Projects:2020s1-1290 Car Hacking

Revision as of 15:03, 19 October 2020 by A1686599 (talk | contribs) (CANflex)

Abstract

Numerous systems that utilise a shared bus architecture have not been designed with security in mind. Consequently, security is either an afterthought or the system has minimal security features implemented. Three examples of shared bus protocols that were created with minimal security considerations are CAN, FlexRay, and USB. The CAN bus and the FlexRay bus are both vehicle bus standards that enable ECUs (Electronic Control Units) to communicate with each other. Meanwhile, USB is a standard that allows connection, communication, and power supply between computers, peripherals, and other computers. The security of systems that implement these protocols can be critical for the protection of sensitive data, property, and the safety of individuals.

Introduction

The aim of this project is to investigate shared bus protocols and their vulnerabilities to nondestructive attacks. In order to achieve this, the project focuses on aspects of three different protocols:

  1. How the security of CAN-based communication in vehicles could be improved (Adam Watts),
  2. Investigating the interoperability and mapping of the CAN and FlexRay protocols (Alexis Jennings),
  3. Injection attacks on shared USB hubs (Robbie Dumitru).

Several previous studies have shown that CAN-based communication is vulnerable to numerous attacks, so improving the security of CAN-based communication is vital to improving the security of the vehicle as a whole. In parallel, a FlexRay-CAN gateway will be developed to allow an investigation into the vulnerabilities that arise when bus systems that follow different protocols are connected together. In addition, this project will explore the USB protocol and attempt to demonstrate input injection on behalf of another connected USB device. Although none of these protocols prioritise security, severe consequences could follow if they are attacked by an adversary.

Background and Relevant Work

CAN

Simplified CAN bus transmission

CAN (Controller Area Network) is the most widely used communication protocol in vehicles. It allows the ECUs in a vehicle to communicate. ECUs control many of the functions of the vehicle, including the engine, transmission, and traction control. Every frame an ECU puts on the CAN bus is broadcast to all other ECUs on the network; a frame carries an identifier rather than a destination address, and each receiving ECU decides from that identifier whether to process the message or ignore it. Benefits of the CAN protocol include that it is robust, efficient, decentralised (multi-master, with no bus controller), simple and low cost.

Security vulnerabilities have been found in CAN systems. The CAN protocol lacks authentication [1], [2]: a frame carries an identifier but no source address and no authenticator, so the CAN protocol cannot distinguish between a malicious ECU and a legitimate ECU. Furthermore, as all nodes in the CAN network listen to the bus for messages intended for them, an unauthorised node that is attached to the bus can join the network and send and receive messages. This makes it possible to replay previously captured frames and to transmit spoofed messages under the identifier of a legitimate ECU.

Another vulnerability of the CAN protocol is that ECUs communicate using unencrypted messages [1], [2], so anyone who attaches hardware to the bus can sniff every message sent over it. Encrypting CAN messages would add overhead to a protocol that was designed to be light and fast, and ECUs have limited computational power with which to implement robust cryptographic algorithms.

The CAN protocol has also been found to be vulnerable to denial of service attacks [1], [2]. When more than one CAN node wants to send data, the protocol resolves the conflict by arbitration on the identifier field: nodes transmit the identifier bit by bit while monitoring the bus, a 0 (dominant) bit overrides a 1 (recessive) bit, and a node that sends a recessive bit but reads a dominant one stops transmitting and listens. The lowest identifier therefore has the highest priority and always wins. Thus, a denial of service attack can be performed by continuously sending frames with a very low (high priority) identifier over the CAN bus, which prevents other nodes from ever winning arbitration.
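The arbitration rule and the flooding attack it enables, as an added simulation (not code from the project or from the references). The node names, identifiers, transmission periods and the round-based bus model are constructed for illustration; only the 11-bit identifier field is modelled, not the rest of the frame.

```python
"""Bitwise CAN arbitration and priority-flooding denial of service, simulated.

Added example; constructed node names, identifiers and periods. Models the
identifier field of a standard 11-bit CAN frame only, not the rest of the frame.
"""
from dataclasses import dataclass

ID_BITS = 11  # standard CAN identifier width, sent most-significant bit first


@dataclass
class Node:
    name: str
    can_id: int        # identifier this node always sends
    period: int = 1    # the node queues a new frame every `period` bus rounds
    pending: int = 0   # frames waiting to go out
    sent: int = 0      # frames that won arbitration
    lost: int = 0      # arbitration rounds lost


def arbitrate(contenders):
    """Return the node that wins one arbitration round among nodes that start together.

    Bit 0 is dominant and 1 is recessive, so the bus carries the wired-AND of what
    every transmitter drives. A node that drives recessive but reads dominant has
    lost and stops transmitting; after ID_BITS bits exactly one transmitter is left.
    """
    still_in = list(contenders)
    for bit in range(ID_BITS - 1, -1, -1):
        bus_bit = min((n.can_id >> bit) & 1 for n in still_in)
        still_in = [n for n in still_in if ((n.can_id >> bit) & 1) == bus_bit]
    assert len(still_in) == 1, "CAN identifiers must be unique per bus"
    return still_in[0]


def run_bus(nodes, rounds):
    """Run `rounds` frame slots; in every slot the nodes with queued frames contend."""
    for t in range(rounds):
        for n in nodes:
            if t % n.period == 0:
                n.pending += 1
        contenders = [n for n in nodes if n.pending > 0]
        if not contenders:
            continue
        winner = arbitrate(contenders)
        winner.pending -= 1
        winner.sent += 1
        for n in contenders:
            if n is not winner:
                n.lost += 1
    return {n.name: n.sent for n in nodes}


def dos_demo(rounds=120):
    """Compare a lightly loaded bus with the same bus plus a node flooding ID 0x000."""
    def legit():
        # Constructed IDs and periods: together they load the bus to 5/6 of capacity,
        # so without an attacker every frame gets through.
        return [Node("engine", 0x0C0, period=2), Node("brake", 0x1A0, period=3)]
    baseline = run_bus(legit(), rounds)
    # ID 0x000 is all-dominant, so the attacker wins every arbitration it joins.
    attacked = run_bus(legit() + [Node("attacker", 0x000, period=1)], rounds)
    return baseline, attacked


if __name__ == "__main__":
    print(dos_demo())
```

In the baseline both legitimate nodes deliver every frame they queue (60 and 40 over 120 rounds); with the flooding node present the attacker wins all 120 rounds and the engine and brake nodes deliver nothing, which is the starvation the paragraph describes. Real ECUs do not always have a frame pending, so the simple periodic model understates normal-case fairness, but the attacker's result does not depend on that model.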

FlexRay

To continue to improve safety, increase performance, reduce environmental impact and increase the comfort of the vehicle, the reliability and volume of data must increase between the vehicle’s ECUs. The FlexRay protocol can meet these requirements. FlexRay can also meet the error tolerance and time-determinism requirements for X-by-wire systems. X-by-wire refers to the replacement of mechanical systems with electronic ones. These replaced systems can include braking and steering.

FlexRay provides some protection for data availability and data integrity, although this was intended for safety rather than security [3]. The FlexRay protocol does not provide assurance of confidentiality, authentication or freshness of data. It was found that reading and spoofing can be performed on any ECU in the FlexRay network.

It has also been found that a full denial of service is possible in the dynamic segment, while a partial denial of service can be performed in the static segment. Spoofing could not be performed in the static segment as message collision could cause an unpredictable bus state. However, spoofing can be used in the dynamic segment, although message collisions could still occur.

There has also been an attack on a FlexRay network using a CAN network. This attack involved creating a gateway that would convert CAN packets to FlexRay. This attack then sent CAN messages to override specific bits on a FlexRay bus to control the EPS (Electric Power Steering) [4].

USB injection

USB is the de facto standard for peripheral-computer interconnection. Ease of use has always been at the forefront of the technology's design principles, leaving security largely overlooked. This makes USB compelling for malicious actors to leverage for violating the confidentiality, integrity and availability of data.

Project Aims and Method

Aim 1

A FlexRay Evaluation Board

One stream of the project aims to investigate the interoperability and mapping of the CAN and FlexRay protocols. This includes studying the use of FlexRay-CAN gateways in vehicles. Gateways allow FlexRay messages to be converted to CAN messages before being sent across a CAN network and vice versa. This research will allow the vulnerabilities of FlexRay-CAN gateways to be investigated.

Approach: Initially, a simulation was designed to investigate the timings of a FlexRay network connected to a CAN network. A FlexRay Evaluation Board that is capable of acting as a FlexRay-CAN gateway was also studied.

Aim 2

Improving the security of CAN-based communication in existing vehicles.

Approach: Identify CAN bus shortcomings. Consider flow control, TDMA, and “allowed paths” to design and implement a retrofittable solution to critical CAN systems.

Aim 3

Input Injection Sequence Diagram

Investigating an “input injection” exploit of USB 2.0 systems whereby a device connected to a PC is able to spoof the input of another concurrently connected device. The vulnerability exploited is USB’s means of attributing device input data to its source.

Approach: Determine necessary conditions for achieving input injection. Create proof-of-concept for exploit evaluation.

Outcomes

Interoperability and mapping of the CAN and FlexRay protocol

From the simulation and investigation of a FlexRay-CAN gateway, it was found that the vulnerabilities of one network can be used to exploit the other. Gateways are designed to be fast and lightweight, with messages sent across the gateway with minimal latency. Furthermore, the simulation can be used for planning future network designs and the gateway design can be used to further investigate CAN and FlexRay vulnerabilities and vulnerabilities that result from connecting CAN and FlexRay networks.

A simulation demonstrating CAN packets being converted to FlexRay packets and sent over a FlexRay network
A simulation demonstrating FlexRay packets being converted to CAN packets and sent over a CAN network
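To make the gateway finding above concrete, here is an added toy FlexRay-CAN gateway (not the project's simulation or the evaluation board's firmware). The CAN-ID-to-slot table, the frames, and the slot numbers are constructed; it assumes each mapped CAN ID is carried in one FlexRay static slot with a fixed payload length, one frame per slot per cycle, and ignores the dynamic segment. The point it shows is the one stated above: the gateway has nothing to check a CAN frame's origin against, so a spoofed CAN frame with a mapped identifier crosses into a FlexRay slot exactly as a genuine one would.

```python
"""Toy FlexRay-CAN gateway.

Added example with a constructed CAN-ID-to-slot table. Assumed simplifications:
every mapped CAN ID is carried in one FlexRay static slot with a fixed payload
length, one frame per slot per cycle, and the dynamic segment is ignored.
"""
from collections import deque
from dataclasses import dataclass

CAN_MAX_DATA = 8  # classic CAN data field; FlexRay payloads can be far longer


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes


@dataclass(frozen=True)
class FlexRayFrame:
    slot: int      # static-segment slot; the frame ID equals the slot number
    cycle: int
    payload: bytes


class Gateway:
    def __init__(self, can_to_slot, static_payload_len=8):
        self.can_to_slot = dict(can_to_slot)
        self.slot_to_can = {slot: cid for cid, slot in can_to_slot.items()}
        self.static_payload_len = static_payload_len
        self.pending = {}  # slot -> deque of CAN data waiting for a cycle

    def accept_can(self, frame):
        """Queue a CAN frame for its slot. Unmapped IDs are dropped (returns False).

        Nothing here can tell a spoofed frame from a genuine one: CAN carries no
        source address, so the gateway forwards whatever carries a mapped ID.
        """
        slot = self.can_to_slot.get(frame.can_id)
        if slot is None:
            return False
        self.pending.setdefault(slot, deque()).append(frame.data)
        return True

    def emit_cycle(self, cycle):
        """Build one FlexRay cycle. A slot carries one frame, so extra frames wait a cycle."""
        out = []
        for slot in sorted(self.pending):
            queue = self.pending[slot]
            if queue:
                data = queue.popleft()
                payload = data.ljust(self.static_payload_len, b"\x00")[: self.static_payload_len]
                out.append(FlexRayFrame(slot, cycle, payload))
        return out

    def flexray_to_can(self, frame):
        """Split a FlexRay payload into as many 8-byte CAN frames as it needs."""
        cid = self.slot_to_can.get(frame.slot)
        if cid is None:
            return []
        return [CanFrame(cid, frame.payload[i:i + CAN_MAX_DATA])
                for i in range(0, len(frame.payload), CAN_MAX_DATA)]


def demo():
    gw = Gateway({0x0C0: 5, 0x1A0: 7})  # constructed: CAN ID -> FlexRay slot
    gw.accept_can(CanFrame(0x0C0, b"\x01\x02"))   # genuine ECU frame
    gw.accept_can(CanFrame(0x0C0, b"\xff\xff"))   # constructed spoof: same ID, rogue node
    gw.accept_can(CanFrame(0x1A0, b"\x10"))
    unmapped_dropped = not gw.accept_can(CanFrame(0x7FF, b"\x00"))
    cycle0 = gw.emit_cycle(0)
    cycle1 = gw.emit_cycle(1)   # the spoof leaves in slot 5 one cycle later, indistinguishable
    back = gw.flexray_to_can(FlexRayFrame(7, 2, bytes(range(12))))
    return cycle0, cycle1, unmapped_dropped, back


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The one-frame-per-slot rule is also where the latency the paragraph mentions comes from: the second frame for slot 5 waits a whole cycle, so a gateway that must stay lightweight has to choose between buffering (latency) and dropping (loss) when a CAN node, legitimate or not, sends faster than the FlexRay schedule allows.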

CANflex

Transforming a CAN network to CANflex

“CANflex” is a tunnelling protocol that sits on top of existing CAN bus hardware. Inspired by elements of FlexRay that improve network security, it tunnels CAN messages onto a scheduled (TDMA) timing format. The significance of this is that it improves transmission speed, reduces the effectiveness of DoS attacks, and allows a form of packet control that does not exist in CAN.

Simplified transmission of frames on CANflex

When implemented, a CANflex gateway is attached to every ECU on the CAN network. Functionally, CAN frames from an ECU are converted to CANflex frames, buffered and transmitted according to a TDMA schedule, then converted back to CAN frames for the receiving ECU(s). Flow control ensures that only frames on “allowed” paths are permitted to traverse the CANflex gateways.

CANflex takes transmission strategies from both CAN and FlexRay and enforces flow control of “allowed paths” to improve CAN bus throughput and resilience to attacks while still using the existing CAN bus wiring loops. The end result is that previously successful CAN bus attacks no longer hold up once the CANflex tunnelling protocol is applied (depicted in the animations below).

Attack frames are not allowed to transmit outside a valid time slot or along restricted paths, and are simply blocked at the gateway. Thus, where a bad actor may previously have been able to gain control of the car, they can now at best cause transmission losses through packet collisions on the network.
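The two checks described above (slot ownership and allowed paths), as an added simulation of a CANflex-style gateway. This is not the project's implementation: the slot-ownership table, the allowed-paths table, the ECU names and the three rogue frames are constructed, and the rule that two frames in one slot lose both is an assumed model of the "packet collisions" mentioned above. It shows one cycle in which a rogue node on the wiring loop tries a frame in a slot whose owner is transmitting (collision), a frame with a legitimate identifier from a slot that may not carry it (blocked as a disallowed path), and a frame claiming a source in a slot that source does not own (blocked as outside the owner's slot).

```python
"""CANflex-style tunnelling gateway with a TDMA schedule and allowed-paths filter.

Added example; the slot ownership table, allowed-paths table and the three rogue
frames are constructed, and the collision rule (two frames in one slot lose both)
is an assumed model, not a property of the project's implementation.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    can_id: int
    data: bytes


@dataclass(frozen=True)
class CanflexFrame:
    src: str          # gateway that claims to have sent it
    slot: int         # TDMA slot it appeared in
    inner: CanFrame   # the tunnelled CAN frame


class CanflexGateway:
    def __init__(self, name, slot_owner, allowed_paths):
        self.name = name
        self.slot_owner = slot_owner      # slot -> gateway allowed to transmit in it
        self.allowed = allowed_paths      # (src, can_id) -> destinations that may receive it
        self.outbox = deque()
        self.delivered = []               # frames handed to this gateway's ECU
        self.dropped = []                 # (frame, reason) blocked at this gateway

    def from_ecu(self, frame):
        """Buffer a CAN frame from the local ECU until this gateway's slot comes round."""
        self.outbox.append(frame)

    def transmit(self, slot):
        """Put at most one buffered frame on the bus, and only in a slot this gateway owns."""
        if self.slot_owner.get(slot) != self.name or not self.outbox:
            return None
        return CanflexFrame(self.name, slot, self.outbox.popleft())

    def receive(self, frame, slot):
        """Receive-side flow control: wrong slot or disallowed path is blocked here."""
        if frame.slot != slot or self.slot_owner.get(slot) != frame.src:
            reason = "outside owner's slot"
        elif self.name not in self.allowed.get((frame.src, frame.inner.can_id), ()):
            reason = "path not allowed"
        else:
            self.delivered.append(frame.inner)
            return frame.inner
        self.dropped.append((frame, reason))
        return None


def run_cycle(gateways, injections, slots):
    """One TDMA cycle. `injections` maps slot -> frames a rogue node forces onto the bus."""
    collisions = 0
    for slot in range(slots):
        on_bus = []
        for gw in gateways:
            frame = gw.transmit(slot)
            if frame is not None:
                on_bus.append(frame)
        on_bus.extend(injections.get(slot, []))
        if len(on_bus) > 1:
            collisions += 1       # assumed: everything in a collided slot is lost
            continue
        for frame in on_bus:
            for gw in gateways:
                if gw.name != frame.src:
                    gw.receive(frame, slot)
    return collisions


def demo():
    slot_owner = {0: "engine", 1: "brake", 2: "steering"}      # slot 3 is unowned
    allowed = {                                                 # constructed allowed paths
        ("engine", 0x0C0): {"brake", "steering"},
        ("brake", 0x1A0): {"engine"},
        ("steering", 0x2B0): {"engine"},
    }
    gws = [CanflexGateway(n, slot_owner, allowed) for n in ("engine", "brake", "steering")]
    engine, brake, steering = gws
    engine.from_ecu(CanFrame(0x0C0, b"\x01"))
    brake.from_ecu(CanFrame(0x1A0, b"\x02"))
    injections = {   # constructed rogue frames from a node spliced into the wiring loop
        0: [CanflexFrame("engine", 0, CanFrame(0x0C0, b"\xee"))],    # engine's slot: collision
        2: [CanflexFrame("steering", 2, CanFrame(0x1A0, b"\xee"))],  # brake's ID from steering's slot
        3: [CanflexFrame("brake", 3, CanFrame(0x1A0, b"\xee"))],     # brake's ID in an unowned slot
    }
    collisions = run_cycle(gws, injections, slots=4)
    delivered = {gw.name: [f.can_id for f in gw.delivered] for gw in gws}
    drops = {gw.name: [reason for _, reason in gw.dropped] for gw in gws}
    return delivered, drops, collisions


if __name__ == "__main__":
    print(demo())
```

Only the brake ECU's genuine frame reaches the engine; every rogue frame is either lost in a collision or refused by a receiving gateway, and the one collision is the residual damage the text describes. Note that the allowed-paths table also blocks a legitimate frame from a destination it was not meant for (the brake frame at the steering gateway), which is the "packet control that does not exist in CAN".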

Animations: MOTS (man-on-the-side) and MITM (man-in-the-middle) attacks on a CAN bus network versus the same attacks with CANflex tunnelling
MOTS attack on CAN bus network
MITM attack on CAN bus network
MOTS attack with CANflex tunnelling
MITM attack with CANflex tunnelling

USB exploit successful

USB injection platform implementation

A proof-of-concept hardware USB device emulation platform was modified to operate as an injection platform. Ported to an FPGA development board, the emulator is configured to pose as a mouse and can inject keystrokes on behalf of a concurrently connected keyboard. All USB 2.0 hubs tested were found to be susceptible.

Conclusion and Future Work

Conclusion

FlexRay is often used to communicate between safety-critical aspects of vehicles including steering and brakes. With the increasing number of autonomous systems and the interconnectivity of networks in vehicles increasing, the security of FlexRay becomes even more important.

With widespread reliance on CAN and USB, rolling out effective vulnerability countermeasures to all existing instances is infeasible. However, vulnerabilities and practices explored in our research are worth taking into consideration in the design of critical systems that may need to depend on these technologies.

Future Work

The work on FlexRay-CAN gateways aims to be used to further investigate the vulnerabilities of these networks and the implications of connecting them together. We leave investigation of similar exploits on USB 3.0 systems as an open problem.

References

[1] R. Buttigieg, M. Farrugia, and C. Meli, “Security Issues in Controller Area Networks in Automobiles,” Nov. 2017.

[2] O. Avatefipour and H. Malik, “State-of-the-Art Survey on In-Vehicle Network Communication (CAN-Bus) Security and Vulnerabilities,” 2018. arXiv:1802.01725 [cs.CR].

[3] D. Oka et al., “A First Simulation of Attacks in the Automotive Network Communications Protocol FlexRay,” Jan. 2008, pp. 84–91. doi:10.1007/978-3-540-88181-0_11.

[4] W. Melching, G. Hogan, and R. Derks, “Hacking an Audi: performing a man-in-the-middle attack on FlexRay,” 2020. [Online]. Available: https://medium.com/@comma_ai/hacking-an-audi-performing-a-man-in-the-middle-attack-on-flexray-2710b1d29f3f [Accessed: Feb. 27, 2020].

Project Team

Student Researchers

Alexis Jennings
Robert Dumitru
Adam Watts

Supervisors

Dr. Matthew Sorell
Dr. Richard Matthews
Yuval Yarom
Aaron Frishling (DSTG)
Bradley Cooney (DSTG)
Daniel Coscia (DSTG)