Techniques

TID Name Description
ATE-001 Downgrade Attacks via Rogue Base station

Downgrade attacks, especially in the context of a Rogue Cellular Base Station (RBS), involve forcing a device to connect to a less secure network or protocol, making it easier for attackers to exploit vulnerabilities, intercept communications, or attack privacy.

ATE-002 Rogue Cellular Base Station

In 4G networks, RBSs or International Mobile Subscriber Identity (IMSI) catchers target the IMSIs of User Equipment (UE) during the initial attachment process. Once an IMSI is stolen, subscriber privacy can be severely compromised. Man-in-the-Middle (MitM) attacks are common, where a malicious third party's RBS masquerades as a genuine network's BS. In 5G Cellular Vehicle to Everything (C-V2X) autonomous platooning scenarios, attackers deploy an RBS near roads. By overpowering legitimate signals, the RBS hijacks platoon communications. This unauthorized control can mislead autonomous vehicles, leading to potential traffic disruptions or major incidents. An undetected RBS can lead to DoS attacks and subscriber privacy breaches.

ATE-004 GNSS Attacks

NA

ATE-004.01 GNSS Spoofing Attacks

GNSS Spoofing Attacks deceive receivers by transmitting counterfeit GNSS signals. The spoofing signals must match the authentic signals' Pseudo Random Noise (PRN) code sequence and frequency. The number of spoofed satellites usually equals the number of authentic signals. The navigation data bit stream structure remains the same, but its content can be manipulated. The initial carrier phase alignment between spoofed and authentic signals is challenging, requiring precise relative positioning.

ATE-004.02 GNSS Jamming

GNSS Jamming involves transmitting high-power signals to GNSS receivers, exploiting the weaker satellite signals that reach the ground. Jammers can degrade the carrier-to-noise ratio (C/N0) of the victim receiver or even cause it to "unlock."

ATE-006 Camera Attacks

NA

ATE-006.01 General Attacks on Camera Systems

Cameras in ITS can detect traffic signs, delineation, or objects. These can be attacked in various ways: Traffic Sign Detection can be fooled by placing fake traffic signs at improper locations or by hiding traffic signs with other shapes/colors to confuse the detection algorithms. Lane Detection can be confused by painting additional lines on the road or using different colors. Object Tracking is limited due to computational power or resolution. A denial of service can be caused by presenting too many objects to track. Deep Neural Networks (DNNs), which are used in camera software, can be easily fooled by images that are unrecognizable to humans but are recognized by DNNs with high confidence.

ATE-006.02 Camera Feature Attacks

Cameras have features like automatic exposure controls, auto-focus, and light-sensitivity. These can be targeted in attacks. Cameras normalize lighting conditions iteratively. Directing light at the image sensor can cause the camera to tune down its sensitivity and exposure, leading to undesired effects. For instance, auto exposure tuning down due to headlights at night could hide information in the background, such as traffic signs or pedestrians. The Google Driverless Car has been noted to be susceptible to this problem. These attacks aim to influence the camera's auto controls in the period before the image recovers and stabilizes. The attack is harder to detect because it consists of bursts of light instead of a constant beam. The longer it takes for the image to stabilize, the longer the car is vulnerable to undetected objects. This attack is different from situations like driving out of a tunnel, where the camera can adapt more gradually to new conditions.

ATE-006.03 Blinding the Camera

The attacker fully or partially blinds the camera by emitting light into it to hide objects. Not detecting objects like speed limit signs or traffic lights can jeopardize safety. Blinding occurs when the camera can't adjust the auto exposure or gain anymore, resulting in an overexposed image. The effectiveness of the blinding attack depends on three variables: environmental light (brighter environments require more light to blind the camera), the light source used for blinding (i.e., wavelength), and the distance between the light source and the camera. The attack involves using commodity hardware like a laser pointer or cheap LEDs. The effectiveness of the attack is assessed using the tonal distribution, representing the distribution of the number of pixels per grayscale value.

ATE-007 LiDAR Attacks

LiDAR systems emit light pulses and measure their reflection time for vehicle environment perception. The earlier the LiDAR receives the signal, the closer the object will appear. The primary goal of LiDAR attacks is to introduce noise, create fake echoes, or generate fake objects.

ATE-007.01 LiDAR Replay Attacks

LiDAR Replay Attacks capture legitimate LiDAR signals and re-transmit them to deceive the system.

ATE-007.02 LiDAR Relaying Attack

The LiDAR Relaying Attack is an extension of the replay attack. The attack aims to relay the original signal sent from the target vehicle's LiDAR from a different position, creating fake echoes. This can make real objects appear closer or further than their actual locations. A relay attack is most likely to be executed from the roadside, where an attacker might receive LiDAR signals from vehicles and relay them to another vehicle located elsewhere.

