Skip to main content

EVITA E-safety vehicle intrusion protected applications

Background & Objectives

Future automotive safety applications based on vehicle-to-vehicle and vehicle-to-infrastructure communication have been identified as a means for decreasing the number of fatal traffic accidents. Examples of such applications are local danger warnings and electronic emergency brakes. While these functionalities inspire a new era of traffic safety, new security requirements need to be considered in order to prevent attacks on these systems. Examples of such threats are forced malfunctioning of safety-critical components or the interference with the traffic flow by means of fake messages.

Secure and trustworthy intra-vehicular communication is the basis for trustworthy communication among cars or between cars and the infrastructure. Therefore, the objective of the EVITA project is to design, verify, and prototype an architecture for automotive on-board networks where security-relevant components are protected against tampering and sensitive data are protected against compromise when transferred inside a vehicle.

By focusing on the protection of the intra-vehicle communication EVITA complements other e-safety related projects that focus on the protection of the vehicle-to-X communication.

Work Plan

Security requirements analysis

Starting from relevant use cases and security threat scenarios, security requirements for on-board networks will be specified. Also legal requirements on privacy, data protection, and liability issues will be considered.

Secure on-board architecture design

Based on the security requirements and the automotive constraints, a secure on-board architecture and secure on-board communications protocols will be designed. The security functions will be partitioned between software and hardware. The root of trust will be placed in hardware security modules that may be realised as extensions to automotive controllers or as dedicated security controller chips.

In order to ensure that the identified requirements are satisfied, selected parts of the secure on-board architecture and the communications protocols will be modelled using UML and automata and verified using a set of different but complementary model-based verification tools.


For prototyping, FPGA’s will be used to extend standard automotive controllers with the functionality of cryptographic coprocessors. The low-level drivers for interacting with the hardware will be partially generated from UML models.

For even faster prototyping, the security functionality will also be implemented purely in software. An API will be defined so that applications on top of this API can use the cryptographic functions regardless of whether they are provided in hardware or software. All developed code will be validated to ensure its correctness.

Prototype-based demonstration

The secure on-board communication will be deployed inside a lab car demonstrating e-safety applications based on vehicle-to-X communication. Cryptographic methods will ensure the integrity and authenticity of information exchanged within the vehicle and will protect the electronic control units against theft, tampering, and unauthorised cloning.

Releasing the automotive hardware security modules for deployment in cars on public roads requires further implementation and testing efforts, which are out of scope of this project.

Dissemination and external interfaces

In order that the entire automotive industry may benefit from the project results, the secure on-board architecture and communications protocol specifications will be published as open specifications.

The EVITA project partners will liaise with related initiatives in the fields of e-safety and embedded security to achieve multilateral synergies.

Project duration

July 2008 – December 2011

Project Partners

Fraunhofer SIT BMW Group Robert Bosch GmbHContinental Teves AG & Co. OHG escrypt GmbH EURECOMFraunhofer ISI Fujitsu Semiconductor Europe Infineon Technologies AGKatholieke Universiteit Leuven MIRA Ltd Institut TELECOMTrialog


Public reports

No. Deliverable name Date
D0 Project summary Apr. 2012
D1.2.5.1 Presentation slides from the EVITA Workshop on 1 July 2010 Jul. 2010
D1.2.5.2 Presentation slides from the Final EVITA Workshop on 23 November 2011 Nov. 2011
D1.2.6 Final liaisons documentation Mar. 2012
D1.2.7 Final dissemination strategy Apr. 2012
D2.1 Specification and evaluation of e-security relevant use cases Dec. 2009
D2.3 Security requirements for automotive on-board networks based on dark-side scenarios Dec. 2009
D2.4 Legal framework and requirements of automotive on-board networks Sept. 2011
D3.1 Security and trust model Nov. 2009
D3.2 Secure on-board architecture specification Aug. 2011
D3.3 Secure on-board protocols specification Jul. 2011
D3.4.3 On-board architecture and protocols verification Dec. 2010
D3.4.4 On-board architecture and protocols attack analysis Dec. 2010
D4.0.3 Security architecture implementation – Progress report Jul. 2011
D4.2.3 LLD modelling, verification, and automatic C-code generation Jan. 2012
D4.4.2 Test results Feb. 2012

SysML models

Requirement diagrams for automotive on-board networks

These models are to be viewed with the open source UML toolkit TTool.



