Cyberattacks and Countermeasures For In-Vehicle Networks

04/22/2020
by   Emad Aliwa, et al.
Cardiff University
0

As connectivity between and within vehicles increases, so does concern about safety and security. Various automotive serial protocols are used inside vehicles such as Controller Area Network (CAN), Local Interconnect Network (LIN) and FlexRay. CAN bus is the most used in-vehicle network protocol to support exchange of vehicle parameters between Electronic Control Units (ECUs). This protocol lacks security mechanisms by design and is therefore vulnerable to various attacks. Furthermore, connectivity of vehicles has made the CAN bus not only vulnerable from within the vehicle but also from outside. With the rise of connected cars, more entry points and interfaces have been introduced on board vehicles, thereby also leading to a wider potential attack surface. Existing security mechanisms focus on the use of encryption, authentication and vehicle Intrusion Detection Systems (IDS), which operate under various constrains such as low bandwidth, small frame size (e.g. in the CAN protocol), limited availability of computational resources and real-time sensitivity. We survey In-Vehicle Network (IVN) attacks which have been grouped under: direct interfaces-initiated attacks, telematics and infotainment-initiated attacks, and sensor-initiated attacks. We survey and classify current cryptographic and IDS approaches and compare these approaches based on criteria such as real time constrains, types of hardware used, changes in CAN bus behaviour, types of attack mitigation and software/ hardware used to validate these approaches. We conclude with potential mitigation strategies and research challenges for the future.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 3

page 9

page 11

page 12

page 13

page 21

07/17/2019

An Overview of Attacks and Defences on Intelligent Connected Vehicles

Cyber security is one of the most significant challenges in connected ve...
02/05/2018

State-of-the-Art Survey on In-Vehicle Network Communication (CAN-Bus) Security and Vulnerabilities

Nowadays with the help of advanced technology, modern vehicles are not o...
12/15/2021

EXT-TAURUM P2T: an Extended Secure CAN-FD Architecture for Road Vehicles

The automobile industry is no longer relying on pure mechanical systems;...
11/22/2019

On the Robustness of Signal Characteristic-Based Sender Identification

Vehicles become more vulnerable to remote attackers in modern days due t...
02/19/2021

Two-Point Voltage Fingerprinting: Increasing Detectability of ECU Masquerading Attacks

Automotive systems continuously increase their dependency on Electronic ...
06/15/2021

CAN-LOC: Spoofing Detection and Physical Intrusion Localization on an In-Vehicle CAN Bus Based on Deep Features of Voltage Signals

The Controller Area Network (CAN) is used for communication between in-v...
10/07/2019

CAN Radar: Sensing Physical Devices in CAN Networks based on Time Domain Reflectometry

The presence of security vulnerabilities in automotive networks has alre...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

In recent years, vehicles have become more connected (to other vehicles – referred to as Vehicle-2-Vehicle (V2V) and external infrastructure – referred to as Vehicle-2-Infrastructure (V2I)) and the cyberattack surface for these vehicles continues to increase. Cyberattacks have also become a real concern for vehicle manufacturers, especially where services need to be supported using networks outside a vehicle. These services can include Global Positioning Systems (GPS), On-Board Diagnostic (OBD-2) based cellular dongles and entertainment services. As a result, vehicles are now more vulnerable to different attacks not only from inside but also from outside the vehicle. For instance, recent report has indicated that two famous connected cars in Europe from Ford and Volkswagen are vulnerable to cyberattacks from infotainment unit [IET2020]. As potential cyberattacks on vehicles have widened, more vulnerabilities and entry points have been discovered – generally grouped under: direct interfaces-initiated attacks, infotainment-initiated attacks, telematics-initiated attacks and sensor-initiated attacks. This raises the need for better security mechanisms. Due to lack of suitable security support in the Controller Area Network (CAN) protocol itself, mechanisms to secure communications between components within a vehicle is also limited. Attacks such as CAN bus Denial of Service (DoS) and bus injection attacks are common [Deng2017]. CAN bus security limitations have been investigated by various researchers over both laboratory-based environments and in real vehicles. The attacks demonstrate how attackers are able to successfully take control of various parts of a vehicle, such as brakes, lights, steering and gears [Currie2015]. Such attacks and malicious data on the CAN bus was generated from both on-board the vehicle and at remote locations.

Serial protocols are used for in-vehicle networks to exchange parameters between Electronic Control Units (ECUs) and sensors. These protocols lack security mechanisms by design and are thus vulnerable to various attacks. Researchers have also shown how to attack vehicles from within a vehicle using direct interfaces and infotainment systems via the On-Board Diagnostics port (OBD-2), USB and CD player and from outside the vehicle using medium and long distance communication such as Wi-Fi, Bluetooth, mobile (phone) networks, and sensors signals such as keyless fob attacks and tyre pressure monitoring system sensors. These attacks have widened the potential attack entry points within a connected vehicle – suggesting the importance of protecting the CAN bus. This survey provides the following contributions:

  • description of in-vehicle serial bus protocols (particularly the CAN bus);

  • evaluation of current cryptographic and IDS approaches used for protecting vehicular data;

  • comparison and assessment of current mitigation strategies to protect vehicles against cyberattacks;

  • challenges and potential future research directions for in-vehicular cybersecurity.

The rest of this paper is structured as follows: an introduction to serial data exchange protocols within a vehicle is provided in Section 2. This material provides the context for the rest of this paper – outlining key concepts and terminology. In Section 3 the CAN bus protocol, bus architecture along with hardware and software used inside vehicles is described. In Section 4 we describe the connected car infrastructure, including various ECUs and sensors that can be used inside a vehicle. In Section 5 attacks initiated using data interfaces, telematics, infotainment and sensor entry points and how such attacks can be generated are described. In Section 6, we review security mechanisms reported in literature to secure the CAN bus, which includes encryption, message authentication and vehicular Intrusion Detection Systems (IDS). We evaluate existing approaches based on criteria such as real time data requirements, the types of network infrastructure required, computational resource constrains, modifications needed for vehicular hardware, change in the protocol behaviour, types of attacks mitigated and software/ hardware used to validate these approaches. Finally, in section 7 we evaluate mitigation strategies mentioned in section 6 and discuss future research challenges.

2 Automotive Serial Bus Protocols

Three key protocols are used inside vehicles for data commuications: CAN, FlexRay and LIN. Figure 1 shows the serial bus protocols used inside a vehicle. The CAN bus protocol is the most widely used to support critical functions such as Powertrain, engine management, anti-brake system and transmission. A vehicular system is divided into four domains, in terms of the function it performs and whether it requires real time data [Navet2005], as outlined below:

  • Power train domain such as engine and transmission functions. This domain is critical and needs real time response;

  • Chassis domain such as braking system, suspension and steering which also provides real time and safety critical functions inside the vehicle;

  • Body domain for functions such as dashboard, wipers, lights, windows and seats. These functions do not generally require real time response;

  • Telematics and infotainment domain which manages the various communications, information and entertainment services inside a vehicle, e.g. in-car navigation, CD/ DVD players, rear seat entertainment systems, driving assistance and wireless interfaces.

Figure 1: Serial bus protocols inside a vehicle – from [Huang2017]. The figure focuses on the three most popular protocols: Controller Area Network (CAN), Local InterConnect Network(LIN) and FlexRay.

These domains differ in terms of the functions they provide and the performance and quality of the network they require. Based on these differences, each domain has different performance and response time requirements. For example, a high speed CAN bus is used for real time and safety related domains inside the vehicle such as transmission sensors. LIN and low speed CAN bus are however used for non-critical functions inside a vehicle, as they are less expensive compared with the high speed CAN and FlexRay buses.

2.1 Controller Area Network (CAN)

CAN is serial communication protocol used for real-time, safety critical functions inside road vehicles and other controlled applications [TheInternationalOrganizationforStandardization2015]. It is a multi-master protocol and most widely used inside vehicles [Kang2018]. Below are the main characteristics of the CAN protocol:

  • the maximum bitrate is 1Mbps in the classical CAN bus;

  • high speed CAN bus bitrate can vary from 125kbps to 1Mbps, while low speed CAN bus bitrate from 5kbps to 125kbps;

  • critical sensors can be connected to high speed CAN bus while less critical sensors can be connected to a low speed CAN bus;

  • in CAN Flexible Data rate (FD), the bitrate is up to 8 Mbps – with a payload size of 8 bytes in Classical CAN and up to 64 bytes in CAN FD;

  • CAN bus protocol provides real time access for critical sensors via the Carrier Sense Multiple Access with Collision Avoidance and Arbitration Priority (CSMA/CA-AP) access/arbitration mechanism;

  • CAN bus is implemented physically using the twisted pair cable;

  • CAN bus is used in real time automotive applications such as engine management, transmission, braking system and steering;

  • CAN bus provides error detection and correction mechanisms;

  • CAN XL is expected to be announced in 2020 [CiA2020], and is the third generation of CAN which provides up to 2048 bytes of data payload and bitrate of up to 10Mbps [RobertBoschGmbH2019]. This generation of the protocols is expected to be used with Internet Protocol (IP) based services.

As the CAN bus is the most widely used protocol inside a vehicle, a more detailed description of this protocol is provided in Section 3.

2.2 Local Interconnect Network (LIN)

The LIN protocol is used for low cost vehicular applications which have a low bit rate, asynchronous data requirement. It is used for non-critical applications such as door module and air condition systems [ISO2016]. LIN is used where the reliability and robustness of the network is not critical [Seung-Han2008]. It is standardised in International Organization for Standardization (ISO) 17987 series, which has been sub-divided into seven sub-standards – describing the protocol functions aligned with the OSI layers such as physical layer, data link frame etc [ISO2016]. The LIN protocol has the following features:

  • a bit rate ranging from 1kbps to 20kbps;

  • single master with multiple slave nodes – with support for up to 16 nodes;

  • a single physical wire to realise the bus;

  • standardised as ISO standard 17987.

2.3 FlexRay

It is a protocol used for high bitrate requirements, with error detection and correction, redundancy and safety [Seung-Han2008]. It is used for high end applications inside vehicles such as power train and safety functions (adaptive cruise control and active suspension) [NationalInstruments2019]. The protocol is standardised under ISO 17458 series which describes the physical layer and data link layer characteristics [ISO10681-1:20102010]. The main features of the protocol are:

  • A bit rate of up to 10 Mbps with half-duplex bus access;

  • standardised as ISO standard 17458;

  • support for fault tolerant mechanisms;

  • designed to work for high speed and safety critical applications (e.g. braking-by-wire and steering-by-wire)

Since the CAN bus protocol is the most widely used, this review paper will focus on this protocol in terms of attacks, vulnerabilities and potential countermeasures.

Protocol Bit-rate Application Domain Standard
High
CAN
125Kbps to 1Mbps
Real time critical applications
e.g engine and braking systems
Powertrain
and Chassis train
ISO 11898
CAN
low
5kbps to 125kbps
Non-critical such as doors   and
windows
Body Domain ISO 11898
CAN
FD
Up to 10Mbps
Critical real time
applications
Powertrain
and Chassis train
ISO 11898
LIN 1kbps to 20 kbps
Non-critical
applications
Body Domain ISO 17987
FlexRay up to 10 Mbps
Critical
applications
Powertrain
and Chassis
ISO 17458
Table 1: Automotive serial communication protocols. The table shows Controller Area Network (CAN and CAN FD), Local Internet Network (LIN) and FlexRay

3 Controller Area Network (CAN)

Initial use of CAN bus within a vehicle did not consider security, as vehicles at that time were not connected to outside networks. The CAN protocol does not have security features and is vulnerable to attacks such as frame injection and denial of service. Nowadays vehicles are more connected, they have internal and external interfaces such as Wi-Fi, Bluetooth and mobile (phone) networks and thus cybersecurity has become a real concern. CAN is a protocol invented in the early 1980s by Bosch GmbH and used widely inside vehicles to send and receive data between ECUs and sensors [Avatefipour2018]. It was standardised in ISO 11898 series and it works as a serial bus, indicating that any node on the network (e.g. an ECU) can use the network bus to send data via a multi-master mechanism using 2 wires [Dubitzky2013]. This reduces the cost of wiring compared to a point to point wiring mechanism and reduces the negative effects of external noise through its CAN-High and CAN-Low (signal differential) transmission [Avatefipour2018] [Jafarnejad2015]. It works on the physical and data link layers, although it does not use Media Access Control addresses (MAC) and MAC tables to send and receive (route) frames. Instead, it uses message ID (does not have sender or receiver addresses compared to Ethernet) and a broadcast half duplex mechanism to transmit data over the bus. Also, it does not verify and use authentic messages as it sends data based on message id does not use a source address. CAN bus controller inside the vehicle connects critical parts of the vehicle such as engine and body control modules, such as gears, speed, brakes and so on. The CAN protocol itself does not provide message authentication and so it is vulnerable to cyberattacks such as CAN frame injections. The protocol consists of two versions: the classical CAN protocol and CAN FD protocol (Flexible Data rate) – both protocols are defined and standardised under ISO 11898 series [CANinAutomation2013].

