A Study of Vulnerabilities and Weaknesses in Connected Cars
KTH, School of Electrical Engineering and Computer Science (EECS).
2019 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis.
Alternative title
En studie av sårbarheter och svagheter i uppkopplade bilar (Swedish)
Abstract [en]

Security vulnerabilities in connected cars can have devastating consequences. For this reason we compiled and analyzed vulnerabilities in connected cars using empirical data to gain an understanding of the security issues in the automobile industry. The data is gathered from the U.S. National Vulnerability Database (NVD) and analyzed with the help of the CVSS system and the CVE and CWE databases. 183 reports were found from the company Qualcomm and 28 reports were found from the rest of the industry. Qualcomm was analyzed separately to avoid skewed results. Exploitability and impact trends of the vulnerabilities were analyzed and we found that the vulnerabilities generally were highly exploitable and had a high impact according to CVSS standards. The CWE classifications of the vulnerabilities were also analyzed. We found that the most common weaknesses among the major car companies were Protection Mechanism Failure, Information Exposure, Improper Restriction of Operations within the Bounds of a Memory Buffer and Improper Input Validation. The most common weaknesses for Qualcomm components were Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Access Control, NULL Pointer Dereference, Improper Validation of Array Index and Information Exposure. Looking deeper into the vulnerable components we found that 47% of the vulnerabilities were in the Infotainment system and 39% were in the Telematics Control Unit.

Abstract [sv]

Vulnerabilities in connected cars can have serious consequences. The purpose of this report is to compile and analyze such vulnerabilities using empirical data in order to gain a better understanding of the security problems in the automotive industry. Data was collected from the NVD (the U.S. National Vulnerability Database) and analyzed with the help of CVSS (Common Vulnerability Scoring System) and the database of CWEs (Common Weakness Enumeration). In total, 211 known vulnerabilities were analyzed, of which 183 come from the company Qualcomm and the remaining 28 from other parts of the automotive industry; Qualcomm was therefore analyzed separately to avoid skewed results. According to the CVSS classification, both exploitability and impact were high for many of the vulnerabilities analyzed. For car vulnerabilities in general (excluding Qualcomm), the most common weaknesses were Protection Mechanism Failure, Information Exposure, Improper Restriction of Operations within the Bounds of a Memory Buffer and Improper Input Validation, while the most common weaknesses in Qualcomm products were Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Access Control, NULL Pointer Dereference, Improper Validation of Array Index and Information Exposure. 47% of the weaknesses related to the Infotainment system and 39% to the Telematic Control Unit (TCU).

Place, publisher, year, edition, pages
2019. p. 35
Series
TRITA-EECS-EX ; 2019:488
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-260965
OAI: oai:DiVA.org:kth-260965
DiVA, id: diva2:1356203
Supervisors
Examiners
Available from: 2019-10-18
Created: 2019-10-01
Last updated: 2019-10-18
Bibliographically approved

Open Access in DiVA

fulltext (895 kB), 29 downloads
File information
File name: FULLTEXT01.pdf
File size: 895 kB
Checksum SHA-512:
1d038243c5065fba8ce5bdc6619de099d2538e5e556721e48facc60ffe63161c15f3bb9e14bf1b21d097b64e8d69465d4d7de59d5848213ea14009eda6512f4d
Type: fulltext
Mimetype: application/pdf

Total: 29 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are no longer available.

Total: 85 hits