Nimrod Gilboa Markevich,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.2003.12456

2020-03-27

Abstract:ARINC 429 is the most common data bus in use today in civil avionics. However, the protocol lacks any form of source authentication. A technician with physical access to the bus is able to replace a transmitter by a rogue device, and the receivers will accept its malicious data as they have no method of verifying the authenticity of messages. Updating the protocol would close off security loopholes in new aircraft but would require thousands of airplanes to be modified. For the interim, until the protocol is replaced, we propose the first intrusion detection system that utilizes a hardware fingerprinting approach for sender identification for the ARINC 429 data bus. Our approach relies on the observation that changes in hardware, such as replacing a transmitter or a receiver with a rogue one, modify the electric signal of the transmission. Because we rely on the analog properties, and not on the digital content of the transmissions, we are able to detect a hardware switch as soon as it occurs, even if the data that is being transmitted is completely normal. Thus, we are able to preempt the attack before any damage is caused. In this paper we describe the design of our intrusion detection system and evaluate its performance against different adversary models. Our analysis includes both a theoretical Markov-chain model and an extensive empirical evaluation. For this purpose, we collected a data corpus of ARINC 429 data traces, which may be of independent interest since, to the best of our knowledge, no public corpus is available. We find that our intrusion detection system is quite realistic: e.g., it achieves near-zero false alarms per second, while detecting a rogue transmitter in under 50ms, and detecting a rogue receiver in under 3 seconds. In other words, technician attacks can be reliably detected during the pre-flight checks, well before the aircraft takes off.

Cryptography and Security

Longkai Wang,Shilun Du,Guofang Gong,Yong Lei

DOI: https://doi.org/10.1109/M2VIP58386.2023.10413404

2023-01-01

Abstract:Controller Area Network (CAN) plays an important role in vehicle chassis control system, hence the reliability of CAN network relates to driving performance and even passenger safety. However, intermittent connection (IC) faults, including intermittent open connection (IOC) and intermittent short connection (ISC), can potentially affect the performance of the vehicle CAN network. In this work, a hardware-in-the-loop (HIL) real-time simulation platform for the in-vehicle CAN system is constructed, and the effects of IC faults on the system are studied. First, based on the virtualized vehicle dynamics model and the actual bus hardware, the HIL platform of the vehicle CAN system is built. Then, typical connectivity problems such as IOC and ISC faults are emulated on the vehicle chassis CAN system. Finally, the influence law of different electrical character (type, frequency, and intensity) of IC faults on the vehicle speed control performance is analyzed. The results demonstrate the varying performance of CAN-based control systems in terms of signal delay, control performance, system stability, and tolerable fault intensity in the presence of IC faults with different electrical characteristics.

lei xue,yangyang liu,tianqi li,kaifa zhao,jianfeng li,le yu,xiapu luo,yajin zhou,guofei gu

2022-01-01

Abstract:Modern vehicles are equipped with many ECUs (Electronic Control Unit) that are connected to the IVN (In-Vehicle Network) for controlling the vehicles. Meanwhile, various interfaces of vehicles, such as OBD-II port, T-Box, sensors, and telematics, implement the interaction between the IVN and external environment. Although rich value-added functionalities can be provided through these interfaces, such as diagnostics and OTA (Over The Air) updates, the adversary may also inject malicious data into IVN, thus causing severe safety issues. Even worse, existing defense approaches mainly focus on detecting the injection attacks launched from IVN, such as malicious/compromised ECUs, by analyzing CAN frames, and cannot defend against the higher layer MIAs (Message Injection Attacks) that can cause abnormal vehicle dynamics. In this paper, we propose a new state-aware abnormal message injection attack defense approach, named SAID. It detects the abnormal data to be injected into IVN by considering the data semantics and the vehicle dynamics and prevents the MIAs launched from devices connected to the vehicles, such as the compromised diagnostic tools and T-boxes. We develop a prototype of SAID for defending against MIAs and evaluate it using both real road data and simulation data. The experimental results show that SAID can defend against more than 99% of the network and service layer attack traffic and all state layer MIAs, effectively enforcing the safety of vehicles.

