SECURITY ANALYSIS OF THE CAN PROTOCOL USED IN CARS
DOI: https://doi.org/10.24867/29BE35Filipovic
Keywords: automotive security, CAN protocol, threat model
Abstract
This paper analyzes vehicle security with a particular focus on the CAN protocol and its components. Potential attackers have been identified, and their objectives are thoroughly described. The vehicle's architecture is outlined, with an emphasis on electronic control units, the communication network, and the CAN protocol. As a result of this research, a threat model has been developed that encompasses the identified and analyzed threats and attacks on the CAN protocol, with the STRIDE framework used for threat categorization. Mitigation mechanisms have also been identified, classified into reactive and preventive measures, and these mechanisms are described in detail.
Published: 2024-11-06
Section: Electrotechnical and Computer Engineering