Non-invasive Spoofing Attacks for Anti-lock Braking Systems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)


This work exposes a largely unexplored vector of physical-layer attacks with demonstrated consequences in automobiles. By modifying the physical environment around analog sensors such as those used in Antilock Braking Systems (ABS), we exploit weaknesses in wheel speed sensors so that a malicious attacker can inject arbitrary measurements into the ABS computer, which in turn can cause life-threatening situations. In this paper, we describe the development of a prototype ABS spoofer to enable such attacks and the potential consequences of remaining vulnerable to these attacks. The class of sensors sensitive to these attacks depends on the physics of the sensors themselves. ABS relies on magnetic-based wheel speed sensors which are exposed to an external attacker from underneath the body of a vehicle. By placing a thin electromagnetic actuator near the ABS wheel speed sensors, we demonstrate one way in which an attacker can inject magnetic fields to both cancel the true measured signal and inject a malicious signal, thus spoofing the measured wheel speeds. The mounted attack is of a non-invasive nature, requiring no tampering with ABS hardware and making it harder for failure and/or intrusion detection mechanisms to detect the existence of such an attack. This development explores two types of attacks: a disruptive, naive attack aimed at corrupting the measured wheel speed by overwhelming the original signal, and a more advanced spoofing attack designed to inject a counter-signal such that the braking system mistakenly reports a specific velocity. We evaluate the proposed ABS spoofer module using industrial ABS sensors and wheel speed decoders, concluding by outlining the implementation and lifetime considerations of an ABS spoofer with real hardware.


Keywords: Automotive embedded systems; Cyber-physical security; Non-invasive sensor attacks; Magnetic sensors





Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. Cyber-Physical Systems Laboratory, Dept. of Electrical Engineering, University of California at Los Angeles, USA
  2. Networked and Embedded Systems Lab., Dept. of Electrical Engineering, University of California at Los Angeles, USA
