Exposing New Vulnerabilities of Error Handling Mechanism in CAN

Authors: 

Khaled Serag and Rohit Bhatia, Purdue University; Vireshwar Kumar, Indian Institute of Technology Delhi; Z. Berkay Celik and Dongyan Xu, Purdue University

Abstract: 

Controller Area Network (CAN) has established itself as the main internal communication medium for vehicles. However, recent works have shown that error handling makes CAN nodes vulnerable to certain attacks. In the light of such a threat, we systematically analyze CAN's error handling and fault confinement mechanism to investigate it for further vulnerabilities. In this paper, we develop CANOX, a testing tool that monitors the behavior of a CAN node under different bus and error conditions, and flags conditions that cause an unexpected node behavior. Using CANOX, we found three major undiscovered vulnerabilities in the CAN standard that could be exploited to launch a variety of attacks. Combining the three vulnerabilities, we construct the Scan-Then-Strike Attack (STS), a multi-staged attack in which an attacker with no previous knowledge of the vehicle's internals maps the vehicle's CAN bus, identifies a safety-critical ECU, swiftly silences it, and persistently prevents it from recovering. We validate the practicality of STS by evaluating it on a CAN bus testbed and a real vehicle.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {272172,
author = {Khaled Serag and Rohit Bhatia and Vireshwar Kumar and Z. Berkay Celik and Dongyan Xu},
title = {Exposing New Vulnerabilities of Error Handling Mechanism in {CAN}},
booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {4241--4258},
url = {https://www.usenix.org/conference/usenixsecurity21/presentation/serag},
publisher = {{USENIX} Association},
month = aug,
}

Presentation Video