



or how we implemented a broken protocol and can we fix it?

Stefano Longari, Politecnico di Milano

### $whoami

Researcher @ Polimi

Research Focus on Security of:

- Cyber-Physical Systems
- Transportation Systems
- Industry 4.0

Lecturer / Teaching assistant of:

- Social Engineering
- Computer Security



#### **Automotive Attacks**

Wired, Andy Greenberg (Security, 08.01.16): "The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse". Pictured: security researchers Charlie Miller and Chris Valasek (photo: Whitney Curtis for Wired).

#### Why is it relevant?

# **Security Risk** = (Threats x Vulnerabilities) x Assets

- Threats: independent
- Vulnerabilities: controllable



#### The automotive ecosystem



#### On-Board Networks



- 1980's protocol
- Developed with focus on safety
- Baud rate of 1 Mbps max
- Multi-master bus topology

#### Data-Link and physical layers





CAN Data Frames:

- IDs are "owned" by an ECU
- Most packets are periodic
- Payload depends on the ID

| SOF | 11-bit Identifier | RTR | IDE | r0 | DLC | 0-8 Bytes Data | CRC | ACK | EOF | IFS |
|-----|-------------------|-----|-----|----|-----|----------------|-----|-----|-----|-----|

```
ID data ...
                                  < cansniffer can0 #
 .000000 EXT 0x02214000
                     00 28 00 00 00 00
                     00 00 00 00 02 00 00 00
                     00 81 90 41 00 00 00 00 ...A....
          0x04214006
                     01 01 00 00 40 00 00 00 ....@...
                    29 04 48 00 00 3A 0B 00 ).H..:..
                    00 05 01 00 80 00 00 00 ......
 .000000 EXT 0x06254000
 .000000 EXT 0x06314000
                     40 00 00 00 00 00 00 00 00 0......
 .000000 EXT 0x06314003 20 10 70 00 02 08 00 00
                     04 00 00 00 10 00 00 00 ......
                     00 00 00 00 00 00 00 84 ......
                     84 4C 00 00
 .000000 EXT 0x063D4000
                           48 78 00 00 00 00 . Hx....
0.000000 EXT 0x08194003 C0
                     0A 80 00 00 00
 .000000 EXT 0x0A094005 00 58 6C
                                           .xl
                     E3 00 00 00 02 00
                     00 00 00 00 00 00 80
                     55 2A 4D 46 80 00 00 00 U*MF....
0.000000 EXT 0x0C014003 05 51 D2 E9 88 EC 00 00 .0.....
16 56 14 07 20 19
 .000000 EXT 0x0C2D4003  1F 72 82 00 00 00 00 00 .r.....
```

# What's the idea? (CAN is broken pt.1)



#### What about countermeasures?



Industrial secret, however we can make an educated guess at some methods

- Frequency based
  - CAN messages are usually <u>periodic</u>
- Specification based
  - Focus on protocol specifications / physical characteristics
- Payload based
  - Evaluate the content of the data field of the packet
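As an added example (not part of the talk, and not the code of any IDS it refers to), the following Python script shows what a frequency-based and a specification-based check look like when run over SocketCAN candump-style log lines. The `(timestamp) interface ID#DATA` log format is assumed, the trace is constructed inline, and the names `learn_periods`, `frequency_alerts` and `specification_violations` are this example's own: it learns each ID's nominal period from a clean trace, then flags a frame that arrives much earlier than expected and a frame whose payload exceeds the 8-byte limit.

```python
import re
import statistics
from collections import defaultdict

# candump-style log line, e.g. "(0.010000) can0 0C2#0000" (format assumed; all lines below are constructed)
CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump_line(line):
    """Return timestamp, CAN ID, extended-ID flag and payload bytes of one log line."""
    m = CANDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    id_hex = m.group("id")
    return {
        "ts": float(m.group("ts")),
        "id": int(id_hex, 16),
        "extended": len(id_hex) > 3,  # candump prints 3 hex digits for 11-bit IDs, 8 for 29-bit IDs
        "data": bytes.fromhex(m.group("data")),
    }


def specification_violations(frame):
    """Specification-based check: ID inside its address space, payload at most 8 bytes."""
    problems = []
    limit = 0x1FFFFFFF if frame["extended"] else 0x7FF
    if frame["id"] > limit:
        problems.append("id-out-of-range")
    if len(frame["data"]) > 8:
        problems.append("dlc-too-large")
    return problems


def learn_periods(frames):
    """Frequency-based baseline: median inter-arrival time per ID, learned from a clean trace."""
    arrivals = defaultdict(list)
    for f in sorted(frames, key=lambda f: f["ts"]):
        arrivals[f["id"]].append(f["ts"])
    periods = {}
    for cid, ts in arrivals.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2:
            periods[cid] = statistics.median(gaps)
    return periods


def frequency_alerts(frames, periods, tolerance=0.5):
    """Flag a frame that follows the previous frame with the same ID sooner than tolerance * period."""
    last_seen, alerts = {}, []
    for f in sorted(frames, key=lambda f: f["ts"]):
        cid = f["id"]
        if cid in last_seen and cid in periods:
            gap = f["ts"] - last_seen[cid]
            if gap < periods[cid] * tolerance:
                alerts.append((f["ts"], cid, round(gap, 6)))
        last_seen[cid] = f["ts"]
    return alerts


def make_trace(n, period, cid, payload, start=0.0):
    """Constructed periodic trace in candump format (sample data, not a real capture)."""
    return [f"({start + i * period:.6f}) can0 {cid:03X}#{payload}" for i in range(n)]


TRAINING_LINES = make_trace(20, 0.010, 0x0C2, "0000") + make_trace(10, 0.020, 0x1A0, "FF")
MONITOR_LINES = (
    make_trace(20, 0.010, 0x0C2, "0000")
    + make_trace(10, 0.020, 0x1A0, "FF")
    + ["(0.103000) can0 0C2#DEAD"]                # extra frame 3 ms after a legitimate one
    + ["(0.250000) can0 0C2#0102030405060708AA"]  # 9-byte payload: not a valid classic CAN frame
)


def analyse(training_lines, monitor_lines):
    """Learn the baseline from training_lines and run both checks over monitor_lines."""
    training = [parse_candump_line(l) for l in training_lines]
    monitored = [parse_candump_line(l) for l in monitor_lines]
    periods = learn_periods(training)
    spec = [(f["ts"], f["id"], specification_violations(f))
            for f in monitored if specification_violations(f)]
    return {"periods": periods, "frequency": frequency_alerts(monitored, periods), "specification": spec}


if __name__ == "__main__":
    result = analyse(TRAINING_LINES, MONITOR_LINES)
    for cid, p in result["periods"].items():
        print(f"ID 0x{cid:03X}: nominal period {p * 1000:.1f} ms")
    for ts, cid, gap in result["frequency"]:
        print(f"t={ts:.3f}s ID 0x{cid:03X} arrived {gap * 1000:.1f} ms after the previous one: frequency anomaly")
    for ts, cid, problems in result["specification"]:
        print(f"t={ts:.3f}s ID 0x{cid:03X}: {', '.join(problems)}")
```

Both checks catch an injected extra frame and a malformed one, which is exactly the limitation the talk goes on to discuss: an attacker who replaces a real frame in place keeps the period and the field layout, so neither check fires on it.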

#### Now, can we evade them?



- Specification based: Comply with the rules
- Frequency based: Comply with the frequency

What if we manipulate/substitute a real frame?



### But... how? (CAN is broken pt.2)

What if CAN **embeds** a way to let us do it?

**CAN Physical Layer** 



#### **CAN Arbitration Protocol**



#### CAN Bit Stuffing & Error Frames

|          | Arbitration | Control   | Data      | Error Flag  |
|----------|-------------|-----------|-----------|-------------|
| Victim   | 0 1 0 0     | 0 1 1 0 1 | 0 0 1 0   | 0 0 0 0 0 0 |
| Attacker | 0 1 0 0     | 0 1 1 0 1 | 0 0 **0** |             |

The attacker drives a dominant 0 (bold) where the victim transmits a recessive 1; the victim detects a bit error and sends an error flag.

Any error-active node can send an active error flag ("000000").

Error state diagram (only the labels survived extraction): ERROR ACTIVE is the initial state, entered on reset or while the error counters are < 128; error passive (counter >= 128) and bus off (TEC >= 256) follow from rules 9 and 10 in the protocol rules below.





How do we substitute a frame?

1. Discover the ID of the victim, e.g., <u>reverse engineer</u> the CAN IDs of an identical vehicle
2. <u>Detect</u> the ID of the victim on the bus, e.g., read all IDs passing on the bus
3. Find a "1" (recessive) bit in the packet: the CRC delimiter is "1" by design
4. Overwrite it with a 0: this triggers an <u>error</u> generated by the victim, and this kind of error adds +8 to the counter of the victim
5. Repeat 32 consecutive times (32 x 8 = 256, the bus-off threshold)



### Proof of Concept Implementation

Palanca, A., Evenchick, E., Maggi, F., & Zanero, S. (2017, July). A stealth, selective, link-layer denial-of-service attack against automotive networks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 185-206). Springer, Cham.

### Alfa Giulietta Exploited

https://is.gd/candos

#### Attack scenarios

- Denial of Service for the sake of Denial of Service, e.g. Ransomware
- Detection avoidance for spoofing attacks:
  - Shut down the victim ECU
  - Send spoofed data



### Can we do this attack from remote?



# In reality it looks more like this:

# CAN is broken pt.3: CAN-instrumented ECUs have other peripherals

| Microcontroller      | Vendor              | # CAN<br>Devices | Conflicts                 |
|----------------------|---------------------|------------------|---------------------------|
| V850ES/JC3-H         | Renesas             | 1                | UART, I2C, GPIO           |
| MPC5554              | NXP                 | 3                | SPI, GPIO                 |
| AT90CAN32            | Atmel               | 1                | Timer, GPIO               |
| SPC564A80B4          | ST Microelectronics | 3                | SPI, eSCI, GPIO           |
| C8051F50x            | Silicon Labs        | 1                | SPI, I2C, LIN, GPIO       |
| <b>AURIX TC399XP</b> | Infineon            | 4                | SPI, UART, I2C, ADC, GPIO |
| STM32L562            | ST Microelectronics | 1                | SPI, UART, I2C, GPIO      |

## Introducing Polyglot Frames

CAN Frames that are composed of a sequence of "smaller" \*\*\* Frames





## SPI



| Name              | Description                                                                           |
|-------------------|---------------------------------------------------------------------------------------|
| CS                | Chip select line used by the primary to select which secondary to communicate with.   |
| CLK               | Clock signal generated by the primary and sets the bit timing of the communication.   |
| CIPO <sup>2</sup> | Data from secondary to primary.                                                       |
| COPI <sup>2</sup> | Data from primary to secondary.                                                       |

### **UART**



| Name              | Description                                                               |
|-------------------|---------------------------------------------------------------------------|
| Start Bit         | Always set to 0.                                                          |
| <b>Data Frame</b> | Payload can be from 5 to 9 bits long.                                     |
| <b>Parity Bit</b> | Optional, used for error detection.                                       |
| Stop Bit(s)       | One or two consecutive logical 1s, depending on peripheral configuration. |

### **I2C**

| Name                   | Description                                                                                                                      |
|------------------------|----------------------------------------------------------------------------------------------------------------------------------|
| <b>Start Condition</b> | The SDA line is pulled low while SCL is high to indicate the beginning of communication.                                         |
| Payload                | 8 controllable bits on the SDA line, both for address and data frames.                                                           |
| ACK Slot               | The SDA line is held high by the primary, and the secondary is expected to pull low (0) the clock for a positive acknowledgment. |
| <b>Stop Condition</b>  | The SDA line is pulled high while SCL is high to indicate the end of communication.                                              |

# CAN we implement "bus off" attacks?

Yes, with limitations ...

| Peripheral  | LPC11C24 W | LPC11C24 R | STM32L562 W | STM32L562 R | TC399XP W | TC399XP R |
|-------------|------------|------------|-------------|-------------|-----------|-----------|
| Bitbanging  | 200 kb/s   | 120 kb/s   | 1 Mb/s      | 500 kb/s    | 1 Mb/s    | 1 Mb/s    |
| SPI         | 1 Mb/s     | 1 Mb/s     | 1 Mb/s      | 1 Mb/s      | 1 Mb/s    | 1 Mb/s    |
| <b>UART</b> | 1 Mb/s     | 1 Mb/s     | 1 Mb/s      | 1 Mb/s      | 1 Mb/s    | 1 Mb/s    |
| I2C         | 200 kb/s   | -          | 100 kb/s    | -           | n.a.      | -         |
| ADC         | -          | <50 kb/s   | -           | 300 kb/s    | -         | 1 Mb/s    |

(W = write, R = read: the maximum CAN bit rate reachable with each peripheral on each platform.)

## CAN we send full CAN Messages?

Yes, with limitations ...



# Other ways...



Kulandaivel, Sekar, et al. "Cannon: Reliable and stealthy remote shutdown attacks via unaltered automotive microcontrollers." 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 2021.

de Faveri Tron, A., Longari, S., Carminati, M., Polino, M., & Zanero, S. (2022, November). CANflict: Exploiting Peripheral Conflicts for Data-Link Layer Attacks on Automotive Networks. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 711-723).

# Finally, can we do something about it?

- Frequency based <- Useless
  - CAN messages are usually <u>periodic</u>
- Specification based <- Depends on which specification
  - Focus on protocol specifications / physical characteristics
- Payload based <- May be capable, but harder
  - Evaluate the content of the data field of the packet

# Finally, can we do something about it?

- We can read data from the bus
- We can detect the attacker once they try to spoof data after the DoS



## Let's see what the protocol says

#### List of rules that change the counters:

1. When a RECEIVER detects an error, the RECEIVE ERROR COUNT will be increased by 1, except when the detected error was a BIT ERROR during the sending of an ACTIVE ERROR FLAG or an OVERLOAD FLAG.
2. When a RECEIVER detects a 'dominant' bit as the first bit after sending an ERROR FLAG the RECEIVE ERROR COUNT will be increased by 8.
3. When a TRANSMITTER sends an ERROR FLAG the TRANSMIT ERROR COUNT is increased by 8.

#### Exception 1:

If the TRANSMITTER is 'error passive' and detects an ACKNOWLEDGMENT ERROR because of not detecting a 'dominant' ACK and does not detect a 'dominant' bit while sending its PASSIVE ERROR FLAG.

#### Exception 2:

If the TRANSMITTER sends an ERROR FLAG because a STUFF ERROR occurred during ARBITRATION, and should have been 'recessive', and has been sent as 'recessive' but monitored as 'dominant'.

In exceptions 1 and 2 the TRANSMIT ERROR COUNT is not changed.

4. If a TRANSMITTER detects a BIT ERROR while sending an ACTIVE ERROR FLAG or an OVERLOAD FLAG the TRANSMIT ERROR COUNT is increased by 8.
5. If a RECEIVER detects a BIT ERROR while sending an ACTIVE ERROR FLAG or an OVERLOAD FLAG the RECEIVE ERROR COUNT is increased by 8.
6. Any node tolerates up to 7 consecutive 'dominant' bits after sending an ACTIVE ERROR FLAG, PASSIVE ERROR FLAG or OVERLOAD FLAG. After detecting the 14th consecutive 'dominant' bit (in case of an ACTIVE ERROR FLAG or an OVERLOAD FLAG) or after detecting the 8th consecutive 'dominant' bit following a PASSIVE ERROR FLAG, and after each sequence of additional eight consecutive 'dominant' bits every TRANSMITTER increases its TRANSMIT ERROR COUNT by 8 and every RECEIVER increases its RECEIVE ERROR COUNT by 8.
7. After the successful transmission of a message (getting ACK and no error until END OF FRAME is finished) the TRANSMIT ERROR COUNT is decreased by 1 unless it was already 0.
8. After the successful reception of a message (reception without error up to the ACK SLOT and the successful sending of the ACK bit), the RECEIVE ERROR COUNT is decreased by 1, if it was between 1 and 127. If the RECEIVE ERROR COUNT was 0, it stays 0, and if it was greater than 127, then it will be set to a value between 119 and 127.
9. A node is 'error passive' when the TRANSMIT ERROR COUNT equals or exceeds 128, or when the RECEIVE ERROR COUNT equals or exceeds 128. An error condition letting a node become 'error passive' causes the node to send an ACTIVE ERROR FLAG.
10. A node is 'bus off' when the TRANSMIT ERROR COUNT is greater than or equal to 256.
11. An 'error passive' node becomes 'error active' again when both the TRANSMIT ERROR COUNT and the RECEIVE ERROR COUNT are less than or equal to 127.
12. A node which is 'bus off' is permitted to become 'error active' (no longer 'bus off') with its error counters both set to 0 after 128 occurrences of 11 consecutive 'recessive' bits have been monitored on the bus.

## We only need part of these


#### Rule 6

Cannot let the attacker <u>bypass</u> the whole IDS, so we always consider <u>case 1</u>



## Our new CAN Controller



## The whole process

1. Define which ECUs/IDs to defend
2. Monitor the bus from the beginning of communication
3. Count the TEC (Transmit Error Counter) of each ECU
4. Detect when the ECU goes Bus Off
5. If the ECU writes on the bus again, flag as attack.
6. React?
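As an added example (not the CopyCAN code base, and not the talk's own material), here is a Python model of the counter rules quoted above (rules 1, 2, 3, 7, 8, 9, 10, 11 and 12; exceptions 1 and 2 and rule 6 are left out) combined with steps 1 to 5 of the process: the monitor replicates the TEC of each defended ID from what it sees on the bus, notes the transition to bus off, and flags any later frame carrying that ID. The event names `tx_ok`, `tx_error` and `idle` are this example's own abstraction of what a bus monitor observes; that the ECU auto-recovers after 128 idle sequences, and the value 127 used for the rule 8 reset, are assumptions labelled in the code.

```python
from dataclasses import dataclass

# Thresholds taken from rules 9, 10 and 12 quoted above.
ERROR_PASSIVE_LIMIT = 128
BUS_OFF_LIMIT = 256
RECOVERY_SEQUENCES = 128   # 128 occurrences of 11 consecutive recessive bits


@dataclass
class NodeErrorState:
    """Replica of one ECU's error counters, updated only from events observed on the bus."""
    tec: int = 0
    rec: int = 0
    bus_off: bool = False
    recovery_seen: int = 0

    @property
    def state(self):
        if self.bus_off:
            return "bus off"
        if self.tec >= ERROR_PASSIVE_LIMIT or self.rec >= ERROR_PASSIVE_LIMIT:
            return "error passive"        # rule 9; rule 11 is the reverse transition
        return "error active"

    def transmit_ok(self):
        if self.tec > 0:                  # rule 7
            self.tec -= 1

    def transmit_error_flag(self):
        self.tec += 8                     # rule 3 (exceptions 1 and 2 are not modelled)
        if self.tec >= BUS_OFF_LIMIT:     # rule 10
            self.bus_off = True

    def receive_ok(self):
        if 1 <= self.rec <= 127:          # rule 8
            self.rec -= 1
        elif self.rec > 127:
            self.rec = 127                # rule 8 says "between 119 and 127"; 127 is an assumption

    def receive_error(self, dominant_after_flag=False):
        self.rec += 1                     # rule 1
        if dominant_after_flag:
            self.rec += 8                 # rule 2

    def idle_sequence_observed(self):
        """One run of 11 recessive bits seen on the bus (rule 12; assumes the ECU auto-recovers)."""
        if self.bus_off:
            self.recovery_seen += 1
            if self.recovery_seen >= RECOVERY_SEQUENCES:
                self.bus_off, self.tec, self.rec, self.recovery_seen = False, 0, 0, 0


class CopyCanMonitor:
    """Steps 1-5 of the process: replicate the TEC of the defended IDs and flag a frame
    sent under an ID whose legitimate owner must be bus off."""

    def __init__(self, defended_ids):
        self.nodes = {cid: NodeErrorState() for cid in defended_ids}   # step 1
        self.transitions = []   # step 4: (event, id) records
        self.alerts = []        # step 5: (event, id) records

    def on_event(self, event, can_id=None):
        # Event vocabulary of this example (not a CAN controller API):
        #   "tx_ok"    a frame with can_id completed successfully
        #   "tx_error" an error flag interrupted a frame with can_id
        #   "idle"     11 consecutive recessive bits were observed
        if event == "idle":
            for node in self.nodes.values():
                node.idle_sequence_observed()
            return
        node = self.nodes.get(can_id)
        if node is None:
            return                        # not a defended ID
        if event == "tx_ok":
            if node.bus_off:
                # The owner cannot transmit while bus off, so someone else is using its ID.
                self.alerts.append(("spoofed-id-after-bus-off", can_id))
            else:
                node.transmit_ok()        # steps 2-3: keep the replicated TEC in sync
        elif event == "tx_error" and not node.bus_off:
            node.transmit_error_flag()
            if node.bus_off:
                self.transitions.append(("bus-off", can_id))


def run_scenario():
    """Constructed scenario: 5 good frames, 32 error flags (32 x 8 = 256), a frame under the
    victim's ID while it is bus off, rule-12 recovery, then a legitimate frame again."""
    mon = CopyCanMonitor([0x0C2])
    for _ in range(5):
        mon.on_event("tx_ok", 0x0C2)
    for _ in range(32):
        mon.on_event("tx_error", 0x0C2)
    mon.on_event("tx_ok", 0x0C2)          # flagged: owner of 0x0C2 is bus off
    for _ in range(RECOVERY_SEQUENCES):
        mon.on_event("idle")
    mon.on_event("tx_ok", 0x0C2)          # accepted: owner has recovered
    return mon


if __name__ == "__main__":
    mon = run_scenario()
    print("transitions:", mon.transitions)
    print("alerts:", mon.alerts)
    print("final state of 0x0C2:", mon.nodes[0x0C2].state, "TEC =", mon.nodes[0x0C2].tec)
```

The monitor never needs to see the attacker's dominant bits themselves: replicating the counters from the error flags on the bus is enough to know when the defended ECU must be silent, which is what makes a frame under its ID after that point detectable even though it complies with both period and format.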

Longari, S., Penco, M., Carminati, M., & Zanero, S. CopyCAN: An Error-Handling Protocol based Intrusion Detection System for Controller Area Network. CPS-SPC 2019 (ACM Workshop on Cyber-Physical Systems Security & Privacy).

#### Other solutions?

#### NXP's Secure transceiver



# Thanks!

For any questions:



