Electronic Control Units (ECUs) in a vehicle exchange data via in-vehicle network protocols such as Controller Area Network (CAN) , Local Interconnect Network (LIN) , and FlexRay . These in-vehicle network protocols do not have cryptographic primitives such as data encryption or message authentication because in-vehicle networks were designed to be isolated from external networks [2, 3, 4]. Modern vehicles, however, are equipped with many ECUs that have outward-facing interfaces such as auxiliary port (AUX), Wi-Fi, cellular network, and Bluetooth. These ECUs may introduce attack surfaces to the CAN bus as well as ECUs [5, 6, 7, 8, 9]. It is difficult to upgrade the existing in-vehicle network protocols to encrypt data or authenticate messages due to the lack of backward compatibility with legacy systems and the resource constraints of ECUs such as memory size . Hence, Intrusion Detection Systems (IDSs) have been developed to detect attacks on the CAN bus by tracking abnormal deviations in physical properties of the CAN bus or ECUs [11, 12]. Commonly exploited physical properties are message frequency 
, clock skew of an ECU[11, 14], entropy of the CAN bus , and voltage levels of the CAN bus [16, 10, 17].
It is difficult for an adversary to mimic voltage characteristics of an ECU because they depend on the CAN transceiver’s hardware such as transistors and diodes. As a result, using voltage characteristics as a fingerprint of an ECU is more effective and reliable than other physical properties, such as clock skew, in detecting attacks on the CAN bus [16, 10, 17]. A voltage-based IDS (VIDS) is implemented as software in the microcontroller of an ECU. A CAN transceiver measures the voltage difference between the CAN bus lines (i.e., CANH and CANL), which is not sufficient to establish voltage characteristics. Also, the microcontroller cannot access measured voltage values since a CAN controller only provides the decoded bit information to the microcontroller. In order to measure voltages of the CAN bus lines, the microcontroller is directly connected to CANH and CANL using extra wires, respectively, as illustrated in Fig. 1. These two extra wires introduce new attack surfaces on the CAN bus and ECUs. If an ECU installed with VIDS is compromised, the adversary may manipulate voltage levels of CANH and CANL using these wires in order to disable VIDS or impede CAN transceivers’ operations.
In this paper, we propose four voltage-based attacks using the extra wires: 1) an overcurrent attack, 2) a denial-of-service (DoS) attack, 3) a forced retransmission attack, and 4) a pulse attack. In the overcurrent attack, the adversary makes the current that flows into the microcontroller with VIDS exceed the hardware limit of the microcontroller (i.e., the current absolute maximum rating), which may damage the microcontroller. In the DoS attack, the adversary keeps the CAN bus in an idle state by holding the voltages of the CAN bus lines at one level, by which messages cannot be transmitted. In the forced retransmission attack, the adversary violates the bit timing requirement of the CAN protocol to make an error, which makes a message be retransmitted. In the pulse attack, the adversary arbitrarily changes the voltages of the CAN bus lines by applying a pulse signal, which blocks message transmission.
We make the following contributions in this paper:
We propose four voltage-based attacks that are an overcurrent attack, a DoS attack, a forced retransmission attack, and a pulse attack by manipulating the voltage levels of the CAN bus lines using the extra wires.
We propose a fuse-based Intrusion Response System (IRS) and a heat-based IRS that detect and mitigate the voltage-based attacks by isolating the compromised ECU from the CAN bus.
We demonstrate the proposed voltage-based attacks and evaluate the effectiveness of the proposed IRSs using a CAN bus testbed. Our evaluation shows that the voltage-based attacks can be implemented in practice. We also demonstrate that the proposed IRSs mitigate the voltage-based attacks.
The rest of the paper is organized as follows. The related work on the IDSs for the CAN protocol is reviewed in Section II. Section III summarizes a brief background on the CAN protocol and explains a CAN transceiver’s operation. Section IV presents the adversary model, and Section V describes the voltage-based attacks. The hardware-based IRSs are proposed in Section VI. The experimental results are presented in Section VII. Section VIII concludes the paper.
Ii Related Work
Many works have proposed various IDSs that detect cyber attacks using abnormal deviations in the traffic through the CAN bus. Based on the fact that most of the messages in the CAN protocol are transmitted with a fixed length and frequency, an IDS that detects the existence of spoofed messages using a frequency of message occurrence is proposed . Also, the authors of  proposed the entropy-based IDS that exploits coincidence among a set of messages. The entropy-based IDS, however, can be bypassed if an adversary replicates structure and pattern of the legitimate traffic . Hence, IDSs that fingerprint each ECU by exploiting ECU’s physical properties are developed [11, 16, 17]. For instance, the authors of  proposed the clock-based IDS (CIDS) that uses the clock skew of ECUs to fingerprint each ECU. It is demonstrated that the CIDS can be bypassed by the cloaking attack that matches the interarrival time of the spoofed messages to that of the legitimate messages [14, 18].
The voltage characteristics are determined by the CAN transceiver’s hardware and cannot be modified by the microcontroller’s software, which makes mimicking the voltage characteristics through cyber attacks difficult for an adversary . Although connecting the microcontroller’s analog pins to the CAN bus lines has a potential risk, many works have proposed VIDSs [16, 17, 10]. In , the proposed VIDS exploits the mean squared error between the measured voltage and each ECU’s reference voltage that has been collected before an attack. The VIDS proposed in 
measures the voltages of each CAN bus line and extracts features from the distribution of the measured voltage samples. The voltage difference between the CAN bus lines and transition time between bits 0 and 1 are exploited to detect abnormal deviations in the voltage characteristics by using machine learning algorithms in.