  • M. Wolf, T. Gendrullis: Design, implementation, and evaluation of a vehicular hardware security module. In 14th International Conference on Information Security and Cryptology, Seoul, South Korea, November/December 2011 – Paper
  • H. Schweppe, B. Weyl, Y. Roudier, M.S. Idrees, T. Gendrullis, M. Wolf: Securing car2X applications with effective hardware-software co-design for vehicular on-board networks. In 27th Joint VDI/VW Automotive Security Conference, Berlin, Germany, October 2011. VDI Berichte 2131 – Paper
  • G. Pedroza, M.S. Idrees, L. Apvrille, Y. Roudier: A formal methodology applied to secure over-the-air automotive applications. In 74th IEEE Vehicular Technology Conference (VTC2011-Fall), San Francisco, CA, USA, September 2011 – Paper
  • H. Schweppe, Y. Roudier, B. Weyl, L. Apvrille, D. Scheuermann: Car2X communication – Securing the last meter. In 4th International Symposium on Wireless Vehicular Communications (WIVEC 2011), San Francisco, CA, USA, September 2011 – Paper
  • G. Pedroza, L. Apvrille, D. Knorreck: AVATAR: A SysML environment for the formal verification of safety and security properties. In 11th International Conference on New Technologies of Distributed Systems (NOTERE), Paris, France, May 2011 – Paper
  • M.S. Idrees, H. Schweppe, Y. Roudier, M. Wolf, D. Scheuermann, and O. Henniger: Secure automotive on-board protocols: A case of over-the-air firmware updates. In T. Strang, A. Festag, A. Vinel, R. Mehmood, C. Rico Garcia und M. Röckl, eds., 3rd International Nets4Cars/Nets4Trains Workshop, Oberpfaffenhofen, Germany, March 2011. Springer (LNCS vol. 6596) – Paper
  • A. Fuchs, S. Gürgens, and C. Rudolph: A formal notion of trust and confidentiality – Enabling reasoning about system security. In Journal of Information Processing, vol. 19 (2011), pp. 274–291 –Paper


  • O. Henniger: Secure automotive on-board networks – Basis for secure vehicle-to-X communication. In Workshop “Staufrei von Holland nach Hessen” (From Holland to Hesse without traffic jam), Frankfurt/Main, Germany, December 2010 – Slides
  • G. Pedroza, L. Apvrille, and R. Pacalet: A formal security model for verification of automotive embedded applications. In 3rd Sophia-Antipolis Formal Analysis Workshop (SAFA 2010), Sophia-Antipolis, France, October 2010 – Paper
  • D. Knorreck, L. Apvrille, and R. Pacalet: Partitioning of in-vehicle systems-on-chip: a methodology based on DIPLODOCUS. In 13th Sophia-Antipolis Microelectronics Forum (SAME 2010), Sophia-Antipolis, France, October 2010 – Paper
  • L. Apvrille, R. El Khayari, O. Henniger, Y. Roudier, H. Schweppe, H. Seudié, B. Weyl, M. Wolf: Secure automotive on-board electronics network architecture. In FISITA 2010 World Automotive Congress, Budapest, Hungary, May/June 2010 – Paper
  • M.S. Idrees, Y. Roudier, and L. Apvrille: A framework towards the efficient identification and modelling of security requirements. In 5th Conference on Security in Network Architectures and Information Systems (SAR-SSI 2010), Menton, France, May 2010
  • H. Schweppe, Y. Roudier: Security issues in vehicular systems: Threats, emerging solutions and standards. In 5th Conference on Security in Network Architectures and Information Systems (SAR-SSI 2010), Menton, France, May 2010 – Paper
  • A. Ruddle: Security risk analysis approach for on-board vehicle networks. In “The Fully Networked Car” Workshop at the Geneva International Motor Show, Geneva, Switzerland, March 2010 – Slides


