Cyber-security internals of a Skoda Octavia vRS: a hands on approach

Colin Urquhart, Xavier Bellekens*, Christos Tachtatzis, Robert Atkinson, Hanan Hindy, Amar Seeam

*Corresponding author for this work

Research output: Contribution to journalArticle

7 Downloads (Pure)

Abstract

The convergence of information technology and vehicular technologies are a growing paradigm, allowing information to be sent by and to vehicles. This information can further be processed by the Electronic Control Unit (ECU) and the Controller Area Network (CAN) for in-vehicle communications or through a mobile phone or server for out-vehicle communication. Information sent by or to the vehicle can be life-critical (e.g. breaking, acceleration, cruise control, emergency communication, etc. . . ). As vehicular technology advances, in-vehicle networks are connected to external networks through 3 and 4G mobile networks, enabling manufacturer and customer monitoring of different aspects of the car. While these services provide valuable information, they also increase the attack surface of the vehicle, and can enable long and short range attacks. In this manuscript, we evaluate the security of the 2017 Skoda Octavia vRS 4x4. Both physical and remote attacks are considered, the key fob rolling code is successfully compromised, privacy attacks are demonstrated through the infotainment system, the Volkswagen Transport Protocol 2.0 is reverse engineered. Additionally, in-car attacks are highlighted and described, providing an overlook of potentially deadly threats by modifying ECU parameters and components enabling digital forensics investigation are identified.
Original languageEnglish
Pages (from-to)146057-146069
Number of pages13
JournalIEEE Access
Volume7
Early online date25 Sep 2019
DOIs
Publication statusPublished - 18 Oct 2019

Fingerprint

Communication
Railroad cars
Cruise control
Mobile phones
Information technology
Wireless networks
Servers
Network protocols
Controllers
Monitoring
Digital forensics

Cite this

Urquhart, C., Bellekens, X., Tachtatzis, C., Atkinson, R., Hindy, H., & Seeam, A. (2019). Cyber-security internals of a Skoda Octavia vRS: a hands on approach. IEEE Access, 7, 146057-146069. https://doi.org/10.1109/ACCESS.2019.2943837
Urquhart, Colin ; Bellekens, Xavier ; Tachtatzis, Christos ; Atkinson, Robert ; Hindy, Hanan ; Seeam, Amar. / Cyber-security internals of a Skoda Octavia vRS : a hands on approach. In: IEEE Access. 2019 ; Vol. 7. pp. 146057-146069.
@article{a7ba533b9bae432985babef0cca9e7af,
title = "Cyber-security internals of a Skoda Octavia vRS: a hands on approach",
abstract = "The convergence of information technology and vehicular technologies are a growing paradigm, allowing information to be sent by and to vehicles. This information can further be processed by the Electronic Control Unit (ECU) and the Controller Area Network (CAN) for in-vehicle communications or through a mobile phone or server for out-vehicle communication. Information sent by or to the vehicle can be life-critical (e.g. breaking, acceleration, cruise control, emergency communication, etc. . . ). As vehicular technology advances, in-vehicle networks are connected to external networks through 3 and 4G mobile networks, enabling manufacturer and customer monitoring of different aspects of the car. While these services provide valuable information, they also increase the attack surface of the vehicle, and can enable long and short range attacks. In this manuscript, we evaluate the security of the 2017 Skoda Octavia vRS 4x4. Both physical and remote attacks are considered, the key fob rolling code is successfully compromised, privacy attacks are demonstrated through the infotainment system, the Volkswagen Transport Protocol 2.0 is reverse engineered. Additionally, in-car attacks are highlighted and described, providing an overlook of potentially deadly threats by modifying ECU parameters and components enabling digital forensics investigation are identified.",
author = "Colin Urquhart and Xavier Bellekens and Christos Tachtatzis and Robert Atkinson and Hanan Hindy and Amar Seeam",
year = "2019",
month = "10",
day = "18",
doi = "10.1109/ACCESS.2019.2943837",
language = "English",
volume = "7",
pages = "146057--146069",
journal = "IEEE Access",
issn = "2169-3536",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