3.1 Standard CAN bus Frame 2.0A

The classical CAN bus was standardised in 1993 in ISO 11898. It consists of two versions based on the message identifier length. The standard CAN bus 2.0A has an 11-bit identifier while the extended CAN bus 2.0B has a 29-bit identifier.

3.2 Extended CAN bus Frame 2.0B

This extended CAN bus provides a 29-bit identifier which gives more message ids, and hence a greater number of potential nodes that can be supported. The data payload is up to 8bytes. CAN frame structure is illustrated in figure 2

Figure 2: Standard and extended Controller Area Network CAN bus frame – showing the Frame header fields, Control fields, Data payload fields and Frame trailer

The CAN protocol frame consists of the fields shown in figure 2. A classical CAN frame [Gmbh1991], [Avatefipour2018] consists of: the arbitration field, the message identifier field and the Remote Transmission Request (RTR) bit.

  1. Frame header: The frame header contains the message identifier (11-bits or 29-bits) which identifies the priority and the content of the message. It is worth noting that a CAN bus does not provide source and destination addresses like IP networks, instead it uses unique CAN identifier numbers in each message.

    • Start of the Frame field (SOF) has a dominant value of 1.

    • 11-bit identifier shows the message id which determines the priority of the message where the lowest value means the highest priority. Also, it is used to represent the content of the message.

    • 29-bit identifier – as part of the extended frame has similar structure as the standard frame except additional fields in the frame header and control field such as the following: The frame header consists of a base identifier (11-bits) and the extended identifier 18-bits which both provide the priority of the frame and its content.

    • Remote Transmission Request (RTR) is used to retrieve information from a node in the network.

  2. Control fields The control field consists of: Identifier Extension Flag (IDE), rO and Data length Control (DLC) flag:

    • IDE Identifier Extension is used to distinguish between standard and extended frame

    • r0field is a 1-bit value and reserved and it always has the recessive value of 0.

    • DLC field is a 4-bit value and indicates the length of the data in the data field

    • SSR Substitute Remote Request

    • IDE Identifier Extension Flag is used to identify the frame as standard (dominant bit) and in the extended frame the value is a recessive bit

    • R1 and r0 are reserved bits and they are always dominant.

  3. Data field:This field contain the payload of up to 8-bytes.

  4. Frame trailer: These fields are used to detect frame errors using checksum and correction mechanisms:

    • CRC (Cyclic Redundancy Code) field consists of 15bits and is used for checksum error detection. [KVASER].

    • ACK or acknowledgement field is used to indicate that messages have been sent without any errors.

    • EOF indicates the End of the Frame and the message sequence.

    • IFS Inter Frame Space is 3bits in size and used to provide frame separation and initiate frame processing.

3.3 Controller Area Network with Flexible Data Rate (CAN FD)

CAN FD is developed to meet the needs of higher speed and more data payload size. It can provide up to 64bytes of data payload along with up to 8Mbps of speed [Cheon2013]. It comes with a standard and an extended version similar to the classical CAN protocol. It is standardised in ISO 11898 series as well. The frame structure of the CAN FD protocol is illustrated in figure 3.

Figure 3: CAN FD 11- and 29-bit identifier frame structure

3.4 Frame Types of CAN bus Protocol

The CAN bus is divided into four types of frames [Gmbh1991]:

  1. Data Frame: contains the data payload.

  2. Remote Frame: used to ask for the transmission of data frame with the same identifier from another node on the bus. The difference between this frame and the data frame is that the RTR field inside the arbitration id is put in recessive and there is no data payload.

  3. Error frame indicates that there is an error in the bus and this frame can be used by any node.

  4. Overload Frame is used when a node on the bus is too busy to receive data from another node. When a CAN node transmits frames on the bus, it will be received by all other nodes connected to the bus due to its broadcast feature. The CAN controller board on a CAN node is responsible for handling the relevant frames. An error frame can be raised if an error occurs when receiving data and the remote frame is raised by the node to ask for a re-transmission of data.

The CAN standard was updated as ISO11898:2015 to include CAN FD [CANinAutomationa]. The 11898 series describes the CAN bus data link and physical layer functions such as described in figure 4.

Figure 4: CAN bus protocol in OSI Model. CAN bus Hardware, Software and Standards in OSI layers

3.5 Cybersecurity and Safety Standards for Vehicle Networks

Various efforts already exist to provide security and safety for vehicles, from design to production and operation. Such efforts originate from standards organisations such as ISO, the Society of Automotive Engineering (SAE) and other organisations. Some of the main standards for automotive cybersecurity include:

  1. ISO / SAE 21448: This standard provides a guide from measurement to design, to enable the verification and validation of services inside vehicles [InternationalOrganizationforStandardization2019]

  2. SAE J3061: Provides a guide for cyber-physical systems within vehicles, and has been provided by the Society of Automotive Engineering [StandardofAutomotiveEngineering2016].

  3. SAE J3101 standard provides the required features to support hardware security protection for vehicular applications [SAEInternational2012]

  4. SAE J3138 (Diagnostic Link Connector Security): A standard used for diagnostics and security purposes for direct interfaces such as the on-board diagnostics (OBD-2) port inside a vehicle [J31382018].

  5. ISO / SAE 21434: This standard is used to support road vehicle cybersecurity engineering – expected to be released in 2020 [Barber2018]. It is a shared effort between ISO and SAE covering security for road vehicles, in-vehicle systems, components, software and communication with external networks and devices. This standard aims to provide guidelines for vehicle manufacturers and suppliers from design to production phases [Barber2018].

Other efforts to secure in-vehicle network infrastructure such as E-safety Vehicle Intrusion protected Applications (EVITA) and vehicle to infrastructure (V2I) such as Secure Vehicular Communication (SEVCOM):

  1. E-safety Vehicle Intrusion Protected Applications (EVITA)(2008-2011): [Seudie2009]: This project focuses on securing in-vehicle network infrastructure from physical and remote attacks.

  2. Secure Vehicular Communication (SEVCOM) (2006-2008): [SevecomSevecom2008] has focused on securing V2I networks, with an emphasis on wireless data communications that is used to transmit vehicle parameters to an outside network or device.

  3. Cooperative Vehicle-Infrastructure Systems (CVIS) (2006-2010): [CVISCVIS2010] a framework to provide V2I security and privacy for drivers and connected vehicles.

3.6 CAN bus Network Infrastructure

The CAN protocol focuses on the physical and data link layers. Extended protocols from industry such as J1939 (for heavy vehicles) and OBD-2 (for vehicular diagnostics) are built on top of the CAN data link and physical layers. The CAN layer functions can be identified [Gmbh1991] as follows and as shown in 5:

CAN Physical Layer (CPL) focuses on transmission of the signal across the CAN bus hardware.

CAN Data Link Layer protocol (CDLL) defines the core protocol (realised using the CAN chipset) such as bit timing, message framing, synchronisation, arbitration logic and error detection (e.g. use of CRC and ACK).

CAN High Layer Protocols (CHLP) (Application layer Protocols) use high speed CAN to provide real time information and diagnostic data exchange between ECUs. There are different high layer protocols in industry such as J1939 by the Society of Automotive Engineers (SAE) and used in heavy duty vehicles [SocietyofAutomotiveEngineers2007]. The J1939 protocol uses the 29bit version of the CAN bus protocol. Other protocols such as the protocol used with the On-Board Diagnostic (OBD-2) port are used for vehicle diagnostic and emissions analysis.

Figure 5: CAN Electronic Control Unit (ECU) hardware and software components, functions and standards

3.7 Automotive Application Layer Protocols

SAE J1939 is an application layer protocol widely used in commercial heavy vehicles such as coaches and agricultural vehicles. It works on top of the CAN 2.0B bus with a 29-bit extended frame providing a bitrate of 250Kbps to 500Kbps [VECTOR]. It also provides a standard message format and specification which allows using components from various manufacturers inside vehicles. Figure 6 illustrates CAN bus application layer.

Figure 6: SAE J1939 CAN Application layer protocol

3.8 Electronic Control Units (ECU)

Modern cars have around 70 ECUs which control various functions of the car, such as breaks, gears and engine status [Seung-Han2008]. An ECU is primarily a microprocessor which contains a CAN controller used to support data link layer functions and a CAN transceiver used for physical layer functions such as frame delivery, error detection and correction and other data link layer tasks [Microchip2003]. Figure 5 shows CAN Electronic Control Unit (ECU) hardware and software components, functions and standards in OSI model. Also, table 2 illustrates some ECUs which are used inside vehicular network systems.

3.9 CAN bus communication

The CAN protocol uses a broadcast based mechanism for message exchange [Wampler2009] and each node can request use of the bus randomly. An arbitration mechanism is used to ensure priority on the bus [Gmbh1991], as ECUs with critical functions such as engine, transmission and braking systems usually have higher priority to access the bus and require least broadcast frequency [Tomlinson2018a]. Priority is based on comparing the arbitration id of requesting nodes, and the node with higher priority is granted access to send data on the bus. Inside the vehicle, ECUs with critical functions (e.g. brakes, steering) can be connected to a high speed CAN bus while ECUs with low importance (e.g. windows) can be connected to low speed CAN bus [Taylor2016a][Deng2017]. Both CAN buses then are connected through a gateway ECU [Deng2017].

Figure 7: Two CAN buses connected to each other through a bridge – based on [Wang2014]

With this structure as outlined in figure 7, any ECU with connection to the bus, using an OBD-2 port or Bluetooth, can sniff and inject data into both buses. These vulnerabilities have led to the development of Intrusion Detection Systems (IDSs) and firewalls to prevent unauthorised access, as well as using cryptography methods to provide confidentiality, integrity and authentication.

3.10 Protocol usage

The CAN bus protocol has been used in many application areas due to its simplicity and offered bitrate. The ease of implementation, low cost and the small number of physical wires need to realise it makes it suitable for use in many embedded system [Gmbh1991]. It is used inside vehicles, built environments (e.g. controlling elevators in buildings, building energy management systems), railway applications, medical devices and aircrafts [Anon1999].

Electronic Control Unit CAN bus Connection Critical
Engine Control Module (ECM) High CAN bus
Electronic Brake Control Module (EBCM) High CAN bus
Transmission Control Module (TCM) High CAN bus
Body Control Module (BCM) High and Low CAN bus
Telematics Module (TM) High and Low CAN bus
Remote Control Door Lock Receiver (RCDLR) High CAN bus
Heating, Ventilation, Air Conditioning High CAN bus
Sensing and Diagnostic Module (SDM) High CAN bus
Instrument Panel Cluster/Driver Information Center High CAN bus
Radio High CAN bus
Theft Deterrent Module (TDM) High CAN bus
Table 2: Some Electronic Control Units inside CAN bus Network – based on [Koscher2010]

4 Connected Car Environment

Connected cars can simply mean a vehicle connected to a network and providing services such as vehicle diagnostic parameters and GPS information to the vehicle owner. According to Juniper research, connected cars are expected to increase to 750 million by 2023 [JuniperResearch]. This connectivity will be through telematics or by in-vehicle applications. Vehicles can be connected with either aftermarket tools such as OBD-2 cellular device, GPS device used in fleet management or hardware and software included from the vehicle Original Equipment Manufacturer (OEM). Components used in connected cars can be classified as:

Telematics Unit: provides connectivity to the car using WiFi, Bluetooth, GPS and mobile data interfaces.

Infotainment Unit: provides the information and entertainment to the driver through a head display unit such as CD, DVD player, USB and mobile applications integration with the head unit.

