7-2016-1011

A Software Only Anti-Spoofing Defense System For In-Car CAN Bus Networks

Modern cars have multiple dedicated computers under the hood called “electronic control units” (ECUs). These ECUs control all aspects of the car’s operation and are connected to each other in a network that typically uses the CAN bus protocol, a simple serial protocol with absolutely no security components. Replacing CAN bus with a more robust technology is not an option, due to the huge investment that will be needed by car manufacturers, and the decades it will take until old cars are scrapped. Therefore, it is an important goal to improve the security stance of cars within the limitations of CAN bus. The researcher has developed a software-only anti-spoofing defense system for in-car CAN bus networks. If an attacker compromises one of the car’s ECUs, and from there tries to attack another, more critical, ECU, the system blocks this lateral movement. Hence, it can be added as a software-only patch to any standard ECU.

UNMET NEED
The CAN bus protocol is a simple serial protocol with absolutely no security components, and is therefore exposed and vulnerable. Replacing CAN bus with a more robust technology is probably a good idea. However, due to the huge investment needed by manufacturers, and the decades it takes until old cars are scrapped, it is an important goal meanwhile to improve the security stance of cars within the limitations of CAN bus. Thus, there is a need to find and implement a new, cheap and simple method to block these attacks that improves on the existing solutions in the market.

OUR SOLUTION
Modern cars have ECUs that control all aspects of the car’s operation: from the engine, braking and steering controls to the car’s entertainment systems. The ECUs are connected to each other in a network that typically uses the CAN bus protocol. CAN bus is a simple serial protocol, with absolutely no security components: it was designed under the assumption that all ECUs are legitimate, trustworthy, and operating according to their specifications. However, over the last few years, researchers have shown that many ECUs are vulnerable to attack. Since CAN bus in itself is so naive, any attack on one ECU can immediately allow lateral movement, to attack other, more critical, ECUs; the subverted ECU can trivially spoof (masquerade as) any other ECU and cause significant damage. Replacing CAN bus with a more robust technology is probably a good idea. However, due to the huge investment that needs to be made by manufacturers, and the decades it takes until old cars are scrapped, it is an important goal to improve the security stance of cars within the limitations of CAN bus. Thus, finding methods to block the lateral movement from the originally compromised ECU to others is of utmost importance.
The researcher has developed a software-only anti-spoofing defense system for in-car CAN bus networks. If an attacker compromises one of the car’s ECUs, and from there tries to attack another, more critical, ECU, the designed system blocks this lateral movement. Hence, this defense system can be added as a software-only patch to any standard ECU. The system was implemented and tested for its “behavior” in detailed experiments. With ‘CAN’ controllers that are able to transmit fast enough, it was successful in disabling the attacking ECU in 100% of experiments. For slower controllers, if the combination of benign CAN traffic, this system’s defense, and a helper ECU’s traffic produces a well-timed pulse of high-enough bus load, the system is able to block the cyber-attack.

Comparison with competing technologies:
Some existing technologies to defend the CAN bus require a specific topology (so that a “firewall” can be placed in the path of the CAN traffic). This is a major change to the car’s network, which can be expensive, and it does not protect ECUs that are “on the same side” of the firewall from each other.
Unlike previous firewall-based solutions or cryptography-based solutions, the attack messages are identified and destroyed by the legitimate message ID’s owner. This method doesn’t merely drop messages that are non-conforming with policy: the defense system typically disconnects the compromised ECU from the bus.
Other technologies rely on cryptography with a central management system combined with the ability to destroy unwanted packets. However, the cryptography requires complex key management, and the ability to destroy messages requires violating the CAN protocol rules, which implies using a custom CAN controller (hardware).
Unlike previous solutions that require a modified controller (since they violate the CAN bus protocol), our novel approach is able to shut down the attacker while obeying the protocol rules.

In conclusion: our solution can work with any network topology, does not rely on any cryptography, and works entirely within the rules of the CAN protocol, so it can be deployed as a software-only update, making it a low-cost method that can be deployed relatively quickly.

Key Advantages:
• Software only
• Fast Deployment
• Reduced Cost & Complexity
• No requirement for special hardware
• No modification to current hardware
• No change in Network topology
• CAN bus type intolerant
• Improved efficiency

Comparison Table:

STATUS
Laboratory proof of concept – The technology was implemented and tested for its “behavior” in detailed experiments. With ‘CAN’ controllers that are able to transmit fast enough, it was successful in disabling the attacking ECU in 100% of experiments. For slower controllers, if the combination of benign CAN traffic, this system’s defense, and a helper ECU’s traffic produces a well-timed pulse of high-enough bus load, the system is able to block the cyber-attack.

INTELLECTUAL PROPERTY
• ANTI-SPOOFING DEFENSE SYSTEM FOR A CAN BUS, US granted patent, US2018/0025156
• ANTI-SPOOFING DEFENSE SYSTEM FOR A CAN BUS, US granted patent, US-2020-0226252
