DOI: 10.1145/3548606.3560618
research-article
Open access

CANflict: Exploiting Peripheral Conflicts for Data-Link Layer Attacks on Automotive Networks

Published: 07 November 2022

Abstract

Current research in the automotive domain has proven the limitations of the Controller Area Network (CAN) protocol from a security standpoint. Application-layer attacks, which involve the creation of malicious packets, are deemed feasible remotely but can be easily detected by modern Intrusion Detection Systems (IDSs). On the other hand, more recent link-layer attacks are stealthier and possibly more disruptive but require physical access to the bus. In this paper, we present CANflict, a software-only approach that allows reliable manipulation of the CAN bus at the data link layer from an unmodified microcontroller, overcoming the limitations of state-of-the-art works. We demonstrate that it is possible to deploy stealthy CAN link-layer attacks from a remotely compromised ECU, targeting another ECU on the same CAN network. To do this, we exploit the presence of pin conflicts between microcontroller peripherals to craft polyglot frames, which allows an attacker to control the CAN traffic at the bit level and bypass the protocol's rules. We experimentally demonstrate the effectiveness of our approach on high-, mid-, and low-end microcontrollers, and we provide the ground for future research by releasing an extensible tool that can be used to implement our approach on different platforms and to build CAN countermeasures at the data link layer.


      Published In

      CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
      November 2022
      3598 pages
      ISBN:9781450394505
      DOI:10.1145/3548606
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. automotive security
      2. conflicting peripherals
      3. controller area network
      4. hardware attacks
      5. polyglot frames

      Qualifiers

      • Research-article

      Conference

      CCS '22

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Article Metrics

      • Downloads (Last 12 months)519
      • Downloads (Last 6 weeks)53
      Reflects downloads up to 30 Aug 2024

      Cited By

      • (2024) A comprehensive guide to CAN IDS data and introduction of the ROAD dataset. PLOS ONE 19:1 (e0296879). https://doi.org/10.1371/journal.pone.0296879. Online publication date: 22-Jan-2024
      • (2024) Techniques for Enhancing Security in Industrial Control Systems. ACM Transactions on Cyber-Physical Systems 8:1 (1-36). https://doi.org/10.1145/3630103. Online publication date: 15-Jan-2024
      • (2024) CyFence: Securing Cyber-Physical Controllers via Trusted Execution Environment. IEEE Transactions on Emerging Topics in Computing 12:2 (521-531). https://doi.org/10.1109/TETC.2023.3268412. Online publication date: Apr-2024
      • (2023) Yes we CAN! Proceedings of the 20th ACM International Conference on Computing Frontiers (352-357). https://doi.org/10.1145/3587135.3592818. Online publication date: 9-May-2023
      • (2023) Many-Objective Optimization Based Intrusion Detection for in-Vehicle Network Security. IEEE Transactions on Intelligent Transportation Systems 24:12 (15051-15065). https://doi.org/10.1109/TITS.2023.3296002. Online publication date: 25-Jul-2023
      • (2023) CANShield: Deep-Learning-Based Intrusion Detection Framework for Controller Area Networks at the Signal Level. IEEE Internet of Things Journal 10:24 (22111-22127). https://doi.org/10.1109/JIOT.2023.3303271. Online publication date: 15-Dec-2023
      • (2023) CANova. Computers and Security 128:C. https://doi.org/10.1016/j.cose.2023.103166. Online publication date: 1-May-2023
      • (2023) Evaluating the Robustness of Automotive Intrusion Detection Systems Against Evasion Attacks. Cyber Security, Cryptology, and Machine Learning (337-352). https://doi.org/10.1007/978-3-031-34671-2_24. Online publication date: 29-Jun-2023
