S2-CAN: Sufficiently Secure Controller Area Network
Conference: Annual Computer Security Applications Conference (ACSAC'21), Virtual, December 2021.
As automotive security concerns are rising, the Controller Area Network
(CAN) — the de facto standard of in-vehicle communication
protocol — has come under scrutiny due to its lack of encryption
and authentication. Several vulnerabilities, such as eavesdropping,
spoofing, and replay attacks, have shown that the current implementation
needs to be extended. Both academic and commercial
solutions for a Secure CAN (S-CAN) have been proposed, but OEMs
have not yet integrated them into their products. The main reasons
for this lack of adoption are their heavy use of limited computational
resources in the vehicle, increased latency that can lead to
missed deadlines for safety-critical messages, as well as insufficient
space available in a CAN frame to include a Message Authentication
By making a trade-off between security and performance, we
develop S2-CAN, which overcomes the aforementioned problems
of S-CAN. We leverage protocol-specific properties of CAN instead
of using cryptographic primitives and design a “sufficiently secure”
alternative CAN with minimal overhead on resources and latency.
We evaluate the security of S2-CAN in four real-world vehicles by an
automated vehicular attack tool. We finally show that CAN security
can be guaranteed by the correct choice of a design parameter while
achieving acceptable performance.
SPy: Car Steering Reveals Your Trip Route!
Conference: The 20th Privacy Enhancing Technologies Symposium, Virtual, July 2020.
Vehicular data-collection platforms as part of
Original Equipment Manufacturers’ (OEMs’) connected
telematics services are on the rise in order to provide
diverse connected services to the users. They also allow
the collected data to be shared with third-parties upon
users’ permission. Under the current suggested permission
model, we find these platforms leaking users’ location
information without explicitly obtaining users’
permission. We analyze the accuracy of inferring a vehicle’s
location from seemingly benign steering wheel angle
(SWA) traces, and show its impact on the driver’s
location privacy. By collecting and processing real-life
SWA traces, we can infer the users’ exact traveled routes
with up to 71% accuracy, which is much higher than the
Security Analysis of Android Automotive
Journal: SAE International Journal of Advances and Current Practices in Mobility, 2(2020-01-1295), pp. 2337-2346.
In-vehicle infotainment (IVI) platforms are getting increasingly connected. Besides OEM apps and services, the next generation of IVI platforms are expected to offer integration of third-party apps. Under this anticipated business model, vehicular sensor and event data can be collected and shared with selected third-party apps. To accommodate this trend, Google has been pushing towards standardization among proprietary IVI operating systems with their Android Automotive platform which runs natively on the vehicle’s IVI platform. Unlike Android Auto’s limited functionality of display-projecting certain smartphone apps to the IVI screen, Android Automotive will have access to the in-vehicle network (IVN), and will be able to read and share various vehicular sensor data with third-party apps. This increased connectivity opens new business opportunities for both the car manufacturer as well as third-party businesses, but also introduces a new attack surface on the vehicle. Therefore, Android Automotive must have a secure system architecture to prevent any potential attacks that might compromise the security and privacy of the vehicle and the driver. In particular, malicious third-party entities could remotely compromise a vehicle's functionalities and impact the vehicle safety, causing financial and operational damage to the vehicle, as well as compromise the driver’s privacy and safety.
This paper presents an Android Automotive system architecture and provides guidelines for conducting a high-level security analysis. It also describes what countermeasures have already been taken by Google to prevent potential attacks, and discusses what still needs to be done in order to offer a secure and privacy-preserving Android experience for next-generation IVI platforms.
LibreCAN: Automated CAN Message Translator
Conference: 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), London, UK, November 2019.
Modern Connected and Autonomous Vehicles (CAVs) are equipped
with an increasing number of Electronic Control Units (ECUs),
many of which produce large amounts of data. Data is exchanged
between ECUs via an in-vehicle network, with the Controller Area
Network (CAN) bus being the de facto standard in contemporary
vehicles. Furthermore, CAVs have not only physical interfaces but
also increased data connectivity to the Internet via their Telematic
Control Units (TCUs), enabling remote access via mobile devices. It
is also possible to tap into, and read/write data from/to the CAN
bus, as data transmitted on the CAN bus is not encrypted. This
naturally generates concerns about automotive cybersecurity. One
commonality among most vehicular security attacks reported to
date is that they ultimately require write access to the CAN bus.
In order to cause targeted and intentional changes in vehicle behavior, malicious CAN injection attacks require knowledge of the
CAN message format. However, since this format is proprietary
to OEMs and can differ even among different models of a single
make of vehicle, one must manually reverse-engineer the CAN
message format of each vehicle they target — a time-consuming
and tedious process that does not scale. To mitigate this difficulty,
we develop LibreCAN, which can translate most CAN messages
with minimal effort. Our extensive evaluation on multiple vehicles
demonstrates LibreCAN’s efficiency in terms of accuracy, coverage,
required manual effort and scalability to any vehicle.
Survey of Automotive Privacy Regulations and Privacy-Related Attacks
Conference: SAE World Congress Experience 2019, Detroit, MI, USA, April 2019.
Privacy has been a rising concern. The European Union
has established a privacy standard called General Data
Protection Regulation (GDPR) in May 2018.
Furthermore, the Facebook-Cambridge Analytica data incident
made headlines in March 2018. Data collection from vehicles
by OEM platforms is increasingly popular and may offer OEMs
new business models but it comes with the risk of privacy
leakages. Vehicular sensor data shared with third-parties can
lead to misuse of the requested data for other purposes than
stated/intended. There exists a relevant regulation document
introduced by the Alliance of Automobile Manufacturers
(“Auto Alliance”), which classifies the vehicular sensors used
for data collection as covered and non-sensitive parameters.
This paper reviews existing privacy standards as well as
ongoing efforts in the automotive domain, and surveys the
landscape of automotive privacy-related attacks which can
be classified into three categories: driver fingerprinting,
location inferencing and driving-behavior analysis. These three
categories are derived from the aforementioned guidelines of
covered information. Based on this survey, we define a Privacy
Score (PS), quantifying the risk associated with each vehicular
sensor. Sensors contributing to multiple privacy attacks will
be assigned a higher PS. Furthermore, combinations of sensors
used in privacy attacks must be considered and assessed in
the PS metric as some attacks cannot be mounted using a
single independent sensor alone.
CarLab: Framework for Vehicular Data Collection and Processing
Conference: ACM CarSys 2017, Snowbird, UT, USA, October 2017.
Due to the growth of intelligent and self-driving vehicles, there are a multitude of data-driven applications such as user monitoring or traffic modeling and control. Each application often uses its own data-collection platform, leading to a scattered landscape of solutions for vehicular data-driven research and app development. We propose CarLab, a flexible and open vehicular data-collection platform which unifies this landscape of vehicular data-driven research and app development.
In this paper, we survey the field of vehicular data collection, describe the system architecture of CarLab and related research issues.
Context-aware Intrusion Detection in Automotive Control Systems
Conference: 5th escar 2017, Ypsilanti, MI, June 2017.
This paper describes a method and framework to detect manipulations in automotive control systems. As the automotive industry shifts towards software-based solutions, the incentives for attackers to manipulate automotive systems increase. The boundary where the cyber and physical worlds interface is particularly sensitive for security and safety. Manipulations in the computer system might have an uncontrollable impact on the physical environment and could lead to potentially dangerous situations.
This paper presents a context-aware intrusion detection system (CAID) framework capable of recognizing manipulations of the physical system using cyber means. CAID uses sensor information to establish reference models of the physical system and then checks the correctness of current sensor data against the reference models. Thereby, it establishes the notion of plausibility of a controller's operation. CAID augments today's cyber-physical intrusion detection systems (IDS) by adding a physical model to the detection engine. The CAID framework has been evaluated in a vehicular setup using a test vehicle. Telemetry data was collected from the test vehicle, which was then chip-tuned with a commercially available chip-tuning tool to obtain manipulated data. CAID was able to recognize the chip tuning with a very high probability using an unsupervised Artificial Neural Network (ANN). This proof-of-concept could be the starting point to enhance current automotive IDS using the CAID framework in order to detect future automotive attacks on safety-critical systems.
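The plausibility idea behind CAID, as an added illustration that is not the paper's own code: a reference model of a physical relation is learned from telemetry of an unmodified vehicle, and later sensor data is checked against it. The paper used an unsupervised ANN as the reference model; here a least-squares linear relation between throttle position and engine torque stands in for it, and the 3-sigma residual threshold, the 25% torque increase used to mimic chip tuning, and all telemetry values are constructed assumptions for this example.

```python
"""Plausibility check of a controller's behaviour against a physical reference model.

Added example of the CAID idea; not the paper's code. A least-squares linear
model replaces the paper's unsupervised ANN (swapped-in technique). All
telemetry is constructed, not measured on a vehicle.
"""
from statistics import mean, pstdev


def fit_linear(xs, ys):
    """Ordinary least squares fit y = a*x + b (no numpy needed)."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    a = sxy / sxx
    return a, my - a * mx


def build_reference_model(samples, k=3.0):
    """Learn the physical reference model from telemetry of an unmodified vehicle.

    samples: list of (throttle_pct, torque_nm). The detection threshold is
    k standard deviations of the training residuals (3-sigma, an assumption).
    """
    xs = [t for t, _ in samples]
    ys = [q for _, q in samples]
    a, b = fit_linear(xs, ys)
    residuals = [q - (a * t + b) for t, q in samples]
    return {"a": a, "b": b, "threshold": k * pstdev(residuals)}


def implausible_fraction(model, samples):
    """Fraction of samples whose deviation from the reference model exceeds the threshold."""
    flagged = 0
    for t, q in samples:
        expected = model["a"] * t + model["b"]
        if abs(q - expected) > model["threshold"]:
            flagged += 1
    return flagged / len(samples)


# Constructed training telemetry: torque ~ 3*throttle + 20 plus small sensor noise.
_NOISE = [1, -1, 2, -2, 1, -1, 2, -2, 1, -1]
STOCK_TELEMETRY = [(t, 3 * t + 20 + n) for t, n in zip(range(10, 101, 10), _NOISE)]

# Constructed "chip-tuned" telemetry: the ECU now delivers 25% more torque for
# the same throttle input, which violates the learned physical relation.
TUNED_TELEMETRY = [(t, 1.25 * q) for t, q in STOCK_TELEMETRY]


def detect_chip_tuning(training=STOCK_TELEMETRY, observed=TUNED_TELEMETRY, alarm_rate=0.5):
    """Alarm when more than alarm_rate of the observed samples are implausible.

    Returns (alarm_raised, implausible_fraction).
    """
    model = build_reference_model(training)
    rate = implausible_fraction(model, observed)
    return rate > alarm_rate, rate


if __name__ == "__main__":
    model = build_reference_model(STOCK_TELEMETRY)
    print("stock implausible fraction:", implausible_fraction(model, STOCK_TELEMETRY))
    print("tuned implausible fraction:", implausible_fraction(model, TUNED_TELEMETRY))
    print("alarm:", detect_chip_tuning())
```

The check works because a chip-tuning tool changes the torque the ECU commands for a given driver input, while the reference model still encodes the stock relation; a pure cyber IDS that only inspects bus traffic for malformed or unexpected frames would not see anything wrong here, since every frame is well formed.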
HW/SW Co-Design of an Automotive Embedded Firewall
Conference: SAE World Congress Experience 2017, Detroit, MI, USA, April 2017.
The automotive industry experiences a major change as vehicles are gradually becoming a part of the Internet. Security concepts based on the closed-world assumption cannot be deployed anymore due to a constantly changing adversary model. Automotive Ethernet as future in-vehicle network and a new E/E Architecture have different security requirements than Ethernet known from traditional IT and legacy systems. In order to achieve a high level of security, a new multi-layer approach in the vehicle which responds to special automotive requirements has to be introduced. One essential layer of this holistic security concept is to restrict non-authorized access by the deployment of embedded firewalls.
This paper addresses the introduction of automotive firewalls into the next-generation domain architecture with a focus on partitioning of its features in hardware and software. Based on the deployment of the firewall in the in-vehicle network, the corresponding adversary model and automotive requirements such as latency, jitter, CPU load and memory consumption are going to be discussed. Drivers behind these metrics are primarily safety concerns and cost and thus are relevant for both OEMs and hardware manufacturers. As a result, a reasonable implementation of an automotive firewall system has to be a trade-off between hardware and software in order to meet the above-named automotive requirements. We implemented the firewall on an Infineon AURIX TriCore and Altera Cyclone V FPGA to analyze these metrics. The paper shows the options and decision points to find an optimal partitioning between hardware and software for an automotive embedded firewall system.
Systems and Methods for Preserving the Privacy of Collected Vehicular Data
Patent: US Patent 11,126,744 B2; Granted: Sep. 21, 2021.
Methods and apparatus are provided for preserving privacy of data collected from a vehicle. In one embodiment, a method includes: receiving, by a processor, privacy preferences entered by a user of the vehicle; receiving, by the processor, the data collected from the vehicle; distorting, by the processor, the data; downsampling, by the processor, the distorted data based on the privacy preferences; and communicating, by the processor, the downsampled, distorted vehicle data to a third-party entity.
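The claimed pipeline (receive preferences, receive vehicle data, distort, downsample according to the preferences, communicate to a third party), as an added example that is not the patent's own implementation. The noise model (bounded uniform jitter), the three preference levels, their downsampling factors, and the speed trace are all assumptions constructed for this example.

```python
"""Privacy-preserving release of collected vehicle data to a third party.

Added example of the claimed method; not the patent's implementation. The noise
model, the preference levels, the downsampling factors and the speed trace are
assumptions made for this illustration.
"""
import json
import random

# Hypothetical policy mapping a user-selected privacy level to a downsampling factor.
DOWNSAMPLE_FACTOR = {"low": 1, "medium": 5, "high": 20}


def distort(records, noise_scale, seed=0):
    """Add bounded uniform noise in [-noise_scale, +noise_scale] to every value.

    records: list of (timestamp, value). The fixed seed keeps this example
    reproducible; a deployment would draw fresh randomness per release.
    """
    rng = random.Random(seed)
    return [(ts, value + rng.uniform(-noise_scale, noise_scale)) for ts, value in records]


def downsample(records, factor):
    """Keep every factor-th record; factor 1 keeps everything."""
    if factor < 1:
        raise ValueError("downsampling factor must be >= 1")
    return records[::factor]


def prepare_for_third_party(records, preferences):
    """Apply the user's privacy preferences before any data leaves the vehicle.

    preferences: {"level": "low"|"medium"|"high", "noise_scale": float}
    Returns the JSON payload that would be communicated to the third party.
    """
    factor = DOWNSAMPLE_FACTOR[preferences["level"]]
    distorted = distort(records, preferences.get("noise_scale", 1.0))
    released = downsample(distorted, factor)
    return json.dumps([{"t": ts, "speed_kph": round(v, 2)} for ts, v in released])


# Constructed 1 Hz vehicle-speed trace: 100 samples of a gentle acceleration.
SPEED_TRACE = [(t, 30.0 + 0.5 * t) for t in range(100)]


def release_summary(level, noise_scale=2.0):
    """Return (records released, max absolute distortion) for a privacy level."""
    payload = json.loads(prepare_for_third_party(SPEED_TRACE, {"level": level, "noise_scale": noise_scale}))
    original = dict(SPEED_TRACE)
    max_dev = max(abs(r["speed_kph"] - original[r["t"]]) for r in payload)
    return len(payload), max_dev


if __name__ == "__main__":
    for level in DOWNSAMPLE_FACTOR:
        print(level, release_summary(level))
```

Distortion and downsampling are applied in that order so the third party never receives an undistorted sample, and both steps run on the vehicle side, before transmission, which is where the privacy guarantee has to hold. The bounded noise keeps the released values within a known tolerance of the true ones, so the data is still usable for coarse analytics while exact trajectories are no longer reconstructible from the payload alone.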
Automated CAN Message Translator
Patent: WIPO (PCT) WO2021062328A1; Published: Apr. 1, 2021.
One commonality among most vehicular security attacks reported to date is that they ultimately require write access to the CAN bus. In order to cause targeted and intentional changes in the vehicle behavior, malicious CAN injection attacks require knowledge of the CAN message format. However, since this format is proprietary to OEMs and can differ even among different models of a single make of vehicle, one must manually reverse-engineer the CAN message format of each vehicle they target. To mitigate this difficulty, an automated CAN message translator is presented.