This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings. Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety. Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well. The authors demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so the authors developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, the authors' VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. The authors' system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. The authors note that their system can rely upon any deployed anomaly-detection system to identify the potential attack. The authors point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. If a car manufacturer were to integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and have a better human-machine interface.

Tsvika Dagan, Yuval Montvelisky, Mirco Marchetti, Dario Stabili, Michele Colajanni, Avishai Wool (2020). Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity. SAE INTERNATIONAL JOURNAL OF TRANSPORTATION CYBERSECURITY AND PRIVACY, 3(1), 19-39 [10.4271/11-02-02-0006].

Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity

Mirco Marchetti; Michele Colajanni
2020

Tsvika Dagan; Yuval Montvelisky; Mirco Marchetti; Dario Stabili; Michele Colajanni; Avishai Wool
Files in this record:
File: VSM_Journal-R2.pdf
Access: open access
Type: Postprint
License: Free open-access license
Size: 724.61 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11585/811615