A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10327)

Abstract

Modern vehicles incorporate tens of electronic control units (ECUs), driven by as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based on the CAN bus standard. Past research showed that, by obtaining physical access to the network or by remotely compromising a vulnerable ECU, an attacker could control even safety-critical inputs such as throttle, steering or brakes. In order to secure current CAN networks from cyberattacks, detection and prevention approaches based on the analysis of transmitted frames have been proposed, and are generally considered the most time- and cost-effective solution, to the point that companies have started promoting aftermarket products for existing vehicles.

In this paper, we present a selective denial-of-service attack against the CAN standard which does not involve the transmission of any complete frames for its execution, and thus would be undetectable via frame-level analysis. As the attack is based on CAN protocol weaknesses, all CAN bus implementations by all manufacturers are vulnerable. In order to precisely investigate the time, money and expertise needed, we implement an experimental proof-of-concept against a modern, unmodified vehicle and prove that the barrier to entry is extremely low. Finally, we present a discussion of our threat analysis, and propose possible countermeasures for detecting and preventing such an attack.

References

  1. 1.
    All bill information (except text) for s.1806 - SPY car act of 2015. https://www.congress.gov/bill/114th-congress/senate-bill/1806/all-info
  2. 2.
    Argussec: ARGUSidps. https://argus-sec.com/solutions/
  3. 3.
    Barranco, M., Rodriguez-Navas, G., Proenza, J., Almeida, L.: CANcentrate: an active star topology for CAN networks, pp. 219–228, September 2004. http://iestcfa.org/bestpaper/wfcs04/WFCS04_Barranco.pdf
  4. 4.
    Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. http://www.autosec.org/pubs/cars-usenixsec2011.pdf
  5. 5.
    Cho, K.T., Shin, K.G.: Error handling of in-vehicle networks makes them vulnerable. In: CCS 2016, USA, pp. 1044–1055 (2016). http://doi.acm.org/10.1145/2976749.2978302
  6. 6.
    Cho, K.T., Shin, K.G.: Fingerprinting electronic control units for vehicle intrusion detection, pp. 911–927. USENIX Association, Austin. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cho
  7. 7.
    Gessner, D., Barranco, M., Ballesteros, A., Proenza, J.: Designing sfiCAN: a star-based physical fault injector for CAN (2011). https://www.researchgate.net/profile/Julian_Proenza/publication/232259902_Designing_sfiCAN_A_star-based_physical_fault_injector_for_CAN/links/00b7d532161b659ee8000000.pdf
  8. 8.
    Hoppe, T., Kiltz, S., Dittmann, J.: Security threats to automotive CAN networks – practical examples and selected short-term countermeasures. In: Harrison, M.D., Sujan, M.-A. (eds.) SAFECOMP 2008. LNCS, vol. 5219, pp. 235–248. Springer, Heidelberg (2008). doi:10.1007/978-3-540-87698-4_21 CrossRefGoogle Scholar
  9. 9.
    Kammerer, R., Frömel, B., Wasicek, A.: Enhancing security in CAN systems using a star coupling router, pp. 237–246, June 2012. http://www.vmars.tuwien.ac.at/documents/extern/3116/canrouter_security.pdf
  10. 10.
    Koscher, K., et al.: Experimental security analysis of a modern automobile, May 2010. http://www.autosec.org/pubs/cars-oakland2010.pdf
  11. 11.
  12. 12.
    Larson, U.E., Nilsson, D.K., Jonsson, E.: An approach to specification-based attack detection for in-vehicle networks, June 2008. http://ieeexplore.ieee.org/document/4621263/
  13. 13.
    Miller, C., Valasek, C.: A survey of remote automotive attack surfaces, August 2014. http://illmatics.com/remote%20attack%20surfaces.pdf
  14. 14.
    Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle, August 2015. http://illmatics.com/Remote%20Car%20Hacking.pdf
  15. 15.
    National Instruments: Controller area network (CAN) overview. http://www.ni.com/white-paper/2732/en/
  16. 16.
    National Instruments: Introduction to the local interconnect network (LIN) bus. http://www.ni.com/white-paper/9733/en/
  17. 17.
    NNG: Arilou cyber security. https://www.nng.com/arilou-cyber-security/
  18. 18.
    ON Semiconductor: Basics of in-vehicle networking (IVN) protocols. http://www.onsemi.com/pub/Collateral/TND6015-D.PDF
  19. 19.
    SAE International: Global OBD legislation update (worldwide requirements). http://www.sae.org/events/training/symposia/obd/presentations/2009/d1daveferris.pdf
  20. 20.
    Song, H.M., Kim, H.R., Kim, H.K.: Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network, January 2016. http://ieeexplore.ieee.org/document/7427089/
  21. 21.
    Taylor, A., Japkowicz, N., Leblanc, S.: Frequency-based anomaly detection for the automotive CAN bus, December 2015. http://ieeexplore.ieee.org/document/7420322/
  22. 22.
    The Verge: Tesla driver killed in crash with autopilot active, NHTSA investigating, June 2016. http://www.theverge.com/2016/6/30/12072408/tesla-autopilot-car-crash-death-autonomous-model-s
  23. 23.
    Towersec: ECUShield. http://tower-sec.com/ecushield/
  24. 24.
    United States Environmental Protection Agency: Control of air pollution from new motor vehicles and new motor vehicle engines. http://www.epa.gov/fedrgstr/EPA-AIR/2005/December/Day-20/a23669.htm
  25. 25.
    United States Government Accountability Office: VEHICLE CYBERSECURITY - DOT and industry have efforts under way, but DOT needs to define its role in responding to a realworld attack, March 2016. http://www.gao.gov/assets/680/676064.pdf
  26. 26.
    Valasek, C., Miller, C.: Adventures in automotive networks and control units, August 2013. http://www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf
  27. 27.
    Valdes, A., Cheung, S.: Communication pattern anomaly detection in process control systems, May 2009. http://ieeexplore.ieee.org/document/5168010/
  28. 28.
    Waibel, A.: The art of bit-banging: Gaining full control of (nearly) any bus protocol, June 2016. https://www.youtube.com/watch?v=sMmc0hSi5rs
  29. 29.
    Wolf, M., Weimerskirch, A., Paar, C.: Security in automotive bus systems (2004). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep.1&type=pdf

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Dipartimento di Elettronica, Informazione e BioingegneriaPolitecnico di MilanoMilanItaly
  2. 2.Linklayer LabsTorontoCanada
  3. 3.FTRTrend Micro, Inc.MilanItaly

Personalised recommendations