S2-CAN: Sufficiently Secure Controller Area Network

Mert D. Pesé, Jay W. Schauer, Junhui Li, and Kang G. Shin
Conference: Annual Computer Security Applications Conference (ACSAC'21), Virtual, December 2021.


As automotive security concerns are rising, the Controller Area Network (CAN), the de facto standard in-vehicle communication protocol, has come under scrutiny due to its lack of encryption and authentication. Several vulnerabilities, such as eavesdropping, spoofing, and replay attacks, have shown that the current implementation needs to be extended. Both academic and commercial solutions for a Secure CAN (S-CAN) have been proposed, but OEMs have not yet integrated them into their products. The main reasons for this lack of adoption are their heavy use of the vehicle's limited computational resources, increased latency that can lead to missed deadlines for safety-critical messages, and insufficient space in a CAN frame to include a Message Authentication Code (MAC). By making a trade-off between security and performance, we develop S2-CAN, which overcomes the aforementioned problems of S-CAN. We leverage protocol-specific properties of CAN instead of cryptographic primitives and design a "sufficiently secure" alternative CAN with minimal overhead on resources and latency. We evaluate the security of S2-CAN in four real-world vehicles with an automated vehicular attack tool. We finally show that CAN security can be guaranteed by the correct choice of a design parameter while achieving acceptable performance.

SPy: Car Steering Reveals Your Trip Route!

Mert D. Pesé, Xiaoying Pu, and Kang G. Shin
Conference: The 20th Privacy Enhancing Technologies Symposium (PETS 2020), Virtual, July 2020.


Vehicular data-collection platforms as part of Original Equipment Manufacturers’ (OEMs’) connected telematics services are on the rise in order to provide diverse connected services to the users. They also allow the collected data to be shared with third-parties upon users’ permission. Under the current suggested permission model, we find these platforms leaking users’ location information without explicitly obtaining users’ permission. We analyze the accuracy of inferring a vehicle’s location from seemingly benign steering wheel angle (SWA) traces, and show its impact on the driver’s location privacy. By collecting and processing real-life SWA traces, we can infer the users’ exact traveled routes with up to 71% accuracy, which is much higher than the state-of-the-art.

Security Analysis of Android Automotive

Mert D. Pesé, Kang G. Shin, Josiah Bruner, and Amy Chu
Journal: SAE International Journal of Advances and Current Practices in Mobility, 2(2020-01-1295), pp. 2337-2346.


In-vehicle infotainment (IVI) platforms are getting increasingly connected. Besides OEM apps and services, the next generation of IVI platforms is expected to offer integration of third-party apps. Under this anticipated business model, vehicular sensor and event data can be collected and shared with selected third-party apps. To accommodate this trend, Google has been pushing towards standardization among proprietary IVI operating systems with its Android Automotive platform, which runs natively on the vehicle's IVI hardware. Unlike Android Auto's limited functionality of display-projecting certain smartphone apps to the IVI screen, Android Automotive will have access to the in-vehicle network (IVN) and will be able to read and share various vehicular sensor data with third-party apps. This increased connectivity opens new business opportunities for both the car manufacturer and third-party businesses, but also introduces a new attack surface on the vehicle. Therefore, Android Automotive must have a secure system architecture to prevent potential attacks that might compromise the security and privacy of the vehicle and the driver. In particular, malicious third-party entities could remotely compromise a vehicle's functionalities and impact vehicle safety, causing financial and operational damage to the vehicle, as well as compromising the driver's privacy and safety. This paper presents an Android Automotive system architecture and provides guidelines for conducting a high-level security analysis. It also describes what countermeasures Google has already taken to prevent potential attacks, and discusses what still needs to be done in order to offer a secure and privacy-preserving Android experience for next-generation IVI platforms.

LibreCAN: Automated CAN Message Translator

Mert D. Pesé, Troy Stacer, C. Andrés Campos, Eric Newberry, Dongyao Chen, and Kang G. Shin
Conference: 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS), London, UK, November 2019.


Modern Connected and Autonomous Vehicles (CAVs) are equipped with an increasing number of Electronic Control Units (ECUs), many of which produce large amounts of data. Data is exchanged between ECUs via an in-vehicle network, with the Controller Area Network (CAN) bus being the de facto standard in contemporary vehicles. Furthermore, CAVs have not only physical interfaces but also increased data connectivity to the Internet via their Telematic Control Units (TCUs), enabling remote access via mobile devices. It is also possible to tap into, and read/write data from/to the CAN bus, as data transmitted on the CAN bus is not encrypted. This naturally generates concerns about automotive cybersecurity. One commonality among most vehicular security attacks reported to date is that they ultimately require write access to the CAN bus. In order to cause targeted and intentional changes in vehicle behavior, malicious CAN injection attacks require knowledge of the CAN message format. However, since this format is proprietary to OEMs and can differ even among different models of a single make of vehicle, one must manually reverse-engineer the CAN message format of each vehicle they target — a time-consuming and tedious process that does not scale. To mitigate this difficulty, we develop LibreCAN, which can translate most CAN messages with minimal effort. Our extensive evaluation on multiple vehicles demonstrates LibreCAN’s efficiency in terms of accuracy, coverage, required manual effort and scalability to any vehicle.

Survey of Automotive Privacy Regulations and Privacy-Related Attacks

Mert D. Pesé and Kang G. Shin
Conference: SAE World Congress Experience 2019, Detroit, MI, USA, April 2019.


Privacy has been a rising concern. The European Union put its privacy standard, the General Data Protection Regulation (GDPR), into effect in May 2018. Furthermore, the Facebook-Cambridge Analytica data incident made headlines in March 2018. Data collection from vehicles by OEM platforms is increasingly popular and may offer OEMs new business models, but it comes with the risk of privacy leakage. Vehicular sensor data shared with third parties can be misused for purposes other than those stated or intended. A relevant regulation document introduced by the Alliance of Automobile Manufacturers ("Auto Alliance") classifies the vehicular sensors used for data collection into covered and non-sensitive parameters.
This paper reviews existing privacy standards as well as ongoing efforts in the automotive domain, and surveys the landscape of automotive privacy-related attacks, which can be classified into three categories: driver fingerprinting, location inference and driving-behavior analysis. These three categories are derived from the aforementioned guidelines on covered information. Based on this survey, we define a Privacy Score (PS) quantifying the risk associated with each vehicular sensor. Sensors contributing to multiple privacy attacks are assigned a higher PS. Furthermore, combinations of sensors used in privacy attacks must be considered and assessed in the PS metric, as some attacks cannot be mounted using a single sensor alone.

CarLab: Framework for Vehicular Data Collection and Processing

Mert D. Pesé, Arun Ganesan and Kang G. Shin
Conference: ACM CarSys 2017, Snowbird, UT, USA, October 2017.


Due to the growth of intelligent and self-driving vehicles, there is a multitude of data-driven applications such as user monitoring or traffic modeling and control. Each application often uses its own data-collection platform, leading to a scattered landscape of solutions for vehicular data-driven research and app development. We propose CarLab, a flexible and open vehicular data-collection platform which unifies this landscape.
In this paper, we survey the field of vehicular data collection and describe the system architecture of CarLab and related research issues.

Context-aware Intrusion Detection in Automotive Control Systems

Armin Wasicek, Mert D. Pesé, Andre Weimerskirch, Yelizaveta Burakova and Karan Singh
Conference: 5th escar USA 2017, Ypsilanti, MI, USA, June 2017.


This paper describes a method and framework to detect manipulations in automotive control systems. As the automotive industry shifts towards software-based solutions, the incentives for attackers to manipulate automotive systems grow. The boundary where the cyber and physical worlds interface is particularly sensitive for security and safety. Manipulations in the computer system might have an uncontrollable impact on the physical environment and could lead to potentially dangerous situations.
This paper presents a context-aware intrusion detection (CAID) framework capable of recognizing manipulations of the physical system using cyber means. CAID uses sensor information to establish reference models of the physical system and then checks the correctness of current sensor data against those reference models. Thereby, it establishes the notion of plausibility of a controller's operation. CAID augments today's cyber-physical intrusion detection systems (IDS) by adding a physical model to the detection engine. The CAID framework has been evaluated in a vehicular setup using a test vehicle. Telemetry data was collected from the test vehicle, which was then chip-tuned with a commercially available chip-tuning tool to obtain manipulated data. CAID was able to recognize the chip tuning with very high probability using an unsupervised Artificial Neural Network (ANN). This proof-of-concept could be the starting point for enhancing current automotive IDS with the CAID framework in order to detect future automotive attacks on safety-critical systems.
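The plausibility idea behind CAID, as an added illustration that is not code from the paper: a reference model of the physical system is fitted from trusted baseline telemetry, and live samples are flagged when they deviate from what the model predicts. The paper uses an unsupervised ANN; this example substitutes a least-squares linear model with a residual threshold so that it runs without any ML dependency. The signals (throttle position vs. boost pressure), the baseline trace and the "chip-tuned" sample are all constructed for the example and are not the authors' data.

```python
"""Physical-plausibility check in the spirit of CAID (illustrative, not the paper's code)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass
class Sample:
    throttle_pct: float   # assumed signal: throttle position, percent
    boost_kpa: float      # assumed signal: intake boost pressure, kPa


# (slope, intercept, residual_sigma) of boost = slope * throttle + intercept
ReferenceModel = Tuple[float, float, float]


def fit_reference(baseline: List[Sample], sigma_floor: float = 0.5) -> ReferenceModel:
    """Fit a linear reference model from trusted baseline telemetry.

    sigma_floor keeps the threshold meaningful if the baseline happens to be
    almost noise-free (a zero sigma would flag every live sample).
    """
    xs = [s.throttle_pct for s in baseline]
    ys = [s.boost_kpa for s in baseline]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    residuals = [y - (slope * x + intercept) for x, y in zip(xs, ys)]
    return slope, intercept, max(pstdev(residuals), sigma_floor)


def residual(model: ReferenceModel, s: Sample) -> float:
    slope, intercept, _ = model
    return s.boost_kpa - (slope * s.throttle_pct + intercept)


def is_plausible(model: ReferenceModel, s: Sample, k: float = 3.0) -> bool:
    """A sample is plausible if it lies within k sigma of the reference model."""
    return abs(residual(model, s)) <= k * model[2]


def detect(model: ReferenceModel, live: List[Sample], k: float = 3.0) -> List[int]:
    """Return indices of live samples the physical model rejects."""
    return [i for i, s in enumerate(live) if not is_plausible(model, s, k)]


# Constructed baseline: boost ~ 0.8 * throttle + 100 kPa with small sensor jitter.
_JITTER = [1, -1, 2, -2, 1, -1, 2, -2, 1, -1]
BASELINE = [Sample(t, 0.8 * t + 100 + j) for t, j in zip(range(10, 101, 10), _JITTER)]

# Constructed live trace: stock behaviour, then a "chip-tuned" sample with +30 kPa.
LIVE = [Sample(50, 140.0), Sample(70, 156.5), Sample(50, 170.0)]


if __name__ == "__main__":
    model = fit_reference(BASELINE)
    print("flagged sample indices:", detect(model, LIVE))
```

The threshold k and the choice of signals are where the real engineering lives: a model that is too loose misses tuning, one that is too tight trips on legitimate operating conditions (altitude, temperature), which is why the paper learns the reference from data rather than hard-coding it.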

HW/SW Co-Design of an Automotive Embedded Firewall

Mert D. Pesé, Karsten Schmidt and Udo Dannebaum
Conference: SAE World Congress Experience 2017, Detroit, MI, USA, April 2017.


The automotive industry is experiencing a major change as vehicles gradually become part of the Internet. Security concepts based on the closed-world assumption can no longer be deployed due to a constantly changing adversary model. Automotive Ethernet, as the future in-vehicle network, and the new E/E architecture have different security requirements than the Ethernet known from traditional IT and legacy systems. In order to achieve a high level of security, a new multi-layer approach that responds to special automotive requirements has to be introduced in the vehicle. One essential layer of this holistic security concept is restricting unauthorized access by deploying embedded firewalls.
This paper addresses the introduction of automotive firewalls into the next-generation domain architecture, with a focus on partitioning their features between hardware and software. Based on the deployment of the firewall in the in-vehicle network, the corresponding adversary model and automotive requirements such as latency, jitter, CPU load and memory consumption are discussed. The drivers behind these metrics are primarily safety concerns and cost, and thus they are relevant for both OEMs and hardware manufacturers. As a result, a reasonable implementation of an automotive firewall system has to be a trade-off between hardware and software in order to meet the above-named automotive requirements. We implemented the firewall on an Infineon AURIX TriCore and an Altera Cyclone V FPGA to analyze these metrics. The paper shows the options and decision points for finding an optimal partitioning between hardware and software for an automotive embedded firewall system.

Systems and Methods for Preserving the Privacy of Collected Vehicular Data

Mert Dieter Pesé, Evripidis Paraskevas, Fan Bai, Massimo Osella and Soheil Samii
Patent: US Patent 11,126,744 B2; Granted: Sep. 21, 2021.


Methods and apparatus are provided for preserving privacy of data collected from a vehicle. In one embodiment, a method includes: receiving, by a processor, privacy preferences entered by a user of the vehicle; receiving, by the processor, the data collected from the vehicle; distorting, by the processor, the data; downsampling, by the processor, the distorted data based on the privacy preferences; and communicating, by the processor, the downsampled, distorted vehicle data to a third-party entity.
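The sequence of steps in the abstract (take the user's privacy preferences, distort the collected data, downsample it according to those preferences, then release it to the third party), as an added example that is not the patent's implementation. The abstract does not say how the data is distorted or downsampled; additive Gaussian noise and fixed-rate decimation are assumptions made here for illustration, as is the three-level preference mapping and the constructed speed trace.

```python
"""Privacy-preserving release of collected vehicle data (illustrative, not the patent's code)."""
import random
from typing import Dict, List

# Hypothetical preference mapping: stronger privacy = more noise, fewer samples.
PRIVACY_PRESETS: Dict[str, Dict[str, float]] = {
    "low":    {"noise_sigma": 0.5, "keep_every": 1},
    "medium": {"noise_sigma": 2.0, "keep_every": 5},
    "high":   {"noise_sigma": 5.0, "keep_every": 20},
}


def distort(values: List[float], noise_sigma: float, seed: int = 0) -> List[float]:
    """Add zero-mean Gaussian noise to every sample (seeded so the example is reproducible)."""
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, noise_sigma) for v in values]


def downsample(values: List[float], keep_every: int) -> List[float]:
    """Keep every keep_every-th sample; coarser traces carry less route detail."""
    if keep_every < 1:
        raise ValueError("keep_every must be >= 1")
    return values[::keep_every]


def prepare_for_third_party(values: List[float], preference: str) -> List[float]:
    """Apply the abstract's pipeline: preferences -> distort -> downsample -> release."""
    if preference not in PRIVACY_PRESETS:
        raise ValueError(f"unknown privacy preference: {preference!r}")
    p = PRIVACY_PRESETS[preference]
    return downsample(distort(values, p["noise_sigma"]), int(p["keep_every"]))


# Constructed 1 Hz vehicle-speed trace (km/h): accelerate, cruise, decelerate.
SPEED_TRACE = [float(min(i, 60)) for i in range(80)] + [float(60 - 3 * i) for i in range(20)]


if __name__ == "__main__":
    for pref in PRIVACY_PRESETS:
        released = prepare_for_third_party(SPEED_TRACE, pref)
        print(f"{pref:6s}: {len(released):3d} samples, first={released[0]:.1f}")
```

Distortion is applied before downsampling so that the released samples never coincide exactly with raw readings; the noise level and decimation factor are the knobs a user-facing preference would drive.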

Automated CAN Message Translator

Kang G. Shin and Mert Dieter Pesé
Patent: WIPO (PCT) WO2021062328A1; Published: Apr. 1, 2021.


One commonality among most vehicular security attacks reported to date is that they ultimately require write access to the CAN bus. In order to cause targeted and intentional changes in vehicle behavior, malicious CAN injection attacks require knowledge of the CAN message format. However, since this format is proprietary to OEMs and can differ even among different models of a single make of vehicle, one must manually reverse-engineer the CAN message format of each targeted vehicle. To mitigate this difficulty, an automated CAN message translator is presented.


This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.