© 2018 LAC Co., Ltd.
Smart CAN Cable,
another IPS for CANBUS network
November 16, 2018
Ryoichi KIDA and Kiyotaka ATSUMI
IoT Tech. Lab., CYBER GRID JAPAN,
LAC Co., Ltd.
Disclaimer
This presentation expresses the authors' personal opinions and does not represent the opinions of the organizations they belong to.
Outline
1. Introduction
2. Current security measures
3. The idea of Smart CAN Cable
4. Conclusion
Introduction
The future situation of the automobile
- Governments will require OEMs to equip cars with a cloud connection and with V2X (C2X in Europe). In other words, almost all cars will be connected.
- The cloud connection will deliver the latest maps, the current traffic-jam situation and the latest firmware, and it will be used for remote maintenance when a car breaks down.
- V2X (C2X) will deliver useful safety information, for example:
  - the traffic signal ahead is about to turn red,
  - a motorcycle is hidden behind an oncoming car while you are about to turn left,
  - a large piece of cargo has fallen from a truck 500 m ahead,
  - and much other information useful for safety.
Published remote attacks on connected cars (*1, *2):
*1) IOActive: Remote Exploitation of an Unaltered Passenger Vehicle, https://ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf
*2) KEEN Security Lab: Experimental Security Assessment of BMW Cars: A Summary Report, https://keenlab.tencent.com/en/Experimental_Security_Assessment_of_BMW_Cars_by_KeenLab.pdf
Introduction
Important facts
- All software has bugs, and some of them are vulnerabilities.
- Malicious actors constantly search for and exploit vulnerabilities, including those in connected cars.
- Malicious actors plant malware into computers, including ECUs, to collect information that is useful for the next attack.
- The malware stays resident in the computer or the ECU and carries out that next attack.
How do we prevent this?
By observing malicious activity and handling incidents.
Introduction
Possibilities of MSS for connected cars
- MSS (Managed Security Service) is a service in which security analysts check the logs sent from the customer's firewalls and IDS, and call the customer when they find a critical attack.
- Can it be adapted to connected cars?
Introduction
Possibilities of MSS for connected cars
Scenario 1: MSS applied to connected cars using the current in-vehicle security measures (IDS, MAC, and so on).
- Malicious actor: "Attack!"
- Security Operation Center: "Oh my gosh! Your car has been compromised by the actor. You must pull over to the edge of the road and stop the engine. I pray for your safety."
- Driver: "I cannot control this car! Please help me!"
The Security Operation Center cannot stop this attack, because it cannot identify which ECU is compromised.
Introduction
Possibilities of MSS for connected cars
Scenario 2: MSS applied to connected cars using an in-vehicle security measure that identifies the compromised ECU.
- Malicious actor: "Attack!"
- Security Operation Center: "Oh my gosh! An ECU in your car has been compromised by the actor. To stop the attack, we are shutting down the compromised ECU. You must pull over to the edge of the road and stop the engine."
- Driver: "OK, I think I can manage that."
The behaviour of the car stays stable, because the compromised ECU is identified and stopped.
Introduction
Possibilities of MSS for connected cars
That is, MSS for connected cars needs a measure that identifies the compromised ECU.
Current security measures
Studies of security measures
We found several studies on security measures for in-vehicle networks that relate to our study:
- IDS/IPS
- Message Authentication Code (MAC)
- Identity-Anonymized CAN (IA-CAN)
- ...
In fact, many researchers are working on security measures for connected cars.
Current security measures
Proposed IDS/IPS ideas
[Figure: a CAN bus carrying several ECUs and an OBD-II port, with one IDS node listening on the bus]
Many ideas have been proposed for identifying an illegal frame:
- Blacklist / whitelist
- Corrupted frame
- Unlikely frame
- Irregular frame among cyclic frames
- Somehow suspicious frame...
Current security measures
Proposed IDS/IPS ideas
[Figure: the same bus, with an IPS node in place of the IDS]
Few ideas have been proposed for intercepting the illegal frame:
- Overwrite the illegal frame with an error frame
- ...
Open questions:
- Does it work well?
- How do we get control back from the actor?
Current security measures
Message Authentication Code (MAC)
- A MAC is a value computed over the frame data and a freshness value with a keyed cryptographic function (a keyed hash such as HMAC, or a block-cipher CMAC), so only an ECU holding the key can produce a valid one.
- AUTOSAR defines a MAC for in-vehicle communication in its Secure Onboard Communication (SecOC) specification.
AUTOSAR: Specification of Secure Onboard Communication
https://www.autosar.org/fileadmin/user_upload/standards/classic/4-3/AUTOSAR_SWS_SecureOnboardCommunication.pdf
Frame layouts (standard 11-bit ID frame):
Original CAN frame:
  SOF | CAN ID (11 bits) | RTR | IDE | R | DLC (4 bits) | Data Field (0-64 bits) | CRC (15 bits) | CRC Delimiter | ACK | ACK Delimiter | EOF (7 bits)
CAN frame with MAC:
  SOF | CAN ID (11 bits) | RTR | IDE | R | DLC (4 bits) | Data Field (0-32 bits) | Freshness (4 bits) | MAC (28 bits) | CRC (15 bits) | CRC Delimiter | ACK | ACK Delimiter | EOF (7 bits)
Current security measures
Message Authentication Code (MAC)
- Advantage:
  - Almost every illegal frame is refused by all ECUs, because the frame does not carry a valid MAC.
- Disadvantages:
  - A MAC cannot refuse illegal frames if the actor controls an ECU that can compute a correct MAC.
  - A MAC cannot identify which ECU is compromised when all ECUs use the same key.
  - A MAC requires considerable computing resources on the ECUs.
  - A MAC shortens the data field from 64 bits to 32 bits.
  - A MAC may be weak against a flooding attack.
AUTOSAR: Specification of Secure Onboard Communication
https://www.autosar.org/fileadmin/user_upload/standards/classic/4-3/AUTOSAR_SWS_SecureOnboardCommunication.pdf
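As an added worked example (not part of the original slides and not AUTOSAR's or LAC's code), the following Python models the MAC frame layout shown above: a 32-bit data field, 4 bits of truncated freshness and a 28-bit truncated MAC packed into the 8-byte payload. The receiver reconstructs the full freshness counter from the 4 transmitted bits, rejects a replayed frame and a frame forged without the key, and, as the disadvantages list points out, accepts a frame from a compromised ECU that holds the shared key without being able to say which ECU sent it. HMAC-SHA256 stands in for the AES-CMAC that SecOC deployments usually use so that the example runs on the standard library; the key, the CAN ID, the freshness window and the frame contents are constructed for the demonstration.

```python
"""SecOC-style truncated MAC and freshness on a classic CAN frame (added example)."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo key; in the MAC scheme discussed above every ECU holds this same key.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DATA_BYTES, FRESH_BITS, MAC_BITS = 4, 4, 28     # 32 + 4 + 28 = 64 bits of payload
FRESH_MASK = (1 << FRESH_BITS) - 1


def compute_mac(key: bytes, can_id: int, data: bytes, freshness: int) -> int:
    """28-bit truncated authenticator over CAN ID | data | full freshness counter.
    HMAC-SHA256 stands in for the AES-CMAC that SecOC deployments usually use."""
    msg = can_id.to_bytes(2, "big") + data + freshness.to_bytes(8, "big")
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(full[:4], "big") >> (32 - MAC_BITS)


def build_secured_payload(key: bytes, can_id: int, data: bytes, freshness: int) -> bytes:
    """8-byte payload: 32-bit data | 4-bit truncated freshness | 28-bit truncated MAC."""
    if len(data) != DATA_BYTES:
        raise ValueError("data field is limited to 32 bits once the MAC is appended")
    tail = ((freshness & FRESH_MASK) << MAC_BITS) | compute_mac(key, can_id, data, freshness)
    return data + tail.to_bytes(4, "big")


class Receiver:
    """Verifies secured payloads; accepts a counter at most `window` steps ahead of the last one."""

    def __init__(self, key: bytes, window: int = 4):
        self.key, self.window = key, window
        self.last_freshness: Dict[int, int] = {}   # last accepted full counter, per CAN ID

    def verify(self, can_id: int, payload: bytes) -> Optional[bytes]:
        data, tail = payload[:DATA_BYTES], int.from_bytes(payload[DATA_BYTES:], "big")
        trunc_fresh, mac = tail >> MAC_BITS, tail & ((1 << MAC_BITS) - 1)
        last = self.last_freshness.get(can_id, 0)
        # Smallest counter above `last` whose low 4 bits match the transmitted ones.
        candidate = last + 1 + ((trunc_fresh - (last + 1)) & FRESH_MASK)
        if candidate - last > self.window:
            return None                             # replayed, or too far ahead
        expected = compute_mac(self.key, can_id, data, candidate)
        if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return None                             # forged or corrupted
        self.last_freshness[can_id] = candidate
        return data


def demo() -> Dict[str, bool]:
    """Four constructed frames on CAN ID 0x123: genuine, replayed, forged, and insider."""
    rx = Receiver(SHARED_KEY)
    genuine = build_secured_payload(SHARED_KEY, 0x123, b"\x00\x00\x00\x2a", 1)
    forged = build_secured_payload(b"attacker-guess", 0x123, b"\xff\xff\xff\xff", 2)
    # A compromised ECU that holds the shared key produces a perfectly valid frame.
    insider = build_secured_payload(SHARED_KEY, 0x123, b"\xde\xad\xbe\xef", 2)
    return {
        "genuine_accepted": rx.verify(0x123, genuine) == b"\x00\x00\x00\x2a",
        "replay_rejected": rx.verify(0x123, genuine) is None,
        "forgery_rejected": rx.verify(0x123, forged) is None,
        "insider_accepted": rx.verify(0x123, insider) == b"\xde\xad\xbe\xef",
    }


if __name__ == "__main__":
    print(demo())
```

The insider frame is indistinguishable from a genuine one at the receiver: the key is shared, so a valid MAC proves only that some ECU with the key sent the frame, not which one. That attribution gap is what the rest of the deck addresses.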
Current security measures
Identity-Anonymized CAN (IA-CAN)
- The sender's identification is encrypted together with a freshness value and placed in the extended CAN ID field.
- All ECUs hold the same synchronized freshness value.
- Every ECU can therefore identify the sender ECU of every frame it receives.
Xia, Z., Kawabata, T., Komano, Y., "A Secure Design for Practical Identity-Anonymized CAN Application," Embedded Security in Cars (escar) Europe, November 16, 2016
Frame layouts (extended 29-bit ID frame):
Original CAN frame with extended ID:
  SOF | CAN ID (11 bits) | SRR | IDE | Extended ID (18 bits) | RTR | R1 | R2 | DLC (4 bits) | Data Field (0-64 bits) | CRC (15 bits) | CRC Delimiter | ACK | ACK Delimiter | EOF (7 bits)
IA-CAN frame:
  SOF | CAN ID (11 bits) | SRR | IDE | Encrypted Sender ID (18 bits) | RTR | R1 | R2 | DLC (4 bits) | Data Field (0-64 bits) | CRC (15 bits) | CRC Delimiter | ACK | ACK Delimiter | EOF (7 bits)
Current security measures
Identity-Anonymized CAN (IA-CAN)
- Advantage:
  - Frames from an unknown sender ECU can be refused.
- Disadvantages:
  - IA-CAN cannot refuse an illegal frame sent by a legitimate sender ECU.
  - IA-CAN occupies the 18-bit extended CAN ID field, so that field is no longer available for addressing.
  - IA-CAN may be weak against a flooding attack.
Xia, Z., Kawabata, T., Komano, Y., "A Secure Design for Practical Identity-Anonymized CAN Application," Embedded Security in Cars (escar) Europe, November 16, 2016
Our Proposal
Smart CAN Cable
The idea of identifying a compromised ECU
[Figure: Smart CAN Cable: each ECU, the IDS and the OBD-II port attach to the bus through its own connector]
- Smart CAN Cable identifies the compromised ECU that sent an illegal frame.
- Smart CAN Cable is controllable per connector: each ECU can independently be allowed to send frames or be cut off.
Smart CAN Cable
The idea of identifying a compromised ECU
How to identify the compromised ECU
[Figure: the same topology, one connector per ECU, IDS and OBD-II port]
1. Every connector has a ring buffer in which it records the frames sent by the ECU directly attached to it.
2. When the IDS identifies an illegal frame, it asks all connectors whether that frame is in their ring buffer.
3. The compromised ECU is the one directly attached to the connector that holds the illegal frame.
Smart CAN Cable
The idea of identifying a compromised ECU
Example: ECU2 sends an illegal frame
[Figure: ECU1, ECU2 (compromised), ..., ECUn, the IDS and the OBD-II port, each behind its own connector; the arrows distinguish the illegal frame, the hash value of the illegal frame, and the information about the compromised ECU]
1. ECU2, which is compromised, sends the illegal frame.
2. ECU2's connector records the hash value of the frame in its ring buffer, and the frame itself is broadcast on the CAN bus.
3. The IDS decides that the frame is illegal.
4. The IDS asks all connectors whether they hold the illegal frame, by broadcasting its hash value.
5. Only the connector attached to ECU2 holds the same frame; that is, ECU2 is compromised.
6. That connector broadcasts the information about the compromised ECU and cuts ECU2 off the bus.
Smart CAN Cable
The idea of identifying a compromised ECU
Requirements for Smart CAN Cable's connectors
- To record only the frames sent by its own ECU, each connector must determine the direction of every frame: from the CAN bus, or from the ECU directly attached to it.
- Each connector scans its own ring buffer for the message when the IDS asks for it.
- No connector may lose any frame.
- No connector may delay any frame.
Smart CAN Cable
Structure of each connector (previous version)
[Figure: inside the connector, an ECU-side transceiver and a bus-side transceiver are joined by a repeater; a controller with a ring buffer sits between them]
Controller role:
- Record a hash value of each message from the ECU in its own ring buffer.
- Search its ring buffer for the hash value when the IPS sends one.
- Order the repeater to stop relaying any messages once it finds the hash value.
Smart CAN Cable
Structure of each connector (current version)
[Figure: inside the connector, the ECU's CANH and CANL lines pass through a sense resistor (R) on each line and a circuit breaker to the bus-side CANH/CANL; a Current Direction Detector across the sense resistors feeds a CANID Timing Filter, which drives an MCU with a ring buffer that controls the breaker; signal labels in the diagram: DIRM, DIRS, CANT, CANB]
We can identify the direction of a message from the voltage drop across a sense resistor.
Smart CAN Cable
Abstract of the electric circuit
[Figure: a bus terminated with 120 Ω at each end; the sender ECU and two receiver ECUs each hang on a stub with a 1 Ω sense resistor in each line; a receiving transceiver presents ∞ Ω; the sender drives 0 to 2 V]
The sense resistor of the sender ECU has a voltage drop; the sense resistor of a receiver ECU has no voltage drop.
Calculation:
Whole resistance seen by the sender
  R = 1 / ( 1/120 + 1/120 + 1/(1 + ∞ + 1) + 1/(1 + ∞ + 1) ) = 60 [Ω]
Voltage drop across the sender's sense resistor (VS) and across a receiver's (VR)
  VS = 1 / (1 + R + 1) × 2 [V] = 0.0323 [V]
  VR = 1 / (1 + ∞ + 1) × VA = 0 [V]
Voltage across the bus (VA)
  VA = R / (1 + R + 1) × 2 [V] = 60 / (1 + 60 + 1) × 2 = 1.94 [V]
Only while the ECU is sending does its sense resistor show a voltage drop.
Smart CAN Cable
Signal timing chart
- The sense resistor of the sender ECU shows a voltage drop while the ID is being sent, so the direction of the frame can be read from it.
- The sense resistor of a receiver ECU shows no voltage drop except during the ACK bit of the frame. The ACK bit lies outside the window of the CANID timing filter, so for a receiver the Signal Direction output always stays "Low".
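The following Python is an added example (not from the slides and not the authors' PoC code) that carries the circuit model of the previous slide through a whole frame: it reproduces the R = 60 Ω, VS ≈ 0.032 V and VA ≈ 1.94 V figures, builds a bit-level sense-voltage trace for a sender and for a receiver, including the receiver's own dominant pull-down in the ACK slot, and shows why the CANID timing filter is needed. The unstuffed standard data frame layout, the comparator threshold, the placeholder CRC bits and the two-receiver bus are assumptions made for the example.

```python
"""Sense-resistor direction detection with a CANID timing filter (added example)."""
from typing import List, NamedTuple, Tuple

R_TERM = 120.0   # each bus terminator [ohm]
R_SENSE = 1.0    # sense resistor in each ECU line, CANH and CANL [ohm]
V_DOM = 2.0      # differential voltage of a dominant bit [V]
INF = float("inf")


def bus_resistance(n_receivers: int) -> float:
    """Load seen by the sender: the two terminators in parallel with every receiver stub.
    A receiving transceiver is high impedance, so each stub (1 + inf + 1 ohm) draws nothing."""
    conductance = 2.0 / R_TERM + n_receivers * (1.0 / (R_SENSE + INF + R_SENSE))
    return 1.0 / conductance


def sense_drop(n_receivers: int) -> Tuple[float, float]:
    """(VS, VA): drop across one sense resistor of the sender, and across the bus."""
    r = bus_resistance(n_receivers)
    loop = R_SENSE + r + R_SENSE
    return R_SENSE / loop * V_DOM, r / loop * V_DOM


class Bit(NamedTuple):
    field: str
    value: int   # 0 = dominant, 1 = recessive


def frame_bits(can_id: int, data: bytes) -> List[Bit]:
    """Standard (11-bit ID) data frame, unstuffed; the CRC is a placeholder pattern."""
    bits = [Bit("SOF", 0)]
    bits += [Bit("ID", (can_id >> (10 - i)) & 1) for i in range(11)]
    bits += [Bit("RTR", 0), Bit("IDE", 0), Bit("R0", 0)]
    bits += [Bit("DLC", (len(data) >> (3 - i)) & 1) for i in range(4)]
    bits += [Bit("DATA", (b >> (7 - i)) & 1) for b in data for i in range(8)]
    bits += [Bit("CRC", i & 1) for i in range(15)]
    bits += [Bit("CRC_DEL", 1), Bit("ACK", 1), Bit("ACK_DEL", 1)] + [Bit("EOF", 1)] * 7
    return bits


def sense_trace(bits: List[Bit], is_sender: bool, n_receivers: int) -> List[float]:
    """Voltage across this node's sense resistor, one sample per bit.
    Current flows through the resistor only while this node itself drives a dominant level."""
    vs, _ = sense_drop(n_receivers)
    trace = []
    for b in bits:
        if b.field == "ACK":
            drives = not is_sender          # every receiver pulls the ACK slot dominant
        else:
            drives = is_sender and b.value == 0
        trace.append(vs if drives else 0.0)
    return trace


THRESHOLD = 0.01  # comparator level [V]: assumed, well below VS (~32 mV) and above noise


def direction_with_filter(bits: List[Bit], trace: List[float]) -> str:
    """CANID timing filter: only the SOF and ID bits are examined, so the ACK bit is ignored."""
    window = [v for b, v in zip(bits, trace) if b.field in ("SOF", "ID")]
    return "from_ecu" if max(window) > THRESHOLD else "from_bus"


def direction_without_filter(trace: List[float]) -> str:
    """The same comparator over the whole frame: a receiver's ACK pull-down is misread as sending."""
    return "from_ecu" if max(trace) > THRESHOLD else "from_bus"


if __name__ == "__main__":
    frame = frame_bits(0x123, b"\x01\x02")
    print("VS, VA =", sense_drop(2))
    print("sender  :", direction_with_filter(frame, sense_trace(frame, True, 2)))
    print("receiver:", direction_with_filter(frame, sense_trace(frame, False, 2)),
          "/ without filter:", direction_without_filter(sense_trace(frame, False, 2)))
```

Without the filter every receiver would be classified as a sender once per frame, which is exactly the false positive the timing window removes.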
Smart CAN Cable
Other implementations
- Blacklist: the set of CAN IDs that the ECU never receives.
- Whitelist: the set of CAN IDs that the ECU sends. A frame is illegal if the ECU sends it with a CAN ID that is not on the whitelist (for example, an ECU never sends the IDS's frames).
- Each connector holds its own blacklist and whitelist, tailored to the ECU directly attached to it.
- Each connector needs a minimal IDS function for the case where it finds an illegal frame by itself using its blacklist and whitelist.
- A configurator is also needed: an independent device on the CAN bus that maintains the blacklists and whitelists in all connectors.
- Smart CAN Cable works well alongside other security measures; an OEM can freely combine any security measures with Smart CAN Cable.
Smart CAN Cable
Potential vulnerabilities
- Smart CAN Cable lets illegal frames through until the IDS identifies them: at least the first illegal frame reaches every ECU (except when a connector catches the frame itself with its whitelist or blacklist).
- Smart CAN Cable's effectiveness depends on the IDS. We do not define any IDS specification, so Smart CAN Cable can work together with any IDS.
- Smart CAN Cable may cut off a healthy ECU if the IDS wrongly classifies a normal frame as illegal.
- The current implementation cannot distinguish the original frame from a replayed copy when they are sent one after the other. In that case two connectors hold the same message, and both cut off their own ECU at the same time when the IDS declares the frame illegal.
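The following Python is an added simulation (not the authors' PoC code) of the identification procedure from the walkthrough "Example: ECU2 sends an illegal frame", of the per-connector whitelist and blacklist handling from "Other implementations", and of the replay limitation stated on this slide. Each connector keeps a ring buffer of hashes of the frames its direction detector attributed to the attached ECU; the IDS broadcasts the hash of an illegal frame, and every connector holding that hash opens its breaker. The IDS rule, the CAN IDs, the whitelists, the blacklist and the frames are constructed for the demonstration, and the `delivered_to` list models the point that the first illegal frame has already reached the other ECUs before the IDS reacts.

```python
"""Simulation of the Smart CAN Cable identification procedure (added example)."""
import hashlib
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes

    def digest(self) -> bytes:
        # Connectors record a hash of the frame, not the frame itself.
        return hashlib.sha256(self.can_id.to_bytes(4, "big") + self.data).digest()


class Connector:
    """One connector per ECU: ring buffer, per-ECU lists, and a circuit breaker."""

    def __init__(self, ecu: str, whitelist: Iterable[int], blacklist: Iterable[int] = (), depth: int = 64):
        self.ecu, self.whitelist, self.blacklist = ecu, set(whitelist), set(blacklist)
        self.ring: deque = deque(maxlen=depth)   # hashes of frames sent by this ECU
        self.cut = False                         # True once the breaker has opened

    def on_transmit(self, frame: Frame) -> str:
        """A frame whose direction detector says it came from the attached ECU."""
        if self.cut:
            return "dropped"            # breaker open: nothing leaves the ECU
        self.ring.append(frame.digest())
        if frame.can_id not in self.whitelist:
            self.cut = True             # minimal local IDS: an ID this ECU never sends
            return "cut_local"
        return "forwarded"

    def deliver(self, frame: Frame) -> bool:
        """Bus -> ECU direction: blacklisted IDs (and a cut ECU) receive nothing."""
        return not self.cut and frame.can_id not in self.blacklist

    def on_query(self, digest: bytes) -> bool:
        """The IDS asks: is this hash in your ring buffer? If so, cut the ECU."""
        if digest in self.ring:
            self.cut = True
            return True
        return False


class SimpleIds:
    """Constructed IDS: flags implausible 0x300 values and an exact repeat of a recent frame."""

    def __init__(self, history: int = 8):
        self.recent: deque = deque(maxlen=history)

    def illegal(self, frame: Frame) -> bool:
        d = frame.digest()
        repeated = d in self.recent
        self.recent.append(d)
        return repeated or (frame.can_id == 0x300 and frame.data[0] > 0x7F)


class SmartCanCable:
    def __init__(self, connectors: List[Connector], ids: SimpleIds):
        self.connectors: Dict[str, Connector] = {c.ecu: c for c in connectors}
        self.ids = ids

    def transmit(self, sender: str, frame: Frame) -> Dict[str, object]:
        verdict = self.connectors[sender].on_transmit(frame)
        if verdict != "forwarded":
            return {"verdict": verdict, "delivered_to": [], "cut": []}
        # The frame is already on the bus: every ECU not blacklisting the ID receives it.
        delivered = [n for n, c in self.connectors.items() if n != sender and c.deliver(frame)]
        cut: List[str] = []
        if self.ids.illegal(frame):
            # The IDS broadcasts the hash; every connector scans its own ring buffer.
            cut = [n for n, c in self.connectors.items() if c.on_query(frame.digest())]
        return {"verdict": verdict, "delivered_to": delivered, "cut": cut}


def run_scenario() -> Dict[str, object]:
    cable = SmartCanCable(
        [Connector("ECU1", {0x100, 0x300}), Connector("ECU2", {0x200, 0x300}),
         Connector("ECU3", {0x300}), Connector("ECU4", {0x400}, blacklist={0x300})],
        SimpleIds())
    out: Dict[str, object] = {}
    out["legit"] = cable.transmit("ECU1", Frame(0x300, b"\x10"))        # normal frame
    out["implausible"] = cable.transmit("ECU2", Frame(0x300, b"\xff"))  # the ECU2 walkthrough
    out["replayed"] = cable.transmit("ECU3", Frame(0x300, b"\x10"))     # replay of ECU1's frame
    out["wrong_id"] = cable.transmit("ECU4", Frame(0x200, b"\x00"))     # whitelist violation
    out["after_cut"] = cable.transmit("ECU2", Frame(0x200, b"\x00"))    # breaker already open
    out["cut_state"] = {n: c.cut for n, c in cable.connectors.items()}
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

The `implausible` step isolates ECU2 alone, as in the walkthrough. The `replayed` step shows the limitation on this slide: ECU3's copy of ECU1's frame is hashed into ECU3's ring buffer while ECU1's ring buffer still holds the original, so the IDS query cuts both ECUs. The `wrong_id` step shows the one case where the frame never reaches the bus, because the connector's own whitelist catches it.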
Smart CAN Cable
Current status
- A PoC of Smart CAN Cable is under development.
- The Current Direction Detector is nearly complete.
- The software on the MCU is nearly complete.
- We are now focusing on building the CANID Timing Filter in an FPGA.
- It is expected to be complete by the end of this year.
Conclusion
- MSS for connected cars needs a security measure that identifies the compromised ECU.
- We explained how Smart CAN Cable detects and cuts off a compromised ECU.
- Smart CAN Cable can work with an IDS from any vendor, and its effectiveness depends on that IDS.
- We introduced related studies (MAC, IA-CAN) and explained how they differ from Smart CAN Cable.
- Smart CAN Cable can be combined with any other security measures on the in-vehicle network, such as IDS, MAC and IA-CAN.
Thank you. Any questions?
LAC Co., Ltd.
Hirakawacho Mori Tower, 2-16-1 Hirakawacho, Chiyoda-ku, Tokyo 102-0093
Tel 03-6757-0113 Fax 03-6757-0193
sales@lac.co.jp
www.lac.co.jp
* This document is based on information current as of October 2018; its contents may change without notice.
* The figures in this document are illustrative images prepared for the document and may differ from the actual product.
* LAC, ラック, JSOC and Cyber Emergency Center (サイバー救急センター) are registered trademarks of LAC Co., Ltd.
* Other company and product names mentioned are generally trademarks or registered trademarks of their respective owners.