Driver assistance Unit: provides the driver and the vehicle with driving assistance hardware such as cameras and LiDAR sensors to provide safety on the road. Also, these sensors are used to support autonomous driving. Also, Adaptive Cruise Control and Park Assist are used for measuring parking space and auto park assistance.

Vehicle 2 X: connected cars can also provide communication to cars (V2V) and roadside infrastructure (V2I) using wireless communication called Dedicated Short Range Communications (DSRC) which allow exchange data such traffic conditions between cars and/or road side unit.

Figure 8: Connected Car environment with four potential entry points for data injection: Telematics, Infotainment, Direct interfaces and Sensors. Also, security countermeasures to detect and prevent physical and remote attacks using Cryptography, Intrusion Detection System (IDS), Firewalls and Access Control Lists.

4.1 Connected Vehicle Interfaces and Sensors

Bluetooth provides connectivity with mobile apps hosted on devices operated by passengers. Such a service involves pairing a mobiles phone(s) with head unit inside the vehicle [Checkoway2011]. This can lead to vulnerabilities from the Bluetooth connection as legacy and vulnerable versions are still used – as described in [Cheah2017][Oka2014] [Checkoway2011].

Wi-Fi: Connected cars provide wireless connectivity for various services, such as providing internet through Wi-Fi on board. Wi-Fi has a number of vulnerabilities, e.g. via a Wi-Fi hotspot on a Jeep [Miller2015] and a Tesla S [Tesla2016].

Cellular/phone network: modern cars can also provide mobile/phone/cellular connection which can be used to retrieve data such as weather conditions and traffic[Miller2015]. Attacks on such networks have also been identified [Checkoway2011]. For example, [Miller2015] have shown how a cellular network interface can be hacked inside a Jeep.

OBD-2 (On-Board Diagnostic) : It is a mandatory port which is used for capturing diagnostic and environmental (e.g. emissions) data. This interface is directly connected to the vehicle’s CAN bus network and by using an aftermarket OBD dongle and attaching it to the OBD port, it is possible to initiate various attacks such as a DoS attach which can affect vehicle operation and driver safety [Fowler2018]. Various attacks have been demonstrated using direct connection to an OBD port and generating remote attacks using wireless OBD dongles [Checkoway2011]. In 2018, a remote attack on a vehicle was initiated using a custom hardware that was connected to a CAN bus over OBD-2 port. This customised board used a SIM card, and the attacker sent malicious SMS messages in order to inject this data into the CAN bus [Zorz2018].

Global Position System (GPS): is used to provide driving assistance and positioning for drivers. Further, it is used by fleet management to monitor vehicle location. This interface can provide an entry point for an attacker – both for injecting and sniffing data [Oruganti2019]. In [Miller2015] GPS information was retrieved from the head unit of a vehicle through unprotected 6667 port.

Compact Disc (CD) player is used in the head unit for entertainment purposes. It has been shown that this unit is directly connected to the internal data network of a vehicle, and also susceptible to cyberattacks, as described in [Checkoway2011].

Sensors: sensors and actuators are used inside vehicles to support various functions such as sensing engine temperature. Physical availability attack can be initiated using signal jamming [Loukas2017] to block data between the sensors and the CAN network. In correct sensor values can also be injected into the CAN bus to modify the behaviour of the ECUs that operate on this data. A particular type of sensors used for Tyre Pressure System Monitoring (TPSM) are connected to each tyre to monitor pressure and send real-time data to an ECU [Miller2015]. Attack on TPSM is described in [FiguerolaGarcia2012], where the authors were able to perform eavesdropping attacks from 40 meters on a passing car.

LiDAR and Camera: Cameras and laser signals are used inside vehicles to provide safety and driving assistance. These components can be manipulated by various attacks such as signal jamming. In [Petit2015a], the authors performed signal jamming attacks on LiDAR and cameras. These components are also widely used inside autonomous vehicles.

Keyless entry : Miller and Valasek [Miller2015] show how Remote Control Door Lock Receiver (RCDL) within a vehicle is directly connected to the internal CAN bus. It receives the signal from the key fob to lock, unlock doors and trunk of the vehicle. Keyless entry attacks were initiated to steal vehicles in many occasions, and it has been shown as the most used attack between 2010–2019 [Upstream2019]. This attack can be initiated by jamming the signal between the key fob and the vehicle to keep the doors open while the owner of the car thinks it is closed. Also, it can be initiated by capturing the key fob signal and redirecting it to the vehicle. For example, in [Eisenbarth2008] researchers were able to hack key fob block cipher and perform relay signal attack, and were able to lock and unlock doors. The attacker needs to be in the range of the key fob to be able to intercept the signal for this type of attack.

5 Vulnerability of In-Vehicle CAN bus

The intention of using a CAN bus inside a vehicle was to reduce cost, simplify installation, and improve efficiency for real time communication. However as mentioned previously, a CAN bus has a number of security vulnerabilities [Currie2015]:

  • The network is not segmented, as all nodes (ECUs) are connected to the same bus. The CAN bus protocol uses a broadcast mechanism to transfer data, which means all nodes on the network can send and receive the same messages.

  • There is no security mechanisms used for authentication and thus the CAN bus is vulnerable to message poisoning and denial of service (DoS) attacks.

  • The traffic on the CAN bus is not encrypted and can be easily read through a data sniffing attack. Every ECU connected to the bus can therefore sniff CAN frames due to the broadcast mechanism.

  • An ECU can make the CAN bus in domination status using the arbitration scheme (Message ID priority scheme) and thus prevent other ECUs from using the bus – which can lead to DoS attack.

  • It is not possible to know whether an ECU has sent or received certain messages (non-repudiation).

  • Access to the CAN bus network via external interfaces and connections such as OBD-2, Wi-Fi and Bluetooth widens the potential attack surface (and entry points) [Wu2019a].

There has been an increase in the number of cyberattacks on vehicles, increasing 7 times in 2019 compared to 2010, and doubling in 2019 compared to 2018 [Upstream2019] as shown in figure 9. The vulnerable points could be classified as direct, indirect, short-range and long-range attacks [Checkoway2011].

(a) No. of physical & remote attacks: 2010–2019 [Upstream2019]
(b) Top attack vectors: 2010–2019 [Upstream2019]
Figure 9: Vehicle Attacks: 2010–2019

The CarShark software was used within a vehicle to sniff, analyse, observe and replay the data on the CAN bus using OBD-2 connector and then control the wheels, brakes and other ECUs and components of the vehicle [Koscher2010]. This work also reports on other entry points to the CAN bus inside the vehicle such as the audio jack, USB and Wi-Fi, and the use of these to perform various attacks. Similarly, other attacks were performed from outside the car identifying potential vulnerabilities [Checkoway2011]. Figure 9 shows potential entry points for attacking a vehicle.

Other examples include attacks on Toyota Prius 2010 [Miller2014] and Ford Escape 2012 vehicles by physically connecting to the OBD-2 port (and CAN bus) and controlling vehicle speed, brakes and steering. Other examples include remote attacks carried out on a Jeep Cherokee [Miller2015]. Another attack is the keyless fob attack used to forcibly unlock the doors of a vehicle [Eisenbarth2008]. A summary of in-vehicle network based attacks includes:

CAN bus
initiated attack
Entry
Points
Physical
remote
Attack
Mechanism
Position of the
attacker
Result of
the attacks
Interfaces
Initiated
attacks
•  OBD-2
•  BT
•  Wi-Fi
•  Physical
•  Remote
•  Remote
•  OBD-2 direct connection
•  BT vulnerabilities
•  WiFi on board access
•  Inside/Outside
•  Outside
•  Outside
•  Full access
•  Sniffing
•  Injection
Infotainment
and telematics
initiated attacks
•  USB
•  CD Player
•  BT
•  Wi-Fi
•  Cellular
•  GPS
•  Physical
•  Physical
•  Remote
•  Remote
•  Remote
•  Remote
•  Direct Connection
•  Direct connection
•  Unauthorised access to BT
•  Wi-Fi unauthorised access
•  Access cellular interface
•  Access GPS information
•  Inside
•  Inside
•  Outside
•  Outside
•  Outside
•  Outside
•  Inject CAN
•  Inject CAN
•  Inject and sniffing
•  Inject and sniffing
•  inject and sniffing
•  inject and sniffing
Sensor
initiated
attacks
•  TPSM
•  Key fob
•  LiDAR
•  Remote
•  Remote
•  Remote
•  Decode and replay
•  Intercept and relay
•  Jamming LiDAR signals
•  Outside
•  Outside
•  Outside
•  Attack TPSM sensors
•  Unlock doors
•  Block driving assistance

OBD-2: On-Board Diagnostics ; BT: Bluetooth; USB: Universal Serial Bus; GPS: Global Positioning System;
TPSM: Tyre Pressure Monitoring System; LiDAR: Light Detection and Ranging.

Table 3: In-Vehicle EntryPoints

Table 4 identifies some of the attacks initiated on real vehicles and simulated environments. The table identifies entry points used, how attacks were initiated, the position of the attacker, the outcome of the attacks and the software/ hardware test environment used.

Authors
Initiated
Attacks
Entry
Points
Position of
the Attackers
Attack
Result
Test
Environment
[Koscher2010]
Interfaces
Infotainment
•  OBD-2
•  USB
•  CD Player
•  Inside (Direct)
•  Inside
•  Inside
•  CAN bus injection
•  Full access
•  Real vehicles
[Miller2015] Interfaces
•  OBD-2
•  Inside
•  Outside
•  Control brakes,
•  Wheels and
•  Get access to the CAN bus
•  Real vehicles
[Hoppe2011] Interfaces
•  OBD-2
•  Inside
•  Control Window car lifting
•  Warning light
•  and airbag
•  Parts of a vehicle
•  such as
•  instrument cluster,
•  window car lifting
•  and head unit ECUs
•  CANoe simulator
[Checkoway2011]
Interfaces
Infotainment
Telematics
•  OBD-2
•  Cellular
•  BT
•  CD Player
•  Radio
•  Inside
•  Outside
•  Outside
•  Inside
•  Outside
•  Get access to CAN bus
•  Disable parts of the vehicle
•  Real vehicles
[Petit2015a] Sensors
•  LiDAR
•  Cameras
•  Outside
•  Outside
•  Signal jamming
•  LiDAR Hardware
•  CAN software
[Rouf2012]
Sensors
•  TPSM
•  Outside
•  Inject with
•  False TPSM values
•  and signal jamming
•  Real vehicles
[Eisenbarth2008] Sensors
•  Keyfob Keyless entry system
•  Outside
•  Lock,unlock door
•  and start the engine
•  Real vehicles
[Miller2015] Telematics
•  WiFi
•  Outside
•  Unauthorised access
•  Inject CAN message
•  to stop the engine
•  Jeep Cherokee
[Tesla2016] Telematics
•  WiFi
•  Outside
•  Full access to CAN bus
•  Tesla model S
[Zorz2018] Interfaces
•  OBD-2 Cellular Dongle
•  Outside
•  CAN bus injection
•  Real vehicle
Table 4: Attacks on In Vehicle Networks

5.1 Attacks against the CAN Bus

The classical CAN and CAN FD buses are vulnerable to various attacks. Once attackers have access from either inside or outside the vehicle, they can generate various attacks on the CAN bus network such as CAN sniffing, CAN fuzzing, CAN replay and DoS attacks. Some of the mechanisms for initiating these attacks include:

Figure 10: Overview of some In Vehicle CAN bus Network (IVN) attacks

CAN bus sniffing: With no authentication mechanisms, encryption and broadcast transmission, it is possible to sniff the data on the CAN bus [Currie2015]. Using off the shelf OBD2 sniffer such as CANdo board, it is possible to read and analyse the data on the bus to manipulate and generate similar messages [Miller2015]. This attack can be avoided by implementing encryption to prevent exposing CAN frames. This attack is difficult to detect due to the passive nature of sniffing traffic. The next step is to reverse engineer the raw CAN messages so that they can be used to target specific parts of the vehicle. This an important step since manufacturers tend not to publish their CAN message specification [Kang2018].

CAN bus fuzzing attack CAN bus protocol lacks authentication and data integrity checking and as a result ECUs accept CAN messages and respond to them. This attack is used to send random CAN data frames, checking the bus and observing changes on the instrument panel of the vehicle. This attack looks at the impact of CAN frames on the ECUs such as observing the change in vehicle speed while injecting CAN frames [Khan2017]. It usually happens after sniffing and analysing captured CAN messages. Also, it can be generated using a black-box, where CAN id and payload values are generated randomly without prior knowledge of the actual CAN id used. It involves sending randomly captured CAN frames and recording the outcome. Encryption is needed to prevent analysis of the captured data, along with authentication to only accept CAN frames from legitimate ECUs.

