Skip to main content
SpringerLink
Log in
Book cover

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIMVA 2017: Detection of Intrusions and Malware, and Vulnerability Assessment pp 185–206Cite as

A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10327))

Abstract

Modern vehicles incorporate tens of electronic control units (ECUs), driven by as much as 100,000,000 lines of code. They are tightly interconnected via internal networks, mostly based on the CAN bus standard. Past research showed that, by obtaining physical access to the network or by remotely compromising a vulnerable ECU, an attacker could control even safety-critical inputs such as throttle, steering or brakes. In order to secure current CAN networks from cyberattacks, detection and prevention approaches based on the analysis of transmitted frames have been proposed, and are generally considered the most time- and cost-effective solution, to the point that companies have started promoting aftermarket products for existing vehicles.

In this paper, we present a selective denial-of-service attack against the CAN standard which does not involve the transmission of any complete frames for its execution, and thus would be undetectable via frame-level analysis. As the attack is based on CAN protocol weaknesses, all CAN bus implementations by all manufacturers are vulnerable. In order to precisely investigate the time, money and expertise needed, we implement an experimental proof-of-concept against a modern, unmodified vehicle and prove that the barrier to entry is extremely low. Finally, we present a discussion of our threat analysis, and propose possible countermeasures for detecting and preventing such an attack.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    The reason is that spoofed frames will be sent at the same time as legitimate frames. Thus, in order to trick the receiving ECU into considering only the maliciously crafted messages, these must be sent at a much faster rate with respect to the rightful ones.

  2. 2.

    With the exception of the Arbitration Field and the ACK Field, in which a bus value different than the transmitted one is an expected condition in regular CAN protocol operations.

References

  1. All bill information (except text) for s.1806 - SPY car act of 2015. https://www.congress.gov/bill/114th-congress/senate-bill/1806/all-info

  2. Argussec: ARGUSidps. https://argus-sec.com/solutions/

  3. Barranco, M., Rodriguez-Navas, G., Proenza, J., Almeida, L.: CANcentrate: an active star topology for CAN networks, pp. 219–228, September 2004. http://iestcfa.org/bestpaper/wfcs04/WFCS04_Barranco.pdf

  4. Checkoway, S., et al.: Comprehensive experimental analyses of automotive attack surfaces. http://www.autosec.org/pubs/cars-usenixsec2011.pdf

  5. Cho, K.T., Shin, K.G.: Error handling of in-vehicle networks makes them vulnerable. In: CCS 2016, USA, pp. 1044–1055 (2016). http://doi.acm.org/10.1145/2976749.2978302

  6. Cho, K.T., Shin, K.G.: Fingerprinting electronic control units for vehicle intrusion detection, pp. 911–927. USENIX Association, Austin. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cho

  7. Gessner, D., Barranco, M., Ballesteros, A., Proenza, J.: Designing sfiCAN: a star-based physical fault injector for CAN (2011). https://www.researchgate.net/profile/Julian_Proenza/publication/232259902_Designing_sfiCAN_A_star-based_physical_fault_injector_for_CAN/links/00b7d532161b659ee8000000.pdf

  8. Hoppe, T., Kiltz, S., Dittmann, J.: Security threats to automotive CAN networks – practical examples and selected short-term countermeasures. In: Harrison, M.D., Sujan, M.-A. (eds.) SAFECOMP 2008. LNCS, vol. 5219, pp. 235–248. Springer, Heidelberg (2008). doi:10.1007/978-3-540-87698-4_21

    Chapter  Google Scholar 

  9. Kammerer, R., Frömel, B., Wasicek, A.: Enhancing security in CAN systems using a star coupling router, pp. 237–246, June 2012. http://www.vmars.tuwien.ac.at/documents/extern/3116/canrouter_security.pdf

  10. Koscher, K., et al.: Experimental security analysis of a modern automobile, May 2010. http://www.autosec.org/pubs/cars-oakland2010.pdf

  11. Kvaser: Microcontrollers with CAN (2016). https://www.kvaser.com/about-can/can-education/can-controllers-transceivers/microcontrollers-with-can/

