The United Nations Regulation No. 155 sets provisions for cybersecurity and cyber security management systems in vehicles. A notable section of the document is Annex 5, which lists 69 attack vectors affecting vehicle cybersecurity. In order to help organizations comply with this regulation, we conducted a threat modelling exercise on the defined attack vectors as a form of risk assessment.
One of the challenges presented by the regulation is for manufacturers to conduct their own risk assessments in order to best implement cybersecurity measures, with Annex 5 serving as a guide.
In our research paper, “Identifying Cybersecurity Focus Areas in Connected Cars Based on WP.29 UN R155 Attack Vectors and Beyond,” we used the DREAD threat model to assess the risk level of the attack vectors listed in Annex 5. First, we considered the current technological and threat landscape to make our assessment. Then we conducted the exercise again, based on our predictions of how these technologies and threats would evolve. This blog entry provides an overview of this process.
UN R155’s attack vectors and current risk ratings
The Annex 5 attack vectors were grouped into factors that affect the connected car ecosystem, such as the backend, communication channels, update procedures, external connectivity, and data/code. We used the DREAD threat model to identify areas that would, at present, likely demand the most focus for its high-risk vectors.
We put the attack vectors through the DREAD threat model by applying current technologies; hacker tools, techniques, and procedures (TTPs); and learnings from published research in the car hacking domain. From the attack vectors in Annex 5, we rated many of those regarding vehicle data/code as high-risk. One the reasons for this rating is how the manipulation of vehicle parameters could have serious consequences that could even endanger lives.
The future of connected cars
Our risk assessments were based on current technologies, hacker TTPs, and published research. In the next decade, many of these factors would have already changed (especially with 5G networks on the horizon), therefore transforming threat profiles. Based on past studies, we predicted the changes the current connected cars ecosystem would undergo.
A few examples of these predictions include how vehicle-to-everything (V2X) communication will become mainstream; the data supply chain (which equates to the data lifecycle) will become a critical component in the safety of connected cars; and head units will support a large third-party app ecosystem. The full list can be found in our research, but from these three we can infer how such changes can influence the risk ratings of different attack vectors, such as those related to the communication channel and data/code.
Future risk assessment
Given these likely evolutions in the connected car technologies, we attempted to predict how the risk assessments will change by reevaluating the attack vectors via the DREAD threat model. We found that in the future, risks at the communication channel will increase dramatically. We rated communication channel risks as higher because vehicles are bound to be better connected through improved APIs both internally and externally. While this will happen in the near future, car cybersecurity should be designed with great consideration for back ends, APIs, and data security from the beginning to have a better coverage over both current and future risks.
A more general observation showed that none of the attack vectors remained at low risk. In the future, the threats defined by UN Regulation no. 155 would either be medium-risk or high-risk threats.
One of the reasons we saw this outcome is because in the next decade, hacking techniques, which need expertise to execute, will one day be achieved using simple plug-and-play dongles purchased from a dark web marketplace or wirelessly over the internet. The development of off-the shelf technology can also make the attack vectors reproducible and is one of the factors considered in the DREAD threat model. With time, malicious actors that target connected cars can become more adept at compromising vehicles and their tools could become more accessible. Luckily, developments in technology can also enable more advanced security, especially with the help of the cloud.
Conclusion and recommendations
The goal for the current and updated threat model is to discover shifts in the threat profile and help stakeholders develop long-term plans for addressing these threats. In a nutshell, immediate focus should be placed on the backend and data security while preparing for a future where risks at the communication channel will dramatically increase. As we have also mentioned based on both the current and updated risk assessments, we advise manufacturers to have a good understanding of back ends, APIs, and data security from the design phase of their cars as it will help against current risks and prepare for those in the next five to 10 years.
It is important for manufacturers and other stakeholders to conduct their own risk assessments as stated in the UN Regulation No. 155. Risk assessments such as this can help organizations decide how to best deploy cybersecurity solutions since it is not realistic to implement solutions all at once due to various restrictions. After determining the priority of what to focus on and in what order, manufacturers can take a phased approach in deploying solutions. In general, given how threats evolve in parallel with the evolution of technology, we recommend designing connected cars in a way that is oriented toward raising protection at a high speed.
For more details of our current risk ratings, the future of connected cars, and other focus areas beyond the scope of the regulation, read the research paper, “Identifying Cybersecurity Focus Areas in Connected Cars Based on WP.29 UN R155 Attack Vectors and Beyond.”