Security Analysis on Blockchain-Powered Mobile APPs Connected with In-Vehicle Networks by Context-Based Reverse Engineering

The controller area network (CAN) bus for interconnection of electronic control units (ECUs) plays a highly important role in modern intelligent vehicles. To facilitate the CAN Bus accessing to vehicle control or diagnosis, a number of mobile APPs are designed and published by automobile manufacturers to support driving and vehicle-based social network, and some are realized through the in-vehicle infotainment (IVI) middleware. Blockchain technologies are also mature for automobiles to interact service information with the whole industry. Unfortunately, there is a serious threat of command leakage from these mobile APPs, and the reverse engineering (RE) can be exploited by hackers. Previous work has researched this threat by an automatic reverse engineering tool on both automotive android and IOS APPs. However, in such common tool, APP itself-related contexts, including the feature information of CAN Bus commands, vehicle application functions, and control diagnostic protocols, are overlooked, which might be utilized to promote the reverse engineering recall. In this paper, we propose a context-based reverse engineering approach to find deep hidden commands for further revealing security threats for blockchain-powered mobile automotive APPs. For the reverse engineering, we design a context model of four-order tensor to organize multidimensional contexts and establish a continuous updating mechanism. Based on the context model, we further develop two basic analysis algorithms, max-compute (A) and clustering (A), to perform the analysis of CAN Bus commands. Extensive experiments are conducted, and we evaluate it by two metrics, recovered ratio and correctness ratio. Experimental results and the case studied on the familiar APP Carly validate the effectiveness of our approach and reveal the threat of command leakage.