  12. Larson, U.E., Nilsson, D.K., Jonsson, E.: An approach to specification-based attack detection for in-vehicle networks, June 2008. http://ieeexplore.ieee.org/document/4621263/

  13. Miller, C., Valasek, C.: A survey of remote automotive attack surfaces, August 2014. http://illmatics.com/remote%20attack%20surfaces.pdf

  14. Miller, C., Valasek, C.: Remote exploitation of an unaltered passenger vehicle, August 2015. http://illmatics.com/Remote%20Car%20Hacking.pdf

  15. National Instruments: Controller area network (CAN) overview. http://www.ni.com/white-paper/2732/en/

  16. National Instruments: Introduction to the local interconnect network (LIN) bus. http://www.ni.com/white-paper/9733/en/

  17. NNG: Arilou cyber security. https://www.nng.com/arilou-cyber-security/

  18. ON Semiconductor: Basics of in-vehicle networking (IVN) protocols. http://www.onsemi.com/pub/Collateral/TND6015-D.PDF

  19. SAE International: Global OBD legislation update (worldwide requirements). http://www.sae.org/events/training/symposia/obd/presentations/2009/d1daveferris.pdf

  20. Song, H.M., Kim, H.R., Kim, H.K.: Intrusion detection system based on the analysis of time intervals of CAN messages for in-vehicle network, January 2016. http://ieeexplore.ieee.org/document/7427089/

  21. Taylor, A., Japkowicz, N., Leblanc, S.: Frequency-based anomaly detection for the automotive CAN bus, December 2015. http://ieeexplore.ieee.org/document/7420322/

  22. The Verge: Tesla driver killed in crash with autopilot active, NHTSA investigating, June 2016. http://www.theverge.com/2016/6/30/12072408/tesla-autopilot-car-crash-death-autonomous-model-s

  23. Towersec: ECUShield. http://tower-sec.com/ecushield/

  24. United States Environmental Protection Agency: Control of air pollution from new motor vehicles and new motor vehicle engines. http://www.epa.gov/fedrgstr/EPA-AIR/2005/December/Day-20/a23669.htm

  25. United States Government Accountability Office: VEHICLE CYBERSECURITY - DOT and industry have efforts under way, but DOT needs to define its role in responding to a realworld attack, March 2016. http://www.gao.gov/assets/680/676064.pdf

  26. Valasek, C., Miller, C.: Adventures in automotive networks and control units, August 2013. http://www.ioactive.com/pdfs/IOActive_Adventures_in_Automotive_Networks_and_Control_Units.pdf

  27. Valdes, A., Cheung, S.: Communication pattern anomaly detection in process control systems, May 2009. http://ieeexplore.ieee.org/document/5168010/

  28. Waibel, A.: The art of bit-banging: Gaining full control of (nearly) any bus protocol, June 2016. https://www.youtube.com/watch?v=sMmc0hSi5rs

  29. Wolf, M., Weimerskirch, A., Paar, C.: Security in automotive bus systems (2004). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.92.728&rep=rep.1&type=pdf

Download references

Author information

Authors and Affiliations

  1. Dipartimento di Elettronica, Informazione e Bioingegneria, Politecnico di Milano, Milan, Italy

    Andrea Palanca & Stefano Zanero

  2. Linklayer Labs, Toronto, Canada

    Eric Evenchick

  3. FTR, Trend Micro, Inc., Milan, Italy

    Federico Maggi

Authors
  1. Andrea Palanca
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Eric Evenchick
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Federico Maggi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Stefano Zanero
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Andrea Palanca , Eric Evenchick , Federico Maggi or Stefano Zanero .

Editor information

Editors and Affiliations

  1. Stony Brook University, Stony Brook, New York, USA

    Michalis Polychronakis

  2. University of Bonn and Fraunhofer FKIE, Bonn, Germany

    Michael Meier

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Palanca, A., Evenchick, E., Maggi, F., Zanero, S. (2017). A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-60876-1_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation