CASE STUDY, RESEARCH | July 14, 2025

Accelerating Threat Assessment in Vehicle ECUs

A global automaker required a thorough, but time-constrained, threat assessment and remediation plan for its critical Gateway Electronic Control Unit (ECU). The assessment needed to cover not only the main ECU but also its networked interaction with all of the vehicle’s numerous ECUs.

Having attempted to perform the assessment on its own, the manufacturer found its initial results lacked sufficient technical depth and were taking too long to report, threatening other key project timelines. They turned to IOActive to not only improve but also to accelerate the assessment process for this product.

The Challenge

An automotive Gateway ECU acts as a hub, routing and securing communication between ECUs and back-end services, such as the engine, transmission, brakes, steering, and infotainment. However, because it sits atop the vehicle’s digital nervous system, any compromise of the Gateway ECU can cascade to other subsystems through the entire in-vehicle network, including the Controller Area Network (CAN) bus and newer technologies like vehicular Ethernet. This widespread connectivity amplifies the potential for catastrophic results if vulnerabilities are exploited. Ensuring that any conceivable threats are accounted for and prioritized for remediation is a critical step in overall vehicle safety in the modern era.

In this case, the automaker was looking to certify the reliability and security posture of its Gateway ECU in accordance with ISO/SAE 21434, the international standard that specifies requirements for cybersecurity risk management in the design and development of automotive systems. The purpose of ISO 21434 is to establish a comprehensive framework for managing cybersecurity risks throughout the entire lifecycle of a vehicle, and ensure that automotive systems are designed with cybersecurity in mind from the outset, continually addressing potential vulnerabilities and threats.

ISO 21434 applies to all stages of a vehicle’s lifecycle, including concept, development, production, operation, maintenance, and decommissioning. It covers all electronic and electrical systems within the vehicle, including software, hardware, and communication interfaces.

Enter TARA

A critical component of ISO 21434 is a risk assessment process known as Threat Analysis and Risk Assessment (TARA). A TARA’s risk-based approach involves systematically identifying potential damage scenarios, threat scenarios, and attack paths, evaluating their impact and attack feasibility, and determining the risk to decide appropriate mitigation strategies.

Given their tight project timelines, what the automaker needed was a specialized consulting service with core competencies focused on the use of TARA in an automotive system. That’s where IOActive comes in, as a research-driven security services company with a history of automotive testing and ethical hacking that dates to the earliest days of digital vehicle control systems.

In the context of automobile control systems, a meaningful TARA program is structured to ensure all potential security risks are identified, assessed, and prioritized for mitigation. Potential vectors include physical threats (when a malicious actor has hands-on access to a vehicle, for example) and wireless threats (for hacking attempts leveraging the vehicle’s on-board cellular and WiFi connectivity).

For this automaker client, IOActive organized the highly technical TARA to include the following tasks.

Initiation and Planning

  • Defining scope: Clearly outlining the scope of the TARA, specifying which systems, components, and interfaces related to the vehicle Gateway ECU are to be included.
  • Establishing objectives: Setting the goals for the TARA, such as agreeing on impact rating, attack feasibility, and risk calculation details, understanding the client’s concerns or key areas of focus, and establishing initial assumptions about the item along with the process for confirming and documenting any assumptions needed during the execution of the TARA.
  • Assembling the team: Forming a multidisciplinary team with expertise in cybersecurity, automotive systems, threat modeling, TARAs, software, hardware, and relevant regulatory standards (e.g., ISO 21434).

Asset Identification (Section 15.3)

  • Discovery: Determining and defining critical assets within the item, by reviewing the software modules, hardware components, data flows, dependencies, and communication interfaces.
  • Damage scenarios: Determining if a compromise of a cybersecurity property of any asset would cause some form of harm to the road user.

Threat Scenario Identification (Section 15.4)

  • Identifying threat sources: Cataloging potential sources of threats, such as external attackers, malicious insiders, and natural events.
  • Enumerating threat scenarios: Developing threat scenarios to describe how each identified damage scenario can be exploited in the item.

Impact Rating (Section 15.5)

  • Impact analysis: Evaluating the potential impact of each damage scenario on the vehicle’s safety, as well as financial, operational, and privacy impacts. This includes both direct and indirect consequences.

Attack Path Analysis and Attack Feasibility Rating (Sections 15.6 and 15.7)

  • Attack path generation: Building a series of steps that could be used to realize a threat scenario that would result in damage. The standard doesn’t specify how this is done, but IOActive breaks attack paths into the following steps:
    • Primary Attack (Intrusion Vector)
    • Secondary Attack (Escalation Vector)
    • Tertiary Attack (Lateral Movement Vector)
    • Final Attack (Exploitation Phase)
  • Attack feasibility rating: Assessing the likelihood of each attack path occurring based on factors such as existing security measures, ease of exploitation, and known attacker capabilities.

Risk Value Determination (Section 15.8)

  • Risk scoring: Assigning risk scores to each valid attack path based on the combined assessment of impact and attack feasibility. This helps prioritize the threats.
  • Risk categorization: Grouping the scored risks into different risk levels to help facilitate the client’s risk treatment decision-making.

Risk Treatment Decision (Section 15.9)

  • Developing mitigation strategies: Proposing specific measures to mitigate the identified risks. This can include technical controls (e.g., encryption or authentication), process changes (e.g., regular security updates), and organizational measures (e.g., training or policy changes).
  • Residual risk assessment: Guidance on assessing the residual risk after implementing the mitigation measures to ensure that risk is reduced to acceptable levels.

Documentation and Reporting

  • Comprehensive documentation: Maintaining detailed documentation of the TARA process, including all damage scenarios, threat scenarios, and steps that form attack paths.
  • Reporting: Preparing reports for key stakeholders that summarize the findings, any actions taken, proposed future actions for the client, and the item’s current security posture.
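To make the arithmetic behind Sections 15.5 through 15.9 concrete, here is an added worked example (constructed for this page; it is not IOActive’s tooling and not the client’s data). It rates one damage scenario for a Gateway ECU, builds an attack path from the four stages listed above, combines the impact rating and attack feasibility rating into a risk value, and then re-rates the same path after a treatment to show the residual risk. The impact scale, the attack-potential point table, the feasibility thresholds, the risk matrix, the rule for aggregating stage ratings into a path rating, and the scenario itself are all assumptions; in a real TARA these are the “impact rating, attack feasibility, and risk calculation details” agreed during planning.

```python
"""Worked TARA example: impact rating x attack feasibility rating -> risk value
for one attack path built from the four stages IOActive uses, then re-rated
after a treatment for residual risk. Constructed illustration, not IOActive's
tooling; every table below is an assumption to replace with agreed values."""
from dataclasses import dataclass, replace

# ISO/SAE 21434 impact categories: safety, financial, operational, privacy.
# Each is rated on this four-level scale (index order feeds the risk matrix).
IMPACT_LEVELS = ["negligible", "moderate", "major", "severe"]
FEASIBILITY_LEVELS = ["very low", "low", "medium", "high"]

# Attack-potential factors in the style of the standard's informative
# attack-potential approach. Point values are recalled, not quoted: assumption.
ATTACK_POTENTIAL = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4,
                     "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7,
                  "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}

# Example risk matrix: rows are impact, columns follow FEASIBILITY_LEVELS,
# cells are risk values 1 (lowest) to 5 (highest). Assumed table.
RISK_MATRIX = {
    "negligible": [1, 1, 1, 1],
    "moderate":   [1, 2, 2, 3],
    "major":      [1, 2, 3, 4],
    "severe":     [2, 3, 4, 5],
}


@dataclass
class Stage:
    phase: str        # Primary / Secondary / Tertiary / Final, as in the page's breakdown
    description: str
    rating: dict      # factor name -> level label from ATTACK_POTENTIAL


def overall_impact(per_category):
    """Overall impact is the highest rating across the categories (assumption)."""
    return max(per_category.values(), key=IMPACT_LEVELS.index)


def path_potential(stages):
    """Attack potential of the whole path: per factor, the most demanding level
    any stage requires, summed over factors (assumed aggregation rule)."""
    return sum(max(table[s.rating[factor]] for s in stages)
               for factor, table in ATTACK_POTENTIAL.items())


def feasibility(points):
    """Map attack-potential points to a feasibility rating (assumed thresholds)."""
    if points <= 13:
        return "high"
    if points <= 19:
        return "medium"
    if points <= 24:
        return "low"
    return "very low"


def risk_value(impact, feas):
    return RISK_MATRIX[impact][FEASIBILITY_LEVELS.index(feas)]


def assess(damage_scenario, impacts, stages):
    """One row of the risk roster: scenario, ratings and resulting risk value."""
    imp = overall_impact(impacts)
    pts = path_potential(stages)
    feas = feasibility(pts)
    return {"damage_scenario": damage_scenario, "impact": imp,
            "attack_potential": pts, "feasibility": feas,
            "risk": risk_value(imp, feas)}


# Constructed scenario mirroring the engagement's findings: a Gateway that
# accepts unauthenticated intra-ECU messages on an unsegmented network.
SCENARIO = "loss of integrity of control messages routed by the Gateway ECU"
IMPACTS = {"safety": "severe", "financial": "major",
           "operational": "major", "privacy": "negligible"}
BASELINE_PATH = [
    Stage("Primary (intrusion vector)",
          "foothold on a lower-value ECU through an external interface",
          {"elapsed_time": "<=1 month", "expertise": "expert", "knowledge": "restricted",
           "window": "moderate", "equipment": "specialized"}),
    Stage("Secondary (escalation vector)",
          "Gateway accepts the compromised ECU's messages without authentication",
          {"elapsed_time": "<=1 week", "expertise": "proficient", "knowledge": "restricted",
           "window": "unlimited", "equipment": "standard"}),
    Stage("Tertiary (lateral movement vector)",
          "unsegmented network exposes every other ECU to the same traffic",
          {"elapsed_time": "<=1 day", "expertise": "proficient", "knowledge": "restricted",
           "window": "unlimited", "equipment": "standard"}),
    Stage("Final (exploitation phase)",
          "routed control messages altered to realise the damage scenario",
          {"elapsed_time": "<=1 week", "expertise": "proficient", "knowledge": "restricted",
           "window": "unlimited", "equipment": "standard"}),
]


def with_treatment(stages):
    """Residual-risk re-rating: message authentication forces the escalation stage
    to obtain protected key material, and segmentation narrows the lateral-movement
    window. The new levels are assumptions about the treatment's effect."""
    treated = []
    for s in stages:
        if s.phase.startswith("Secondary"):
            s = replace(s, rating={**s.rating, "elapsed_time": "<=6 months",
                                   "expertise": "expert",
                                   "knowledge": "strictly confidential",
                                   "equipment": "bespoke"})
        elif s.phase.startswith("Tertiary"):
            s = replace(s, rating={**s.rating, "window": "difficult"})
        treated.append(s)
    return treated


if __name__ == "__main__":
    for label, path in (("baseline", BASELINE_PATH),
                        ("after treatment", with_treatment(BASELINE_PATH))):
        row = assess(SCENARIO, IMPACTS, path)
        print(f"{label}: impact={row['impact']}, potential={row['attack_potential']}, "
              f"feasibility={row['feasibility']}, risk={row['risk']}")
```

With these assumed tables the baseline path scores 21 attack-potential points (feasibility “low”) against a “severe” impact, giving risk value 3; after authentication and segmentation are modelled, the same path needs 51 points (“very low”) and drops to risk value 2. The per-factor maximum across stages is deliberate: an attacker must meet the most demanding expertise, knowledge and equipment requirement anywhere on the path, so a single well-placed control on one stage raises the feasibility cost of the whole path, which is exactly the argument a residual-risk assessment needs to make.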

The Assessment in Depth

Adhering to this systematic implementation of the TARA methodology, IOActive’s security consultants began with the detailed documentation review required to expose potential attack vectors that malicious actors could exploit. This process is much like a threat model, in which our team identified potential risks and missing controls, ranging from weak encryption practices to inadequate access controls and insecure communication protocols. Each weakness was examined in depth to help identify areas of potential risk to vehicle functionality, safety, and privacy.

Over the course of the two-month TARA process, IOActive’s automotive security team discovered multiple high-impact risks:

  • The automaker’s control systems did not currently support intra-ECU authentication and authorization. These missing controls could allow an attacker to wreak havoc across multiple vehicle systems based on a single compromise of a lower-value component.
  • The vehicle’s communications and control networks also lacked appropriate segmentation, which, like the authentication and authorization issue, could facilitate an attack on multiple ECUs from a single point of compromise.
  • Access to the cryptographic material used by the ECU was poorly understood and documented. This has the potential to complicate the assessment of system impact and identification of compromised keys in the event of an attack.

Throughout the course of the TARA engagement, IOActive’s expert consultants kept in constant contact with the client, asking probing questions about development and architecture that spurred the automaker’s own technical team to revisit core component security questions — and consider strategic changes to its products — with company decision makers.

The Results

IOActive completed the TARA within an impressive two-month timeframe, delivering results that surpassed those typically achieved by internal teams or other vendors. Leveraging our extensive experience across a diverse range of vendors and OEMs, IOActive provided the automaker with a detailed, realistic, and actionable roster of risks, each analyzed with significant technical depth and prioritized by practical risk level. Our experts’ broad spectrum of exposure enables a more thorough and insightful threat assessment, helping to ensure that potential security gaps are not overlooked.

The findings included not only proposed mitigation strategies but also an evaluation of their expected effectiveness in addressing each identified security gap. This comprehensive report offered the client a robust set of risks specific to their gateway ECU and a clear roadmap for mitigating them efficiently. Additionally, the TARA conducted by IOActive was a crucial step towards achieving ISO 21434 compliance, reinforcing the vehicle’s overall security posture with unmatched precision and speed.