CAN bus frame falsifying attack This attack is used to modify CAN message payload by inserting incorrect values. For example, the attacker can inject a vehicle with incorrect parameter values. This type of modification attack is used when the CAN id is known, and the intention is to provide incorrect data payload to disrupt vehicle services. This happens due to the lack of data integrity and authentication support in the CAN bus protocol. In order to prevent this attack, CAN bus should provide authentication to verify the source of the data before acting upon it. Usually this attack involves a small amount of data, making it difficult to detect and monitor. To detect this attack, a system should consider checking CAN id and data payload consistency in a time window.

CAN bus injection attack Injecting data into a CAN bus can be used to send messages at an abnormal rate [Marchetti2017a]. The purpose of this attack is to change frequency and amount of CAN frames on the bus, and change the sequence of legitimate CAN frames and data payload. Since CAN bus does not provide authentication to check if the sender is legitimate, this attack will inject the bus with abnormal CAN traffic targeting the vehicle speed. Lack of encryption also enables arbitrary nodes to connect to the bus. The data on the bus can then be monitored to obtain the arbitration and data field, and and generate messages to simulate events [Culling2017]. This could lead to generation of fake events that cause parts of the vehicle to behave as required by the attacker. This attack can be prevented using authentication and integrity mechanisms. The result of the attack can increase the broadcast frequency of certain CAN id which can be detected through abnormal broadcast behaviour.

CAN bus DoS attack: Classical CAN and CAN FD use the same mechanism to access the medium with multi access using the CAN id priority [Huang2017]. The nodes on the CAN bus use the arbitration field to determine the priority of the message and which node can occupy the bus and send data. In this case, a DoS attacked can be lunched using highest attribution id such as 0x000 to occupy the bus and make it busy by using CAN frame priority arbitration scheme and send too many highest priority frames so that other nodes cannot use the bus [Miller2015]. Also, it can use the same CAN message id of an existed ECU and by knowing its transmission rate, a DoS can be performed by incrementing the frequency time. For example, if an ECU sends a message every 200 ms, the attacker can increase the frequency by injecting the same message with higher frequency which can lead to disruption of the sensor part.

ECU impersonation: Once an attacker has access to the CAN bus network, the attacker can receive all the traffic broadcast on the bus. With a focused analysis of the traffic, attackers can learn the behaviour of each ECU such as it’s CAN ID, payload range and transmission rate. In this way, they can simulate ECU behaviour by sending the same data with the same frequency. An increase in the CAN messages rate will occur which generates an attack. However, if the attack was more focused, they could initiate an attack to disable particular ECUs. For example, Iehira et al. [Iehira2018] introduced a sophisticated spoofing ECU attack by first performing an attack on an ECU by taking advantage of the error handling mechanism of the CAN bus protocol. This attack works by mimicking the target ECU behaviour, CAN ID and frequency. Then, the attacker ECU contradicts the target ECU by sending a dominant bit while the original ECU sends a recessive bit. This would raise an error in the ECU controller which leads, at a certain point, to disconnecting the ECU from the bus and dropping all the CAN bus communication. This enables an attacker to perform various attacks, such as an ECU impersonation attack, which is difficult to detect.

6 CAN bus Security Mechanisms

Implementing and testing security of CAN bus traffic has been conducted by many researchers. In this section we identify current countermeasures used and divide them based on the mechanisms they use, and whether these are used from within or outside the vehicle. We also consider factors such as the test environment, security metric being considered, countermeasure used, the type of mitigated attacks, overhead of supporting the countermeasure and utilization.

6.1 In Vehicle Network Cybersecurity

Given the limited capacity of the CAN bus, any countermeasures used to address its vulnerabilities should consider this limitation and not overload the bus. Security solutions for a CAN bus can be divided into encryption, authentication and redesign of the protocol stack by replacing fields in the frame, splitting the message to multiple frames, or by adding nodes and components to the bus to realise additional capability. These approaches can be costly to deploy. Cryptography-based methods have focused on securing the CAN bus from malicious messages, while Intrusion Detection Systems (IDS) focus on the detection of malicious messages. Firewall and Intrusion Prevention Systems (IPS) can be used in external interfaces to block access to the bus. Implementing a dedicated node to realise the IDS and firewall may be required.

6.2 Using Cryptography

Implementing cryptography in the CAN bus requires additional computational resources in the ECUs and the CAN bus controller. Cryptography can be used to provide authentication and data integrity through Message Authentication Code (MAC) and confidentiality through symmetric and asymmetric cryptosystems. For in-vehicle networks, a key challenge is to create a secure method that does not alter the payload size (e.g. splitting the message can lead to more load on the bus) and response time latency which would affect vehicle safety. CAN bus also provides a checksum calculation using Cyclic Redundancy Code (CRC) to check if there is a change in the frame during transmission, but it only provides error detection not the integrity and authentication of the frame. An ACK field is used for error detection and correction purposes. Implementing cryptography in the CAN bus should consider the following [Herrewege2011], [Nurnberger2016], [Radu2016]:

  • Limited frame size and capacity of the bus;

  • limited speed of response and high latency;

  • broadcast nature of the bus – and lack of support for confidentiality, integrity and authentication by design;

  • no backward compatibility;

  • limited computational capacity within ECUs.

Lightweight encryption is needed in such embedded systems, due to limited computational capacity within ECUs inside the vehicle. The approach used in the classical CAN bus protocol involves creating a small MAC tag size, less than 8bytes, and inserting it along with the actual data payload. This tag provides integrity and authentication as it is encrypted by a shared secret key. Session keys are used for authentication and to prevent subsequent re-play attacks. Key distribution is a concern in CAN bus broadcast environments and therefore a pre-loaded key in each ECU can be used to establish key exchange and freshness to tackle data broadcast and to avoid bus loading due to key exchange. Also, to tackle the issue of low computing resources, Hardware Security Module (HSM) can be used in resource-constrained ECUs to provide better encryption/ decryption time. However, these approaches can still be costly to realise within existing vehicles. In summary, the adopted approaches involve:

Figure 11: MAC signature inside CAN frame [Ueda2015]
  • Using lightweight Message Authentication Code (MAC) to overcome resource constraints in ECUs, and making use of a small key size and MAC signature.

  • Implementing changes in the CAN protocol standard by replacing fields such as CRC with MAC signature, or by extending the protocol data field (called CAN+) and extending the data payload to 16 bytes to give more space for the MAC signature. However, this approach leads to compatibility issues.

  • A Hardware Security Accelerator can be used (as an additional hardware) to overcome computational resource limitations – however, it may not be a cost-effective approach.

According to the National Institute of Standard and Technology (NIST), HMAC [FIPS-198-12008] provides authentication and integrity of the data through a hash function and a shared secret key between sender and receiver. Hash algorithms such as SHA-1, SHA-224 and SHA-256 produce message digest or MacTag of 160, 224 and 256 bits according to [Dang2012]. The size of this tag is exceeds the maximum data payload of CAN frame (of 64 bits) and thus a truncated tag is used by deriving a smaller size from the MAC computation.

Figure 12: CAN message authentication and dedicated monitoring ECU. Derived from [Ueda2015]

6.3 CAN Frame Authentication

Authentication mechanisms can be used to provides authentication and integrity of the data for an in-vehicle network. This mechanism is called Message Authentication Code (MAC). However, this approach does not provide confidentiality which means CAN traffic is still exposed to sniffing and reverse engineering attacks. Thus, a combination of MAC and encryption is needed to provide better security. The following approaches can provide authentication and integrity of CAN bus data, but either change the behaviour of the protocol by splitting CAN frames, replace fields, increase CAN frame size or increase bus payload and response time. Some approaches also require additional hardware which can increase the cost of implementation and lead to incompatibility with current vehicles.

-Nilsson et al [Nilsson2008] introduced an approach based on a shared 128-bit key between ECUs and a Cipher-Block Chaining Message Authentication Code (CBC-MAC) using KASUMI encryption algorithm. Their approach provides integrity and authentication through a 64-bit MAC tag. However, it splits a single CAN ID message into multiple messages in order to insert 16-bits inside the CRC field. This means that 4 messages are needed in order to send the 64-bit tag. As a result, their approach increases the bus load by increasing the number of CAN bus messages and it changes the CAN protocol behaviour by replacing the CRC field with MAC tags. Furthermore, it causes more latency through CAN message splitting.

-Wang and Sawhney [Wang2014] proposed a trusted group-based technique to enforce access control while minimizing the distribution of keys through a pre-calculated cryptographic function. Their approach was able to successfully prevent message injection attacks while message processing delay was approx. 50s. They used Freescale’s automotive boards to test their solutions. Trusted group ECUs share a secret symmetric key (K h) – and ECUs in the trusted group can hold keys of other groups if needed. This approach is effective since it separates telematics and OBD-2 ports which are the main entry points for attackers. However, their authentication approach is achieved by sending data and authentication messages for each CAN ID which doubles the bus load.

-Another approach CANAuth used light weight encryption to mitigate sniffing and poisoning attacks [Herrewege2011]. The authors considered the limitations of the CAN bus protocol and used lightweight encryption mechanisms to mitigate attacks, but DoS attacks were not investigated and a CAN+ protocol (16bits) was used which is incompatible with standard CAN bus specifications. The proposed approach uses HMAC function with pre-shared symmetric and group keys for key distribution. It uses 15 bytes for HMAC flag and key transmission while 1 byte is used for the actual data.

-LCAP in [Hazem2012] used a one way function to provide a 2byte magic number. The authors proposed using their approach in the data field (2 bytes out of 8 bytes) in the standard CAN frames 2.0A. In the extended CAN, they used magic number of 16 bit in the header field of the extended header 29 bit CAN frame 2.0B. Their approach provides authentication and integrity through symmetric keys and HMAC magic number. LCAP provides protection against re-play attacks due to the changeable magic number and session keys. A drawback is that it is based on the CAN+ (16 bytes of data) which raises compatibility issues as the CAN transceiver hardware needs modification to handle the 16 bytes of data payload.

-LibrA-CAN is a broadcast authentication protocol using the MD5 Message Digest, compatible with CAN+ specification introduced in [Groza2012]. Multiple receivers can hold keys and provide authentication roles based on monitoring their own message ID usage inside the CAN bus. This approach splits CAN messages into normal CAN messages and authentication tag messages – which increases bus traffic [Bella2019]. For improvement, they suggest using CAN+, but the CAN transceiver hardware should be changed to be able to handle the new CAN+ frame.

-In[Bittl2014], the authors used a combination of SHA3 and HMAC function along with session keys to avoid re-play attacks. This method used the length in the CRC fields to insert a cryptographic checksum. The processing time of sending and receiving a message was not provided in this approach. Also, there is a change in compatibility of the CAN frame specification by replacing CRC field with MAC tag field.

-CaCAN in [Kurachi2014] is used to carry out authentication and validate integrity of CAN messages. This is achieved by using a main “Monitor" ECU that shares keys with other ECUs. Using the broadcast behaviour of the CAN us, it receives all messages and can detect and overwrite unauthorised messages. This approach does not provide confidentiality and additional hardware is needed as a monitoring ECU node.

-LeiA was introduced in [Radu2016] which used 128-bit key, MAC and counter based algorithms to authenticate data and generate counters to mitigate re-play attacks. This algorithm does not require any changes to the hardware and topology of the CAN Bus. However, it is compatible only with CAN 2.0B 29-bit extended frame and changes the CAN header by replacing the 18-bit identifier with a counter – potentially leading to incompatibility issues with current vehicle networks.

-In [Kang2017], the authors introduced a one-way hash chain using HMAC-MD5 and AES-128 to provide authentication. they tested their approach on simulated ECUs using CANoe Vector tool and Freescale S12XF as CAN hardware. Re-play and spoofing attacks were considered in this approach. They used the symmetric key and Authentication Key Exchange Protocol2 (AKEP2), and assume that the symmetric key and the ID of the sender are stored during manufacture. They have demonstrated only a limited overhead (bus load and latency) when using their approach.

