Controller Area Network protocol: Attacks, and
Countermeasures
ABSTRACT
Contemporary vehicles are equipped with protocols for their inter-
connected system which can control critical parts of automobiles
including Electronic Control Units(ECUs) are highly relevant to
safety and connection to wireless mobile devices for various pur-
poses while a driver can only focus on driving the car. Although it
provides efficient, comfortable drivability to users, new vulnerabili-
ties follow after. In this paper, we present how CAN protocol works
efficiently, the fundamentals of attacks exploiting its vulnerability,
and the countermeasures against the attacks. In consideration of the
fact that it still has the possibility of unknown attacks, we discuss
available countermeasures. By examining the principle of attacks
and countermeasures, we evaluate them to make progress for the
ideal protocol in the aspect of productivity and security.
CCS CONCEPTS
• Computer systems organization → Embedded systems; • Net-
works → Network protocol design; • Security and privacy → Fire-
walls; Security requirements; Intrusion detection systems; Denial-of-
service attacks.
KEYWORDS
CAN(Control Area Network, In-vehicle Network, Countermeasure,
Bus-off Attack, Automotive IT, Automotive intrusion detection
1 INTRODUCTION
With the recent advance in IT technology, automobiles deploy var-
ious IT techniques for their usability now. The latest car models
utilize not only machinery devices but also a lot of computers that
are referred to as Electronic Control Unit(ECU) inside. Through this,
drivers can control safety devices such as an airbag, and entertain-
ment devices like audio system, and air conditioners electronically.
By installing electronic control on vehicles, the usability of drivers
accomplished rapid progress. However, the network of automobiles
inside which had been designed isolated in the past is opened by
external connection to expand drivers’ usability. Nowadays, mod-
ern vehicles can retrieve data from USB flash memory, wireless
connections such as Bluetooth connection, and even from 3G/4G
communication. Hence, the number of threats by malicious users
is also increased inevitably. While the security techniques of au-
tomobiles were focused on the anti-theft system for the last 30
years, the IT security implements for automotive systems were
not implemented enough. Communication between ECUs located
in vehicles leverages various protocols such as CAN(Controller
Area Network), VAN(Vehicle Area Network), LIN(Local Intercon-
nect Network), FlexRay, MOST(Media Oriented Systems Transport),
etc... This paper will particularly discuss CAN protocol, its threats,
and countermeasures to improve its security level since CAN is the
most widely used in-vehicle protocol by automobile manufacturers.
The CAN protocol has an advantage in that it does not be affected
by noise or electromagnetic waves from outside because of its phys-
ical feature that it normally has a pair of twisted cables. The CAN
protocol mainly works for the control of devices for the operation
of cars such as engines or brake and multimedia devices (e.g. audio
system). However, the design of CAN is focused on its productivity,
not on security. Although the CAN protocol has international stan-
dards classified by ISO and SAE(Society of Automotive Engineers),
a tailored security mechanism for the CAN protocol has not been
established. Recent researches suggest various attack models ex-
ploiting CAN’s weakness including the traditional attacks. We will
focus on attacks that abuse the normal mechanisms of the CAN
protocol in particular. The research for the improvement of weak
points is in progress nonetheless the foundation of complementary
measures is not progressed yet enough. For traditional computers,
the firewall is used to monitor and control the traffic based on
the configured rules and is located between a trusted side and an
untrusted side. The most representative function of a firewall is
packet filtering that inspects incoming packets and compares them
to the access control list to decide them to pass through. Moreover,
Intrusion Detection System(IDS) is commonly used to monitor the
traffic and alert the deviation of the network. We will look it over to
adjust it for an in-vehicle environment. This paper introduces the
structure, messages, and vulnerabilities of the CAN bus in Chapter
2 Then, it describes attacks in Chapter 3 exploiting CAN protocol’s
weaknesses which presented in the former chapter and Chapter 4
explains countermeasures against intrusion. Particularly, this paper
concentrates on the conventional countermeasures that most com-
puters hire and contemplates methods that are capable to adapt to
the CAN protocol too. Finally, Chapter 5 concludes the paper with
the conclusion of this study.
2 WHAT IS CONTROLLER AREA
NETWORK(CAN)?
2.1 Background
According to the progress towards the connected car, which in-
cludes ECUs inside to assist subsystems, communication between
ECUs is required. The Controller Area Network is a multi-master
broadcast serial bus standard designed to enable communication be-
tween embedded devices without requiring a host computer. Robert
Bosch GmbH has developed CAN for automotive applications. The
up-to-date version of the CAN specification is CAN 2.0 published
by Bosch in 1991. It was internationally standardized as ISO11898
which deals with only the physical and data link layers for the CAN
network in 1993. As time goes on, CAN is used for vehicles as well
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
as military, aerospace, and industrial applications and ISO standards
also changed to adapt to various markets. Although many other
protocols such as Local Interconnect Network(LIN), Flexray, Vehicle
Area Network(VAN), Media Oriented Systems Transport(MOST),
etc. have been proposed for the in-vehicle network, CAN have been
established as the de-facto standard by car manufacturers due to its
general-purpose ability to carry data for a great variety of applica-
tions while still preserving its competitive aspects. LIN is a cheap
broadcast serial network composed of one master and 15 slave
nodes but slow. FlexRay is designed to be more reliable and has
better speed than CAN thus it is considered as the protocol for the
next generation, however, it is more expensive. The CAN protocol
is internationally standardised by the following ISO documents[28]:
• ISO11898-1 covers the data link layer.
• ISO11898-2 specifies high-speed medium access unit which
consists of the physical layer of CAN.
• ISO11898-3 covers the CAN physical layer for low-speed,
fault tolerant, medium dependent interface.
However, ISO11898-2 and 11898-3, which were specified for the
physical layer of CAN, are not a part of the recent version of CAN.
SAE(Society of Automotive Engineering) provides a standard J1939
for the vehicle bus used for in-vehicle network communication.
SAE J1939 involves ISO11898 specification stipulating data rate for
those vehicles manufactured for various purposes. The packets of
J1939 contains a standard header with 29-bits of identifier named
as Parameter Group Number(PGN). A PGN identifies a function of
packet[33]. CAN bus can be used for communication of in-vehicle
systems, nevertheless, it is able to dispatch to diagnose a mechanical
fault as well. When the OBD standard connector is connected to an
external diagnose interface, it can check the faults in automobiles.
The faults which can be found by diagnosis is defined in ISO11898.
Once the special interface for diagnosing is connected, the signal
of frames is used to determine the type of fault. The mechanical
defects that can be detected by diagnosis are broken bus wire, faulty
connectors, and damaged terminating resistor.
2.2 Structure of CAN
Each CAN node can transmit and receive messages(frames), how-
ever, it can not do both simultaneously. A microcontroller in the
CAN node decides what the arrived messages mean and which
messages it wants to send. A CAN controller which is considered
an integral part of the microcontroller stores received serial bits
from the bus until it finishes to receive the whole message. The mi-
crocontroller sends a message to the CAN controller, then the CAN
controller transmits it to the bus in order when the bus is in an idle
state. A message arrived at the CAN transceiver is transformed for
the CAN controller to use it. Contrariwise, it converts received data
from the CAN controller uses to the CAN bus level when it sends
data to the bus. The main feature of CAN data transmission is that
it furnishes bitwise arbitration without loss, therefore, all modules
must be synchronized for successful arbitration. When the nodes
are in arbitration, each node must be able to inspect whether other
nodes have a dominant bit or not. To maintain its synchronized
status efficiently and not to lose data, CAN deploys dominant(logic
0) and recessive(logic 1). The way to utilize those bits for synchro-
nization will be discussed again. When the bus is in an idle state,
modules that want to send messages to attempt the transmission
simultaneously which is the reason to occur confliction. The bus
gets their ID fields at first to enter into arbitration. In arbitration,
the frames with the highest priority will be transmitted as they
intended while messages with low priority will wait until the traffic
is alleviated. Since it has to perform a comparison of values, it is
able to check the bits in arbitration concurrently. This operation
helps not to occur delay, hence it is proper for a real-time commu-
nication system. CAN is able to adapt for various applications in
higher layers and simple to configure.
