vatiCAN

Vetted, authenticated CAN bus communication library

A secure CAN bus communication library

vatiCAN, short for vetted, authenticated CAN bus, is a software library designed as a software-only, drop-in replacement for the CAN communication layer of the electronic control units (ECUs) in cars.

Status Quo

In recent years, several attacks have demonstrated that the software running on embedded controllers in cars can be exploited, often even remotely. Components that were hitherto purely mechanical, such as the linkages to the brakes, throttle, and steering wheel, are now computerized, which makes such exploits life-threatening. Because sensors, controllers and actuators are interconnected over a shared bus, any compromised controller can impersonate any other controller by mimicking its control messages, effectively depriving the driver of control.

Because carmakers develop vehicles in evolutionary steps rather than as a revolution, we propose a backward-compatible authentication mechanism for the widely used CAN vehicle communication bus. VatiCAN allows recipients of a message to verify its authenticity via HMACs, while leaving CAN messages unchanged for legacy, non-critical components.

Library

#include <mcp_can.h>   // driver for the MCP2515 CAN controller used in this sketch
                       // (plus the header shipped with vatiCAN, which declares SecureCAN)

MCP_CAN can(9);        // CAN controller with chip select on pin 9

SecureCAN secure("swordfish", can, CAN_500KBPS); // shared secret (if longer than 16 chars it is hashed), CAN driver, bus speed

void MsgReceived(CANSENDER sender, bool secureSender, uint8_t* payload, bool authenticated);
// MsgError is the error handler registered below; it must be defined with the
// signature the library expects (not shown on this page).

void setup()
{
	// IDs whose frames must carry a valid HMAC; frames with any other ID are delivered unauthenticated
	secure.AddSecureSender(0x300);
	secure.AddSecureSender(0x304);

	secure.RegisterMsgCallback(&MsgReceived);
	secure.RegisterErrorHandler(&MsgError);
}

void MsgReceived(CANSENDER sender, bool secureSender, uint8_t* payload, bool authenticated)
{
	if (secureSender && authenticated)
	{
		// secure message whose HMAC was verified by vatiCAN: safe to act on
	}
	else if (secureSender)
	{
		// claims a secure sender ID but was not authenticated: treat as spoofed, do not act on it
	}
	// otherwise: legacy message from a non-secure sender, no authentication available
}

void loop()
{
	...
}

Block diagram of how the library works:

Figure: Block diagram of vatiCAN

Download

Due to an implementation bug, the current version is being revised and will be put back online soon.

How it works

Nodes on a CAN network exchange so-called frames. Every frame put on the bus is received by all members connected to that bus at the same time, i.e. CAN is a broadcast medium.

Figure: CAN bus frame

Each electronic control unit (ECU) in a car is connected to one or more CAN buses.

Figure: CAN bus connecting ECUs

Normally, the messages the ECUs exchange are neither authenticated nor encrypted, so any node on the bus can forge them. This lets an attacker who controls one ECU impersonate another, e.g. send commands to the brakes or the steering.

VatiCAN authenticates messages by computing a keyed message authentication code (HMAC) over each message. This protects both integrity and authenticity: a receiver that recomputes the HMAC under the shared key detects any alteration of the message, and only a node holding that secret key can produce a valid tag. A legacy component that does not know the key simply keeps reading the unchanged data frame.

Figure: Sequence diagram of HMAC'ed messages
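The following Python example is added here to illustrate the scheme described above; it is not vatiCAN's own code and does not reproduce its wire format. It assumes that the data frame stays exactly as a legacy ECU expects it, that the tag is delivered in a companion frame on an otherwise unused identifier (here id + 0x100), that a 32-bit counter is included in the MAC'd data so that a captured authentic frame cannot simply be replayed (an HMAC by itself gives no freshness), and that the tag is truncated to 32 bits so counter and tag fit one 8-byte CAN payload. Key, identifiers and the bus trace are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Illustrative example only: not vatiCAN's implementation or wire format.
# Assumptions: the data frame is sent unchanged (legacy receivers keep working),
# the tag travels in a companion frame on id + AUTH_ID_OFFSET, and a 32-bit
# counter is MAC'd together with id and payload so replays are detectable.

KEY = b"swordfish"        # shared secret, constructed for this example
TAG_LEN = 4               # truncated HMAC: 4-byte counter + 4-byte tag = 8-byte CAN payload
AUTH_ID_OFFSET = 0x100    # companion identifier; must be unused on the real bus


def auth_tag(key, can_id, counter, payload):
    """HMAC-SHA256 over id || counter || payload, truncated to TAG_LEN bytes."""
    msg = struct.pack(">HI", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class Sender:
    def __init__(self, key, can_id):
        self.key, self.can_id, self.counter = key, can_id, 0

    def send(self, payload):
        """Return the two frames put on the bus: the unchanged data frame and
        the authentication frame carrying counter and tag."""
        assert len(payload) <= 8
        self.counter += 1              # never reuse a counter value under the same key
        tag = auth_tag(self.key, self.can_id, self.counter, payload)
        data_frame = (self.can_id, payload)
        auth_frame = (self.can_id + AUTH_ID_OFFSET, struct.pack(">I", self.counter) + tag)
        return data_frame, auth_frame


class Receiver:
    def __init__(self, key, secure_ids):
        self.key = key
        self.secure_ids = set(secure_ids)          # like AddSecureSender() above
        self.last_counter = {i: 0 for i in secure_ids}
        self.pending = {}                          # data frame waiting for its tag

    def on_frame(self, can_id, data):
        """Feed every frame seen on the bus. Returns None while a secure frame
        waits for its tag, otherwise (verdict, id, payload) with verdict one of
        'authenticated', 'rejected' or 'legacy'."""
        if can_id in self.secure_ids:
            self.pending[can_id] = data
            return None
        base = can_id - AUTH_ID_OFFSET
        if base not in self.secure_ids:
            return ("legacy", can_id, data)        # non-critical id: passed through unauthenticated
        payload = self.pending.pop(base, None)
        if payload is None:
            return ("rejected", base, b"")         # tag without a preceding data frame
        if len(data) != 4 + TAG_LEN:
            return ("rejected", base, payload)     # malformed authentication frame
        counter = struct.unpack(">I", data[:4])[0]
        if counter <= self.last_counter[base]:
            return ("rejected", base, payload)     # replay of an old counter value
        expected = auth_tag(self.key, base, counter, payload)
        if not hmac.compare_digest(expected, data[4:]):
            return ("rejected", base, payload)     # forged or tampered frame
        self.last_counter[base] = counter
        return ("authenticated", base, payload)


def demo_hmac():
    """Constructed scenario: an authentic brake frame, the same two frames
    replayed verbatim, a forgery by an attacker without the key, and a legacy frame."""
    tx = Sender(KEY, 0x300)
    rx = Receiver(KEY, [0x300, 0x304])
    verdicts = []
    authentic = tx.send(b"\x01\x00")
    forged = ((0x300, b"\xff\x00"),
              (0x300 + AUTH_ID_OFFSET, struct.pack(">I", 99) + b"\x00" * TAG_LEN))
    for frames in (authentic, authentic, forged):
        for frame in frames:
            verdict = rx.on_frame(*frame)
            if verdict:
                verdicts.append(verdict[0])
    verdicts.append(rx.on_frame(0x100, b"\x10")[0])
    return verdicts   # ['authenticated', 'rejected', 'rejected', 'legacy']
```

Truncating the tag to 32 bits is a bandwidth trade-off: a forger succeeds with probability 2^-32 per attempt, which is acceptable on a bus where every failed attempt is visible, but the counter must never wrap under the same key, and the companion identifier must not collide with any identifier already in use on the vehicle.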

Spoofing Prevention

Spoof detection, that is, recognising frames that claim to originate from a node itself but were in fact sent by an attacker, can be done in software by monitoring the bus. In addition, vatiCAN supports preventing such spoofed frames of its own identifiers from being accepted at all, by exploiting how frames are arbitrated and checked on the bus.

In Software

We leverage the fact that CAN is a bus-oriented network: every component receives the frames of all other components on the bus. A component that monitors the bus can therefore identify spoofed frames by watching for frames that carry its own sender identification. If a component sees a frame with its own sender ID that it did not transmit itself, that frame must be spoofed.
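The monitoring rule above, as an added Python example (not vatiCAN's implementation). It assumes the node also sees its own frames on the bus, so a frame with one of its identifiers is only flagged when it does not match something the node itself queued for transmission; the identifiers and the bus trace are constructed for the demo.

```python
from collections import Counter

# Illustrative example only, not vatiCAN's implementation: an ECU watches the
# bus for frames that carry one of its own identifiers and flags any it did
# not transmit itself. Frames we transmit are seen back on the bus as well, so
# they are matched against what we queued rather than flagged.


class SpoofMonitor:
    def __init__(self, own_ids):
        self.own_ids = set(own_ids)
        self.in_flight = Counter()   # (id, payload) -> copies we queued but have not yet seen

    def transmit(self, can_id, payload):
        """Record one of our own frames at the moment it is handed to the CAN driver."""
        assert can_id in self.own_ids, "only our own ids are recorded"
        self.in_flight[(can_id, payload)] += 1

    def observe(self, can_id, payload):
        """Classify a frame seen on the bus: 'other' for foreign ids, 'own' for a
        frame we queued ourselves, 'spoofed' for our id with a frame we never sent."""
        if can_id not in self.own_ids:
            return "other"
        key = (can_id, payload)
        if self.in_flight[key] > 0:
            self.in_flight[key] -= 1
            return "own"
        return "spoofed"


def demo_spoof_monitor():
    """Constructed bus trace: our own frames seen back on the bus, a foreign
    frame, and an attacker's frame carrying our identifier 0x300."""
    mon = SpoofMonitor([0x300, 0x304])
    mon.transmit(0x300, b"\x01")
    mon.transmit(0x304, b"\x02")
    bus_trace = [
        (0x300, b"\x01"),   # our own frame, observed on the bus
        (0x120, b"\x55"),   # some other ECU
        (0x300, b"\xff"),   # attacker impersonating us
        (0x304, b"\x02"),   # our own second identifier
    ]
    return [mon.observe(i, p) for i, p in bus_trace]   # ['own', 'other', 'spoofed', 'own']
```

Matching on (id, payload) rather than on id alone is what keeps the node's own frames from being reported; a bookkeeping counter per frame instead of a FIFO avoids assuming the controller transmits queued frames strictly in order.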

In Hardware

Alternatively, a detected spoofed frame can be dropped while it is still on the bus by deliberately destroying its CRC checksum. In a CAN frame the identifier, which is what receivers use to tell which ECU a message comes from, is transmitted first and is processed bit by bit by all nodes during arbitration, whereas the CRC field comes near the end of the frame. A node that sees its own identifier go by while it is not transmitting can therefore decide early that the frame is spoofed and overwrite the CRC bits with dominant bits (e.g. all zeros) before the frame ends. Since a dominant bit always wins on the bus, the CRC check fails at every receiver and the frame is discarded.

Figure: Spoofing prevention
