Defending CAN bus Part 1: Attacks and intrusion detection

CAN bus is a wildly successful fieldbus protocol that is perfectly designed for vehicle applications (even including spacecraft that have gone to Mars). But that success in handling sensors and actuators means it's going to be attacked by anyone wanting to compromise a vehicle. So there has been lots of activity on how to improve the security of CAN bus. I have produced a four-part video series that covers the topic of CAN security, going over the types of attack on CAN and the four major techniques for defending a CAN bus against those attacks.

Each episode in the series covers one mitigation technique, and this first episode gives a taxonomy of attacks and shows how the less commonly understood CAN protocol attacks work and why they are particularly insidious. Also covered is the first of the four defensive techniques: the intrusion detection system (IDS).

Defending CAN bus Part 2: Cryptography

Each episode in the series covers one technique for defending the CAN bus, and this second episode describes cryptography. It discusses how the needs of a distributed real-time control system impact on the requirements for a cryptographic system. The implementation issues are covered, including a case study of the CryptoCAN system from Canis Labs, and a description of the SHE standard for automotive hardware security modules (HSMs).

Defending CAN bus Part 3: Security gateways

This third episode describes security gateways, using the Canis Labs security gateway as a case study. It covers the things that security gateways must do, particularly the buffering and real-time handling of frames.

Defending CAN bus Part 4: CAN-HG

This fourth episode describes hardware protection of CAN using the new CAN-HG protocol. The episode describes how CAN-HG augments the CAN protocol and provides both authentication and protection against denial-of-service attacks directly in hardware. There is a demonstration of this, plus CAN-HG carrying a hundred-byte payload hidden inside an 8-byte classic CAN frame.

Getting started with CryptoCAN

This video gives a quick introduction to CryptoCAN and how to get started with it on the CANPico with MicroPython. It covers key provisioning with the HSM, how to send encrypted messages over CAN and how to decode them at receivers.

How software uses an I/O pin mux to get direct access to a CAN transceiver

CAN protocol attacks are mounted by software getting direct access to the RX and TX pins of a CAN transceiver, bypassing the on-chip CAN module. This short video gives an example of how the pin mux on the STM32F405 microcontroller is set up for CAN and how it is altered to give software access to the pins. Watch to the end for a tip on how to make CAN protocol attacks much harder!

Priority inversion on CAN

Shows an example of how priority inversion happens on CAN bus, and how the transmission of the most urgent frame in a CAN bus can be delayed for an arbitrarily long time.

An intro to the CANPico board

A short introduction to the Canis Labs CANPico CAN hardware for the Raspberry Pi Pico. Demonstrates sending CAN frames with the MicroPython CAN API and a logic analyzer with a CAN protocol decoder.

The CANHack toolkit

A demonstration of the CANHack CAN protocol hacking software, including three new protocol attacks.

Inspiration for CAN-HG

The inspiration for putting high-speed data inside classic CAN frames? Movie film. The movie industry had a similar problem: how to get lots of new digital sound data into old film format, retaining compatibility with old projectors. Their solution was really neat…

Demonstration of attacks on the CAN protocol

In this presentation we describe the concept of attacks on the CAN protocol itself and then demonstrate several different attacks on a small benchtop CAN network of open-source CANPico boards from Canis Labs, using the open-source CANHack toolkit to mount the attacks and the Canis Labs open-source Sigrok CAN logic analyzer to see how these attacks look. We will also discuss ways to mitigate these attacks.

Securing CAN bus: augmenting the CAN protocol (Dr. Ken Tindell webinar)

CAN is an old protocol, dating back to the late 1980s when few had heard of the Internet let alone the idea of connecting cars to it. It remains ubiquitous because it’s almost perfectly designed to fit the needs of the automotive industry. But now it is time to directly address the security of CAN. This talk describes how the CAN protocol can be augmented with hardware to provide security features such as anti-spoofing and protection against denial-of-service attacks.

CAN Quiz

What happens when two CAN controllers on an otherwise empty bus each transmit, at the same time, frames with the same ID of 0x123 and payloads of 66 69 72 73 74 and 73 65 63 6f 6e 64 respectively? To find out, watch the video.

CANPico Wireshark

Showing a Canis Labs CANPico board used as a USB CAN adapter for Wireshark.

The Janus Attack

The Janus Attack is a low-level attack on the CAN protocol itself, where a CAN frame contains two different payloads, with a targeted CAN controller seeing a different payload to other CAN controllers.

PulseView and CAN decoder demo

Shows Sigrok PulseView with the can2 CAN protocol decoder being used to decode CAN signals from a bus. Also shows how the low-level view of the protocol can show attacks on the CAN bus that are invisible at the higher frame level.

Demonstration of priority inversion on CAN bus

Shows a real system suffering priority inversion due to FIFO queueing of CAN frames, and how switching to priority queueing fixes this.

The MIN protocol

An overview of the MIN protocol and how it can be used to control an embedded device from host PC software via a Python API.

© 2023 Canis Automotive Labs Ltd