Techniques
TID | Name | Description |
---|---|---|
ATE-001 | Downgrade Attacks via Rogue Base Station | Downgrade attacks, especially in the context of a Rogue Cellular Base Station (RBS), force a device to connect to a less secure network or protocol, making it easier for attackers to exploit vulnerabilities, intercept communications, or attack privacy. |
ATE-002 | Rogue Cellular Base Station | In 4G networks, RBSs or International Mobile Subscriber Identity (IMSI) catchers target the IMSIs of User Equipment (UE) during the initial attach procedure. Once an IMSI is stolen, subscriber privacy can be severely compromised. Man-in-the-Middle (MitM) attacks are common, where a malicious third party's RBS masquerades as a genuine network's base station. In 5G Cellular Vehicle-to-Everything (C-V2X) autonomous platooning scenarios, attackers deploy an RBS near the road. By overpowering legitimate signals, the RBS hijacks platoon communications. |
ATE-004 | GNSS Attacks | NA |
ATE-004.01 | GNSS Spoofing Attacks | GNSS spoofing attacks deceive receivers by transmitting counterfeit GNSS signals. The spoofing signals must match the authentic signals' Pseudo Random Noise (PRN) code sequence and frequency. The number of spoofed satellites usually equals the number of authentic signals. The structure of the navigation data bit stream remains the same, but its content can be manipulated. The initial carrier-phase alignment between spoofed and authentic signals is challenging, requiring precise relative positioning. |
ATE-004.02 | GNSS Jamming | GNSS Jamming involves transmitting |
ATE-005 | Sybil Attack | In a Sybil attack, a malicious node |
ATE-006 | Camera Attacks | NA |
ATE-006.01 | General Attacks on Camera Systems | Cameras in ITS detect traffic signs, lane delineation, or objects, and each of these functions can be attacked: traffic sign detection can be fooled by placing fake traffic signs at improper locations or by hiding traffic signs with other shapes or colors to confuse the detection algorithms; lane detection can be confused by painting additional lines on the road or using different colors; object tracking is limited by computational power or resolution, so a denial of service can be caused by presenting too many objects to track; and Deep Neural Networks (DNNs), which are used in camera software, can be fooled by images that are unrecognizable to humans but are recognized by DNNs with high confidence. |
ATE-006.02 | Camera Feature Attacks | Cameras have features such as automatic exposure control, auto-focus, and light sensitivity, all of which can be targeted in attacks. Cameras normalize lighting conditions iteratively: directing light at the image sensor causes the camera to tune down its sensitivity and exposure, leading to undesired effects. For instance, auto exposure tuning down because of headlights at night can hide information in the background, such as traffic signs or pedestrians. The Google driverless car has been noted to be susceptible to this problem. These attacks aim to influence the camera's auto controls in the period before the image recovers and stabilizes. The attack is harder to detect because it consists of bursts of light instead of a constant beam. The longer it takes for the image to stabilize, the longer the car is vulnerable to undetected objects. This differs from situations like driving out of a tunnel, where the camera can adapt more gradually to the new conditions. |
ATE-006.03 | Blinding the Camera | Fully or partially blinding the camera by emitting light into it hides objects; failing to detect objects such as speed limit signs or traffic lights can jeopardize safety. Blinding occurs when the camera can no longer adjust its auto exposure or gain, resulting in an overexposed image. The effectiveness of a blinding attack depends on three variables: the environmental light (brighter environments require more light to blind the camera), the light source used for blinding (e.g., its wavelength), and the distance between the light source and the camera. The attack uses commodity hardware such as a laser pointer or cheap LEDs. Its effectiveness is assessed using the tonal distribution, i.e., the distribution of the number of pixels per grayscale value. |
ATE-007 | LiDAR Attacks | LiDAR systems emit light pulses and |
ATE-007.01 | LiDAR Replay Attacks | LiDAR replay attacks capture legitimate LiDAR signals and re-transmit them to deceive the system. |
ATE-007.02 | LiDAR Relaying Attack | The LiDAR relaying attack is an extension of the replay attack. It relays the original signal sent by the target vehicle's LiDAR from a different position, creating fake echoes, which can make real objects appear closer or farther than their actual locations. A relay attack is most likely to be executed from the roadside, where an attacker might receive LiDAR signals from vehicles and relay them to another vehicle located elsewhere. |
