B12 - 108 - University of Pittsburgh

Session B12
108
Disclaimer—This paper partially fulfills a writing requirement for first year (freshman) engineering students at the
University of Pittsburgh Swanson School of Engineering. This paper is a student, not a professional, paper. This paper is
based on publicly available information and may not provide complete analyses of all relevant data. If this paper is used for
any purpose other than these authors’ partial fulfillment of a writing requirement for first year (freshman) engineering
students at the University of Pittsburgh Swanson School of Engineering, the user does so at his or her own risk.
THE VULNERABILITY OF ELECTRONIC CONTROL UNITS OF PASSENGER
VEHICLES
Kathleen Bracken, Mena 3:00, Elizabeth Rager, Mena 3:00
Abstract—Automobiles are no longer exclusively
mechanical. Cars today are equipped with Wi-Fi
connectivity, on-board diagnostics, and navigation. With this
connectivity comes a growing cybersecurity threat. Vehicle
manufacturers are failing to upgrade security as hacking
threats escalate. One of the most vulnerable parts of the car
is the Electronic Control Unit, or ECU.
All passenger vehicles produced today use ECUs to
control all components of the car, from the transmission to
the entertainment controls. These ECUs are interconnected
through the Controller Area Network, a series of code-conducting wires, and have the ability to connect to the
Internet through software services. ECUs have made
vehicles lighter, more intelligent, and more environmentally
and economically sustainable. They have also increased our
reliance on the Internet; however, this creates security risks.
In one case, hackers managed to remotely infiltrate a 2014
Jeep Cherokee. They were then able to access and
manipulate vehicle ECUs, including the air conditioning,
radio, and even the engine. Such breaches in security are a
critical issue to vehicle safety. Engineers must secure ECUs
in order to protect vehicle owners from hackers.
We have assembled the latest research regarding the
safety and sustainability of connected vehicles. By
investigating the technology behind ECUs, we have
uncovered their security flaws and summarized some
proposed solutions to the growing issue of Electronic
Control Unit security in automobiles.
Key Words—Automotive Software, Cybersecurity, Electronic
Control Units, Hacking, Internet of Things, Vehicles
HACKERS BEHIND THE WHEEL
Cars were once mechanical systems—the steering wheel
turned the wheels, the brake pedal brought them to a halt,
and the windows went up and down with the turn of a
handle. Today, windows rise and fall at the push of a button,
and even the vehicle transmission is controlled by electrical
impulses. Nearly every component of a modern automobile
relies on signals that are sent and processed by Electronic
Control Units (ECUs).
University of Pittsburgh Swanson School of Engineering 1
31.03.2017
ECUs are the fundamental technology that allow a
passenger to control the temperature, listen to satellite radio,
and navigate through a built-in GPS. These luxuries would
not be possible without being connected to the Internet, Wi-Fi, or a cellular network. ECUs therefore connect the
components of the car not only to each other, but to the
outside world as well. This has allowed cars to enter the
ever-growing Internet of Things, a term used to describe the
connection of everyday devices to the World Wide Web.
By using electricity rather than mechanics, ECUs provide
a lighter, more streamlined method of internal
communication. This reduced weight translates to greater
fuel efficiency and improves the environmental
sustainability of the automobile industry. The
computerization of cars also makes maintenance more
efficient and economical. By enabling electronic safety
features such as Adaptive Cruise Control, ECUs can even
protect passengers by reducing collisions.
While the connective abilities of ECUs give automobiles
many useful capabilities, they also present a question of
security. Research has shown that cars, like computers and
any other Internet-connected device, are now vulnerable to
hacking. If steps are not taken to protect vehicles and their
passengers, hackers could potentially seize control of
vehicles. In fact, security experts Charlie Miller and Chris
Valasek, a University of Pittsburgh graduate, managed to
remotely kill the engine of a 2014 Jeep Cherokee while it
was driving on the highway [1]. This dramatic hacking feat
has led to a growing interest in securing ECUs, which are
the foundation of the connected car.
ELECTRONIC CONTROL UNITS
Connectivity is a critical aspect of today’s fast-paced and
digital world; it even translates into passenger vehicles. The
most integral part of this connectivity is the electronic
control unit. Hundreds of these connected ECUs comprise
the main control system of modern vehicles.
Simply put, ECUs are computer devices that are
interconnected to control various aspects of systems. The
ECU is a combination of hardware and software located
within a larger system [1]. According to the Internal
Combustion Engine Handbook, a series of switches and
code-carrying wires transmit instructions from input controls
to the various mechanisms of a larger device, such as a car
[2]. The input signals can be digital or analog, and once they
reach the ECU, they are “converted into digital voltages and
frequencies that represent information readable by the
microcontroller” [2]. This means that the ECU takes the data
packets it receives and transforms them into a form that is
able to be understood by the microcontroller. Once the
information is processed by the ECU, the command is sent
to an actuator, which is the component of a system that
moves the mechanical parts of the apparatus. The integration
of ECUs into technology has made it easier to control large
systems remotely.
Figure 2 shows the core of the ECU. The signals enter
and exit the microcontroller, which processes and converts
the signals. These input and output signal pathways are
designated by I/O drivers. The watchdog and application-specific integrated circuit (ASIC) components are guard
computing systems that check the microcontroller’s
processing and reset or terminate processing in the event of a
negative response like a timeout error, which occurs when
the ECU runs out of time to return its data. Memory storage
is also included within the ECU core, as well as further
communication connections shown as the address and data
buses [3].
Computerizing Cars
Although ECUs are relatively small compared to the size
of a vehicle, they perform an invaluable job within their
host. ECUs have almost completely replaced mechanical
vehicular systems. For example, in older cars, gear shifting
entailed moving a physical linkage that would change the
transmission speed. Today, an ECU changes the gears by
sending signals. Vehicular systems such as the transmission,
radio, and air conditioning are all connected to ECUs that
are responsible for the processing of data and transmission
of code for execution of the data commands [2]. First, the
ECUs receive a command from the operator to perform a
specific task. This could be anything from rolling the car
windows down to accelerating. The ECU then processes the
request and evaluates it using various algorithms. After
evaluation, the request is sent from the ECU to the vehicle
system for execution [2].
The following images from Paderborn University in
Germany illustrate this transfer of signals through the ECU
[3]. Figure 1 shows the main ECU component. It
clarifies that signals from external components of a vehicle
enter the ECU, are converted into packets of data to be
processed, and are then sent to the mechanical component to
be executed [3].
FIGURE 2 [3]
ECU Core schematic
These address and data buses can also deliver excess data to
be stored in the external memory banks [3].
While ECUs execute critical processes, they are actually
easier to program than one might think. In fact, according to
Martin Salfer and Claudia Eckert, researchers at the
Technical University of Munich, most ECUs are
programmed using common languages such as Java, C++, or
C, which are readily taught in basic coding classes [4]. This
ease of programming can also allow others to access and
change the code by decompiling it and making amendments
[1].
Although a single ECU only controls one aspect of a
vehicle, all of the ECUs within a car are connected via the
Controller Area Network (CAN) Bus, or by another similar
connectivity network. As explained by Craig Smith, author
of The Car Hacker’s Handbook: A Guide for the Penetration
Tester, the CAN is one of today’s most widely used
protocols for electronic network connectivity within
vehicles; it provides a pathway through which ECUs can
communicate [5]. The CAN Bus is comprised of a series of
two wires, CAN high (CANH) and CAN low (CANL), that
connect some of the ECUs in a vehicle, allowing the devices
to communicate with one another [5]. When the CAN Bus
receives a signal from an ECU, it uses differential signaling
to transmit the message to other connected ECUs [5].
Differential signaling is a type of messaging that uses a
signal and its inverse to transmit packets of information that
dictate commands to ECUs. An example of differential
signaling is shown in the following figure from The Car
Hacker’s Handbook [5].
FIGURE 1 [3]
Main ECU design schematic
As referenced in the figure, the sensor drivers detect the
command processed in the core of the ECU, and the actor
drivers deliver the command to the vehicular system [3].
Environmental and Economic Effects of ECUs
The almost exclusive use of Electronic Control Units in
passenger vehicles has many sustainability benefits for both
the vehicle operator and the manufacturer. Sustainability
encompasses ensuring that future generations will have the
natural resources they require. It also includes improving the
long term economic health of an industry and the safety of
the public.
The article “A Car Hacking Experiment: When
Connectivity Meets Vulnerability” illustrates some of these
ECU benefits [6]. First, using ECUs to connect vehicle
systems instead of traditional mechanical methods allows the
vehicle to be much lighter [6]. Large cable bundles
previously used to connect systems have been reduced to the
CAN Bus’s dual-wire system, reducing the amount of
conductive metals used to transmit messages between ECUs.
Additionally, the heavy mechanical systems that formerly
controlled processes like switching gears were replaced by
much lighter ECUs, lowering the overall weight of the
vehicle. Lighter vehicles lead to higher vehicular fuel
economy, using less gasoline to travel more miles and
reducing the use of petroleum. In addition to reducing
environmental effects, this also reduces consumer spending
on gasoline.
Reducing the amount of materials used to build the car is
also a direct result of using ECUs. Using fewer natural
resources like elemental metals and oil to produce vehicles
aids in the protection of some of the Earth’s most vital
natural resources. By cutting back on supplies needed to
build communication networks, vehicle manufacturers can
reduce the cost of production, thus maintaining a
sustainable cost for consumers and boosting the economic
sustainability of the automobile industry [6].
Using ECUs and the CAN Bus also allows for easier
maintenance of the vehicle [6]. The more compact wiring
structure of ECUs, as compared to mechanical systems, is
easier to navigate when performing tweaks and repairs of the
vehicle. This has increased the productivity of auto
mechanics and minimized the margin of error that could
come about as a result of interfering with the other vehicular
systems. Another added maintenance feature is the On-board
Diagnostics (OBD) port, which creates a wired connection to
the CAN Bus [6]. This tool can help mechanics locate
problems within ECUs. More efficient maintenance allows
auto mechanics to take more appointments. This can also
improve the quality of vehicle owners’ lives because they
are able to return to their daily routines more quickly.
Furthermore, ECUs increase the overall safety of vehicles
through technologies like Adaptive Cruise Control (ACC),
which keeps drivers using cruise control from getting too
close to the car in front of them [1]. Other available safety
features that add protection to drivers are Forward Collision
Warning Plus (FCP+) and Lane Departure Warning (LDW+)
that alert drivers to objects or movements that could cause a
FIGURE 3 [3]
Example of differential signaling
The darker top signal is transmitted by CANH, while the
lighter bottom signal is transmitted by CANL. As shown, the
top signal is a mirror image of the bottom [5]. This complete
signal is conveyed to ECUs through the CAN. The use of
differential signaling in vehicles is especially important
because this type of signal processing is not susceptible to
noise interference from the engine or tires [5].
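The noise rejection described above can be reproduced in a short simulation. This is an added example, not taken from the paper or from The Car Hacker's Handbook; the voltage levels and thresholds are typical high-speed CAN figures used as assumptions, and the bit pattern and noise are constructed.

```python
import random

# Typical high-speed CAN bus levels in volts, used here as assumptions.
# Dominant (logical 0) pulls the wires apart; recessive (logical 1) leaves
# both wires near 2.5 V.
DOMINANT = (3.5, 1.5)    # (CANH, CANL)
RECESSIVE = (2.5, 2.5)
DIFF_THRESHOLD = 0.7     # receiver decides on CANH - CANL
SINGLE_THRESHOLD = 3.0   # hypothetical receiver reading CANH against ground


def drive(bits):
    """Ideal (CANH, CANL) voltage pair for each bit."""
    return [DOMINANT if bit == 0 else RECESSIVE for bit in bits]


def add_common_mode_noise(samples, amplitude, rng):
    """Interference that couples equally onto both wires of the pair."""
    noisy = []
    for canh, canl in samples:
        offset = rng.uniform(-amplitude, amplitude)
        noisy.append((canh + offset, canl + offset))
    return noisy


def add_independent_noise(samples, amplitude, rng):
    """Interference that differs per wire; tolerated only within the margin."""
    return [(canh + rng.uniform(-amplitude, amplitude),
             canl + rng.uniform(-amplitude, amplitude))
            for canh, canl in samples]


def decode_differential(samples):
    """Decide each bit from the voltage difference between the wires."""
    return [0 if (canh - canl) > DIFF_THRESHOLD else 1 for canh, canl in samples]


def decode_single_ended(samples):
    """Decide each bit from CANH alone, for comparison."""
    return [0 if canh > SINGLE_THRESHOLD else 1 for canh, _ in samples]


def bit_errors(sent, received):
    return sum(1 for a, b in zip(sent, received) if a != b)


def run_demo(seed=2017):
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(64)]  # constructed bit pattern
    ideal = drive(bits)
    common = add_common_mode_noise(ideal, 1.5, rng)
    independent = add_independent_noise(ideal, 0.3, rng)
    return {
        "differential_common_mode": bit_errors(bits, decode_differential(common)),
        "single_ended_common_mode": bit_errors(bits, decode_single_ended(common)),
        "differential_independent": bit_errors(bits, decode_differential(independent)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Noise that lands on both wires cancels in the subtraction, so the differential decoder recovers every bit while the single-ended decoder does not.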
The CAN Bus can also ensure that one faulty ECU does
not compromise the performance of the rest of the vehicle.
Because ECU signals travel along the CAN to be conveyed
and executed, if one ECU fails, the others will still be able to
communicate and execute commands [5]. CAN protocol is
an integral part of the transmission of ECU commands
throughout a vehicle.
Connecting Cars
Today, almost everyone is connected to the Internet via
smartphones, tablets, and even watches. This connectivity
has spread to vehicles. While ECUs connect various parts of
a vehicle together, they also connect vehicles to the Internet.
For example, the 2014 Jeep Cherokee’s radio ECU has the
ability to process Bluetooth and GPS signals as well as radio
signals [1]. Furthermore, the radio ECU links the vehicle to
an external cellular network, connecting the car to the
Internet [1]. While this connection allows the car to
communicate with applications that collect data from the
Internet, it also gives Internet servers the ability to access
information throughout the car. Once the car is connected to
the Internet, anyone with the necessary technical knowledge
could use the Internet connection to access any ECU
connected through the CAN Bus. The inclusion of vehicles
in the connectivity of the twenty-first century allows them to
be more in tune with the user, but it also allows for remote
external access to the vehicle control systems.
collision [1]. Services such as these lessen the dangers of
driving by preventing crashes and injuries. These services
can also reduce costs for drivers; fewer accidents mean that
vehicle owners and insurance companies do not need to
spend as much money on car repairs.
Transitioning to the almost exclusive use of ECUs in
passenger vehicles has greatly enhanced the driving
experience in some regards. However, ECUs are not without
fault. One of the most critical issues with ECUs is their lack
of security protection [1]. This shortcoming became an issue
as a result of connecting vehicles to the Internet.
HOW TO HACK A CAR
Figure 4 [7]
Scanning setup used to find vulnerable vehicles
Highway Hackers
This proved that the Wi-Fi feature was insecure, but most
Chrysler owners do not pay for this additional service. With
the ultimate goal of being able to seize any vehicle anywhere
in the country, they decided to broaden their scope to
hacking solely over the cellular network. They succeeded in
remotely communicating with their Jeep using their own
miniature cellular tower, called a femtocell, which conveys
signals over a small range. They used a femtocell because
they “assumed that normal Sprint towers would block
communications between two devices” [1]. However, they
soon discovered that was not the case. When Valasek and
Miller examined the Sprint cellular network, which is used
for Uconnect, they were surprised to find that “any Sprint
device anywhere in the country can communicate with any
other Sprint device anywhere in the country” [1]. This meant
that if they connected their laptop to a hotspot on the Sprint
network, they had the ability to communicate with the target
Jeep or any other connected Chrysler vehicle anywhere in
the entire country [1].
In order to demonstrate the scale of this vulnerability, the
researchers performed another scan to search for vehicles
that could potentially have the same vulnerability as the
2014 Jeep Cherokee. A single scan found 2,695 vehicles
that could, through this flaw, receive remote
communications without authentication [1]. They
extrapolated this data and were able to estimate that between
292,000 and 471,000 vulnerable vehicles existed [1].
The ability to communicate with the Jeep remotely gave
them a direct connection through Uconnect to the CAN. The
CAN network could then relay their messages to the various
ECUs throughout the vehicle. Now that they had access,
they had to determine how to program their own commands
to control these ECUs. Miller and Valasek downloaded IAR
workbench, which is used by automotive engineers to
compile code [1]. According to their paper, they were lucky
to find “that IAR workbench came with example code for
our exact processor and it included sample code for sending
and receiving CAN messages” [1]. They used these
examples to reverse engineer functions in C++, Java, and
Python that could be used to control various ECUs.
At the 2015 Black Hat USA conference, security experts
Charlie Miller and Chris Valasek revealed that they had
discovered how to hack a car—and they released a paper
describing exactly how they managed to do it. The
researchers, who had backgrounds in security at Twitter and
IOActive, used Miller’s 2014 Jeep Cherokee for their work
[7]. They made use of Fiat Chrysler’s Uconnect
entertainment service, which relies on the Sprint cellular
network [7]. The Uconnect service is found in most vehicles
manufactured by Fiat Chrysler Automobiles, and as Miller
and Valasek point out in their conference paper, it is the
“source for infotainment, Wi-Fi connectivity, navigation,
apps, and cellular communications” [1]. Because this service
connects the car to the outside world, it opens up a host of
vulnerabilities.
The Uconnect features are essential to understanding the
vulnerabilities of the vehicle. The standard Uconnect system
uses the cellular network to perform services such as GPS
navigation and roadside assistance. In this case, Miller’s
Jeep was equipped with an additional Wi-Fi service, which
is an optional Uconnect feature that comes at additional cost.
Adding the Wi-Fi capability allows full internet browsing,
and it lets any device with internet capabilities connect to the
Web through the car. Creating a full-fledged Wi-Fi hotspot
opens up the possibility that an unauthorized user could
connect to the car [1].
Miller and Valasek demonstrated the procedure a hacker
might use to exploit this Wi-Fi vulnerability. First, they ran a
port scan to check for their best point of entry, or “port,” and
found that “not only were there ports open, but there were
several open” [1]. They selected Port 6667 as their target,
which “on a normal server is used for Internet Relay Chat
(IRC), but on a Jeep, it’s used for something called D-Bus,
an interprocess communications mechanism” [1]. According
to Miller, D-Bus “can require authentication, but the Jeep
implementation did not” [1]. In other words, the
manufacturers had failed to implement a basic security
procedure and left open a port that could allow external
access to the vehicle’s ECUs.
The researchers were then able to send their messages
over the cellular network, into the target Jeep, and into the
CAN network. The messages were then relayed through the
CAN to the ECUs, which did not recognize that these
instructions were not authentic. Through this process, the
researchers gained the ability to manipulate the air
conditioning, brakes, radio, and other ECUs in the vehicle.
They could even force the vehicle to display an image of
their choice on the Uconnect touch screen.
In light of this discovery, Miller and Valasek now had the
power to remotely seize control of thousands of vehicles. In
one high-profile stunt, they put a reporter from Wired behind
the wheel. From the comfort of their living room, they
seized control of the vehicle and stalled the Jeep’s engine
while the reporter was driving on the highway [8]. The
researchers could easily have wreaked havoc on thousands
of unsuspecting drivers, caused collisions, or forced audio
systems to blast uncontrollable rap music. However, they
chose to put their knowledge to more ethical use and notified
Chrysler of the vulnerability [7].
easily utilized by members of the public. This method of
software sharing allows collaborative development and has
been an essential part of the advancement of computers over
the past decades. In this case, however, it has the
disadvantage of allowing hackers to exploit software in a
way that was not intended by the developer [9]. Anyone with
the determination to hack a vehicle could download this
software and expand upon this method. If these
vulnerabilities are not fixed, car hacking could soon be
accessible and cheap—even to the common criminal.
CYBERSECURITY SOLUTIONS
As several experts have demonstrated, the use of vehicle
ECUs creates many security issues, but the benefits of ECUs
are also undeniable. In a consumer world that demands the
ease of automatic windows, satellite radio, and the ability to
turn a car into a Wi-Fi hotspot, ECUs cannot be eliminated.
However, Miller and Valasek point out that “as new
technology is added to vehicles, new attacks become
possible” [1]. If the danger of insecure ECUs continues to
grow at this rate, with advancements in convenience
outstripping advancements in safety, the public may begin to
avoid purchasing new cars in order to protect themselves.
The peril could soon outweigh the appeal. If high-profile
hacks become more common, consumers will take notice,
and the automobile industry could suffer a blow. In order to
protect the economic sustainability of their own livelihood,
vehicle manufacturers must find a way to balance the luxury
of ECUs with passenger safety.
Protecting Our Passengers
Valasek and Miller’s efforts demonstrated to the world
that vehicle hacking is a tangible threat, not a fantasy. Their
work caused Chrysler to recall a massive 1.4 million
automobiles [7]. Chrysler also released a patch for their
software [7]. Additionally, cellular provider Sprint blocked
access to the vital Port 6667 and upgraded their security,
which means that now, the “only way to attack a vulnerable,
unpatched vehicle” requires “close range to the vehicle”
instead of being able to utilize Sprint’s vast network of
cellular towers [1].
These upgrades have improved security, and as of the
researchers’ second talk at the following year's Black Hat
Conference, Chrysler vehicles can no longer be remotely
hacked. However, Miller and Valasek were still able to
perform hacks via the Universal Serial Bus (USB) port by
inserting a stick filled with infectious code to manipulate the
steering and brakes [9]. Since this type of attack requires
physical access to the car, Chrysler shrugged off this new
research and did not choose to recall or patch vehicles with
this vulnerability [9].
While Valasek and Miller’s Jeep exploits are a high-profile example of engineering efforts to address car
security, they are hardly the first to discover a way to
compromise vehicle ECUs. Researchers at the University of
Luxembourg developed their own way to infiltrate a vehicle.
They performed their experiments on a Renault Twizy 80,
and were able to force the vehicle to slow down, stop, and
change gears [6]. For their work, they used the “Open
Vehicle Monitoring System (OVMS), which is an open
source tool that brings remote access to a number of
electric cars in order to retrieve various information such as
the battery state, location, and other readings” [6]. Since this
software is open source, it can be found online and might be
Vulnerability Assessment
The path to security begins with assessing which ECUs
are the most vulnerable. Claudia Eckert and Martin Salfer of
the Technical University of Munich developed a series of
mathematical models that can be used to evaluate the
security of any ECU. Their method, which is based on the
principles of probability and “ECU development data and
software flash images,” assesses the “attack surface and
vulnerability” of the ECU [4]. In other words, it provides a
quantitative way to determine how easy it might be to hack a
particular ECU. The formula the researchers developed is
modeled by the Bernoulli process. This equation involves
the number of vulnerabilities (X), the probability of a single
attack surface spot being free from vulnerabilities (Q), the
number of attack surface spots (i), the average code size of
these spots (x), and the vulnerability density (v) [4].
Vulnerability density is defined as:
$$v = \frac{\text{security relevant defects}}{\text{code size}} \tag{1}$$ [4]
In other words, it is a ratio of the security flaws in the code
to the amount of code. This property is useful for describing
how many flaws exist in a segment of code. The
aforementioned variables are all used to derive the equation:
$$P_B(X > 0) = 1 - P_B(X = 0) = 1 - q^{ix} = 1 - (1 - v)^{ix} \tag{2}$$ [4]
$P_B$ is the likelihood that a security vulnerability exists in the
software of a specific ECU [4]. It quantitatively describes
how easy it might be to hack a particular ECU based on
various factors related to weak points in the software itself.
Using this equation, engineers can determine which ECUs
have the most vulnerable code and use that knowledge to
focus their security efforts.
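The following added example applies Equation 2 to rank several ECUs and to work out how much exposed code keeps the probability under a chosen limit. It is not code from the paper or from Salfer and Eckert; the ECU names and all numbers are constructed, and v is assumed to be in defects per line of code with x in lines.

```python
import math


def p_vulnerable(v, i, x):
    """P_B(X > 0) = 1 - (1 - v)**(i * x), following Equation 2.

    v: vulnerability density, i: number of attack surface spots,
    x: average code size of those spots (same unit of code as v).
    """
    if not 0.0 <= v < 1.0:
        raise ValueError("vulnerability density v must be in [0, 1)")
    if i < 0 or x < 0:
        raise ValueError("i and x must be non-negative")
    # log1p/expm1 avoid the rounding loss of (1 - v)**n when v is tiny.
    return -math.expm1(i * x * math.log1p(-v))


def max_exposed_code(v, target):
    """Largest total exposed code size i*x that keeps P_B at or below target."""
    if not 0.0 < v < 1.0:
        raise ValueError("vulnerability density v must be in (0, 1)")
    if not 0.0 <= target < 1.0:
        raise ValueError("target probability must be in [0, 1)")
    # Solve 1 - (1 - v)**n <= target for n.
    return math.log1p(-target) / math.log1p(-v)


def rank_ecus(inventory):
    """Return (name, P_B) pairs sorted from most to least likely vulnerable."""
    scored = [(name, p_vulnerable(v, i, x)) for name, v, i, x in inventory]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed inventory: (ECU name, v, i, x). None of these values come
# from a real vehicle.
SAMPLE_INVENTORY = [
    ("body control module", 0.0002, 3, 150),
    ("infotainment head unit", 0.0005, 12, 400),
    ("telematics unit", 0.0005, 6, 300),
]


if __name__ == "__main__":
    for name, probability in rank_ecus(SAMPLE_INVENTORY):
        print(f"{name:24s} P_B = {probability:.3f}")
    budget = max_exposed_code(0.0005, 0.10)
    print(f"exposed lines allowed for P_B <= 0.10 at v = 0.0005: {budget:.0f}")
```

The ranking shows how quickly the probability approaches 1 as the exposed code grows, which is why reducing the number of attack surface spots matters as much as lowering the defect density.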
Keeping Up With Updates
Other researchers have proposed more tangible solutions
to the security issue. One of the biggest challenges for
automotive companies is the difficulty associated with
updating ECU software. Researchers from the Kanagawa
Institute of Technology and Soka University in Japan point
out that “Vehicles these days have roughly one hundred
Electronic Control Units” [10]. All of these ECUs are
controlled by software, and “it is difficult to release software
without bugs. Thus, it is very important to quickly fix the
bugs once they are detected” [10]. Just as the software in
phones and computers must be kept up-to-date, automobile
software should be in a constant state of improvement in
order to fix bugs and improve security as new threats arise.
A vehicle has so many ECUs that the process of updating
software is inconvenient and time-consuming because “the
vehicle must be stopped and cannot be controlled by the
driver. However, the engine must be activated” [10]. This
process is similar to the familiar ordeal of updating one’s
phone. When a new version of software comes out for an
iPhone or similar device, the installation process can be a
nuisance. The owner must plug the phone into a charger and
cannot use the phone for several minutes while the update is
in progress. This familiar process is almost identical in
vehicles, but on a much larger scale, which makes it even
more inconvenient. Instead of missing out on calls or texts
for a few minutes, a vehicle owner must take the car to the
dealer and wait for the software to be installed [10].
In order to ensure that vehicle owners take the necessary
steps to protect themselves by keeping up with releases of
improved software, this inconvenience must be minimized.
Ideally, software updates might one day become fast and
simple enough to be done at home instead of at the
dealership. Figure 5 illustrates the current update process
and suggests the possibility of simpler future updates if
greater efficiency can be achieved.
Figure 5 [10]
The future of vehicle updating
In order to attain this efficiency, these researchers suggest
implementing a bsdiff code compression algorithm, which is
“a famous and efficient algorithm for PC software” [10].
This algorithm compresses code by identifying similar and
different segments of code [10]. Compression reduces the
size of the file so that fewer bits must be transmitted, which
in turn makes the transfer of data faster. The researchers
showed that their proposed bsdiff method is somewhat
effective, but more work must be done to apply their work to
ECU software [10]. Hopefully, improvements in updating
efficiency will allow automotive manufacturers to keep up
with changing security needs, especially as bugs and
vulnerabilities are discovered by researchers such as the Jeep
and Luxembourg hackers.
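The idea of sending only the differing segments can be shown with a simplified copy/insert delta. This is an added example and is not bsdiff or the researchers' implementation: it uses Python's difflib to find matching segments, the firmware images are constructed, and the hash checks on the base and rebuilt image are an assumption about what an updater would verify.

```python
import difflib
import hashlib
import random


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_delta(old, new):
    """Describe `new` as copies from `old` plus literal data for the rest."""
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    ops = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2 - i1))      # offset and length in old
        elif tag in ("replace", "insert"):
            ops.append(("data", new[j1:j2]))       # bytes only new contains
        # "delete": bytes dropped from old need no operation
    return {"base_sha256": sha256(old), "target_sha256": sha256(new), "ops": ops}


def apply_delta(old, delta):
    """Rebuild the new image; refuse a wrong base or a corrupted result."""
    if sha256(old) != delta["base_sha256"]:
        raise ValueError("delta was built for a different base image")
    out = bytearray()
    for op in delta["ops"]:
        if op[0] == "copy":
            _, offset, length = op
            if offset < 0 or length < 0 or offset + length > len(old):
                raise ValueError("copy operation outside the base image")
            out += old[offset:offset + length]
        elif op[0] == "data":
            out += op[1]
        else:
            raise ValueError("unknown delta operation")
    if sha256(bytes(out)) != delta["target_sha256"]:
        raise ValueError("rebuilt image does not match the expected hash")
    return bytes(out)


def payload_bytes(delta):
    """Literal bytes that must be transmitted (operation headers not counted)."""
    return sum(len(op[1]) for op in delta["ops"] if op[0] == "data")


def build_sample_images(seed=10):
    """Constructed 2 KiB 'firmware' and an updated copy with two small changes."""
    rng = random.Random(seed)
    old = bytes(rng.randrange(256) for _ in range(2048))
    fix = bytes(rng.randrange(256) for _ in range(16))
    added = bytes(rng.randrange(256) for _ in range(32))
    new = old[:512] + fix + old[528:1500] + added + old[1500:]
    return old, new


if __name__ == "__main__":
    old_image, new_image = build_sample_images()
    delta = make_delta(old_image, new_image)
    assert apply_delta(old_image, delta) == new_image
    print(f"full image: {len(new_image)} bytes, delta payload: {payload_bytes(delta)} bytes")
```

The hashes only detect a wrong base image or corruption in transit. They do not show who produced the delta, so a real updater would also need to verify a signature over it.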
Cloud Defense
The specific threats faced by connected automobiles must
also be considered in order to prepare for likely scenarios.
Vehicle ECUs are threatened by malware, or the injection of
malicious code [11]. There are many types of malware,
including spyware, worms, and ransomware [11]. These may
be familiar terms in the realm of the Internet, but the
prospects are even more frightening when applied to a
personal vehicle. Spyware could be used to extract personal
data, worms could spread from car to car, and ransomware
could be used to remotely lock the car doors and “ransom” a
vehicle until its owner pays for its release [11]. Vehicles
today have little protection against such scenarios.
Researchers from Cisco Systems, Inc. state that, thanks to
the onboard diagnostic systems in cars today, “attackers can
install malware on the ECUs as easily as car enthusiasts can
tune and reprogram their ECUs” [11]. Malware could also
be downloaded via embedded web browsers [11]. It might
even enter through an infected USB stick, which can be
inserted into some vehicle systems like Uconnect in order to
import music [1]. Due to these various points of entry,
vehicles are vulnerable on many fronts. One of the
challenges faced by automobile manufacturers is to
determine how to mitigate these threats. Many vehicles run
on Linux-based operating systems, which are often more
secure against malware “than other operating systems such
as Microsoft Windows and Android” [11]. However, even
Linux is not immune, and automobiles still require a
stronger form of defense.
Types of malware are constantly evolving, which also
presents a challenge. As the Cisco researchers point out,
vehicles have increasingly long life spans, and the average
age of “passenger cars and light trucks on the U.S. roads
reached 11.4 years in 2013” [11]. This makes it difficult to
ensure that older vehicles are kept up to date. Once again,
software updating presents a problem, but rather than
suggesting a code compression technique such as the
previously recommended bsdiff algorithm, these experts
propose a cloud-based security system [11]. Using a cloud
would allow the car to rely on external protections that could
be maintained and updated by the manufacturer.
The idea of using a cloud to protect systems is not new—
it has been used for computers as well. The process is
relatively simple. Instead of directly handling requests for
communication, the computer redirects the request to a
security cloud “where the traffic will be scanned for
malware before relayed to the source computer” [11]. If
implemented in automobiles, this would mean that messages
received from an outside source would be carefully
examined for authenticity before being relayed to the target
ECU. This system would not protect the vehicle against
physical intrusion, such as an infected USB stick, so it is not
a complete solution. It would also render the vehicle
dependent on the cloud, but in a world with increasingly
broad cellular coverage, the likelihood of this becoming a
major problem is minute.
While this cloud defense is not perfect, delegating some
malware detection to a cloud would allow the systems that
are on the vehicle “to be lightweight in terms of processing
and storage, and yet have a full spectrum of malware defense
capabilities that are kept up-to-date over time” [11]. In other
words, the cloud would augment the vehicle’s local security,
and it could be sustained by the manufacturer without
requiring an extensive update of the physical car. This
cloud-assisted framework could be adapted for different
vehicles “to match their specific malware risk profiles and
protection needs” [11]. This proposed solution has the
potential to reduce the burden of updating software, and it
could reduce the amount of security needed on the vehicle
itself.
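The relay flow described above, modelled as an added example (it is not from this paper or from the framework in [11]). The HMAC-signed verdict, the fail-closed policy when the cloud is unreachable, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Constructed values: a demo key shared by cloud and gateway, and one "malware" signature.
VERDICT_KEY = b"constructed-demo-key"
KNOWN_BAD = {hashlib.sha256(b"MALWARE-SAMPLE").hexdigest()}


@dataclass
class Message:
    source: str        # "cellular", "wifi" or "usb"
    target_ecu: str
    payload: bytes


def sign(payload: bytes) -> bytes:
    """Tag that binds a 'clean' verdict to one specific payload."""
    return hmac.new(VERDICT_KEY, payload, hashlib.sha256).digest()


def cloud_scan(payload: bytes) -> bytes:
    """Hypothetical cloud service: scan the payload and sign it if clean."""
    if hashlib.sha256(payload).hexdigest() in KNOWN_BAD:
        raise ValueError("payload matches a malware signature")
    return sign(payload)


def gateway_relay(msg: Message, scan: Callable[[bytes], bytes] = cloud_scan) -> str:
    """Vehicle gateway: return the decision taken for one inbound message."""
    if msg.source == "usb":
        # Physical media never cross the cloud path; they need a separate local control.
        return "unscanned-local"
    try:
        verdict = scan(msg.payload)
    except ConnectionError:
        return "dropped-cloud-unreachable"   # fail closed rather than relay unscanned
    except ValueError:
        return "dropped-malware"
    # Accept only a verdict that verifies, so a forged "clean" reply is rejected.
    if not hmac.compare_digest(verdict, sign(msg.payload)):
        return "dropped-bad-verdict"
    return f"relayed-to-{msg.target_ecu}"
```

A shared HMAC key keeps the sketch short; a production design would more likely have the vehicle verify an asymmetric signature so that it holds no signing secret.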
ECUs are vulnerable in their current state, but electrical
and computer engineers across the globe are striving to
remedy this problem. Vulnerability assessment can help
researchers decide where to focus their efforts. The bsdiff
algorithm or another code compression technique could
make frequent software updates more feasible. To make
security less burdensome, cloud-based defense could
minimize the amount of on-car protection needed. These
techniques are steps forward in the vital, but often
overlooked, field of vehicle security. The evolution of the
increasingly computerized automobile industry depends on
ensuring that new technology is safe for consumers. In order
to continue to make vehicles environmentally sustainable
through new computing technology, the issue of safety must
be controlled. Hopefully, the security of automotive ECUs
will continue to improve, and the convenience of connected
cars will not have to come at the steep price of safety.
CATCHING UP TO CODE
In today’s fast-paced digital world, many forms of
technology have evolved and developed to keep up with the
twenty-first century. One such technology is the electronic
control unit. ECUs are now used almost exclusively in
passenger vehicles as a way to control systems such as air
conditioning and transmission.
The use of ECUs has increased the sustainability of
vehicles by reducing their weight, making them more fuel-efficient, reducing maintenance times, and lowering both the
environmental and economic costs of production.
Furthermore, new safety features controlled by ECUs help to
keep vehicle occupants safer in the event of operator neglect
or emergency. These added benefits illustrate the importance
of ECUs in passenger vehicles from an ethical standpoint,
promoting safety, efficiency, and environmental protection.
ECUs now also have the capacity to link to the Internet
and gather information from applications. However, this
connectivity is not without complications. One of the
greatest issues facing ECUs is the lack of security against
hacking via the Internet connection. Security experts
demonstrated the gravity of this shortcoming with their hack
of a 2014 Jeep Cherokee. By gaining access to the CAN
network of the vehicle through the radio ECU, they were
able to control many of the vehicle’s systems.
Their research brought to light previously unconsidered
issues. As a result, many other groups have begun to
examine solutions to these problems. For example, a group
of researchers devised an equation to assess the
vulnerabilities of ECUs. Other more tangible solutions
include updates using the bsdiff algorithm, an update similar
to mobile phone updates, and a cloud-based security feature
that examines code before it is implemented in ECUs. Using
such approaches will allow automotive manufacturers and
technicians to appropriately diagnose and update ECU issues
and code.
Vehicle ECUs prove to be an integral component of
today’s digital world. Connecting to one another and the
World Wide Web, ECUs provide a number of sustainable
benefits. As with any technology, there are also some
downfalls in the form of security issues. However, with the
recognition of these problems will come a solution, as
researchers have already begun proposing and testing fixes.
Finding solutions to ECU vulnerabilities will help to usher in
a new wave of autonomous automotive options and services.
SOURCES
[1] C. Valasek, C. Miller. “Remote Exploitation of an
Unaltered Passenger Vehicle.” IOActive, Inc. 2015.
Accessed 1.10.2017.
http://www.ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf
[2] R. van Basshuysen, F. Schäfer. Internal Combustion
Engine Handbook. SAE International. 2016. Accessed
2.17.2017.
https://app.knovel.com/web/toc.v/cid:kpICEHBC04/viewerType:toc/root_slug:internal-combustionengine/url_slug:kt0113ZWVC
[3] “Electronic Control Units (ECUs).” Paderborn
University. 2014. Accessed 1.26.2017.
http://www.ccs-labs.org/teaching/c2x/2014s/05-ecus.pdf
[4] C. Eckert, M. Salfer. “Attack Surface and Vulnerability
Assessment of Automotive Electronic Control Units.” 2015
12th International Joint Conference on e-Business and
Telecommunications. 7.20-22.2015. Accessed 1.26.2017.
http://ieeexplore.ieee.org.pitt.idm.oclc.org/stamp/stamp.jsp?arnumber=7518052
[5] C. Smith. The Car Hacker’s Handbook: A Guide for the
Penetration Tester. No Starch Press. 3.6.2016. Accessed
1.11.2017.
http://proquest.safaribooksonline.com/book/softwareengineering-and-development/softwaretesting/9781457198847/firstchapter
[6] S. Jafarnejad, L. Codeca, W. Bronzi, et al. “A Car
Hacking Experiment: When Connectivity Meets
Vulnerability.” 2015 IEEE Globecom Workshops.
12.6-10.2015. Accessed 1.11.2017.
http://ieeexplore.ieee.org.pitt.idm.oclc.org/xpls/icp.jsp?arnumber=7413993&tag=1
[7] S. Kerner. “Researchers Demo How They Hacked a Jeep
Remotely.” eWeek. 8.6.2015. Accessed 1.10.2017.
http://web.b.ebscohost.com/ehost/detail/detail?sid=b665cd61-33fb-4e37-8203a4c0b5859b14%40sessionmgr106&vid=1&hid=124&bdata=JkF1dGhUeXBlPWlwLHVpZCZzY29wZT1zaXRl#AN=109363539&db=aph
[8] A. Greenberg. “Hackers Remotely Kill a Jeep on the
Highway—With Me in It.” Wired. 7.21.2015. Accessed
1.14.2016.
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
[9] S. Kerner. “Car Hackers Return to Black Hat to Reveal
New Flaws.” eWeek. 8.4.2016. Accessed 1.10.2017.
http://web.a.ebscohost.com/ehost/detail/detail?sid=39038cba-a259-43c2-bcbc53810d22a1f7%40sessionmgr4007&vid=20&hid=4107&bdata=JnNpdGU9ZWhvc3QtbGl2ZQ%3d%3d#AN=117273106&db=aph
[10] Y. Onuma, Y. Terashima, M. Nozawa, R. Kiyohara.
“Improved Software Updating for Automotive ECUs.” 2016
40th IEEE Annual Computer Software and Applications
Conference. 2016. Accessed 1.26.2017.
http://ieeexplore.ieee.org.pitt.idm.oclc.org/stamp/stamp.jsp?tp=&arnumber=7552226
[11] T. Zhang, H. Antunes, S. Aggarwal. “Defending
Connected Vehicles Against Malware: Challenges and a
Solution Framework.” IEEE Internet of Things Journal.
1.23.2014. Accessed 1.26.2017.
http://ieeexplore.ieee.org/document/6720160/. P.10-21
ADDITIONAL SOURCES
W. Rash. “Your New Car May Connect You to Greater
Cyber-Risk.” eWeek. 2.27.2016. Accessed 1.10.2017.
http://web.a.ebscohost.com/ehost/detail/detail?sid=198ec9b4-5f70-4599-bc0b586f386b8fd4%40sessionmgr4008&vid=1&hid=4107&bdata=JkF1dGhUeXBlPWlwLHVpZCZzY29wZT1zaXRl#AN=113449383&db=aph
ACKNOWLEDGEMENTS
We would like to extend our gratitude to our Freshman
Conference Chair Mr. Greg Wunderley for reviewing our
paper and sharing his advice. We would also like to thank
our Co-Chair Alyssa Srock for reviewing our progress and
keeping us on track, and our writing instructor, Professor
Prymus, for answering our questions and providing
constructive feedback. Kathleen would also like to thank her
parents, Eric and Kimberly Bracken, who have supported
her journey toward engineering by answering countless
questions about calculus, keeping her well-fed, and
proofreading this paper. Elizabeth would like to thank her
father Roger Rager for getting her interested in electrical
engineering, Carl Rager for showing her the ropes of power
engineering, and Matthew Rager for encouraging her to stick
with electrical engineering.