
This work involves researching potential threats online and then populating our database with your research
results and your engineering judgment. Below are the task and instructions. Every candidate goes through
the same example so that we can compare fairly. We look forward to your results!

Here’s the threat:

Connected vehicles use the 802.11p protocol to communicate with other vehicles; this traffic could be
intercepted or disrupted within 100-200 meters. The messages sent between vehicles are subject to a
Black Hole Attack.

Based on your research, I'll need you to rate this potential threat on the following five factors:

- Elapsed Time
- Expertise
- Knowledge
- Window of Opportunity
- Equipment

Here are the options for each factor (ignore the numeric values; just use the enumerated rating):

Elapsed Time        | Expertise              | Knowledge                   | Window                  | Equipment
Enumerate     Value | Enumerate        Value | Enumerate             Value | Enumerate         Value | Enumerate          Value
≤ 1 day       0     | Layman           0     | Public                0     | Unlimited         0     | Standard           0
≤ 1 week      1     | Proficient       3     | Restricted            3     | Easy              1     | Specialized        4
≤ 1 month     4     | Expert           6     | Confidential          7     | Moderate          4     | Bespoke            7
≤ 6 months    17    | Multiple Expert  8     | Strictly Confidential 11    | Difficult / none  10    | Multiple Bespoke   9
> 6 months    19    |                        |                             |                         |

Here are some more instructions for each:

Elapsed Time:
This shall include both preparation time and exploitation time. If a particular
vulnerability is not available, it should include the estimated time to exploit a new
vulnerability.
If preparation takes time x and exploitation takes time y, the elapsed time should
be x+y.

Expertise:

Do not confuse Expertise with Knowledge. Expertise means the attacker's
background. This is the basis for estimating Elapsed Time. Expertise should also be
consistent with Knowledge: if the particular attack method is bypassing an
authentication system, and the Knowledge is the secret key for the authentication,
the Expertise shall be Layman and the Knowledge shall be Strictly Confidential,
because with a leaked key even a layman can perform the attack. If the Knowledge
is the authentication system architecture and design data, the Expertise shall be
Expert, because only an expert can understand the design data and then develop a
dedicated attack.

If this attack requires multiple steps, and some steps require Proficient, and other
steps require Expert, the Expertise of this attack shall be Expert. Proficient and
Expert do not add up to make it Multiple Experts.

Layman:

Unknowledgeable compared to experts or proficient persons, with no particular
expertise.

Example: an ordinary person using step-by-step descriptions of an attack that is
publicly available.

Proficient:

Knowledgeable in that they are familiar with the security behaviour of the product
or system type.

Example: experienced owner, ordinary technician knowing simple and popular
attacks like odometer tuning, installation of counterfeit parts

Expert:

Familiar with the underlying algorithms, protocols, hardware, structures,
security behaviour, principles and concepts of security employed, techniques and
tools for the definition of new attacks, cryptography, classical attacks for the
product type, attack methods, etc. implemented in the product or system type.

Example: experienced technician or engineer


Multiple Expert:

Different fields of expertise are required at an expert level for distinct steps of an
attack.

Example: multiple highly experienced engineers who have expertise in different
fields, and which are required at an expert level for distinct steps of an attack

Knowledge:

Knowledge usually means knowledge of the system under attack (design data,
engineering data, vulnerability disclosure, user manual, etc.). The exception is that
if a threat is assuming the password is known to the attacker, the knowledge should
include the password.

If part of the Knowledge is Restricted and another part is Confidential, the
Knowledge rating shall be Confidential. Restricted and Confidential do not add up
to become Strictly Confidential.

Public:

Public information concerning the item or component (e.g. as gained from the
Internet).

Example: information and documents published on the product homepage or on an
internet forum

Restricted:

Restricted information concerning the item or component (e.g. knowledge that is
controlled within the developer organization and shared with other organizations
under a non-disclosure agreement).

Example: internal documentation shared between manufacturer and supplier,
requirements and design specifications

Confidential:

Confidential information about the item or component (e.g. knowledge that is
shared between discrete teams within the developer organization, access to which
is constrained only to members of the specified teams).

Example: immobilizer-related information, software source code


Strictly Confidential:

Strictly confidential information about the item or component (e.g. knowledge that
is known by only a few individuals, access to which is very tightly controlled on a
strict need-to-know basis and individual undertaking).

Example: customer-specific calibrations or memory maps documented internally
by the manufacturer and/or supplier

Window:

The window of opportunity parameter is related to the access conditions (time,
type) needed to successfully perform an attack. It combines access type (e.g. logical and
physical) and access duration (e.g. unlimited and limited). Depending on the type
of attack this might include discovery of possible targets, access to a target, whether the exploit
works on the target, time to perform the attack on a target, remaining undiscovered,
circumventing detections and cybersecurity controls, etc.

If one part of the attack has a window Easy, and another part has a window
Moderate, the window for the whole attack might be added up to Difficult.

When ownership of the item is relevant in this case, assume the attacker doesn't
own the item when giving the score, but also provide in the rationale the score if
the attacker owns the item. For example, if the attacker owns the target vehicle, the
attacker has Unlimited access to the JTAG interface of a particular module on the vehicle.
But if the attacker doesn't own the target vehicle, the window for accessing the JTAG interface
of a particular module is Moderate.

Unlimited:

High availability via public/untrusted network without any time limitation
(i.e. asset is always accessible). Remote access without physical presence or time
limitation as well as unlimited physical access to the item or component.

Example: remote attack (e.g. vehicle-to-anything or cellular interfaces) without
any preconditions, unlimited physical access by the owner for chip tuning.

Easy:

High availability and limited access time. Remote access without physical
presence to the item or component.

Example: pairing time of Bluetooth, remote software update, remote attack that
requires the vehicle standing still.

Moderate:

Low availability of the item or component. Limited physical and/or logical access.
Physical access to the vehicle interior or exterior without using any special tools.

Example: attacker enters an unlocked car and gets access to an exposed physical
interface, e.g. physical access via the on-board diagnostic port.

Difficult:

Very low availability of the item or component. Impractical level of access to the
item or component to perform the attack.

Example: decapping an IC to extract information, cracking a cryptographic key by
brute force faster than the key is rotated

Equipment:

The equipment parameter is related to the tools the attacker has available to
discover the vulnerability and/or to execute the attack.

If one part of the attack requires a Specialized tool, and another part of the attack
requires a different Specialized tool, the Equipment for this attack can be Bespoke
- the two different Specialized tools may add up.

Standard:

Equipment is readily available to the attacker. This equipment may be a part of the
product itself (e.g. a debugger in an operating system), or can be readily obtained
(e.g. internet sources, protocol analyser or simple attack scripts).

Example: laptop, CAN adapter, on-board diagnostic dongle, ordinary tools
(screwdriver, soldering iron, pliers)

Specialized:

Equipment is not readily available to the attacker but can be acquired without
undue effort. This can include purchase of moderate amounts of equipment
(e.g. power analysis tools, use of hundreds of PCs linked across the internet would
fall into this category), or development of more extensive attack scripts or
programs. If clearly different test benches consisting of specialized equipment are
required for distinct steps of an attack this would be rated as Bespoke.

Example: specialized hardware debugging device, in-vehicle communication
devices (hardware in the loop test rig, high-grade oscilloscope, signal generator),
special chemicals

Bespoke:

Equipment is not readily available to the public (e.g. black market) as it may need
to be specially produced (e.g. very sophisticated software), or because the
equipment is so specialized that its distribution is controlled, possibly even
restricted. Alternatively, the equipment may be very expensive.

Example: manufacturer-restricted tools, electron microscope


Multiple Bespoke:

Introduced to allow for a situation where different types of bespoke equipment
are required for distinct steps of an attack.
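As an added worked example (not part of the assessment material), the following Python encodes the enumerated scales above and the combination rules stated in the Elapsed Time, Expertise, Knowledge, Window and Equipment sections for a multi-step attack. The one-level escalation for Window and Equipment is our reading of "may add up", the 30-day and 182-day bucket limits are assumptions, and the part names and durations are constructed.

```python
from typing import Dict, List, Tuple

# Enumerated ratings in increasing order of attack difficulty (numeric values ignored, as the task says).
SCALES: Dict[str, List[str]] = {
    "Elapsed Time": ["<= 1 day", "<= 1 week", "<= 1 month", "<= 6 months", "> 6 months"],
    "Expertise": ["Layman", "Proficient", "Expert", "Multiple Expert"],
    "Knowledge": ["Public", "Restricted", "Confidential", "Strictly Confidential"],
    "Window": ["Unlimited", "Easy", "Moderate", "Difficult / none"],
    "Equipment": ["Standard", "Specialized", "Bespoke", "Multiple Bespoke"],
}

def rank(factor: str, rating: str) -> int:
    return SCALES[factor].index(rating)

def elapsed_time_rating(preparation_days: float, exploitation_days: float) -> str:
    """Elapsed Time rule: rate the sum x + y of preparation and exploitation time
    (assumption: a month counted as 30 days, six months as 182 days)."""
    total = preparation_days + exploitation_days
    for limit, rating in [(1, "<= 1 day"), (7, "<= 1 week"), (30, "<= 1 month"), (182, "<= 6 months")]:
        if total <= limit:
            return rating
    return "> 6 months"

def combine_max(factor: str, steps: List[Tuple[str, str]]) -> str:
    """Expertise / Knowledge rule: the most demanding step sets the rating and levels
    never add up (Proficient + Expert = Expert, Restricted + Confidential = Confidential)."""
    return max((rating for _, rating in steps), key=lambda r: rank(factor, r))

def combine_adding(factor: str, steps: List[Tuple[str, str]]) -> str:
    """Window / Equipment rule: distinct parts of the attack may add up one level.
    Assumption (our reading of the page): escalate only when two or more *different*
    parts each need at least the second level, so Easy + Moderate -> Difficult."""
    top = combine_max(factor, steps)
    demanding_parts = {part for part, rating in steps if rank(factor, rating) >= 1}
    if len(demanding_parts) >= 2 and rank(factor, top) < len(SCALES[factor]) - 1:
        return SCALES[factor][rank(factor, top) + 1]
    return top

# Constructed two-part attack used only to exercise the rules; not an assessment of the 802.11p threat.
def rate_constructed_example() -> Dict[str, str]:
    part_a, part_b = "part A", "part B"
    return {
        "Elapsed Time": elapsed_time_rating(preparation_days=4, exploitation_days=3),
        "Expertise": combine_max("Expertise", [(part_a, "Proficient"), (part_b, "Expert")]),
        "Knowledge": combine_max("Knowledge", [(part_a, "Restricted"), (part_b, "Confidential")]),
        "Window": combine_adding("Window", [(part_a, "Easy"), (part_b, "Moderate")]),
        "Equipment": combine_adding("Equipment", [(part_a, "Specialized"), (part_b, "Specialized")]),
    }
```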

Your task is to fill in the blanks in the following table (give a rating for each factor, and then explain why
you chose this rating):

Factor                 | Rating | Rationale
Elapsed Time           |        |
Expertise              |        |
Knowledge              |        |
Window of Opportunity  |        |
Equipment              |        |
