Team 45 – What We Did and How We Did It
For the Threat Modeling Hackathon 2025, Team 45 developed a comprehensive threat model for the TMC-Drive Autonomous Electric Vehicle System. Our goal was to proactively identify and mitigate cybersecurity and privacy threats in a complex, multi-component system integrating embedded hardware, cloud infrastructure, and mobile connectivity.
### What We Did:
We focused on three core subsystems:
- Embedded Device Subsystem (ECUs, sensors, connectivity modules)
- Cloud Subsystem (APIs, OTA updates, data storage)
- Mobile App Subsystem (user interface, vehicle control, and telemetry)
We conducted a detailed threat analysis across these components, identifying 30 technological threats, with special attention to 17 high-priority issues, including risks such as unauthorized vehicle control, sensor spoofing, API exploitation, and supply chain compromise.
### How We Did It:
- Frameworks Used: We applied a hybrid methodology leveraging STRIDE, LINDDUN, NIST, and Canada AV Safety Standards.
- Modeling Tools: A detailed Data Flow Diagram (DFD) was created to map system interactions and sensitive data flows.
- Risk Scoring: Each threat was assessed using a Likelihood × Impact matrix, resulting in prioritized risk levels (Critical, High, Medium).
- Mitigations: We proposed concrete mitigations like OAuth 2.0-protected APIs, secure CAN bus communication, OTA code signing, sensor anomaly detection, and supply chain SBOM enforcement.
- Collaboration: We worked collaboratively using shared docs and visual modeling tools (Mural, Google Sheets) to document threats, scores, and controls.
### Outcome:
Our threat model provides a robust foundation for hardening the TMC-Drive platform against both known and emerging threats. It balances system security with privacy compliance, scalability, and vendor transparency.
You can read our full threat model report in PDF format at the following link: HERE