DOI: 10.1145/3098954.3103174

DoS Attacks on Controller Area Networks by Fault Injections from the Software Layer

Published: 29 August 2017

Abstract

The Controller Area Network (CAN) is still the most widely employed bus in the automotive sector. Its lack of security mechanisms led to a high number of attacks, and consequently several security countermeasures were proposed, i.e., authentication protocols or intrusion detection mechanisms. We discuss vulnerabilities of the CAN data link layer that can be triggered from the application level with the use of an off-the-shelf CAN transceiver. Namely, due to the wired-AND design of the CAN bus, dominant bits will always overwrite recessive ones, a functionality normally used to assure priority for frames with low-value identifiers. We exploit this characteristic and show Denial of Service attacks both on senders and receivers based on bit injections by using bit banging to maliciously control the CAN transceiver. We demonstrate the effects and limitations of such attacks through experimental analysis and discuss possible countermeasures. In particular, these attacks may have high impact on centralized authentication mechanisms that were frequently proposed in the literature, since these attacks can place monitoring nodes in a bus-off state for certain periods of time.

Published In

ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security
August 2017
853 pages
ISBN:9781450352574
DOI:10.1145/3098954

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Controller Area Network
  2. DoS
  3. bit banging
  4. fault injection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • CNCS-UEFISCDI

Conference

ARES '17
ARES '17: International Conference on Availability, Reliability and Security
August 29 - September 1, 2017
Reggio Calabria, Italy

Acceptance Rates

ARES '17 Paper Acceptance Rate 100 of 191 submissions, 52%;
Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months)28
  • Downloads (Last 6 weeks)4
Reflects downloads up to 16 Feb 2025

Cited By

  • (2024) ERACAN: Defending Against an Emerging CAN Threat Model. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 1894-1908. DOI: 10.1145/3658644.3690267. Online publication date: 2-Dec-2024
  • (2024) PE-Detector: Intrusion Detection of Periodic and Event Message Attacks on Controller Area Networks. IEEE Transactions on Vehicular Technology 73:12, 19374-19388. DOI: 10.1109/TVT.2024.3438929. Online publication date: Dec-2024
  • (2024) From Weeping to Wailing: A Transitive Stealthy Bus-Off Attack. IEEE Transactions on Intelligent Transportation Systems 25:9, 12066-12080. DOI: 10.1109/TITS.2024.3377179. Online publication date: Sep-2024
  • (2024) In-vehicle communication cyber security. Vehicular Communications 50:C. DOI: 10.1016/j.vehcom.2024.100846. Online publication date: 1-Dec-2024
  • (2024) Application layer security for Internet communications. Computers and Electrical Engineering 119:PA. DOI: 10.1016/j.compeleceng.2024.109498. Online publication date: 1-Oct-2024
  • (2023) ZBCAN. Proceedings of the 32nd USENIX Conference on Security Symposium, 6893-6910. DOI: 10.5555/3620237.3620623. Online publication date: 9-Aug-2023
  • (2023) Enhancing In-Vehicle Network Security Through Bitstream Feature Extraction-Based Intrusion Detection. Proceedings of the 2023 Fifteenth International Conference on Contemporary Computing, 224-229. DOI: 10.1145/3607947.3607989. Online publication date: 3-Aug-2023
  • (2023) CAD Support for Security and Robustness Analysis of Safety-critical Automotive Software. ACM Transactions on Cyber-Physical Systems 7:1, 1-26. DOI: 10.1145/3571287. Online publication date: 20-Feb-2023
  • (2023) Real Time Perfect Bit Modification Attack on In-Vehicle CAN. IEEE Transactions on Vehicular Technology 72:12, 15154-15171. DOI: 10.1109/TVT.2023.3295695. Online publication date: Dec-2023
  • (2023) Security assessment of in-vehicle communication protocols. Vehicular Communications 44 (100639). DOI: 10.1016/j.vehcom.2023.100639. Online publication date: Dec-2023