Initial Access

The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

ID: TA0001
Created: 03 December 2023
Last Modified: 03 December 2023

Techniques

Techniques: 11
ID: T2001
Name: Deliver Malicious App via Authorized App Store
Description: Adversaries may take advantage of authorized app stores to deliver malicious apps to target vehicle systems. This technique allows them to gain access to the vehicle's network.

ID: T2002
Name: Exploit via backend service
Description: Adversaries may exploit vulnerabilities in backend services to gain unauthorized access and potentially compromise vehicles. Backend services, such as those provided by platforms like Mercedes Me, let drivers remotely manage their vehicles through backend servers. These services become attractive targets when weaknesses are present in the backend server infrastructure.
Exploiting vulnerabilities in backend services means leveraging security flaws in the server-side components that manage vehicle connectivity and control. Attackers may use these flaws to gain unauthorized access to vehicle systems and manipulate their functions: for instance, remotely unlocking doors, disabling security features, or manipulating critical vehicle systems.
By infiltrating backend services, adversaries may compromise the integrity and safety of vehicles, posing significant risks to both drivers and manufacturers. Organizations in the automotive industry should proactively address these vulnerabilities and implement robust security measures to protect against such threats.

ID: T2003
Name: Exploit via Charging Station
Description: Adversaries may exploit vulnerabilities associated with charging stations to gain unauthorized access to vehicles and potentially compromise their systems. While charging stations offer the convenience of "plug and charge" for electric vehicles, the underlying protocols and communication channels between the station and the vehicle are often insecure. Attackers can therefore employ tactics such as Man-in-the-Middle (MITM) attacks to intercept and manipulate the data exchanged during the charging process.
These vulnerabilities allow adversaries to intercept sensitive vehicle data, inject malicious code or commands into the communication between the charging station and the vehicle's Controller Area Network (CAN) bus, and potentially compromise the vehicle's systems. By exploiting weaknesses in the charging station's security mechanisms, adversaries can disrupt the charging process, manipulate the vehicle's behavior, or even gain unauthorized control over critical vehicle functions.

ID: T2004
Name: Exploit via OBD port
Description: Adversaries may exploit vehicle cybersecurity vulnerabilities by targeting the On-Board Diagnostics (OBD) port, enabling unauthorized access to a vehicle's internal systems. The OBD port is a critical interface used for vehicle diagnostics and maintenance, and it provides a gateway to the vehicle's electronic control units (ECUs).
To execute this attack, adversaries might use specialized hardware or software tools to interact with the OBD port, sending malicious commands or manipulating the communication between the OBD port and the vehicle's ECUs. Such actions could have dangerous consequences, including unauthorized access to a vehicle's firmware, data exfiltration, or even remote control of the vehicle.
Exploitation of the OBD port highlights the importance of securing vehicle interfaces against malicious access and the need for robust cybersecurity measures to protect both the vehicle and its occupants.

ID: T2005
Name: Exploit via radio interface
Description: Adversaries may exploit vulnerabilities in vehicle radio interfaces to gain unauthorized access to vehicle systems. These interfaces, including Bluetooth, modem, and WiFi chips, give adversaries a means to remotely execute code and compromise the vehicle's security. This technique allows attackers to infiltrate the vehicle's network and potentially take control of critical systems, posing a significant threat to the safety and privacy of vehicle occupants.
By achieving remote code execution on a radio interface, adversaries can inject malicious code into the vehicle's systems, enabling a range of further attacks. For example, attackers could exploit a memory-safety bug in the Bluetooth interface driver to execute arbitrary commands and gain unauthorized access to the vehicle's network. Once inside, adversaries could manipulate vehicle functions, intercept sensitive data, or even take control of steering, braking, or acceleration systems, posing a serious risk to the safety and security of the vehicle and its occupants.

ID: T2006
Name: External Remote Services
Description: Adversaries may gain unauthorized access to in-vehicle systems by exploiting external remote services. Services such as SSH servers or RPC servers that are exposed on the internet or an intranet provide a potential entry point for attackers to compromise vehicle networks.
By abusing these external remote services, adversaries can execute commands, scripts, or binaries on the in-vehicle device. For example, they may manipulate accounts to maintain access or elevate their privileges within the vehicle's system. Adversaries can also create new accounts to establish secondary access, allowing them to maintain a persistent presence without continuously deploying remote access tools on the vehicle.

ID: T2007
Name: Hardware Additions
Description: Adversaries may gain initial access to vehicle systems through hardware additions. This could involve manipulating or adding physical components to the vehicle's systems in order to gain unauthorized access.

ID: T2008
Name: Phishing
Description: Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, which is known as spearphishing: a specific individual, company, or industry is targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules). Another approach is forging or spoofing the identity of the sender, which can fool both the human recipient and automated security tools.
Victims may also receive phishing messages that instruct them to call a phone number, where they are directed to visit a malicious URL, download malware, or install adversary-accessible remote management tools onto their computer (i.e., User Execution).

ID: T2009
Name: Replication Through Removable Media
Description: Adversaries may exploit the use of removable media in vehicle systems to gain initial access and spread malicious content. Removable media such as USB drives are commonly used for updating in-vehicle infotainment (IVI) systems or transferring data. Adversaries may take advantage of this functionality to introduce malicious code or malware into the vehicle's network, potentially leading to system compromise and unauthorized access.
By inserting a compromised USB drive into a vehicle's IVI system, adversaries can introduce malicious files or code that the vehicle's software executes automatically. For example, adversaries may load a Virtual Contact File from the USB drive that contains content designed to exploit vulnerabilities in the IVI system. Adversaries may also disguise malware as a legitimate software update and trick the IVI system into executing the malicious code from the USB drive, thereby gaining unauthorized access and compromising the vehicle's network. Using removable media as a delivery mechanism lets adversaries replicate and spread their malicious content across multiple vehicles.

ID: T2010
Name: Supply Chain Compromise
Description: Adversaries may gain access to vehicle systems through supply chain compromises, in which they exploit vulnerabilities in the software or hardware provided by third-party suppliers. These compromises can have far-reaching consequences, because a supplier's products are used by multiple OEMs, potentially allowing adversaries to impact a wide range of vehicles.

ID: T2011
Name: Valid Accounts
Description: Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege on specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence.
In some cases, adversaries may abuse inactive accounts, for example those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, because the original account user will not be present to identify anomalous activity on their account.
The overlap of permissions for local, domain, and cloud accounts across a network of systems is a concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and bypass access controls set within the enterprise.