Exposing New Vulnerabilities of Error Handling Mechanism in CAN

Controller Area Network (CAN) has established itself as the main internal communication medium for vehicles. However, recent works have shown that error handling makes CAN nodes vulnerable to certain attacks. In light of this threat, we systematically analyze CAN’s error handling and fault confinement mechanism to look for further vulnerabilities. In this paper, we develop CANOX, a testing tool that monitors the behavior of a CAN node under different bus and error conditions and flags conditions that cause unexpected node behavior. Using CANOX, we found three major undiscovered vulnerabilities in the CAN standard that could be exploited to launch a variety of attacks. Combining the three vulnerabilities, we construct the Scan-Then-Strike Attack (STS), a multi-staged attack in which an attacker with no previous knowledge of the vehicle’s internals maps the vehicle’s CAN bus, identifies a safety-critical ECU, swiftly silences it, and persistently prevents it from recovering. We validate the practicality of STS by evaluating it on a CAN bus testbed and a real vehicle.