A standard frame of CAN shown in Fig. 1 starts with Start-of-
frame(SOF) and continues with 11 bits of identifier. If a frame has
an extended format, the following Identifier extension bit(IDE) will
be recessive and 18 bits of identifier field will appear. The Remote
Transmission Request(RTR) field which comes next shows whether
this frame is a data frame or remote frame. When it is a remote
frame, this field has recessive bits. Then, the Data Length Code(DLC)
field contains 4 bits of the length of the data field and the Cyclic
Redundancy Check(CRC) field comes after. A recessive bit of CRC
delimiter is inserted after CRC and acknowledge slot and delimiter
follow after them. End-of-frame(EOF) denotes the end of the frame
which must be 7 bits of recessive bits.
Figure 1: The Structure of Standard CAN frame
The CAN protocol synchronizes itself since when the nodes are
in arbitration, the transmitted data and other nodes’ transmitted
data should be able to come in sight by them at the same time. To
maintain its synchronization, an additional bit of opposite value is
inserted after five continuous identical bits. This bit stuffing rule
has specific purposes that provide synchronization, adjusts its tim-
ing, and finds an error. For resynchronization, the CAN controller
expects the transition that the bits are changed to the opposite
polarity to occur at a multiple of the nominal bit time and if the
transition does not occur at the controller’s expected time, the
controller adjusts the nominal bit time. In addition, when there
are consecutive 6 bits, it can be deemed as erroneous(bit stuffing
error) and discard the frame. The bit stuffing error can be found
only between SOF bit and ACK bits. A nominal bit is divided into
four slices to synchronize: synchronization, propagation, phase 1
segment, and phase 2 segment. The bit value sampling occurs after
the phase 1 segment and if it is necessary, phase 1 or 2 segments
will be elongated or shortened.
Controller Area Network protocol: Attacks, and Countermeasures
Figure 2: Four states on CAN node
The nodes in CAN protocol has four legitimate states: idle(Receive),
arbitration, transmit, and error handling. The idle state and receive
state are similar but they have a subtle difference. The idle state
denotes that the node is listening to the bus and prepared for data
transmission while the receive state represents that the node is
listening when another node is transmitting. The arbitration state
implies the transmission of identifier bits of CAN frames. The trans-
mit state stands for the transmission of all other data.
Error handling is built into the protocol and plays an essential
role in the performance of CAN. The purpose of error handling is to
discover the presence of errors in messages on the CAN bus, in order
that the sender can retransmit the message after correction. All
CAN controllers on the bus attempt the detection of errors within
a message. Where an error is found, the node alerted error sends
an Error flag, accordingly the traffic on the bus is destroyed. Error
frame is transmitted by the node which has found the erroneous
frame. The first position of the frame is provided as a superposition
of the error flag and 8 recessive bits of delimiter come after it.
Error flag has two different kinds of flags which are referred to
as active error flag and passive error flag. By using the error flag,
all nodes on the bus can recognize the transmission error and
take an action, i.e. discard the current message. The Active error
flag is transmitted by the node which is detected as "error active"
from the network and it has 6 dominant bits. Passive error flag
which contains 6 recessive bits is sent by active error frame in the
network which detected error passive state. The node will attempt
to retransmit the erroneous message after the error frame is sent
and intermission time. CAN has fault confinement mechanisms to
prevent corrupt nodes from disrupting the whole system. Through
these mechanisms, the protocol can detect malfunctioning parts of
the system and switch off compromised nodes. There are two error
counters to serve this :
• Transmit Error Encounter(TEC) which is incremented when
a fault is detected by the transmitter,
• Receive Error Counter(REC) which is counted by listening
nodes.
Counting TEC is faster than counting REC because there is more
possibility of sending a message by a faulty transmitter. When Error
Counter raises over the defined threshold, the node will encounter
three states defined by CAN :
• Error Active(TEC<128 and REC<128): When the node has
failed to transmit the message, this Error Active node in-
creases TEC by 8 and transmits Active Error Flags. After
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
this work, it attempts to retransmit the message. It partici-
pates fully in bus communication and alerts an error by the
transmission of an active error frame. This is the normal
operating mode and default state at controller initialization,
therefore, the node can work normally.
• Error Passive(TEC>127 or REC>127) and TEC≤255): An
Error Passive node transmits 6 recessive bits of Passive Error
Flags only on errors that do not have an impact on other bus
traffic instead of Active Error Flags. Thus, the other nodes
will not hear it sending about bus errors. The node must
see the bus as being idle for 8 additional bit times after an
intermission before perceiving the bus as available. After
this phase, it will attempt to retransmit.
• Bus-off(TEC>255): Only transmit errors can cause this mode.
In the bus-off state, the station is automatically disconnected
from the bus and it is not able to send or receive messages.
In order to go back to the connection, it requires to execute a
recovery sequence which initialises again and includes con-
figuration of the CAN controller and monitoring of 128×11
correctly reordered recessive bits.
2.3 The messages from CAN
The messages sent from CAN modules are differed by their pur-
pose. First of all, the Data frame includes data for transmission.
Remote Transmission Request(RTR) field in Data frame always
must be dominant, hence in arbitration, data frame solidly win
remote frame with recessive bits in its RTR field. Remote frame
requires transmission to a specific ID. It does not include a data
field whilst its Data Length Code(DLC) field informs of the length
of the required message. A module that needs to receive certain
data can start the data transmission by sending a Remote frame to
the source nodes. The Data frame and Remote frame are separated
by Interframe space. Interframe space includes three recessive bits
of Intermission field and arbitrary length of Bus Idle field for the
nodes which are not in Error Passive state. The stations in the Error
Passive state contain Intermission, Suspend Transmission and Bus
Idle fields. The Overload frame is used to insert an additional delay
between preceding and upcoming data frames or remote frames. It
is transmitted when the inner part requires procrastination of the
following data or remote frame or when a station detects a dom-
inant bit during intermission which was originally recessive bit.
The Overload Frame is consist of an Overload Flag and Overload
delimiter. The Overload Flag destroys the intermission field since it
is requested at the first-bit time of intermission. After the Overload
Flag is transmitted, the node monitors the bus until it detects an
alteration of bit from dominant to recessive.
2.4 The vulnerability of CAN
Since electronic devices were equipped for automobiles, they have
been a very attractive prey to malicious attackers. Even though
CAN is internationally and generally installed for automotive man-
ufacturers, CAN is designed without any concern of security be-
cause it was assumed the car as an isolated environment. Due to its
typical nature of broadcasting, messages on the bus can be easily
observed, collected, and analysed by malicious users which are
transmitted from its nodes in plain form. In addition, it does not
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
require to authenticate, therefore, it is hard to find proof whether
a regular node occurred error or an attacker sent a manipulated
message deliberately and control the access of intruders. A corrupt
node can repudiate its transmission history because a method for
authentication is not feasible.