-In [Ueda2015], the authors have used HMAC-SHA256 to provide ECU authentication and data integrity. Their MAC tag size is 1byte and it is inserted along with the actual data payload and a counter size of 4-bit to prevent re-play attacks. They include a ‘Monitor’ ECU that receives all the messages on the bus and checks if they are legitimate, by holding all the keys of the ECUs. In case of an illegitimate message, they send a remote frame to overwrite the malicious message.

Authors Method
Attacks
mitigated
Hardware
Security
Module
Real
time
Bus
load
Change
CAN bus
Test
bed
environment
[Nilsson2008] CBC-MAC
•  Injection
•  spoofing
No
Delayed
authentication
Multiple
CAN
frames
Splitting
CAN frame
for authentication
purposes
Theoretical
[Wang2014]
Trusted Group
HMAC
Symmetric key
•  Sniffing,
•  Spoofing
•  Injection
Pre-load keys
During
manufacturing
Yes
Message
Splitting
Split CAN frames
for authentication
purposes
Freescale’s
automotive
boards
[Herrewege2011]
HMAC
Symmetric key
Counters
•  Sniffing,
•  Spoofing
•  Injection
•  Replay
No Yes
16 bytes of
data payload
CAN+ 16 Bytes
All nodes must
Know pre-shared key
Theoretical
[Hazem2012]
One way function
Magic number
of 2 bytes
Session keys
•  Replay
•  Injection
No
-Yes, but
Consume time
during key
 distribution
Add extra
2 Bytes in
the payload
HMAC tag
in the 2.0B CAN
frame header
Starter-TRAK
TRK-MPC5604B
 board
[Kurachi2014]
HMAC
Symmetric keys
Counter
•  Replay
•  Spoofing
•  Injection
ECU
server
Yes No
Special ECU
server
hardware
Altera FPGA
board
CAN
transceiver board
[Bittl2014]
SAH3
HMAC
•  Replay
•  Injection
No Yes No
Replace CRC
field
Theoretical
[Groza2012]
MD5
LMAC
•  Replay
•  Injection
No No Yes
Split CAN messages
Using CAN+
Theoretical
[Radu2016]
128-bit key
MAC
Counter
•  Replay
•  Injection
•  Spoofing
No
No
No
16-bit counter
in the CAN 2.0b
frame header
FreescaleS12X
and Infineon TriCore
[Kang2017]
HMAC
MD5
AES-128
•  Spoofing
•  Replay
No Yes No
Insert MAC tag
in 18-bit filed
in CAN 2.0B header
CANoeVector tool
Freescale
S12XF board
[Ueda2015]
HMAC
SHA 256
•  Replay
•  Spoofing
Dedicated
ECU-FPGA
board
with built-in
HMAC
Yes No
Insert 8-bit
MAC tag
4-bit counter
Altera FPGA
development
 board and CAN
 transceiver board

HMAC, Hash Message Authentication Code; CBC-MAC, Cipher Block Chaining Message Authentication Code;
LM-MAC, Linearly Mixed MAC; MD5, Message Digest; SHA3, Secure Hash Algorithm3.

Table 5: Frames Authentication for Controller Area Network

While the above approaches provide authentication and integrity for the CAN bus protocol, they suffer from other limitations such as backward incompatibility, real time constrains (delayed authentication) or cost of implementations by using dedicated hardware. Therefore, a software-based approach should focus on providing authentication and integrity without failing in these shortcomings.

-The approach proposed by Fassak et al. [Fassak2017] made use of an asymmetric key. HMAC is then used with changeable session keys. The authors assume that both public and private keys are pre-installed in the ECUs during manufacture. Also, the performance of their approach was validated analytically using a commercial bus load calculator by OptimumG. The security of the algorithm was validated using the AVISPA software. However, their approach was not tested in a realistic test environment, and it is not compatible with current vehicles – as their assumption is to embed the key during manufacture.

- Groza and Murvay [Groza2013] provide a secure broadcast protocol for the CAN bus. It uses a central ECU to manage and distribute the keys between the sender and the receiver. They validated their approach using Freescale and S12X (16-bit) and TriCore (32bit) microcontrollers. However, their approach is based on a delayed authentication approach which is difficult to support in real time for a CAN bus [Woo2015].

- In [Bella2019], the authors introduced “TOUCAN” which provides authentication, integrity and encryption for a CAN bus. They use AES 128bit and Chaskey hashing for MAC authentication without the need for ECU upgrade or additional hardware on the bus. They tested their approach on STM32F407 CAN boards. The actual data in the payload is 40bits while the remaining 24bits are used for the hashing value. In their approach, (using AES 128 and Chaskey hashing) the overall execution times are approx. 12ms.

-In [Wu2016], the authors used AES 128 encryption and HMAC for authentication. They also use a compression algorithm to improve the efficiency of their approach by reducing the delay time and bus load. They have used Vector CANoe software to validate their approach, showing that the average message delay is 0.13ms.

-In [Lin2012], the authors focus on preventing re-play and spoofing attacks by using various approaches such as message counters, CAN ID tables to look up the ID of each ECU and which MAC to use for each ECU ID. Pair-wise symmetric key is used as each ECU stores the shared key with other ECUs. Also, the MAC tag is previously generated and stored in the look up ID table where the ECU uses this ID table to link the receiving ECU with the correspondent MAC tag. Their approach does not need any hardware modification and has a low message latency and bus load. However, it does not provide confidentiality.

Authors Method
Attacks
mitigated
Hardware
Security
Module
Real
time
Bus
load
Change
CAN bus
Test
bed
environment
[Fassak2017]
•  Asymmetric key
•  HMAC
•  Changeable keys
•  Replay
•  Spoofing
No Yes
Load during
key exchange
Assume
pre-installed
keys
Analytical evaluation
[Groza2017]
•  Symmetric key
•  HMAC
•  Replay
•  Spoofing
No
Delayed
authentication
No
Delayed
authentication
S12 equipped with
an XGATE
coprocessor
and Infineon TriCore
[Bella2019]
•  AES-128
•  Chasekey HMAC
•  Spoofing
•  Replay
No Yes No
24-bit MAC tag
and 40-bits
for the actual data
STM32F407
CAN boards
[Wu2016]
•  AES-128
•  HMAC
•  Compression algorithm
•  Replay
•  Injection
No Yes No
No
CANoe
simulator
[Lin2012]
•  MAC tables
•  Pairwise key
•  Symmetric key
•  Replay
•  Spoofing
ECU server No Yes No No
Table 6: Message Authentication for CAN frames

6.4 CAN Frame Encryption

-In [Dariz2017] the authors used a combination of encryption and authentication mechanisms to provide data confidentiality, integrity and authenticity. This approach provides prevention against sniffing and injection attacks. However, it sends more than one frame for a single CAN ID message which can lead to latency and increased bus load [Bella2019] .

-In [Siddiqui2017] the authors used a hardware-based approach to provide authentication and encryption for a CAN bus. A dedicated hardware (ECU Server) was used to manage all the ECUs in the CAN bus to authenticate ECUs and distribute keys. A Xilinx Kintex KC705 FPGA Evaluation board and an embedded Physical Unlockable Function (PUF) was used in the testbed. This approach assumes that keys are registered for ECUs during manufacture, and assembling and CAN controller boards need to support the physical PUF function. This is likely to lead to less overhead, but it is infeasible to implement in current vehicle network due to the hardware modifications required.

-CANTrack algorithm by Farag et al. [Farag2017] uses a dynamic symmetric key to encrypt the 8byte data payload, but does not modify the Msg ID as it is used to access the bus during the arbitration mechanism. They have tested their approach with CANoe software, and it has shown to prevent sniffing, replay and spoofing attacks.

Authors Method
Attacks
mitigated
Hardware
Security
Module
Real
time
Bus
load
Change
CAN bus
Test
bed
environment
[Dariz2017]
•  HMAC
•  SHA1
•  AES
•  DES
•  Sniffing
•  Replay
•  Spoofing
No Yes Yes
Split CAN
Frames
Simulator
[Siddiqui2017]
•  AES-128
•  Asymmetric key
•  Sniffing
•  Replay
•  spoofing
Hardware PUF
ECU server
Yes
During
initialisation
and session
Change CAN
transceiver
Xilinx Kintex KC705 FPGA
hardware embedded~ PUF
[Farag2017]
•  Dynamic symmetric key
•  Key generator
•  Spoofing
•  Replay
•  Sniffing
No Yes No No CANoe software
Table 7: CAN Frame Encryption methods

CAN FD was introduced to tackle the needs of higher speed and larger data payload size. The following approaches are focused on CAN FD.

- In [Woo2016], the authors introduced an architecture supporting key management, encryption and authentication for a CAN FD bus. They used symmetric key and Authenticated Key Exchange Protocol 2 (AKEP2) to ensure distribution of keys and key freshness. They provided 16 bytes of HMAC-SHA256 tags and AES-128 to encrypt the rest of the data (47 bytes). Also, they provided an access control gateway ECU to limit the number of nodes that can access the bus. They validated their approach using three types of CAN-FD boards and CANoe software.

-Agrawal et al. [Agrawal2019] introduced a secure CAN FD bus which uses public, private keys and groups of ECUs connected through a Gateway ECU (GECU). The GECU is used to verify session keys and key freshness for each ECU, and to forward frames between different CAN sub-buses, e.g. the high and low speed CAN buses. This approach uses 36bytes for the data payload and 28bytes for the cryptographic tag. They used CANoe software and the LPC54618 microcontroller to validate their approach.

-Groza et al. [Groza2017] introduced an approach for supporting CAN FD authentication. They used CANoe software to validate their approach. Their approach makes use of a group-based key sharing and generation key algorithm, a MAC algorithm to produce tags and a verification algorithm to validate received messages.

-Carel et al. [Carel2018] used the lightweight Chaskey MAC algorithm over limited capacity computational resources such as a 32-bit microcontroller. They used this algorithm with a 128bit key and compared it with the HMAC-SHA1 algorithm. They found Chaskey has a lower latency comparing with HMAC-SHA1. They used 4bytes as message counters, 16 bytes for Chaskey MAC tag and 43 bytes of actual data payload. Their approach has focused on message authentication and ignores issues of data confidentiality.

Authors Method
Attacks
mitigated
Hardware
Security
Module
Real
time
Bus
load
Change
CAN bus
Test
bed
environment
[Woo2016]
•  AES-128
•  HMAC
•  SHA256
•  Sniffing
•  Replay
•  Spoofing
No Yes No No
Threetypes of CAN-FD
boards and
CANoe software
[Agrawal2019]
•  Gateway ECU
•  Public and
•  Private keys
•  Sniffing
•  Replay
•  spoofing
No Yes No
Gateway ECU
needed
CANoeVector
and LPC54618
micro-controller
[Groza2017]
•  ECU Group
•  Sharing keys
•  Spoofing
•  Replay
•  Sniffing
No Yes NO
Group based key
sharing
neonTriCore controllers
contrasted with low-end
Freescale S12X cores
[Carel2018]
•  ChaskeyMAC
•  Pre-shared
•  128 bit key
•  Replay
•  Spoofing
No Yes No
4 bytes counters
16 bytes MAC tag 43 bytes actual data
ArduinoUno Rev3
Arduino MPro
Table 8: CAN FD encryption and authentication. Improved datapayload 64-bytes, allow more space for MAC signature along with Actual data

6.5 In-Vehicle Intrusion Detection Systems

Using IDS to detect malicious attacks is a key approach implemented inside vehicle networks. IDS can be signature based or anomaly-based systems [Hoppe2009]. The location of the IDS is also a key decision: Host-IDS (HIDS) based and Network-IDS (NIDS) based [Wu2019a]. HIDS to detect attacks [Larson2008] may not be applicable for current vehicle networks and not cost effective, as this would require a change in ECUs. Therefore, installing a NIDS, as an additional node on the CAN bus, such as an OBD-2 dongle can be more feasible and practical and does not need CAN bus modification [Young2019].

An IDS can be passive i.e. only reporting attacks, or active i.e. performing actions to prevent attacks. ECUs inside the vehicle have a fixed interval to generate CAN messages even if no change occurs [Miller2016]. Thus the implementation of an IDS relies on deviations from a constant CAN traffic behaviour. Another approach uses the characteristics of the physical layer of each ECU, such as its signal and voltage profile, and compares the changes in these characteristics to detect anomalies. Müter et al. [Muter2010] have categorised the features that an IDS can use to detect attacks on the bus using the following sensors:

  • Format sensor: looks at different fields in the CAN frame such the correct size of the CAN message and the value of the check sum field.

