Projects:2020s1-1290 Car Hacking
Abstract
Numerous systems that utilise a shared bus architecture have not been designed with security in mind. Consequently, security is either an afterthought or the system has minimal security features implemented. Three examples of shared bus protocols that were created with minimal security considerations are CAN, FlexRay, and USB. The CAN bus and the FlexRay bus are both vehicle bus standards that enable electronic control units to communicate with each other. USB, meanwhile, is a standard for connection, communication, and power supply between computers, peripherals, and other computers. The security of systems that implement these protocols can be critical for the protection of sensitive data, property, and the safety of individuals.
Introduction
The aim of this project is to investigate shared bus protocols and their vulnerabilities to nondestructive attacks. To achieve this, the project will focus on aspects of three different protocols. Adam Watts will focus on how the security of CAN-based communication in vehicles could be improved, Alexis Jennings will create a FlexRay and CAN gateway, and Robbie will investigate an aspect of USB security. Several previous studies have shown that CAN-based communication is vulnerable to numerous attacks; improving the security of CAN-based communication is therefore vital to improving the security of the vehicle. Similarly, a FlexRay and CAN gateway will be developed to allow an investigation into the vulnerabilities that arise from connecting several bus systems that follow different protocols. In addition, this project will explore the USB protocol and attempt to demonstrate input injection on behalf of another connected USB device. Although none of these protocols prioritise security, severe consequences could occur if systems that use them are attacked by an adversary.
Background and Relevant Work
CAN
CAN (Controller Area Network) is the most widely used protocol for communication between ECUs (Electronic Control Units) in vehicles. The ECUs in a vehicle control many of its functions, including the engine, transmission, and traction control. An ECU can send messages to another ECU over the CAN bus. The data sent over the CAN bus is broadcast to all other ECUs in the network, and each ECU determines whether to process the message or ignore it. The benefits of the CAN protocol are that it is robust, efficient, fully centralised, simple and low cost.
Security vulnerabilities have been found in CAN systems. The CAN protocol has been found to lack authentication [24], [9]. Therefore, the CAN protocol cannot distinguish between a malicious ECU and a legitimate ECU. Furthermore, as all nodes in a CAN network listen to the bus for messages intended for them, an unauthorised node can join the network and send and receive messages. This makes it possible to perform replay attacks and transmit spoofed messages.
Another vulnerability of the CAN protocol is that ECUs communicate using unencrypted messages [24], [9]. Encrypting CAN messages would add overhead to a communication protocol that was designed to be light and fast. Furthermore, ECUs have limited computational power with which to implement robust cryptographic algorithms. The lack of encryption makes it possible to sniff the messages sent over the bus by attaching hardware to the bus.
The CAN protocol has also been found to be vulnerable to denial of service attacks [24], [9]. The CAN protocol uses message arbitration when more than one CAN node wants to send data. This means transmitting nodes will monitor the bus. If a higher priority message is being transmitted on the bus, the CAN node will stop transmitting and will listen to the bus. Thus, a denial of service attack can be performed by continuously sending high priority messages over the bus. This prevents other nodes from sending messages on the bus.
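The arbitration behaviour described above can be modelled in a few lines. The following is an added example, not code from the project: it simulates bitwise arbitration on 11-bit identifiers, shows how a node that always has the lowest identifier pending starves the rest of the bus, and includes a simple monitor that flags an identifier occupying an abnormal share of frame slots. The identifiers, function names and the 80% threshold are assumptions chosen for illustration.

```python
from collections import Counter

ID_BITS = 11  # standard (base-format) CAN identifier length

# Constructed sample traffic (illustrative identifiers, not from a real vehicle):
# identifier -> number of frames waiting to be sent.
SAMPLE_QUEUES = {0x0C4: 3, 0x1A0: 3, 0x3E8: 3}

def arbitrate(pending_ids):
    """Return the identifier that wins bitwise arbitration.

    The bus behaves as a wired-AND: a dominant 0 overrides a recessive 1.
    Each node sends its identifier MSB first and backs off as soon as it
    sends a 1 but reads a 0.
    """
    contenders = set(pending_ids)
    for bit in range(ID_BITS - 1, -1, -1):
        bus_level = min((i >> bit) & 1 for i in contenders)  # wired-AND
        contenders = {i for i in contenders if (i >> bit) & 1 == bus_level}
    (winner,) = contenders  # only the lowest identifier survives
    return winner

def run_bus(queues, always_pending=None, slots=100):
    """Simulate up to `slots` frame slots and return the winning IDs in order.

    `always_pending` models a node that re-queues the same identifier in
    every slot (the flooding condition described in the text).
    """
    queues = dict(queues)
    log = []
    for _ in range(slots):
        pending = [i for i, n in queues.items() if n > 0]
        if always_pending is not None:
            pending.append(always_pending)
        if not pending:
            break
        winner = arbitrate(pending)
        if winner != always_pending:
            queues[winner] -= 1
        log.append(winner)
    return log

def dominant_ids(log, threshold=0.8):
    """Flag identifiers that occupy more than `threshold` of observed slots."""
    counts = Counter(log)
    return sorted(i for i, n in counts.items() if n / len(log) > threshold)
```

With the sample queues alone, every frame is delivered in priority order; with identifier 0x000 always pending, none of the queued frames ever wins a slot and the monitor reports 0x000 as dominant.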
FlexRay
To continue to improve safety, increase performance, reduce environmental impact and increase the comfort of the vehicle, the reliability and volume of data exchanged between the vehicle’s ECUs must increase. The FlexRay protocol can meet these requirements. FlexRay can also meet the error tolerance and time-determinism requirements for X-by-wire systems. X-by-wire refers to the replacement of mechanical systems with electronic ones. These replaced systems can include braking and steering.
FlexRay provides some protection for data availability and data integrity, although this was intended for safety rather than security [26]. The FlexRay protocol does not provide assurance of confidentiality, authentication or freshness of data. It was found that reading and spoofing can be performed on any ECU in the FlexRay network.
It has also been found that a full denial of service is possible in the dynamic segment, while a partial denial of service can be performed in the static segment. Spoofing could not be performed in the static segment as message collision could cause an unpredictable bus state. However, spoofing can be used in the dynamic segment, although message collisions could still occur.
There has also been an attack on a FlexRay network using a CAN network. This attack involved creating a gateway that would convert CAN packets to FlexRay. The attack then sent CAN messages to override specific bits on a FlexRay bus to control the EPS (Electric Power Steering) [4].
USB injection
Project Aims and Method
Aim 1
One stream of the project aims to investigate the interoperability and mapping of the CAN and FlexRay protocols. This includes studying the use of FlexRay-CAN gateways in vehicles. The gateway allows FlexRay messages to be sent across a CAN network and vice versa. This research will allow the vulnerabilities of FlexRay-CAN gateways to be investigated.
Initially, a simulation was designed to investigate the timings of a FlexRay network connected to a CAN network. A FlexRay Evaluation Board that is capable of acting as a FlexRay-CAN gateway was also studied.
Aim 2
Aim 3
Outcomes
Interoperability and mapping of the CAN and FlexRay protocols
From the simulation and investigation of a FlexRay-CAN gateway, it was found that the vulnerabilities of one network can be used to exploit the other. Gateways are designed to be fast and lightweight, with messages sent across the gateway with minimal latency. Furthermore, the simulation can be used for planning future network designs, and the gateway design can be used to further investigate CAN and FlexRay vulnerabilities as well as the vulnerabilities that result from connecting CAN and FlexRay networks.
CANflex
USB exploit successful
Conclusion and Future Work
Conclusion
With widespread reliance on CAN and USB, rolling out effective vulnerability countermeasures to all existing instances is infeasible. However, vulnerabilities and practices explored in our research are worth taking into consideration in the design of critical systems that may need to depend on these technologies.
Future Work
References
Project Team:
Student Researchers:
Alexis Jennings
Robert Dumitru
Adam Watts
Supervisors:
Dr. Matthew Sorell
Yuval Yarom
Aaron Frishling (DSTG)
Bradley Cooney (DSTG)
Daniel Coscia (DSTG)