3 CAN ATTACK
Continuous embedment of computing interfaces for connection
with external devices raises the concern of its vulnerabilities. This
section describes the general attacks and the attacks exploiting the
exclusive error handling mechanism of the CAN protocol. The most
usual attacks on the operating system are deemed as a suspension
attack and masquerade attack. The suspension attack such as the
DoS attack became more sophisticated with the specific purpose to
disrupt CAN particularly.
3.1 Traditional attack on computing network
Denial-of-Service A Denial-of-Service is an attack that a large
number of spoofed packets filled with irrelevant values are sent
towards a single location and damage its availability. The main
purpose of the DoS attack is procurance of severe delay or deny
the normal commands. To mount a DoS attack on autonomous
vehicles requires an attacker to compromise a weak ECU to ex-
ploit. Usually, detrimental ECUs can generate and send DoS attack
frames to occupy the CAN bus with high priority IDs in a very short
time interval. The DoS attack can cause a vehicle not to respond
to the driver’s commands on time and this can threaten drivers’
safety. However, it has a disadvantage that can be detected simply
by protective methods such as Intrusion Detection System. The
adversary can inject the frames with high priority(0×0ID) to win
the arbitration, therefore, they can block all other IDs except 0×0ID
transmitted from the bus. As a consequence, the bus is shut down
and not able to function properly. Replay attack may be in the same
context as DoS attack since the malicious user interrupts the com-
munication and repeats legitimate messages which are broadcasted
before involving a valid ID and data payload. The sender of the
packet is verified as a legitimate station since it mimics the original
signal. It can cause the target to be overcrowded and behave in an
unexpected way. Though it seems similar to the aforementioned
DoS attack, it is not easy to detect because it imitates transmissions
of a regular node.
Masquerading attack The intruder may impersonate the reg-
ular stations which are highly relevant to the safety function of
manipulating the packets. Before the execution of the attack, the
perpetrator monitors the bus and learns the frames which have
been sent previously. This attack aims at injecting spoofed messages
through corrupt nodes and inducing the system to operate a specific
action deliberately as well as aggravating the performance of the
protocol. The impersonating stations generate messages more often
to make the system overburden. This may result in a disruption
of the sequence of frames that can cause the misfunctioning of
vehicles. For some data transmission, the automobiles require the
correct order for proper vehicle operations. In contrast with fabri-
cation attack, even though both seem similar, the noteworthy point
of this attack is that the action of it is not departing so far from the
defined behaviour, implying that the disclosure of the presence of
intruders is not as fast. Therefore, the masquerade attack can be
considered more dangerous than simply tweaking the messages on
the bus.
Removal of message Messages can be simply removed from
the bus, therefore, deleted messages will be emitted by the node.
Not just cutting of a node from the bus, inserting a terminator
resistor that wastes a message’s energy from the CAN line is also
able to remove the frames[18]. The removal of a message can cause
malfunctioning of the automobiles such as delay and shutdown of
the system which occur severe accidents. It can be considered as
similar to the usual DoS attack in respect of its ultimate purpose.
3.2 DoS attacks aimed at CAN protocol
exclusively
Fabrication Attack In this attack, the invader is not able to di-
rectly compromise the target. He or she disguises him/herself as a
legitimate node and the imposter fabricates messages with counter-
feit ID, DLC, and data to distract the target or to be inoperable by
spoofed messages from a corrupt node. A defective module occupies
the bus with frames following a legitimate specification of CAN
which was sent by other regular nodes with the highest priority at
a high frequency.
Stealth DoS A general Denial-of-Service attack is already stated
above, nevertheless, it is easily detectable by IDS/IPS approaches
what we will discuss later. Accordingly, the attacker devised a more
subtle, unrecognizable, and destroyable DoS attack. In this attack,
only specific IDs are targeted and denied, hence, other functions
work well as normal. Due to these features, the adversary does
not trigger any error and the anomaly is not detected. Other DoS
attacks are triggered by data transmission, therefore it must occur
any kinds of error inevitably. Since the data transmission in this
attack is executed at the expected time of the controller, which
means it is not considered an anomaly in IDS/IPS, the target can
be reached to a bus-off state in silence. Another reason why this
attack is hard to be perceived is that the frames generated from
corrupt nodes follow the CAN standard and its frequency like other
regular nodes. Besides, it is not expensive to perform. When the
adversary starts the attack, they compromise the microcontroller
for attack execution when it boots, and then check whether the
previous frames included the target ID or not. If it has the target
ID, the algorithm in attack inserts the dominant bit on behalf of
the first recessive bit not to be detected. Unless it updates its buffer
with the sampled bus value that they had collected.
Bus-Off attack The TEC is counted when an error occurs on the
sender side and when the TEC exceeds the limit of 255, misbehaving
ECUs enter into the bus-off mode. Upon entering this mode, the
station is coerced to disconnect from the bus to prevent distraction
during CAN bus communication. If it is a natural bus-off state, the
system operates bus-off recovery and sets the error counter back to
normal, however, if the intruder occurs a bus-off attack on purpose
to stop the bus communication, the adversary forces the victim to
keep increasing the TEC. This allows an adversary to destroy the
availability of the in-vehicle network. The corrupt message that
the attacker has sent entails the ID of the victim and is sent at the
same time when the target message is transmitted. In order to win
the arbitration, it does not require to make up a lot. That is, an
adversary needs to change at least a bit from recessive to dominant.
Controller Area Network protocol: Attacks, and Countermeasures
This attack can be divided into Phase 1 and 2[27]. Consequently,
the fabricated message from an attacker has ID with higher priority
than the message from the target. In phase 1, a target and adversary
nodes are in a normal state, error active state. The attacker sends
his or her spoofed frame at the same time when a victim sends its
packet to invoke an active error flag. Both get an active error flag
and increases 8 more their TEC values. After 11 recessive bits, they
attempt to transmit again, nevertheless, the same errors occur again
and TEC will keep incrementing. Repeating retransmission 16 times,
their TEC values become 128 thus two nodes enter into an error
passive state. A target resends its frame with a passive error flag
from now, however, the attacker transmits manipulated message at
the same time and it will succeed for transmission while a victim
keeps sending a passive error flag. Since a defective node finished its
transmission, it reduces the TEC value and escapes from the error
passive state but a target still failed to finish it, thus the target’s TEC
value increases again. Then, a victim attempts to send a message
again and it finally succeeds in reducing its TEC value. This denotes
that a victim got additional 7 TEC values during this process. After
an adversary comes back to error active mode, and since it keeps
sending a corrupt message at the same time, a target still fails to
finish the transmission and adds its TEC values until it enters into
bus-off mode exceeding TEC values over 255. The worst result of
this attack would be a shutdown of a whole network. Since the bus-
off attack exploits the error handling mechanism which is specified
under CAN standard, there is no distinct difference between regular
errors and an actual malicious encroachment. The following Fig. 2
shows the change of error counter on victim and intruder nodes
during the bus-off attack. After 16 times of increasing counter, the
attacker enters back into the Error Active state as usual while a
regular node keeps incrementing the error counter value.
