This content is not included in
your SAE MOBILUS subscription, or you are not logged in.
Vehicle Safe-Mode, Concept to Practice Limp-Mode in the Service of Cybersecurity
Abstract:
This article describes both a concept and an implementation of vehicle safe-mode (VSM) - a mechanism that may help reduce the damage of an identified cyberattack to the vehicle, its driver, the passengers, and its surroundings.
Unlike other defense mechanisms that try to block the attack or simply notify of its existence, the VSM mechanism responds to a detected intrusion by limiting the vehicle’s functionality to safe operations and optionally activating additional security countermeasures. This is done by adopting ideas from the existing mechanism of Limp-mode that was originally designed to limit the damage of a mechanical, or an electrical, malfunction and let the vehicle “limp back home” in safety.
Like Limp-mode, the purpose of safe-mode is to limit the vehicle from performing certain functions when conditions arise that could render full operation dangerous: Detecting a malfunction in the Limp-mode case is analogous to detecting an active cybersecurity breach in the safe-mode case, and the reactions should be analogous as well.
We demonstrate that the VSM can be implemented, possibly even as an aftermarket add-on: to do so we developed a proof-of-concept (PoC) system and actively tested it in real time on an operating vehicle. Once activated, our VSM system restricts the vehicle to Limp-mode behavior by guiding it to remain in low gear, taking into account the vehicle’s speed and the driver’s actions. Our system does not require any changes to the electronic control units (ECUs), or to any other part of the vehicle, beyond connecting the safe-mode manager (SMManager) to the correct bus. We note that our system can rely upon any deployed anomaly-detection system to identify the potential attack.
We point out that restricting the vehicle to Limp-mode-like behavior by an aftermarket system is just an example. If a car manufacturer would integrate such a system into a vehicle, they would have many more options, and the resulting system would probably be safer and with a better human-machine interface.