A taxonomy of attack mechanisms in the automotive domain

In the last decade, the automotive industry incorporated multiple electronic components into vehicles introducing various capabilities for adversaries to generate diverse types of attacks. In comparison to older types of vehicles, where the biggest concern was physical security, modern vehicles might be targeted remotely. As a result, multiple attack vectors aiming to disrupt different vehicle components emerged. Research and practice lack a comprehensive attack taxonomy for the automotive domain. In this regard, we conduct a systematic literature study, wherein 48 different attacks were identified and classified according to the proposed taxonomy of attack mechanisms. The taxonomy can be utilized by penetration testers in the automotive domain as well as to develop more sophisticated attacks by chaining multiple attack vectors together. In addition, we classify the identified attack vectors based on the following five dimensions: (1) AUTOSAR layers, (2) attack domains, (3) information security principles, (4) attack surfaces, and (5) attacker profile. The results indicate that the most applied attack vectors identified in literature are GPS spoofing, message injection, node impersonation, sybil, and wormhole attack, which are mostly applied to application and services layers of the AUTOSAR architecture.


Introduction
Due to the openness and interconnectedness of modern embedded systems, various security issues arise [1]. Attackers try to exploit these vulnerabilities, which can result in numerous consequences such as financial loss, sabotage or an accident with a fatal outcome. An example of such systems are modern vehicles, which communicate with multiple devices such as traffic lights (V2I) or other vehicles (V2V). Initially, the automotive industry focused on addressing functionality and safety aspects of a vehicle [2]. In addition, the physical security represented the biggest concern. However, modern vehicles are highly connected systems wherein security is becoming an important subject [3].
Modern vehicles represent complex systems that consist of multiple Electronic Control Units (ECUs) designed based on the AUTomotive Open System ARchitecture (AUTOSAR) [4]. Due to the fact that they contain multiple hardware and software components, it is possible for an attacker to target such systems by applying various types of attacks. For example, these attack vectors include GPS spoofing [5], altering sensor values [6] and modifying traffic signs [7]. They range from very general types, such as a denial of service attack to attacks that are very specific for the automotive domain, namely, traffic control attack [8] or camera/radar/LiDAR spoofing [9].
Since the number and complexity of corresponding attacks is constantly increasing, it is difficult to keep track of existing threats. There are existing attack taxonomies in the automotive domain such as [10] and [11]. However, a comprehensive attack taxonomy that can be applied by penetration testers in the automotive domain is still missing. Thus, we address the following two research questions:
• (RQ1) What are the attack mechanisms in the automotive domain?
• (RQ2) What are the characteristics of identified attack vectors?
In order to answer the aforementioned research questions, we conducted a systematic literature review [12]. As a result, we identified a set of 48 attack vectors. We systematically developed a taxonomy of attack mechanisms under which we classified the identified attack vectors according to the multi-level dimensions. Furthermore, we proposed a classification scheme in order to investigate the characteristics of specific attacks and map them to the AUTOSAR architecture. Finally, we discussed how the taxonomy and the classification scheme can be applied for the purpose of security testing.
The classification and analysis were conducted based on the proposed taxonomy of attack mechanisms and the classification scheme. The results suggest that the most applied attack vectors are GPS spoofing, message injection, node impersonation, sybil, and wormhole attack, which are mostly applied to application and services layers of the AUTOSAR architecture. Finally, a majority of the attack vectors are applied via close proximity and remote access, wherein the affected information security principles are utility as well as possession and control.
The remainder of this paper is structured as follows: Section 2 provides background information on classifying attack vectors in the automotive domain. Section 3 examines related work regarding the classification of attack vectors and attack taxonomies in other domains. Section 4 discusses the research questions and the applied research method to develop the taxonomy of attack mechanisms and the classification scheme. Section 5 outlines the resulting taxonomy and provides the results of classification of attack vectors. Section 6 discusses the key findings as well as the application of the taxonomy for security testing. Finally, Section 7 concludes the paper and provides an outlook on the future work.

Classifying attack vectors in the automotive domain
In this section, we provide the necessary background information on attack vectors and their classification. Attack vectors are defined as paths or means by which an attacker can gain access to a computer or network server in order to deliver a payload or malicious outcome [13]. The dimensions we discuss are: AUTOSAR layers, attack domains, information security principles (Parkerian hexad), attack surfaces, and attacker profile.

AUTOSAR Layers
AUTOSAR is an open and standardized software architecture for ECUs in the automotive domain. It is a widely accepted standard for automotive basic software specification. In addition, it has a strong focus on re-usability of various functions, tools, methods and software. This was acknowledged and supported by more than 280 companies worldwide. The architecture enables the realization of functional requirements with the support for some non-functional requirements such as safety, portability, maintainability and efficiency [4]. As depicted in Fig. 1, the general AUTOSAR layered architecture consists of the following four layers:
• Application Layer: It contains various types of applications that provide multiple functionalities and are executed depending on the use case.
• Runtime Environment: It provides communication services to the application layer.
• Basic Software Layer: It enables the abstraction between the hardware and the application software. It consists of the following four sublayers:
  • Services Layer: It offers operating system functionality, network communication, memory services, diagnostic services, ECU state management and program flow monitoring.
  • ECU Abstraction Layer: It provides an API in order to access peripherals and devices regardless of their location and connection to the operating system.
  • Microcontroller Abstraction Layer: It consists of internal drivers, allowing direct access to the operating system and internal peripherals.
  • Complex Drivers: It provides capabilities to integrate additional functionalities, which are not specified within the AUTOSAR architecture.
• Microcontroller: It runs services, microcontroller abstraction and complex drivers layers.

Attack domains
Attack vectors can be classified according to the domain that is being affected by the attack. These domains were obtained from the Common Attack Pattern Enumeration and Classification (CAPEC) [15] attack database. It represents a dictionary of known attack patterns that are applied by adversaries in order to exploit known system weaknesses. These are used by security experts and researchers for analysis, testing and education for the purpose of developing and improving countermeasures against existing security threats. According to CAPEC, attack vectors are classified into the following six domains: (1) Software, i.e. exploitation of software applications, (2) Hardware, i.e. exploitation of physical hardware in computing systems, (3) Communication, i.e. exploitation of communications and related protocols such as Vehicular Ad-hoc Network (VANET) or Controller Area Network (CAN) bus, (4) Supply Chain, i.e. disruption of supply chain by manipulation of software, hardware or services for the purpose of espionage or theft, (5) Social Engineering, i.e. manipulation and exploitation of people and (6) Physical Security, i.e. exploitation of physical security.

Information security principles
Attack vectors can be classified based on the information security principles that they aim to disrupt. In this context, we apply the Parkerian hexad [16], which is considered as an extension of the traditional CIA triad as it includes three additional attributes. The Parkerian hexad can be easily mapped to the CIA and allows more detailed classification of identified attack vectors by providing more concrete categories. Moreover, there is a minor difference in the definition of integrity because the Parkerian hexad puts emphasis on the data completeness, whereas the CIA encompasses authorization as well. Thus, the Parkerian hexad distinguishes among the following six dimensions [17]: (1) Confidentiality: Preventing disclosure of information to unauthorized parties; (2) Integrity: Assuring that the data has not been altered or destroyed in an unauthorized manner; (3) Availability: Making the data accessible to a party that requested it; (4) Authenticity: Corresponding to the intended meaning of data; (5) Control: Avoiding, detecting, counteracting, or minimizing the security risks; and (6) Utility: Ensuring that the system and data remain stable and usable.

Attack surfaces
According to [8,18], attack vectors can be classified based on the attack entry point. In this context, a modern vehicular system consists of several layers, wherein each layer may be affected by attackers due to the vulnerabilities in the infrastructure. This can be achieved by targeting various devices and ECUs, cables or network (VANET). Thus, attack vectors can be classified based on the following three types of access: (1) Physical Access represents the lowest layer, which involves the access to wires and control boxes. This affects the following components: On-board diagnostic port (OBD-II), ECUs, on-board computers, modules, media systems (e.g., radio, media player, USB), navigation system, and dashboard. (2) Close Proximity describes attacks on the communication layer, where an attacker attempts to either insert, replace or steal the data. This also includes providing the wrong data to sensors. As a result, the following components pose the potential attack surface: Bluetooth, key/ignition (e.g., RKES, PKES), sensors, tire pressure monitoring system (TPMS), dedicated short range communication (DSRC), Wi-Fi, WAVE, voice controllable and speech recognition system (VCS/SRS). Finally, (3) Remote Access includes attacks that are conducted from large distances over the network. For example, an attacker may attempt to eavesdrop on messages that are sent to a vehicle from a command unit controlled by a vendor. The potential attack surfaces include: GPS, radio, cellular or mobile network (3G/4G/5G), internet (using applications or a web browser).

Attacker profile
According to [19,20], an attacker profile can be described by the following bipolar categories: (1) Membership, (2) Objective, (3) Activity and (4) Scope. In this context, according to the Membership, an attacker can be: (a) Insider: Authenticated user with knowledge about the network, its structure, and topology; or (b) Outsider: Unauthenticated user with little or no knowledge about the network. Based on the Objective, an attacker can be: (a) Malicious: Disrupts functionality of the network with no personal benefits disregarding corresponding costs and consequences; or (b) Rational: Gains profits from attacks, which is considered more predictable in terms of attack means and target. Furthermore, according to the Activity, an attacker can be: (a) Active: Generates, modifies, and sends malicious packets in the network; or (b) Passive: Silently monitors and eavesdrops network activities but does not generate packets or alter network information. Finally, based on the Scope, an attacker can be: (a) Local: Performs attacks and possesses entities in limited reach and scope; or (b) Extended: Controls several entities scattered across the network and in wider reach.

Related work
In this section, we discuss related work in the context of classifying attack vectors in the automotive domain and the development of attack taxonomies in general.

Classification of attack vectors in the automotive domain
Sumra et al. [21] proposed classification of attacks for VANETs. The authors classify attack vectors into five main dimensions: spamming, monitoring, social, application, and network attacks. Furthermore, different stages of attacks, attacker types and communication types are described. However, their work is strictly related to VANETs, while in addition to that we consider attack vectors for all the AUTOSAR layers as well.
Sheehan et al. [22] introduced a cyber-risk classification framework for connected and autonomous vehicles (CAV). In doing so, different attack types, attack vectors and attack surfaces are addressed. In addition, vulnerability data is used together with Bayesian networks in order to classify cyber-risks for CAV systems. Each node represents a possible attack vector together with additional information such as the attack complexity and scope. The Bayesian network model is validated using an out-of-sample test showing almost 100% prediction accuracy of the quantitative risk score and qualitative risk level. In comparison to our work, Sheehan et al. do not consider any automotive architectures.
Sommer et al. [10] developed a taxonomy to address attacks in the automotive domain. In order to gather the list of attacks, various vulnerability databases were investigated, from which attack related data was gathered. As a result, multiple dimensions such as attack type, exploitability rating, affected component, related vulnerabilities, and vehicle type were considered. However, compared to our work, their taxonomy is focused on addressing dimensions related to vulnerability information. This is because their data comes from vulnerability databases where broader attacks are not covered. Instead, we obtain our data from the scientific literature.
Ahmad et al. [23] proposed a systematic asset-based approach for cyber security in VANETs. As a result, multiple vulnerabilities, threats, assets, and attacks related to VANET were identified. In addition, a platform for the identification of various parameters during the development process of security frameworks was provided. However, similar to [21], their approach is strictly related to the network layer and does not consider attack vectors focusing on other layers.
Finally, we identified a taxonomy of attacks and defences for autonomous vehicles proposed by Thing et al. [11]. Consequently, the following five categories were investigated: attacker, attack vector, target, motive, and potential consequences. However, their research is on a very high abstraction level and does not consider attack vectors in technical detail. Furthermore, their work focuses only on autonomous vehicles, while we consider attack vectors on vehicles in general.

Attack taxonomies in other domains
In addition to the aforementioned attack classifications in the automotive domain, there exist related attack taxonomies from other domains, which we discuss here.
Lai et al. [24] proposed an attack taxonomy for classification of web attacks. As a result, attacks were classified according to the HTTP method (GET, POST, PUT and DELETE), type of an attack, platform, damage, markup language and Common Vulnerabilities and Exposures (CVE) reference. Their findings indicate that most of the attacks focus on GET and POST HTTP methods.
Dotter et al. [25] presented a conceptual cloud attack and risk assessment taxonomy, wherein the following five dimensions were investigated: source, vector, target, impact and defense. In addition, the associated risk for each attack scenario was calculated by considering the likelihood of a successful attack and the impact of an incident.
Gruschka et al. [26] proposed another taxonomy of attacks that target cloud systems. Compared to the aforementioned taxonomy, combinations of different attack surfaces were considered as well. In order to evaluate the proposed approach, the taxonomy was applied to four up-to-date attack incidents of cloud computing scenarios.
Simmons et al. [27] introduced a cyber attack taxonomy, in which five major classification criteria are used: the classification by attack vector, operational impact, defense, information impact and target. In addition, efficient cause, action, defense, analysis and target process metrics are proposed, which are used for attack classification. The results show an increase in an organization's attack resiliency in all functional areas when applying the developed taxonomy. However, the taxonomy is not applicable to any type of physical attacks.
Papp et al. [28] conducted a systematic review on the existing threats and vulnerabilities for embedded systems. According to the identified information, an attack taxonomy is developed, where the CVE data is classified according to the following five dimensions: precondition, vulnerability, target, method and effect of the attack. The results suggest that the taxonomy can assist analysis and design of embedded systems during the system development lifecycle.
Joshi et al. [29] proposed an attack taxonomy to classify attacks according to their nature. Thus, the following five dimensions are investigated: classification by attack vector, defense, method, impact and target. The taxonomy is evaluated by classifying various types of attacks such as the Blaster worm and Melissa. The proposed taxonomy can be used for attack mitigation and planning of defense strategies.
Finally, Hunt et al. [30] introduced a new approach for developing attack taxonomies for network security. In doing so, a model is proposed, which can be adapted for particular cases in the context of attack classification and vulnerability detection. This model includes four main dimensions: network categories, attack categories, attack techniques and protection technologies. In addition, the proposed model is applied to three case studies in order to demonstrate the usefulness of the developed taxonomy.
The aforementioned attack taxonomies have been developed for specific types of systems. Despite some commonalities between them and our classification, such as the categorization by attack surface, it is evident that none of the other taxonomies can be applied to the automotive domain. This is mainly due to the combination of specific architectures and component structures used in automotive engineering. Therefore, it is necessary to consider attacks affecting multiple architectures and various devices. For example, these include ECUs, CAN bus, VANET and media devices.

Methodology
As stated in Section 1, this paper addresses two research questions (RQ1 and RQ2). In order to address these research questions, we conducted a systematic literature review by combining the keyword search [12] and snowballing [31] methodologies (see Section 4.1). As a result, we collected publications describing various types of attacks (see Section 4.2). Based on the identified papers, we extracted 48 different attack vectors. Furthermore, we systematically developed a taxonomy of attack mechanisms, which was used to classify the identified attack vectors and address RQ1 (see Section 5.1). Moreover, we built the classification schema, where we applied the proposed taxonomy of attack mechanisms (see Section 4.4). Finally, we conducted the analysis of results and addressed RQ2 with corresponding sub-research questions (see Section 5). In this section, we describe the applied research methodology in more detail as represented in Fig. 2.

Search strategy
The literature study was based on keyword search as well as forward and backward snowballing. The keyword search was managed using multiple online publication libraries. These included the following: ACM, Science Direct, IEEE Xplore, Springer Link and Wiley [12]. We chose these as they represent the standard publication libraries that are commonly used within the domains of software engineering, electronic engineering and hardware security, which encompass the areas relevant for the study. In addition, we complemented our search with DBLP, Sage Journals, Taylor and Francis and AIS eLibrary, allowing us to identify additional highly relevant papers that were not detected by other publication libraries.
In order to obtain additional publications and improve the overall publication coverage, backward (cf. examining the references of a publication being studied) and forward (cf. identification of new publications that cite the one being examined) snowballing iterations were executed. According to Kitchenham and Brereton [12], applying multiple publication search methodologies achieves sufficient literature coverage.

Search process
The search process demonstrated in Fig. 3 includes the following three phases: keyword identification, database search and snowballing.
Keyword identification. The search string was formed by combining multiple terms related to attack vectors and the automotive domain. As a result, the following search string was formed: (attack OR threat) AND (car OR vehicle OR (autonomous AND (car OR vehicle)) OR automotive OR VANET OR (intelligent AND transporation AND system)).
Keyword Search. We conducted a database search using the aforementioned publication libraries and the search string. Based on this, we obtained a set of 59 publications. However, some libraries such as Taylor and Francis, Wiley, AIS eLibrary and CiteSeer did not provide any results. This might be due to the fact that these libraries do not address topics such as automotive security.
In a selection process, we applied the exclusion criteria (see Section 4.3) and performed a full-text reading of each paper whereby its content was examined regarding attack vectors. The exclusion was done in the early stage of the search process in order to develop a good starting set for the application of snowballing iterations. After that, we reduced our set to 35 papers.
Snowballing. We applied the snowballing methodology after the inclusion and exclusion criteria. This ensured that we start with a set of relevant publications. As a result, we performed backward and forward snowballing to the 35 papers identified in the previous step using Google Scholar. This resulted in 17 additional publications, which were added to the final set of 52 papers.

Inclusion and exclusion criteria
The selection of publications was performed based on the inclusion and exclusion criteria defined in Table 1. In order to obtain a set of high quality papers, we considered peer-reviewed articles, including academic publications, journal papers, conference proceedings, books and standards. In addition, we only selected publications available in full-text. This prevented us from dealing with incomplete information, thereby allowing us to determine if a paper should be part of our resulting set of publications. Furthermore, we only considered papers within a time period from year 2014 to the middle of year 2019 in order to obtain a current set of publications. Finally, we only selected papers from which it is possible to extract information about attack vectors, attack surfaces, and attack steps. We excluded grey literature including the following types of publications: technical/vendor reports, preprints, news/press, articles, work in progress, unpublished results, expert opinions/experiences based on theory, blog entries, and tweets. In addition, we excluded non-English articles due to the difficulty of fully understanding them. Furthermore, we encountered duplicate publications that were identified by multiple publication search engines. These were selected and removed from the final set. Finally, all the papers that considered general automotive security-related topics but did not present any information regarding specific attacks were excluded.

Development of the classification scheme
In order to classify the collected attack vectors, a classification scheme was developed following the methodology proposed by Usman et al. [32]. Thus, we applied the following four phases: (a) Planning, (b) Identification and Extraction, (c) Design and Construction, and (d) Validation.
The first step (cf. Phase (a)) involved the planning process, where the ideas for the classification scheme were collected based on the proposed research questions. In the second step (cf. Phase (b)), dimensions for the classification of attack vectors were developed. They were drawn from the collected literature obtained through the systematic literature review, CAPEC metrics [33], AUTOSAR architecture and the grouping of the identified attacks. The latter was performed iteratively by the authors, wherein each new attack category was defined after identification of at least two attack vectors that do not belong to any of the previously created categories. For example, the attack vector category Eavesdropping or Location Tracking Attack was defined in such an iterative way. Furthermore, each classification dimension was discussed and agreed by the authors internally. Finally, the classification scheme (cf. Phase (c)) was constructed by combining multiple proposed dimensions and validated (cf. Phase (d)) by classifying all the identified attack vectors.
The classification scheme as illustrated in Fig. 4 consists of the following five dimensions: AUTOSAR layers, attack domains, information security principles, attack surfaces, and attacker profile. Aside from these dimensions, we also investigated the relationship between security testing techniques and attack vectors (see Section 6.4). However, this association is only considered as a discussion point because security testing techniques are not part of the classification scheme.

Classification and analysis
In order to classify the final set of attack vectors, we applied the following procedure:
1. Initially, the taxonomy and the classification scheme were built by all four authors by discussing each dimension and revising them when necessary.
2. The second step included the classification and recording of the results in a spreadsheet.
3. The verification process included the division of the final set of papers, where the classification of each paper was verified by at least three other authors. Their results and comments were recorded in a separate spreadsheet.
4. Finally, all the classification discrepancies were discussed by all four authors. When necessary, a majority vote was taken in order to resolve any differences of opinion.
The aforementioned procedure ensured that each paper was classified by at least three authors. All the results were documented in a separate final spreadsheet, which was used for analysis and answering the research questions.
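The procedure above and the five-dimension scheme from Section 4.4 can be expressed as a small multi-label classifier. The following is an added example, not the authors' spreadsheet or tooling: the function names, the strict-majority rule with ties left open for discussion, and the reviewer votes are all assumptions constructed for illustration.

```python
from collections import Counter

# Allowed labels per dimension, as named in Sections 2 and 5.2 of the paper.
# The attacker profile is split into its four bipolar categories.
SCHEME = {
    "autosar_layer": {"Application", "Runtime Environment", "Services",
                      "ECU Abstraction", "Microcontroller Abstraction",
                      "Complex Drivers", "Microcontroller", "Not Applicable"},
    "attack_domain": {"Software", "Hardware", "Communication", "Supply Chain",
                      "Social Engineering", "Physical Security"},
    "security_principle": {"Confidentiality", "Integrity", "Availability",
                           "Authenticity", "Possession or Control", "Utility"},
    "attack_surface": {"Physical Access", "Close Proximity", "Remote Access"},
    "attacker_membership": {"Insider", "Outsider"},
    "attacker_objective": {"Malicious", "Rational"},
    "attacker_activity": {"Active", "Passive"},
    "attacker_scope": {"Local", "Extended"},
}


def validate(classification):
    """Return a list of problems: unknown dimensions or out-of-scheme labels."""
    problems = []
    for dim, labels in classification.items():
        if dim not in SCHEME:
            problems.append(f"unknown dimension: {dim}")
            continue
        for label in sorted(set(labels) - SCHEME[dim]):
            problems.append(f"{dim}: unknown label {label!r}")
    return problems


def reconcile(reviews):
    """Merge several reviewers' classifications of one attack vector.

    A label is accepted when a strict majority of reviewers assigned it.
    Labels with some votes but no majority (including ties) are returned as
    disputed so they can be discussed. This tie rule is an assumption.
    """
    n = len(reviews)
    accepted, disputed = {}, {}
    for dim in SCHEME:
        votes = Counter(l for r in reviews for l in set(r.get(dim, ())))
        accepted[dim] = sorted(l for l, c in votes.items() if 2 * c > n)
        disputed[dim] = sorted(l for l, c in votes.items() if 2 * c <= n)
    return accepted, disputed


def classify_all(reviews_by_vector):
    """Validate every review, then reconcile each attack vector."""
    records, open_points = {}, {}
    for vector, reviews in reviews_by_vector.items():
        for i, review in enumerate(reviews, start=1):
            problems = validate(review)
            if problems:
                raise ValueError(f"{vector}, reviewer {i}: {problems}")
        records[vector], open_points[vector] = reconcile(reviews)
    return records, open_points


def tally(records, dim):
    """Count attack vectors per label in one dimension.

    A vector may carry several labels per dimension, so the counts can add
    up to more than the number of vectors.
    """
    counts = Counter()
    for labels_by_dim in records.values():
        counts.update(labels_by_dim.get(dim, ()))
    return counts


# Constructed reviewer votes (four reviewers per vector), not the paper's data.
REVIEWS = {
    "message injection": [
        {"attack_domain": ["Communication", "Software"]},
        {"attack_domain": ["Communication", "Software"]},
        {"attack_domain": ["Communication"]},
        {"attack_domain": ["Communication", "Software", "Hardware"]},
    ],
    "key fob jamming": [{"attack_domain": ["Physical Security"]}] * 4,
    "bus-off attack": [
        {"attack_surface": ["Physical Access"], "attack_domain": ["Communication"]},
        {"attack_surface": ["Physical Access"], "attack_domain": ["Communication"]},
        {"attack_surface": ["Physical Access"]},
        {"attack_surface": ["Physical Access"]},
    ],
}

if __name__ == "__main__":
    records, open_points = classify_all(REVIEWS)
    for vector in records:
        print(vector, records[vector]["attack_domain"],
              "disputed:", open_points[vector]["attack_domain"])
    print(dict(tally(records, "attack_domain")))
```

Because a vector can hold several labels in one dimension, per-dimension totals exceed the number of vectors, which is why the counts reported per dimension in Section 5.2 do not sum to 48.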

Results
In this section we present the results related to the identified attack vectors. Thus, Section 5.1 addresses research question RQ1 and Section 5.2 provides answers to research question RQ2 with its corresponding sub-research questions RQ2.1 to RQ2.5.

Attack mechanisms
In the initial stage, we identified 80 attack vectors from the literature. However, some of these contained duplicate entries with similar naming, which were removed. In addition, the attack vectors with the same semantics were combined and grouped together. This reduced the number of entries, which further simplified the classification. Finally, we ended up with a final set of 48 attack vectors.
In this context, the identified attacks were classified according to the Mechanisms of Attack: CAPEC-1000 [15] in order to provide a standardized classification of attack vectors in the automotive domain. The difference between Mechanisms of Attack: CAPEC-1000 and our taxonomy is that we link each attack vector to the specific category and omit all the categories that are not related to automotive engineering. The taxonomy, illustrated in Fig. 5, consists of three levels where the lowest levels are represented by specific attack vectors that we identified. The highest level consists of the following eight main categories with their respective sub-categories: However, the Manipulate Data Structures category was not included since none of the identified attack vectors were applicable to this category.
A detailed description of each attack vector according to mechanisms of attacks can be found in the Appendix A.

Characteristics of attack vectors
In this subsection we present the answers to the second research question (RQ2) and corresponding sub-research questions (RQ2.1 to RQ2.5).

AUTOSAR Layers
In order to investigate how the identified attack vectors relate to the automotive architecture, we mapped them to the AUTOSAR layers. As depicted in Fig. 7, the Application (25) and Services (20) layers are affected by attacks to the highest degree. The identified attack vectors include replay (e.g., [34]), channel interference (e.g., [35]), and password/key (e.g., [36]) attacks. Other layers, such as Microcontroller Abstraction (6), ECU Abstraction (5), Complex Drivers (5), and Runtime Environment (5), are less targeted by the identified attack vectors. The attacks that are most commonly applied to these layers are ECU tampering (e.g., [37]), rogue software update (e.g., [38]), and malware (e.g., [39]) attacks. Regarding the Microcontroller layer (1), the only applicable attack is the side-channel attack [40].
Finally, we included a Not Applicable category, which includes the attack vectors that could not be applied to any of the layers of the AUTOSAR architecture. These include attack vectors that belong to the two following attack groups: Infrastructure manipulation (e.g., [41,42]) and identity spoofing (e.g., [34,43]).

Attack domains
As depicted in Fig. 8, a large number of attack vectors is part of the Communication (43) and Software (29) domains. This is due to many attacks being related to content spoofing, identity spoofing, flooding, infrastructure manipulation, obstruction, traffic injection, interception and footprinting. For example, a message injection attack injects arbitrary messages into the network or bus (e.g., [18]). As a result, it is part of the communication and software domains because of its impact on both of them.
In comparison, the attacks that come from Hardware (14), Social Engineering (9), and Supply Chain (3) domains are infrequently applied. Finally, we identified only a single attack vector (key fob jamming) from the Physical Security domain. In this attack, an attacker attempts to jam and record key fob rolling codes in order to use them for unlocking a vehicle [11].

Information security principles
As depicted in Fig. 9, the most affected information security principles are Possession or Control (32) and Utility (30). This is due to the fact that multiple attack vectors are related to content spoofing (e.g., [41]) or identity spoofing (e.g., [42]). In addition, we identified various attacks affecting Availability (25), Integrity (25), Authenticity (24), and Confidentiality (18).

Attack surfaces
With regard to the attack surfaces, we differentiate between Close Proximity, Remote Access, and Physical Access. Fig. 10 illustrates the relation of identified attack vectors to these categories. The highest number (43%) of total identified attacks are applied via close proximity. This includes attacks over Bluetooth, sensors, and Wi-Fi. An example is an RKES attack, which targets remote keyless entry systems, such as the doors of a vehicle (e.g., [36]). In addition, 41% of attack vectors are conducted using remote access, such as GPS and mobile networks. For example, a radio signal jamming attack produces random noise in order to disrupt the genuine radio signal (e.g., [39]). Finally, the lowest number of identified attack vectors (16%) are applied through physical access by employing OBD ports, media systems, and the car's dashboard. This includes bus-off attacks, which generate or alter CAN frames to force errors on the CAN bus (e.g., [44]).

Attacker profile
In order to map the identified attack vectors to an attacker profile, we investigated the following four dimensions: Membership, Objective, Activity, and Scope, which are illustrated in Fig. 11. With regard to membership, internal attackers (38) are more common than external attackers (27). Concerning the attacker's objective, malicious (37) attackers prevail over rational ones (19). Active (43) attacks are more prevalent than passive (5) attacks. Finally, in the majority of cases, the attacker's scope is local (47). On the other hand, the extended scope (14), where an attacker controls entities over a broader range and across the network, is rarely applied.

Discussion
In the following section, we present our key findings and open challenges. In addition, we compare the proposed taxonomy of attack mechanisms and the classification scheme to other taxonomies in the field. Furthermore, we discuss how the taxonomy can be applied for security testing. Finally, we consider possible threats to validity.

Key findings & interpretation
Our findings indicate that the most applied attack vectors identified in literature are GPS spoofing (e.g., [34]), message injection (e.g., [37]), node impersonation (e.g., [41]), sybil (e.g., [43]), and wormhole (e.g., [45]) attacks. This is due to the large number of approaches aiming to disrupt vehicle services over the CAN network or the vehicle-to-vehicle (V2V) communication. Compared to other attack vectors such as ECU tampering or password/key attack, these attacks are considered to be less sophisticated. In addition, attacks such as sybil or wormhole can target more than one vehicle in the network.
Regarding the AUTOSAR layers, the identified attack vectors mostly affect the services and application layers. The reason behind this is that these two layers include various applications and provide network communication, memory services and program flow monitoring. As a result, they are the most common targets for attackers. Other layers such as microcontroller and complex drivers layers are more abstracted [2]. Thus, it is more difficult to apply attack vectors in order to disrupt their services. In addition, the services layer also provides vital functionalities for the vehicle such as operating system services, network communication and memory management. As a result, it is a common target for attackers due to the possibility of disabling a part of the system or the whole system.
With regard to the affected attack domains, the communication and software domains are affected to a high extent. This observation is consistent with the classification of attack vectors to AUTOSAR layers, where services and application layers are impacted the most. On the other hand, the physical security domain is barely tackled by approaches. The reason behind this might be that the attack vectors aiming to penetrate physical security are kept secret in order to suppress possible vehicle thefts.
With respect to the information security principles, the attacks aim to affect the possession or control, and utility information security attributes. The reason behind this might be that criminals attempt to take control of a vehicle. Other information security principles, such as confidentiality, are presumably less targeted by adversaries because the financial gain they can obtain is very limited.
Concerning the attack surfaces, the majority of attack vectors are applied via close proximity or remote access. This corresponds with the time frame of this study (2014-2019) as we were only interested in the most recent approaches. Therefore, it is expected that the investigated approaches were only applied to modern vehicles that contain multiple electronic components, which are usually accessed over the network. As a result, there are only a few attack vectors that require physical access (e.g., [44]).
It is evident that multiple identified attack vectors could be applied outside of the automotive domain. The reasoning behind this is that a car is an embedded system connected to other entities, such as other vehicles, RSUs and data centers over multiple smaller networks. Hence, all attacks that are linked to the computer networks or network security domain can be applied to the automotive domain as well. However, we identified attacks, such as the illusion attack and the traffic control attack, which are automotive domain specific (see Appendix A).
According to the identified literature, there is a significant research focus on the application of botnets. This can be seen from the work of Garip et al. in which they show that organizing compromised vehicles into botnets and disseminating false information is feasible [46]. In addition, they utilize a surveillance attack based on these botnets to track vehicles and drivers [47]. Moreover, multiple approaches [9,48] attempt to apply a large set of different attack vectors including sensor spoofing, jamming, and audio attacks in order to target on-board sensors, cameras, and the voice recognition system of modern cars. This is achieved using basic experiments and simulations, which are later transformed into more comprehensive tests using real vehicles. Since the V2V technologies are developed only to an extent, the mentioned papers are limited to specific attack scenarios, which do not cover additional factors, such as message integrity checks and the information transmitted by RSUs. Nevertheless, they provide new knowledge and information relevant for future research in the security of autonomous and smart vehicles.
Aside from looking into attack vectors separately, chained attacks were also examined. For example, adversaries generate attacks that aim to track drivers or cars by obtaining location information, such as GPS coordinates. For that purpose, they combine trajectory tracking, location tracking, and ID disclosure attacks together with the eavesdropping attack ([49], [50], [47]). Furthermore, replay and key fob jamming attacks are applied together with channel interference, radio signal jamming, and Camera/Radar/LiDAR jamming attacks ([51], [6], [52]). To illustrate this, consider a radio signal jamming attack wherein a perpetrator attempts to reduce the signal-to-noise ratio in order to make it difficult to differentiate between a valid signal and background noise. This is achieved by constantly replaying different signals that can cause interference with authorized communication [18]. Moreover, in a bus-off attack, an attacker injects purposely crafted messages in order to isolate a defective ECU by deceiving it into assuming it is faulty [44]. This attack is often paired with the eavesdropping attack in order for an adversary to intercept the communication that goes over the CAN bus ([53], [54]). Another attack that can prevent communication between vehicles and obstruct traffic flow is a denial-of-service (DoS) attack. For example, this attack can cause a collision of vehicles since the warning mechanisms may never even activate. This can be achieved by chaining replay, jamming, interference, and bus-off attacks, thereby resulting in a complete shutdown of the vehicle system and communication [11].
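The bus-off attack described above works through CAN fault confinement, in which a node that accumulates transmit errors removes itself from the bus. As an added example (not code from the paper or its cited works), the monitor below applies the basic ISO 11898-1 transmit error counter rules (+8 per transmit error, -1 per successful transmission, error-passive from 128, bus-off above 255) to a per-ECU event stream and raises an early warning on a run of consecutive transmit errors. The event format, the ECU labels, the streak threshold of 8 and the trace itself are constructed assumptions, and the model omits the standard's special cases.

```python
from dataclasses import dataclass

ERROR_PASSIVE_THRESHOLD = 128  # TEC >= 128: node becomes error-passive
BUS_OFF_THRESHOLD = 256        # TEC > 255: node goes bus-off
TX_ERROR_PENALTY = 8           # added to TEC on each failed transmission
TX_SUCCESS_CREDIT = 1          # subtracted from TEC on each good transmission


@dataclass
class EcuState:
    tec: int = 0                 # transmit error counter
    streak: int = 0              # consecutive failed transmissions
    state: str = "error-active"


def classify(tec):
    if tec >= BUS_OFF_THRESHOLD:
        return "bus-off"
    if tec >= ERROR_PASSIVE_THRESHOLD:
        return "error-passive"
    return "error-active"


def monitor(events, streak_alert=8):
    """events: iterable of (timestamp, ecu, outcome), outcome is 'ok' or 'err'.

    Returns (per-ECU state, alerts). Sporadic faults are absorbed by the -1
    credit; an unbroken run of errors is what drives a node toward bus-off,
    so the streak alert fires well before the state changes.
    """
    ecus, alerts = {}, []
    for ts, ecu, outcome in events:
        s = ecus.setdefault(ecu, EcuState())
        if s.state == "bus-off":
            continue  # a bus-off node no longer transmits
        if outcome == "err":
            s.tec += TX_ERROR_PENALTY
            s.streak += 1
            if s.streak == streak_alert:
                alerts.append((ts, ecu, "error-streak", s.tec))
        else:
            s.tec = max(0, s.tec - TX_SUCCESS_CREDIT)
            s.streak = 0
        new_state = classify(s.tec)
        if new_state != s.state:
            alerts.append((ts, ecu, new_state, s.tec))
            s.state = new_state
    return ecus, alerts


def constructed_trace():
    """Constructed sample: one ECU with sporadic faults, one forced to bus-off."""
    events, t = [], 0.0
    for i in range(100):  # ECU 0x120: every 20th transmission fails
        events.append((t, "0x120", "err" if i % 20 == 19 else "ok"))
        t += 0.01
    for _ in range(10):   # ECU 0x2A0: healthy at first ...
        events.append((t, "0x2A0", "ok"))
        t += 0.01
    for _ in range(32):   # ... then 32 failed transmissions in a row
        events.append((t, "0x2A0", "err"))
        t += 0.01
    return events


if __name__ == "__main__":
    ecus, alerts = monitor(constructed_trace())
    for ts, ecu, kind, tec in alerts:
        print(f"t={ts:.2f}s ecu={ecu} {kind} TEC={tec}")
    for ecu, s in ecus.items():
        print(ecu, s.state, s.tec)
```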
The proposed taxonomy of attack mechanisms as well as the classification scheme provide a valuable input for information security practitioners. These can be applied during the process of security testing for validation purposes by considering attack vectors separately or crafting custom attack chains. In this context, the identified attack vectors can be easily linked to CVE entries, where the potential weaknesses and security issues can be highlighted. For example, the remote code execution attack is related to CVE-2019-12797, where an attacker executes arbitrary commands to an OBD-II bus of a vehicle. Furthermore, the taxonomy encompasses the relevant attacks described in practice. For example, the "2020 Global Automotive Cyber Security Report" [55] by Upstream Security provides the list of the top 12 most common attack vectors on vehicles in practice from the years 2010-2020 (see Table 2). These were collected from various publicly available online sources, while strongly focusing on the most recent security incidents. In order to verify that the provided attack vectors are covered by the proposed taxonomy, each attack vector was mapped to the respective entry in the taxonomy. In this context, a keyless entry/key fob attack vector can be mapped to the Manipulate system resources→Obstruction→Key fob jamming category, wherein an attacker interrupts the communication between the key fob and the vehicle by jamming a specific frequency. Likewise, a server attack can be mapped to the Abuse existing functionality→Flooding→Network flooding attack, in which an adversary sends a large number of messages to the server in order to disable its services as well as the communication to a legitimate vehicle. Similarly, it is possible to map sensor attacks to the Engage in deceptive interactions→Content spoofing→Camera/Radar/LiDAR spoofing category, wherein an attacker attempts to obtain readings and falsify data from specific sensor devices that are installed in a vehicle.
It is important to note that the mappings demonstrated in Table 2 are provided as a single example per category. Needless to say, there exist other mappings that would apply for the listed categories.

Open challenges
In addition to attack vectors, we also identified multiple security-related challenges and open issues in automotive engineering. These are often connected to self-adaptation techniques applied by vehicles, as well as the GPS communication and location tracking.
Modern vehicles that apply self-adaptation techniques could be targeted by utilizing new forms of attacks that can be applied to such systems [56]. As a result, it is necessary to dynamically adapt existing security features. For example, this can be done by applying cryptographic operations to hardware security modules or trusted platform modules [57]. In addition, an AI-based immune system is necessary, which could autonomously deal with threats and use intelligent techniques to prevent any unknown threats.
In some vehicles, global navigation satellite systems (GNSS) are crucial when it comes to positioning them on the map. The manipulation of such data could enact inaccurate maneuvers and jeopardize the lives of passengers. Multiple publications ([58], [6], [50], [59]) suggest that more innovative protective measures against location/trajectory tracking attacks are needed. More specifically, it is necessary to improve the security of GPS signals as well as to identify GPS spoofing and fake message injection. For instance, this can be achieved by using improved cryptographic approaches in order to preserve the location privacy of vehicles.
Moreover, we identified additional open issues that include developing countermeasures against the attacks targeting the CAN scheme [40], improvement of secure routing protocols [39], prevention of malicious code injection in ECUs/CAN bus [60], consideration of bus-off attacks early in the design phase [44], enhancement of remote keyless systems [61] and consideration of botnet attacks on platooning systems that can cause more damage [46].

Comparison of taxonomies
In this section, we compare our taxonomy and classification scheme to taxonomies proposed by Sommer et al. [10] and Thing et al. [11] (see Table 3). These are the only two taxonomies of attacks for the automotive domain that were identified.
The major difference between the taxonomies is in the attack data that was used for the classification. Sommer  In regards to all aforementioned classification criteria, we consider our classification to be more thorough due to the higher number of dimensions as well as the proposed taxonomy of attack mechanisms.

Application of the taxonomy for security testing
This paper is related to our previous study on security testing techniques in automotive engineering [2]. We performed a systematic mapping study, where we investigated the following five dimensions: (1) security testing techniques, (2) AUTOSAR layers, (3) functional interfaces of AUTOSAR, (4) vehicle lifecycle phases, and (5) attacks. This involved classifying 39 selected publications based on the aforementioned dimensions. The results indicated a high number of penetration testing and dynamic analysis, and model-based testing approaches addressing the application and services layer of the AUTOSAR architecture in the design, production, and operation phase of the vehicle lifecycle. In order to accomplish this, attacks are applied aiming to disrupt privacy and availability using the multimedia/telematics functional interface. In addition, we indicated the need for methods addressing security testing approaches combined with the consideration of safety aspects.
The developed taxonomy of attack mechanisms can be used to guide security testing in the automotive domain. For that purpose, we discuss different security testing techniques [62] and relate them to identified attack vectors (see Table 4). The emphasis is on penetration testing and dynamic analysis, which can be applied to each identified attack vector. Moreover, specific attack vectors that engage in deceptive interactions, manipulate system resources, inject unexpected items, and collect and analyze information can be tested using model-based testing [63]. Besides the previously mentioned attack vectors, risk-based testing [64] can be applied by employing subvert access control. Finally, attacks that utilize probabilistic techniques and manipulate timing and state can only be tested by penetration testing and dynamic analysis.
Therefore, when performing security testing by applying attack vectors, penetration testing and dynamic analysis should be the leading choice for security testers in the automotive domain. In this regard, it is still possible to apply other testing techniques such as model-based and risk-based testing. However, they may not be applicable with all attack vectors, such as the ones dealing with subvert access control, manipulation of timing and state, and collection and analysis of information.

Threats to validity
Throughout the research process, we took into account possible threats to validity and minimized them. According to Petersen and Gencel [65], we distinguished between descriptive validity, theoretical validity, generalizability, interpretive validity and repeatability.
Descriptive validity: The taxonomy of attack mechanisms and the classification scheme were developed first and then used to classify all the identified attack vectors. Using the taxonomy and the classification scheme, it is possible to replicate the result set at any time. Additionally, multiple dimensions were obtained from the existing literature.
Theoretical validity: In order to prevent the overlooking of relevant publications, the keyword search was applied, wherein multiple publication search engines were considered. There is a risk that some papers were missed due to application of the specific search string. This was addressed by applying forward and backward snowballing iterations. Since the focus of the study was on the time period from 2014 to 2019, some relevant papers written by S. Checkoway ([66], [67]) and T. Hoppe ([68], [69], [70], [71]) were not included in the final set of papers. However, the attack vectors described within these publications are covered in the proposed taxonomy of attack mechanisms. These include: arbitrary code execution over the OBD port and ECU, eavesdropping, CAN packet fuzzing, DDoS attacks, reverse engineering, and malware attacks, such as using trojans against electronic throttle control. Furthermore, there is a risk that the selection and extraction processes are biased. In order to counter that, a cross-validation approach was applied in which the classification of each attack vector was verified by at least two authors. In the case of any difference of opinion, a majority vote was taken and the papers were re-classified. Moreover, there is a chance that we misunderstood some activities within the investigated approaches. This especially relates to AUTOSAR layers and security testing techniques because classifying these is highly complex due to the fact that the information has to be taken out of context. As a result, it is important to take researcher bias into consideration. In order to counteract this, each contributor classified a subset of publications which intersected with a set from another contributor. In the case of any discrepancies, they were thoroughly discussed and re-classified.
Finally, this study has a strong focus on the AUTOSAR architecture and it might not be applicable to automotive industries that do not accept AUTOSAR as a de-facto standard.
Generalizability: The results of this study can be generalized solely to the automotive domain and the corresponding attack vectors. Thus, it is not possible to utilize them within any other domain. However, the approach for the development of the taxonomy and the classification scheme can be applied to other domains and we consider this future research. In addition, this study has a strong scientific literature focus. Compared to the gray literature, which contains various claims, we only analyze papers that include evaluated work. Nevertheless, papers still discuss the application of identified attack vectors in practice.
Interpretive validity: The classification results were interpreted by all four authors. In this regard, we discussed any disagreement and applied statistical tools to study the results. However, there is a probability that the resulting interpretation was influenced by a researcher bias.
Repeatability: The full procedure of this study was documented in detail. This is described in the methodology section (see Section 4). In addition, the existing guidelines were applied according to [31], [32] and [65]. Therefore, it should be possible to replicate the procedure and perform an equivalent study.

Conclusion
In this paper, we classified and analyzed attack vectors in the automotive domain. In this regard, we conducted a systematic literature review in which 48 different attack vectors were identified. In order to classify them, we developed a taxonomy wherein each attack vector was related to a specific CAPEC attack mechanism. In addition, we built a classification scheme and investigated the following five dimensions: (1) AUTOSAR layers, (2) attack domains, (3) information security attributes, (4) attack surfaces, and (5) attacker profile. As the next step, we classified the selected attacks according to the aforementioned dimensions. The results showed that the most applied attack vectors are GPS spoofing, message injection, masquerade, sybil, and wormhole attacks, which are mostly applied to the application and services layers of the AUTOSAR architecture. Furthermore, the majority of attacks are applied via close proximity and remote access by affecting utility, and possession and control information security principles. The presented results were obtained by examining how many times each attack vector appeared in the literature. As a result, it can be seen that there is a significant academic and research interest in this area. Future work comprises applying and refining the presented taxonomy of attack mechanisms in case studies as well as the development of the taxonomy for attack mitigation approaches.

Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment
This work was partially supported by the Austrian Science Fund (FWF): I 4701-N.

Appendix A. Appendix
In the following section, we list all the identified attack vectors according to the Mechanisms of Attack: CAPEC-1000 [15] (see Table A.5). In addition, we provide a brief description of each identified attack vector.

Engage in deceptive interactions
(a) Content spoofing:
• Message tampering attack: Delete or alter data content to send false messages; modify data content to send malicious messages as legitimate.
• Audio attack: Use inaudible voice commands to control the speech recognition system of a vehicle (e.g., navigation system).
• Replay attack: Repeat sending signals which happened in the past and did not expire; relay genuine signal (e.g., LIDAR signal) from one location to create fake echoes at another location.
• GPS spoofing: Gradually provide false position information to other vehicles/RSUs by overpowering the authentic and genuine signal, e.g., to lure vehicles to a different location.

[Table A.5, last rows as recovered: [20,35,42,43,57]; Man-at-the-end attack [43]; Session hijacking [39,76,78]]

software and disseminate false information, e.g., to mislead vehicles to exit current road, or to create undesirable wave effects (shock waves, traffic jams, stop-and-go traffic, pile-up crashes).
• Routing request modification: Modify the routing information or change the number of hops in forwarding routing requests to delay the packet delivery.
• Routing cache poisoning: Broadcast spoofed packets containing routes to one or more malicious nodes which are stored to the other nodes' route caches.
• Black hole attack: Advertise having the best route to a destination, consume, and never forward arriving packets.
• Gray hole attack: Only suppress or modify packets originating from some nodes, while leaving data from other nodes unaffected; variant of the black hole attack.
• Wormhole attack: Transmit packets received at one region to another region of the network to confuse routing mechanisms, e.g., two or more malicious vehicles make routing protocols prefer communication link between them as the best route to any destination.
• Byzantine attack: Create routing loops, forward packets in a long route instead of the optimal one, and drop packets.
• Rushing attack: Forward route requests more quickly than legitimate nodes to increase the probability that the routes including the attacker will be discovered rather than other valid routes.
(c) Obstruction:
• Channel interference attack: Emit an illegitimate interference signal or message to disrupt or occupy the communication channel, e.g., constantly send top-most priority messages.
• GPS jamming: Disrupt the GPS signal, e.g., radio noise on GPS frequency.
• Camera/Radar/LIDAR jamming: Use reflective material or light sources to interfere with sensors, e.g., blind cameras, block sight of sensors.
• Radio signal jamming: Disrupt the radio signal, e.g., generate pulse or random noise.
• Key fob jamming: Jam and record key fob rolling codes.
4. Inject unexpected items:
(a) Traffic injection:
• Message injection attack: Inject arbitrary messages to the network or bus.
• Message fabrication attack: Create and send false messages with selfish and/or malicious intent, without any meaning, or untrue reports, e.g., false congestion information.
(b) Local code execution:
• Malware attack: Employ or install hostile, intrusive, or malicious software (e.g., trojan, ransomware, spyware, worm) or smartphone app (e.g., self-diagnostic app).
(c) Code inclusion:
• Remote code execution: Exploit vulnerabilities in software components (e.g., web browser, operating system) to remotely access the target system or execute arbitrary code on the target system.
5. Employ probabilistic techniques:
• Packet fuzzing: Send invalid data to an ECU to trigger error conditions or faults leading to exploits and other vulnerabilities.
• Password/Key attack: Find passcodes, keys, or other secrets to grant access and authorization, e.g., recover keys by performing brute-force, dictionary, or rainbow table attack.
6. Manipulate timing and state:
• Timing attack: Delay transmission of high-priority, emergency, or safety-critical messages.
7. Collect and analyze information:
(a) Interception:
• Eavesdropping: Steal personal data or network information to gather knowledge about the vehicle, network, and communication patterns between nodes.
(b) Reverse engineering:
• Side-channel attack: Retrieve useful information through alternative paths by analysing power consumption, electromagnetic leaks, acoustic signals, timing information, transient characteristics, data remanence, etc.
(c) Footprinting:
• ID disclosure attack: Obtain the identity of a node for tracking.
• Location tracking attack: Illegitimately obtain the location information or track the location of a vehicle or driver.
• Trajectory tracking attack: Continuously track a vehicle's trajectory or recover the trajectory from location samples.
8. Subvert access control:
(a) Exploiting trust in client:
• Man-in-the-middle attack: Eavesdrop and modify the communication between two nodes that assume they directly communicate with each other.
(b) Privilege abuse:
• Man-at-the-end attack: Abuse privileges to eavesdrop the communication channel and inject new messages but not modify or delete other messages.
(c) Exploitation of trusted credentials:
• Session hijacking: Sniff necessary information from the communication between two other nodes and take over the established session.