Urquhart, C, Bellekens, X, Tachtatzis, C, Atkinson, R, Hindy, H & Seeam, A 2019, 'Cyber-security internals of a Skoda Octavia vRS: a hands on approach', IEEE Access, vol. 7, pp. 146057-146069. https://doi.org/10.1109/ACCESS.2019.2943837

Cyber-security internals of a Skoda Octavia vRS : a hands on approach. / Urquhart, Colin; Bellekens, Xavier; Tachtatzis, Christos; Atkinson, Robert; Hindy, Hanan; Seeam, Amar.

In: IEEE Access, Vol. 7, 18.10.2019, p. 146057-146069.

Research output: Contribution to journalArticle

TY - JOUR

T1 - Cyber-security internals of a Skoda Octavia vRS

T2 - a hands on approach

AU - Urquhart, Colin

AU - Bellekens, Xavier

AU - Tachtatzis, Christos

AU - Atkinson, Robert

AU - Hindy, Hanan

AU - Seeam, Amar

PY - 2019/10/18

Y1 - 2019/10/18

N2 - The convergence of information technology and vehicular technologies are a growing paradigm, allowing information to be sent by and to vehicles. This information can further be processed by the Electronic Control Unit (ECU) and the Controller Area Network (CAN) for in-vehicle communications or through a mobile phone or server for out-vehicle communication. Information sent by or to the vehicle can be life-critical (e.g. breaking, acceleration, cruise control, emergency communication, etc. . . ). As vehicular technology advances, in-vehicle networks are connected to external networks through 3 and 4G mobile networks, enabling manufacturer and customer monitoring of different aspects of the car. While these services provide valuable information, they also increase the attack surface of the vehicle, and can enable long and short range attacks. In this manuscript, we evaluate the security of the 2017 Skoda Octavia vRS 4x4. Both physical and remote attacks are considered, the key fob rolling code is successfully compromised, privacy attacks are demonstrated through the infotainment system, the Volkswagen Transport Protocol 2.0 is reverse engineered. Additionally, in-car attacks are highlighted and described, providing an overlook of potentially deadly threats by modifying ECU parameters and components enabling digital forensics investigation are identified.

AB - The convergence of information technology and vehicular technologies are a growing paradigm, allowing information to be sent by and to vehicles. This information can further be processed by the Electronic Control Unit (ECU) and the Controller Area Network (CAN) for in-vehicle communications or through a mobile phone or server for out-vehicle communication. Information sent by or to the vehicle can be life-critical (e.g. breaking, acceleration, cruise control, emergency communication, etc. . . ). As vehicular technology advances, in-vehicle networks are connected to external networks through 3 and 4G mobile networks, enabling manufacturer and customer monitoring of different aspects of the car. While these services provide valuable information, they also increase the attack surface of the vehicle, and can enable long and short range attacks. In this manuscript, we evaluate the security of the 2017 Skoda Octavia vRS 4x4. Both physical and remote attacks are considered, the key fob rolling code is successfully compromised, privacy attacks are demonstrated through the infotainment system, the Volkswagen Transport Protocol 2.0 is reverse engineered. Additionally, in-car attacks are highlighted and described, providing an overlook of potentially deadly threats by modifying ECU parameters and components enabling digital forensics investigation are identified.

U2 - 10.1109/ACCESS.2019.2943837

DO - 10.1109/ACCESS.2019.2943837

M3 - Article

VL - 7

SP - 146057

EP - 146069

JO - IEEE Access

JF - IEEE Access

SN - 2169-3536

ER -

Urquhart C, Bellekens X, Tachtatzis C, Atkinson R, Hindy H, Seeam A. Cyber-security internals of a Skoda Octavia vRS: a hands on approach. IEEE Access. 2019 Oct 18;7:146057-146069. https://doi.org/10.1109/ACCESS.2019.2943837