TY - GEN
T1 - AutoSploit
T2 - 20th EAI International Conference on Security and Privacy in Communication Networks, SecureComm 2024
AU - Zhuang, Nan
AU - Miao, Haonan
AU - Li, Xiangxue
N1 - Publisher Copyright:
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2026.
PY - 2026
Y1 - 2026
N2 - The control features of vehicles have traditionally been focused solely on ensuring the safe operation of various integrated mechanical systems. Protocols standardized for vehicles typically concentrate on safety-related issues, and it has been widely assumed that the data provided by these protocols, such as the SAE J1979, is strictly related to safety and environmental reasons without impacting security aspects. However, this study reveals a contrasting scenario. Our interest lies particularly in the Engine Control Module (ECM), which has not received much attention until now, partly due to its intricate nature and the intersection of multiple disciplines. We use the EDC16 ECM model, commonly found in diesel engines, as a case study to demonstrate how automated scripts can identify and manipulate critical safety parameters within the extracted ECM firmware. These manipulations can lead to severe attacks, even at high speeds. Our research confirms the widespread applicability of our approach by testing it on various ECM models, including those used in hundreds of gasoline vehicle models from manufacturers like AUDI, BMW, and CHRYSLER. Our work suggests that the once clear-cut distinction between safety and security becomes increasingly blurred, necessitating a more holistic approach to vehicle design that addresses both safety mechanisms and potential security vulnerabilities.
AB - The control features of vehicles have traditionally been focused solely on ensuring the safe operation of various integrated mechanical systems. Protocols standardized for vehicles typically concentrate on safety-related issues, and it has been widely assumed that the data provided by these protocols, such as the SAE J1979, is strictly related to safety and environmental reasons without impacting security aspects. However, this study reveals a contrasting scenario. Our interest lies particularly in the Engine Control Module (ECM), which has not received much attention until now, partly due to its intricate nature and the intersection of multiple disciplines. We use the EDC16 ECM model, commonly found in diesel engines, as a case study to demonstrate how automated scripts can identify and manipulate critical safety parameters within the extracted ECM firmware. These manipulations can lead to severe attacks, even at high speeds. Our research confirms the widespread applicability of our approach by testing it on various ECM models, including those used in hundreds of gasoline vehicle models from manufacturers like AUDI, BMW, and CHRYSLER. Our work suggests that the once clear-cut distinction between safety and security becomes increasingly blurred, necessitating a more holistic approach to vehicle design that addresses both safety mechanisms and potential security vulnerabilities.
KW - CAN
KW - ECM
KW - ECU
KW - Exploit
KW - Safety-critical parameters
UR - https://www.scopus.com/pages/publications/105016212540
U2 - 10.1007/978-3-031-94455-0_18
DO - 10.1007/978-3-031-94455-0_18
M3 - 会议稿件
AN - SCOPUS:105016212540
SN - 9783031944543
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
SP - 384
EP - 405
BT - Security and Privacy in Communication Networks - 20th EAI International Conference, SecureComm 2024, Proceedings
A2 - Alrabaee, Saed
A2 - Choo, Kim-Kwang Raymond
A2 - Damiani, Ernesto
A2 - Deng, Robert H.
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 28 October 2024 through 30 October 2024
ER -