Sang Uk Sagong,Radha Poovendran,Linda Bushnell

DOI: https://doi.org/10.48550/arXiv.1907.10783

2019-07-25

Abstract:Data for controlling a vehicle is exchanged among Electronic Control Units (ECUs) via in-vehicle network protocols such as the Controller Area Network (CAN) protocol. Since these protocols are designed for an isolated network, the protocols do not encrypt data nor authenticate messages. Intrusion Detection Systems (IDSs) are developed to secure the CAN protocol by detecting abnormal deviations in physical properties. For instance, a voltage-based IDS (VIDS) exploits voltage characteristics of each ECU to detect an intrusion. An ECU with VIDS must be connected to the CAN bus using extra wires to measure voltages of the CAN bus lines. These extra wires, however, may introduce new attack surfaces to the CAN bus if the ECU with VIDS is compromised. We investigate new vulnerabilities of VIDS and demonstrate that an adversary may damage an ECU with VIDS, block message transmission, and force an ECU to retransmit messages. In order to defend the CAN bus against these attacks, we propose two hardware-based Intrusion Response Systems (IRSs) that disconnect the compromised ECU from the CAN bus once these attacks are detected. We develop four voltage-based attacks by exploiting vulnerabilities of VIDS and evaluate the effectiveness of the proposed IRSs using a CAN bus testbed.

Cryptography and Security

Damilola Oladimeji,Amar Rasheed,Cihan Varol,Mohamed Baza,Hani Alshahrani,Abdullah Baz

DOI: https://doi.org/10.3390/s23198223

2023-10-02

Abstract:Current vehicles include electronic features that provide ease and convenience to drivers. These electronic features or nodes rely on in-vehicle communication protocols to ensure functionality. One of the most-widely adopted in-vehicle protocols on the market today is the Controller Area Network, popularly referred to as the CAN bus. The CAN bus is utilized in various modern, sophisticated vehicles. However, as the sophistication levels of vehicles continue to increase, we now see a high rise in attacks against them. These attacks range from simple to more-complex variants, which could have detrimental effects when carried out successfully. Therefore, there is a need to carry out an assessment of the security vulnerabilities that could be exploited within the CAN bus. In this research, we conducted a security vulnerability analysis on the CAN bus protocol by proposing an attack scenario on a CAN bus simulation that exploits the arbitration feature extensively. This feature determines which message is sent via the bus in the event that two or more nodes attempt to send a message at the same time. It achieves this by prioritizing messages with lower identifiers. Our analysis revealed that an attacker can spoof a message ID to gain high priority, continuously injecting messages with the spoofed ID. As a result, this prevents the transmission of legitimate messages, impacting the vehicle's operations. We identified significant risks in the CAN protocol, including spoofing, injection, and Denial of Service. Furthermore, we examined the latency of the CAN-enabled system under attack, finding that the compromised node (the attacker's device) consistently achieved the lowest latency due to message arbitration. This demonstrates the potential for an attacker to take control of the bus, injecting messages without contention, thereby disrupting the normal operations of the vehicle, which could potentially compromise safety.