ATE-007.03 LiDAR Spoofing Attacks

LiDAR Spoofing Attacks build on the relay attack and exploit the system's light pulse mechanism to manipulate perceived object distances in ITS. By injecting counterfeit signals and controlling parameters like delay and pulse sequences, attackers can create illusions of objects at varying distances. This technique can deceive the vehicle's sensors, presenting significant vulnerabilities in the safety and functionality of ITS.

ATE-008 Spoofing FMCW Radar

FMCW radars emit electromagnetic waves and measure reflections to determine object distances and velocities. An attacker vehicle is positioned in front of the victim's vehicle. The attacker uses a modified radar system, transmitting a powerful signal that overpowers the real reflected signal. The attacker's radar measures the true relative distance and velocity from the victim's vehicle to execute the attack.

ATE-011 Attacks on Road Side Units/Balise

This technique focuses on compromising or manipulating RSU/Balises and thus the communication and data exchange between vehicles and the infrastructure elements. Such attacks can disrupt the normal functioning of a vehicle by feeding it misleading information or by blocking essential signals, potentially leading to unsafe conditions or operational inefficiencies.

ATE-012 Radio Data System (RDS) Attacks

RDS Attacks involve tricking victims into installing a benign-looking app that uses the RDS interface. Initially, this app exhibits no malicious behavior. Post-installation, the app dynamically downloads a backdoor, reassembling RDS packets to execute the payload. The exploit remains undetected as antiviruses can't scan runtime downloads. The attack bypasses Android's security checks of the vehicle's infotainment system, exploiting vulnerabilities in the FM Radio API.

ATE-014 Exploitation of Wi-Fi Stack

Attackers target vulnerabilities within the vehicle's Wi-Fi communication stack, gaining unauthorized access or control.

ATE-015 Gain access to Wi-Fi Hotspot

Attackers exploit vulnerabilities or weak configurations in a vehicle's onboard Wi-Fi system.

ATE-019 Exploitation via Repair Shop/Garage/Factory

Attackers leverage compromised systems within vehicle repair shops, garages, or factories. By exploiting these vulnerabilities, attackers can gain unauthorized access to the vehicle's systems, allowing them to introduce and execute malicious software.

ATE-021 Hardware addition

NA

ATE-021.02 Connect device network via USB-Ethernet

An attacker can plug in a USB flash drive that acts like a LAN cable to gain Ethernet access to the system.

ATE-021.03 Code Execution via USB

Malicious code or malware runs when a USB device or memory card is connected. Many computers and devices are configured to automatically run software after connecting a USB device or memory card. The malicious code is executed and attackers can then gain access to a system.

ATE-021.04 Code Execution via SD Card

Attackers introduce malicious code into a vehicle's system through an infected SD card, commonly used in navigation or infotainment systems.

ATE-021.05 Code Execution via CD

Attackers exploit vulnerabilities by inserting a CD with malicious code into the vehicle's audio or infotainment system, potentially gaining unauthorized access to connected systems.

ATE-023 Supply Chain Compromise

Products, software, and workflows are initially infected or counterfeited. They are manipulated before reaching the end consumer and are then utilized to gain access to control systems. The ultimate objective is to compromise data or systems once infected products enter the target environment.

ATE-024 Unsecured Web APIs

The increasing use of APIs in vehicle systems provides entry points for adversaries. Unsecured APIs provide opportunities for adversaries to exploit them.

ATE-025 Hacking in-vehicle apps

Adversaries exploit vulnerabilities or security gaps in the software applications integrated into a vehicle. These can be web browsers, multimedia applications, navigation apps.

ATE-026 Malicious App Delivery

Adversaries can trick, manipulate, or deceive users into installing malicious applications. This can be achieved through fake e-mails / websites / notifications / advertisements. Users believe that they are downloading a legitimate application when in fact they are receiving malware. Although app stores have strict security policies and reviews for published apps, some malicious apps can still bypass these reviews and appear in the official stores.

ATE-027 Drive-by Compromise

Attackers can install malicious code or malware on a victim system when the user visits an infected website without the user having to actively click anything or download a file. This technique exploits vulnerabilities in web browsers, browser extensions or plugins to deliver the malicious payload to the victim's system.

ATE-030 Service Compartment Access

By physically accessing compartments designed for maintenance or service tasks, attackers can connect to internal networks or systems of the vehicle. This technique is especially concerning for rail vehicles where service compartments might grant access to critical control systems.