Figure 3: The change of TEC values on nodes
The message sent from the invader has requirements in order to
mount a bus-off attack successfully. As mentioned above, it must
have at least one different bit from a victim message that can win
the arbitration, keeping the same preceding bits. At the same time,
it has to possess the same ID with the target message thus this bit
change occurs in the control or data field while CRC or ACK field
is not able to be modified because both are decided by the CAN
controller. An adversary can abuse the characteristic of CAN that
the value of the DLC field is always more than 1 and does not have
0, simply by fabricating the DLC or data field as 0. An intruder can
learn the DLC value because it maintains constant value over time
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
for each ID. An attacker exploits the broadcasting of CAN to get the
knowledge of the ID of a target whereas it is not feasible to find all
IDs except for IDs of packets passed through the message filter. The
filtered frames are divided into received and accepted messages and
an invader can read data from accepted messages only, therefore,
obtaining the same ID with a victim becomes different depending
on the message filter. Nonetheless, it is not difficult to ascertain
a victim ID because some ECUs are designed to deploy an empty
message filter to receive, accept, and process almost all packets from
the bus. The widely installed ECUs supporting remote diagnostic
or anti-theft is an example denoting that those may be the broad
vulnerable surface for attackers. Besides, an empty message filter is
more delicate to be damaged than a non-empty message filter. An
adversary is capable to attack the filtered packets by modifying the
message filters directly and common CAN controllers support the
adjustment and disabling of the message filter through software
command when the ECU is in configuration mode. Additionally, an
attacker must have the knowledge of the exact transmission timing
and at the same time, it must be able to transmit and repeatedly
with a target node to increase the TEC. If the attack timing has a
single bit of difference, the attacker can not trigger and win the
arbitration. A regular CAN frame is transmitted periodically and
after an adversary recognizes it, he or she can attempt to send
the fabricated message subsequent to the fixed interval, however,
synchronization of attacker and victim nodes is difficult since jitter
makes the periodicity deviate from the defined value. In order to
overcome the difficulty of synchronization, an adversary leverages
the ID of the preceding packet that is finished in the transmission
before targeted message is sent. Although the packet C has arrived
earlier than other packets A and B, if it has the lower priority, it
has to wait until others which can be the preceding messages of C
possessing higher priorities to finish their transmission. Targeting
benign C, the fabricated message from an attacker is transmitted
when the ID of the preceding message either A or B is sent. After
the preceding message is finished its transmission, the controller
sends the victim message and defective message at the same time
hence the bus-off attack succeeds. If the priority or periodicity of the
CAN frames does not change, the pattern of the message queue may
be discovered when the cycle is either the same or multiple times.
It denotes that the message Q may appear regularly subsequent to
the message P. Then, the transmission schedule is predictable and
restrictive which makes the adversary capable to attack regardless
of jitter. When the target message possesses the unique preceding
ID, the attack is feasible every time the victim packet is transmitted
thus the error counter increases consecutively. The case when the
attacker aims at the message with preceding ID practicing in the
real world requires three conditions:
• Existence: Does the preceding ID exist in the real in-vehicle
network?
• Uniqueness: If it does, how many different IDs are existing?
• Pattern: If there is more than one, is any pattern discovered
between them?
According to [27], 10% of periodic packets have unique preceding
IDs that is verifying the existence and uniqueness. That is, the bus-
off attack exploiting the preceding ID is feasible. Besides, messages
having a regular transmission cycle have fixed priority, denoting
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
that preceding ID is prevalent. The pattern of packets is extractable
even without any obvious unique preceding ID. Even though the
target does not have an inherent preceding ID, the intruder can
manipulate it for the synchronization. An adversary can transmit
the arbitrary preceding packet to attack the target without intrinsic
preceding ID. In this case, the victim message is delayed until the
transmission of the manipulated preceding message is finished thus
the intruder’s node succeeds to be synchronized.
3.3 Indirect Attack exploiting smartphone
connection
Due to contemporary cars’ wireless communication capacities, an
infringer does not need to be plugged directly into cars to attack ve-
hicles. Instead, he or she can simply bypass by pairing to the mobile
devices. S. Woo [2] suggested the attack leveraging a smartphone
app that a self diagnose app which is made with specific intention
tempts the victim to install it on their smartphone. The app shows
the speed of automobiles and ECU error code impersonating a usual
diagnostic app while it is connected to the server of the attacker.
Therefore, it unveils the status of the vehicle that some data does
not appear to the driver. Before the attack, an adversary exploits the
diagnostic message to obtain the data frame related to the critical
components. After the target installed the masquerading app and
finished pairing their vehicle and mobile phone by Bluetooth or
Wi-Fi connection, the adversary performs scanning, collects infor-
mation exploiting the detrimental app, transmits the data frame to
control the ECUs arbitrarily. It does not require the diagnostic to
be attached physically to the target since a scan tool is installed on
the victim and pairs with the mobile phone.
4 CAN COUNTERMEASURE
In order to protect drivers’ safety from intended malfunctioning
of the vehicles such as presented above, the requirements which
countermeasures must meet and several countermeasures have
been proposed to secure the protocol against the foregoing attacks
in this chapter. The countermeasures proposed in this section will
consider automobile manufacturers as well, not to lose extra money
to construct further infrastructures or design again and accept a
new expensive protocol on their products. We will focus on the
firewall and Intrusion Detection System which are the most general
countermeasures for traditional computers as well but become suit-
able for the in-vehicle network. Besides, the counterattack against
the bus-off attack will be discussed that is not able to respond with
the usual countermeasures.
4.1 Security requirements
The most criticized security concerns of CAN protocol are confiden-
tiality, integrity, and availability, thus, the security improvements
for CAN protocol must include those three and not harm or modify
the existing main features of the protocol too much. As providing
confidentiality, critical information can not be revealed to attackers.
Embedding integrity allows the automotive system to be able to
discover compromised ECU nodes and take additional actions to
prevent vehicles from causing unexpected behaviour. In particular,
all implements for security must not interfere with real-time com-
munication in an automobile since it is directly connected to the
driver’s safety. It also does not allow to add any additional hard-
ware module to implement security measures because the most
automotive system has limited resource. Since trivial misbehaviour
of autonomous vehicles can threaten the safety of drivers, security
measures should fulfill the high-precision requirements of the vehi-
cle. Finally, security implements should not interfere with drivers.
This denotes that it must be autonomous and make the driver focus
on driving the car only.
4.2 Encryption
The cryptographical method can be used to authenticate the node
or to protect the content of the frame. In consideration of the fact
that CAN broadcasts messages to all nodes without security setup,
it can secure the protocol effectively, however, strong cryptography
such as asymmetric encryption does not fit automotive systems
since the resource in the vehicles is extremely constraint and should
not be overloaded not to incur any malfunctioning. Thus, a com-
bination of symmetric and asymmetric methods is suggested as a
practical way to secure the performance of automobiles. Shared key
encryption which protects the messages on the bus fits light-weight
requirements which do not disturb the real-time communication
and asymmetric ciphering can be hired for shared key management.
M. Wolf et al. have proposed the usage of the centralized gateway
to perform encryption and suggested its possibility of functioning
for authentication in [22]. Nevertheless, when the protocol only
accepts symmetric encryption on the bus, this approach is not able
to prevent the targeted node from brute-forcing encrypted frames
and injecting random faulty values in the whole CAN traffic. For
authentication, not to add any extra burden or change too many
things that are not considered as practical, D. K. Nilsson et al. did
not adjust the basic structure of frames inordinately in [26]. They
inserted the MAC field on behalf of the CRC field since the MAC
field can also detect transmission errors what is the main role of
the CRC field. In order to perform authentication efficiently with a
new MAC field, they deployed a block cipher which is designed for
embedded devices.