VIDSs measure the voltages of CANH and CANL to extract the voltage characteristics of each ECU. An oscilloscope is used to measure the voltage in  and , which may not be possible in a car due to limitations in power and space. Alternatively, a VIDS may be implemented in a microcontroller, which requires 12V that can be supplied from a car battery . If the microcontroller or oscilloscope is compromised, the adversary may exploit the wires connected to the CAN bus lines to launch attacks. The recent works on the VIDSs, however, did not discuss any potential cyber attacks in which these wires are maliciously used, nor did the works propose a protection mechanism to mitigate the attacks [16, 17, 10]. We consider such attacks in this paper.
Despite the effectiveness of an IDS in protecting the CAN bus, the IDS is limited to detecting cyber attacks and alerting an operator of the automobile. The reaction to the detected attacks remains to the operator of the automobile . An IRS, however, can detect an attack and promptly mitigate the attack [19, 13].
The contributions of this paper differ from our previous work  in that we investigate more attack surfaces of VIDS and improve a state-of-the-art IRS against the voltage-based attacks. We develop a pulse attack that may block message transmission using pulse signals. We also develop a heat-based IRS that can be reusable without replacing a fuse or resetting a circuit breaker after mitigating a voltage-based attack.
In this section, the CAN protocol is reviewed, and the operation of a CAN transceiver is discussed. We explain analog pin modes of a microcontroller, which are used for measuring the voltage and generating electrical signals.
Iii-a CAN Protocol Background
The CAN protocol is a multi-master broadcast bus network in which any ECU can transmit messages and receive all ongoing messages through the CAN bus. An ECU that accesses the CAN bus first can transmit a message. If two or more ECUs attempt to send messages simultaneously, the message with the smallest ID is first transmitted through a content-based collision detection process called arbitration. For example, consider two ECUs A and B that try to send their messages with IDs 0x010 and 0x001, respectively. ECU A recognizes that a higher priority message is being transmitted and stops transmitting its message through an arbitration. Bits 0 and 1 are also called dominant and recessive bits, respectively.
A data frame in the CAN protocol consists of 7 fields as illustrated in Fig. 2, and the length of the data field can be varied from 1 to 8 bytes. As shown in the structure of the data frame, the data field is not encrypted, and there does not exist a field for message authentication. If a message is not transmitted and received correctly because of external electromagnetic interference or malfunction of CAN transceivers, the ECU retransmits that message after an error frame is transmitted.
Iii-B Operation of CAN Transceivers
The CAN bus consists of two bus lines terminated by two 120 resistors. In order to make the CAN bus more robust to the external electromagnetic interference, the CAN protocol uses the differential voltage between CANH and CANL to represent a bit. When transmitting a recessive bit, both CANH and CANL are set to the same value, which makes the differential voltage be 0.0V. When transmitting a dominant bit, CANH and CANL are set to different voltages to make the differential voltage larger than a predetermined threshold, typically 0.9V. Fig. 3 illustrates the voltage levels of CANH and CANL when transmitting dominant and recessive bits using a CAN transceiver whose supply voltage is 5.0V. For a recessive bit, both CANH and CANL are set to nominal 2.5V to make the differential voltage be 0.0V. When transmitting a dominant bit, the differential voltage is 2.0V since CANH and CANL are set to nominal 3.5V and 1.5V, respectively.111For a recessive bit, the voltage levels of CANH and CANL are 2.3V when we use a CAN transceiver whose supply voltage is 3.3V, in which the differential voltage is still 0.0V. For a dominant bit, the CAN transceiver sets CANH and CANL to 3.0V and 1.0V, respectively. Hence, the differential voltage becomes 2.0V [20, 21]. Although the supply voltage of the CAN transceivers might be different, the CAN transceivers exploit the differential voltage between CANH and CANL to represent a bit [22, 23, 20, 21, 24, 25].
The two transistors in a CAN transceiver control the voltage levels of CANH and CANL to transmit bits as illustrated in Fig. 4. When transmitting a recessive bit, the transistors are in the off-state in which current cannot flow from the supply voltage to the ground. Due to the reference voltage (i.e., nominal 2.5V) applied to both CANH and CANL, the voltage levels of the CAN bus lines are set to the reference voltage. As a result, the differential voltage becomes 0.0V that represents the recessive bit.
When transmitting a dominant bit, the driver control lets the transistors be in the on-state in which an electric path is created between the emitter and the collector in bipolar junction transistors (BJTs) or the source and the drain in field effect transistors (FETs). Then, current flows from to the ground. Due to this current flowing through the termination resistors, the voltage is dropped from CANH to CANL, and the differential voltage becomes non-zero. Since the operation of BJT and FET as a switch is identical, the analysis on the operation of a Microchip MCP2551 CAN transceiver that is composed of BJTs can be applied to any types of CAN transceivers that consist of FETs . A Microchip MCP2551 CAN transceiver sets the voltages of CANH and CANL to 3.5V and 1.5V, respectively. The voltage is dropped by 0.7V between the base and the emitter of the BJT when the BJT is in the on-state. Since is 5.0V, the voltage at the collector of the BJT connected to CANH becomes 4.3V. The voltage is again dropped by 0.7V after the diode, which makes the voltage of CANH be 3.5-3.6V. Similarly, the voltage of CANL becomes 1.4-1.5V because the voltage is increased by 0.7V at the BJT and the diode, respectively.
