Autonomous Emergency Braking (AEB) System
a. Item boundary
b. Item functions
The AEB system activates or deactivates the emergency braking function in accordance with the vehicle's operational mode and
sensor inputs. If the vehicle is in motion and an obstacle is detected ahead, the AEB system automatically applies the brakes to
prevent or mitigate a collision. It also adjusts the braking force based on the obstacle's distance and speed relative to the vehicle.
When the vehicle is approaching an obstacle at a critical distance, the AEB system switches from a warning mode to an automatic
braking mode if the driver does not intervene. It automatically releases the brakes if the obstacle is no longer detected or if the
driver takes control of the vehicle.
The AEB system integrates with external interfaces (e.g., cellular, Bluetooth) via the Navigation ECU and Gateway ECU to receive
real-time updates or alerts that may influence its operation. It ensures safe and efficient operation by continuously monitoring the
vehicle's surroundings and adjusting its response accordingly.
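The mode logic described above, written out as an added Python model (this is illustrative code, not the project's own implementation): time-to-collision thresholds, escalation from warning to automatic braking when the driver does not intervene, release when the obstacle disappears or the driver takes control, and a brake force scaled by how close the obstacle is. The threshold values and the force curve are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum

class AebMode(Enum):
    IDLE = "idle"          # no relevant obstacle; brakes released
    WARNING = "warning"    # obstacle ahead; driver is alerted, still in control
    BRAKING = "braking"    # automatic brake application

@dataclass
class AebInputs:
    vehicle_moving: bool
    obstacle_detected: bool
    distance_m: float         # distance to the obstacle in metres
    closing_speed_mps: float  # relative speed towards the obstacle (>0 = approaching)
    driver_intervening: bool  # driver is braking or steering away

# Assumed thresholds (constructed for this example, not taken from the item definition).
WARNING_TTC_S = 2.5    # warn when time-to-collision drops below this
CRITICAL_TTC_S = 1.2   # brake automatically below this unless the driver intervenes
MAX_BRAKE = 1.0

def time_to_collision(inp: AebInputs) -> float:
    """Seconds until impact at the current closing speed (inf when not closing)."""
    if inp.closing_speed_mps <= 0:
        return float("inf")
    return inp.distance_m / inp.closing_speed_mps

def next_mode(inp: AebInputs) -> AebMode:
    """Derive the AEB mode from the current inputs, following the item functions."""
    if not inp.vehicle_moving or not inp.obstacle_detected:
        return AebMode.IDLE        # parked, or obstacle no longer detected: release
    ttc = time_to_collision(inp)
    if ttc < CRITICAL_TTC_S and not inp.driver_intervening:
        return AebMode.BRAKING     # critical distance and no driver reaction
    if ttc < WARNING_TTC_S:
        return AebMode.WARNING     # driver took control or is still being warned
    return AebMode.IDLE

def brake_force(inp: AebInputs) -> float:
    """Brake force in [0, 1]; full force at TTC 0, half force at the critical threshold."""
    if next_mode(inp) is not AebMode.BRAKING:
        return 0.0
    ttc = time_to_collision(inp)
    return round(min(MAX_BRAKE, 1.0 - 0.5 * (ttc / CRITICAL_TTC_S)), 3)
```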
c. Description of operational environment
The item (Autonomous Emergency Braking System) is connected to the Gateway ECU and the
Fusion Sensor ECU. The Gateway ECU is connected to two ECUs: the Navigation ECU and the
Powertrain ECU. The Gateway ECU communicates with the Navigation ECU over a data
communication link.
Navigation ECU has external communication interfaces:
• Bluetooth
• Cellular
Assumption
• Navigation ECU has a firewall to prevent invalid data communication from external
interfaces.
Gateway ECU has external communication interfaces (not indicated in the diagram):
• OBD-II
Assumption
• Gateway ECU has strong security controls and a firewall function.
Fusion Sensor ECU is connected to 3 sensors:
• Lidar Sensor
• Radar Sensor
• Camera Sensor
Assumption
• Fusion Sensor ECU has strong security controls and a firewall function.
d. Asset Identification
Asset | Cybersecurity property (C I A) | Damage scenario
Data communication (brake request) | X X | Vehicle experiences delay in braking because the braking function was inhibited while parked (e.g., via stealthy malware or unauthorized code execution)
Data communication (brake request) | X X | Vehicle experiences unexpected acceleration while driving because the braking function was inhibited while parked
Data communication (brake request) | | Signal cannot reach Brake Control ECU because of flooded CAN bus
Data communication (oncoming car information) | X | Drivers of oncoming car are frightened; it is caused by not being able to slow down during driving.
Data communication (oncoming car information) | X X | Malfunctioning automatic braking function caused by car staying at a particular speed regardless of the speed of oncoming car.
Data communication (navigating bends) | X | Malfunctioning of vehicle automatic speed adjustment caused by staying at a particular speed regardless of need to slow down to navigate a bend
Brake control ECU firmware | X | Malfunctioning of brake control ECU due to hardware faults or software bugs
Brake control ECU firmware | X | Malfunctioning of brake control ECU due to presence of illegitimate firmware
Brake control ECU firmware | X | Brake control ECU in unusable state because of failure during OTA firmware update process.
Encryption keys | |
e. Threat scenario identification
Asset: Data communication (brake request)
Damage scenarios:
• Vehicle experiences delay in braking because the braking function was inhibited while parked (e.g., via stealthy malware or unauthorized code execution)
• Vehicle experiences unexpected acceleration while driving because the braking function was inhibited while parked
• Signal cannot reach Brake Control ECU because of flooded CAN bus
Threat scenarios:
• Spoofing (TS1): An attacker impersonates a legitimate ECU or sensor to send false signals to the brake control ECU.
• Tampering (TS2): An attacker modifies the brake control ECU firmware or configuration to inhibit braking functionality.
• Repudiation (TS3): The attacker alters or deletes logs related to firmware updates on the braking function, making it difficult to trace the source of the attack.
• Information Disclosure (TS4): Attacker intercepts unencrypted traffic between ECUs about the, enabling an attacker to exploit vulnerabilities.
• Denial of Service (TS5): The attacker floods the CAN bus or brake control ECU with malicious messages, preventing legitimate brake commands from being processed.
• Elevation of Privilege (TS6): The attacker gains unauthorized administrative access to the brake control ECU, allowing them to inhibit its functionality.

Asset: Data communication (oncoming car information)
Damage scenarios:
• Drivers of oncoming car are frightened; it is caused by not being able to slow down during driving.
• Malfunctioning automatic braking function caused by car staying at a particular speed regardless of the speed of oncoming car.
Threat scenarios:
• Spoofing: An attacker impersonates a legitimate component of the braking system (e.g., a sensor or ECU) to send false data.
• Tampering: An attacker modifies the braking system's firmware or configuration settings, leading to malfunction.
• Elevation of Privilege: An attacker gains unauthorized administrative access to critical systems controlling braking functions.

Asset: Data communication (navigating bends)
Damage scenarios:
• Malfunctioning of vehicle automatic speed adjustment caused by staying at a particular speed regardless of need to slow down to navigate a bend

Asset: Brake control ECU firmware
Damage scenario: Malfunctioning of brake control ECU due to hardware faults or software bugs
Damage scenario: Malfunctioning of brake control ECU due to presence of illegitimate firmware
Threat scenario:
• Spoofing: An attacker impersonates legitimate firmware or ECUs to introduce illegitimate firmware into the brake control system.
Damage scenario: Brake control ECU in unusable state because of failure during OTA firmware update process.
Threat scenario:
• Spoofing: An attacker impersonates a legitimate firmware update source to deliver unauthorized or malicious firmware.
f. Attack path analysis
TS1: An attacker impersonates a legitimate ECU or sensor to send false signals to the brake control ECU.
AP1
i. The attacker identifies vulnerabilities in the vehicle's infotainment system.
ii. The attacker connects a smartphone or other device to the infotainment system, exploiting a vulnerability to upload malicious firmware or commands.
iii. The attacker manipulates the infotainment unit to gain access to the vehicle's internal networks, including the CAN bus.
iv. The attacker impersonates legitimate sensors or ECUs by sending false data to the brake control ECU.
AP2
i. The attacker gains physical access to the vehicle through the OBD-II port.
ii. Using a specially crafted USB device or cable, the attacker uploads malicious software directly into the ECU.
iii. The attacker alters ECU settings or firmware, enabling them to spoof sensor data sent to the brake control ECU.
iv. The compromised ECU can now send false signals regarding vehicle speed or braking status.
AP3
i. The attacker exploits vulnerabilities in wireless communication protocols (e.g., Bluetooth, Wi-Fi) used by the vehicle's systems.
ii. The attacker sends crafted messages over these connections to inject malicious commands into the vehicle's network.
iii. The attacker manipulates the brake control ECU or other relevant ECUs to send false signals.
iv. The compromised ECU sends altered data regarding braking and speed, leading to potential malfunctions.
AP4
i. The attacker identifies weaknesses in shared telematics systems.
ii. Using a simple program, the attacker sends a vehicle identification number (VIN) to trick telematics services into believing they are a legitimate user.
iii. The attacker remotely controls aspects of the vehicle, such as unlocking doors or starting the engine.
iv. The attacker spoofs braking signals sent to the brake control ECU.
TS2: An attacker modifies the brake control ECU firmware or configuration to inhibit braking functionality.
AP1
i. The attacker identifies vulnerabilities in the OTA update mechanism used by the vehicle's manufacturer.
ii. The attacker exploits these vulnerabilities to intercept or inject malicious firmware during the OTA update process.
iii. The attacker uploads modified firmware that alters braking functionality, such as disabling brake engagement or changing response times.
AP2
i. The attacker gains physical access to the vehicle through the OBD-II port.
ii. The attacker connects a specialized device or dongle to the OBD-II port and uploads modified firmware directly to the brake control ECU.
iii. The attacker alters configuration settings that inhibit braking functionality or introduce bugs that affect performance.
AP3
i. The attacker uses a compromised device (e.g., a connected smartphone) to remotely connect to Bluetooth.
ii. The attacker exploits vulnerabilities in wireless communication protocols (e.g., Bluetooth, Wi-Fi) used by the vehicle's systems.
iii. The attacker uploads malicious firmware remotely.
iv. By sending specially crafted messages over these connections, the attacker injects commands that modify the brake control ECU's firmware or configurations.
AP4
i. The attacker gains access to legitimate diagnostic tools, either through social engineering or by exploiting vulnerabilities.
ii. The attacker uploads modified firmware or changes settings on the brake control ECU.
iii. The attacker introduces malicious code without detection via unsigned firmware uploads due to lax security measures.
iv. The modified ECU inhibits braking functionality based on the altered configurations.
TS3: An attacker alters or deletes firmware update logs related to a braking function.
AP1
i. Attackers exploit insecure firmware update mechanisms, such as unencrypted HTTP connections or unsigned updates, to deliver malicious code.
ii. The attacker modifies bootloaders or embeds UEFI implants to maintain persistence.
iii. Attackers erase or modify logs related to firmware updates to mask their activity.
AP2
i. Attackers exploit insecure firmware update mechanisms, such as unencrypted HTTP connections or unsigned updates, to deliver malicious code.
ii. The attacker downgrades firmware to older, vulnerable versions or exploits flaws like BootHole to execute code during boot, even with Secure Boot enabled.
iii. Attackers erase or modify logs related to firmware updates to mask their activity.
TS4: Attacker intercepts unencrypted traffic between ECUs about the, enabling an attacker to exploit vulnerabilities.
AP1
i. The attacker gains physical access via the OBD-II port.
ii. Capture unencrypted CAN messages between ECUs using tools like CAN bus analyzers or software-defined radios.
iii. Use algorithms to decode discrete variables (e.g. gear state) and continuous variables (e.g. vehicle speed) from raw CAN messages.
iv. Resend captured commands without modification (e.g. "disable ABS").
AP2
i. The attacker gains remote access to the in-vehicle network via a compromised infotainment system.
ii. Capture unencrypted CAN messages between ECUs using tools like CAN bus analyzers or software-defined radios.
iii. Use algorithms to decode discrete variables (e.g. gear state) and continuous variables (e.g. vehicle speed) from raw CAN messages.
iv. Resend captured commands without modification (e.g. "disable ABS").
AP3
i. The attacker gains remote access to the in-vehicle network via a vulnerable telematics unit.
ii. Capture unencrypted CAN messages between ECUs using tools like CAN bus analyzers or software-defined radios.
iii. Use algorithms to decode discrete variables (e.g. gear state) and continuous variables (e.g. vehicle speed) from raw CAN messages.
iv. Resend captured commands without modification (e.g. "disable ABS").
AP4
i. The attacker gains physical access via the OBD-II port.
ii. Capture unencrypted CAN messages between ECUs using tools like CAN bus analyzers or software-defined radios.
iii. Use algorithms to decode discrete variables (e.g. gear state) and continuous variables (e.g. vehicle speed) from raw CAN messages.
iv. Exploit parsed variables to trigger buffer overflows or logic flaws in ECU firmware.
AP5
i. The attacker gains remote access to the in-vehicle network via a compromised infotainment system.
ii. Capture unencrypted CAN messages between ECUs using tools like CAN bus analyzers or software-defined radios.
iii. Use algorithms to decode discrete variables (e.g. gear state) and continuous variables (e.g. vehicle speed) from raw CAN messages.
iv. Exploit parsed variables to trigger buffer overflows or logic flaws in ECU firmware.
AP6
i. The attacker gains remote access to the in-vehicle network via a vulnerable telematics unit.
ii. Capture unencrypted CAN messages between ECUs using tools like CAN bus analyzers or software-defined radios.
iii. Use algorithms to decode discrete variables (e.g. gear state) and continuous variables (e.g. vehicle speed) from raw CAN messages.
iv. Exploit parsed variables to trigger buffer overflows or logic flaws in ECU firmware.
TS5: Attacker floods the CAN bus or brake control ECU with malicious messages.
AP1
i. Connect to the CAN bus via the OBD-II port.
ii. Inject high-priority messages (e.g. ID 0x00) to dominate the bus.
AP2
i. Connect to the CAN bus via the compromised infotainment system.
ii. Inject high-priority messages (e.g. ID 0x00) to dominate the bus.
AP3
i. Connect to the CAN bus via the compromised Wi-Fi/Bluetooth interfaces.
ii. Inject high-priority messages (e.g. ID 0x00) to dominate the bus.
TS6: Attacker gains unauthorized administrative access to the brake control ECU.
AP1
i. Exploit exposed entry points like the OBD-II port.
ii. Parse private CAN protocols to identify brake-related message IDs (e.g. brake pressure or actuator commands).
iii. Exploit weaknesses in firmware update mechanisms to install malicious code.
iv. Send malicious CAN messages to override legitimate commands.
AP2
i. Exploit exposed entry points like the infotainment system.
ii. Parse private CAN protocols to identify brake-related message IDs (e.g. brake pressure or actuator commands).
iii. Exploit weaknesses in firmware update mechanisms to install malicious code.
iv. Send malicious CAN messages to override legitimate commands.
AP3
i. Exploit exposed entry points like the wireless interfaces (Bluetooth/Wi-Fi).
ii. Parse private CAN protocols to identify brake-related message IDs (e.g. brake pressure or actuator commands).
iii. Exploit weaknesses in firmware update mechanisms to install malicious code.
iv. Send malicious CAN messages to override legitimate commands.
AP4
i. Exploit exposed entry points like the OBD-II port.
ii. Parse private CAN protocols to identify brake-related message IDs (e.g. brake pressure or actuator commands).
iii. Exploit weaknesses in firmware update mechanisms to install malicious code.
iv. Reprogram the ECU to ignore driver inputs or enter a fail-safe mode, rendering brakes unresponsive.
AP5
i. Exploit exposed entry points like the infotainment system.
ii. Parse private CAN protocols to identify brake-related message IDs (e.g. brake pressure or actuator commands).
iii. Exploit weaknesses in firmware update mechanisms to install malicious code.
iv. Reprogram the ECU to ignore driver inputs or enter a fail-safe mode, rendering brakes unresponsive.
AP6
i. Exploit exposed entry points like the wireless interfaces (Bluetooth/Wi-Fi).
ii. Parse private CAN protocols to identify brake-related message IDs (e.g. brake pressure or actuator commands).
iii. Exploit weaknesses in firmware update mechanisms to install malicious code.
iv. Reprogram the ECU to ignore driver inputs or enter a fail-safe mode, rendering brakes unresponsive.
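A detection-side counterpart to the CAN flooding path (TS5) and the "flooded CAN bus" damage scenario: an added Python example, not part of the original analysis, that watches per-ID message rates in a sliding window and raises an alert when a known ID runs far above its baseline or an ID with no baseline (such as a low, high-priority ID used to dominate arbitration) outpaces the busiest legitimate sender. The CAN IDs, baseline rates and the capture are constructed for the example; frames are assumed to arrive as (timestamp, id) pairs in time order.

```python
from collections import defaultdict, deque

# Constructed baseline for the braking network: expected message period in seconds per
# CAN ID. These IDs and rates are assumptions for the example, not from the analysis.
BASELINE_PERIOD_S = {0x0A0: 0.010, 0x1C4: 0.020}   # brake request 100 Hz, wheel speed 50 Hz
WINDOW_S = 0.1          # sliding window length in seconds
RATE_TOLERANCE = 3.0    # flag a known ID at more than 3x its expected count per window

def expected_count(can_id, window_s=WINDOW_S):
    """Expected frames per window for a known ID, or None for an ID with no baseline."""
    period = BASELINE_PERIOD_S.get(can_id)
    return None if period is None else window_s / period

def detect_flood(frames, window_s=WINDOW_S, tolerance=RATE_TOLERANCE):
    """Scan (timestamp_s, can_id) frames in time order; return (can_id, count, reason) alerts.

    A known ID alerts when its count in the window exceeds tolerance x its expected count.
    An unknown ID alerts once it outpaces the busiest legitimate ID, which is what an
    arbitration-dominating flood of a low ID looks like. Each ID alerts at most once.
    """
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    busiest = max(expected_count(i, window_s) for i in BASELINE_PERIOD_S)
    for ts, can_id in frames:
        q = windows[can_id]
        q.append(ts)
        while ts - q[0] > window_s:      # drop frames that fell out of the window
            q.popleft()
        if can_id in alerted:
            continue
        count, exp = len(q), expected_count(can_id, window_s)
        if exp is not None and count > tolerance * exp:
            alerts.append((can_id, count, "rate above baseline"))
            alerted.add(can_id)
        elif exp is None and count > busiest:
            alerts.append((can_id, count, "unknown high-rate id"))
            alerted.add(can_id)
    return alerts

def constructed_capture():
    """Constructed sample: 0.2 s of normal traffic, then a 5 kHz burst of ID 0x000 frames
    starting at t = 0.10 s (the high-priority message flood of TS5)."""
    frames = [(i * 0.010, 0x0A0) for i in range(20)] + [(i * 0.020, 0x1C4) for i in range(10)]
    frames += [(0.10 + i * 0.0002, 0x000) for i in range(200)]
    return sorted(frames)
```

The first alert fires on the 11th flood frame, well inside the burst, so an in-vehicle IDS placed on the Gateway ECU could log or isolate the sender before the brake request stream is starved.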
g. Impact Rating
Attack Feasibility Assessment
Threat Scenario | Attack Path | ET | SE | KoIC | WoO | Eq | Value | AFR
TS1 | AP1 | | | | | | |
TS1 | AP2 | | | | | | |
TS1 | AP3 | | | | | | |
TS1 | AP4 | | | | | | |
TS2 | AP1 | | | | | | |
TS2 | AP2 | | | | | | |
TS2 | AP3 | | | | | | |
TS2 | AP4 | | | | | | |
TS3 | AP1 | | | | | | |
TS3 | AP2 | | | | | | |
TS4 | AP1 | | | | | | |
TS4 | AP2 | | | | | | |
TS4 | AP3 | | | | | | |
TS4 | AP4 | | | | | | |
TS4 | AP5 | | | | | | |
TS4 | AP6 | | | | | | |
TS5 | AP1 | | | | | | |
TS5 | AP2 | | | | | | |
TS5 | AP3 | | | | | | |
TS6 | AP1 | | | | | | |
TS6 | AP2 | | | | | | |
TS6 | AP3 | | | | | | |
TS6 | AP4 | | | | | | |
TS6 | AP5 | | | | | | |
TS6 | AP6 | | | | | | |
Key
ET = Elapsed Time
SE = Specialist Expertise
KoIC = Knowledge of Item or Component
WoO = Window of Opportunity
Eq = Equipment
AFR = Attack Feasibility Rating
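How the Value and AFR columns of the assessment table are derived from the five factors in the key: an added Python example (not part of the original TARA) using the attack potential approach of ISO/SAE 21434 Annex G. The factor values and AFR thresholds are assumed to match the standard's tables and should be checked against your copy; the two rated rows are constructed judgements for illustration, not the author's ratings.

```python
# Attack potential scale (assumed to match ISO/SAE 21434 Annex G; verify against the standard).
# Each factor maps a qualitative level to a numeric value; higher means harder for the attacker.
ELAPSED_TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
SPECIALIST_EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE_OF_ITEM = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW_OF_OPPORTUNITY = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}

def attack_potential(et, se, koic, woo, eq):
    """Sum of the five factor values: the 'Value' column of the assessment table."""
    return (ELAPSED_TIME[et] + SPECIALIST_EXPERTISE[se] + KNOWLEDGE_OF_ITEM[koic]
            + WINDOW_OF_OPPORTUNITY[woo] + EQUIPMENT[eq])

def feasibility_rating(value):
    """Map the attack potential value to the AFR; less required effort means higher feasibility."""
    if value <= 13:
        return "High"
    if value <= 19:
        return "Medium"
    if value <= 24:
        return "Low"
    return "Very low"

def assess(threat, path, **factors):
    """One row of the assessment table: factors, their sum, and the resulting AFR."""
    value = attack_potential(**factors)
    return {"TS": threat, "AP": path, **factors, "Value": value, "AFR": feasibility_rating(value)}

# Constructed ratings for two of the attack paths above (illustrative judgements only).
# TS5/AP1: CAN flooding via OBD-II needs little time, public knowledge and standard tools.
# TS2/AP1: tampering with firmware through the OTA mechanism needs expert effort and
#          confidential knowledge of the update design.
CONSTRUCTED_ROWS = [
    assess("TS5", "AP1", et="<=1 week", se="proficient", koic="public",
           woo="moderate", eq="standard"),
    assess("TS2", "AP1", et="<=6 months", se="expert", koic="confidential",
           woo="easy", eq="specialized"),
]
```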