OWASP-AUTOSEC online lunch seminar 2020 – Summary


January 16, 2021

The Open Web Application Security Project (OWASP) and AutoSec came together once again on December 12, 2020, for an online lunch seminar held on the Zoom platform. The day’s agenda included welcome notes by AutoSec and OWASP, followed by two timely presentations on automotive cybersecurity issues by Tomas Olovsson from the Chalmers University of Technology and Mateen Malik from RISE Research Institutes of Sweden AB. Below is a summary of the key issues discussed in the online seminar.

The talks started with Tomas Olovsson, who presented a solid overview of current research and activities in automotive security. He addressed the future potential of cooperative vehicle safety systems, describing a collaborative setting in which each vehicle broadcasts its GPS information to its neighborhood. Such cooperation can be realized by leveraging key communication enablers such as cellular communications (i.e., 4G, 5G) and IEEE 802.11p for Vehicle-to-everything (V2X) communications (e.g., vehicle to vehicle, vehicle to infrastructure, etc.).

He also highlighted some new attacks and problem areas from the automotive security perspective. Given that attackers will always exploit design flaws and design shortcomings in increasingly complex systems, he discussed the many potential attacks on visual identifiers and decision systems of automated vehicles by machine learning techniques. Quoting the NASA study on flight software complexity, he talked about the discrepancy between the defect insertion rate (per thousand lines of code) and the defect removal rate (per thousand lines of code), where the latter is lower. Because of this disparity, a complex digital system with 65M lines of code still has a remaining 130 000 defects.

The discussion further extended to ECU attacks and the 2020 malicious remote control of a Mercedes-Benz car (remotely opening a car’s door, starting the engine, etc.), achieved by tampering with the file system of the TCU (Telematics ECU) to gain root shell access. Next, he outlined the many challenges of using standard security tools, which relate to constraints in terms of resources, cost, lifetime, and performance. Finally, he gave some concluding remarks on recent automotive research, including privacy bumps of vehicles, the 5G ecosystem, quantum-resistant ciphers, intrusion detection, and peer-based reputation systems.

When asked by the audience which risk is the most critical for automotive systems, he pointed to fleet-wide attacks, capable of compromising all vehicles of a particular brand (remotely controlled or grounded).

Following that, Mateen Malik presented his current research on fault and attack injection-based verification and validation (V&V) of automated systems for safety and cybersecurity. This research is also connected to the VALU3S project supported by the European Union’s Horizon 2020 research. Mateen’s ongoing research focuses on Model-in-the-Loop (MIL) and Software-in-the-Loop (SIL) test environments for simulation-based fault and attack injection at the system level. While highlighting fault and attack injection as an effective verification method, he discussed its associated challenges of cost and time consumption. He will therefore look into various optimization techniques to reduce the time, cost, and effort of V&V methods for autonomous systems, using pre-injection analysis, post-injection analysis, and machine learning techniques.
Please visit this link to watch the whole Zoom meeting. Also, feel free to contact us if you have any further queries.

Written by Nishat Mowla
