Who Killed My Parked Car?

We find that the conventional belief of vehicle cyber attacks and their defenses—attacks are feasible and thus defenses are required only when the vehicle’s ignition is turned on—does not hold. We verify this fact by discovering and applying two new practical and important attacks: battery-drain and Denial-of-Body-control (DoB). The former can drain the vehicle battery while the latter can prevent the owner from starting or even opening/entering his car, when either or both attacks are mounted with the ignition off. We first analyze how operation (e.g., normal, sleep, listen) modes of ECUs are defined in various in-vehicle network standards and how they are implemented in the real world. From this analysis, we discover that an adversary can exploit the wakeup function of in-vehicle networks—which was originally designed for enhanced user experience/convenience (e.g., remote diagnosis, remote temperature control)—as an attack vector. Ironically, a core battery-saving feature in in-vehicle networks makes it easier for an attacker to wake up ECUs and, therefore, mount and succeed in batterydrain and/or DoB attacks. Via extensive experimental evaluations on various real vehicles, we show that by mounting the battery-drain attack, the adversary can increase the average battery consumption by at least 12.57x, drain the car battery within a few hours or days, and therefore immobilize/cripple the vehicle. We also demonstrate the proposed DoB attack on a real vehicle, showing that the attacker can cut off communications between the vehicle and the driver’s key fob by indefinitely shutting down an ECU, thus making the driver unable to start and/or even enter the car.