A Software Only Anti-Spoofing Defense System for In-Car CAN Bus Networks
Modern cars have multiple dedicated computers under the hood called “electronic control units” (ECUs). These ECUs control many aspects of the car’s operation and are connected to each other in a network that typically uses the CAN bus protocol, a serial protocol with no security components. Replacing CAN bus with another technology may not be an option, due to the huge investment made by manufacturers and the time it typically takes until cars are scrapped. Therefore, it is an important goal to improve the security stance of cars within the limitations of the CAN bus. The researcher has developed an anti-spoofing defense system for the CAN bus that complies with the CAN bus protocol and hence can be added as a software-only patch to standard ECUs. The system can both detect and potentially block some spoofing attacks.
UNMET NEED
CAN bus is a simple serial protocol with no security components: it was designed under the assumption that all ECUs are legitimate, trustworthy, and operating according to their specifications. However, over the last few years, researchers have shown that some ECUs are vulnerable to attack. Since the CAN bus itself offers no protection, an attack on one ECU immediately allows lateral movement to other, more critical, ECUs: the subverted ECU can trivially spoof (masquerade as) any other ECU and cause significant damage.
Replacing CAN bus with another technology may be a good idea. However, due to the huge investment made by manufacturers and the time it typically takes until cars are scrapped, it is an important goal to improve the security stance of cars within the limitations of CAN bus.
A new and relatively cheap solution that does not require any special hardware can possibly serve this important goal.
OUR SOLUTION
The researchers have developed a software only anti-spoofing defense system for the CAN bus.
If an attacker compromises one of the car’s electronic control units (ECUs) and from there tries to attack another, more critical, ECU, the system can attempt to block this lateral movement.
Unlike previous firewall- or cryptography-based solutions, spoofed messages are identified and destroyed by the legitimate owner of the message ID, which can always detect a spoofed broadcast of a message carrying one of its IDs. The technology is not only potentially able to destroy messages that do not conform to policy, but also to disconnect the compromised ECU from the bus, even if only temporarily, by sending its CAN controller into the bus-off state.
This is done by launching a counter-attack consisting of a short pulse of defending messages, transmitted at maximum speed. The counter-attack aims to collide with the attacker’s second spoofed message, destroy it, and send the attacker’s CAN controller into the bus-off state.
Unlike previous solutions that require a modified controller (since they violate the CAN bus protocol), our solution shuts down the attacker while obeying the protocol rules. Hence, it can be added as a software-only patch to any standard ECU.
The mechanism was tested in a lab using several USB-CAN devices under different scenarios, including some with benign CAN traffic. The system was able to block the attack and send the masquerading ECU into a bus-off state in most cases.
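To make the mechanism concrete, here is an added, simplified Python model of the two ingredients it relies on: ID-ownership spoof detection, and the CAN error-confinement counters that turn repeated transmit errors into a bus-off state. This is illustration code written for this page, not the Parrot code and not the patented implementation. It assumes the CAN 2.0 counter rules (the transmit error counter grows by 8 per transmit error, shrinks by 1 per successful transmission, and the node goes bus-off above 255) and, as a deliberate simplification, charges every collision in the defense burst to the attacker's controller only. The names `CanController`, `OwnerEcu`, `simulate_spoofing_defense`, the ID 0x123 and the frame contents are constructed for the example.

```python
"""Simplified model of ID-ownership spoof detection plus CAN error
confinement. Added illustration only: not the Parrot code and not the
patented implementation. Constants follow the CAN 2.0 error-confinement
rules; the collision model is a deliberate simplification (see below)."""

ERROR_PASSIVE_THRESHOLD = 127  # TEC > 127: controller becomes error-passive
BUS_OFF_THRESHOLD = 255        # TEC > 255: controller goes bus-off
TEC_TX_ERROR_STEP = 8          # transmitter's TEC += 8 on a transmit error
TEC_TX_SUCCESS_STEP = 1        # TEC -= 1 on each successful transmission


class CanController:
    """Transmit error counter (TEC) and resulting error state of one node."""

    def __init__(self, name):
        self.name = name
        self.tec = 0
        self.bus_off = False

    def on_tx_error(self):
        if self.bus_off:
            return  # a bus-off node does not transmit, so it cannot err
        self.tec += TEC_TX_ERROR_STEP
        if self.tec > BUS_OFF_THRESHOLD:
            self.bus_off = True

    def on_tx_success(self):
        if self.tec > 0:
            self.tec -= TEC_TX_SUCCESS_STEP

    @property
    def state(self):
        if self.bus_off:
            return "bus-off"
        if self.tec > ERROR_PASSIVE_THRESHOLD:
            return "error-passive"
        return "error-active"


def tx_errors_to_bus_off(tec=0):
    """Consecutive transmit errors needed to push TEC from `tec` past 255."""
    return max(0, (BUS_OFF_THRESHOLD - tec) // TEC_TX_ERROR_STEP + 1)


class OwnerEcu:
    """ECU that owns a set of CAN IDs. Because CAN is a broadcast bus it
    sees every frame; a frame carrying one of its IDs that it did not
    transmit itself can only have come from another node, i.e. a spoof."""

    def __init__(self, name, owned_ids):
        self.ctrl = CanController(name)
        self.owned_ids = set(owned_ids)
        self.in_flight = []   # frames this ECU queued and has not yet seen echoed
        self.alerts = []      # spoofed frames detected

    def transmit(self, can_id, data):
        frame = (can_id, bytes(data))
        self.in_flight.append(frame)
        return frame

    def observe(self, frame):
        """Return True if `frame` is a spoof of one of this ECU's IDs."""
        can_id, _ = frame
        if frame in self.in_flight:
            self.in_flight.remove(frame)   # echo of our own transmission
            return False
        if can_id in self.owned_ids:
            self.alerts.append(frame)      # another node used our ID
            return True
        return False


def simulate_spoofing_defense(n_spoof_attempts, spoofed_id=0x123):
    """Attacker repeatedly sends frames with an ID owned by `defender`.
    The first spoof is delivered (nobody was defending yet) and detected;
    from the second spoof on, the defender's burst collides with each
    attempt. Simplification: every collision is counted as a transmit
    error of the attacker's controller only."""
    attacker = CanController("attacker")
    defender = OwnerEcu("defender", owned_ids={spoofed_id})
    delivered = collisions = 0
    for _ in range(n_spoof_attempts):
        if attacker.bus_off:
            break                              # attacker is off the bus
        spoof = (spoofed_id, bytes([0xFF]))    # constructed spoofed frame
        if not defender.alerts:
            delivered += 1
            attacker.on_tx_success()
            defender.observe(spoof)            # detection happens here
        else:
            collisions += 1
            attacker.on_tx_error()             # frame destroyed, TEC += 8
    return {"delivered": delivered, "collisions": collisions,
            "alerts": len(defender.alerts), "attacker_state": attacker.state}


if __name__ == "__main__":
    print(tx_errors_to_bus_off())             # 32 errors from a clean start
    print(simulate_spoofing_defense(40))
```

Running the simulation shows the arithmetic behind the counter-attack: from a clean counter, the burst has to inflict 32 consecutive transmit errors before the attacker's controller goes bus-off, which is why the defender's own transmission speed and the bus load matter. What the model leaves out, and what the lab results for fast versus slow controllers are about, is that on a real bus the defender's counter and benign traffic also take part in the exchange.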
Comparison with competing technologies:
Firewall-based solutions can contribute a lot to the overall security of a vehicle but typically depend on the network topology. Changing the network topology of existing or already-designed vehicles may be impossible or relatively expensive. In addition, a firewall-based solution may not be able to protect ECUs that are “on the same side” of the firewall from each other.
Unlike other intrusion detection systems that rely on pattern recognition and possibly depend on an external (e.g., cloud-based) server, attack messages are immediately identified by the legitimate owner of the message ID. Hence the system has the potential for a 100% success rate and no false alarms in the detection phase. Being independent and local can also give the system (the Parrot) some advantage in resilience (e.g., against external communication problems).
Other solutions that rely on cryptography for authentication typically require key management, which may be complex and/or expensive to implement (e.g., special hardware, serialization).
Our solution is not only able to detect spoofed messages but also potentially to destroy consecutive spoofed messages and to disconnect the compromised ECU from the bus, even if only temporarily, by sending its CAN controller into the bus-off state.
In conclusion, our solution can work with any network topology, does not rely on any cryptography, and works entirely within the rules of the CAN protocol, so it can be deployed as a software-only update, making it a low-cost method that can be deployed relatively quickly.
Key potential Advantages:
• Software only
• Fast Deployment
• Reduced Cost & Complexity
• No requirement for special hardware
• No modification to current hardware
• No change in Network topology
• No false alarms
Comparison Table:
STATUS
Laboratory proof of concept – The technology was implemented and its behavior tested in detailed experiments. With CAN controllers that are able to transmit fast enough, it succeeded in disabling the attacking ECU in 100% of experiments. For slower controllers, if the combination of benign CAN traffic, this system’s defense, and a helper ECU’s traffic produces a well-timed pulse of high enough bus load, the system is able to block the cyber-attack in most cases.
INTELLECTUAL PROPERTY
• ANTI-SPOOFING DEFENSE SYSTEM FOR A CAN BUS, US granted patent, US2018/0025156
• ANTI-SPOOFING DEFENSE SYSTEM FOR A CAN BUS, US granted patent, US-2020-0226252