Iii-C Analog Pin Modes in Microcontroller
A microprocessor measures voltage via its analog pin set to the input mode by using an Analog-to-Digital Converter (ADC) that is embedded in the microprocessor [26, 27, 28, 29, 30]. Also, a microprocessor may generate electric signals such as a Pulse Width Modulation (PWM) signal using an analog pin if that analog pin is set to the output mode [26, 27, 28]. For example, Microchip ATmega328P used in an Arduino UNO Rev3 board, NXP MPC563 used in an ECU of Hyundai Sonata, and Renesas V850 used in an Engine Control Module of Toyota Camry provide analog pins that can be used to measure voltage or generate PWM signals [29, 30, 27].
Iv Adversary Model
In this section, we describe an adversary model for voltage-based attacks on the CAN bus and VIDS. Consider first how an ECU with VIDS can be compromised. If an adversary accesses the CAN bus physically via an On-Board Diagnostics (OBD)-II port that is mandated for all cars in the US and EU, the adversary may upload its malicious code to the ECU with VIDS using a pass-thru device such as Hyundai Global Diagnostic System , Ford Vehicle Communication Module , Volkswagen VAG-COM Diagnostic System , or Toyota Technical Information System . The adversary may also remotely compromise an ECU without physical access to the CAN bus if that ECU is equipped with a telematics unit [5, 9, 37]. Then, any ECU on the CAN bus including the ECU with VIDS can be compromised using the compromised ECU .
Although an adversary may compromise an ECU with VIDS, the firmware of the CAN controller cannot be modified without a special equipment . Hence, the adversary cannot manipulate the output voltage of the CAN transceiver in order to violate the CAN protocol. The adversary, however, can manipulate the analog pin modes of the microcontroller once the ECU with VIDS is compromised. As a result, the adversary may apply electric signals to the CAN bus by controlling the analog pin modes as explained in Section III.
V Voltage-based Attacks
|mode||mode||Type of attack|
|Input||Input||Not an attack, setting for measuring voltage|
|Input||Low||Passive overcurrent attack|
|High||Input||Forced retransmission attack|
|High||Low||Active overcurrent attack|
|Low||Input||DoS attack or passive overcurrent attack|
|Low||High||DoS attack or active overcurrent attack|
|Low||Low||DoS attack or passive overcurrent attack|
In this section, we introduce four proposed voltage-based attacks that are an overcurrent attack, a DoS attack, a forced retransmission attack, and a pulse attack. Let us denote two analog pins of the microcontroller with VIDS that are connected to CANH and CANL as and , respectively. We discuss combinations of and for the normal operation of a VIDS and voltage-based attacks. An analog pin can be in either 1) input for measuring the voltage, 2) high voltage output, 3) low voltage output, or 4) pulse output. We consider two levels of the voltage output, and a PWM signal can be generated by switching low and high voltage output modes in the pulse output mode.222Depending on microcontrollers, an analog pin may generate multiple levels of the output voltage. In this paper, we consider the binary levels of the output voltage .
In the normal operation of a VIDS, both and are in the input mode to measure the voltage levels of CANH and CANL, respectively. If the adversary compromises an ECU with VIDS, the adversary may change the pin modes of and by uploading its malicious code. Some combinations of the analog pin modes may damage the microcontroller with VIDS, block message transmission, or cause message retransmission as listed in Table I.
V-a Overcurrent Attack
A microcontroller may absorb current below a threshold through an analog pin due to its hardware limitation, which is called the current absolute maximum rating, . If current larger than this limit flows into the analog pin, the microcontroller can be damaged by an electric shock. The idea of the overcurrent attack is that the adversary makes the current larger than flow into . For instance, values of are 40mA for Microchip ATmega328P  and Renesas V850  and 20mA for NXP MPC563 .333The datasheet of Renesas V850 does not provide the current absolute maximum rating. Since the voltage absolute maximum rating of Renesas V850 and operating condition such as temperature are similar to that of Microchip ATmega328P, it is reasonable to assume that the current absolute maximum rating of Renesas V850 is similar to Microchip ATmega328P, which is 40mA.
A small current flows through the analog pin of the microcontroller when measuring voltage. Due to the high impedance at the microcontroller, current drawn by the microcontroller is negligible, which is in the order of nA. The current flowing through an analog pin during the voltage measurement is much smaller than and does not damage the microcontroller.
The adversary, however, may make the microcontroller absorb current through by manipulating the analog pin mode. Let and be the voltages of CANH and CANL when bit is transmitted, respectively, where is either 0 or 1. For instance, the voltage of CANL when a recessive bit is transmitted is denoted as . In order to let the current larger than flow into the microcontroller, must meet the following condition.
where is 60 and depends on a hardware limit of the microcontroller, typically 40mA.
We propose two types of the overcurrent attacks, namely passive and active overcurrent attacks, by changing the pin modes of and as illustrated in Fig. 5. The adversary only changes from the input mode to the low voltage output mode to launch the passive overcurrent attack. Since is 3.5V as shown in Fig. (a)a, the current absorbed through can be computed as =58.3mA, which satisfies Eq. (1). In the passive overcurrent attack, the current is supplied from a car battery that can provide the current in the order of Ampere as illustrated in Fig. (a)a. In order to launch the active overcurrent attack, the adversary changes and to the high voltage output mode and the low voltage output mode, respectively. and become 5.0V and 0.0V, respectively, as shown in Fig. (b)b. Then, the current flowing through is computed as =83.3mA that is also larger than . In the active overcurrent attack, the current is supplied from the microcontroller as illustrated in Fig. (b)b.
