Scientists Find Vehicles Susceptible to Remote Cyberattacks in Award-Winning Paper

Cybersecurity researchers have discovered new vulnerabilities that could provide criminals with wireless access to the computer systems in automobiles, aircraft, factories, and other cyber-physical systems.

The computers used in vehicles and other cyber-physical systems rely on a specialized internal network to communicate commands between electronics. Because it took place internally, it was traditionally assumed that attackers could only influence this network through physical access. 

In collaboration with Hyundai, researchers from 色花堂鈥檚 (CPSec) observed that threat models used to evaluate the security of these technologies were outdated. 

The team, led by Ph.D. student Zhaozhou Tang, found that vehicle technology advancements allowed attackers to launch new attacks, improve existing attacks, and circumvent current defense systems. 

For example, Tang鈥檚 findings included the possibility for attackers to remotely compromise the computers used in cars and aircraft through Wi-Fi, cellular, Bluetooth, and other wireless channels. 

鈥淥ur job was to thoroughly review existing information and find ways to protect against these attacks,鈥 he said. 鈥淲e found new threats and proposed a defense system that can protect against the new and old attacks.鈥

In response to their findings, the team developed , the first comprehensive defense system against this new generation of attackers. Designed to detect new and old attacks, ERACAN can deploy defenses when necessary. 

The system also classifies the attacks it reacts to, providing security experts with the tools for detailed analysis. It has a detection rate of 100% for all attacks launched by conventional methods and detects enhanced threat models 99.7% of the time.

The project received a distinguished paper award at the 2024 ACM Conference on Computer and Communications Security (CCS 24) held in Salt Lake City. Tang presented the paper at the October conference.

鈥淭his was Zhaozhou鈥檚 first paper in his Ph.D. program, and he deserves recognition for his groundbreaking work on automotive cybersecurity,鈥 said , associate professor in the and the . 

The U.S. Department of Homeland Security has designated the transportation sector as one of the nation鈥檚 16 critical infrastructure sectors. Ensuring its security is vital to national security and public safety. 

鈥淢odern vehicles, which rely heavily on controller area networks for essential operations, are integral components of this infrastructure,鈥 said Zonouz. 鈥淲ith the increasing sophistication of cyberthreats, safeguarding these systems has become critical to ensuring the resilience and security of transportation networks.鈥

This paper introduced to the scientific community the first comprehensive defense system to address advanced threats targeting vehicular controller area networks.

The CPSec team is putting the technology it has developed into practice in collaboration with Hyundai America Technical Center, Inc., which sponsors the work. Tang hopes ERACAN鈥檚 success will raise awareness of these new threats in the research community and industry. 

鈥淚t will help them build future defenses,鈥 he said. 鈥淲e have demonstrated the best practice to defend against these attacks.鈥

Tang received his bachelor鈥檚 degree at 色花堂, where he first performed security-related work for the automobile industry. While working with Zonouz on his master鈥檚 degree, he decided to change course and pursue research initiatives like vehicle security in a Ph.D. program. 

鈥淚t is interesting how it came full circle,鈥 he said. 鈥淚 will continue on this path of automobile security throughout my Ph.D.鈥 

ERACAN: Defending Against an Emerging CAN Threat Model, was written by Zhaozhou Tang, Khaled Serag from the Qatar Computing Research Institute, Saman Zonouz, Berkay Celik and Dongyan Xu from Purdue University, and , professor and dean of the College of Engineering. The is a collaboration between the School of Cybersecurity and Privacy and the School of Electrical and Computer Engineering.