ATE-007.03 | LiDAR Spoofing Attacks | LiDAR spoofing attacks build on the relay attack and exploit the system's light pulse mechanism to manipulate perceived object distances in ITS. By injecting counterfeit signals and controlling parameters such as delay and pulse sequences, attackers can create illusions of objects at varying distances. This technique can deceive the vehicle's sensors, presenting significant risks to the safety and functionality of ITS. |
ATE-008 | Spoofing FMCW Radar | FMCW radars emit electromagnetic waves and measure reflections to determine object distances and velocities. An attacker vehicle is positioned in front of the victim's vehicle. The attacker uses a modified radar system that transmits a powerful signal overpowering the real reflected signal. The attacker's radar measures the true relative distance and velocity to the victim's vehicle in order to execute the attack. |
ATE-009 | Black Hole Attacks | Black hole attacks in VANETs involve malicious vehicles that drop all received packets instead of forwarding them. The objectives of these attacks are to inhibit the forwarding of packets from one vehicle to its neighboring "destination node", to prevent the reception of packets from other vehicles, and to disrupt the overall communication network, thereby posing significant threats to the safety and functionality of self-driving ITS. |
ATE-010 | TPMS Attacks | NA |
ATE-010.01 | TPMS Jamming | TPMS messages have a significant communication range: approximately 10 meters from the ITS with a basic antenna, and up to 40 meters with a low-noise amplifier. Attackers can interfere with or jam these TPMS message transmissions from a distance. |
ATE-010.02 | TPMS Spoofing | TPMS communications are based on standard modulation schemes and simple protocols without cryptographic mechanisms. The in-vehicle system appears to fully trust all received messages, lacking basic security practices such as input validation. This makes spoofing attacks feasible, allowing adversaries to send counterfeit messages that cause the TPMS to malfunction. Transmissions can be spoofed from the roadside or from a nearby vehicle. |
ATE-012 | Radio Data System (RDS) Attacks | RDS attacks involve tricking victims into installing a benign-looking app that uses the RDS interface. Initially, this app exhibits no malicious behavior. After installation, the app dynamically downloads a backdoor, reassembling RDS packets to execute the payload. The exploit remains undetected because antivirus software cannot scan runtime downloads. The attack bypasses the Android security checks of the vehicle's infotainment system by exploiting vulnerabilities in the FM Radio API. |
ATE-013 | Malicious SMS | An attacker can unlock a car and control other critical functions through malicious SMS messages. |
ATE-014 | Exploitation of Wi-Fi Stack | Attackers target vulnerabilities within the vehicle's Wi-Fi communication stack, gaining unauthorized access or control. |
ATE-015 | Gain access to Wi-Fi Hotspot | Attackers exploit vulnerabilities or weak configurations in a vehicle's onboard Wi-Fi system. |
ATE-016 | Exploitation via Bluetooth | Vulnerabilities in the Bluetooth stack may allow an attacker to execute code and gain access to the system. |
ATE-017 | Exploitation via C-V2X | Attackers target vulnerabilities within the vehicle's C-V2X communication system, which facilitates information exchange between vehicles and infrastructure. This could also compromise safety and traffic management systems. |
ATE-018 | Exploitation via DSRC | Attackers target vulnerabilities within the vehicle's DSRC system, which is used for V2V and V2I communications, and can thereby interfere with critical safety functions and traffic coordination. |
ATE-019 | Exploitation via Repair Shop/Garage/Factory | Attackers leverage compromised systems within vehicle repair shops, garages, or factories. By exploiting these systems, attackers can gain unauthorized access to the vehicle's systems, allowing them to introduce and execute malicious software. |
ATE-020 | Exploitation of OBD Dongles | An OBD dongle connects to a vehicle's OBD interface, which is present in all modern automotive vehicles and is used for vehicle diagnosis and monitoring. Dongles can communicate via Wi-Fi, Bluetooth, LTE, or 5G and can be accessed from the Internet. An attacker could transfer malicious software to the OBD dongle to later gain access to the vehicle or compromise its control units. |
ATE-021 | Hardware addition | NA |
