CAN-SQUARE - Decimeter Level Localization of Electronic Control Units on CAN Buses

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12972)

Abstract

The CAN bus survived inside cars for more than three decades due to its simplicity and effectiveness while protecting it calls for solutions that are equally simple and effective. In this work we propose an efficient mechanism that achieves decimeter-level precision in localizing Electronic Control Units (ECUs) on the CAN bus. The proposed methodology requires two connections at the ends of the bus and a single rising edge, i.e., the start of a dominant bit. Since several such rising edges are present in every frame, malicious devices may be easily localized with high accuracy from single frame injections. Our methodology requires only elementary computations, e.g., additions and multiplications, which are trivial to perform and implement. We prove the feasibility of the proposed methodology inside a real car and perform more demanding experiments in a laboratory setup where we record modest overlaps only between nodes that are 10 cm apart. We prove resilience against replacement and insertion attacks as well as against temperature variations in the range of 0–60 \({}^\circ \)C.

  • DOI: 10.1007/978-3-030-88418-5_32
  • Chapter length: 23 pages

Correspondence to Bogdan Groza.

Appendices

Appendix A - Experimental Setup

Figure 16 (i) provides a depiction of our newly built experimental setup which uses an industry grade CAN bus cable. The bus is terminated at each end by a split termination as commonly employed in industry applications with two \(60\,\Omega \) resistors in series (totaling \(120\,\Omega \)) and a capacitor of 10 nF to remove noise.

Fig. 16. The clean network (i) and the network dropped inside a refrigerator at 0 \({}^\circ \)C (ii)

To avoid overloading the picture, only 5 devices are connected to the bus, which corresponds to the clean network in Scenario B. Figure 16 (ii) shows the network placed inside the refrigerator, where it was kept for 1 h. We intentionally placed the cable and devices in the refrigerator with no attempt to preserve the bus geometry of the original setup. Somewhat surprisingly for us, even though the geometry of the bus changed drastically and the temperature dropped from a room temperature of 24 \({}^\circ \)C to 0 \({}^\circ \)C, the impact on the reported lengths was insignificant (variations on the order of several centimeters at most). To record data at higher temperatures, the clean setup was placed inside a sealed box to avoid heat dissipation, and 4 hair dryers were used to heat it for 30 min at 50 \({}^\circ \)C and 60 \({}^\circ \)C.

Appendix B - BCW and FWD-SQUARE Algorithms

Algorithm 1 presents the bus monitor, which reads voltage samples \(v_l, v_r\) on CAN-H at the left and right sides of the bus and appends them to the buffers \(\widetilde{v}_l, \widetilde{v}_r\) (lines 2–3) until a threshold \(\tau \) is exceeded on both sides (line 5). The threshold \(\tau \) was set to 2.75 V, which is the minimum acceptable dominant voltage on CAN-H according to ISO specifications. When this threshold is met, the FWD or BCW functions extract the time of the rising edge at the left and right of the bus, i.e., \(t_l, t_r\), and the position \(\pi \) is computed (lines 6–8).

Algorithms 2 and 3 present the FWD and BCW functions. The FWD-SQUARE function proceeds from the left to the end of the array (indexes 0 to \(b-1\)) until the slope exceeds the value of \(\alpha \) (lines 3–4). The BCW-SQUARE function first proceeds from left to right until the voltage reaches the threshold \(\tau \), to avoid starting on a bit plateau (line 3). Then the index is decremented until the slope drops below the value of \(\alpha \) (line 5).
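The bus monitor and the two edge detectors described above, written out as an added Python example; this is not the paper's own listing. It assumes that slope means the difference between consecutive samples, a 0.5 ns sampling period, a time-difference-of-arrival position formula with taps at the two bus ends, and constructed traces; the parameter \(w\) from the tables is not modelled.

```python
from statistics import median

TAU = 2.75            # V, dominant threshold on CAN-H quoted in Appendix B
DELAY_NS_PER_M = 5.0  # nominal cable delay quoted in Appendix D; real cables deviate
TS_NS = 0.5           # assumed sampling period, not taken from the paper

def fwd_square(v, alpha):
    """Scan indexes 0..b-1; return the first index whose slope exceeds alpha."""
    for i in range(len(v) - 1):
        if v[i + 1] - v[i] > alpha:   # slope = per-sample difference (assumption)
            return i
    return None

def bcw_square(v, alpha, tau=TAU):
    """Advance to the first sample at tau, then step back while slope >= alpha."""
    i = next((k for k, x in enumerate(v) if x >= tau), None)
    if i is None:
        return None
    while i > 0 and v[i] - v[i - 1] >= alpha:
        i -= 1
    return i

def position_m(t_l_ns, t_r_ns, bus_len_m):
    """Distance from the left tap by time difference of arrival (assumed formula)."""
    return (bus_len_m + (t_l_ns - t_r_ns) / DELAY_NS_PER_M) / 2.0

def monitor(stream_l, stream_r, bus_len_m, edge=bcw_square, alpha=0.05):
    """Buffer both taps until each exceeds tau, then localize the sender."""
    buf_l, buf_r = [], []
    for v_l, v_r in zip(stream_l, stream_r):
        buf_l.append(v_l)
        buf_r.append(v_r)
        if v_l > TAU and v_r > TAU:
            i_l, i_r = edge(buf_l, alpha), edge(buf_r, alpha)
            if i_l is None or i_r is None:
                return None           # no slope matched alpha: discard capture
            return position_m(i_l * TS_NS, i_r * TS_NS, bus_len_m)
    return None                       # edge never reached both taps

def synth_edge(onset, n=80, rise=8, low=2.5, high=3.5):
    """Constructed CAN-H trace: recessive level, then a linear rising edge."""
    return [low + (high - low) * min(max(i - onset, 0), rise) / rise for i in range(n)]

def locate_frame(captures, bus_len_m):
    """Median position over several rising edges captured from one frame."""
    pos = [p for p in (monitor(l, r, bus_len_m) for l, r in captures) if p is not None]
    return median(pos) if pos else None

# Constructed edge onsets for a node 1.5 m from the left tap on a 5 m bus, +/-1 sample jitter
CAPTURES = [(synth_edge(a), synth_edge(b)) for a, b in [(25, 45), (25, 46), (24, 45), (25, 45), (26, 45)]]
```

With the constructed captures, `locate_frame(CAPTURES, 5.0)` takes the median of five per-edge estimates, so a one-sample jitter on individual edges does not move the reported position.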

Appendix C - Complementary Data Regarding Distances

In Fig. 17 we also present the raw distances and their histogram distributions as computed for Scenario A for the 10 ECUs. Note that there are overlaps between the first three and the last two devices, but these are separated by only 10 cm and 20 cm of wire, respectively. This is an extremely small distance and, even so, the devices can be distinguished over multiple samples.

Figure 18 shows the convergence of the mean values in contrast to the median values as the number of samples grows. It can be easily seen that the median value converges faster: a dozen samples are generally sufficient to establish the location, and these can be extracted from a single frame. The plots are for the BCW-SQUARE method applied to the nodes in Scenario B. The FWD-SQUARE method has lower accuracy, as previously discussed.

Fig. 17. Reported distances for the 10 devices in Scenario A and their histogram distributions

Fig. 18. Convergence of mean (i) and median (ii) values toward the real distance

Appendix D - Additional Numerical Data for Scenario B

Tables 3 and 4 give the numerical values as medians \(\mathbf {M}\) and means \(\mu \) over all the collected samples for each node with the forward and backward square methods. The backward square method is more accurate.

Tables 5 and 6 provide the true distances along with the resulting errors. Again, note that since no cable has exactly the \(5\,\text {ns}/\text {m}\) propagation speed, small variations are expected. The results clearly indicate that the professional CAN bus cable has lower propagation delays, so the distances appear smaller than in the previous experiments. FWD-SQUARE provided less accuracy; we attempted a software interpolation to increase the sampling rate by 2x–8x, but the benefits were small and BCW-SQUARE remained more accurate.

Interestingly, the distances are almost unaffected by temperature variations. The effects of 2 adversaries are similarly low; only when 3 adversaries are connected to the bus are the distances more visibly affected. Such a scenario with 3 adversaries would be less likely on an in-vehicle bus.

Table 3. Scenario B.2 - single insertions FWD-SQUARE \(\alpha =2, w=100\)
Table 4. Scenario B.2 - single insertions BCW-SQUARE \(\alpha =1, w=25\)
Table 5. Scenarios B.1 and B.3 temperature variations and multiple insertions FWD SQUARE \(\alpha =2, w=200\) (8x)
Table 6. Scenario B.1 and B.3 temperature variations and multiple insertions BCW SQUARE \(\alpha =0.25, w=25\)

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Groza, B., Murvay, PS., Popa, L., Jichici, C. (2021). CAN-SQUARE - Decimeter Level Localization of Electronic Control Units on CAN Buses. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science, vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_32

  • DOI: https://doi.org/10.1007/978-3-030-88418-5_32

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer Science, Computer Science (R0)