Cars, Hackers & Cyber Security

Automotive networks face an alarming threat: Man-in-the-Middle (MITM) attacks exploiting the SOME/IP protocol. This episode explores how attackers intercept and manipulate communications between ECUs using in-vehicle Ethernet networks, enabling them to falsify data, disrupt services, and compromise safety.

We outline the attack setup, flow, and the devastating impacts on vehicle behavior, from denial of service to user information disclosure. Using real-world examples, we show how attackers exploit vulnerabilities in SOME/IP Service Discovery mechanisms to gain control.

Tune in to learn how proactive automotive cybersecurity measures are shaping the future of connected vehicles and protecting against the growing threat of SOME/IP protocol hijacks.

Chapters:
(00:00) Introduction to MitM Attacks on SOME/IP Protocol
(01:44) Background to SOME/IP and Service Discovery
(02:51) Reference Attack Setup
(03:24) MitM Attack Flow 
(05:30) Attack Mitigation
(06:44) The Role of SOME/IP in the E/E Architecture
(08:08) Outro of MitM Attacks on SOME/IP Protocol Episode

Contact us:
https://www.linkedin.com/company/plaxidityx/
https://www.youtube.com/@PlaxidityX
contact@plaxidityx.com 

What is Cars, Hackers & Cyber Security?

As cars become smarter and more connected, the demand for top-tier automotive cyber security has never been higher. With expert insights from PlaxidityX, a leading automotive cyber security company, we’ll guide you through the challenges and solutions protecting millions of vehicles worldwide. Whether you’re an industry expert or just curious about how cars are secured in the digital age, this podcast comprehensively looks at how cyber defenses are developed, tested, and deployed.

We don’t just talk about the technology; we talk about what it means for you—the driver, the manufacturer, the tech enthusiast. We explore how automotive cyber security solutions are applied in real-world scenarios to safeguard everything from onboard infotainment systems to critical vehicle control units.

Tune in to gain a deeper understanding of how manufacturers are staying one step ahead of hackers and ensuring a more secure, connected world.

00:00:00:09 - 00:00:03:12

Welcome to cars, hackers and cybersecurity.

00:00:04:01 - 00:00:07:01

Here we break down the latest in automotive cybersecurity,

00:00:07:01 - 00:00:10:16

helping you stay ahead in building secure connected vehicles.

00:00:12:20 - 00:00:16:22

Hi. Today we'll describe a man-in-the-middle, or MITM,

00:00:16:22 - 00:00:19:01

attack on automotive applications

00:00:19:01 - 00:00:24:17

using the SOME/IP protocol over in-vehicle Ethernet networks, and how it can be mitigated.

00:00:24:17 - 00:00:37:08

A MITM attack involves the secret interception and manipulation of communications between two parties. In order to facilitate effective and high-bandwidth in-vehicle network connections,

00:00:37:10 - 00:01:10:08

in-vehicle Ethernet links are becoming more common in vehicle E/E architecture. In order to use Ethernet in the automotive world, dedicated application layer protocols were developed, such as Diagnostics over IP and SOME/IP. In addition, a typical automotive Ethernet stack can also include common Ethernet protocols from the IT world, such as ICMP, ARP, and DHCP. A general analysis of in-vehicle network security refers mainly to the following high-level impacts of attack patterns.

00:01:10:10 - 00:01:11:01

One.

00:01:11:01 - 00:01:30:16

Denial of service. Two. Tampering with ECU behavior. Three. Malicious triggering of vehicle behavior. Four. Falsified driver information. Five. User information disclosure. Six. Compromised intellectual property.

00:01:30:16 - 00:01:43:06

Four of the above threats can be caused by this MITM attack: denial of service, malicious triggering of vehicle behavior, falsified driver information, and user information disclosure.

00:01:44:05 - 00:01:47:08

Background to SOME/IP and service discovery.

00:01:48:01 - 00:01:51:16

SOME/IP, or Scalable service-Oriented MiddlewarE over IP,

00:01:51:16 - 00:01:52:15

is an automotive

00:01:52:15 - 00:01:53:01

middleware

00:01:53:01 - 00:02:20:05

protocol designed to support vehicle communication needs such as high data rate, low transportation overhead, and short initiation time. It is designed for client server communication, where generally the server provides services to its clients. Services can supply notifications about in-vehicle events and remote procedure call mechanisms, which allow a client to invoke functions on the server or request information.

00:02:20:07 - 00:02:46:20

SOME/IP has a service discovery feature, SOME/IP SD, enabling dynamic subscription to services. Typically, a server sends offer messages to everyone in the network, telling them about the services it supplies. Clients then send subscribe messages, subscribing to the services relevant for them. After the subscription is complete, the server will supply the service to the client, meaning it will send notifications and answer requests.

00:02:46:22 - 00:03:17:06

This subscription process is periodic, usually once every two seconds. Reference attack setup. The attack setup represents a common use case in the automotive world. Two ECUs, A and B, are connected via a switch and communicate over SOME/IP. ECU A is the server supplying a service S1 to ECU B, which is the client. In addition, there is another ECU connected to this switch, ECU C.

