Evaluating the Security of Connected Vehicles

Abstract

Interconnected vehicles are a growing commodity, providing remote access to on-board systems for monitoring and controlling the state of the vehicle. Such features are built to strengthen owners’ control over their car and provide real-time feedback, but at the same time they impact its safety and security. Even though automotive security vulnerabilities directly endanger passengers’ lives, they have not yet received sufficient attention from either researchers or car manufacturers. To prove our point, in this work we analysed security vulnerabilities of two recently released vehicles: the Renault Twizy, an all-electric car, and the Toyota Prius, a hybrid electric car. We leveraged our findings to achieve control over safety-critical subsystems of the vehicles in order to change their standard behaviour. Since these two cars are based on very different underlying architectures, we performed our study differently for each car. Therefore, different controls were achieved per car: for instance, braking and steering for the Prius and motor control for the Twizy. Once we obtained full control over the powertrain of the Twizy, in order to demonstrate its importance, we developed a novel mobile application and a web interface to control the car remotely through the Internet, for which the Open Vehicle Monitoring System, an open-source device, was used. Several demonstrations were developed to highlight our findings. Then we discussed the feasibility of performing such attacks and proposed some solutions to mitigate them. Finally, since we proved that various attacks are possible against safety-critical subsystems of vehicles, we conclude that vehicles are not ready to be fully connected.