V-B Denial-of-Service (DoS) Attack
In order to transmit a bit on the CAN bus, the differential voltage between CANH and CANL, , must satisfy the CAN protocol. The idea of the DoS attack is that the adversary increases the voltage level of CANL such that is always smaller than the decision threshold for determining a dominant bit. As a result, a recessive bit can only be transmitted, which means that the CAN bus is in the idle state. Also, messages cannot be transmitted. The adversary sets from the input mode to the high voltage output mode. Let denote the voltage applied to CANL by the adversary using . Then, can be computed as follows
When a recessive bit is transmitted, both CANH and CANL are set to under the DoS attack because current does not flow through the termination resistors. Using Eq. (2), becomes 0.0V, which represents a recessive bit. Although the voltages of CANH and CANL are manipulated as illustrated in Fig. 7, the recessive bit can be transmitted under the attack. A CAN transceiver determines a dominant bit if VV with the differential input hysteresis between 100-200mV as shown in Fig. 8. When transmitting a dominant bit, the adversary may thwart the transmission of the dominant bit by setting to make smaller than 0.9V. If is larger than 3.5V, also becomes because current cannot flow through the termination resistors due to the diode in the CAN transceivers. Hence, again becomes 0.0V, which indicates that the DoS attack is successfully launched. Also, the adversary may launch the DoS attack by setting in the low voltage output mode since is always equal to or less than 0.0V.
V-C Forced Retransmission Attack
The duration of one bit must satisfy the timing requirement of the CAN protocol according to the CAN bus speed. The idea of the forced retransmission attack is that the adversary makes the transition time from a dominant bit to a recessive bit longer than the nominal value, typically 70-130ns . As a result, an error occurs while receiving a message, especially at the ACK delimiter position of a data frame as shown in Fig 2. The adversary increases the transition time, thus making a dominant bit at the ACK delimiter position that has to be a recessive bit. The adversary changes from the input mode to the high voltage output mode to launch the forced retransmission attack.
In order to analyze the transition time from a dominant bit to a recessive bit quantitatively, we define the bit length time as follows
where and denote the time at which a dominant bit starts and the time at which the voltage of CANL reaches 90% of , respectively, as illustrated in Fig. 9. also indicates the sum of the duration of the dominant bit and the transition time. For instance, if the CAN bus speed is set to 500kbps, without the attack is nominal 2s.
Let denote the voltage applied to CANH by the adversary via , and we consider 2.5V. Fig. 10 illustrates the voltages of CANH and CANL under the forced retransmission attack when is 5.0V. When transmitting a recessive bit, both CANH and CANL become since current does not flow through the termination resistors. A recessive bit can be transmitted under the attack. A dominant bit can also be transmitted because is greater than 0.9V where increases as increasing . If becomes greater than 3.5V, the adversary forcefully sets CANL higher than the normal operating range of the CAN transceiver. As a result, the voltage of CANL switches from 1.5V to when a recessive bit is transmitted right after a dominant bit, which increases the transition time as illustrated in Fig. 9. Using its local clock, an ECU decodes a bit by sampling the voltage levels of CANH and CANL with the fixed period that is determined by the CAN bus speed. If the duration of a bit is longer than the nominal value, the ECU cannot decode the bit correctly. Hence, an error occurs while receiving a message, and that message is retransmitted.
V-D Pulse Attack
The idea of the pulse attack is blocking message transmission using a PWM signal. Consider that the PWM signal is applied to CANL using . Then, there are four possible cases for the voltage behavior of the CAN bus because the PWM signal could be in either the high voltage output mode or the low voltage output mode when a dominant or recessive bit is transmitted, respectively. If the PWM signal is in the high voltage output mode while a dominant bit is transmitted, both CANH and CANL become the same voltage, which represents a recessive bit. Hence, the dominant bit cannot be transmitted through the CAN bus, and message transmission is blocked. A bit can be transmitted correctly in the other three cases because satisfies the CAN protocol.
A PWM signal and the start of the message are not perfectly synchronized in most of the time because the PWM signal is applied in arbitrary time without considering message transmission. As a result, the case in which a dominant bit is tried to be transmitted when the PWM signal is in the high voltage output always occurs. If the PWM signal is applied to CANH, a dominant bit cannot be transmitted if the PWM signal is in the low voltage output. The pulse attack occurs when a PWM signal is applied to either or where the other analog pin is in the input mode.
A CAN controller determines a received bit using the voltage signal from the CAN transceiver. In order to determine the bit, this voltage signal has to stay constant longer than a predetermined threshold, typically 300-350ns . Otherwise, the CAN controller cannot decode the received bit. The impact of the PWM signal during message transmission can be negligible if the duration of blocking the transmission of a dominant bit is shorter than this predetermined threshold. For example, when the duty cycle is fixed at 50%, the period of the PWM signal has to be longer than 700ns to thwart the transmission of a dominant bit, which launches the pulse attack successfully. If the period of the PWM signal is twice longer than the message transmission time for the fixed duty cycle 50%, the PWM signal changes the voltage levels of the CAN bus lines for the entire message transmission time, which is identical to the DoS attack and forced retransmission attack. Hence, we only consider the period less than the message transmission time in this paper.