Matthew Smith,Martin Strohmeier,Jon Harman,Vincent Lenders,Ivan Martinovic

DOI: https://doi.org/10.48550/arXiv.1905.08039

2019-05-20

Cryptography and Security

Abstract:Many wireless communications systems found in aircraft lack standard security mechanisms, leaving them fundamentally vulnerable to attack. With affordable software-defined radios available, a novel threat has emerged, allowing a wide range of attackers to easily interfere with wireless avionic systems. Whilst these vulnerabilities are known, concrete attacks that exploit them are still novel and not yet well understood. This is true in particular with regards to their kinetic impact on the handling of the attacked aircraft and consequently its safety. To investigate this, we invited 30 Airbus A320 type-rated pilots to fly simulator scenarios in which they were subjected to attacks on their avionics. We implement and analyse novel wireless attacks on three safety-related systems: Traffic Collision Avoidance System (TCAS), Ground Proximity Warning System (GPWS) and the Instrument Landing System (ILS). We found that all three analysed attack scenarios created significant control impact and cost of disruption through turnarounds, avoidance manoeuvres, and diversions. They further increased workload, distrust in the affected system, and in 38% of cases caused the attacked safety system to be switched off entirely. All pilots felt the scenarios were useful, with 93.3% feeling that simulator training for wireless attacks could be valuable.

M. Kamaraju,A.V.N. Tilak,K.Lal Kishore,K.Baburao

DOI: https://doi.org/10.48550/arXiv.1011.5374

2010-11-24

Abstract:Modern Avionics are controlled by sophisticated mission components in the Aircraft. The control function is implemented via a standard ARINC-429 bus interface. It is a two-wire point-topoint serial data bus for control communications in Avionics. The bus operates 12.5 or 100kb/sec, the implementation is envisaged for one transmits and receive channel respectively. Further the code can be modified for more no of independent Tx and Rx channels. An on chip memory allotment on the FPGA will provide a buffer bank for storing the incoming or outgoing data. For this purpose SRAM based FPGAs are utilized. This flexible ARINC429 solution gives exactly what is needed for real time applications. The IP can be programmed to send an interrupt to the host and also prepare it to process the data. Majority of the hardware function of digital natures are embedded into a single FPGA by saving in terms of PCB board space, power consumption and volume results. This paper deals with the development, implementation, simulation, and verification of ARINC_429 formats. The IP core development is described in VHDL.

Other Computer Science

Hwejae Lee,Hyosun Lee,Saehee Jun,Huy Kang Kim

2024-06-03

Abstract:Following the enactment of the UN Regulation, substantial efforts have been directed toward implementing intrusion detection and prevention systems (IDPSs) and vulnerability analysis in Controller Area Network (CAN). However, Society of Automotive Engineers (SAE) J1939 protocol, despite its extensive application in camping cars and commercial vehicles, has seen limited vulnerability identification, which raises significant safety concerns in the event of security breaches. In this research, we explore and demonstrate attack techniques specific to SAE J1939 communication protocol. We introduce 14 attack scenarios, enhancing the discourse with seven scenarios recognized in the previous research and unveiling seven novel scenarios through our elaborate study. To verify the feasibility of these scenarios, we leverage a sophisticated testbed that facilitates real-time communication and the simulation of attacks. Our testing confirms the successful execution of 11 scenarios, underscoring their imminent threat to commercial vehicle operations. Some attacks will be difficult to detect because they only inject a single message. These results highlight unique vulnerabilities within SAE J1939 protocol, indicating the automotive cybersecurity community needs to address the identified risks.

Cryptography and Security

Paul M. Berges,Basavesh Ammanaghatta Shivakumar,Timothy Graziano,Ryan Gerdes,Z. Berkay Celik

DOI: https://doi.org/10.48550/arXiv.2006.14679

2020-06-26

Abstract:Traffic Collision Avoidance Systems (TCAS) are safety-critical systems required on most commercial aircrafts in service today. However, TCAS was not designed to account for malicious actors. While in the past it may have been infeasible for an attacker to craft radio signals to mimic TCAS signals, attackers today have access to open-source digital signal processing software, like GNU Radio, and inexpensive software defined radios (SDR) that enable the transmission of spurious TCAS messages. In this paper, methods, both qualitative and quantitative, for analyzing TCAS from an adversarial perspective are presented. To demonstrate the feasibility of inducing near mid-air collisions between current day TCAS-equipped aircraft, an experimental Phantom Aircraft generator is developed using GNU Radio and an SDR against a realistic threat model.