  • Location sensor: indicates whether the message comes from the right CAN subsystems.

  • Payload range sensor: It looks at the legitimate range of values (data payload) inside the payload field.

  • Frequency sensor: considers the timing of the CAN message, as ECUs have a fixed frequency of data exchange/ operation.

  • Correlation sensor: considers messages exchanged between multiple sub-domains within a vehicular networks. The gateway sensor is used to connect different sub-networks such as a high and low CAN domain. Thus, this sensor can use this feature to verify the legitimacy of the message that is transferred from one domain to another.

  • Protocol sensor: is used to monitor CAN traffic and detect changes in the protocol specification, such as the order of the messages and validity of the start and end time.

  • Plausibility sensor: checks if payload values are in the pre-defined range, and if there is no sudden, anomalous increase in the payload.

  • Consistency sensor: looks at the consistency of the values in the payload field. This sensor operates in contrast to the Plausibility, looking at additional sensors to verify the consistency of the messages transferred on the CAN bus. For instance, the rotation of a tyre would indicate that the vehicle is stopped, while the GPS sensor indicates that the vehicle is moving. This approach therefore checks for consistency across multiple sensor values.

Below is a figure 13 illustrates the position of an IDS inside a CAN network. The IDS can use different features in data link layer CAN frames such as:

  • CAN identifier: 11-bit or 29-bit value which determines the priority of the message on the bus and the content of the message. For example, CAN ID 0x000 is a malicious message since it can be used to occupy the bus and perform DoS attacks. Also, monitoring the broadcast intervals can be through the CAN ID frequency as it is unique across the network.

  • DLC: Data Length Code is a 4-bit field and used to identify the length of the data payload. This also has a fixed value and range, as each ECU uses fixed byte size in the data payload.

  • Data field: It is 8 bytes maximum and it also has a fixed length and range which should not be exceeded. Anomalies can be detected if abnormal values and changes occur in the data field. The authorised identifier, the payload range and consistency, fixed DLC length and fixed rate are features that can be used to detect malicious and anomalous traffic.

  • Timestamp: Each CAN frame has a timestamp which can be either hardware or software based. Through this timestamp, an IDS can monitor the time intervals of CAN messages and observe any unusual behaviour. This approach is based on the observation that that ECUs have fixed broadcast intervals and thus an anomaly can be detected.

Figure 13: Positions of IDS inside automotive CAN network
Figure 14: IDS as ECU inside a vehicle – based on [Song2020]

6.6 IDS based on signature

This IDS is based on detecting a pre-defined list of attack signatures. Although it has low false positive in the detection process, it needs to update its database signatures when new attacks emerge [S.SyedNavaz2013]. Also, the signature-based IDS needs to maintain a potentially large database of known attacks on in-vehicle networks (including potential variants of these) [Stabili2017a]. Extracting attack signatures in real time for a moving can also be a challenge and suffer from high latency.

Studnia et al. [Studnia2018] introduced a signature-based IDS which uses a list of signature derived from a CAN data set. However, this approach has limited benefit as the length of CAN bus words may not be known apriori. Furthermore, this approach may fail to detect an attack if it does not sense the first part of the data exchanged as malicious packets [Avatefipour2019]. Larson et al. [Larson2008] introduced a Host IDS (HIDS) installed on each ECU and compares messages on the bus based on the CAN bus specification. This IDS monitors all incoming and outgoing traffic and compares them against the protocol specification. This approach requires changing the network topology and is not usable for real time applications. In [Dagan2016], the authors introduced an anti-spoofing system that detects malicious messages using each ECU – by detecting CAN message ID that were not sent by the ECU itself. The ECU informs the IDS and an interrupt pulse is sent to the CAN bus to overwrite the spoofed message.

Authors Type Layer
CAN ID /
Data Payload
Detection
mechanism
Attacks
Detected
Prevention
[Studnia2018]
Signature
based
DataLink Layer
(Controller layer)
CAN frame ID
and dataflow
Derive
signature and
rules match
Malicious CAN ID
and false payload
No
[Larson2008] Specification DataLink
Extract signature
from CAN Open protocol
specifications
Detect attack based
on rules
Specification
based attacks
No
[Dagan2016]
Access
list
Data link CAN ID HIDS in each ECU
Malicious
CAN ID
No
Table 9: IDS using signatures & rules

6.7 IDS based on Anomaly Detection

This method is implemented using statistical, machine learning, rule-based and physical fingerprint methods. It builds a learning model able to identify

abnormal traffic, identify new patterns and predict attacks that have not been observed before.

6.8 IDS using statistical approaches

This IDS learns normal behaviour of the system based on conditional statistical relationship analysis – as outlined in figure 15. A baseline pattern is then developed as a threshold, in case changes are detected from the norm. In CAN bus networks, statistical analysis uses CAN features such as CAN ID frequency and payload consistency. In general, ECUs have fixed intervals of time to send CAN frames. These CAN messages have a unique CAN identifier and used as a feature along with the time interval between frames, and the number of frames in each time unit [Tomlinson2018c]. Furthermore, the payloads inside CAN frames usually have consistent sequential values. A broader approach involves linking relationships between vehicular parameters such as the speed and RPM signals (under normal operation, there is a statistical correlation between RPM and speed). Finally, transmission frequency of messages, identification (ID) of messages, the number of packets received over a pre-determined time frame, message received sequence, and semantics of data fields can be used [Ji2018].

Figure 15: IDS based on Statistical Techniques

Hence, this IDS can detect manipulated and incorrect payload values along with inconsistent use of CAN ID. The following statistical approaches have been reported in literature:

  • number of packets exchanged within a particular time period;

  • time interval between CAN frames;

  • frequency of transmission using a particular CAN ID;

  • throughput observed;

  • response time using remote frame requests and message replay;

  • Hamming distance to compare messages;

  • analysis approach used, e.g. Entropy, Anova, Z-score, ARIMA (time wondow based moving average), Heretical Temporal Memory etc.

CAN ID Frequency: -Ling and Feng [Ling2012] measure anomalies observed in traffic frequency – to detect DoS and message injection attacks. However using their approach it is difficult to detect small volume attacks, payload manipulation attacks and impersonated ECU attacks where legitimate CAN ID messages are generated from the attacker ECU.

Intervals between CAN frames: -Cho and Shin [Cho2016a] introduced a clock-based IDS to fingerprint each ECU based on its message exchange interval. Their approach uses a least square cost function and sequential analysis technique called Cumulative Sum algorithm to detect anomalies. Similar to the previous approach, it is difficult to detect low volume injected messages and impersonated disabled ECUs. The testbed consists of an Arduino UNO board and a SeedStudio CAN shield.

Other approaches identified in [Song2016] have used an algorithm to analyse and detect unusual time interval for specific CAN ID message transmissions. Their approach focused on CAN injection attacks.

CAN ID frequency: -In [Gmiden2017], the authors have introduced an IDS that can monitor CAN message frequency for each CAN message ID used by ECUs. This approach can also detect CAN injection and DoS attacks, but small forged messages are difficult to detect since they might not alter the broadcast frequency of CAN ID. Furthermore, their approach does not consider data payload manipulation attack.

CAN traffic behaviour over a time window: In [Taylor2015]

, the author developed an IDS based on an analysis of anomalies in data flow. This work involves comparing statistical values of current CAN traffic, over a one second time window, with historical values. However, this anomaly detection over a time window cannot precisely detect small sized malicious messages.

[Stabili2017a].

Remote Frame Request and Reply intervals: Lee et al  [Lee2018] used remote frames to detect anomalies based on the request and response intervals between frames. Since each ECU replies to a remote frame which has its CAN message id (and where the data payload field is empty), the authors calculated the average time between the request and reply to each ECU, and were able to detect anomalies based on time interval variation against a calculated average response time. They were able to detect CAN bus injection and ECU impersonation, as this would change the average response to a remote frame and in case of an impersonated ECU in the network, this would get response from both the legitimate and illegitimate ECU.

Entropy of CAN ID and data payload behaviour: In [Muter2011], the authors consider the CAN id and the payload as features for their approach. They measured the entropy associated with variation in CAN traffic compared to a baseline of normal CAN traffic. They have tested their approach against frame injection attacks, and they found that their approach cannot detect a small number of injected CAN messages.

Entropy of CAN ID and data payload behaviour: In [Marchetti2016], the authors evaluated an entropy-based anomaly detection IDS for in-vehicle networks, and they found that dividing CAN messages into classes and feeding them to an entropy-based anomaly detection algorithm would lead to a more accurate detection (compared to considering one class). Their anomaly detection approach calculates entropy of all CAN bus traffic (message ids) over a time window, compared to a baseline (normal) traffic over the same time window. Also, they calculated the entropy for each message id separately over a time window with a fixed number of messages. They found that measuring the entropy for each message id gives better performance in detecting smaller forged attacks, whereas considering all CAN traffic together would detect only larger sized attacks.

Entropy of CAN ID and data payload behaviour: Wu et al. [Wu2018] used an entropy-based IDS, with a fixed number of CAN frames over a sliding window as a baseline for their IDS. They improved the detection accuracy of the IDS based on the use of entropy calculation, by using the optimal sliding window size with a fixed number of messages. They were able to achieve a better accuracy compared to previous entropy based IDS.

One-way ANOVA Function: In [Hsu2015], the authors used a one-way ANOVA function to statistically determine the pattern within a data set and created a set of normal patterns to detect anomalies. They grouped CAN data set using vehicle parameters such as: fuel usage, gear ratio, engine parameters, etc to detect abnormal events for each group.

Hamming Distance: Anomaly detection based on Hamming distance algorithms have also been considered by other authors, e.g. in [Stabili2017a] the authors analysed CAN payload and recorded each bit in the data field. They calculate Hamming distance for each payload to each message id, and attacks were identified based on significant deviation from the calculated Hamming distance function.

Quantized interval and the absolute Differences: In [Koyama2019], the authors used an anomaly detection system based on quantized intervals for periodic CAN ID, and determined the absolute difference of the CAN payload values. Their approach was validated against message injection attacks and it showed positive results (using metrics such as True Positive/Negative Rates and False Positive/Negative Rates). However, they acknowledged that low volume injection attacks were difficult to detect using their approach.

Cumulative Sum algorithm: In [Olufowobi2019], the authors used an anomaly detection system based on the statistical cumulative sum algorithm. This is a sequential analysis technique used to support change detection.

ARIMA and Z-SCORE in Defined Time Window: In [Tomlinson2018a], the authors used an average value for the number of times a CAN ID was broadcast mean over a time window. This was used to determine changes in the CAN ID broadcast intervals over different time windows. The authors used a Z-Score and ARIMA, along with a supervised method, to compare the mean broadcast intervals of CAN ID. They were able to detect CAN injections and dropped packet attacks.

Heretical Temporal Memory (HTM): In [Wang2018]

, the authors used a distributed IDS based on Heretical Temporal Memory (HTM), a technique (similar to recurrent neural networks) widely used in time series forecasting and analysis.

Authors Type Layer
CANID /
Data Payload
Detection
mechanism
Attacks
Detected
CAN ID
Frequency
[Ling2012]
Statistics
Data Link
(Controller layer)
CAN ID behaviour
Detect malicious CAN ID
Detect Unusual CAN frequency
•  Injection
•  DoS
Entropy based
anomaly
Detection
[Marchetti2016]
Statistics Data Link
CAN ID frequency
changed
Provide independent
variables
for entropy-based anomaly
detector
for each group or class of
CAN messages
•  Malicious CAN ID
•  Manipulated payload
Detecting attacks
based on identifying
Packet timing Anomalies
in Time Windows
[Tomlinson2018a]
Statistics Data link
CAN ID broadcast mean
in defined time window
Detect attack based
on specification rules
•  Injections
•  DoS attacks
Detecting attacks
 through
Hamming distance
[Stabili2017a]
Statistics Data link
Consecutive data payloads
in certain CAN message ids
Compare the changes in
Hamming distance
values in sequential data
payloads of CAN message ID
•  Injection
•  Spoofing
Anomaly detection
 based
on ID sequence
[Marchetti2017a]
Statistics Data link
Sequence between
CAN ID messages
Compare the sequence
of CAN ID
with the knowledge
acquired from real time model
•  Replay
•  injection
Entropy IDS based
on CAN ID
[Wang2019]
Statistics Data link Entropy of each CAN ID
Detect the changes
on each bit of the CAN ID
•  Flooding
•  injection
Time series algorithm.
ARIMA and Z-Score
[Tomlinson2018a]
Statistics Data link
Broadcast intervals
in time window
Check the change
in broadcast
intervals of CAN ID
•  Drop
•  injection
offset ratio and
remote frame IDS
[Lee2018]
Statistics Data link
CAN request and response
intervals using remote frame
 Time interval changes
and the derived change in
response to a remote frame
•   Injection
•  ECU impersonation
One-Way ANOVA
[Hsu2015]
Statistics Data link
Data payload consistency
across multiple CAN signals
Compare the mean
of related CAN
frames according to
the normal
statistical observation
eg. speed and engine
•  Data payload
•  manipulation
Cumulative Sum
algorithm
in defined time
window
[Olufowobi2019]
Statistics Data link CAN ID sequence CAN ID sequence behaviour
•  Injection
•  DoS attack
•  Frame Fuzz. Attack
Table 10: IDS based on Statistical methods

6.9 Machine Learning-based Approaches

IDS based on Machine Learning (ML) can be a good choice in extracting and learning normal vs. anomalous behaviour and then providing a model to detect and predict attacks. ML-IDS is widely used to handle large data volumes of CAN traffic with multiple features. It is useful to have a method to extract raw CAN data and pre-process it. This is particularly important as vehicle manufacturers tend not to publish detailed specification and provide guidance on how to decode raw data features. Supervised ML algorithms can be time consuming, as raw CAN data needs to be labelled, CAN attacks need to be identified and then the data needs to be labelled and classified as well. Whereas unsupervised ML approaches do not require labelled data sets, and the algorithms can find common patterns directly from data, and can use these patterns to classify traffic and identify anomalous behaviour.

Figure 16: Machine learning based IDS

Hidden Markov Models: this approach works on time series data to detect anomalous behaviour. Narayanan et al. [Narayanan2016]

used an IDS based on a Hidden Markov Model to build a model able to detect anomalies and raise alarms. They investigated the use of each ID separately and using multiple vehicle variables together, such as vehicle speed and RPM CAN ID messages. They evaluated their model using instant observations, against sudden changes in speed and RPM by injecting malicious message for the parameters separately. They evaluated multiple attacks by injecting malicious speed and RPM messages together. Similarly, in

[Levi2018]

the authors used a Hidden Markov Model to learn normal vehicle behaviour and used a regression model to build a threshold for the probability of occurrence of events to identify anomalies. This is a hybrid IDS approach which the authors in 

[Levi2018] trained online during driving and stationary vehicle behaviour through captured data from the CAN bus. They tested the model with noise attacks to mimic a real environment.

Support Vector Machines (SVM): In [Theissler2014]

, the authors enhanced one-class Support Vector Machines (SVM) to work with multiple variables to classify CAN data using an unsupervised ML technique. Their technique used unlabelled time series data from a vehicle to learn normal behaviour and detect anomalies based on deviations. Their approach used a training set from real vehicles with error free logs. They then used a model with noisy data to detect errors and anomalies in the recorded data. In

[Avatefipour2019]

, the authors used one-class SVM, comparing their approach with a Random Forest and classical One-class SVM (leading to better detection accuracy using the True Positive Rate metric).

Neural Networks (NN): In [Kang2016a] the authors used deep neural networks to learn normal patterns using unsupervised data sets, and to detect deviation from normal as anomalies. They have used an unsupervised Deep Believe Network (DBN) to pre-process the data and identify a normal pattern. To validate their approach, they inserted noise to their test data set to mimic real vehicle data. They simulated and generated CAN frames using a real world vehicle test bed and network experiments software [Borazjani2014].

In [Taylor2016a]

, the authors used a Recurrent Neural Network (RNN) with Long Short-Term Memory (LSTM) to detect attacks on the CAN bus. Their approach works with raw CAN bus data without the need to reduce and abstract data during the pre-processing phase of analysis.

In [Seo2018], the authors used Generative Advertorial Nets (GANs) to identify patterns of CAN data without classification. Their approach was able to detect anomalies based on the normal data provided. They tested their approach against Denial of Service (DoS), frame fuzzification and Spoofing attacks. Their work demonstrates that this technique is able to detect attacks with high accuracy.

In [Song2020]

, the authors have used Convolutional Neural Networks (CNNs) to build an IDS able to detect sequential patterns of vehicle traffic to detect Spoofing and DoS attacks. Their approach is based on the idea that CAN traffic is fed directly to their model without the need for pre-processing. They tested their approach offline, and they acknowledged that it is difficult to use it online in current vehicles.

In [Pawelec2019], the authors have used a Recurrent Neural Network (RNN) with three LSTM layers: a dropout layer and two dense layers. The former layer is used to prevent over fitting and the latter dense layer consists of 64 nodes to predict data payload for each CAN ID. Their approach uses an unsupervised technique where it does not need labelled free attack data, and trained on labelled attack data set. They argue that an ideal IDS should be able to plug inside existing vehicles to detect anomalies without the need for either reverse engineering CAN traffic or contacting the vehicle manufacturer to get CAN messages specification.

In [Hanselmann2020], the authors used a neural network model which consists of LSTM for CAN bus time series behaviour, auto-encoder to learn the normal behaviour of unlabelled data in unsupervised manner. Also, Exponential Linear Unit (ELU) is used for better classification as part of their neural network model. This approach benefit from the LSTM ability to learn from previous events of CAN bus traffic as it is it is suitable for time series data and the auto-encoder ability to extract normal behaviour from unsupervised datasets. This is suitable for CAN bus data as the CAN bus data representation is not published and considered as confidential and private for car makers.

In [Lokman2019a]

, the authors used unsupervised deep learning method known as Deep Contractive Autoencoders (DCAE). Furthermore, they have evaluated their approach against DoS, frame fuzzification to impersonate attacks while they have used metrics such as Mean Square Error and Mean Absolute Error to compare between actual and predicted data.

In [Lokman2018], the authors also used unsupervised deep learning method using multiple layers of Stacked Sparse Autoencoders (SSAEs). This SSAE finds meaningful data representation of CAN, which enables their model to classify attacks from normal CAN data points. Finally, their approach has shown better performance compared to basic Sparsed and Stacked Autoencoders.

In a different approach, authors in [Loukas2017] have used a deep learning IDS models using Cloud computing to detect cyber-attacks on the CAN bus. This approach can benefit from the large number of computational resources in the cloud, while it can be limited to provide offline detection.

In [Sharma2018], Sharma and Moller have introduced an architecture for using IDS based on neural networks to detect attacks for in-vehicle networks, alert a manufacturer, surrounded connected cars and push updates to mitigate the attacks. However, this is a theoretical framework that the authors have not validated on real scenarios.

In [Suda2018], the authors have used CAN ID, data payload and intervals between CAN messages using an RNN algorithm. They tested their approach in a simulated environment using CAN data extracted from a real vehicle. They considered malfunction attack (false CAN ID and data payload) and flooding attack.

Another hybrid IDS is introduced in [Weber2018], based on a specification based IDS used to detect data payload consistency as a first stage. The authors then use an ML algorithms such as RNN, SVM and Lightweight online Detector to detect anomalies.

Decision trees (DT):Decision tree-based approaches classify CAN data into two classes (normal, anomalous). DT needs a supervised labelled data set during the training stage to be able to make decisions. In [Tian2018]

, authors have used a regression Decision Tree with Gradient Boosting (GBDT) technique to make a better classifier. They have used entropy to construct the decision algorithm in which they calculated the entropy of the CAN ID and the data payload time. Also, Gradient Boosting is a technique of using multiple trees and training them to get the optimal DT model. They validated their approach using real captured CAN data containing 750,000 messages. They changed the test data set by inserting random abnormal values as anomalies.

Nearest Neighbour Classifier: In [Martinelli2017], the authors used fuzzy classification algorithms based on Nearest Neighbour classifiers (NNC) to discriminate attacks targeting the CAN bus. They used a data set available online which contains CAN attacks to validate their approach. They used the data payload, actual data (8bytes), as features to classify CAN traffic. They tested their approach on different attacks such as DoS, frame injection and frame fuzzification provided in the data set. They achieved a precision value between 0.85 to 1 using a neural network algorithm. However, this detector may fail to detect small forged injected messages and impersonated ECU attacks. In [Tomlinson2018b], the authors used a combination of Euclidean distance and nearest neighbour algorithms. They improved the method of distance based nearest neighbour technique by categorising CAN data into four domains – improving potential prediction accuracy by limiting to these four domains. They tested their approach against frame fuzzification attacks where they randomly change the data payload of the logged CAN messages. They considered CAN ID frequency, time between packets and data payload values as features.

Bayesian Networks

: Bayesian networks is a graphical model that uses probabilistic relations between related variables. IDS based on this approach can utilise a variety of features such as the ability of Bayesian networks, e.g.: (1) to predict the sequence (time evolution) of an event; (2) to integrate previous knowledge with probabilistic techniques, and (3) to handle missing data by encoding inter-dependencies between variables

[Patcha2007]

In [Al-Khateeb2018]

, authors have used a collection of sensor data e.g speed, geo-location and routes from a connected car. Their approach then makes use of a detection system using probabilistic Recursive Bayesian Estimation IDS. They have used three models in their approach: filtering (estimating the current event value), smoothing (estimating past event value) and prediction (estimation the likelihood of a future event).

In [Bezemskij2018], the authors looked at various attack vectors on autonomous vehicles using a Bayesian network to detect and classify the type and source of the attack e.g cyber-physical attacks using sensor data from autonomous vehicle. They have used Hill-Climbing algorithm to construct a Direct Acyclic Graph (DAG) to learn the behaviour of all data sources, classify these sources and detect cyber-attacks (remote) and physical attacks based on the source of the data.

In [Casillo2019], the authors used a series of probabilistic approaches based on a Bayesian network to detect attacks. They implemented a test bed based on the CARLA simulator along with support for accelerator, steer, brake sensors and IDS connected to the simulator as ECUs. Furthermore, they evaluated their IDS based on various metrics such as true positive and true negative rates, precision, recall and F1 score.

Authors Type
Detecting
threshold
Detection
mechanism
Attacks
Detected
[Narayanan2016]
Hidden Markov Model
Univariante CAN signal
Multivariant CAN signals
e.g RPM and speed
Deviation from the
sequence behaviour
•  Single injection
•  Multiple injection
[Levi2018]
Hidden Markov Model
Regression Model
 HMM and regression
model to build
a threshold for
the log probabilities
Offline learning from
dataset and online
learning
•  Noise Attack
[Theissler2014]
Enhaced SVM
CAN ID and data payload
Multivarinete CAN signals
Deviation from
ESVM Enhanced one-class
Support Vector Machine
•  Error and
•  Signal faults
[Chockalingam2017]
O-SVM
CAN message intervals
and frequencies
One Class support Vector
based Anomaly IDS
Anomaly based on
One SVM
class detection
•  Fuzzing
[Avatefipour2019]
 O-SVM with modified
BAT alogrithm
One-class SVM
algorithm
•  Injection
•  DoS
[Taylor2016a]
Recurrent Neural Network
(RNN)with
long short-term memory
CAN ID and data payload
behaviour
Devaition from the RRN
model and observations
learned in LSTM mechanism
•  Injection
•  DoS
[Kang2016a]
Deep Believe
Neural Network
with Probability feature
CAN ID and data payload
behaviour
Change from the
NN model patteren
•  Injection
[Martinelli2017]
Fuzzy classification
Nearest Neighbor
Classification
CAN ID and data payload
Checking each byte of the
datapayload as features
to detect anomalies
•  DoS
•  Injection
•  Fuzzy
[Tomlinson2018b]
Euclidean distance
and nearest
neighbor algorithms
CAN ID frequency in time window
Change in CAN ID
broadcast
data payload
•  Fuzzy
[Tian2018]
Regression Decision Tree
with Gradient Boosting
(GBDT) Entropy
CAN ID and data payload
entropy change
Entropy change
of CAN traffic
•  Injection
•  DoS
[Weber2018]
MLHybrid-IDS
CAN messages
payload sequence in
static check module.
RNN based IDS
OCSVM and Online
Algorithm LODA
Detection in time window
and payload consistency
•  Injection
•  DoS
[Wang2018]
Multiple
Anomaly IDS
based on HMS
Data sequence
anomaly based
on HMS
Multiple HMS-IDS
for each CAN signal
 learn from online stream
•  Injection
•  DoS
Table 11: Machine Learning based IDS

6.10 IDS based on Physical Characteristics

This approach works at the physical layer of the CAN bus, as it builds a profile of signals and voltage signature for each ECU. It then compares the traffic with the profile for abnormal traffic. In [Sagong2019], the authors introduced a hardware-based Intrusion Response System (IRS). This is a signal and voltage based physical layer (transceiver layer) IDS which detects attacks based on changes in characteristics for each ECU. This approach can be used to detect unusual signals at the physical layer to overcome attacks such as over current, DoS and error frame re-transmission. In [Cho2017], the authors proposed a clock-based IDS to detect anomalies. They build a fingerprint for each ECU based on measuring and extracting the periodic frequency of messages sent by ECUs. They have used the fingerprint of each ECU to build a baseline behaviour of the ECU clock using Recursive Least Square (RLS) algorithm. Their approach uses a Cumulative Sum (CUSUM) to detect any significant deviation from the normal fingerprint baseline. In [Choi2018], the authors introduced a Voltage-IDS which is based on the use of electrical CAN signals as a fingerprint for ECUs. Their approach was also used to detect an off-bus attack where an ECU is blocked and the attacker mimics a disabled ECU.