  • O. Henniger and H. Seudié: E-safety vehicle intrusion protected applications. In 7thescar (Embedded Security in Cars) Conference, Düsseldorf, Germany, November 2009, invited talk –Slides
  • H. Seudié: Vehicular on-board security: EVITA project. In C2C-CC Liaison Security Workshop, Wolfsburg, Germany, November 2009, invited talk – Slides
  • O. Henniger, L. Apvrille, A. Fuchs, Y. Roudier, A. Ruddle, and B. Weyl: Security requirements for automotive on-board networks. In 9th International Conference on Intelligent Transport System Telecommunications (ITST 2009), Lille, France, October 2009 – Paper
  • B. Weyl, O. Henniger, A. Ruddle, H. Seudié, M. Wolf, and T. Wollinger: Securing vehicular on-board IT systems: The EVITA Project. In 25th Joint VDI/VW Automotive Security Conference, Ingolstadt, Germany, October 2009 – Paper
  • F. Stumpf, B. Weyl, C. Meves, M. Wolf: A security architecture for multipurpose ECUs in vehicles. In 25th Joint VDI/VW Automotive Security Conference, Ingolstadt, Germany, October 2009 – Paper
  • T. Kosch: Privacy and data protection for drivers – A contribution from the EVITA project. In 16th ITS World Congress, Stockholm, Sweden, September 2009, invited talk – Slides
  • M. Wolf: Designing secure automotive hardware for enhancing traffic safety. In CAST Workshop “Mobile Security for Intelligent Cars”, Darmstadt, Germany, August 2009, invited talk – Slides
  • A. Fuchs and R. Rieke: Identification of authenticity requirements in systems of systems by functional security analysis. In Workshop on Architecting Dependable Systems at the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN-2009), Estoril, Portugal, June 2009 – Paper


  • M. Wolf: Vehicular security hardware. In 6th escar (Embedded Security in Cars) Conference, Hamburg, Germany, November 2008, invited talk – Slides

E-safety Vehicle Intrusion proTected Application (EVITA)

Car to car and car to infrastructure communication has a great potential to further decrease road fatalities. But this implies a massive deployment of a communication infrastructure comprising the car, and consequently opens the door to vehicle intrusion threats, which will in turn create substantial threats to the overall car safety functions. Consequences may range from irritating malfunction of on-board commodity devices to dangerous failures, e.g. missing support for braking and/or steering which can create life threatening situations.It is the distinct objective of EVITA to address these threats by preventing unauthorised manipulation of on-board systems in order to successfully prevent the intrusion into the in-vehicular systems and the transmission of corrupted data to the outside. By focusing on vehicle intrusion projection EVITA complements SeVeCOM and NoW which focus on communication protection.Starting from identifying the necessary industrial use cases regarding assembly and field maintenance and compiling profound scenarios of possible threats, the overall security requirements are defined. On this basis a secure trust model will be compiled and a secure on-board architecture and protocol will be specified, verified, validated and, lastly, demonstrated. EVITA will release the architecture and protocol specification as an open standard.The consortium brings together all relevant expertise to successfully take the challenge: a car manufacturer, tier-one suppliers, security, hardware, software and legal experts. In order to guarantee a broad uptake of the open standard, EVITA will cooperate with the Car 2 Car Communication Consortium.


Finished  (07/2008-12/2011)


7th Framework Programme, European Commission, DG Information Society, Unit G4


  • Fraunhofer Institute for Secure Information Technology (SIT), DE
  • Robert Bosch GmbH, DE
  • Continental Teves AG & Co. oHG, DE
  • Infineon, DE
  • Fujitsu Services AB, SE
  • MIRA Ltd, UK
  • Trialog, FR
  • KU Leuven, BE
  • BMW Forschung und Technik GmbH, DE

Deliverables with ISI contributions

  • Dumortier, Jos, Christophe Geuens, Alastair Ruddle, Lester Low, and Michael Friedewald, “Legal framework and requirements of automotive on-board networks”, EVITA Deliverable 2.4, EVITA Project, 2011.
  • Ruddle, Alastair, David Ward, Benjamin Weyl, Sabir Idrees, Yves Roudier, Michael Friedewald, Timo Leimbach, Andreas Fuchs, Sigrid Gürgens, Olaf Henniger, Roland Rieke, Matthias Ritscher, Henrik Broberg, Ludovic Apvrille, Renaud Pacalet, and Gabriel Pedroza, “Security requirements for automotive on-board networks based on dark-side scenarios”, EVITA Deliverable 2.3, 2009.
  • Kelling, Enno, Michael Friedewald, Timo Leimbach, Marc Menzel, Peter Säger, Hervé Seudié, and Benjamin Weyl, “E-safety vehicle intrusion protected applications: Specification and Evaluation of e-Security relevant use cases “, EVITA Deliverable 2.1, 2009.