Cybersecurity researchers have discovered new vulnerabilities that could provide criminals with wireless access to the computer systems in automobiles, aircraft, factories, and other cyber-physical systems.
The computers used in vehicles and other cyber-physical systems rely on a specialized internal network to communicate commands between electronics. Because it took place internally, it was traditionally assumed that attackers could only influence this network through physical access.
In collaboration with Hyundai, researchers from Georgia Tech's Cyber-Physical Systems Security Research Lab (CPSec) observed that threat models used to evaluate the security of these technologies were outdated.
The team, led by Ph.D. student Zhaozhou Tang, found that vehicle technology advancements allowed attackers to launch new attacks, improve existing attacks, and circumvent current defense systems.
For example, Tang's findings included the possibility for attackers to remotely compromise the computers used in cars and aircraft through Wi-Fi, cellular, Bluetooth, and other wireless channels.
"Our job was to thoroughly review existing information and find ways to protect against these attacks," he said. "We found new threats and proposed a defense system that can protect against the new and old attacks."
In response to their findings, the team developed ERACAN, the first comprehensive defense system against this new generation of attackers. Designed to detect new and old attacks, ERACAN can deploy defenses when necessary.
The system also classifies the attacks it reacts to, providing security experts with the tools for detailed analysis. It has a detection rate of 100% for all attacks launched by conventional methods and detects enhanced threat models 99.7% of the time.
The project received a distinguished paper award at the 2024 ACM Conference on Computer and Communications Security (CCS 24) held in Salt Lake City. Tang presented the paper at the October conference.
"This was Zhaozhou's first paper in his Ph.D. program, and he deserves recognition for his groundbreaking work on automotive cybersecurity," said Saman Zonouz, associate professor in the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering.
The U.S. Department of Homeland Security has designated the transportation sector as one of the nation's 16 critical infrastructure sectors. Ensuring its security is vital to national security and public safety.
"Modern vehicles, which rely heavily on controller area networks for essential operations, are integral components of this infrastructure," said Zonouz. "With the increasing sophistication of cyberthreats, safeguarding these systems has become critical to ensuring the resilience and security of transportation networks."
This paper introduced to the scientific community the first comprehensive defense system to address advanced threats targeting vehicular controller area networks.
The CPSec team is putting the technology it has developed into practice in collaboration with Hyundai America Technical Center, Inc., which sponsors the work. Tang hopes ERACAN's success will raise awareness of these new threats in the research community and industry.
"It will help them build future defenses," he said. "We have demonstrated the best practice to defend against these attacks."
Tang received his bachelor's degree at Georgia Tech, where he first performed security-related work for the automobile industry. While working with Zonouz on his master's degree, he decided to change course and pursue research initiatives like vehicle security in a Ph.D. program.
"It is interesting how it came full circle," he said. "I will continue on this path of automobile security throughout my Ph.D."
ERACAN: Defending Against an Emerging CAN Threat Model, was written by Zhaozhou Tang, Khaled Serag from the Qatar Computing Research Institute, Saman Zonouz, Berkay Celik and Dongyan Xu from Purdue University, and Raheem Beyah, professor and dean of the College of Engineering. The CPSec Lab is a collaboration between the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering.