INCANTA - INtrusion Detection in Controller Area Networks with Time-Covert Authentication

  • Bogdan GrozaEmail author
  • Lucian Popa
  • Pal-Stefan Murvay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11552)


We explore the use of delays to create a time-covert cryptographic authentication channel on the CAN bus. The use of clock skews has been recently proposed for detecting intrusions on CAN, using similar mechanisms that were previously exploited in computer or mobile networks in the past decade. However, the fine-grained control of timers easily allows controllers to adjust their clock potentially making such mechanisms ineffective as we argue here and was also proved by a recent research work. We exploit this potential shortcoming in a constructive sense, i.e., the accuracy of arrival times on in-vehicle buses and the fine-grained control of timer/counter circuits on automotive controllers allows us to use time as a covert channel to carry cryptographic authentication. Based on this procedure we propose an effective authentication and intrusion detection mechanism that is fully back-ward compatible with legacy implementations on CAN. Our proposal directly applies to any modern in-vehicle bus, e.g., CAN-FD, FlexRay, etc.



We thank the reviewers for their comments which have helped us to improve our work. This work was supported by a grant of the Romanian National Authority for Scientific Research and Innovation, CNCS-UEFISCDI, project number PN-II-RU-TE-2014-4-1501 (2015–2017)


  1. 1.
    AUTOSAR: Specification of Secure Onboard Communication, 4.3.1 edn (2017)Google Scholar
  2. 2.
    Boudguiga, A., Klaudel, W., Boulanger, A., Chiron, P.: A simple intrusion detection method for controller area network. In: 2016 IEEE International Conference on Communications (ICC), pp. 1–7. IEEE (2016)Google Scholar
  3. 3.
    Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. In: USENIX Security Symposium, San Francisco (2011)Google Scholar
  4. 4.
    Cho, K.-T., Shin, K. G.: Fingerprinting electronic control units for vehicle intrusion detection. In: 25th USENIX Security Symposium (2016)Google Scholar
  5. 5.
    Choi, W., Joo, K., Jo, H.J., Park, M.C., Lee, D.H.: VoltageIDS: low-level communication characteristics for automotive intrusion detection system. IEEE Trans. Inf. Forensics Secur. 13(8), 2114–2129 (2018)CrossRefGoogle Scholar
  6. 6.
    Cristea, M., Groza, B.: Fingerprinting smartphones remotely via ICMP timestamps. IEEE Commun. Lett. 17(6), 1081–1083 (2013)CrossRefGoogle Scholar
  7. 7.
    Giannopoulos, H., Wyglinski, A.M., Chapman, J.: Securing vehicular controller area networks: an approach to active bus-level countermeasures. IEEE Veh. Technol. Mag. 12(4), 60–68 (2017)CrossRefGoogle Scholar
  8. 8.
    Groza, B., Murvay, S., van Herrewege, A., Verbauwhede, I.: LiBrA-CAN: a lightweight broadcast authentication protocol for controller area networks. In: Pieprzyk, J., Sadeghi, A.-R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 185–200. Springer, Heidelberg (2012). Scholar
  9. 9.
    Groza, B., Murvay, S.: Efficient protocols for secure broadcast in controller area networks. IEEE Trans. Industr. Inf. 9(4), 2034–2042 (2013)CrossRefGoogle Scholar
  10. 10.
    Hartkopp, O., Reuber, C., Schilling, R.: MaCAN-message authenticated CAN. In: 10th International Conference on Embedded Security in Cars (ESCAR 2012) (2012)Google Scholar
  11. 11.
    Hoppe, T., Dittman, J.: Sniffing/replay attacks on can buses: a simulated attack on the electric window lift classified using an adapted cert taxonomy. In: Proceedings of the 2nd Workshop on Embedded Systems Security (WESS), pp. 1–6 (2007)Google Scholar
  12. 12.
    Jain, S., Guajardo, J.: Physical layer group key agreement for automotive controller area networks. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 85–105. Springer, Heidelberg (2016). Scholar
  13. 13.
    Kang, M.-J., Kang, J.-W.: Intrusion detection system using deep neural network for in-vehicle network security. PLoS One 11(6), e0155781 (2016)CrossRefGoogle Scholar
  14. 14.
    Kang, M.-J., Kang, J.-W.: A novel intrusion detection method using deep neural network for in-vehicle network security. In: 2016 IEEE 83rd Vehicular Technology Conference (VTC Spring), pp. 1–5. IEEE (2016)Google Scholar
  15. 15.
    Kohno, T., Broido, A., Claffy, K.C.: Remote physical device fingerprinting. IEEE Trans. Dependable Secure Comput. 2(2), 93–108 (2005)CrossRefGoogle Scholar
  16. 16.
    Koscher, K., et al.: Experimental security analysis of a modern automobile. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 447–462. IEEE (2010)Google Scholar
  17. 17.
    Kurachi, R., Matsubara, Y., Takada, H., Adachi, N., Miyashita, Y., Horihata, S.: CaCAN - centralized authentication system in CAN (controller area network). In: 14th International Conference on Embedded Security in Cars (ESCAR 2014) (2014)Google Scholar
  18. 18.
    Li, H., Zhao, L., Juliato, M., Ahmed, S., Sastry, M.R., Yang, L.L.: POSTER: intrusion detection system for in-vehicle networks using sensor correlation and integration. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2531–2533. ACM (2017)Google Scholar
  19. 19.
    Lin, C.-W., Zhu, Q., Sangiovanni-Vincentelli, A.: Security-aware modeling and efficient mapping for CAN-based real-time distributed automotive systems. IEEE Embed. Syst. Lett. 7(1), 11–14 (2015)CrossRefGoogle Scholar
  20. 20.
    Marchetti, M., Stabili, D., Guido, A., Colajanni, M.: Evaluation of anomaly detection for in-vehicle networks through information-theoretic algorithms. In: Research and Technologies for Society and Industry Leveraging a better Tomorrow (RTSI), pp. 1–6. IEEE (2016)Google Scholar
  21. 21.
    Miller, C., Valasek, C.: Adventures in automotive networks and control units. DEF CON 21, 260–264 (2013)Google Scholar
  22. 22.
    Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle. Black Hat USA (2015)Google Scholar
  23. 23.
    Moon, S.B., Skelly, P., Towsley, D.: Estimation and removal of clock skew from network delay measurements. In: INFOCOM 1999, Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies, Proceedings, vol. 1, pp. 227–234. IEEE (1999)Google Scholar
  24. 24.
    Moore, M.R., Bridges, R.A., Combs, F.L., Starr, M.S., Prowell, S.J.: Modeling inter-signal arrival times for accurate detection of can bus signal injection attacks: a data-driven approach to in-vehicle intrusion detection. In: Proceedings of the 12th Annual Conference on Cyber and Information Security Research, pp. 11. ACM (2017)Google Scholar
  25. 25.
    Mueller, A., Lothspeich, T.: Plug-and-secure communication for CAN. CAN Newsl. 4, 10–14 (2015)Google Scholar
  26. 26.
    Murvay, P.-S., Groza, B.: Source identification using signal characteristics in controller area networks. IEEE Signal Process. Lett. 21(4), 395–399 (2014)CrossRefGoogle Scholar
  27. 27.
    Müter, M., Asaj, N.: Entropy-based anomaly detection for in-vehicle networks. In: 2011 IEEE of the Intelligent Vehicles Symposium (IV), po. 1110–1115. IEEE (2011)Google Scholar
  28. 28.
    Müter, M., Groll, A., Freiling, F.C.: A structured approach to anomaly detection for in-vehicle networks. In: 2010 Sixth International Conference on Information Assurance and Security (IAS), pp. 92–98. IEEE (2010)Google Scholar
  29. 29.
    Narayanan, S.N., Mittal, S., Joshi, A.: \(\text{OBD}\_\text{ SecureAlert }\): an anomaly detection system for vehicles. In: 2016 IEEE International Conference on Smart Computing (SMARTCOMP), pp. 1–6. IEEE (2016)Google Scholar
  30. 30.
    Radu, A.-I., Garcia, F.D.: LeiA: a \(\underline{{\rm L}}\)ightweight auth\(\underline{{\rm e}}\)nticat\(\underline{{\rm i}}\)on protocol for C\(\underline{{\rm A}}\)N. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 283–300. Springer, Cham (2016). Scholar
  31. 31.
    Sagong, S.U., Ying, X., Clark, A., Bushnell, L., Poovendran, R.: Cloaking the clock: emulating clock skew in controller area networks. In: Proceedings of the 9th ACM/IEEE International Conference on Cyber-Physical Systems, pp. 32–42. IEEE Press (2018)Google Scholar
  32. 32.
    Song, H.M., Kim, H.R., Kim, H.K.: Intrusion detection system based on the analysis of time intervals of can messages for in-vehicle network. In: 2016 International Conference on Information Networking (ICOIN), pp. 63–68. IEEE (2016)Google Scholar
  33. 33.
    Studnia, I., Alata, E., Nicomette, V., Kaâniche, M., Laarouchi, Y.: A language-based intrusion detection approach for automotive embedded networks. Int. J. Embed. Syst. 10(1), 1–12 (2018)CrossRefGoogle Scholar
  34. 34.
    Taylor, A., Leblanc, S., Japkowicz, N.: Anomaly detection in automobile control network data with long short-term memory networks. In: 2016 IEEE International Conference on Data Science and Advanced Analytics (DSAA), pp. 130–139. IEEE (2016)Google Scholar
  35. 35.
    Theissler, A.: Detecting known and unknown faults in automotive systems using ensemble-based anomaly detection. Knowl.-Based Syst. 123, 163–173 (2017)CrossRefGoogle Scholar
  36. 36.
    Tian, D., et al.: An intrusion detection system based on machine learning for CAN-Bus. In: Chen, Y., Duong, T.Q. (eds.) INISCOM 2017. LNICST, vol. 221, pp. 285–294. Springer, Cham (2018). Scholar
  37. 37.
    Van Herrewege, A., Singelee, D., Verbauwhede, I.: CANAuth-a simple, backward compatible broadcast authentication protocol for CAN bus. In: ECRYPT Workshop on Lightweight Cryptography, vol. 2011 (2011)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Faculty of Automatics and ComputersPolitehnica University of TimisoaraTimişoaraRomania

Personalised recommendations