
Security enhancing CAN transceivers. Bernd Elend, Principal Engineer (slide deck)



  1. Security enhancing CAN transceivers. Bernd Elend, Principal Engineer, March 8th, 2017

  2. Introduction: SECURITY REQUIRES A LAYERED APPROACH. NXP’s “4 + 1 Layer approach” for vehicle cyber security: multiple security techniques at different levels (“defense-in-depth”) mitigate the risk of one component of the defense being compromised or circumvented. (Figure: the four numbered layers, 1 to 4.)

  3. Security enhancing CAN transceivers. How can a CAN transceiver contribute to the cyber security of a vehicle?

  4. Security enhancing CAN transceivers. In a CAN network, node A wants to send data to node B. (Figure: Node A, Node B.)

  5. Security enhancing CAN transceivers. … and also other nodes are present. (Figure: nodes A to H on the bus.)

  6. Security enhancing CAN transceivers. … let us focus only on A, B and E for simplicity. (Figure: Node A, Node B, Node E.)

  7. Security enhancing CAN transceivers. … and see what kind of other connections E might have. (Figure: Node E with a USB connection.)

  8. Security enhancing CAN transceivers. … all of them do offer an attack surface. (Figure: attack surface around Node E and its USB connection.)

  9. Security enhancing CAN transceivers. … finally the hacker succeeds in overcoming the security measures. (Figure: Node E compromised.)

  10. Security enhancing CAN transceivers. … node E now pretends to be node A: spoofing attack! (Figure: Node E and Node A both transmitting ID = 0x123 towards Node B.)

  11. Security enhancing CAN transceivers. Node B is now in a dilemma. Which message is the correct one? Both have the same CAN ID but different data. B does not know who the sender of which message is.

  12. Security enhancing CAN transceivers. 1st Solution: Transmission whitelist. The transceiver of Node E allows sending only CAN or CAN FD messages with an ID that is stored in a whitelist in the transceiver. Implications: the message occurs once on the bus and is invalidated in the end-of-frame field; after that node E is excluded by the transceiver from any further communication. Benefits: only one error flag on the bus; this method can also be used to protect against flooding attacks that would lead to a denial of service, by limiting the transmitted bus load. Drawback: does not help in case node E is not under control of the OEM, e.g. an aftermarket device.
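The transmit-path behaviour of slide 12, modelled as an added example that is not part of the slide deck and not NXP's code: a whitelist of CAN IDs the node may send, a lock-out after the first non-whitelisted ID, and a bus-load limit that prevents flooding (the "6% bus load" figure from later slides is used as the sample limit). The frame size approximation, the 500 kbit/s bit rate and the IDs 0x456 and 0x123 are constructed values.

```python
"""Transmit-path policy of a security-enhancing CAN transceiver, modelled in Python.

Added example (not NXP's code): simulates the two transmit-path features of the
slides, a whitelist of CAN IDs the node may send and a bus-load limit that
prevents flooding. Frame sizes are a constructed approximation; the IDs, bit
rate and 6% limit are sample values.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit classical CAN identifier
    dlc: int      # payload length in bytes, 0..8


@dataclass
class TxPolicy:
    whitelist: frozenset                 # CAN IDs this node is allowed to transmit
    max_load: float                      # share of bus time this node may use, e.g. 0.06
    bitrate: int = 500_000               # bus bit rate in bit/s (sample value)
    window_s: float = 1.0                # averaging window for the load limit
    locked_out: bool = False             # set once a non-whitelisted ID was attempted
    _history: list = field(default_factory=list)   # (timestamp, bits) of frames sent

    @staticmethod
    def frame_bits(frame: Frame) -> int:
        # Constructed approximation: ~47 bits of framing for an 11-bit ID plus
        # 8 bits per payload byte; real frames vary with bit stuffing.
        return 47 + 8 * frame.dlc

    def check(self, frame: Frame, t: float) -> str:
        """Decide what the transceiver does with a frame the host wants to send.

        'SEND'       frame goes onto the bus
        'INVALIDATE' ID not in whitelist: frame is invalidated in the EOF field and
                     the node is excluded from further communication (slide 12)
        'DEFER'      sending it now would exceed the configured bus-load share
        """
        if self.locked_out:
            return "INVALIDATE"
        if frame.can_id not in self.whitelist:
            self.locked_out = True
            return "INVALIDATE"
        # Forget frames that have left the averaging window.
        self._history = [(ts, b) for ts, b in self._history if t - ts < self.window_s]
        bits = self.frame_bits(frame)
        used = sum(b for _, b in self._history) + bits
        if used > self.max_load * self.bitrate * self.window_s:
            return "DEFER"
        self._history.append((t, bits))
        return "SEND"


def simulate_burst(policy: TxPolicy, can_id: int, count: int, interval_s: float) -> list:
    """Feed `count` 8-byte frames with one ID at a fixed interval; return the decisions."""
    return [policy.check(Frame(can_id, 8), i * interval_s) for i in range(count)]


if __name__ == "__main__":
    # A node with whitelist {0x456} tries to send 300 frames in 0.3 s (a flood):
    # with a 30000-bit budget per second and 111-bit frames, 270 pass and 30 are deferred.
    flood = simulate_burst(TxPolicy(frozenset({0x456}), max_load=0.06), 0x456, 300, 0.001)
    print("sent:", flood.count("SEND"), "deferred:", flood.count("DEFER"))
    # The same node tries an ID outside its whitelist and is then excluded for good.
    p = TxPolicy(frozenset({0x456}), max_load=0.06)
    print(p.check(Frame(0x123, 8), 0.0), p.check(Frame(0x456, 8), 0.001))
```

The lock-out follows the slide literally (one violation excludes the node); a real product would define how the node is re-admitted, which the deck does not state, so the model simply keeps it excluded.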

  13. Security enhancing CAN transceivers. 2nd Solution: Spoofing protection. The transceiver of Node A sends an active error flag when it receives an identifier that it usually would send itself. Implications: the error flag sent by node A causes 16 repetitions before node E enters “error passive” (with suspend transmission) and a further 16 repetitions prior to entering the “bus off” state. Benefits: helps to protect in case of foreign node attachment, i.e. in case E is not under control of the OEM, like aftermarket devices; this method also helps in case node E starts tampering with the message data after A has sent the identifier and when node A is in “error passive” state. Drawbacks: does not work if A is not present (e.g. an off-board tester) or node A is in Sleep mode or un-powered; node E can be re-started by the hacker at any time; 32 error frames and peak bus load do occur.
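The receive-path mechanism of slide 13 and the "16 repetitions, then a further 16" consequence, as an added example that is not part of the slide deck and not NXP's code. Node A's transceiver holds the list of IDs A itself transmits; a frame carrying one of them while A is not transmitting is destroyed with an active error flag. The rejected transmitter's transmit error counter then follows the CAN fault-confinement rules (ISO 11898-1: +8 per transmit error, error passive above 127, bus off above 255), which is where the slide's 16 and 32 come from. The node model, ID 0x123 and the traffic trace are constructed.

```python
"""Receive-path spoofing protection and its CAN fault-confinement consequences,
modelled in Python.

Added example (not NXP's code). Node A's transceiver knows the IDs that A itself
transmits; when one of them arrives while A is not transmitting, the transceiver
raises an active error flag (slide 13). The offending transmitter's transmit
error counter (TEC) then follows the fault-confinement rules of ISO 11898-1:
+8 per transmit error, error passive when TEC > 127, bus off when TEC > 255.
The node model, the ID 0x123 and the traffic trace are constructed for the example.
"""

TX_ERROR_INCREMENT = 8
ERROR_PASSIVE_LIMIT = 127
BUS_OFF_LIMIT = 255


class FaultConfinement:
    """Transmit error counter bookkeeping for one CAN node."""

    def __init__(self):
        self.tec = 0

    @property
    def state(self) -> str:
        if self.tec > BUS_OFF_LIMIT:
            return "bus_off"
        if self.tec > ERROR_PASSIVE_LIMIT:
            return "error_passive"
        return "error_active"

    def transmit_error(self):
        if self.state != "bus_off":
            self.tec += TX_ERROR_INCREMENT

    def transmit_ok(self):
        if self.tec > 0 and self.state != "bus_off":
            self.tec -= 1


class SpoofingGuard:
    """Receive-path check inside node A's transceiver."""

    def __init__(self, own_ids):
        self.own_ids = frozenset(own_ids)   # IDs A itself transmits (configured at Tier-1)
        self.transmitting = False           # driven by A's own TX path
        self.error_flags = 0                # active error flags raised so far

    def on_rx_id(self, can_id: int) -> bool:
        """Return True when the transceiver destroys the frame with an active error flag."""
        if can_id in self.own_ids and not self.transmitting:
            self.error_flags += 1
            return True
        return False


def repetitions_until(state: str, spoofed_id: int = 0x123) -> int:
    """Count rejected attempts needed to drive a fresh node into `state`."""
    node = FaultConfinement()
    guard = SpoofingGuard({spoofed_id})
    attempts = 0
    while node.state != state:
        attempts += 1
        if guard.on_rx_id(spoofed_id):
            node.transmit_error()
        if attempts > 64:
            raise RuntimeError("state not reached; check the counter rules")
    return attempts


def replay(trace):
    """Run a constructed trace of (sender, can_id) tuples through A's guard.

    Returns the senders whose frames were destroyed. A's own frames set
    `transmitting`, so they are never flagged; foreign IDs pass untouched.
    """
    guard = SpoofingGuard({0x123})
    destroyed = []
    for sender, can_id in trace:
        guard.transmitting = (sender == "A")
        if guard.on_rx_id(can_id):
            destroyed.append(sender)
    return destroyed


if __name__ == "__main__":
    print("attempts until error passive:", repetitions_until("error_passive"))  # 16
    print("attempts until bus off:", repetitions_until("bus_off"))              # 32
    trace = [("A", 0x123), ("B", 0x200), ("E", 0x123), ("E", 0x123)]
    print("destroyed frames from:", replay(trace))                              # ['E', 'E']
```

The slide's drawback that "node E can be re-started by the hacker at any time" shows up in this model as a fresh `FaultConfinement` with TEC 0, which is why the defence costs 32 error frames per restart rather than stopping the node permanently.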

  14. Security enhancing CAN transceivers. Features in receive path: spoofing protection, tamper protection, intrusion detection. Features in transmit path: transmission whitelisting, flooding prevention, intrusion prevention. Independent operation from a possibly compromised host!

  15. Security enhancing CAN transceivers. Features in receive path: spoofing protection needs a list of identifiers; tamper protection does not need configuration. Features in transmit path: transmission whitelisting needs a list of identifiers; flooding prevention needs a limit, e.g. 6% bus load. The list of IDs for spoofing protection and the transmission whitelist can be the same! Configuration is done at Tier-1: program, test, lock. No update in the field possible.

  16. Security enhancing CAN transceivers. How to get to such a security enhancing transceiver? (Figure: CAN transceiver portfolio roadmap. Full 5 Mbps CAN cell: ultra-low emission, ultra-low power. Energy saving, partial networking: CAN bus monitor, CAN decoder. Fast ECU flashing, re-use of CAN ECUs in CAN FD networks: CAN FD bus monitor, FD shield, CAN FD controller. Network security: CAN/CAN FD spoofing and tampering protection, TX control and flooding protection, basic access prevention, set of policies stored in memory; ECU and network security.)

  17. Security enhancing CAN transceivers. What could be next? (Figure: the same portfolio roadmap extended by a further step: HW crypto accelerators, programmable core, security built into the CAN PHY, secure storage; ECU and network security.)

  18. Security enhancing CAN transceivers. Feature summary:
      1. Spoofing protection: the transceiver may issue an active error flag on reception of a CAN ID that is included in its transmission whitelist.
      2. Transmission whitelisting: the sending transceiver has a transmission whitelist of CAN IDs that are allowed to be sent.
      3. Tamper protection: if the node starts a transmission and a compromised node tampers with the message while the sender is error passive, the transceiver prevents message take-over by sending an active error flag.
      4. Flooding prevention: the transceiver ensures that its contribution to the bus load is limited.
      Advantages of realizing these features in a transceiver:
      1. Drop-in replacement for standard transceivers, no other HW change.
      2. Quick fix for vulnerable modules, no host SW update necessary.
      3. No cryptography included, no key management necessary.
      4. Independent from host µC, physically isolated.
      5. Complementary to other security measures.