Signal Processing,Computers and Society,Systems and Control

Orly Stan,Yuval Elovici,Asaf Shabtai,Gaby Shugol,Raz Tikochinski,Shachar Kur

DOI: https://doi.org/10.48550/arXiv.1707.05032

2017-07-17

Cryptography and Security

Abstract:MIL-STD-1553 is a military standard that defines the physical and logical layers, and a command/response time division multiplexing of a communication bus used in military and aerospace avionic platforms for more than 40 years. As a legacy platform, MIL-STD-1553 was designed for high level of fault tolerance while less attention was taken with regard to security. Recent studies already addressed the impact of successful cyber attacks on aerospace vehicles that are implementing MIL-STD-1553. In this study we present a security analysis of MIL-STD-1553. In addition, we present a method for anomaly detection in MIL-STD-1553 communication bus and its performance in the presence of several attack scenarios implemented in a testbed, as well as results on real system data. Moreover, we propose a general approach towards an intrusion detection system (IDS) for a MIL-STD-1553 communication bus.

ZHANG Yi,LIU Li-jie,ZHANG Hang,FANG Wen,TANG Liang

DOI: https://doi.org/10.3969/j.issn.1671-654X.2008.01.029

2008-01-01

Abstract:The ARINC429 bus is extensive used in avions and civil aviations.To solve the problems that the high requirements automatic test system is mainly based on VXI bus and on the other hand the VXI-ARINC429 bus interface is too expensive,this article discusses the design of VXI-ARINC429 bus interface which is used in automatic test system of air to terra attack system of a certain aeroplane.This interface is based on high speed DSP,high integrated chip CPLD and high capability interface chip of ARINC429.Tests indicate that the interface whose capabilities is credible and steady,well satisfied the requirements of automatic test systems.

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Linda Bushnell,Radha Poovendran

DOI: https://doi.org/10.1109/tdsc.2021.3068213

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In recent years, the security of automotive Cyber-Physical Systems (CPSs) is facing urgent threats due to the widespread use of legacy in-vehicle communication systems. As a representative legacy bus system, the Controller Area Network (CAN) hosts Electronic Control Units (ECUs) that are crucial for the vehicles functioning. In this scenario, malicious actors can exploit the CAN vulnerabilities, such as the lack of built-in authentication and encryption schemes, to launch CAN bus attacks (e.g., suspension, injection, and masquerade attacks) with life-threatening consequences (e.g., disabling brakes). In this article, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs on the legacy CAN bus by exploiting the covert channels, without introducing CAN protocol modifications or traffic overheads (no extra bits or CAN messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a centralized, trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) the Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) the Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data; and 3) a hybrid covert channel, exploiting the combination of the first two. In order to validate TACAN, we implement the covert channels on the University of Washington (UW) EcoCAR (Chevrolet Camaro 2016) testbed. We further evaluate the bit error, throughput, and detection performance of TACAN through extensive experiments using the EcoCAR testbed and a publicly available dataset collected from Toyota Camry 2010. We demonstrate the feasibility of TACAN and the effectiveness of detecting CAN bus attacks, highlighting no traffic overheads and attesting the regular functionality of-ECUs.

computer science, information systems, software engineering, hardware & architecture

Zachariah Tyree,Robert A. Bridges,Frank L. Combs,Michael R. Moore

DOI: https://doi.org/10.48550/arXiv.1808.10840

2018-08-28

Abstract:Modern vehicles rely on scores of electronic control units (ECUs) broadcasting messages over a few controller area networks (CANs). Bereft of security features, in-vehicle CANs are exposed to cyber manipulation and multiple researches have proved viable, life-threatening cyber attacks. Complicating the issue, CAN messages lack a common mapping of functions to commands, so packets are observable but not easily decipherable. We present a transformational approach to CAN IDS that exploits the geometric properties of CAN data to inform two novel detectors--one based on distance from a learned, lower dimensional manifold and the other on discontinuities of the manifold over time. Proof-of-concept tests are presented by implementing a potential attack approach on a driving vehicle. The initial results suggest that (1) the first detector requires additional refinement but does hold promise; (2) the second detector gives a clear, strong indicator of the attack; and (3) the algorithms keep pace with high-speed CAN messages. As our approach is data-driven it provides a vehicle-agnostic IDS that eliminates the need to reverse engineer CAN messages and can be ported to an after-market plugin.