4.3 Firewall
The firewall on the CAN bus can be furnished to ensure authenti-
cation and authorization on gateway nodes. In [23], they generally
proposed the concept of a firewall with two cases that the gateway
can authenticate or authorize the nodes or not. When the gateway
has the ability to verify the controllers, the principles of the firewall
are based on their permission. Unless the rules can be founded
on the authorizations of each node. W. Yan obtained patent [35]
with a CAN bus firewall based on packet filtering. According to the
description of the technique, the firewall is bi-directional to receive
and pass through incoming packets and consists of a vehicle status
logger, message filter, and storage module while supporting various
types of wireless communication. When input packets arrive at
the main processor, the vehicle status logger verifies the status of
the automobile by sending a diagnostic message and the message
filter determines to use a white-list of black-list depending on the
vehicle status. The white-list or black-list in practice contains CAN
ID which is allowed or not and the condition of automobiles. If the
ID is in the white-list, the packet passes through the firewall and
arrive at the CAN bus to operate the vehicle. Otherwise, the packet
Controller Area Network protocol: Attacks, and Countermeasures
is not allowed to proceed and the firewall generates the alert. It
updates firewall event log and blocked messages at regular intervals
to be used for analysis. The white-lists or black-lists are stored in
the storage module and sent to a cloud server.
In [20], G. Kornaros et al. presented a security implementation
that is combined with an authentication hub and firewall. Accord-
ing to his paper, simply adding an entry hub in vehicles may re-
sult in providing a more attackable surface to assailants. Thus, a
hub(gateway node) functions to provide secret AuthenticationID to
the OBD-II port and it enables nodes to connect to the network. It
provides multiple AuthenticationIDs to support access to different
services with different privileges. Moreover, a bootloader requires
bringing AuthenticationID from a hub node and fetch one from
the AuthenticationID register in the firewall which is separated
from the software. After booting, when the address range which is
configured in the firewall is caught on the bridge port, it is denied
to transmit by default filtering of a firewall based on its permission.
Furthermore, the rules are not allowed to change after booting is
finished.
S. Rizvi et al. suggested a Hybrid Security System(HSS) in [25]
that performs a program which functions like a distributed firewall
to prevent DoS attack, replay attack, and the access of the unau-
thorized user. It maintains the existing system as well as performs
the protection at the same time. It contains multiple security layers
referred to as HSS and Hybrid Security Program(HSP) to reduce
the risk of security implementation failure. HSP is located in HSS
supporting communication between the HSS layer and the Firewall
Like Program(FLP). FLP is a program installed on each node to
verify input packets to decide whether to receive them or not based
on white-list. The major difference between HSP and FLP is that
FLP is not located in the HSS layer, whereas it is in a separated
location and focuses on filtering packets. Originally, HSS deployed
stateless firewalls, however, since an attacker is capable to paralyse
it, they presented a statefull firewall installed on modules for the
connection with external devices on behalf of a stateless firewall.
When the packet meets FLP, FLP evaluates that it is trusted or not.
If the packet came from unknown sources or has been requested
over the threshold, it is not allowed to pass through the FLP. FLP
generates two kinds of flags to create a black-list with a broad spec-
trum. A yellow flag is generated when the packets from the same
source have been discarded over the threshold amount. Then, the
Flag Log located in the HSS layer receives the yellow flag. When
the Flag Log receives a fixed number of yellow flags, HSP generates
a black flag to update the filtering rule that the packet source is
included on the block table thus all FLP share the updated list. To
bypass this approach, an intruder must generate more sophisticated
message traffic because each station verifies the legitimacy of the
packet.
In [30], A. Humayed et al. presented a firewall named CANSentry
separating the CAN bus into the internal and external bus shown
in Fig. 4. Based on bus separation, critical nodes that are related
highly to drivers’ safety are protected by a firewall while a few
nodes are connected to the external network. The firewall functions
bi-directional by giving a small variation of the traditional structure
of CAN to monitor the current transmission state of the internal
bus(CAN𝑖𝑛𝑡 ) and decides to forward or discard the frames from the
external bus(CAN𝑒𝑥𝑡 ) which is located inside the firewall. The main
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
role of it is to relay legitimate packets. Since a determination must
be based on a set of rules, they clarify that the nodes connected to
the external bus must operate consistently whenever it is under
attack or not.
Figure 4: The structure of CANSentry[30]
As mentioned in Section 2.2, the CAN node has four legitimate
states while the CAN bus has the four states correspondingly. The
bus has idle, arbitration, transmit, and error flag states. Particularly,
transmit state is distinguished into Transmit𝑖𝑛𝑡 and Transmit𝑒𝑥𝑡
since the external nodes including a high risk is connected to the
main bus through the external bus. For instance, Transmit𝑒𝑥𝑡 im-
plies that the node surrounded by the firewall won the arbitration
and is transmitting to the bus. The firewall of the CANCentry node
configures the rules based on the bus states:
• The firewall always forwards the traffic from CAN𝑖𝑛𝑡 to
CAN𝑒𝑥𝑡 if CAN𝑖𝑛𝑡 is under transmit𝑖𝑛𝑡 or error flag state
regardless of the state of ECU II which entails high risk.
• When CAN𝑖𝑛𝑡 is under idle or arbitration state, the firewall
forwards all traffic from CAN𝑖𝑛𝑡 to CAN𝑒𝑥𝑡 . It allows the traf-
fic having CAN ID in the whitelist from CAN𝑒𝑥𝑡 to CAN𝑖𝑛𝑡
and blocks all other traffic from CAN𝑒𝑥𝑡 to CAN𝑖𝑛𝑡 .
• If CAN𝑖𝑛𝑡 is in Transmit𝑒𝑥𝑡 , the firewall forwards the traffic
from CAN𝑒𝑥𝑡 to CAN𝑖𝑛𝑡 and the traffic from CAN𝑖𝑛𝑡 to
CAN𝑒𝑥𝑡 is blocked except for error flags.
All rules have been established based on an assumption that the
traffic is conformed to CAN specification. Though the first rule
blocks the traffic from external nodes to internal nodes including
error flags, it does not affect the counting error of external nodes.
Internal nodes are still available to receive error flags generated by
internal nodes.
If security mechanisms are designed without concerning the
CAN standard specification, it will be another potentially vulnera-
ble surface for attackers. To overcome apprehension, CANSentry
prevents a corrupt node from transmitting unauthorized frames
by blocking them. The most attractive point of this approach is
that it does not demand extra modification of the original CAN
design, signifying that it is adaptable and based on the standard
specification. It does not require expensive hardware modules as
well. However, defining the rules of the firewall is still as difficult
as defining anomalies on IDS and CANSentry does not support
remote updates. The possibility of the attack is still existing but low.
An adversary can use the ID listed in the white-list and attempt a
message to CAN𝑖𝑛𝑡 with high frequency thus the arbitration denial
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
attack is available for the packets having lower priority. Nonethe-
less, the route of attack is predictable and the high-risk nodes which
are considered as compromisable have lower priority mostly. The
arbitration denial attack exploiting the high-risk nodes is detectable
with IDS. An adversary may attempt injection incurring the form
error to increase the REC value. To make the victim enter into
the error passive mode, the REC value should exceed 127, that is,
the intruder transmits the spoofed message repeatedly, however, a
consecutive injection attempt is able to be detected by simple IDS.
