Hardware Fingerprinting for the ARINC 429 Avionic Bus

ARINC 429 is the most common data bus in use today in civil avionics. However, the protocol lacks any form of source authentication. A technician with physical access to the bus is able to replace a transmitter by a rogue device, and the receivers will accept its malicious data as they have no method of verifying the authenticity of messages. Updating the protocol would close off security loopholes in new aircraft but would require thousands of airplanes to be modified. For the interim, until the protocol is replaced, we propose the first intrusion detection system that utilizes a hardware fingerprinting approach for sender identification for the ARINC 429 data bus. Our approach relies on the observation that changes in hardware, such as replacing a transmitter or a receiver with a rogue one, modify the electric signal of the transmission. Because we rely on the analog properties, and not on the digital content of the transmissions, we are able to detect a hardware switch as soon as it occurs, even if the data that is being transmitted is completely normal. Thus, we are able to preempt the attack before any damage is caused. In this paper we describe the design of our intrusion detection system and evaluate its performance against different adversary models. Our analysis includes both a theoretical Markov-chain model and an extensive empirical evaluation. For this purpose, we collected a data corpus of ARINC 429 data traces, which may be of independent interest since, to the best of our knowledge, no public corpus is available. We find that our intrusion detection system is quite realistic: e.g., it achieves near-zero false alarms per second, while detecting a rogue transmitter in under 50ms, and detecting a rogue receiver in under 3 seconds. In other words, technician attacks can be reliably detected during the pre-flight checks, well before the aircraft takes off.

[1]  Marco Gruteser,et al.  Wireless device identification with radiometric signatures , 2008, MobiCom '08.

[2]  Dong Hoon Lee,et al.  VoltageIDS: Low-Level Communication Characteristics for Automotive Intrusion Detection System , 2018, IEEE Transactions on Information Forensics and Security.

[3]  Gert Cauwenberghs,et al.  SVM incremental learning, adaptation and optimization , 2003, Proceedings of the International Joint Conference on Neural Networks, 2003..

[4]  Nikita Borisov,et al.  Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses , 2016, NDSS.

[5]  Bogdan Groza,et al.  Source Identification Using Signal Characteristics in Controller Area Networks , 2014, IEEE Signal Processing Letters.

[6]  Kang G. Shin,et al.  Fingerprinting Electronic Control Units for Vehicle Intrusion Detection , 2016, USENIX Security Symposium.

[7]  Zhi-Hua Zhou,et al.  Isolation Forest , 2008, 2008 Eighth IEEE International Conference on Data Mining.

[8]  Bernhard Schölkopf,et al.  Support Vector Method for Novelty Detection , 1999, NIPS.

[9]  Wenyuan Xu,et al.  AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable , 2014, NDSS.

[10]  Raheem A. Beyah,et al.  A passive technique for fingerprinting wireless devices with Wired-side Observations , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[11]  David A. Clifton,et al.  A review of novelty detection , 2014, Signal Process..

[12]  Joni-Kristian Kämäräinen,et al.  Feature representation and discrimination based on Gaussian mixture model probability densities - Practices and algorithms , 2006, Pattern Recognit..

[13]  Jaideep Srivastava,et al.  A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection , 2003, SDM.

[14]  T. Kohno,et al.  Remote physical device fingerprinting , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[15]  Naim Asaj,et al.  Entropy-based anomaly detection for in-vehicle networks , 2011, 2011 IEEE Intelligent Vehicles Symposium (IV).

[16]  Hans-Peter Kriegel,et al.  LOF: identifying density-based local outliers , 2000, SIGMOD '00.

[17]  Christopher Huth,et al.  Scission: Signal Characteristic-Based Sender Identification and Intrusion Detection in Automotive Networks , 2018, CCS.

[18]  Ian Moir,et al.  Data Bus Networks , 2013 .

[19]  Gaël Varoquaux,et al.  Scikit-learn: Machine Learning in Python , 2011, J. Mach. Learn. Res..

[20]  Ralph Langner,et al.  Stuxnet: Dissecting a Cyberwarfare Weapon , 2011, IEEE Security & Privacy.

[21]  N. Serinken,et al.  Characteristics of radio transmitter fingerprints , 2001 .

[22]  Walid Saad,et al.  Device Fingerprinting in Wireless Networks: Challenges and Opportunities , 2015, IEEE Communications Surveys & Tutorials.

[23]  Daniel A. Martinec,et al.  ARINC Specification 429 Mark 33 Digital Information Transfer System , 2014 .

[24]  Pasi Fränti,et al.  Outlier Detection Using k-Nearest Neighbour Graph , 2004, ICPR.

[25]  Karl Pearson F.R.S. LIII. On lines and planes of closest fit to systems of points in space , 1901 .

[26]  Alexander Klein,et al.  The Evolution of Avionics Networks From ARINC 429 to AFDX , 2012 .

[27]  Radha Poovendran,et al.  Cloaking the Clock: Emulating Clock Skew in Controller Area Networks , 2017, 2018 ACM/IEEE 9th International Conference on Cyber-Physical Systems (ICCPS).

[28]  Ivan Martinovic,et al.  A View from the Cockpit: Exploring Pilot Reactions to Attacks on Avionic Systems , 2020, NDSS.

[29]  Dong Hoon Lee,et al.  Identifying ECUs Using Inimitable Characteristics of Signals in Controller Area Networks , 2016, IEEE Transactions on Vehicular Technology.

[30]  N. Thanthry,et al.  Aviation data networks: security issues and network architecture , 2004, 38th Annual 2004 International Carnahan Conference on Security Technology, 2004..

[31]  Mani Mina,et al.  Physical-Layer Identification of Wired Ethernet Devices , 2012, IEEE Transactions on Information Forensics and Security.

[32]  Kang G. Shin,et al.  Viden: Attacker Identification on In-Vehicle Networks , 2017, CCS.

[33]  Andrei Costin,et al.  Ghost in the Air(Traffic): On insecurity of ADS-B protocol and practical attacks on ADS-B devices , 2012 .