Techniques
TID | Name | Description |
---|---|---|
ATE-001 | Downgrade Attacks via Rogue Base station | Downgrade attacks, especially in the context of a Rogue Cellular Base Station (RBS), force a device onto a less secure network generation or protocol, making it easier for attackers to exploit vulnerabilities, intercept communications, or attack subscriber privacy. |
ATE-002 | Rogue Cellular Base Station | In 4G networks, RBSs or International Mobile Subscriber Identity (IMSI) catchers target the IMSIs of User Equipment (UE) during the initial attach procedure. Once an IMSI is captured, subscriber privacy can be severely compromised. Man-in-the-Middle (MitM) attacks are common, where a malicious third party's RBS masquerades as a genuine network's base station. In 5G Cellular Vehicle-to-Everything (C-V2X) autonomous platooning scenarios, attackers deploy an RBS near the road; by overpowering the legitimate signal, the RBS hijacks platoon communications. |
ATE-004 | GNSS Attacks | NA |
ATE-004.01 | GNSS Spoofing Attacks | GNSS Spoofing Attacks deceive receivers by transmitting counterfeit GNSS signals. The spoofing signals must match the authentic signals' Pseudo Random Noise (PRN) code sequences and carrier frequency. The number of spoofed satellites usually equals the number of authentic signals. The structure of the navigation data bit stream is kept, but its content can be manipulated. The initial carrier phase alignment between spoofed and authentic signals is challenging, since it requires precise knowledge of the relative position of spoofer and target. |
ATE-004.02 | GNSS Jamming | GNSS Jamming involves transmitting |
ATE-006 | Camera Attacks | NA |
ATE-006.01 | General Attacks on Camera Systems | Cameras in ITS detect traffic signs, lane delineation, or objects, and each of these functions can be attacked. Traffic sign detection can be fooled by placing fake traffic signs at improper locations or by hiding traffic signs with other shapes or colors that confuse the detection algorithm. Lane detection can be confused by painting additional lines on the road or by using different colors. Object tracking is limited by computational power or resolution, so a denial of service can be caused by presenting too many objects to track. The Deep Neural Networks (DNNs) used in camera software can be fooled by images that are unrecognizable to humans but are classified by the DNN with high confidence. |
ATE-006.02 | Camera Feature Attacks | Cameras have features such as automatic exposure control, auto-focus, and light sensitivity that can be targeted. Cameras normalize lighting conditions iteratively: directing light at the image sensor causes the camera to tune down its sensitivity and exposure, with undesired side effects. For instance, auto exposure turned down because of headlights at night can hide information in the background, such as traffic signs or pedestrians; the Google Driverless Car has been noted to be susceptible to this problem. These attacks aim to influence the camera's auto controls during the period before the image recovers and stabilizes. The attack is harder to detect because it consists of bursts of light rather than a constant beam, and the longer the image takes to stabilize, the longer the vehicle is blind to undetected objects. This differs from situations like driving out of a tunnel, where the camera adapts more gradually to the new conditions. |
ATE-006.03 | Blinding the Camera | Fully or partially blind the camera by emitting light into it so that objects are hidden; failing to detect objects such as speed limit signs or traffic lights jeopardizes safety. Blinding occurs when the camera can no longer adjust its auto exposure or gain, resulting in an overexposed image. The effectiveness of the attack depends on three variables: the environmental light (brighter environments require more light to blind the camera), the light source used for blinding (in particular its wavelength), and the distance between the light source and the camera. The attack can be carried out with commodity hardware such as a laser pointer or cheap LEDs. Its effectiveness is assessed using the tonal distribution of the image, i.e. the number of pixels per grayscale value. |
ATE-007 | LiDAR Attacks | LiDAR systems emit light pulses and |
ATE-007.01 | LiDAR Replay Attacks | LiDAR Replay Attacks capture legitimate LiDAR signals and re-transmit them to deceive the system. |
ATE-007.02 | LiDAR Relaying Attack | The LiDAR Relaying Attack is an extension of the replay attack. It relays the original signal sent by the target vehicle's LiDAR from a different position, creating fake echoes that make real objects appear closer or farther than their actual locations. A relay attack is most likely to be executed from the road side, where an attacker can receive LiDAR signals from vehicles and relay them to another vehicle located elsewhere. |
ATE-007.03 | LiDAR Spoofing Attacks | LiDAR Spoofing Attacks build on the relay attack and exploit the system's light pulse mechanism to manipulate perceived object distances in ITS. By injecting counterfeit signals and controlling parameters such as delay and pulse sequence, attackers create illusions of objects at chosen distances. This deceives the vehicle's perception and poses a significant risk to the safety and functionality of ITS. |
ATE-008 | Spoofing FMCW Radar | FMCW radars emit electromagnetic waves and measure the reflections to determine object distances and velocities. An attacker vehicle positioned in front of the victim's vehicle uses a modified radar system to transmit a powerful signal that overpowers the real reflected signal. The attacker's radar measures the true relative distance and velocity to the victim's vehicle in order to craft the spoofing signal. |
ATE-011 | Attacks on Road Side Units/Balise | This technique focuses on compromising or manipulating Road Side Units (RSUs) or balises, and thus the communication and data exchange between vehicles and infrastructure elements. Such attacks can disrupt the normal functioning of a vehicle by feeding it misleading information or by blocking essential signals, potentially leading to unsafe conditions or operational inefficiencies. |
ATE-012 | Radio Data System (RDS) Attacks | RDS Attacks involve tricking the victim into installing a benign-looking app that uses the RDS interface. Initially the app exhibits no malicious behavior; after installation it dynamically downloads a backdoor, reassembling it from RDS packets and executing the payload. The exploit goes undetected because antivirus scanners cannot inspect code downloaded at run time. The attack bypasses the Android security checks of the vehicle's infotainment system by exploiting vulnerabilities in the FM Radio API. |
ATE-014 | Exploitation of Wi-Fi Stack | Attackers target vulnerabilities within the vehicle's Wi-Fi communication stack to gain unauthorized access or control. |
ATE-015 | Gain access to Wi-Fi Hotspot | Attackers exploit vulnerabilities or weak configurations in a vehicle's onboard Wi-Fi hotspot to gain access to it. |
ATE-019 | Exploitation via Repair Shop/Garage/Factory | Attackers leverage compromised systems within vehicle repair shops, garages, or factories. By exploiting these systems, attackers gain unauthorized access to the vehicle's systems, allowing them to introduce and execute malicious software. |
ATE-021 | Hardware addition | NA |
ATE-021.02 | Connect device network via USB-Ethernet | An attacker plugs in a USB device that enumerates as a USB-Ethernet adapter (i.e. behaves like a LAN cable) to gain network access to the system. |
ATE-021.03 | Code Execution via USB | Malicious code or malware runs when a USB device or memory card is connected. Many computers and devices are configured to automatically run software after a USB device or memory card is connected; the malicious code is executed and attackers can then gain access to the system. |
ATE-021.04 | Code Execution via SD Card | Attackers introduce malicious code into a vehicle's system through an infected SD card, a medium commonly used by navigation or infotainment systems. |
ATE-021.05 | Code Execution via CD | Attackers exploit vulnerabilities by inserting a CD with malicious code into the vehicle's audio or infotainment system, potentially gaining unauthorized access to connected systems. |
ATE-023 | Supply Chain Compromise | Products, software, and workflows are infected or counterfeited and manipulated before they reach the end consumer, and are then used to gain access to control systems. The ultimate objective is to compromise data or systems once the infected products enter the target environment. |
ATE-024 | Unsecured Web APIs | The increasing use of APIs in vehicle systems provides entry points for adversaries; APIs that lack proper authentication and authorization give adversaries an opportunity to exploit them. |
ATE-025 | Hacking in-vehicle apps | Adversaries exploit vulnerabilities or security gaps in the software applications integrated into a vehicle, such as web browsers, multimedia applications, or navigation apps. |
ATE-026 | Malicious App Delivery | Adversaries can trick, manipulate, or deceive users into installing malicious applications. This can be achieved through fake e-mails, websites, notifications, or advertisements. Users believe that they are downloading a legitimate application when in fact they are receiving malware. Although app stores have strict security policies and reviews for published apps, some malicious apps can still bypass these reviews and appear in the official stores. |
ATE-027 | Drive-by Compromise | Attackers can install malicious code or malware on a victim system when the user visits an infected website, without the user having to actively click anything or download a file. This technique exploits vulnerabilities in web browsers, browser extensions or plugins to deliver the malicious payload to the victim's system. |
ATE-030 | Service Compartment Access | By physically accessing compartments designed for maintenance or service tasks, attackers can connect to internal networks or systems of the vehicle. This technique is especially concerning for rail vehicles, where service compartments might grant access to critical control systems. |
ATE-031 | Maintenance Notebook Infection | Manufacturers and operators of rail vehicles carry out maintenance and diagnostic work using maintenance notebooks. A notebook infected with malware is used to gain unauthorized access to the train network or other critical systems. |
ATE-032 | Exploitation of Internet Accessible Device | Internet-exposed components of the vehicle can allow attackers to gain access to the vehicle. These are components that are unintentionally exposed to the Internet or are not sufficiently protected. |
ATE-033 | Remote Maintenance Accesspoint | For diagnosis and maintenance of the vehicles, OEMs and manufacturers have remote access to the vehicles, and vehicles can be maintained via this interface. An attacker who reaches this interface inherits its capabilities, so it is an entry point into the vehicle. |
ATE-034 | Command and Scripting Interpreter | Attackers abuse command and script interpreters to execute commands, scripts, or binaries. These interpreters are fundamental tools for interacting with computer systems and can be found on various platforms. |
ATE-035 | Inter-process Communication: D-Bus | D-Bus is an inter-process communication mechanism that facilitates data exchange between software components within the vehicle, enhancing interoperability and enabling event-driven communication. Adversaries with access to the bus can use it to invoke services exposed by other components. |
ATE-036 | Native API | Adversaries use the native OS application programming interface (API) to perform various actions. Native APIs allow controlled access to low-level OS services, including hardware, memory, and processes. These APIs are essential during system boot and regular operation. |
ATE-037 | Scheduled Task/Job | Attackers use the task scheduling feature to execute malicious code, either as a one-time event or at recurring intervals. Task scheduling is used to achieve persistence by running programs at system startup or on a schedule. It can also allow them to run processes in specific user account contexts, possibly with elevated privileges. |
ATE-038 | User Execution | Users are tricked through social engineering into taking actions that result in the execution of malware or other malicious activities. Users are manipulated through phishing, vishing (voice phishing), or other forms of interaction. |
ATE-039 | Persistence via Credentials | Accounts that are already compromised can be used by an attacker to retain persistent access to the system. |
ATE-040 | Firmware Installation - Reprogram ECU | An attacker can flash the ECU with modified firmware to persist on the target system. |
ATE-042 | Modify TEE | Malicious alteration of the Trusted Execution Environment (TEE) in a vehicle's system. By tampering with the TEE, adversaries can maintain persistent unauthorized access or control, potentially compromising the secure execution of critical vehicle functions. |
ATE-043 | Exploit Application Vulnerability | Attackers use this technique to gain higher privileges on a system by exploiting a vulnerability in application software. The attacker looks for vulnerabilities in applications installed on the target system, such as web browsers, office programs, PDF viewers, or other software. Once a vulnerability is identified, the attacker develops an exploit targeting it and executes the exploit on the target system through the affected application. After successful execution, the attacker holds higher privileges on the system. |
ATE-044 | Exploit OS Vulnerability | Attackers exploit a vulnerability in the operating system (OS) to gain higher permissions or privileges on a computer system. This could be a security hole, a software malfunction, or unexpected behavior in the operating system. The attacker develops an exploit that is specifically tailored to the identified vulnerability. Once executed, the attacker can gain access to system resources, administrative accounts, or other sensitive information. |
ATE-045 | Hardware Fault Injection | Hardware Fault Injection is the deliberate introduction of faults (such as voltage or clock glitches) into a vehicle's hardware components to exploit vulnerabilities and escalate privileges. The technique disturbs the hardware's normal operation, potentially granting attackers unauthorized access to or control over vehicle systems. |
ATE-046 | Exploit TEE Vulnerability | An attacker can gain the privileges held by the Trusted Execution Environment (TEE) by exploiting vulnerabilities in it. This can give the attacker access to sensitive data and cryptographic material, or allow manipulation of that data. |
ATE-047 | Reprogram ECU for privilege escalation | An attacker installs new firmware that grants more privileges on the system. |
ATE-048 | Bypass SecurityAccess | An attacker can exploit weaknesses in the SecurityAccess seed/key mechanism (UDS service 0x27) to gain unauthorized access to sensitive data, execute diagnostic commands, and make changes to the ECU. |
ATE-054 | Adversary-in-the-Middle | Attackers intercept and potentially alter communications between two vehicle components or systems. This can lead to unauthorized access to or manipulation of sensitive data, such as authentication credentials or command signals, compromising the integrity and security of the entire vehicle system. |
ATE-065 | Exploitation of Remote Services | Attackers can exploit vulnerabilities in remote services to move from asset to asset within the vehicle. |
ATE-066 | Remote Services | Attackers can use various remote services to move from asset to asset within the vehicle. |
ATE-099 | Denial of Control | Attackers disrupt a vehicle's control systems, preventing operators or automated systems from taking the desired actions. This is critical in scenarios such as emergency braking, in both automotive and rail contexts. |
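
As an added worked example for ATE-004.01 (not part of this catalogue or of any referenced work), the following Python generates GPS L1 C/A Gold codes as specified in IS-GPS-200 and runs the sliding-correlation code-phase search a receiver performs. It shows why the spoofer must replicate the exact PRN code: a matching code at higher power captures the receiver's correlation peak (and thus its pseudorange), while a mismatched PRN never rises above the Gold-code cross-correlation floor. The "signals" are constructed chip sequences with no noise or carrier, and the spoofer model (same PRN, shifted code phase, 3x power) is an assumption of the example.

```python
"""GPS L1 C/A code generation and sliding-correlation acquisition.

Illustrates ATE-004.01: a receiver locks on whatever replica of *its* PRN
code correlates best, so a spoofer must replicate the exact PRN sequence and
then wins the code-phase search by power. Generator follows IS-GPS-200
(G1 = 1+x^3+x^10, G2 = 1+x^2+x^3+x^6+x^8+x^9+x^10). The 'signals' below are
constructed chip sequences (no noise, no carrier), not RF captures."""

CODE_LEN = 1023

# G2 phase-select taps per PRN (IS-GPS-200 table; PRNs 1-10 listed here)
G2_TAPS = {1: (2, 6), 2: (3, 7), 3: (4, 8), 4: (5, 9), 5: (1, 9),
           6: (2, 10), 7: (1, 8), 8: (2, 9), 9: (3, 10), 10: (2, 3)}


def ca_code(prn):
    """Return the 1023-chip C/A code of `prn` as a list of 0/1 chips."""
    t1, t2 = G2_TAPS[prn]
    g1, g2 = [1] * 10, [1] * 10           # both LFSRs start at all ones
    chips = []
    for _ in range(CODE_LEN):
        chips.append(g1[9] ^ g2[t1 - 1] ^ g2[t2 - 1])
        # feedback: G1 stages 3,10; G2 stages 2,3,6,8,9,10 (1-indexed)
        g1 = [g1[2] ^ g1[9]] + g1[:9]
        g2 = [g2[1] ^ g2[2] ^ g2[5] ^ g2[7] ^ g2[8] ^ g2[9]] + g2[:9]
    return chips


def bipolar(chips):
    """Map chips 0/1 to -1/+1 so correlation is a plain dot product."""
    return [1 if c else -1 for c in chips]


def correlate(received, replica, lag):
    """Circular correlation of `received` with `replica` delayed by `lag` chips."""
    return sum(received[i] * replica[(i - lag) % CODE_LEN] for i in range(CODE_LEN))


def acquire(received, prn):
    """Sliding-correlation code-phase search; returns (lag, peak) the receiver locks to."""
    replica = bipolar(ca_code(prn))
    peaks = [correlate(received, replica, lag) for lag in range(CODE_LEN)]
    best = max(range(CODE_LEN), key=peaks.__getitem__)
    return best, peaks[best]


def transmit(prn, code_phase, amplitude=1.0):
    """Constructed one-period 'signal': PRN code delayed by `code_phase` chips."""
    code = bipolar(ca_code(prn))
    return [amplitude * code[(i - code_phase) % CODE_LEN] for i in range(CODE_LEN)]


def mix(*signals):
    """Superpose several signals arriving at the antenna."""
    return [sum(s[i] for s in signals) for i in range(CODE_LEN)]


def spoofing_demo():
    """Authentic PRN 1 at code phase 100 vs. a 3x stronger spoofer.

    Same PRN at phase 400: the receiver's peak moves to 400 (false pseudorange).
    Wrong PRN (2) at any power: cross-correlation stays within +-65 of 1023,
    so the receiver keeps the authentic phase."""
    authentic = transmit(1, 100)
    matched_spoof = transmit(1, 400, amplitude=3.0)
    mismatched_spoof = transmit(2, 400, amplitude=3.0)
    return {
        "clean": acquire(authentic, 1)[0],
        "spoofed": acquire(mix(authentic, matched_spoof), 1)[0],
        "wrong_prn": acquire(mix(authentic, mismatched_spoof), 1)[0],
    }


if __name__ == "__main__":
    print("PRN 1 first 10 chips:", "".join(map(str, ca_code(1)[:10])))  # 1100100000
    print(spoofing_demo())
```

The code phase a receiver locks to is what its pseudorange is computed from, which is why the page stresses PRN and frequency matching: a 3x-stronger replica of the right PRN moves the lock, a wrong PRN moves nothing. The example omits carrier phase and navigation-data bits, the two alignment problems the row above calls out as the hard part for a spoofer.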
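
As an added example for ATE-006.03 (written for this page, not taken from the catalogue or the cited camera work), the following Python computes the tonal distribution the row refers to, the histogram of pixels per grayscale value, and uses it to flag a blinded frame. The decision keys on clipping into the top bins rather than on brightness, which is what distinguishes a sensor whose exposure and gain have bottomed out from a merely bright scene. The frames are constructed 8-bit arrays, not camera captures, and the 0.6 clipped-fraction and 250 cut-off thresholds are assumptions to be tuned per sensor.

```python
"""Tonal-distribution check for camera blinding (ATE-006.03).

Builds the grayscale histogram (pixels per intensity value) of a frame and
flags frames whose tonal mass has collapsed into the clipped top bins, which
is what a sensor that can no longer reduce exposure/gain produces. Frames
are constructed 8-bit grayscale arrays, not camera captures; the thresholds
are assumptions to be tuned per sensor."""

LEVELS = 256


def tonal_distribution(frame):
    """Histogram over 0..255 of a frame given as rows of 8-bit grayscale pixels."""
    hist = [0] * LEVELS
    for row in frame:
        for px in row:
            if not 0 <= px < LEVELS:
                raise ValueError(f"pixel value {px} outside 8-bit range")
            hist[px] += 1
    return hist


def saturation_ratio(hist, clip_from=250):
    """Fraction of pixels at or above `clip_from`, i.e. overexposed/clipped."""
    total = sum(hist)
    return sum(hist[clip_from:]) / total if total else 0.0


def is_blinded(frame, max_clipped=0.6, clip_from=250):
    """Return (flag, ratio). A bright scene is not enough: the decision keys on
    clipping, which is what distinguishes blinding from a sunny day."""
    ratio = saturation_ratio(tonal_distribution(frame), clip_from)
    return ratio >= max_clipped, ratio


def make_frame(width, height, background, spots=()):
    """Constructed frame: uniform background plus rectangles (x, y, w, h, value)."""
    frame = [[background] * width for _ in range(height)]
    for x, y, w, h, value in spots:
        for r in range(y, min(y + h, height)):
            for c in range(x, min(x + w, width)):
                frame[r][c] = value
    return frame


def demo():
    w, h = 64, 48
    scenes = {
        # Daytime road with a sign patch: mid-grey, nothing clipped.
        "normal": make_frame(w, h, 110, spots=[(10, 10, 8, 8, 200)]),
        # Snow/low sun: bright, but the sensor still has headroom.
        "bright": make_frame(w, h, 230),
        # Laser/LED at the lens: exposure bottomed out, sensor clips; only the
        # bottom rows (away from the light) keep any information.
        "blinded": make_frame(w, h, 255, spots=[(0, 40, w, 8, 180)]),
        # Hot spot over a quarter of the frame: partial blinding, below threshold.
        "partial": make_frame(w, h, 110, spots=[(0, 0, 32, 24, 255)]),
    }
    return {name: is_blinded(frame) for name, frame in scenes.items()}


if __name__ == "__main__":
    for name, (flag, ratio) in demo().items():
        print(f"{name:8s} blinded={flag} clipped={ratio:.2f}")
```

The same histogram over consecutive frames gives the timing information ATE-006.02 depends on: a burst attack shows the clipped fraction spiking and then decaying as the auto controls recover, whereas a tunnel exit shows a gradual shift of the whole distribution.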
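
As an added example for ATE-007.01 to ATE-007.03 (not part of the catalogue), the following Python works through the time-of-flight arithmetic that relay and spoofing attacks manipulate, and adds the plausibility check a perception stack can run on consecutive scans: a single return cannot move farther between two scans than any real object could. All ranges, scan rates and injected delays are constructed values; the 60 m/s closing-speed bound and 0.5 m noise margin are assumptions.

```python
"""Time-of-flight geometry behind LiDAR replay/relay/spoofing (ATE-007.01-03)
and a range-rate plausibility filter for consecutive scans.

An echo that arrives `delay` seconds late places the object c*delay/2 metres
farther; one presented early (a spoofer firing on its own schedule after
learning the victim's pulse timing) places it closer. All ranges, rates and
delays are constructed values for the example."""

C = 299_792_458.0  # speed of light, m/s


def range_from_tof(tof_s):
    """Round-trip time of flight (s) -> range (m)."""
    return C * tof_s / 2.0


def tof_from_range(range_m):
    """Range (m) -> round-trip time of flight (s)."""
    return 2.0 * range_m / C


def spoofed_range(true_range_m, injected_delay_s):
    """Apparent range when the echo is shifted by `injected_delay_s`
    (positive: farther, e.g. a road-side relay; negative: closer)."""
    return range_from_tof(tof_from_range(true_range_m) + injected_delay_s)


def implausible_scans(ranges_m, dt_s, v_max_mps=60.0, margin_m=0.5):
    """Indices of scans whose range jump exceeds what any object could do
    between two scans (|dr| > v_max*dt + margin). A single sudden jump is the
    signature of an echo being captured by a relay/spoofer."""
    limit = v_max_mps * dt_s + margin_m
    return [i for i in range(1, len(ranges_m))
            if abs(ranges_m[i] - ranges_m[i - 1]) > limit]


def demo():
    dt = 0.05                                  # 20 Hz scans
    # Car ahead closing at 10 m/s from 40 m (constructed).
    true_ranges = [40.0 - 10.0 * dt * i for i in range(10)]
    # From scan 5 on a relay adds 100 ns: ~15 m farther than it really is.
    relayed = true_ranges[:5] + [spoofed_range(r, 100e-9) for r in true_ranges[5:]]
    # A 'closer' spoof: echoes presented 50 ns early from scan 3 on.
    closer = true_ranges[:3] + [spoofed_range(r, -50e-9) for r in true_ranges[3:]]
    return {
        "shift_per_100ns_m": spoofed_range(40.0, 100e-9) - 40.0,
        "clean_flags": implausible_scans(true_ranges, dt),
        "relay_flags": implausible_scans(relayed, dt),
        "closer_flags": implausible_scans(closer, dt),
    }


if __name__ == "__main__":
    print(demo())
```

The filter only catches a step change. An attacker who ramps the injected delay so that each per-scan shift stays under v_max*dt evades it, which is why range-rate checks are paired with cross-sensor consistency (radar, camera) rather than used alone.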
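
As an added example for ATE-048 (constructed for this page; it is not the catalogue's own material and describes no specific ECU), the following Python simulates the ECU side of the UDS SecurityAccess exchange and shows the weakness class the row refers to. Service identifier 0x27, sub-functions 0x01/0x02, positive response 0x67 and the negative response codes are those of ISO 14229; the seeds, the secret and both key-derivation functions are assumptions of the example. With a key algorithm that is linear in the seed, one (seed, key) pair observed from a legitimate tester session is enough to unlock the ECU later; with a keyed hash and fresh random seeds the same capture is useless.

```python
"""UDS SecurityAccess (service 0x27) seed/key exchange, simulated on the ECU side.

Illustrates ATE-048. Service and NRC byte values follow ISO 14229; the seeds,
the secret and both key algorithms are constructed for the example (real ECUs
use OEM-specific functions). The weak algorithm is linear in the seed, so a
single (seed, key) pair captured from a legitimate tester session leaks the
secret; the keyed-hash variant does not."""
import hashlib
import hmac

SERVICE = 0x27
REQUEST_SEED, SEND_KEY = 0x01, 0x02
POS_RESP = SERVICE + 0x40        # 0x67
NEG_RESP = 0x7F
NRC_SUBFUNCTION = 0x12           # subFunctionNotSupported
NRC_SEQUENCE = 0x24              # requestSequenceError
NRC_INVALID_KEY = 0x35           # invalidKey
NRC_EXCEEDED = 0x36              # exceedNumberOfAttempts


def weak_key_from_seed(seed: bytes, secret: bytes) -> bytes:
    """Constructed weak OEM algorithm: XOR every seed byte with secret[0]."""
    return bytes(b ^ secret[0] for b in seed)


def strong_key_from_seed(seed: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 truncated to the seed length: one pair reveals nothing."""
    return hmac.new(secret, seed, hashlib.sha256).digest()[: len(seed)]


class EcuSecurityAccess:
    """Minimal 0x27 state machine: seed must precede key, wrong keys are
    counted, and the service locks after `max_attempts` failures."""

    def __init__(self, key_fn, secret, seeds, max_attempts=3):
        self.key_fn, self.secret = key_fn, secret
        self._seeds = iter(seeds)    # constructed; a real ECU draws fresh random seeds
        self._pending = None
        self._failures = 0
        self.max_attempts = max_attempts
        self.unlocked = False

    def handle(self, req: bytes) -> bytes:
        if req[:1] != bytes([SERVICE]):
            raise ValueError("not a SecurityAccess request")
        if self._failures >= self.max_attempts:
            return bytes([NEG_RESP, SERVICE, NRC_EXCEEDED])
        sub = req[1]
        if sub == REQUEST_SEED:
            self._pending = next(self._seeds)
            return bytes([POS_RESP, REQUEST_SEED]) + self._pending
        if sub == SEND_KEY:
            if self._pending is None:
                return bytes([NEG_RESP, SERVICE, NRC_SEQUENCE])
            expected = self.key_fn(self._pending, self.secret)
            self._pending = None
            if hmac.compare_digest(req[2:], expected):
                self.unlocked, self._failures = True, 0
                return bytes([POS_RESP, SEND_KEY])
            self._failures += 1
            return bytes([NEG_RESP, SERVICE, NRC_INVALID_KEY])
        return bytes([NEG_RESP, SERVICE, NRC_SUBFUNCTION])


def recover_xor_secret(seed: bytes, key: bytes) -> bytes:
    """Attacker side, assuming the XOR algorithm: secret = seed[0] ^ key[0]."""
    return bytes([seed[0] ^ key[0]])


def bypass_demo():
    """Replay of a captured tester unlock against each algorithm.

    Returns {algorithm: (unlocked, final response hex)}."""
    secret = b"\x5a"
    seeds = [b"\x11\x22\x33\x44", b"\xde\xad\xbe\xef"]   # constructed
    results = {}
    for name, key_fn in (("weak", weak_key_from_seed), ("strong", strong_key_from_seed)):
        ecu = EcuSecurityAccess(key_fn, secret, seeds)
        # 1. Legitimate tester session, observed on the diagnostic bus.
        seed1 = ecu.handle(bytes([SERVICE, REQUEST_SEED]))[2:]
        key1 = key_fn(seed1, secret)
        ecu.handle(bytes([SERVICE, SEND_KEY]) + key1)
        ecu.unlocked = False                          # session ends
        # 2. Attacker derives a 'secret' from the pair and tries a fresh unlock.
        guess = recover_xor_secret(seed1, key1)
        seed2 = ecu.handle(bytes([SERVICE, REQUEST_SEED]))[2:]
        resp = ecu.handle(bytes([SERVICE, SEND_KEY]) + weak_key_from_seed(seed2, guess))
        results[name] = (ecu.unlocked, resp.hex())
    return results


if __name__ == "__main__":
    print(bypass_demo())
```

The attempt counter and the sequence check are the two ECU-side defences the standard provides; they limit online guessing but do nothing against an algorithm that can be recovered offline from one observed exchange, which is why the key derivation and seed freshness matter more than the lockout.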