Cryptography and Security

Robert Buttigieg,Mario Farrugia,Clyde Meli

DOI: https://doi.org/10.1109/sta.2017.8314877

2017-12-01

Abstract:Modern vehicles may contain a considerable number of ECUs (Electronic Control Units) which are connected through various means of communication, with the CAN (Controller Area Network) protocol being the most widely used. However, several vulnerabilities such as the lack of authentication and the lack of data encryption have been pointed out by several authors, which ultimately render vehicles unsafe to their users and surroundings. Moreover, the lack of security in modern automobiles has been studied and analyzed by other researchers as well as several reports about modern car hacking have (already) been published. The contribution of this work aimed to analyze and test the level of security and how resilient is the CAN protocol by taking a BMW E90 (3-series) instrument cluster as a sample for a proof of concept study. This investigation was carried out by building and developing a rogue device using cheap commercially available components while being connected to the same CAN-Bus as a man in the middle device in order to send spoofed messages to the instrument cluster.

Mehmet Bozdal,Mohammad Samie,Sohaib Aslam,Ian Jennions

DOI: https://doi.org/10.3390/s20082364

IF: 3.9

2020-04-21

Sensors

Abstract:The automobile industry no longer relies on pure mechanical systems; instead, it benefits from many smart features based on advanced embedded electronics. Although the rise in electronics and connectivity has improved comfort, functionality, and safe driving, it has also created new attack surfaces to penetrate the in-vehicle communication network, which was initially designed as a close loop system. For such applications, the Controller Area Network (CAN) is the most-widely used communication protocol, which still suffers from various security issues because of the lack of encryption and authentication. As a result, any malicious/hijacked node can cause catastrophic accidents and financial loss. This paper analyses the CAN bus comprehensively to provide an outlook on security concerns. It also presents the security vulnerabilities of the CAN and a state-of-the-art attack surface with cases of implemented attack scenarios and goes through different solutions that assist in attack prevention, mainly based on an intrusion detection system (IDS).

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

姚旭栋,何黎明,王林

DOI: https://doi.org/10.3969/j.issn.1000-0380.2012.04.007

2012-01-01

Abstract:ARINC 429 bus is the data bus communication standard applied in certain type of regional jet in our country.In order to meet the requirements of bus simulation function in development and test processes of avionics system,with virtual instrument as the core,and based on LabVIEW software developing platform,the customizable ARINC 429 bus simulation system is designed.The system provides an excellent operational environment of conducting research,development,and test for avionic laboratory.

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1903.05231

2019-03-12

Cryptography and Security

Abstract:Nowadays, the interconnection of automotive systems with modern digital devices offers advanced user experiences to drivers. Electronic Control Units (ECUs) carry out a multitude of operations using the insecure Controller Area Network (CAN) bus in automotive Cyber-Physical Systems (CPSs). Therefore, dangerous attacks, such as disabling brakes, are possible and the safety of passengers is at risk. In this paper, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs by exploiting the covert channels without introducing CAN protocol modifications or traffic overheads (i.e., no extra bits or messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) offset-based, exploiting the clock offsets of CAN messages; 3) Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data. We implement the covert channels on the University of Washington (UW) EcoCAR testbed and evaluate their performance through extensive experiments. We demonstrate the feasibility of TACAN, highlighting no traffic overheads and attesting the regular functionality of ECUs. In particular, the bit error ratios are within 0.1% and 0.42% for the IAT-based and offset-based covert channels, respectively. Furthermore, the bit error ratio of the LSB-based covert channel is equal to that of a normal CAN bus, which is 3.1x10^-7%.

