Exploring Attack Surfaces of Voltage-Based Intrusion Detection Systems in Controller Area Networks

Abstract

Electronic Control Units (ECUs) in automobiles exchange information using in-vehicle network protocols such as the Controller Area Network (CAN). Designed for isolation, these protocols do not have security mechanisms such as message authentication or encryption. In order to secure the CAN protocol, anomaly-based Intrusion Detection Systems (IDSs) have been proposed to track physical properties and detect unexpected deviations from their normal behaviors. Voltage-based IDS (VIDS) exploits voltage characteristics for anomaly detection. To measure the voltage of the CAN bus, a VIDS requires additional wires to connect the microcontroller to the CAN bus. As a result, these wires may in turn introduce new attack surfaces to the CAN bus if the VIDS itself is compromised. In this paper, we propose three voltage-based attacks: 1) the overcurrent attack, in which the adversary damages the compromised ECU’s microcontroller by letting the current that flows into an analog pin exceed the maximum amount that the microcontroller can absorb, 2) the denial-of-service attack, in which the adversary prevents any message from being transmitted by setting the CAN bus to an idle state, and 3) the forced retransmission attack, in which the adversary forces an ECU to retransmit by inducing an error during message exchange. To defend against the above attacks, we propose a hardware-based Intrusion Response System (IRS) that disconnects the VIDS from the CAN bus at the onset of the attacks. We demonstrate the proposed attacks on a CAN bus testbed and evaluate the effectiveness of the proposed IRS.

Publication
2018 16th ESCAR Europe (ESCAR’18)