CANflict: Exploiting Peripheral Conflicts for Data-Link Layer Attacks on Automotive Networks
Current research in the automotive domain has proven the limitations of the
CAN protocol from a security standpoint. Application-layer attacks, which
involve the creation of malicious packets, are deemed feasible from remote but
can be easily detected by modern IDS. On the other hand, more recent link-layer
attacks are stealthier and possibly more disruptive but require physical access
to the bus. In this paper, we present CANflict, a software-only approach that
allows reliable manipulation of the CAN bus at the data link layer from an
unmodified microcontroller, overcoming the limitations of state-of-the-art
works. We demonstrate that it is possible to deploy stealthy CAN link-layer
attacks from a remotely compromised ECU, targeting another ECU on the same CAN
network. To do this, we exploit the presence of pin conflicts between
microcontroller peripherals to craft polyglot frames, which allows an attacker
to control the CAN traffic at the bit level and bypass the protocol's rules. We
experimentally demonstrate the effectiveness of our approach on high-, mid-,
and low-end microcontrollers, and we provide the ground for future research by
releasing an extensible tool that can be used to implement our approach on
different platforms and to build CAN countermeasures at the data link layer.
Comment: To appear in CCS'2
CANnolo: An Anomaly Detection System based on LSTM Autoencoders for Controller Area Network
Automotive security has gained significant traction in the last decade thanks to the development of new connectivity features that have brought the vehicle from an isolated environment to an externally facing domain. Researchers have shown that modern vehicles are vulnerable to multiple types of attacks leveraging remote, direct and indirect physical access, which allow attackers to gain control and affect safety-critical systems. Conversely, Intrusion Detection Systems (IDSs) have been proposed by both industry and academia to identify attacks and anomalous behaviours. In this paper, we propose CANnolo, an IDS based on Long Short-Term Memory (LSTM) autoencoders to identify anomalies in Controller Area Networks (CANs). During a training phase, CANnolo automatically analyzes the CAN streams and builds a model of the legitimate data sequences. Then, it detects anomalies by computing the difference between the reconstructed sequences and the respective real sequences. We experimentally evaluated CANnolo on a set of simulated attacks applied over a real-world dataset. We show that our approach outperforms the state-of-the-art model by improving the detection rate and precision.
A Secure-by-Design Framework for Automotive On-board Network Risk Analysis
Vehicles have evolved from isolated and mechanical systems into complex ecosystems of on-board networks composed of Electronic Control Units (ECUs), sensors and actuators, which govern their functionalities. These networks have been traditionally designed as trusted, closed systems, but modern needs have opened them to remote and local connections. Researchers have shown that modern vehicles are vulnerable to multiple types of attacks leveraging remote and physical access, which allow attackers to gain control and affect safety-critical systems. Therefore, the interest of manufacturers in embedding security into the design phase of new vehicles is rising. In this paper, we propose a semi-automated, topology-based risk analysis framework that helps in designing and assessing the security of automotive on-board networks. The tool receives the network topology as an input and evaluates its security using state-of-the-art risk metrics. Then, it provides the analyst with security-hardened network topologies as a countermeasure against the most dangerous attacks. We evaluate our approach on known topologies and demonstrate its effectiveness.
CopyCAN: An Error-Handling Protocol based Intrusion Detection System for Controller Area Network
In the last years, the automotive industry has incorporated more and more electronic components in vehicles, leading to complex on-board networks of Electronic Control Units (ECUs) that communicate with each other to control all vehicle functions, making it safer and easier to drive. This communication often relies on Controller Area Network (CAN), a bus communication protocol that defines a standard for real-time, reliable and efficient transmission. However, CAN does not provide any security measure against cyber attacks. In particular, it lacks message authentication, leading to the possibility of transmitting spoofed CAN messages for malicious purposes. Nowadays, Intrusion Detection Systems (IDSs) detect such attacks by identifying inconsistencies in the stream of information allegedly transmitted by a single ECU, hence assuming the existence of a second malicious node generating these messages. However, attackers can bypass this defense technique by disconnecting from the network the ECU whose messages they want to spoof, therefore removing the authentic source of information. To counter this attack, we present CopyCAN, an Intrusion Detection System (IDS) that detects whether a node has been disconnected by monitoring the traffic and deriving the error counters of ECUs on CAN. Through this process, it flags subsequent spoofed messages as attacks and reacts accordingly even if there is no inconsistency in the stream of information. Our system, differently from many previous works, does not require any modification to the protocol or to already installed ECUs. Instead, it only requires the installation of a monitoring unit on the existing network, making it easily deployable in current systems and compliant with required CAN standards.
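The detection idea behind CopyCAN, as an added illustration that is not the authors' code: a passive monitoring node can mirror the fault-confinement logic that every CAN controller runs internally. It observes which arbitration ID each frame carries and whether the frame completed or was aborted by an error frame, applies the ISO 11898-1 transmit error counter (TEC) rules to the ECU that owns that ID, and declares the ECU bus-off once its derived TEC exceeds 255. Any later frame with that ECU's ID cannot come from the real sender, so it is flagged even though the payload stream itself looks consistent. The ID-to-ECU mapping, the `BusEvent` shape and the attacker scenario below are constructed assumptions for the example; bus-off recovery (128 occurrences of 11 recessive bits) is not modelled.

```python
"""
Constructed example: deriving CAN transmit error counters from observed
traffic and flagging frames that carry the ID of a node believed bus-off.

Assumptions (this example's, not the paper's):
  * every CAN ID is statically bound to one sender ECU, as is usual in
    automotive networks, so the monitor can attribute a frame to a node;
  * the monitor sees, for each transmission attempt, the arbitration ID and
    whether the attempt was acknowledged or interrupted by an error frame;
  * fault confinement follows ISO 11898-1 in simplified form:
    TEC += 8 on a transmit error, TEC -= 1 on a successful transmission,
    error-passive above 127, bus-off above 255.
"""
from __future__ import annotations

from dataclasses import dataclass

TX_ERROR_INC = 8           # TEC increment when the transmitter detects an error
TX_OK_DEC = 1              # TEC decrement on a successfully acknowledged frame
ERROR_PASSIVE_THRESHOLD = 127
BUS_OFF_THRESHOLD = 255


@dataclass
class BusEvent:
    """One transmission attempt as seen on the bus (constructed input shape)."""
    can_id: int
    ok: bool               # True: frame acknowledged; False: aborted by an error frame


@dataclass
class NodeState:
    tec: int = 0
    bus_off: bool = False


class CopyCanMonitor:
    """Passive monitor that shadows each ECU's TEC from observed bus events."""

    def __init__(self, id_to_node: dict[int, str]) -> None:
        self.id_to_node = id_to_node
        self.nodes = {name: NodeState() for name in id_to_node.values()}

    def state(self, node: str) -> NodeState:
        return self.nodes[node]

    def observe(self, ev: BusEvent) -> str:
        """Update the derived TEC of the ID's owner and return a verdict."""
        node = self.id_to_node.get(ev.can_id)
        if node is None:
            return "unknown-id"
        st = self.nodes[node]
        if st.bus_off:
            # The legitimate owner is off the bus, so someone else sent this.
            return "spoofed"
        if ev.ok:
            st.tec = max(0, st.tec - TX_OK_DEC)
            return "ok"
        st.tec += TX_ERROR_INC
        if st.tec > BUS_OFF_THRESHOLD:
            st.bus_off = True
            return "bus-off"
        if st.tec > ERROR_PASSIVE_THRESHOLD:
            return "error-passive"
        return "error"


def attack_scenario() -> tuple[list[str], CopyCanMonitor]:
    """Constructed scenario: an attacker aborts every frame of ECU_A until it
    goes bus-off, then transmits a frame with ECU_A's ID itself."""
    mon = CopyCanMonitor({0x100: "ECU_A", 0x200: "ECU_B"})
    verdicts = []
    for _ in range(5):                       # normal traffic from ECU_A
        verdicts.append(mon.observe(BusEvent(0x100, True)))
    for _ in range(32):                      # 32 forced errors: 32 * 8 = 256 > 255
        verdicts.append(mon.observe(BusEvent(0x100, False)))
    verdicts.append(mon.observe(BusEvent(0x100, True)))  # attacker's injected frame
    return verdicts, mon


if __name__ == "__main__":
    log, monitor = attack_scenario()
    print("ECU_A derived TEC:", monitor.state("ECU_A").tec,
          "bus-off:", monitor.state("ECU_A").bus_off)
    print("final verdict on injected 0x100 frame:", log[-1])
```

The final injected frame is the one a stream-consistency IDS would miss: with the real ECU_A silenced there is no second source to contradict it. The monitor only needs to have counted the error frames that preceded it.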