학술논문
커넥티드 카 서비스의 보안 위협 분석에 관한 연구 : -원격 모니터링과 원격 제어 기능을 중심으로- / A Study on Security Threat Analysis for Connected Car Services: Focusing on Remote Monitoring and Remote Control Function
Document Type
Dissertation/ Thesis
Source
Subject
Language
Korean
Abstract
커넥티드 카 서비스는 IoT 환경에서 널리 사용되는 서비스로 기존의 차량에 차량 내부 및 외부와의 네트워크를 통한 연결로 다양한 서비스를 제공한다. 하지만 차량 제조사들이 커넥티드 카 서비스를 보호하기 위한 수단을 고려하여 서비스를 개발하고 있으나 커넥티드 카 서비스에 관한 공격 사례가 발표되면서 커넥티드 카 서비스의 보안성에 대한 우려가 커지고 있다.본 연구에서 지금까지 발표된 커넥티드 카 서비스 관련 연구를 살펴보고, 커넥티드 카 서비스에 대한 근본적인 보안성 향상을 위해 보안 위협 모델링을 통해 커넥티드 카 서비스에 존재할 수 있는 위협을 식별하였다. 이후 식별된 위협을 제거하기 위한 점검항목을 도출하였다. 또한 이를 활용하여 커넥티드 카 서비스에 대한 보안 취약점을 분석하였다.4개의 제조사에서 개발한 앱을 분석한 결과 4개사 모두 APP 동작에 불필요한 권한을 과도하게 요청하였고 소스코드 난독화를 수행하지 않았으며 오류 메시지와 디버깅 정보를 노출하는 등 어플리케이션 항목에 대한 취약점이 존재하였다. 또한 일부 제조사의 앱에서는 루팅 여부를 확인하지 않아서 공격의 대상이 될 가능성이 크다는 것을 확인하였다.본 연구를 통해 커넥티드 카 서비스에 대한 보안성을 강화하게 된다면 단순히 커넥티드 카 서비스 자체에 대한 보안성 향상뿐만 아니라 차량 환경에 대한 안전을 확보할 수 있게 될 것이다.
The Connected Car Services is one of the most widely used services in the IoT environment, and it provides various services to existing vehicles by connecting them through networks inside and outside the vehicle. However, although vehicle manufacturers are developing services considering the means to secure the Connected Car Services, concerns about the security of the Connected Car Services are growing as attack cases against the Connected Car Services have been announced.In this study, I reviewed the researches related to the Connected Car Services announced so far, and I identified the threats that may exist in the Connected Car Services through security threat modeling to improve the fundamental security level of the Connected Car Services. Afterwards, I derived the check list to remove the identified threats. In addition, using the check list, I took a penetration test to find the security vulnerabilities of the Connected Car Services.As a result of performing the test to the Apps for Connected Car Services developed by four manufacturers, the Apps of all four companies excessively requested unnecessary permissions for App operation, the Apps did not obfuscate the source code, and there were vulnerabilities in application items such as exposing error messages and debugging information. In addition, it was confirmed that there is a high possibility of being a target of an attack because some manufacturers' Apps do not check whether or not they are rooted.Through this study, if the security of Connected Car Services is improved, it will be possible not only to improve the security of the Connected Car Services itself, but also to secure the safety of the vehicle environment.
The Connected Car Services is one of the most widely used services in the IoT environment, and it provides various services to existing vehicles by connecting them through networks inside and outside the vehicle. However, although vehicle manufacturers are developing services considering the means to secure the Connected Car Services, concerns about the security of the Connected Car Services are growing as attack cases against the Connected Car Services have been announced.In this study, I reviewed the researches related to the Connected Car Services announced so far, and I identified the threats that may exist in the Connected Car Services through security threat modeling to improve the fundamental security level of the Connected Car Services. Afterwards, I derived the check list to remove the identified threats. In addition, using the check list, I took a penetration test to find the security vulnerabilities of the Connected Car Services.As a result of performing the test to the Apps for Connected Car Services developed by four manufacturers, the Apps of all four companies excessively requested unnecessary permissions for App operation, the Apps did not obfuscate the source code, and there were vulnerabilities in application items such as exposing error messages and debugging information. In addition, it was confirmed that there is a high possibility of being a target of an attack because some manufacturers' Apps do not check whether or not they are rooted.Through this study, if the security of Connected Car Services is improved, it will be possible not only to improve the security of the Connected Car Services itself, but also to secure the safety of the vehicle environment.