Moreover, the target does not remain in the error passive mode
permanently. It can perform the error recovery process.
4.4 Intrusion Detection System(IDS)(or IPS)
IDS/IPS approach provides clear visibility on the network traffic and
an additional layer for security. The rate of false-positive and false-
negative determines the accuracy of IDS/IPS. Traditionally, two
types of IDS are representative: one discovers a known attack and
another detects irregularity. First, the Signature-based IDS alerts
when it encounters a known sequence of frames that are already de-
fined as a violation in its database. It is reliable for detecting known
signatures and able to produce a low false-positive rate which is
considered a powerful advantage to deploy it. Nevertheless, the
system requires to be updated patterns regularly to maintain as a
well-defined system. These frequent updates have the possibility
to degrade the performance of automobiles. Besides, with regard
to the fact that the in-vehicle network is fresher than a traditional
computer system, the prediction of all violations is almost impossi-
ble. Anomaly-based IDS informs when it detects the misbehaviour
which is not defined as normal. It allows finding unknown devia-
tions as well as known signatures, thus makes an attacker difficult
to attack since he or she does not know which behaviour triggers
a response of IDS. It requires profiling a represented regular be-
haviour and threshold of a targeted system, however, the difficulty
of this process depends on the systems’ complexity and the explicit
boundary of anomalies. In comparison with the Signature-based
IDS, it involves a higher rate of false positives and false negatives.
The masquerade attack that we mentioned above may be able to
detect deploying IDS due to these features.
S. Tariq et al. proposed the algorithm that can detect infringe-
ments of the same family as DoS in [8]. If the IDS leverages char-
acteristics of the CAN frame for anomaly detection, it monitors
the inter-arrival time of the incoming packets and stores the sus-
picious IDs for further monitoring when the message rate raises
over the threshold. It is regarded as a DoS attack when the sus-
picious attempts are observed continuously. It is not difficult but
is not able to discover more sophisticated attacks such as stealth
DoS. IDS already has the knowledge of the CAN IDs, the similarity
between them, and the message distance. If a new packet has a big
difference from the knowledge, it is considered a suspicious ID and
monitored. Same as DoS detection, it is regarded as the fuzzing
attack that injects arbitrarily generated data with a random ID. This
approach requires more effort to define the similarity and message
distance thus it is more difficult than the first approach. When an
adversary blocks the benign node and replaces it, it attempts to
replay the old packets transmitted from the victim in the past with
high frequency. IDS can doubt the replaying attack when a regular
node performs transmission with high frequency. Moreover, if the
message distance is bigger than the average value, it is held as a
suspect for a replay attack.
According to [13], they presented the expectable patterns for
IDS that can be extracted from proposed attacks. First of all, the
IDS located on a single, central device can detect the message fre-
quency. Injecting malicious messages is easier than removing exist-
ing frames thus most attackers choose to insert corrupt messages
on the bus increasing transmission frequency. When IDS has the
knowledge of message frequency such as an average and deviation
of it, the attempt will be able to be discovered. Since it can be in-
stalled on a central station, it has a great advantage on the cost
aspect, however, it is only applicable for cyclic messages, not for
occasional messages. Secondly, IDS can configure rules based on its
expectation. In this case, the rules involve a sender of a message and
the types of frames from it, thus IDS can alert when the unautho-
rized suspicious sender sends a packet or the frames which were not
designated on the rules attempt to pass. It requires implementing
on different devices which costs higher than the first measurement,
but it is still able to be deemed cost-efficient. It can be adapted
not only for cyclic frames but also for others. Besides, it provides
authentication of a sender. Nevertheless, it is not effective for re-
moval attacks. It is available when legitimate nodes are working.
Lastly, they proposed to detect in the physical layer with features
such as voltage amplitudes. This approach may provide authen-
ticity because all devices have their own characteristics and can
detect various kinds of attacks while they cannot discover corrupt
packets from the same station. This denotes that it is not capable to
discover spoofed messages transmitted from compromised nodes
and differentiate its anomaly. Furthermore, this method costs a lot
than others mentioned above because it requires the installation of
additional hardware modules.
Song et al. presented IDS based on analysing the time interval
of CAN message [32]. The significant standard of this approach
is measuring message rate, which has the drawback that there is
a second gap between the start of attack and detection and its
false-negative error rate is not negligible as well. They proposed a
light-weight IDS that can reduce the delay of detection and has a
high accuracy of its performance. When a new packet appears, IDS
inspects its CAN ID and calculates its time interval. If the measured
time interval is shorter than half of the normal interval, the new
input is considered as an injection. The normal time interval is
defined as 0.5 milliseconds and classified as 0.14 milliseconds at
the minimum. For the DoS attack, IDS counts a score when the
interval is less than 0.2 milliseconds. When the score is over the
threshold, it judges that the system is under DoS attack. Since some
normal messages have very short time intervals, it deploys the
score to determine the status of the network. However, the IDS
designers must consider the possibility that the attacker can delete
legitimate frames to maintain the message frequency on the CAN
bus to deceive the detection system when they design the IDS based
on message rate.
4.5 Active Star Topology
M. Barranco et al. [10] proposed the CANcentrate model which
is based on an active star topology and deploys a new hub of all
nodes that includes fault-treatment mechanisms. When a corrupt
Controller Area Network protocol: Attacks, and Countermeasures
node is discovered, a hub can isolate it from other nodes to prevent
from occurring further problems. As the protocol includes domi-
nant/recessive bits, the hub in the topology has to follow it. In this
case, the logic AND function are leveraged for each transmission.
As mentioned above, when a node adapts its synchronization, it
divides a bit into four quantum slices. It denotes that the proto-
col responds in a bit. Though the hub may incur a delay, it has
to perform logic AND function within a bit of time. Furthermore,
the central hub must include some mechanisms that allow the hub
to distinguish the signal of regular transmission from the signal
generated as a consequence of the hub’s broadcasting in order to
identify permanently faulty nodes. The most effortless way to sep-
arate signals is to use different cables for each station connected to
the hub. Then, the cable that carries the signal from a station to the
hub becomes an uplink and the other cable conveying the outcome
from the hub would be a downlink. Unfortunately, hiring star topol-
ogy for CAN protocol may increment the wiring harness and limit
the flexibility of the network, which was the major power of the
popularity of CAN bus in the past. Traffic partitioning proposed
in [18] is also based on the star topology. This model reduces the
impact on other benign nodes when the network is under attack by
separating traffic with CAN router thus the network has several net-
work segments and frames can be exchanged via CAN router which
is based on trust by thorough verification of packets. The router
allows a message to be transmitted in one direction with specified
direction and connected segments, that it may have a possibility
of observation of a pattern. It can configure the destination of the
packet thus it limits broadcasting messages to all stations ensuring
confidentiality between network partitions. Since it has several
network partitions and packets can enter through segments, the
bus has various entries generated by network partitioning hence
messages need to be checked to pass through the router. The router
plays the role of a central entity that can exclusively possess the
bus and control the message rate and curtail the message collision
to improve availability between network segments. In order to
support traffic partitioning on the star topology, the router multi-
casts the messages selectively by using bandwidth. Moreover, it has
knowledge of valid CAN ID for every segment to prevent a corrupt
message to flow to unsuitable ECUs, and it can verify the content
of the message to ensure message integrity, but the protocol has to
be modified to perform it.