Vi Hardware-based Intrusion Response Systems
In this section, we propose two hardware-based IRSs, namely fuse-based IRS and heat-based IRS, and explain how these IRSs may mitigate the voltage-based attacks. As shown in Fig. (a)a, the fuse-based IRS consists of fuses or circuit breakers that are attached between the microcontroller’s analog pins and the CAN bus lines, while the heat-based IRS consists of heating coil and thermostats as illustrated in Fig. (b)b. The current flowing through the analog pins can be used as an indicator of the voltage-based attacks because the current flows through these analog pins under the voltage-based attacks. The hardware-based IRSs physically isolate a VIDS from the CAN bus as soon as any one of the voltage-based attacks is detected. The hardware components such as fuses, circuit breakers, heating coil, or thermostats operate independently of the microcontroller. Hence, the cyber attack on an automobile cannot disable the proposed IRSs. In the rest of this section, we explain how each proposed IRS can mitigate the voltage-based attacks.
Vi-a IRSs for Overcurrent Attack
The overcurrent attack can be mitigated by limiting the current that flows into the microcontroller to be less than the current absolute maximum rating, . A fuse may limit the current since it disconnects two parts of a circuit when current larger than its current rating flows longer than its opening time. The typical opening time of very fast-acting fuses is in the order of s to ms [41, 42]. Since it takes a longer time to damage a microcontroller by the overcurrent than to open a fuse , the fuse disconnects the wire before the microcontroller is burned. The microcontrollers may be damaged by the overcurrent within a short amount of time in the order of ns and s. Micro-electro-mechanical system (MEMS)-based fuses or thin film-based fuses can be used for the fuse-based IRS because their opening times are in the order of s for the MEMS-based fuse  and in the order of ns for the thin-film based fuse . A fuse does not thwart the voltage measurement at the microcontroller when the fuse is attached to an analog pin as illustrated in Fig. (a)a since the fuse is a wire that does not induce any voltage drop ideally. A fuse with the current rating smaller than can be used for the fuse-based IRS because 58.3mA and 83.3mA flow through under the passive and active overcurrent attacks, respectively, as computed in Section V. A fuse has to be replaced every time after it blows out. Though replacing a fuse is simple, a circuit breaker is reusable after it isolates a VIDS during the overcurrent attack. A system operator, however, still has to reset the circuit breaker manually.
A thermostat also disconnects two parts of a circuit if it is heated above its temperature limiting threshold and connects them again if it is cooled down below the temperature limiting threshold. A heating coil is made of a metal composite such as nichrome that generates heat when current flows through it. Under the passive overcurrent attack, heat is generated from the heating coil connected to CANL due to the current flowing through . Both heating coils generate heat under the active overcurrent attack because the current flows from to . The thermostat is heated and isolates a VIDS from the CAN bus. Consider that the malicious code is removed from the microcontroller. The current does not flow through the heating coil, thus cooling down the thermostat below the temperature limiting threshold. Then, the wires from the microcontroller to the CAN bus lines are connected again without replacing any hardware components. The heating coil and thermostat are a wire if the thermostat is closed. Hence, the heating coil and thermostat do not thwart the voltage measurement at the microcontroller when they are attached to an analog pin as illustrated in Fig. (b)b.
One might argue that a resettable fuse can be used instead of a thermostat because a system operator also does not need to replace the resettable fuse. Different from fuses or thermostats that completely disconnect a wire, the resettable fuse, however, allows a leakage current in the order of a hundred mA, which is large enough to damage the microcontroller when the resettable fuse is open . Hence, the resettable fuse should not be used in the proposed hardware-based IRSs.
Vi-B IRSs for DoS Attack, Forced Retransmission Attack, and Pulse Attack
The output voltage from an analog pin has to be limited in order to mitigate the DoS attack, forced retransmission attack, and pulse attack since an abnormal voltage is applied to either CANH or CANL under these attacks. Due to this voltage, current flows through the analog pins under these attacks. Under the DoS attack, current flows from to the ground of the CAN transceiver when a dominant bit is transmitted. Also, current flows from to the ground of the CAN transceiver under the forced retransmission attack. Under the pulse attack, current flows through either or if the PWM signal is applied to CANL or CANH, respectively. Hence, fuses or circuit breakers can be used to mitigate these attacks.
In order to determine the current rating of the fuse, the current flowing through and under the DoS attack, forced retransmission attack, and pulse attack is analyzed, respectively. Fig. 12 illustrates a test circuit that emulates the voltage levels of the transistor inside the CAN transceiver under the DoS attack using a Motorola Solutions 2N2905A PNP BJT. When the BJT is in the on-state, we measure that 281mA flows into the ground using the test circuit. For the forced retransmission attack, we compute the current that flows through as 58.3mA. Since the voltage levels under the pulse attack via CANL is the same as that under the DoS attack, the current flowing through becomes 281mA. For the pulse attack via CANH, the current flowing through becomes 58.3mA as the forced retransmission attack. Hence, fuses or circuit breakers with current rating less than 58.3mA mitigate these attacks.
We analyze that current flows through the analog pins under the DoS attack, forced retransmission attack, and pulse attack. By exploiting this fact, the heating coil may heat the thermostat during these attacks, and the thermostat disconnects the extra wires. As a result, the heat-based IRS can also mitigate these attacks by isolating a VIDS from the CAN bus.
In this section, we analyze the overcurrent attack, DoS attack, forced retransmission attack, and pulse attack on a CAN bus testbed. We demonstrate that the proposed hardware-based IRSs may mitigate the voltage-based attacks.