Authors Type Layer
Detecting
threshold
Detection
mechanism
Attacks
Detected
Prevention
[Sagong2019]
Signal and
Voltage based
Physical
layer
(Transceiver
layer)
Detect attacks based
on changes on
(signal and voltage)
characteristics
measure the unique
signal for
each ECU and detect
unusual behaviour
physical layer attacks such as
over-current
DoS bus idle and error frame
re-transmission. Will not work in
ECU impersonation attack
Yes
[Cho2017]
Voltage Profile
for each ECU
Physical
layer
The changes
of voltage
on the line
each ECU has its own
unique voltage profile
Any data generated
from unfamiliar
ECU voltage will
be detected
Yes
[Choi2018]
Electrical CAN
signals
as a fingerprint
for ECUs
Physical
layer
Change in the electric
signal of each ECU
Change in the electrical signals
on the bus and comparing
the fingerprint of the ECU
Off bus attack Yes
Table 12: IDS based on Physical Characteristics

Comparing IDS: as mentioned previously, an IDS is used to detect malicious CAN attacks. Signature based IDS has been shown to detect attacks with low false positives however an attack signature needs to be extracted from the CAN bus. Therefore new CAN attacks can be difficult to identify. It is also difficult to detect attacks on a moving car to extract attack signature and CAN messages. Anomaly or behavior-based IDS has the advantage that it can detect and predict attacks based on the training and learning process and can in some cases be used without the need for more training. IDS based on machine learning can benefit from raw data directly extracted from vehicles. Machine learning (ML) approaches can also handle multiple variable instances as vehicles generate large amounts of data which needs to be pre-processed in order to be meaningful. This problem can be overcome using unsupervised ML which can classify patterns and detect anomalies in unlabeled raw data.

7 Limitations with Current Approaches

Based on the survey in previous sections, we now describe limitations with current approaches for securing in-vehicle systems (particularly focusing on the CAN bus). The implementation of a CAN cryptographic algorithm should consider the unique nature of the protocol, the limited network infrastructure (with support for limited data payload) and computationally constrained ECU specification. The algorithms should also consider the broadcast nature of the CAN bus, key distribution and freshness to avoid replay attacks. Real time sensitivity is a concern inside vehicles since critical services and functions are sensitive to latency. Therefore, any countermeasure should consider these criteria.

Figure 17: Research Challenges: Cryptography and IDS based approaches

7.1 Cryptography

Hardware based cryptography: hardware mechanisms can be used to speed up the process of generating cryptographic functions for in-vehicle networks. Depending on the number of ECUs (typically 70), each ECU would need to be updated to include hardware-based cryptography. While this approach can increase and speed up the process of cryptographic mechanisms to meet real time needs, it is not compatible with current vehicles and the cost of implementation can be significant. Future CAN FD boards are expected to be embedded with hardware supported security mechanisms such as AES and embedded authentication [Pfeiffer2018]. Also, better computational resources are expected in the next generation of CAN FD ECUs to handle the higher bit rate and data payload size needed.

Software based cryptography: the main approaches to provide security for a CAN bus is using encryption and authentication mechanisms without the need for additional hardware or modification to existing ECUs. Authentication approaches are less computationally expensive, as they add additional information within an existing data payload. However, with the large number of ECUs inside vehicles, current approaches have not validated their approach using this large number. In [Nowdehi2018], the authors evaluated 10 CAN MAC approaches against industrial criteria and they indicated that some of these approaches are applicable to a subset of the network with a very limited number of ECUs.

Message latency: vehicles utilise several real time functions for which latency can threaten safety on the road. Therefore, encryption mechanisms should provide security and reduce message latency to a minimum. This process overcomes the limited computational resources inside current vehicle ECUs. Further, the payload size of a classical CAN bus makes it difficult to add secure tags and signatures along with actual data. Therefore authentication and encryption focus on lightweight mechanisms using MAC tags without encrypting the whole payload. The CAN bus should not be loaded with extra security related messages, e.g. by splitting CAN bus messages, one message for the actual data and the other for authentication of the message. This can increase bus load two folds, and therefore affect the quality of the network.

Changing CAN bus behaviour: some approaches change the CAN protocol by either changing the payload size or splitting a message into data and authentication messages. Furthermore, other approaches have changed CAN frame structure by replacing and inserting MAC tags and signatures inside CRC fields and CAN identifier fields. This can lead to incompatibility issues with ECUs and add additional complexity to the current CAN bus. Other approaches extended CAN payload size to 16 byte CAN+ which also causes incompatibility, as ECU controller and transceiver needs to be changed in order to support this extended frame size.

7.2 Intrusion Detection System

Complexity: since there is no global attack signature database, an IDS needs to collect and analyse CAN network data in order to build an attacks signature database. Furthermore, it is dangerous to perform attacks on moving vehicle to extract attack signatures and maintain them.

Computational resources: very few approaches have validated their approach in a testbed that contains resources with representative computational capabilities to a vehicular network. ML based IDS may have high computational resource requirements, however ECU resources which exist inside vehicles may not be able to handle this workload. In [Wu2018] and [Koyama2019] the authors suggest that dedicated hardware is needed to deploy such approaches. Furthermore, their idea is that a statistical based IDS can be a lighter approach that can be applicable in current vehicle networks. Similarly, in [Jichici2019] authors have examined the use of IDS based on neural networks and they recommend that it is difficult to use them in current vehicle networks due to the large memory and computational time needed and they have suggested a dedicated hardware. In other approach [Narayanan2016], authors have inserted an IDS in OBD-2 port using raspberry pi board and they said that this approach can be used in current vehicles and embed in future vehicles. This can be a good approach to avoid the constrained power in current vehicles.

Modify CAN bus behaviour: IDS approaches work in a passive manner where they don’t require to change the CAN bus protocol behaviour. They only monitor, detect malicious attacks and report them, for example, to the driver and fleet management centre.

Detection latency: In current vehicle networks, ECUs have low computational power, thereby limiting the potential to implement IDS based on deep learning. In [Loukas2017], authors indicate that an IDS based on deep learning incurs a high latency due to increased processing time. They therefore located their deep learning model in the cloud and provide offline detection for vehicles from a central point. However, they acknowledged that offloading data from a vehicle to a cloud platform requires a stable network connection. Also, real time detection is needed for passenger safety, for which an IDS based on the cloud may not be able to offer. Alternatively, authors in [Guo2019] have suggested to put Edge E-IDS in OBD-2 port as a plug in dongle to detect attacks and process data at the network edge before utilising a cloud platform.

Cost of implementation: It is worth noting that an IDS can be installed in each ECU, as a Host-IDS, to detect attacks [Larson2008] – however, this can lead to incompatibility and high deployment cost. Therefore, installing an IDS as a network node such as an IDS-OBD-2 dongle can be more feasible and practical and does not need CAN bus modification [Young2019].

Positive and Negative Rate detection: IDS should work and detect attacks at runtime with the intention to minimise false positives. According to [Tomlinson2018c], a false positive rate of 0.0001 percent can cause 5 false positives every 1 hour in a CAN network broadcasts 1500 frames per second. Therefore, an IDS should carefully verify their decisions. In [Ji2018], authors evaluated four types of IDS, information entropy, CAN ID sequence, message frequency and throughput based IDSs. They evaluated these IDSs based on the positive and negative detection rate. They tested them offline against four known attacks, packet dropping, spoofing, replay and flooding attacks. They found different negative and positive rates for each attack in each type of IDS they evaluated.

Training data: IDS need either a database of CAN attacks (signatures) to be able to detect malicious attacks or by analysing a CAN data set offline to extract normal behaviour. While there is no global signature database of attacks, a signature database should be built by analysing normal CAN traffic along with generating various CAN attacks. However, attacks on vehicles continue to emerge and signatures of all known attacks are difficult to be maintained and updated to detect new attacks.

Prevention: Some approaches focus on preventing attacks rather than passively detecting them. A combination of hardware and software-based IDS techniques are needed to be more effective to prevent attacks.

8 Conclusion

Cryptographic mechanisms have been used to secure the CAN bus from attacks that originate from inside the vehicle, or when an external attacker can get access to the CAN bus. However, it may be difficult to use encryption because of the lack of computational resources in current ECUs, and the small data payload size and low data bit rate of the CAN bus network. Additionally, decision making within vehicles requires real time data analysis, and any delay due to data encryption can lead to safety issues on the road. In contrast, IDS operates as a countermeasure inside a vehicles and works in a passive manner. An IDS does not require a change in the network and protocol specifications compared to some cryptographic methods. However, some IDS based on deep learning, for instance, requires significant computational resources not available within a vehicle.

For the current classical CAN bus vehicle networks, edge ECU devices can be used to manage countermeasures e.g (1) monitoring and management of message authentication and encryption mechanisms, while in (2) IDS approaches, edge ECU devices can be used as a plug in edge device e.g inside OBD-2, telematics and infotainment interfaces to support edge IDS mechanisms, detect attacks, process vehicular data and push it for further analysis (e.g OEM and fleet management clouds) such as diagnostics and attack analysis. These edge ECUs devices can provide suitable resources to support countermeasures and can be used in current vehicles with limited CAN bus modifications. If ECU modification are needed, for example to support authentication and contact with edge ECU monitoring devices, OEMs and car makers should consider update ECU capabilities, e.g. over-the-air updates.

As CAN FD is the improved version of the classical CAN bus, it is already implemented inside many new vehicles. Many OEMs are expected to use CAN FD by 2022 in the US and Europe [ReinerZitzmann2020]. The next generation CAN FD is expected to provide better resources e.g. higher data bit rate, payload size and support for embedded encryption methods. As a result, vehicles based on CAN FD can overcome current ECU shortcomings. Other additional capabilities incude: (1) Better ECUs to handle higher data payload, (2) embedded cryptographic algorithms such as Advanced Encryption Standard (AES) and better data bit rate. Therefore, suppliers, car makers and OEMs can embed countermeasures e.g IDS, encryption and message authentication along with firewall and access control lists for external CAN bus connections.

Communication outside CAN bus such as telematics, infotainment and wireless sensor interfaces along with Dedicated Short-Range Communications (DSRC) for Vehicle-2-Vehicle (V2V) and Vehicle-2-Infrastructure (V2I) should be protected, as they are entry points for data injection to the internal vehicle CAN bus network.

Although a number of bus architectures have been introduced – e.g. FlexRay and LIN, it is important to highlight that the CAN bus remains the most widely used standard in the automotive industry. As outlined in this paper, a number of improvements have been made by vehicle manufacturers to the CAN bus over the years –e.g. to support higher data rates for connected and autonomous cars – such as in CAN FD and CAN XL. Also, since CAN bus protocol is used inside both electric and autonomous cars [Horton2019], and due to the significant interest in these types of vehicles, interest in cybersecurity of the CAN bus protocol will continue to grow.

References