Sadek Misto Kirdi,Nicola Scarano,Franco Oberti,Luca Mannella,Stefano Di Carlo,Alessandro Savino

2024-06-11

Abstract:Modern vehicles are increasingly vulnerable to attacks that exploit network infrastructures, particularly the Controller Area Network (CAN) networks. To effectively counter such threats using contemporary tools like Intrusion Detection Systems (IDSs) based on data analysis and classification, large datasets of CAN messages become imperative. This paper delves into the feasibility of generating synthetic datasets by harnessing the modeling capabilities of simulation frameworks such as Simulink coupled with a robust representation of attack models to present CARACAS, a vehicular model, including component control via CAN messages and attack injection capabilities. CARACAS showcases the efficacy of this methodology, including a Battery Electric Vehicle (BEV) model, and focuses on attacks targeting torque control in two distinct scenarios.

Cryptography and Security,Artificial Intelligence,Machine Learning

Alan J. Michaels,Venkata Sai Srikar Palukuru,Michael J. Fletcher,Chris Henshaw,Steven Williams,Thomas Krauss,James Lawlis,John J. Moore,Alan Michaels,Michael J Fletcher,Christopher Henshaw,John Moore

DOI: https://doi.org/10.1109/tvt.2022.3143708

IF: 6.8

2022-01-01

IEEE Transactions on Vehicular Technology

Abstract:Over the past decade, consumer vehicles have increasingly begun to resemble computers on wheels, with many newer vehicles containing over 100 independent electronic control units (ECU) that make independent decisions within the vehicle. Cost and power constraints for the vehicle significantly constrain processing capabilities and limitations on practical cybersecurity measures that may be employed in the vehicle today. Also, as automotive manufacturers are continuous integrators, many legacy communications links within vehicles were originally designed as standalone entities that assumed internal trust of communications between ECUs by virtue of closed bus structures and an emphasis on reliability, but not security. This paper presents a low-cost authentication mechanism to significantly improve message validation on wired message buses such as the Controller Area Network (CAN) bus by employing a co-channel underlay watermark that arrives time-aligned with the primary bus messages. Concept validation using a gate-level Simulink HDL Coder simulation provided initial feasibility, while a complete CAN bus hardware testbed was constructed with a custom CAN transceiver built on a Red Pitaya software defined radio (SDR) connected to multiple commercial CAN transceivers to validate backwards compatibility. This testbed incorporates a custom transmission security (TRANSEC) engine that supports dynamic variation of the watermark, further improving security during deployment. Finally, this custom CAN testbed with the watermarking CAN transceiver was tested across a range of operational conditions, with initial performance results presented and discussed. Future work describes potential for near-term ruggedization and productization of the watermarking CAN transceiver.

telecommunications,engineering, electrical & electronic,transportation science & technology

Matthew Smith,Martin Strohmeier,Vincent Lenders,Ivan Martinovic

DOI: https://doi.org/10.48550/arXiv.2010.01034

2020-10-02

Abstract:Airborne collision avoidance systems provide an onboard safety net should normal air traffic control procedures fail to keep aircraft separated. These systems are widely deployed and have been constantly refined over the past three decades, usually in response to near misses or mid-air collisions. Recent years have seen security research increasingly focus on aviation, identifying that key wireless links---some of which are used in collision avoidance---are vulnerable to attack. In this paper, we go one step further to understand whether an attacker can remotely trigger false collision avoidance alarms. Primarily considering the next-generation Airborne Collision Avoidance System X (ACAS X), we adopt a modelling approach to extract attacker constraints from technical standards before simulating collision avoidance attacks against standardized ACAS X code. We find that in 44% of cases, an attacker can successfully trigger a collision avoidance alert which on average results in a 590 ft altitude deviation; when the aircraft is at lower altitudes, this success rate rises considerably to 79%. Furthermore, we show how our simulation approach can be used to help defend against attacks by identifying where attackers are most likely to be successful.

Cryptography and Security