00:03:17:08 - 00:03:24:08

The attack scenario assumes that ECU C was compromised and it is able to send spoofed messages to the network.

00:03:24:08 - 00:03:25:10

Attack flow.

00:03:25:10 - 00:03:26:08

In this

00:03:26:08 - 00:03:26:19

attack,

00:03:26:19 - 00:03:48:21

the attacker hijacks the service communication between ECU A and ECU B, forcing the communication to go through ECU C. Normally, ECU A sends service discovery offer messages offering the S1 service. These messages are sent in multicast, therefore ECU C will receive them too. To execute the attack, for each offer S1

00:03:48:21 - 00:03:50:14

message it receives,

00:03:50:16 - 00:04:00:14

ECU C does two things. It subscribes to the service by sending a subscribe S1 message to ECU A, and then sends a spoofed offer S1

00:04:00:14 - 00:04:13:00

message to ECU B. ECU B receives both the original offer S1 packet and the spoofed one, but it subscribes only to the second one, as it arrives just after the first one.

00:04:13:02 - 00:04:39:09

In this way, two connections are initiated: ECU A server to ECU C client, and ECU C server to ECU B client. ECU C then relays messages between ECU A and B. For example, if ECU A sends a notification to its client ECU C, it will immediately forward its content to ECU B. The service subscription process and message relaying are repeated throughout the

00:04:39:09 - 00:04:40:05

attack.

00:04:40:07 - 00:04:52:14

The adversary gains two things from executing such an attack. The first is the ability to eavesdrop on the communication between ECUs A and B. This communication is not visible to ECU C, and thus to the attacker,

00:04:52:14 - 00:05:04:19

without the attack, as the switch forwards only the relevant packets to each switch port. The second is the ability to control and spoof the communication between the ECUs.

00:05:04:21 - 00:05:30:03

By performing this attack, the adversary is able to send false notifications to the client, invoke remote functions on the server, change message data, or drop critical messages, all without causing any detectable communication errors on the server or client. We were able to perform this attack using two simulated ECUs connected through an automotive Ethernet switch, and an attack script.

00:05:30:08 - 00:05:43:06

Attack mitigation. There are several ways to mitigate this kind of attack. The preferred choice depends mainly on the network properties. In some cases, applying a basic firewall using the switch capabilities,

00:05:43:06 - 00:05:45:05

for example, TCAM rules,

00:05:45:05 - 00:06:04:22

might prevent the attack, but in other cases it will not be enough. It is highly recommended to use advanced security mechanisms such as an intrusion detection and prevention system, or IDPS, or an advanced firewall, like in the AUTOSAR firewall standard, that will filter the traffic not only based on regular network parameters

00:06:04:24 - 00:06:41:11

(MAC addresses, IP addresses and UDP/TCP ports), but also on automotive-specific network parameters such as the SOME/IP service ID and the SOME/IP SD message type. Using authentication or encryption has a limited benefit in preventing this attack. SOME/IP traffic has a multicast nature, so it cannot be authenticated or encrypted using a standard protocol. The SOME/IP traffic can be authenticated or encrypted, but it will not prevent the attack, as the attacking ECU is sending SOME/IP messages on its own behalf

00:06:41:13 - 00:06:45:21

after legitimately subscribing to the service. Conclusion.

00:06:45:21 - 00:06:50:06

The role of SOME/IP in the E/E architecture continues to grow,

00:06:50:06 - 00:07:11:24

and the susceptibility to cyber threats is exemplified by the described MITM attack exploiting the SOME/IP protocol. The scenario involves an adversary hijacking a connection between two applications on two separate ECUs, enabling the attacking ECU to eavesdrop on communications between them and manipulate the data sent.

00:07:12:01 - 00:07:45:01

This concerning trend underscores the critical need for robust cybersecurity measures. The type of mitigation methods that can be used depends on the network properties, but the use of advanced automotive-specific security mechanisms is highly recommended to prevent attacks like this one. Mitigating such vulnerabilities requires the implementation of advanced automotive-specific security mechanisms to thwart potential attacks. Moreover, this looming risk associated with SOME/IP has not gone unnoticed within regulatory frameworks.

00:07:45:03 - 00:08:08:13

For example, the JASPAR Japanese regulation has duly identified and highlighted this vulnerability, emphasizing the imperative for stringent security protocols in automotive communication standards. Safeguarding against exploits in systems utilizing SOME/IP remains a pivotal concern, warranting proactive measures to fortify these frameworks against evolving cyber threats.

00:08:09:16 - 00:08:15:14

That's all for today's episode. Keep your engines running smooth and your cyber defenses sharp.

00:08:15:14 - 00:08:20:02

Stay connected by subscribing and visiting plaxidityx.com.

00:08:20:02 - 00:08:24:02

Until next time, stay safe on the road and in the cloud.