ATE-021.01 | Physical Access (CAN-Injection) | An attacker plugs their own hardware into the system or network as a "theft device". |
ATE-021.02 | Connect device to network via USB-Ethernet | An attacker can plug in a USB device that acts like a LAN cable to gain Ethernet access to the system. |
ATE-021.03 | Code Execution via USB | Malicious code or malware runs when a USB device or memory card is connected. Many computers and devices are configured to automatically run software after a USB device or memory card is connected; the malicious code is executed and attackers can then gain access to the system. |
ATE-021.04 | Code Execution via SD Card | Attackers introduce malicious code into a vehicle's system through an infected SD card, as commonly used in navigation or infotainment systems. |
ATE-021.05 | Code Execution via CD | Attackers exploit vulnerabilities by inserting a CD with malicious code into the vehicle's audio or infotainment system, potentially gaining unauthorized access to connected systems. |
ATE-022 | Exploitation via OBD Interface | The OBD interface is a physical or wireless interface usually used by authorized mechanics or diagnostic equipment to access the vehicle's diagnostic data. Attackers can connect devices to the OBD interface to access and manipulate the vehicle's ECUs and introduce malicious software into the vehicle. This allows attackers to regain access later and even control the vehicle remotely. |
ATE-023 | Supply Chain Compromise | Products, software, and workflows are infected or counterfeited and manipulated before reaching the end consumer, and are then used to gain access to control systems. The ultimate objective is to compromise data or systems once the infected products enter the target environment. |
ATE-024 | Unsecured Web APIs | The increasing use of APIs in vehicle systems provides entry points for adversaries; unsecured APIs give adversaries opportunities to exploit them. |
ATE-025 | Hacking in-vehicle apps | Adversaries exploit vulnerabilities or security gaps in the software applications integrated into a vehicle, such as web browsers, multimedia applications, and navigation apps. |
ATE-026 | Malicious App Delivery | Adversaries can trick, manipulate, or deceive users into installing malicious applications, for example through fake e-mails, websites, notifications, or advertisements. Users believe they are downloading a legitimate application when in fact they are receiving malware. Although app stores have strict security policies and reviews for published apps, some malicious apps still bypass these reviews and appear in the official stores. |
ATE-027 | Drive-by Compromise | Attackers can install malicious code or malware on a victim system when the user visits an infected website, without the user having to actively click anything or download a file. This technique exploits vulnerabilities in web browsers, browser extensions, or plugins to deliver the malicious payload to the victim's system. |
ATE-028 | Exploitation via charging station | Attackers exploit vulnerabilities in EVSE or its communication protocols to gain unauthorized access to the vehicle's systems. |
ATE-029 | Keyless Go Attacks | NA |
ATE-029.01 | Replay Attack | Attackers capture legitimate Keyless Go signals and re-transmit them to deceive the system. |
ATE-029.02 | Relay Attack | The relay attack is an extension of the replay attack. Attackers relay the original signals between the vehicle and its key fob, deceiving the system into believing the key is in close proximity, thereby enabling unauthorized access or ignition. |
ATE-029.03 | Roll Jam Attack | Attackers intercept and delay the signal transmitted by a key fob, causing a temporary disruption in the communication between the key and the vehicle. |
ATE-029.04 | Roll Back Attack | Attackers manipulate the sequence numbers or timestamps of the signals sent by the key fob. By "rolling back" these values, attackers can replay previous legitimate signals, deceiving the vehicle's security system and potentially gaining unauthorized access. |
ATE-034 | Command and Scripting Interpreter | Attackers exploit command and script interpreters to execute commands, scripts, or binaries. These interpreters are fundamental tools for interacting with computer systems and can be found on various platforms. |
ATE-035 | Inter-process Communication: D-Bus | D-Bus is a communication protocol that facilitates data exchange between software components within the vehicle, enhancing interoperability and enabling event-driven communication. |
ATE-036 | Native API | Adversaries use the native OS application programming interface (API) to perform various actions. Native APIs allow controlled access to low-level OS services, including hardware, memory, and processes, and are essential during system boot and regular operation. |