Vii-a Testbed and Equipment
We implement a CAN bus testbed that consists of three ECUs as shown in Fig. 13. Each testbed ECU is composed of an Arduino UNO Rev3 board and a Sparkfun CAN bus shield. The CAN bus shield uses a Microchip MCP2515 CAN controller and a Microchip MCP2551 CAN transceiver. We set the CAN bus speed to 500kbps, which is widely used in many modern cars . Since a VIDS is assumed to be installed on the microcontroller of ECU A, two analog pins A0 and A5 of the Arduino board in ECU A are connected to CANH and CANL, respectively. ECU A is compromised and launches the proposed voltage-based attacks by changing the modes of these analog pins. ECU C transmits messages every 1s, and ECU B logs all the received messages.
We use a Tektronix TDS2004B oscilloscope to measure voltages of the CAN bus lines and bit duration in the normal message transmission and under the voltage-based attacks. A Keysight 34461A digital multimeter is used to measure voltage and current. The minimum period of a PWM signal that an Arduino board can generate is 1.02ms, and the Arduino board cannot generate various voltage levels from an analog pin . We use a Tektronix AFG3021 function generator to apply PWM signals with various periods in order to determine the minimum period for a successful pulse attack. A Keysight U8031A power supply is used to apply various constant voltages to CANH and CANL to determine the minimum voltage levels for successful DoS attack and forced retransmission attack, respectively.
We use Littelfuse 0326 fuses with current rating 10mA to implement the fuse-based IRS. For the heat-based IRS, we use Sparkfun heating pad and Sensata Airpax 67L040 thermostats with temperature limiting threshold 40C. In the test circuit as illustrated in Fig. 14, is 5.0V, and the analog pins are in the input mode. The microcontroller can correctly measure the voltages of CANH and CANL (i.e., 5.0V and 0.0V at A0 and A5, respectively), which indicates that the fuse does not thwart the voltage measurement at the microcontroller. By repeating the same experiments after replacing the fuses with circuit breakers and thermostats with heating coils, respectively, we verify that our proposed IRSs do not thwart the voltage measurement.
Fig. 15 shows the voltage levels of CANH and CANL in the normal message transmission when the message ID is 0x01 and data is 0x01. Due to hardware characteristics of the CAN transceiver, the actual voltages of CANH and CANL are 2.4V when a recessive bit is transmitted. When transmitting a dominant bit, the actual voltages of CANH and CANL become 3.4V and 1.5V, respectively. The voltage levels for both dominant and recessive bits, however, meet the CAN protocol . Since the CAN bus speed is set to 500kbps, one bit is 2s long.
Vii-B Voltage-based Attacks
In this section, we present the experimental results of the voltage-based attacks using our CAN bus testbed.
Vii-B1 Overcurrent Attack
Since we do not want to damage our testbed ECUs, we implement a test circuit as illustrated in Fig. 16 to emulate the CAN bus under the overcurrent attack. In the test circuit, let the ground and represent of the microcontroller and the voltage of CANH, respectively. To emulate the passive overcurrent attack, is set to 3.5V using the power supply, and the current flowing into the ground is measured to be 58mA. When emulating the active overcurrent attack, is set to 5.0V, and 83mA flows into the ground. These experimental values closely match with the theoretical values computed in Section V. Since the current is supplied from the microcontroller in the active overcurrent attack, the Arduino board may not generate 83mA due to its hardware limitation. We measure that the maximum 52mA can be provided from an analog pin of the Arduino board, which is still large enough to damage many microprocessors including Microchip ATmega328P, Renesas V850, and NXP MPC563 [26, 39, 30].
Fig. 17 demonstrates the current flowing into the ground in the test circuit under the overcurrent attacks. Both passive and active overcurrent attacks occur at 20s, which is indicated by the black dashed line. The red dashed line represents (i.e., 40mA) of the Arduino board. The current does not flow through the analog pins before the overcurrent attacks occur. After the attacks, however, the current larger than flows through , which may damage the microcontroller.
Vii-B2 DoS Attack
Fig. 18 shows that the voltages of CANH and CANL become 5.0V when is set to 5.0V. Since is always 0.0V, a dominant bit cannot be transmitted, which demonstrates that the DoS attack is successfully launched using ECU A. In order to determine the minimum voltage that successfully launches the DoS attack, we connect the power supply to CANL. is increased from 0.1V to 5.0V to cover the output voltage range of many microprocessors [29, 30]. The attack indicator is 0 if the attack fails and 1 if the attack is successful. As shown in Fig. 19, the DoS attack is successful if is between 2.2V and 5.0V since is always less than the decision threshold for determining a dominant bit (i.e., 0.9V for Microchip MCP2551).
Vii-B3 Forced Retransmission Attack
Fig. 20 shows the voltages of the CAN bus lines under the forced retransmission attack by applying 5.0V to CANH. Two consecutive messages are spaced by about 30s, which indicates that the message is retransmitted because the period of the message is 1s. The voltage of CANH could not be maintained at 5.0V since the Arduino board cannot generate current large enough to make greater than 3.5V. In order to determine the minimum voltage for the successful forced retransmission attack, we increase from 2.5V to 5.0V using the power supply. The forced retransmission attack becomes successful from =4.5V. Fig. 21 shows the bit length time in the normal message transmission and under the forced retransmission attack if =5.0V. While is 2s in the normal message transmission, becomes 3.16s under the forced retransmission attack. As a result, the duration of a recessive bit violates the CAN protocol, which causes an error. Since there are 7 transitions from a dominant bit to a recessive bit in a message with the ID 0x01 and data 0x01, Table II shows the average of when is varied from 2.5V to 5.0V.