ATE-031 Maintenance Notebook Infection

Manufacturers and operators of rail vehicles carry out maintenance and diagnostic work using maintenance notebooks. A notebook infected with malware is used to gain unauthorized access to the train network or other critical systems.

ATE-032 Exploitation of Internet Accessible Device

Internet exposed components of the vehicle can allow attackers to gain access to the vehicle. These are components that are unintentionally exposed to the Internet or are not sufficiently protected.

ATE-033 Remote Maintenance Accesspoint

For diagnosis and maintenance of the vehicles, OEM / manufacturers have remote access to the vehicles. Vehicles can be maintained via this interface.

ATE-034 Command and Scripting Interpreter

Attackers exploit command and script interpreters to execute commands, scripts, or binaries. These interpreters are fundamental tools for interacting with computer systems and can be found on various platforms.

ATE-035 Inter-process Communication: D-Bus

D-Bus is a communication protocol that facilitates data exchange between various software components within the vehicle, enhancing interoperability and enabling event-driven communication.

ATE-036 Native API

Adversaries use the native OS application programming interface (API) to perform various actions. Native APIs allow controlled access to low-level OS services, including hardware, memory, and processes. These APIs are essential during system boot and regular operations.

ATE-037 Scheduled Task/Job

Attackers use the task scheduling feature to execute malicious code, either as a one-time event or at recurring intervals. Task scheduling is used to achieve persistence by running programs at system startup or on a schedule. It can also allow them to run processes using specific user account contexts, perhaps with elevated privileges.

ATE-038 User Execution

Users are tricked into taking actions using social engineering that result in the execution of malware or other malicious activities. Users are manipulated through phishing, vishing (voice phishing) or other forms of interaction.

ATE-039 Persistence via Credentials

Accounts that are already compromised can be used by an attacker to gain permanent access to the system.

ATE-040 Firmware Installation - Reprogram ECU

An attacker can flash the ECU with modified firmware to remain on the target system.

ATE-042 Modify TEE

Malicious alteration of the Trusted Execution Environment (TEE) in a vehicle's system. By tampering with the TEE, adversaries can maintain persistent unauthorized access or control, potentially compromising the secure execution of critical vehicle functions.

ATE-043 Exploit Application Vulnerability

Attackers use this technique to gain higher privileges on a computer system by exploiting a vulnerability in application software. The attacker looks for vulnerabilities in application software installed on the target system. This could be a security vulnerability in any application such as web browsers, office programs, PDF viewers or other software. After the vulnerability is identified, the attacker develops a special "exploit" that targets the vulnerability. The attacker executes the exploit on the target system using the application affected by the vulnerability. After successful execution, the attacker can gain higher privileges on the system.

ATE-044 Exploit OS Vulnerability

Attackers exploit a vulnerability in the operating system (OS) to gain higher permissions or privileges on a computer system. This could be a security hole, a software malfunction or unexpected behavior in the operating system. The attacker develops an exploit that is specifically tailored to the identified vulnerability. Once executed, the attacker can gain access to system resources, administrative accounts, or other sensitive information.

ATE-045 Hardware Fault Injection

Refers to the deliberate introduction of faults into a vehicle's hardware components to exploit vulnerabilities and escalate privileges. This technique manipulates the hardware's normal operations, potentially granting attackers unauthorized access or control over vehicle systems.

ATE-046 Exploit TEE Vulnerability

An attacker can gain privileges held by the TEE by exploiting vulnerabilities in the Trusted Execution Environment (TEE). This can give the attacker access to sensitive data and cryptographic material or allow manipulation of the data.

ATE-047 Reprogram ECU for privilege escalation

An attacker installs new firmware that grants the attacker more rights on the systems.

ATE-048 Bypass SecurityAccess

An attacker can exploit vulnerabilities in SecurityAccess to gain unauthorized access to sensitive data, execute diagnostic commands, and make changes to the ECU.

ATE-054 Adversary-in-the-Middle

Attackers intercept and potentially alter communications between two vehicle components or systems. This can lead to unauthorized access or manipulation of sensitive data, such as authentication credentials or command signals, compromising the integrity and security of the entire vehicle system.

ATE-065 Exploitation of Remote Services

Attackers can exploit vulnerabilities in remote services to move from asset to asset within the vehicle.

ATE-066 Remote Services

Attackers can use various remote services to move from asset to asset within the vehicle.

ATE-099 Denial of Control

Attackers disrupt a vehicle's control systems, preventing operators or automated systems from taking desired actions, which is critical in scenarios like emergency braking in both automotive and rail contexts.