ATE-037 | Scheduled Task/Job | Attackers use task scheduling to execute malicious code, either as a one-time event or at recurring intervals. Task scheduling is used to achieve persistence by running programs at system startup or on a schedule. It can also allow attackers to run processes in specific user account contexts, possibly with elevated privileges. |
ATE-038 | User Execution | Users are tricked, through social engineering, into taking actions that result in the execution of malware or other malicious activities. Users are manipulated through phishing, vishing (voice phishing), or other forms of interaction. |
ATE-039 | Persistence via Credentials | Accounts that are already compromised can be used by an attacker to gain permanent access to the system. |
ATE-040 | Firmware Installation - Reprogram ECU | An attacker can flash the ECU with modified firmware to remain on the target system. |
ATE-042 | Modify TEE | Malicious alteration of the Trusted Execution Environment (TEE) in a vehicle's system. By tampering with the TEE, adversaries can maintain persistent unauthorized access or control, potentially compromising the secure execution of critical vehicle functions. |
ATE-043 | Exploit Application Vulnerability | Attackers use this technique to gain higher privileges on a system by exploiting a vulnerability in application software. The attacker looks for vulnerabilities in application software installed on the target system; this could be a security vulnerability in any application, such as web browsers, office programs, PDF viewers, or other software. Once a vulnerability is identified, the attacker develops an exploit that targets it and executes the exploit on the target system through the affected application. After successful execution, the attacker can gain higher privileges on the system. |
ATE-044 | Exploit OS Vulnerability | Attackers exploit a vulnerability in the operating system (OS) to gain higher permissions or privileges on a system. This could be a security hole, a software malfunction, or unexpected behavior in the operating system. The attacker develops an exploit specifically tailored to the identified vulnerability. Once it is executed, the attacker can gain access to system resources, administrative accounts, or other sensitive information. |
ATE-045 | Hardware Fault Injection | The deliberate introduction of faults into a vehicle's hardware components to exploit vulnerabilities and escalate privileges. This technique manipulates the hardware's normal operation, potentially granting attackers unauthorized access to or control over vehicle systems. |
ATE-046 | Exploit TEE Vulnerability | An attacker can gain the privileges held by the Trusted Execution Environment (TEE) by exploiting TEE vulnerabilities. This can give them access to sensitive data and cryptographic material, or allow manipulation of that data. |
ATE-047 | Reprogram ECU for privilege escalation | An attacker installs new firmware that grants them more rights on the system. |
ATE-048 | Bypass SecurityAccess | An attacker can exploit vulnerabilities in SecurityAccess to gain unauthorized access to sensitive data, execute diagnostic commands, and make changes to the ECU. |
ATE-054 | Adversary-in-the-Middle | Attackers intercept and potentially alter communications between two vehicle components or systems. This can lead to unauthorized access to or manipulation of sensitive data, such as authentication credentials or command signals, compromising the integrity and security of the entire vehicle system. |
ATE-062 | ECU Discovery | Attackers identify and map out the ECUs within a vehicle's network. Understanding the interconnected ECUs can provide insights into potential vulnerabilities and attack vectors. |
ATE-065 | Exploitation of Remote Services | Attackers can exploit vulnerabilities in remote services to move from asset to asset within the vehicle. |
ATE-066 | Remote Services | Attackers can use various remote services to move from asset to asset within the vehicle. |
ATE-070 | Gather information about ECU | An attacker can use the UDS and GMLAN protocols to obtain sensitive information about the ECU. |
ATE-075 | C2 via SMS | Attackers leverage the SMS service to establish a command-and-control (C2) channel, enabling remote manipulation of vehicle systems. |
ATE-084 | Control Horn | Attackers can activate or deactivate the horn. |
ATE-099 | Denial of Control | Attackers disrupt a vehicle's control systems, preventing operators or automated systems from performing desired actions; this is critical in scenarios such as emergency braking, in both automotive and rail contexts. |