Vii-B4 Pulse Attack
In order to determine the minimum period of the PWM signal that launches the pulse attack successfully, we apply the PWM signal with the duty cycle 50%, amplitude 5.0V, and offset 2.5V (i.e., the low output voltage is 0.0V, and the high output voltage is 5.0V) to CANL using the function generator while is in the input mode. We increase the period of the PWM signal from 500ns to 700ns. Then, we repeat the same experiment after connecting the function generator to CANH where is set to the input mode. Fig. 22 demonstrates that the pulse attack becomes successful if the period is longer than 680ns and 570ns when the PWM signal is applied to CANL and CANH, respectively. The pulse attack via CANH becomes successful with a shorter period than that via CANL because the transition time increases when the voltage is applied to CANH.
Vii-C Hardware-based IRSs
In this section, we demonstrate that the fuse-based IRS can mitigate all four voltage-based attacks. Also, the proof-of-concept of the heat-based IRS is verified using a test circuit.
Vii-C1 Fuse-based IRS
We implement the fuse-based IRS as illustrated in Fig. (a)a. 58mA and 83mA flow through under the passive and active overcurrent attacks, respectively. By using the fuse with current rating 10mA, both overcurrent attacks can be mitigated since is disconnected from CANL. In order to verify that the fuse-based IRS can mitigate the DoS attack, forced retransmission attack, and pulse attack, we design an attack scenario in which ECU A launches an attack from 10s to 30s, while ECU C transmits messages every 1s. We repeat this experiment for each of the three attacks. For the DoS attack and forced retransmission attack, 5.0V is applied to CANL and CANH, respectively. The period of the PWM signal is set to 100s with the duty cycle 50%, amplitude 5.0V, and offset 2.5V for the pulse attack. The message indicator is 1 if the message is received at ECU B and 0 if the message transmission fails. For all three voltage-based attacks, ECU B receives the messages every 1s as normal under each attack as shown in Fig. 23. Hence, the fuse-based IRS may mitigate the voltage-based attacks.
Vii-C2 Heat-based IRS
The maximum current that the Arduino board can supply is 52mA, by which the heat may not be generated high enough to let the thermostat disconnect the wires . We implement a test circuit that emulates operations of the heat-based IRS where the current to the heating coil is provided by the power supply instead of the Arduino board as shown in Fig. 24. Current does not flow through the heating coil when emulating the normal operation of a VIDS. Since current flows through either or under all four voltage-based attacks, we launch an attack by letting the current of 1A flow the heating coil from the power supply under the controlled laboratory setting for the safety. In the test circuit, A0 and A5 are in the input mode while is set to 5.0V. Before emulating an attack, the microcontroller measures 5.0V via A0, which means the analog pin is connected to . After launching an emulated attack, however, the microcontroller cannot measure at A0, which indicates that the thermostat disconnects the wire. These experimental results demonstrate that the heat-based IRS may mitigate the voltage-based attacks.
In this paper, we investigated new vulnerabilities of VIDS when an adversary maliciously exploits the extra wires given to VIDS. We proposed four voltage-based attacks that may damage the microcontroller with VIDS, block message transmission, or make a message be retransmitted by manipulating the voltage levels of the CAN bus lines. In order to mitigate the voltage-based attacks, we developed two hardware-based IRSs that isolate VIDS from the CAN bus once the voltage-based attacks are detected. We demonstrated the voltage-based attacks and hardware-based IRSs using our CAN bus testbed. Our work implies that a new attack surface might be introduced to the CAN bus by the wires that directly connect the CAN bus lines and VIDS if VIDS is compromised. Hence, in order to provide security assurance to an automobile, defense systems based on hardware must be implemented together with VIDS if the voltage characteristics are exploited as a fingerprint of ECUs. Although the idea of isolating a compromised VIDS using thermostats is demonstrated, implementation of the heat-based IRS in a more practical environment will be studied as future work.
-  S. Sagong, X. Ying, R. Poovendran, and L. Bushnell, “Exploring Attack Surfaces of Voltage-Based Intrusion Detection Systems in Controller Area Networks,” in Embedded Security in Cars Europe, 2018.
-  ISO, “International Standard ISO 11898-1 Road Vehicles-Controller Area Network (CAN), Part 1 Data Link Layer and Physical Signaling,” 2015.
-  ——, “International Standard ISO 17987 Road Vehicles-Local Interconnect Network (LIN), Part 1 General Information and Use Case Definition,” 2016.
-  ——, “International Standard ISO 17458 Road Vehicles-FlexRay Communication System, Part 1 General Information and Use Case Definition,” 2013.
-  C. Miller and C. Valasek, “Remote Exploitation of An Unaltered Passenger Vehicle,” in Black Hat USA, 2015.
-  ——, “Adventures in Automotive Networks and Control Units,” in DEF CON21, 2013.
-  ——, “A Survey of Remote Automotive Attack Surfaces,” in Black Hat USA, 2014.
-  K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage, “Experimental Security Analysis of a Modern Automobile,” in IEEE Symposium on Security and Privacy, 2010, pp. 447–462.
-  S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno, “Comprehensive Experimental Analyses of Automotive Attack Surfaces,” in USENIX Conference on Security, 2011, pp. 77–92.
