Nowadays, technological evolution enables an increasingly pervasive interconnection between automobiles and digital devices. Automotive manufacturers have developed a variety of innovative features, such as smart transportation data assistants, by leveraging network connectivity such as vehicle-to-vehicle communication. While these features greatly improve the customer experience, Electronic Control Units (ECUs) that are externally accessible provide an entry point for an adversary to infiltrate the originally isolated in-vehicle communication network, notably the Controller Area Network (CAN) [19, 3]. Since the CAN bus is a broadcast medium without authentication, a compromised ECU can masquerade as any targeted ECU by transmitting messages with the forged message ID (masquerade attack). Modern externally accessible ECUs with additional connectivity interfaces such as cellular, Wi-Fi or Bluetooth break the closed in-vehicle network assumption. Consequently, the CAN bus is vulnerable to cyber attacks such as disabled brakes and remotely controlled steering. Despite the well-known security vulnerabilities of the CAN bus, its widespread use imposes an urgent need for security solutions that guarantee the functionality and safety of today’s automobiles and tomorrow’s autonomous cars [2, 37].
The use of cryptographic primitives, such as message authentication, represents one possible way to defend against CAN bus attacks (notably the masquerade attack). However, due to the low throughput and tight bit budget of the CAN protocol, it is challenging to deploy cryptographic schemes in practice, and current solutions, such as [36, 17, 23, 29], would require protocol modifications or introduce traffic overheads. An alternative is to deploy anomaly-based Intrusion Detection Systems (IDSs) without modifying the CAN protocol [5, 28, 6, 8], including timing-based and voltage-based IDSs. The timing-based IDS in  exploits CAN message periodicity to estimate clock skew as a unique fingerprint to detect masquerade attacks. Nevertheless, it was later shown to be ineffective against the cloaking attack, which modifies the inter-transmission time to emulate the clock skew of the targeted ECU [31, 38]. The voltage-based IDSs [27, 6, 8, 20] attempt to fingerprint the attacker through voltage signal characteristics. However, if the attacker uses IDs that the compromised ECU is allowed to use under normal conditions, the attack will not be detected.
In this work, we present TACAN, a novel security framework that allows a centralized, trusted Monitor Node (MN) to verify the authenticity of a transmitting ECU and detect CAN bus anomalies. Fig. 1 highlights the main idea of our TACAN framework. In TACAN, a master key is shared between an ECU and the MN for generating shared session keys. Consistently with [17, 29, 36], we assume that the keys are stored in the tamper-resistant memory of a security module such as the Trusted Platform Module (TPM). The ECU embeds unique authentication messages into CAN messages and continuously transmits them through covert channels, which can be received and verified by the MN.
Therefore, if the attacker has no access to the TPM of the targeted ECU, it cannot use the compromised ECU or external device to generate valid authentication messages, thus causing verification failures and triggering the alarm at the MN side. Moreover, CAN bus attacks, such as the suspension and injection attacks, that interrupt the transmission of normal CAN messages with embedded authentication messages will cause continuous authentication message loss or reception failures, and therefore they will be detected by TACAN. The main benefits of using covert channels for TACAN are that they do not introduce protocol modifications or traffic overheads (i.e., extra bits or messages). In addition, by requiring ECUs to transmit authentication messages much less frequently than per-message authentication schemes, TACAN can significantly reduce the computational burden of the resource-constrained ECUs.
Contributions: In this paper, we make the following contributions:
We identify and exploit covert channels to facilitate ECU authentication on the CAN bus. Hence, covert channels are used for security instead of malicious communication.
We propose TACAN and three novel covert channels for authentication message transmission: 1) the IAT (Inter-Arrival Time)-based covert channel, which modifies the inter-transmission times (ITTs) of normal CAN messages to affect the IATs observed by the MN; 2) the LSB (Least Significant Bit)-based covert channel, which hides the authentication bits in the LSBs of the data payload of normal CAN messages; 3) a hybrid covert channel that combines the first two.
For the IAT-based covert channel, we analyze and model the bit error probability as a function of covert channel parameters. We also study its impact on the CAN bus schedulability in terms of the worst-case response time.
We validate TACAN and the covert channels on the UW EcoCAR. We also conduct extensive experiments to evaluate the performance of TACAN using the EcoCAR testbed as well as the publicly available Toyota dataset. Our results show that with a properly configured IAT-based covert channel, the experimental bit error probabilities are within 0.3%. As for the LSB-based covert channel, its bit error probability is equal to that of a typical CAN bus, which is %. The hybrid covert channel generally leads to higher channel and authentication throughput. We also show that our TACAN-based detector can detect CAN bus attacks with a very high detection probability, while keeping the false alarm probability below 0.33% by setting the detection threshold to or higher.
2 Related Work
Recent experimental studies have demonstrated that an attacker is able to infiltrate in-vehicle ECUs physically or remotely and mount cyber attacks that would cause potentially life-threatening consequences by disabling brakes or overriding steering [25, 4]. One way to secure the CAN bus is to deploy anomaly-based IDSs based on traffic analysis (e.g., timing/frequency ), entropy , or physical invariants such as clock skew  and voltage signal characteristics [27, 6, 8, 20]. For clock skew-based IDSs, it has been shown in [31, 38] that the adversary can effectively manipulate the timing of transmitted messages to emulate the clock skew of the targeted ECU and evade the detection. While voltage-based IDSs are effective against ongoing masquerade attackers, they cannot detect a compromised ECU before attacks are launched (e.g., a stealthy attacker may not launch the attack until the car is in drive mode). In addition, it has been recently shown in  that the extra wires required by voltage-based IDSs may introduce new attack surfaces.
Researchers have also proposed to add cryptographic primitives such as Message Authentication Code (MAC) to the CAN bus, including CANAuth , LCAP , CaCAN , and LeiA . Nevertheless, the deployment of the above schemes faces several practical challenges. First, the CAN protocol has a tight bit budget for each CAN frame (up to 8 bytes for payload) and a low bus speed (typically 500 kbps). As a result, authentication information will have to consume space in the CAN message such as the ID or data field or introduce additional CAN messages, which leads to traffic overheads or an increase in the bus load [17, 23, 29]. Second, it is also computationally expensive for resource-constrained ECUs to perform cryptographic calculations for each message. In this work, we focus on transmitter authentication by having each ECU transmit unique authentication messages as its digital fingerprint. The main novelty of this work is the use of covert channels, a well-known malicious technique that is converted into defensive applications for authentication purposes. By leveraging covert channels as out-of-band channels, our scheme can avoid traffic overheads without requiring protocol modifications.
In the literature, a covert channel refers to a type of cyber-attack that maliciously transfers information between two possibly malicious entities by exploiting communication channels that are not intended for information transfer. Covert channels have been widely studied in computer network protocols. Broadly speaking, there are two categories of covert channels: timing-based and storage-based. In timing-based covert channels, only the timing of events or traffic is modified to transfer information, while the data contents remain intact. Storage-based covert channels hide data in a shared resource (e.g., a storage location).
Recently, researchers have started exploring covert channels in the context of embedded networks. In , Taylor et al. discussed the use of covert channels for integrity checks in the Modbus/TCP protocol used by industrial control system applications. In , Groza et al. proposed a time-covert authentication scheme for the CAN protocol, which uses fine-grained timing control to embed authentication information in clock skews. However, timing control on the order of tens of nanoseconds is challenging in practice, and the proposed scheme is very sensitive to message priority and traffic. In addition, since the clock skew needs to be estimated from the arrival times of many CAN messages, this seems to contradict the proposed scheme, which performs authentication for each CAN message.
In this paper, we develop three practical covert channels for transmitter authentication on the legacy CAN bus, based on the periodicity of CAN messages and on the bit representation of floating-point sensor values. We also evaluate the proposed covert channels using CAN traffic data collected from real vehicles.
3 System and Adversary Models
|Master key (MK) for message ID|
|Session key (SK) for message ID|
|Session key counter for message ID|
|Authentication message counter for message ID|
|CAN message period (sec)|
|Clock skew (ppm)|
|Transmit time of the -th CAN message|
|Arrival time of the -th CAN message|
|Noise in the arrival time of the -th CAN message|
|Inter-transmission time (ITT) between the -th and the -th messages|
|Inter-arrival time (IAT) between the -th and the -th messages|
|The -th sample of averaged IATs|
|Deviation (added to ITTs at the transmitter side)|
|Window length or number of least significant bits|
|Mean and standard deviation of IATs|
3.1 System Model
CAN bus. The CAN bus is a broadcast medium that allows all connected ECUs to communicate with each other and observe all CAN message transmissions. As shown in Fig. 2, each CAN frame or message has a set of predefined fields, including the Start of Frame (SOF) field, the Arbitration field (including an 11-bit message ID for the base frame format or a 29-bit message ID for the extended frame format), the Control field, the Data field (up to 8 bytes), the Cyclic Redundancy Check (CRC) field, the Acknowledgement (ACK) field, and the End of Frame (EOF) field.
When two (or more) ECUs attempt to transmit messages at the same time, a procedure based on priority (a smaller message ID indicates a higher priority) called arbitration is used to determine the winner. Besides, CAN messages do not have transmit timestamps and do not support encryption or authentication.
Clock skew. On automotive CAN buses, the majority of CAN messages are transmitted periodically as per ECUs’ local clocks (see footnote 1), and there is no clock synchronization in CAN. Hence, the frequencies of local clocks are different, as captured by the notion of clock skew, a physical property caused by variations in the clock’s hardware crystal.
Footnote 1: In the UW EcoCAR (Chevrolet Camaro 2016), all of the 89 messages with distinct IDs are periodic, with periods ranging from 10 ms to 5 sec. In the Toyota Camry 2010, 39 of 43 messages can be considered periodic. In the Dodge Ram Pickup 2010 in , all of the 55 distinct messages are periodic. While CAN message periodicity depends on the manufacturer and the model, the above examples suggest that periodic CAN messages are very common and even dominant on the CAN bus of commercial automobiles.
Let be the time reported by clock and be the true time. According to the Network Time Protocol (NTP), the clock offset of clock A is defined as , and the clock skew is the first derivative of the clock offset, i.e., , which is measured in microseconds per second (μs/s) or parts per million (ppm). In the absence of a true clock, the relative clock offset and relative clock skew can be defined with respect to a reference clock. Throughout this paper, we consider the receiving ECU’s clock as the reference clock. Hence, we refer to the relative clock offset and the relative clock skew as clock offset and clock skew, respectively.
Timing model. As shown in Fig. 3, we let be the transmit time of message (assuming ) and be the inter-transmission time (ITT) according to the transmitter’s clock. If messages are periodically transmitted every seconds, we have and . In the ideal case where the transmitter’s clock is synchronized with the receiver’s clock, we have , where is the transmit time according to the receiver’s clock. Nevertheless, in practice, there exists a clock skew in the transmitter’s clock relative to the reference clock, which introduces an offset between the two clocks. Hence, the actual transmit time is according to the reference clock.
While the clock skew may be slowly varying due to factors including the temperature, it is almost constant over a short duration. Given a clock skew , the relationship between the elapsed time in the transmitter’s clock and the elapsed time in the receiver’s clock is . Hence, we have , and . To capture random jitters, we assume , where ’s are i.i.d. zero-mean random variables.
After a random network delay of (due to message transmission, propagation, arbitration, and reception) and the zero-mean quantization noise , the arrival time of message is
where is the total noise in the arrival timestamp. Since periodic CAN messages have the same message ID and data length over time, it is reasonable to assume constant-mean network delays, i.e., . Hence, ’s can be modeled as i.i.d. random variables with a mean of
and a variance of.
Denote the inter-arrival time (IAT) between messages and as , which is given by
where is the noise term. For messages that are transmitted every seconds, we have . Hence, the IATs have a mean of
and a variance of
When the clock skew is small (in the order of 100s of ppm), the impact of clock skew is negligible, and we have .
3.2 Adversary Model
We consider an adversary who attempts to infiltrate the CAN bus and launch stealthy attacks without being detected. We assume that the adversary can passively monitor the CAN bus and observe all ongoing CAN transmissions. It has full knowledge of the deployed covert channels and thus can observe all authentication messages that are being transmitted. In practice, there are usually two ways of gaining unauthorized access to the CAN bus: 1) compromise an in-vehicle ECU physically or remotely, or 2) connect an external device (a malicious ECU) to the CAN bus. We assume that the adversary has no access to the keys stored in the TPM of the compromised ECU or of other legitimate ECUs.
The adversary can use the compromised or malicious ECU to perform three representative attacks: 1) suspension attack, 2) injection attack, and 3) masquerade attack, as considered in [24, 5, 31]. As illustrated in Fig. 3(a), a suspension attacker prevents the compromised ECU from transmitting certain messages, whereas an injection attacker fabricates and injects CAN messages of arbitrary choices of message ID, content, and timing, as sketched in Fig. 3(b). Injection attacks can lead to more sophisticated attacks such as the DoS attack  and the bus-off attack . In the masquerade attack, the adversary will need to compromise two ECUs – one is weakly compromised and acts as the weak attacker who can only launch suspension attacks, whereas the other one is fully compromised and acts as the strong attacker who can launch both suspension and injection attacks. In the example in Fig. 3(c), the adversary suspends the weakly compromised from transmitting messages with ID=0x22 and uses the fully compromised to inject messages with ID=0x22 claiming to originate from . Compared to the suspension and injection attacks, the masquerade attack is stealthier and thus more difficult to detect.
In this section, we present the architecture (Section 4.1) and the transmitter authentication protocol of TACAN (Section 4.2). We then present three covert channels for transmitting authentication messages: 1) IAT-based (Section 4.3), 2) LSB-based (Section 4.4), and 3) hybrid (Section 4.5).
4.1 TACAN architecture
As illustrated in Fig. 5, TACAN consists of in-vehicle ECUs and a centralized, trusted Monitor Node (MN). The MN is installed by the manufacturer during production and requires direct physical access by authorized parties (e.g., an authorized repair shop) to prevent potential tampering and compromises. The deployed covert channels are configured during production or re-configured during maintenance to ensure successful establishment of one-way communication of authentication information from ECUs to the MN.
Similar to [17, 29, 36], we assume that a master key (MK) is pre-shared between each ECU and the MN, and it is stored in the TPM. Updating of MKs (e.g., when adding or replacing an ECU) should again require direct physical access by authorized parties to the involved ECUs. The procedure of key updating is outside the scope of this paper. During operation, the ECU and the MN will generate the same session key (SK) from the MK and the synchronized SK counter, and further use it to generate and verify authentication messages, respectively. We now describe the transmitter authentication protocol in more detail.
4.2 Transmitter Authentication Protocol
Inspired by the work in , the MN in TACAN performs unidirectional authentication of ECUs. In this section, we summarize the key protocol parameters and describe the procedures of session key generation as well as authentication message generation and verification.
Authentication protocol parameters. In TACAN, both the ECU that transmits CAN messages with ID or priority equal to  (in our earlier work , we assumed one message ID per ECU; in practice, however, an ECU may transmit CAN messages with different IDs, in which case TACAN needs to be deployed for each message ID) and the MN store a tuple , where
The master key is a long term pre-shared key that is used to generate the session key;
The session key counter is a counter that is incremented by one at every vehicle start-up or when overflows; it is used to generate the session key;
The session key is a key used to generate authentication messages for CAN messages with ID=;
The authentication message counter is a counter that is incremented by one before being used to generate the next authentication message.
We assume that , and are securely stored in the TPMs of both the ECU and the MN.
Session key generation. The session key generation function takes a master key and a session key counter as input and outputs a session key (Fig. 6).
As we can see, both the ECU and the MN first increment by one, i.e., . Then, they perform the following operation on using ,
where refers to the Hash-based Message Authentication Code (HMAC) algorithm . Implementations of the protocol are free to use any hash function for HMAC and any key sizes that are deemed strong enough; one possible choice is HMAC-SHA256 with 256-bit keys. When a new session key is generated, is reset to zero.
In the case of de-synchronized session key counters, a re-synchronization procedure such as the one in  will be needed, which may require message exchange between the ECU and the MN. The detailed design of such procedure is beyond the scope of this work.
Authentication message generation. As shown in Fig. 7, the ECU that uses message ID increments by one and then generates the authentication message as follows:
where “” denotes the concatenation of the counter value and the digest. For the scope of this work, we assume that keys, counter values, and digests for TACAN are represented as bit strings.
The generated authentication message is then transmitted using the covert channel and received by the MN. Next, we describe the verification procedure that happens on the MN side.
Authentication message verification. Algorithm 1 describes the authentication message verification procedure. For each received authentication message , the MN first extracts the counter value and the corresponding digest (Line 1). Then the MN increments its authentication message counter by one and compares it against (Lines 1-1). If the counter values are the same, the MN computes the expected digest (Line 1) and compares it against (Line 1). If the digests are the same, the algorithm returns True, which indicates successful authentication message verification. On the other hand, the mismatch of either the counter values or the digests means verification failure and indicates a possible CAN bus anomaly.
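The session key generation (Fig. 6), authentication message generation (Fig. 7, Eq. (5)) and verification (Algorithm 1) described above, as an added Python example that is not part of the paper's implementation. It assumes HMAC-SHA256 with 256-bit keys (the choice suggested above), a 24-bit authentication counter, a digest computed over the counter under the session key and truncated to 64 bits, and an MN that commits its counter only after a successful check; the master key is a constructed value.

```python
import hashlib
import hmac

COUNTER_BYTES = 3   # 24-bit authentication message counter, as assumed in Section 4.2
DIGEST_BYTES = 8    # assumption: digest truncated to 64 bits before transmission


class TacanEndpoint:
    """Per-message-ID state kept by both the ECU and the MN: master key, session key,
    session key counter and authentication message counter (the paper's tuple)."""

    def __init__(self, master_key: bytes):
        self.mk = master_key
        self.sk = b""
        self.sk_counter = 0
        self.auth_counter = 0

    def new_session(self) -> bytes:
        """Session key generation (Fig. 6): both sides increment the SK counter,
        derive SK = HMAC-SHA256(MK, counter) and reset the authentication counter."""
        self.sk_counter += 1
        self.sk = hmac.new(self.mk, self.sk_counter.to_bytes(4, "big"), hashlib.sha256).digest()
        self.auth_counter = 0
        return self.sk


def auth_digest(sk: bytes, counter: bytes) -> bytes:
    """Assumption: the digest is HMAC-SHA256 of the counter under the session key, truncated."""
    return hmac.new(sk, counter, hashlib.sha256).digest()[:DIGEST_BYTES]


def generate_auth_message(ecu: TacanEndpoint) -> bytes:
    """ECU side (Fig. 7): increment the counter and emit counter || digest (Eq. (5))."""
    ecu.auth_counter = (ecu.auth_counter + 1) % (1 << (8 * COUNTER_BYTES))
    counter = ecu.auth_counter.to_bytes(COUNTER_BYTES, "big")
    return counter + auth_digest(ecu.sk, counter)


def verify_auth_message(mn: TacanEndpoint, message: bytes) -> bool:
    """MN side (Algorithm 1): split counter and digest, check that the counter is the next
    expected value, recompute the digest and compare it in constant time. A mismatch of either
    indicates a possible CAN bus anomaly. Assumption: the MN's counter is only committed on success,
    so a single bad frame does not desynchronise the two counters."""
    if len(message) != COUNTER_BYTES + DIGEST_BYTES:
        return False
    counter, digest = message[:COUNTER_BYTES], message[COUNTER_BYTES:]
    expected_counter = (mn.auth_counter + 1) % (1 << (8 * COUNTER_BYTES))
    if int.from_bytes(counter, "big") != expected_counter:
        return False
    if not hmac.compare_digest(auth_digest(mn.sk, counter), digest):
        return False
    mn.auth_counter = expected_counter
    return True


if __name__ == "__main__":
    mk = bytes(range(32))                      # constructed 256-bit master key
    ecu, mn = TacanEndpoint(mk), TacanEndpoint(mk)
    ecu.new_session(), mn.new_session()
    msg = generate_auth_message(ecu)
    print("fresh message verifies:", verify_auth_message(mn, msg))
    print("replayed message verifies:", verify_auth_message(mn, msg))
```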
Authentication frame structure. In TACAN, authentication messages are independent of CAN messages. They are encapsulated in authentication frames and transmitted through the covert channel. Each authentication frame consists of four fields: 1) a SOF field, 2) a Data field, 3) a CRC field, and 4) EOF field. The SOF and EOF fields indicate the start and the end of an authentication frame, and the CRC field is used for error detection and ensures data integrity.
Inspired by the CAN frame structure (Fig. 2), we use a single bit 0 for the SOF and a bit string of 7 consecutive 1’s for the EOF. We use an 8-bit CRC (CRC-8), which is also part of the AUTOSAR specifications , although more CRC bits may be used if needed. Compared to the CAN frame, there are no arbitration, control, or ACK fields in the authentication frame, as they are no longer needed. When there are no authentication bits to transmit, bits of value one are transmitted to fill the gap between frames.
In order to avoid confusion due to possible appearances of the EOF in the frame, the bit stuffing technique will also be used, which inserts one bit of opposite polarity after five consecutive bits of the same polarity (including the preceding stuffed bit). The stuffed frame can then be destuffed by the receiver. Note that the same bit stuffing technique is also used in the CAN protocol to maintain bit-level timing synchronization.
As shown in Eq. (5), each authentication message contains a counter value and its digest. A 24-bit counter can already last for 46+ hours for 10-ms CAN messages before overflowing, even with per-message authentication. While we assume a 24-bit counter in this work, fewer bits may be used in practice for two reasons. First, authentication messages in TACAN are transmitted at a much lower frequency, which means that a counter overflow takes much longer. Second, since it is a monotonic counter incremented by one for every frame, the transmitter may transmit only the last few bits of the counter value to keep the receiver synchronized in the case of occasionally corrupted frames.
As for the digest, instead of transmitting the entire digest, which is usually hundreds of bits long, the transmitter may truncate each digest to several bits to reduce the transmission time (e.g., using the least significant 8 bits or XORing all bytes together to create a condensed 8-bit version of the digest, as in [23, 34]). In practice, the number of bits in the shortened version should be chosen appropriately to achieve the desired security level.
4.3 IAT-Based Covert Channel
Fig. 8 illustrates the IAT-based covert channel for periodic CAN messages. In this covert channel, the ECU embeds the authentication bits into the ITTs of CAN messages, which can be extracted from the IATs by the MN. By verifying the received authentication message, the MN can authenticate the transmitter.
In the rest of this section, we will first motivate the design of the IAT-based covert channel through observations, and then present the modulation/demodulation schemes. After that, we will discuss the impact of two key parameters, that is, the window length and the added deviation on the bit error probability and the CAN bus schedulability.
Observations. From Eq. (2), we observe that if an amount of deviation is added to (or subtracted from) the ITTs, the receiver will see a corresponding change in the IATs. Hence, one simple scheme is to set for transmitting a bit and for transmitting a bit .
Taking message 0x020 from the 2010 Toyota Camry  as an example, we plot its IAT distributions with added deviations in Fig. 8(a), where ms and ms. While adding a small deviation does lead to a shift in the IAT distribution, the two distributions are still overlapping with each other, indicating possible bit errors due to the noise caused by the CAN traffic.
In order to reduce bit errors, one way is to average the IATs with a window length of at the receiver to smooth out the noise. As we can see in Fig. 8(b), performing running averages can effectively separate the two clusters from each other. To support the computation of running averages at the receiver, the transmitter needs to transmit the same bit over consecutive ITTs. The above observations motivate the design of the IAT-based covert channel.
Note that when the probability of bit errors is reasonably small, one may also consider Error Correction Coding (ECC) techniques that are widely used in communications  to detect and recover occasional bit errors. Nevertheless, the use of ECC techniques will complicate the design of covert channels and introduce overheads. As we will show later in Section 5, since the probability of consecutive corrupted authentication frames is small, it is acceptable to not recover the bit errors in a particular frame.
Modulation. The transmitter uses the following modulation scheme to embed a bit into the ITTs of CAN messages,
where . This is essentially Binary Phase Shift Keying (BPSK) modulation from communication theory . While more than two levels could be used to increase the throughput, we consider only two levels in this work to minimize the impact on the CAN bus schedulability.
Demodulation. From Eq. (2), we know that the original IATs are . When is changed to , the receiver will observe
where is the transmitted bit and . In this work, we assume that ’s are i.i.d. Gaussian random variables, i.e., . Hence, we have , where .
In order to demodulate the authentication message from the IATs, the MN needs to perform three steps: 1) computing running averages, 2) sampling, and 3) thresholding. In the first step, the MN computes the running averages of window length as below,
From Eq. (6), we can see that the noise term is reduced by a factor of and the resulting variance of IATs is .
After computing the running averages , the MN needs to sample every values with the correct sampling offset and obtains . From communication theory , we know that the optimal receiver minimizes the bit error probability by selecting the output that maximizes . If we assume that bits 0 and 1 are transmitted with equal probabilities, then the maximum likelihood decision criterion is
where (Eq. (3)), that is, the decision threshold is the mean of original IATs or the observed message period. Lastly, the MN can decode from the bit string .
Note that it is not necessary for the receiver to be synchronized with the transmitter for the sampling purposes, because the receiver can determine the correct sampling offset by itself as follows,
where . That is, is the integer value that maximizes the total distance between each sample and the decision threshold.
Impact of and on bit error probability. From our previous discussion, we see that and are the two key parameters that affect the bit error performance of the IAT-based covert channel. In this section, we analytically model the bit error probability as a function of and .
First of all, based on our previous assumption of Gaussian noise, we have
where and (Eq. (4)). Let and be the bit error probabilities conditioned on bits 0 and 1 being transmitted, respectively. Then we have
According to Eq. (8), we know that
where is the standard Gaussian random variable and is the Q function. Due to the symmetry, we have .
Assuming equally likely probabilities of bits 0 and 1, i.e., , the total error bit probability is
From Eq. (9), we see that increasing and has the same effect on . Nevertheless, increasing reduces the covert channel throughput, whereas increasing could affect the schedulability of the CAN bus, as we explain in the next section. Therefore, for a fixed , it makes sense to choose the smallest value that keeps less than or equal to a given limit . From Eq. (9), we have
where is the ceiling function.
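The modulation of Section 4.3, the running-average demodulation with self-determined sampling offset, and the Q-function bit error model with the resulting minimum window length, as an added Python simulation that is not the paper's code. It assumes i.i.d. Gaussian IAT noise of standard deviation sigma, ignores clock skew (the small-skew approximation of Section 3.1), and uses constructed parameters in milliseconds (10 ms period, deviation delta, noise sigma); the sampling offset is searched over 0..w-1 as in the text.

```python
import math
import random
from statistics import NormalDist
from typing import List, Tuple


def q_function(x: float) -> float:
    """Gaussian tail probability Q(x) = P(N(0, 1) > x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def bit_error_probability(delta: float, w: int, sigma: float) -> float:
    """Averaging w IATs divides the noise variance sigma^2 by w, so each decision is a BPSK test
    of +/-delta against noise of std sigma/sqrt(w): P_e = Q(delta * sqrt(w) / sigma).
    Increasing delta or w therefore has the same effect, as the text notes."""
    return q_function(delta * math.sqrt(w) / sigma)


def min_window_length(delta: float, sigma: float, p_limit: float) -> int:
    """Smallest w keeping P_e <= p_limit for a fixed delta: ceil((Q^{-1}(p_limit) * sigma / delta)^2)."""
    q_inv = NormalDist().inv_cdf(1.0 - p_limit)   # Q^{-1}(p) = Phi^{-1}(1 - p)
    return math.ceil((q_inv * sigma / delta) ** 2)


def modulate(bits: List[int], period: float, delta: float, w: int) -> List[float]:
    """ECU side: ITT = T + delta for bit 1 and T - delta for bit 0, each bit held over w ITTs."""
    return [period + delta if b else period - delta for b in bits for _ in range(w)]


def observe_iats(itts: List[float], sigma: float, rng: random.Random) -> List[float]:
    """MN side: IAT = ITT + zero-mean Gaussian noise (clock skew ignored, as for small skews)."""
    return [itt + rng.gauss(0.0, sigma) for itt in itts]


def demodulate(iats: List[float], w: int, threshold: float) -> Tuple[List[int], int]:
    """Running average over w IATs, pick the sampling offset (0..w-1) that maximises the total
    distance of the samples from the decision threshold T, then decide 1 if sample > T else 0."""
    avgs = [sum(iats[i:i + w]) / w for i in range(len(iats) - w + 1)]
    scores = [sum(abs(a - threshold) for a in avgs[off::w]) for off in range(w)]
    offset = max(range(w), key=scores.__getitem__)
    return [1 if a > threshold else 0 for a in avgs[offset::w]], offset


def simulate(bits: List[int], period: float, delta: float, sigma: float, w: int,
             lead_in: int, seed: int) -> Tuple[List[int], int]:
    """End-to-end run: lead_in unmodulated ITTs (the MN starts observing mid-stream), then the
    modulated bits; returns the decoded bits and the offset the MN picked (ideally lead_in mod w)."""
    rng = random.Random(seed)
    itts = [period] * lead_in + modulate(bits, period, delta, w)
    return demodulate(observe_iats(itts, sigma, rng), w, threshold=period)


if __name__ == "__main__":
    # Constructed parameters: 10 ms period, 0.3 ms deviation, 0.2 ms IAT noise, window 32.
    print("P_e(delta=0.3, w=32, sigma=0.2) =", bit_error_probability(0.3, 32, 0.2))
    print("w for P_e <= 0.3% at delta=0.1, sigma=0.2:", min_window_length(0.1, 0.2, 0.003))
    print(simulate([1, 0, 1, 1, 0, 0, 1, 0], 10.0, 0.3, 0.2, 32, lead_in=3, seed=7))
```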
Impact of on CAN bus schedulability: Timing on the CAN bus is closely related to its schedulability. A CAN bus is schedulable if and only if all the messages on the bus are schedulable, and a message with ID is schedulable if and only if its worst-case response time (denoted as ) is less than or equal to its deadline (denoted as ).
According to , is defined as the longest time from the initiating event (that puts the message in the transmission queue) occurring to the message being received by the nodes that require it. It consists of three parts: 1) the queuing jitter, 2) the queuing delay, and 3) the transmission time. The queuing delay further consists of the blocking delay (due to ongoing transmissions of lower priority messages) and the interference (due to the arbitration process when competing with higher priority messages).
Since the IAT-based covert channel introduces a deviation of , its effect is equivalent to decreasing the message period (defined as the minimum inter-transmission time) and increasing the queuing jitter. By applying the schedulability analysis in , we can show that the impact of on the worst-case response time is threefold: 1) an increase in the queuing jitter by a fixed amount (), 2) an increase in the blocking delay by a bounded amount of time, and 3) an increase in the message transmission time of higher priority messages by a certain percentage (). Therefore, to make effective use of the IAT-based covert channel, TACAN parameters (notably ) need to be experimentally obtained and fine-tuned prior to deployment to ensure the schedulability of the CAN bus. A detailed discussion is provided in Appendix A.
4.4 LSB-Based Covert Channel
In this section, we present the LSB-based covert channel, which embeds the authentication messages inside the LSBs of the data payload of normal CAN messages transmitted by an ECU, as illustrated in Fig. 10. Unlike the IAT-based covert channel, the LSB-based covert channel is also applicable to aperiodic CAN messages. For the scope of this work, we use the CAN data frames to develop our methodology.
Observations. In order to transmit authentication messages over the CAN bus, it is common to leverage the existing fields of a CAN message, such as the data field (at least one byte) and the extended ID field, or simply introduce additional CAN messages [23, 17, 15]. In practice, however, there may not be any unused bytes in the CAN message or the CAN bus is already heavily loaded, which makes the above approaches difficult to deploy. In TACAN, the objective is to authenticate the transmitter instead of each CAN message, and thus authentication messages are transmitted much less frequently. If we can spread the bits of an authentication message across multiple CAN messages, each of which carries only a few authentication bits (e.g., one or two bits), we can then alleviate the payload shortage and avoid traffic overheads.
On the other hand, we also observe that CAN messages are often used to convey sensor values, most of which are floating-point values represented in bits. Therefore, the LSBs (e.g., or ) of each such CAN message may be used for transmitting authentication bits without causing significant degradation in accuracy.
Taking the 2010 Toyota Camry  as an example, there are at least messages out of that carry sensor values (e.g., wheel speeds, engine speed, vehicle speed, odometer, brake pressure, steering angle) . We would expect more CAN messages that carry sensor values in newer automobiles. The above observations motivate our design of LSB-based covert channels.
Embedding to LSBs. The embedding procedure is considered as a sub-layer between the Application and the Data Link layers. The basic idea is as follows: for each message , the transmitter substitutes the least significant bits of the CAN message with the next bits in . No modification is needed if the bits happen to be the same.
As provided in Algorithm 2, an authentication frame is first constructed from (Line 2). When the new data field content is received from the upper (Application) layer, the least significant bits of the selected byte in , denoted as , are compared with the next bits of : if the bits of interest are different, then the substitution occurs; otherwise, is not modified (Lines 2-2). The same process is repeated for each new authentication message.
Extracting from LSBs. On the receiver side, the MN extracts the LSBs from every received CAN message and reconstructs the authentication message. If the MN fails to verify the authentication message, it will raise an alert that indicates possible compromise of the transmitting ECU or malicious exploitation of the CAN bus.
The extracting procedure is described in Algorithm 3. Once the MN detects the SOF flag, it will start extracting the LSBs from the designated byte and appending them to (Lines 3-3). When the EOF flag is detected in , the MN will perform bit destuffing on and extract the authentication message (Line 3). Then it will listen for the SOF of the next incoming frame.
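The embedding and extraction procedures above, as an added example that is not the paper's code (Algorithms 2 and 3 themselves are not reproduced on this page). It assumes a frame layout of SOF flag, 24-bit counter, 16-bit condensed digest, CRC-8 and EOF flag, CAN-style bit stuffing of the body, an HMAC-SHA256-based digest and a constructed session key; the names `build_frame`, `embed`, `Extractor`, `parse_body` and `demo` are the example's own. Verification of the counter and digest at the MN is the subject of Section 5.4.

```python
"""LSB-based covert channel for CAN payloads (added example, not the paper's code).
Assumed frame layout (the paper's Section 4.2 format is not reproduced here):
    SOF flag | 24-bit counter | d-bit condensed digest | CRC-8 | EOF flag
Counter, digest and CRC are bit-stuffed CAN-style (complement inserted after five
identical bits); the flags are not, and 01111110 cannot occur in a stuffed body."""
import hashlib, hmac

FLAG = "01111110"
COUNTER_BITS, DIGEST_BITS = 24, 16           # digest length d is an assumption
SESSION_KEY = b"constructed-session-key"     # in TACAN this key lives in the TPM

def condensed_digest(counter, key=SESSION_KEY):
    """Truncated HMAC-SHA256 over the counter (the only key-dependent field)."""
    mac = hmac.new(key, counter.to_bytes(3, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - DIGEST_BITS)

def crc8(bits, poly=0x1D):
    """Bit-serial CRC-8, polynomial 0x1D, init 0 (an AUTOSAR-style routine is assumed)."""
    crc = 0
    for b in bits:
        crc ^= int(b) << 7
        crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def stuff(bits):
    """CAN-style stuffing: after five identical bits insert the complement."""
    out, run, last = [], 0, ""
    for b in bits:
        out.append(b)
        run, last = (run + 1 if b == last else 1), b
        if run == 5:
            last, run = ("0" if b == "1" else "1"), 1   # stuffed bit starts the next run
            out.append(last)
    return "".join(out)

def destuff(bits):
    """Inverse of stuff(); a missing or wrong stuffed bit is a reception error."""
    out, run, last, i = [], 0, "", 0
    while i < len(bits):
        out.append(bits[i])
        run, last, i = (run + 1 if bits[i] == last else 1), bits[i], i + 1
        if run == 5:
            if i == len(bits) or bits[i] == last:
                raise ValueError("bit stuffing error")
            last, run, i = bits[i], 1, i + 1
    return "".join(out)

def build_frame(counter, key=SESSION_KEY):
    body = f"{counter:0{COUNTER_BITS}b}{condensed_digest(counter, key):0{DIGEST_BITS}b}"
    body += f"{crc8(body):08b}"
    return FLAG + stuff(body) + FLAG

def parse_body(stuffed_body):
    """Receiver: destuff, check length and CRC; return (counter, digest) or raise."""
    body = destuff(stuffed_body)
    if len(body) != COUNTER_BITS + DIGEST_BITS + 8:
        raise ValueError("bad frame length")
    data, crc = body[:-8], int(body[-8:], 2)
    if crc8(data) != crc:
        raise ValueError("CRC error")
    return int(data[:COUNTER_BITS], 2), int(data[COUNTER_BITS:], 2)

def embed(payloads, bits, k, byte_idx):
    """Algorithm 2: overwrite the k LSBs of byte byte_idx with the next k frame bits."""
    mask, out = (1 << k) - 1, []
    for i, data in enumerate(payloads):
        chunk, d = bits[i * k:(i + 1) * k], bytearray(data)
        if len(chunk) == k:                      # no frame bits left: pass through
            d[byte_idx] = (d[byte_idx] & ~mask & 0xFF) | int(chunk, 2)
        out.append(bytes(d))
    return out

class Extractor:
    """Algorithm 3: the MN collects LSBs from SOF to EOF and parses the frame."""
    def __init__(self, k, byte_idx):
        self.k, self.byte_idx = k, byte_idx
        self.buf, self.in_frame, self.frames = "", False, []

    def on_message(self, data):
        for bit in f"{data[self.byte_idx] & ((1 << self.k) - 1):0{self.k}b}":
            self.buf += bit
            if not self.in_frame:                   # idle: look for the SOF flag
                self.in_frame = self.buf.endswith(FLAG)
                self.buf = "" if self.in_frame else self.buf[-len(FLAG):]
            elif self.buf.endswith(FLAG):           # EOF flag: parse the body before it
                body, self.in_frame, self.buf = self.buf[:-len(FLAG)], False, ""
                try:
                    self.frames.append(parse_body(body))
                except ValueError:
                    self.frames.append(None)        # reception failure (Section 5.4)

def demo(k=2, byte_idx=7, n_frames=3):
    """Send n_frames back-to-back frames over constructed payloads; return parsed frames."""
    bits = ""
    for c in range(1, n_frames + 1):
        frame = build_frame(c)
        bits += frame + "0" * (-len(frame) % k)      # zero-pad each frame to k bits
    payloads = [bytes([i & 0xFF] * 8) for i in range(len(bits) // k + 4)]  # constructed
    mn = Extractor(k, byte_idx)
    for msg in embed(payloads, bits, k, byte_idx):
        mn.on_message(msg)
    return mn.frames
```

`demo()` pushes three consecutive frames through 8-byte payloads using the two LSBs of the last byte (k = 2) and returns the (counter, digest) pairs the MN parsed; a frame whose stuffing or CRC check fails is recorded as `None` so the detector can count it as a reception failure. Because a payload whose LSBs already equal the frame bits is rewritten to the same value, the "no modification needed" case of Algorithm 2 falls out of the substitution.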
4.5 Hybrid Covert Channel
Since the IAT-based and LSB-based covert channels are orthogonal to each other, a natural question is whether the two can be combined into a hybrid covert channel with a larger throughput. In this hybrid covert channel, the transmitter splits the authentication message into two parts and transmits them through the two covert channels separately; the receiver then reassembles the two parts into one message. In this work, we are interested in the following question: how to choose the splitting ratio () such that the two parts are transmitted over roughly the same duration.
Given bits for the authentication message and bits for other fields (SOF, CRC, and EOF), if we ignore bit stuffing, then there are a total of bits and bits transmitted over the IAT-based and LSB-based covert channels, respectively.
If the IAT-based covert channel is using a window length of and the LSB-based covert channel is using LSBs, then requiring the same transmission duration means
Ignoring the ceiling function, we have
While computed in Eq. (11) is not the optimal value that leads to two partitions of equal length after bit stuffing, it will be close to , which provides a reasonable starting point for further iteration. Note that if is less than or equal to , only the LSB-based covert channel should be used.
As an example, suppose , , and . In this case, the two covert channels have similar throughput and we have . Nevertheless, if is increased from to , quickly drops to . With , becomes , which means that it is not advantageous to deploy the hybrid covert channel.
5 Evaluation
In this section, we conduct extensive experiments to evaluate the performance of the proposed covert channels and TACAN using real-world datasets. We first describe our real-vehicle CAN bus testbed based on the UW EcoCAR (a Chevrolet Camaro 2016) and demonstrate the proposed IAT-based and LSB-based covert channels (Section 5.1). We then evaluate the bit error performance (Section 5.2), throughput (Section 5.3), detection performance (Section 5.4), and accuracy loss (Section 5.5) of TACAN using the EcoCAR dataset as well as the publicly available Toyota dataset collected from the Toyota Camry 2010 .
5.1 Testbed Validation
Fig. 11 illustrates our EcoCAR testbed, which consists of the UW EcoCAR and testbed ECUs connected via the On-Board Diagnostics (OBD-II) port. The EcoCAR hosts 8 stock ECUs and two experimental ECUs. A total of 2500+ messages with 89 different IDs are exchanged on the CAN bus every second. All messages are periodic, with periods ranging from 10 ms to 5 sec.
Each testbed ECU consists of a Raspberry Pi 3 and a PiCAN 2 board (using a MCP2515 CAN controller and a MCP2551 CAN transceiver). The Raspberry Pi-based ECU is programmed to be a receive-only device that records CAN messages using SocketCAN . During data collection, the EcoCAR is in the park mode in an isolated and controlled environment for safety purposes, but all in-vehicle ECUs are functional and actively exchange CAN messages.
To demonstrate the proposed IAT-based and LSB-based covert channels, we use the testbed ECU to record the timestamps of 100-ms message 0x22A from the EcoCAR testbed and replay them in our experiments. In the ideal case, the TACAN transmitter will add to the ITTs, which correspond to changes of at the receiver side. Since both and are very small, we approximate as and program the TACAN transmitter to directly modify the recorded IATs.
Fig. 11(a) provides an example of the received authentication frame in the IAT-based covert channel. In this example, the 24-bit counter has a value of 1, , and . We observe that without the running average, the received IATs can be very noisy, which leads to possible bit errors, whereas computing running averages can effectively smooth out the noise. We also observe that the actual length of the transmitted frame can exceed the original length due to the inserted stuffed bits.
Fig. 11(b) provides an example of the received authentication frame in the LSB-based covert channel when a single LSB is used (). Compared to the IAT-based covert channel in Fig. 11(a), the LSB-based covert channel is noise-free, and each authentication frame can be transmitted in a shorter duration.
5.2 Bit Error Performance
In this section, we discuss the bit error performance of the IAT-based and LSB-based covert channels. In addition to the EcoCAR dataset, we also use the Toyota Camry 2010 dataset . It consists of 43 distinct messages, the majority of which are periodic with periods ranging from 10 ms to 5 sec.
IAT-based covert channel. In this experiment, we select a subset of 9 representative messages from the Toyota dataset and the EcoCAR testbed with different message ID levels, periods, and noise levels, as listed in Table II. Our objective is to compare the analytical bit error probabilities () in Eq. (9) against the experimental values and to study the impact of . We set to minimize the impact on the CAN bus. Since is a function of the standard deviation of IATs (Eq. (9)), we only consider IATs within of the average when computing , to minimize the adverse impact of outliers. To obtain the experimental , we add to the IATs and compute the running averages of window length . We then compute the percentage of the averaged IATs that lead to bit errors as the experimental .
Table II (columns: Msg ID; Period (sec); Standard deviation of IATs, normalized by period; Source).
As shown in Fig. 13, the bit error performance of the IAT-based covert channel varies considerably across messages. In general, is very high with , but it quickly drops to as increases for all messages, which demonstrates the effectiveness of the running average. For the four Toyota messages, the experimental is less than with , and for the five EcoCAR messages the experimental is less than with . In addition, since the EcoCAR carries significantly more traffic than the Toyota Camry, we observe a larger for EcoCAR messages than for Toyota messages at the same . We also observe that, since we set to a fixed percentage of the message period, messages with larger periods tend to be at an advantage and usually have a smaller at the same .
In order to further understand the minimum values required by different messages, we choose 85 EcoCAR messages and determine such that the experimental bit error probability is less than or equal to with . Note that we exclude four noisy messages, each of which has a standard deviation of IATs that is larger than its mean IAT. As shown in Fig. 14, a total of 19 messages can use . With , a total of 46 messages are eligible, accounting for of EcoCAR messages. If we set , a total of 59 messages become eligible, which corresponds to of all messages.
LSB-based covert channel. Since the authentication message is hidden in a few bits of the data payload of normal CAN messages, the bit error probability of the LSB-based covert channel is as low as that of the CAN bus itself; moreover, a CAN frame that fails the receiver's CRC check is not acknowledged and is retransmitted by the sender, so corrupted authentication bits are normally repaired at the data link layer before they reach the MN. According to , the bit error probability of the CAN bus in normal environments (factory production line) and aggressive environments (two meters away from a high-frequency arc-welding machine) are and , respectively. In other words, the LSB-based covert channel is very reliable and, unlike the IAT-based covert channel, is not affected by the timing noise caused by the CAN traffic.
5.3 Throughput Performance
In this section, we compute and compare the throughput of the proposed covert channels. For ease of discussion, we let the number of bits in the authentication message () be , and the number of bits in other fields (SOF, CRC, and EOF) be . Hence, each authentication frame (denoted as ) has bits. However, the number of actually transmitted bits may be more than due to bit stuffing. Since the stuffed bit itself may be the first of the five consecutive identical bits, there is at most one stuffing bit every four original bits after the first one. Therefore, the actual length of each frame is bounded by
where is the floor function. Note that we need the in the numerator because the EOF is not subject to bit stuffing, and the is because the worst-case bit stuffing happens right after the first original bit.
To quantify the throughput performance, we define two metrics: 1) channel throughput (), i.e., the number of bits transmitted per second, and 2) authentication throughput (), i.e., the number of authentication bits transmitted per second. Since the clock skew is very small and its effect is usually negligible, it is omitted to simplify calculations.
IAT-based covert channel. Since every bit is embedded into consecutive ITTs of sec, it takes time to transmit one bit, which means . The best-case authentication throughput (without bit stuffing) is . With bit stuffing, may be as low as .
LSB-based covert channel. Since up to authentication bits can be hidden in one CAN message, we have . Each frame requires normal CAN messages and a duration of to transmit. Hence, we have in the best case and in the worst case.
Hybrid covert channel. As presented in Section 4.5, the hybrid covert channel splits into two parts with a suitable splitting ratio of (Eq. (11)) and transmits them through the IAT-based and LSB-based covert channels separately. Let be the time it takes to transmit a single frame. Hence, the channel throughput is . The best-case authentication throughput is .
Throughput comparison. In this experiment, we consider a 10-ms CAN message and set and . The average throughput is computed for each covert channel for transmitting authentication frames. Results are provided in Table III. We can see that of the hybrid covert channel is close to the sum of of individual covert channels, but they are not exactly equal due to bit stuffing. When , the hybrid covert channel has a gain of in over individual covert channels. As either or increases, the throughput of the IAT-based covert channel becomes smaller than that of the LSB-based covert channel, and it is less beneficial to deploy the hybrid covert channel. With , the hybrid covert channel reduces to the LSB-based covert channel, because no authentication bits are transmitted over the IAT-based covert channel.
5.4 Detection of CAN Bus Attacks
As described in Section 4, TACAN extracts and verifies the authentication message embedded in the IATs or LSBs of normal CAN messages to authenticate the transmitting ECU, which also serves the purpose of intrusion detection. In this section, we consider a TACAN-based detector and evaluate its detection performance against CAN bus attacks. While we focus on the IAT-based covert channel, similar results hold for the other two covert channels.
Detection scheme. The TACAN-based detection scheme works as follows: the MN counts the number of consecutive authentication failures. An authentication failure is either a message reception failure (e.g., lost message, CRC error) or a message verification failure (e.g., invalid counter or digest). If the counter is larger than or equal to a preset threshold (e.g., ), then the MN raises an alert for a CAN bus attack. A successfully received and verified authentication message will reset the detection counter to zero.
False alarm probability. We first discuss the false alarm probability (denoted as ) of the TACAN-based detector, which is defined as the probability of raising an alarm when there is no attack present. We experimentally evaluate the IAT-based covert channel in the normal situation using the five CAN messages from the EcoCAR testbed (see Table II). An example of the normal IAT-based covert channel transmission is provided in Fig. 14(a). In order to minimize bit errors, we set and set for the first three messages and set for the last two messages.
As shown in Table IV, with a properly configured IAT-based covert channel, we have with . When , we have for all messages. Since none of the messages has three consecutive message reception failures (either a lost message or a CRC error), we have with . Note that since the LSB-based covert channel has a very low bit error probability, the probability of a message reception failure in the normal situation is negligible and thus we have .
Detecting suspension and injection attacks. As illustrated in Fig. 14(b), when the suspension attack happens, the transmission of CAN messages is interrupted, which causes authentication message loss and thus message reception failures. Similarly, as shown in Fig. 14(c), the injection attack also interrupts the transmission of authentication messages, which causes either message loss or CRC errors. In this example, we use the 100-ms message with ID=0x139 from the EcoCAR as the attack message. Since a CAN bus attack like the suspension or injection attack will need to last for a sufficient amount of time to cause enough damage to the CAN bus, it will cause more than consecutive message reception failures and thus can be detected by the TACAN-based detector with a detection probability of .
Detecting forgery attacks. In the forgery attack, the attacker has already compromised an in-vehicle ECU and transmits authentication messages, which can be successfully received by the MN (i.e., CRC check is passed). The attacker attempts to generate valid authentication messages which can be verified by the MN to evade the detection of TACAN.
Since TACAN securely stores both the master and session keys in the ECU's TPM so that the adversary cannot obtain them, the attacker has to forge a valid digest for each local counter value without knowing the session key. With a condensed digest of bits, the probability of a successful random forgery is . For example, when , this probability is . In other words, the forgery attack will be detected with a probability of when . In general, the probability of consecutive message verification failures is , which decreases as increases. Hence, to guarantee a desired detection probability for a given , a suitable value of should be chosen. Repeated use of a forged message is prevented by the monotonic counters.
Detecting replay attacks. A replay attacker has infiltrated the CAN bus and attempts to replay previously transmitted authentication messages of the targeted ECU with the hope of passing the verification process at the MN. It is easy to see that such attempts will be detected by TACAN with a probability of due to the use of monotonic counters.
Detecting masquerade attacks. As mentioned in Section 3.2, a masquerade attack (including the more sophisticated cloaking attack ) requires in-vehicle ECUs to be weakly and/or fully compromised. As a result, TACAN will force the attacker to perform a forgery or replay attack, not only for the compromised ECU itself, but also for the ECU the attacker attempts to masquerade as. Therefore, a masquerade attack will also be detected by TACAN.
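The detection scheme of this subsection, as an added example that is not the paper's code: a consecutive-failure detector fed with constructed frame streams for the normal, suspension, forgery and replay cases. The (counter, digest) representation of a received authentication message, the 16-bit HMAC-based digest, the session key and all names are assumptions of this example.

```python
"""TACAN-based detector (added example, not the paper's code).
Frames reach the MN already extracted from a covert channel as (counter, digest)
pairs, or None for a reception failure (lost frame or CRC error).  The digest is an
assumed d-bit truncated HMAC over the counter; SESSION_KEY stands in for the
TPM-protected session key."""
import hashlib
import hmac
import random

DIGEST_BITS = 16
SESSION_KEY = b"constructed-session-key"


def condensed_digest(counter, key=SESSION_KEY):
    mac = hmac.new(key, counter.to_bytes(3, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - DIGEST_BITS)


class TacanDetector:
    """Counts consecutive authentication failures; alerts once they reach theta."""
    def __init__(self, theta, key=SESSION_KEY):
        self.theta, self.key = theta, key
        self.failures, self.last_counter, self.alerts = 0, 0, 0

    def verify(self, frame):
        """Reception failure, stale or replayed counter, and wrong digest all fail."""
        if frame is None:
            return False
        counter, digest = frame
        if counter <= self.last_counter:            # monotonic counter rejects replays
            return False
        nbytes = (DIGEST_BITS + 7) // 8
        expected = condensed_digest(counter, self.key)
        return hmac.compare_digest(digest.to_bytes(nbytes, "big"),
                                   expected.to_bytes(nbytes, "big"))

    def on_frame(self, frame):
        """Returns True if this frame raises an alert."""
        if self.verify(frame):
            self.last_counter, self.failures = frame[0], 0   # success resets the count
            return False
        self.failures += 1
        if self.failures >= self.theta:
            self.alerts += 1
            return True
        return False


def first_alert(theta, stream):
    """Index of the first frame that triggers an alert, or None if none does."""
    det = TacanDetector(theta)
    for i, frame in enumerate(stream):
        if det.on_frame(frame):
            return i
    return None


def legit(start, n):
    """n frames from the genuine ECU, which holds the session key."""
    return [(c, condensed_digest(c)) for c in range(start, start + n)]


def forgery(start, n, seed=3):
    """Attacker without the key: fresh counters with random d-bit digests."""
    rng = random.Random(seed)
    return [(c, rng.getrandbits(DIGEST_BITS)) for c in range(start, start + n)]


def forgery_detection_prob(theta, d=DIGEST_BITS):
    """P[theta consecutive random forgeries all fail verification] = (1 - 2^-d)^theta."""
    return (1 - 2.0 ** -d) ** theta


# Constructed scenario streams: normal traffic, suspension, forgery, replay, recovery.
SCENARIOS = {
    "normal":     legit(1, 20),
    "suspension": legit(1, 10) + [None] * 5,
    "forgery":    legit(1, 10) + forgery(11, 5),
    "replay":     legit(1, 10) + legit(3, 5),       # old frames of the targeted ECU
    "recovers":   legit(1, 5) + [None, None] + legit(6, 1) + [None, None],
}
```

With theta = 3, the suspension, forgery and replay streams each raise their first alert on the third consecutive failure, the normal stream never alerts, and the "recovers" stream shows that one verified frame resets the count so that two isolated reception failures do not accumulate into a false alarm. `forgery_detection_prob` gives the (1 - 2^-d)^theta figure for an attacker guessing digests at random.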
In summary, our proposed TACAN-based detector can identify attacks that interrupt the transmission of normal CAN messages (e.g., suspension and injection attacks), as well as attacks in which attackers fail to generate valid authentication messages (e.g., forgery, replay, and masquerade attacks) with a very high detection probability, while keeping the false alarm probability very low.
5.5 Accuracy Loss
In this section, we study the impact of the LSB-based covert channel on the accuracy of sensor values. We first note that when a single bit is changed (), the accuracy loss is on the same scale as the discretization error (resolution) of that sensor value. As increases, the overall throughput increases (Section 5.3), but so does the accuracy loss. Hence, manufacturers will need to assess the impact of accuracy loss in CAN data on functionality and safety, and trade off the accuracy loss against the throughput gain when deploying the LSB-based covert channel. For periodic messages that cannot tolerate any accuracy loss, manufacturers may deploy the IAT-based covert channel instead.
To better understand the accuracy loss of the LSB-based covert channel, we consider two CAN messages: 1) one that carries wheel velocity values from the Toyota dataset  and 2) one that carries engine coolant temperature values, which we identified by reverse engineering the EcoCAR dataset . In our experiments, we set to or and quantify the accuracy loss in terms of the maximum error, i.e., the maximum deviation from the original values (taken as ground truth). Note that we intentionally keep in order to avoid significant distortion of the underlying sensor values or jeopardizing the functionality of the receiving ECU.
As illustrated in Fig. 15(a) and highlighted in the magnified box, the maximum error introduced to wheel velocity is km/h for and km/h for , which is considered as insignificant. As for the engine coolant temperature in Fig. 15(b), the maximum error is for and for , which are still moderate. As compared to the median value of , the errors of and translate into and deviations, respectively.
6 Conclusion
In this paper, we presented TACAN, a covert channel-based transmitter authentication scheme that allows a MN to verify the authenticity of the transmitting ECU. We developed IAT-based, LSB-based, and hybrid covert channels to communicate the authentication information between ECUs and the MN without introducing protocol modifications or traffic overheads. We analytically modeled the bit error probability of the IAT-based covert channel as a function of the covert channel parameters, and studied its impact on CAN bus schedulability. We experimentally validated and evaluated TACAN and the proposed channels using the EcoCAR testbed and the publicly available Toyota dataset. Our results show that properly configured IAT-based covert channels have experimental bit error probabilities of less than 0.3%. We also show that our TACAN-based detector can detect CAN bus attacks with a high detection probability, while keeping the false alarm probability below 0.33% by setting the detection threshold to or higher. In addition, we studied the impact of the LSB-based covert channel on sensor values and observed moderate accuracy loss.
-  (2017) Specification of CRC Routines, AUTOSAR CP Release 4.3.1. Technical report Cited by: §4.2.
-  (2016) End to end learning for self-driving cars. arXiv preprint arXiv:1604.07316. Cited by: §1.
-  (1991) CAN Specification Version 2.0. Note: Cited by: §1.
-  (2011) Comprehensive experimental analyses of automotive attack surfaces. In Proc. of the 20th USENIX Conf. on Security, SEC’11, Berkeley, CA, USA, pp. 77–92. Cited by: §1, §2, §3.2.
-  (2016) Fingerprinting electronic control units for vehicle intrusion detection. In Proc. of 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, pp. 911–927. Cited by: §1, §2, §3.2, footnote 1.
-  (2017) Viden: attacker identification on in-vehicle networks. In Proc. of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, pp. 1109–1123. External Links: Cited by: §1, §2.
-  (2016) Error handling of in-vehicle networks makes them vulnerable. In Proc. of the 2016 ACM SIGSAC Conf. on Computer and Communications Security, pp. 1044–1055. Cited by: §3.2.
-  (2018) VoltageIDS: low-level communication characteristics for automotive intrusion detection system. IEEE Trans. Inf. Forensics Security. Cited by: §1, §2.
-  (2010) Interpreting the CAN data for a 2010 Toyota Camry. Note: http://tucrrc.utulsa.edu/ToyotaCAN.htmlAccessed: 2019-1-22 Cited by: 4th item, §4.3, §4.4, §5.2, §5.5, §5, footnote 1.
-  (2007) Controller area network (CAN) schedulability analysis: refuted, revisited and revised. Real-Time Systems 35 (3), pp. 239–272. Cited by: §4.3, §4.3.
-  (2019) University of Washington EcoCAR 3. Note: http://ecocar3.org/washington/about-us/Accessed: 2019-1-22 Cited by: 4th item, §5.5, footnote 1.
-  (2004) An experiment to assess bit error rate in CAN. In Proc. of 3rd Int. Workshop of Real-Time Networks (RTN2004), pp. 15–18. Cited by: §5.2.
-  (2005) Wireless communications. Cambridge university press. Cited by: §4.3, §4.3, §4.3.
-  (2018) TCG TPM 2.0 Automotive Thin Profile, Specification Version 1.01, Revision 15. Technical report Cited by: §1.
-  (2012) LiBrA-CAN: a lightweight broadcast authentication protocol for controller area networks. In Proc. of Int. Conf. on Cryptography and Network Security, pp. 185–200. Cited by: §4.4.
-  (2018) INCANTA: intrusion detection in controller area networks with time-covert authentication. In Security and Safety Interplay of Intelligent Software Systems, pp. 94–110. Cited by: §2.
-  (2012) LCAP – a lightweight CAN authentication protocol for securing in-vehicle networks. In Proc. of 10th Embedded Security in Cars Conference (ESCAR), Berlin, Germany, Vol. 6. Cited by: §1, §1, §2, §4.1, §4.4.
-  (2008) Security threats to automotive CAN networks – practical examples and selected short-term countermeasures. In Proc. of the 27th Int. Conf. on Computer Safety, Reliability, and Security, SAFECOMP ’08, pp. 235–248. External Links: Cited by: §2, §3.2.
-  (2015) International Standard ISO 11898-1: Road vehicles, Controller area network (CAN), Part 1: Data link layer and physical signalling. Note: Cited by: §1.
-  (2018) Scission: signal characteristic-based sender identification and intrusion detection in automotive networks. In Proc. of the 2018 ACM SIGSAC Conf. on Computer and Communications Security, pp. 787–800. Cited by: §1, §2.
-  (2010) Experimental security analysis of a modern automobile. In Proc. of the 2010 IEEE Security Privacy, SP ’10, pp. 447–462. External Links: Cited by: §3.2.
-  (1997) HMAC: keyed-hashing for message authentication. Technical report Cited by: §4.2.
-  (2014) CaCAN-centralized authentication system in CAN (Controller Area Network). In Proc. of Embedded Security in Cars (ESCAR 2014), Cited by: §1, §2, §4.2, §4.4.
-  (2012) Cyber-security for the controller area network (CAN) communication protocol. In Proc. of 2012 Int. Conf. on Cyber Security, Cited by: §3.2.
-  (2015) Remote exploitation of an unaltered passenger vehicle. In Black Hat USA, Cited by: §2.
-  (1992) Network time protocol (version 3): Specification, Implementation and Analysis. Technical report RFC 1305. Cited by: §3.1.
-  (2014-04) Source identification using signal characteristics in controller area networks. In IEEE Signal Processing Letters, Vol. 21, pp. 395–399. External Links: Cited by: §1, §2.
-  (2011) Entropy-based anomaly detection for in-vehicle networks. In 2011 IEEE Intelligent Vehicles Symposium (IV), pp. 1110–1115. External Links: Cited by: §1, §2.
-  (2016) LeiA: a lightweight authentication protocol for CAN. In European Symp. on Research in Computer Security, pp. 283–300. Cited by: §1, §1, §2, §4.1, §4.2, §4.2.
-  (2018) Exploring attack surfaces of voltage-based intrusion detection systems in controller area networks. In ESCAR Europe 2018, Cited by: §2.
-  (2018) Cloaking the clock: emulating clock skew in controller area networks. In Proc. of the 9th ACM/IEEE Int. Conf. on Cyber-Physical Systems, ICCPS’18, pp. 32–42. Cited by: §1, §2, §3.2, §5.4.
-  (2018) Linux-CAN/SocketCAN user space applications. Note: https://github.com/linux-can/can-utils Accessed: 2018-10-13 Cited by: §5.1.
-  (2016) Team of hackers take remote control of Tesla model S from 12 miles away. The Guardian. Note: https://www.theguardian.comAccessed: 2018-10-06 Cited by: §1.
-  (2008) A flexible approach to embedded network multicast authentication. Cited by: §4.2.
-  (2017) Enhancing integrity of modbus tcp through covert channels. In Proc. of Inf. Conf. on Signal Process. and Commun. Syst. (ICSPCS), Cited by: §2.
-  (2011) CANAuth – a simple, backward compatible broadcast authentication protocol for CAN bus. In ECRYPT Workshop on Lightweight Cryptography, Cited by: §1, §1, §2, §4.1.
-  (2013) Security of autonomous systems employing embedded computing and sensors. IEEE micro 33 (1), pp. 80–86. Cited by: §1.
-  (2019) Shape of the cloak: formal analysis of clock skew-based intrusion detection system in controller area networks. IEEE Trans. Inf. Forensics Security. Cited by: §1, §2.
-  (2019) TACAN: transmitter authentication through covert channels in controller area networks. In Proceedings of the 9th ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS), Cited by: Covert Channel-Based Transmitter Authentication in Controller Area Networks, footnote 2.
-  (2007) A survey of covert channels and countermeasures in computer network protocols. IEEE commun. Surveys Tut. 9 (3), pp. 44–57. Cited by: §2.
-  (2008) An improved clock-skew measurement technique for revealing hidden services. In Proc. of the 17th Conf. on Security Symp., pp. 211–225. Cited by: §3.1.