Off is Not Off: On the Security of Parked Vehicles

While various ways of attacking and thus controlling the vehicle have been demonstrated, all these attacks were shown to be feasible and effective only while the vehicle is running, i.e., ignition is on. In this paper, we invalidate the conventional belief that remote vehicle attacks are feasible and hence their defenses are required only when the vehicle's ignition is on. We first analyze how operation (e.g., normal, sleep, listen) modes of electronic control units (ECUs) are defined in various invehicle network standards and how they are implemented in real vehicles. From this analysis, we discover that an adversary can exploit the wake-up function of in-vehicle networks-which was originally designed for enhanced user experience/convenience (e.g., remote diagnosis, remote temperature control) -as an attack vector. Ironically, the battery-saving feature in in-vehicle networks makes it easier for an attacker to wake up ECUs and, therefore, mount Battery-Drain (BD) orDenial-of-Bodycontrol (DoB), and Unattended Control (UC). In particular, we show that the adversary mounting the BD attack can completely drain the vehicle battery within an hour in the worst case, the attack mounting the DoB attack can disable the communications between the vehicle and its key-fob by shutting down the associated ECU, thus immobilizing the vehicle, and the adversary can physically access a vehicle by controlling the door and/or trunk locks via the UC attack.