-  P. S. Murvay and B. Groza, “Source Identification Using Signal Characteristics in Controller Area Networks,” IEEE Signal Processing Letters, vol. 21, no. 4, pp. 395–399, April 2014.
-  K.-T. Cho and K. G. Shin, “Fingerprinting Electronic Control Units for Vehicle Intrusion Detection,” in USENIX Conference on Security Symposium, 2016, pp. 911–927.
-  ——, “Error Handling of In-vehicle Networks Makes Them Vulnerable,” in ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1044–1055.
-  T. Hoppe, S. Kiltz, and J. Dittmann, “Security Threats to Automotive CAN Networks - Practical Examples and Selected Short-Term Countermeasures,” in International Conference on Computer Safety, Reliability, and Security, 2008, pp. 235–248.
-  S. Sagong, X. Ying, A. Clark, L. Bushnell, and R. Poovendran, “Cloaking the Clock: Emulating Clock Skew in Controller Area Networks,” in ACM/IEEE International Conference on Cyber-Physical Systems, 2018, pp. 32–42.
M. Müter and N. Asaj, “Entropy-based Anomaly Detection for In-vehicle Networks,” inIEEE Intelligent Vehicles Symposium, June 2011, pp. 1110–1115.
-  K.-T. Cho and K. G. Shin, “Viden: Attacker Identification on In-Vehicle Networks,” in ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 1109–1123.
-  W. Choi, K. Joo, H. J. Jo, M. C. Park, and D. H. Lee, “VoltageIDS: Low-Level Communication Characteristics for Automotive Intrusion Detection System,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 8, pp. 2114–2129, August 2018.
-  X. Ying, S. Sagong, A. Clark, L. Bushnell, and R. Poovendran, “Shape of the cloak: Formal analysis of clock skew-based intrusion detection system in controller area networks,” IEEE Transactions on Information Forensics and Security, pp. 1–1, 2019.
-  C. Carver, J. Hill, J. Surdu, and U. Pooch, “A Methodology for Using Intelligent Agents to Provide Automated Intrusion Response,” in IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, 2000, pp. 110–116.
-  Texas Instruments, “Overview of 3.3V CAN (Controller Area Network) Transceiver,” 2013.
-  ——, “SN65HVD23x 3.3-V CAN Bus Transceivers,” 2015.
-  Microchip, “MCP2551 CAN Transceiver Datasheet,” 2016.
-  NXP, “TJA1043 CAN Transceiver Datasheet,” 2017.
-  Texas Instruments, “Introduction to the Controller Area Network (CAN),” 2016.
-  ——, “Controller Area Network Physical Layer Requirements,” 2008.
-  Arduino, “Arduino UNO Rev3 Technical Specification,” https://store.arduino.cc/usa/arduino-uno-rev3, accessed: 2018-05-07.
-  Renesas, “V850/SA1 Application Note,” 2000.
-  Texas Instruments, “Am335x Sitara Processors Datasheet,” 2016.
-  Microchip, “ATmega 328P Automotive Datasheet,” 2015.
-  NXP, “MPC561/MPC563 Reference Manual,” 2005.
-  California Air Resource Board, “HD OBD Regulatory Documents,” 2012.
-  The European Union, “Directive 98/69/EC of the European Parliament and of the Council,” 1998.
-  Hyundai, “Hyundai Global Diagnostic System,” https://hyundai.service-solutions.com/en-US/Pages/ItemDetail.aspx?SKU=GDSM-LTKITH, accessed: 2018-06-25.
-  Ford, “Ford Vehicle Communication Module,” https://www.fordtechservice.dealerconnection.com/VDIRS/wds/vcm_retail_renewal_Latest.asp, June 2018, accessed: 2018-06-25.
-  Ross Tech, “Volkswagen VAG-COM Diagnostic System,” http://www.ross-tech.com/vag-com/index.html, accessed: 2018-06-25.
-  Toyota, “Toyota Technical Information System,” https://techinfo.toyota.com/techInfoPortal, June 2018, accessed: 2018-06-25.
-  R. Rieke, M. Seidemann, E. K. Talla, D. Zelle, and B. Seeger, “Behavior Analysis for Safety and Security in Automotive Systems,” in Euromicro International Conference on Parallel, Distributed and Network-based Processing, March 2017, pp. 381–385.
-  Atmel, “The Atmel-ICE Debugger User Guide,” 2016.
-  Renesas, “V850E2/FF4-G,” 2014.
-  Microchip, “MCP2515 Stand-Alone CAN Controller with SPI Interface,” 2016.
-  LittelFuse, “Radial Lead Fuses 272/273/274/278/279 Series Very Fast-Acting Fuses Datasheet,” 2018.
-  ——, “Fuse Characteristics, Terms and Condition Factors,” 2014.
-  Y.-S. Chiu, K.-S. Chang, R. Johnstone, and M. Parameswaran, “Fuse-Tethers in MEMS: Theory and Operation,” in Canadian Conference on Electrical and Computer Engineering, May 2005, pp. 1517–1520.
-  X. Dinga, W. Loub, and Y. Feng, “A Controllable IC-compatible Thin-Film Fuse Realized using Electro-Explosion,” AIP Advances, vol. 6, 2016.
-  “LittelFuse Fuses vs. PTCs,” https://www.littelfuse.com/about-us/education-center/fuses-vs-ptcs.aspx/, accessed: 2019-01-31.