4.6 Counterattack for Bus-Off attack
Souma et al. presented a novel concept of counterattack for Bus-off
attack in [34]. They attempt counterattack when the nodes turn
from phase 1 to phase 2 by injecting dominant bits after the packet
and error flag of the defective node. It is performed assuming that
a victim is under idle state, however, this attempt sometimes failed
in their experiment making both nodes enter into the bus-off state
because the counterattack was performed on a victim station as
well as attacker station. Besides, this approach needs to reduce
the interval between detection and the start of counterattack to
maintain a valid performance of automobiles. Therefore, Takada
et al. presented an improved counterattack in [31]. This approach
implies detection and counterattack exploiting the attacker’s be-
haviour. The attacker injects the preceding frame before performing
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
the attack in order to synchronize the frames from victim and at-
tacker. At first, they consider it as the bus-off attack when a bit
error occurs consecutively in a short time, indicating that it is in
phase 1 of the bus-off attack. The large number of error frames
generated from bit errors are used to detect this state. In phase 2,
since the preceding frame was sent by the attacker to increase the
success rate of his/her attack, we perform the bus-off attack on
the preceding frame contrariwise. When it succeeds, the corrupt
node will enter into the bus-off state prior to the victim station.
They describe that this approach has a higher success rate than the
counterattack proposed by Souma et al. because it does not impact
all nodes even if it fails to perform a counterattack.
5 CONCLUSION
According to the rapid development of connected automotive sys-
tems, their vulnerability and threats increase as well. The CAN
protocol became a major standard for a network in an automobile
market due to its advantage that it is faster than LIN and cheaper
than FlexRay. However, it needs security implements since it was
initially designed with an assumption that the network is isolated.
This paper examines the various feasible attack scenarios based
on the general understanding of the protocol’s performance and
its structure, and countermeasures to cope with them. Representa-
tively, the DoS attack is a general attack that can mainly threaten
the safety of the driver even though its initial purpose is to make
the system inoperable. After the discovery of the measurements
to detect the DoS attack, the attack became more sophisticated
not to be aware simply by making it selective and stealthy with-
out triggering errors. Moreover, exclusive DoS attacks appeared
that abuse the security mechanism of the CAN. Messages can be
fabricated to congest the victim and make it behave in an unex-
pected way that can threaten the drivability of automobiles. The
Bus-off attack exploits the own characteristics of the protocol that
it stops operating when the node’s TEC raises over 128 following
the standard of CAN completely thus it is not easy to detect. The
TEC values of attacker and victim nodes increments together by
transmitting the attack message but when they exceed 128, only
the victim node maintains to increase the error counter remaining
itself in error passive mode meantime the attacker node reduces
the error counter and returns to operate normally in error active
mode. The manipulated message in this attack should have at least
one dominant bit difference to defeat the victim in arbitration and
the same CAN ID to distract and incur arbitration. Additionally, the
message frequency has to be learned to synchronize to the victim
messages hence the CAN ID of the preceding message is leveraged.
An adversary attempts to transmit the fabricated message right
after the transmission of the preceding packet is finished. If the
transmission of the target occurs periodically, it may have a pattern
that the target follows after the specific preceding frame. The at-
tacker is able to pretend to a regular node and inject spoofed value
on frames, which is not able to be found simply by monitoring
the traffic or nodes. According to the increase of connection with
mobile devices and automobiles, the surface where it is exposed to
malicious users is expanded increasing vulnerabilities as well. It
denotes that pairing a mobile device to automotive systems can be
a new weakness to the in-vehicle network. Through connecting to
a compromised app for car diagnose, a target can be distracted and
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
not able to function as normal. It is also still feasible to remove the
messages on the bus simply which is considered a primitive form
of attack on electronic devices. The target system does not function
according to its expected way when the scheduled frame has not
arrived.
The security requirements and countermeasures for presented
attacks are introduced in Section 4 as well. The countermeasure
must ensure the basic principles of IT security: confidentiality,
integrity, and availability meantime any implements for enhancing
security must consider that only limited resources are allowed
to automobiles, and it has to maintain its capability of real-time
communication while keeping its autonomous performance. When
a severe delay occurs during driving, the drivers are not able to
be assured of their safety in the vehicle. In order to achieve major
principles of security, first of all, encryption is proposed to prevent
frames from observing, analyzing, and spoofing. Authorization and
authentication can be accompanied through this approach, but
strong encryption does not fit our requirements. Additionally, there
is still a possibility of brute-forcing for ciphered messages and we
should always consider tenacious intruders who can invest their
time to ruin the system. The firewall is a common security method
for traditional computers, but it is also able to be used for the in-
vehicle network in practice. It can compare each packet’s CAN ID to
the white- or black-list or verify the permission based on the ID for
authentication. CANSentry what we focused on this paper filters
the incoming packets based on the bus separation. The incoming
packets from risky nodes meet the firewall and are filtered based on
the blocklists. In order to increase the accuracy of the performance,
it monitors the suspicious IDs which behave in a deviated way from
average. It minimizes the probability of attacks bypassing it and
the cost for implementation by deploying the original structure
of the protocol. IDS/IPS detects deviation and alerts to users to
take further action while keeping the low rate of false-positive and
false-negative detection and the most common classifications of
IDS are signature-based and anomaly-based IDS. When it is based
on the signature of the frame, it discovers problematic messages
which are adjusted with random sequence, however, it must define
and update the regular pattern of frames regularly, and it has to
learn about new types of attack. The anomaly-based IDS must set
the boundary of the normal behaviour of the system while it is hard
to be differentiated. We introduced some papers that presented
patterns for IDS/IPS which can be observed when automobiles
are under attack. The IDS in automobiles can detect the message
frequency to classify the malicious attempts in the traffic. This paper
suggested the installation of a central hub to build a star topology
to monitor the frames and isolate the defective nodes. Not to occur
any delay, it performs logic AND function with the same speed as
the protocol. Nonetheless, it still has a suspicion for its application
validity in automobiles. In addition, a counterattack for the bus-off
attack is proposed that detects the attempt of attack and retaliates
the adversary. The later version improves the probability of failure
by leveraging the preceding frame. The ultimate purpose of this
paper is to introduce the importance of securing the automobiles
and practical scenarios in Section 3 and 4 and to be helpful to
enhance vehicle security and safety.
REFERENCES
[1] Kyung-Tak Cho and Kang G. Shin. Fingerprinting Electronic Control Units for Ve-
hicle Intrusion Detection. Proceedings of the 25th USENIX Security Symposium,
p.911-927. Aug, 2016.
[2] Samuel Woo, Hyo Jin Jo, and Dong Hoon Lee. A Practical Wireless Attack on the
Connected Car and Security Protocol for In-Vehicle CAN. IEEE Transactions on
Intelligent Transportation Systems, vol. 16, no. 2, pp.993-1006. Apr, 2015
[3] A-Ram Cho, Hyo Jin Jo, Samuel Woo, Young Dong Son, and Dong Hoon Lee. A
Message Authentication and Key Distribution Mechanism Secure Against CAN
bus Attack. Journal of the Korea Institute of Information Security & Cryptopology,
vol. 22, Issue 5, pp. 1057-1068. 2012.
[4] Wufei Wu, Renfa Li, Guoqi Xie, Jiyao An, Yang Bai, Jia Zhou, Keqin Li. Survey on
Security Threats and Protection Mechanisms in Embedded Automotive Networks.
