Sept 11, 2021)
[2] https://www.youtube.com/watch?v=MAcHkASmXEc
[3] ISO/SAE 21434: 2021 – Road vehicles — Cybersecurity engineering

Attack Path evolution over time

In the previous post we talked about the difficulty of rating attack paths.

In this post, we re-use the same attack path, but look at how tools and exploitation affect attack feasibility ratings over time.

Once an attack tool has been developed for a vulnerability, the Attack Feasibility Rating may change dramatically.

Side-channel attacks are a field that has evolved quickly in the last years; today you can buy a side-channel tool for <$100, with guidance freely available online on how to use these tools. This means that the Expertise drops and Equipment also gets easier and cheaper to acquire. Once the Identification of an attack path has been completed, Elapsed Time and even Knowledge of the TOE may decrease as well.

By looking at the picture below, we first see the current side-channel attack from the previous post with an attack rating of 18.

In our evolved scenario, the Expertise drops from Expert to Proficient, as we can make use of documentation and guidance available on the internet. Equipment goes from Bespoke to Specialised, as we can purchase such equipment on the internet. Such a scenario is shown on the second line, where the attack potential goes down to 12 (High), resulting in an Attack Feasibility Rating of “High”.
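The two ratings discussed in these posts (the Jeep path rated 29 in the first post, and the side-channel path dropping from 18 to 12 here) follow the attack-potential approach of ISO/SAE 21434 Annex G. The following is an added example, not code from the original posts, that carries out that calculation; the parameter values and feasibility thresholds are those of Annex G (adopted from ISO/IEC 18045), the risk matrix is the standard's informative example and is an assumption here, and the split of the side-channel parameters is constructed to reproduce the rating of 18, since the previous post's exact values are not on this page.

```python
# Added example: attack potential -> attack feasibility rating per ISO/SAE 21434 Annex G.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

# Informative example risk matrix (impact x feasibility), 1 = lowest .. 5 = highest. ASSUMPTION:
# reproduced from memory of the standard's annex; it matches the "Severe x Very Low = 2" in the post.
RISK_MATRIX = {
    "negligible": {"very low": 1, "low": 1, "medium": 1, "high": 1},
    "moderate":   {"very low": 1, "low": 2, "medium": 2, "high": 3},
    "major":      {"very low": 1, "low": 2, "medium": 3, "high": 4},
    "severe":     {"very low": 2, "low": 3, "medium": 4, "high": 5},
}


def attack_potential(time, expertise, knowledge, window, equipment):
    """Sum the five Annex G parameters into the attack potential value."""
    return (ELAPSED_TIME[time] + EXPERTISE[expertise] + KNOWLEDGE[knowledge]
            + WINDOW[window] + EQUIPMENT[equipment])


def feasibility(potential):
    """Map the summed attack potential to an attack feasibility rating (Annex G bands)."""
    if potential <= 13:
        return "high"
    if potential <= 19:
        return "medium"
    if potential <= 24:
        return "low"
    return "very low"


def risk_value(impact, feas):
    """Look up the risk value for an impact rating and a feasibility rating."""
    return RISK_MATRIX[impact][feas]


# Jeep path as rated in the first post: one expert, no item-specific knowledge,
# unlimited window, specialized equipment ($7K diagnostic tool), more than 6 months.
JEEP = dict(time=">6 months", expertise="expert", knowledge="public",
            window="unlimited", equipment="specialized")
# Side-channel path (constructed split that sums to the post's rating of 18) and its
# evolved variant: Expert -> Proficient, Bespoke -> Specialized, everything else unchanged.
SIDE_CHANNEL = dict(time="<=1 month", expertise="expert", knowledge="public",
                    window="easy", equipment="bespoke")
SIDE_CHANNEL_EVOLVED = dict(SIDE_CHANNEL, expertise="proficient", equipment="specialized")

if __name__ == "__main__":
    for name, path in [("jeep", JEEP), ("side-channel", SIDE_CHANNEL),
                       ("side-channel evolved", SIDE_CHANNEL_EVOLVED)]:
        ap = attack_potential(**path)
        print(f"{name}: attack potential {ap} -> feasibility {feasibility(ap)}")
    print("jeep risk value (severe impact):", risk_value("severe", feasibility(attack_potential(**JEEP))))
```

Swapping a single parameter (for example Window of opportunity from unlimited to moderate) shows how quickly a path crosses a feasibility band, which is the point the post makes about tooling maturing over time.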

Same attack path, showing evolution in attack rating

If we look at CVSS for the same attack, the attack complexity in the evolved case changes (to Low), but the Attack Feasibility Rating remains at “Very Low” (CVSS=0.9).

In summary, this means there are 3 steps of difference for the evolved attack (High vs Very Low). For an organization this may cause issues either way: either the organization overspends on cyber-security assurance, or it ends up with vulnerabilities in the field that can be hard to mitigate once deployed.

These two blog posts demonstrate that there is a discrepancy between the methodologies, which needs to be taken into account. Maybe the ISO/SAE 21434 standardization group will refine this in upcoming revisions of the standard.

Cyber-security takes expertise and experience to understand and master.