IEEE Transactions on Intelligent Transportation Systems, vol. 21, no. 3, pp.919-
933. Mar, 2020.
[5] Wonsuk Choi, Kyungho Joo, Hyo Jin Jo, Moon Chan Park, and Dong Hoon Lee.
VoltageIDS:Low-level Communication Characteristics for Automotive Intrusion
Detection System. IEEE Transactions on Information Forensics and Security, vol.
13, No. 8. Aug, 2018.
[6] N. Nowdehi, W. Aoudi, M. Almgren, and T. Olovsson. CASAD: CAN-Aware
Stealthy-Attack Detection for In-Vehicle Networks. 2019.
[7] Pal-Stefan Murvay and B. Groza. DoS attacks on Controller Area Network by Fault
injections from the Software layer. ARES’17:Proceedings of the 12th International
Conference on Availability, Reliability and Security, no.71, pp.1-10. Aug, 2017.
[8] Shahroz Tariq, Sangyup Lee, Huy Kang Kim, and Simon S. Woo. CAN-ADF: The
Controller Area Network Attack Detection Framework. May, 2020.
[9] Wikipedia contributors. CAN bus - Wikipedia, the free encyclopedia. https:
//en.wikipedia.org/wiki/CAN_bus, 2020.
[10] M. Barranco, J. Proenza, G. Rodrigez-Navas, and L. Almeida. An Active Star
Topology for Improving Fault Confinement in CAN Networks. IEEE Transactions
on Industrial Informatics. Jun, 2006.
[11] Bruno Gaujal and Nicolas Navet. Fault Confinement Mechanisms of the CAN
Protocol: Analysis and Improvements [Research Report] RR-4603, INRIA. 2002.
inria-00071982
[12] Kyong-Tak Cho and Kang G. Shin. Error Handling of In-vehicle Networks Makes
Them Vulnerable. Proceedings of the 2016 ACM SIGSAC Conference on Computer
and Communications Security, pp. 1044-1055. Oct, 2016.
[13] T. Hoppe, S. Kiltz, and J. Dittmann. Security Threats to Automotive CAN Net-
works - Practical Examples and Selected Short-Term Countermeasures. In: Harri-
son M.D., Sujan MA. (eds) Computer Safety, Reliability, and Security. SAFECOMP
2008. Lecture Notes in Computer Science, vol 5219. Springer, Berlin, Heidelberg.
[14] Steve Corrigan.
Introduction to the Controller Area Network(CAN).
Application Report SLOA101B.
Aug, 2002.
[15] Palanca A., Evenchick E., Maggi F., and Zanero S. A Stealth, Selective, Link-layer
Denial-of-Service Attack Against Automotive Networks. In: Polychronakis M.,
Meier M. (eds) Detection of Intrusions and Malware, and Vulnerability Assesment.
DIMVA 2017. Lecture Notes in Computer Science, vol 10327. Springer, Cham.
[16] The CAN Protocol Tour.
KVASER.[online]
http://www.kvaser.com/about-can/the-can-protocol/
[17] J. A. Cook, J. S. Freudenberg. Controller Area Network(CAN). Fall, 2008.
[18] R. Kammerer, B. Froemel, and A. Wasicek. Enhancing Security in CAN Systems
using a Star Coupling Router. 7th IEEE International Symposium on Industrial
Embedded Systems(SIES’12). 2012.
[19] Sunghyuck Hong. Research on Countermeasures of Controller Area Network
Vulnerability. Journal of Convergence for Information Technology, vol. 8, Issue
5, pp. 115-120. 2018.
[20] G. Kornaros, O. Tomoutzoglou and M. Coppola. Hardware-Assisted Security
in Electronic Control Units: Secure Automotive Communications by Utilizing
One-Time-Programmable Network on Chip and Firewalls. IEEE Micro, vol. 38,
no. 5, pp. 63-74. Sep./Oct., 2018.
[21] A. Dardanelli, F. Maggi, M. Tanelli, S. Zanero, S. M. Savaresi, R. Kochanek, and T.
Holz. A Security Layer for Smartphone-to-Vehicle Communication Over Blue-
tooth. IEEE Embedded Systems Letters, vol. 5, no. 3. Sep, 2013.
[22] M. Wolf, A. Weimerskirch, and C. Paar. Security in Automotive Bus Systems.
2004.
[23] Wolf M., Weimerskirch A., Paar C. Secure In-Vehicle Communication In:Lemke
K., Paar C., Wolf M. (eds) Embedded Security in Cars. Springer, Berlin, Heidelberg.
2006.
[24] A. Tomlinson, J. Bryans, and S. A. Shaikh. Towards Viable Intrusion Detection
Methods For The Automotive Controller Area Network. 2nd Computer Science
in Cars Symposium - Future Challenges in Artificial Intelligence Security for
Autonomous Vehicles (CSCS 2018) Sep, 2018.
[25] S. Rizvi, J. Willet, D. Perino, S. Marasco, and C. Condo. A Threat to Vehicular
Cyber Security and the Urgency for Correction Procedia Computer Science, vol.
114, pp. 100-105. 2017.
Controller Area Network protocol: Attacks, and Countermeasures
[26] D. K. Nilsson, U. E. Larson, and E. Jonsson. Efficient In-Vehicle Delayed Data
Authentication Based on Compound Message Authentication Codes. IEEE 68th
Vehicular Technology Conference, Calgary, BC, pp. 1-5. 2008.
[27] Kyong-Tak Cho, Kang G. Shin. Error Handling of In-vehicle Networks Makes
Them Vulnerable CCS’16: Proceedings of the 2016 ACM SIGSAC Conference on
Computer and Communications Security, pp. 1044-1055. Oct, 2016.
[28] ISO11898-2 Road vehicles — Controller area network(CAN) — Part 2: High-speed
medium access unit ISO.
[29] Jarosław Jajczyk, Krzysztof Matwiejczyk. CAN bus diagnostics. Computer Appli-
cations in Electrical Engineering, vol. 12, pp. 376-385. 2014.
[30] Humayed A., Li F., Lin J., Luo B.. CANSentry: Securing CAN-Based Cyber-
Physical Systems against Denial and Spoofing Attacks. Computer Security –
ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science, vol 12308.
Springer, Cham. Sep, 2020.
Advanced Topics in Network and System Security, Winter term 2020/2021, Cottbus
[31] Masaru Takada, Yuki Osada, Masakatu Morii. Counter Attack against the Bus-Off
Attack on CAN. 14th Asia Joint Conference on Information Security(AsiaJCIS),
pp. 96-102. 2019.
[32] Hyun Min Song, Ha Rang Kim, and Huy Kang Kim. Intrusion Detection System
Based on the Analysis of Time intervals of CAN Messages for In-Vehicle Network.
2016 International Conference on Information Networking(ICOIN), pp. 63-69,
Kota Kinabalu. 2016.
[33] Wikipedia contributors. SAE J1939 - Wikipedia, the free encyclopedia. https:
//en.wikipedia.org/wiki/SAE_J1939, 2020.
[34] Daisuke Souma, Akira Mori, Hideki Yamamoto, and Yoichi Hata. Improvement
of the counter bus-off attack, pp. 448-453. Computer Security Symposium. Oct,
2018.
[35] W. Yan. Vehicle communication system based on controller-area network bus
firewall. US Patent 10,291,583. May 14, 2019.