Guoqi Xie,Laurence T. Yang,Yao Liu,Haibo Luo,Xin Peng,Renfa Li

DOI: https://doi.org/10.1109/tvt.2021.3061746

IF: 6.8

2021-06-01

IEEE Transactions on Vehicular Technology

Abstract:The rise of autonomous driving technology and the prosperity of mobile vehicular applications have brought tremendous pressure and put forward high bandwidth and low latency requirements for vehicular networks. Controller Area Network with Flexible Data-rate (CAN-FD) is a feasible choice to meet the high bandwidth and low latency requirements of in-vehicle communication of mobile vehicles. However, CAN-FD is vulnerable to masquerade attacks because it lacks necessary security authentication mechanisms and protection measures. This study presents a security enhancement technique called forward-backward exploration for independent in-vehicle CAN-FD messages while still guaranteeing each message is real-time. In the forward-backward exploration solution, a novel dual-pointer (including the forward pointer and the backward pointer) solution is proposed; the Message Authentication Code (MAC) size of each message is then dynamically adjusted by presenting the dual-pointer movement rules until the total payload no longer increases. Experimental results with real-life CAN-FD message set provided by an automaker demonstrate the effectiveness of our solution.

telecommunications,engineering, electrical & electronic,transportation science & technology

Wenhong Ma,Yan Liu,Guoqi Xie,Renfa Li,Laurence T. Yang

DOI: https://doi.org/10.1109/jiot.2021.3085422

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Controller area network with flexible data-rate (CAN-FD) has received great attention in automotive cyber–physical systems (ACPSs) due to its high bandwidth and long payload. However, CAN-FD adopts a broadcast message transmission mechanism and lacks security protection, making it extremely vulnerable to cyberattacks. CAN-FD message packing (packing signals into messages) with low bandwidth occupancy (utilization) under security constraints is the prerequisite for running intelligent applications in ACPS. In this work, we implement a two-stage CAN-FD message packing solution to reduce bandwidth utilization and improve signal acceptance rate under security constraints. The first stage solves the message packing problem of minimizing bus bandwidth utilization under security constraints. The second stage aims at improving the signal acceptance rate by repacking signals. Experimental results show that the first stage reduces average bus bandwidth utilization by 135% compared with the unpacking solution, and the second stage improves the average signal acceptance rate by 5% than existing advanced methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wufei Wu,Junhao Dai,Huijuan Huang,Qinmin Zhao,Gang Zeng,Renfa Li

DOI: https://doi.org/10.1109/tvt.2023.3247180

IF: 6.8

2023-01-01

IEEE Transactions on Vehicular Technology

Abstract:In recent years, automobiles have become increasingly networked with the development of information and communication technology (ICT). With the enhancement of the connectivity between the electronic control units of the vehicle and the external network, cybersecurity and driving safety issues have also arisen. However, as a traditional in-vehicle network standard, the controller area network (CAN) protocol lacks a network security mechanism design, making it vulnerable to hacker attacks. The current research on the cybersecurity enhancement method for in-vehicle CAN is a multi-objective optimization problem with response time, bandwidth consumption and computational complexity reduction. This study presents an in-vehicle message authentication method based on digital watermark and Huffman coding that are compatible with current CAN bus protocols. Our method not only minimize the delay of message authentication, but also save the storage resources to the greatest extent. Moreover, to tackle the issue of low computing resources, multiple messages can be authenticated at one time. In order to evaluate the performance, we implement our method on CAN communication platform and validate its high accuracy, low latency, and compatibility.

Franco Oberti,Ernesto Sanchez,Alessandro Savino,Filippo Parisi,Stefano Di Carlo

DOI: https://doi.org/10.1109/TVT.2024.3402986

2024-05-22

Abstract:The automotive market is increasingly profitable for cyberattacks with the constant shift toward fully interconnected vehicles. Electronic Control Units (ECUs) installed on cars often operate in a critical and hostile environment. Hence, both carmakers and governments have decided to support a series of initiatives to mitigate risks and threats belonging to the automotive domain. The Controller Area Network (CAN) is the primary communication protocol in the automotive field, and the integrity of the communication over this network is assured through Message Authentication Codes (MAC). However, limitations in throughput and frame size limit the application of this technique to specific versions of the CAN protocol, leaving several vehicles still unprotected. This paper presents CAN Multiplexed MAC (CAN-MM), a new approach exploiting frequency modulation to multiplex MAC data with standard CAN communication. CAN-MM allows transmitting MAC payloads maintaining full-back compatibility with all versions of the standard CAN protocol. Moreover, multiplexing allows sending DATA and MAC simultaneously.

Cryptography and Security

Yong Xie,Gang Zeng,Ryo Kurachi,Fu Xiao,Hiroaki Takada,Shiyan Hu

DOI: https://doi.org/10.1109/tdsc.2022.3194712

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The CAN FD emerges as a promising CAN technology inside the ACPS due to its advantages of high data-phase bit-rate and message payload. HSM based security solution is recommended by auto industry to protect CAN FD from potential security attacks, but it induces new challenges on timing analysis of CAN FD messages, which is left open in the literature. This article develops the first security-aware system model to describe the processing of CAN FD messages, and presents a new WCRT analysis to bound the interference induced by security-critical messages. We give the theoretical proof that our WCRT analysis can upper bound the response time of CAN FD messages. Using a small message set, we show that the WCRT computed by our new analysis is only 14% percent higher than the true WCRT obtained from an exhaustive search based simulator. By comparing with existing method, the number of impacted messages increases along with the increasing number of security critical messages, and for the two typical CAN FD systems, the percentage of WCRT increase varies from 12.43% to 14.57% and 7.0% to 10.89%, respectively; the percentage of WCRT decrease varies from 3.29% to 6.04% and 4.13% to 7.93%, respectively.

Wufei Wu,Ryo Kurachi,Gang Zeng,Yutaka Matsubara,Hiroaki Takada,Renfa Li,Keqin Li

DOI: https://doi.org/10.1109/access.2018.2870695

IF: 3.9

2018-01-01

IEEE Access

Abstract:Cybersecurity is increasingly important for the safety and reliability of autonomous vehicles. The controller area network (CAN) is the most widely used in-vehicle network for automotive safety-critical applications. Enhancing the cybersecurity ability of CAN while considering the real-time, schedulability, and cost constraints becomes an urgent issue. To address this problem, a real-time, and schedulability analysis-guaranteed security mechanism [identification hopping CAN (IDH-CAN)] is proposed in this paper, which aims to improve the security performance of CAN under the constraints of automotive real-time applications. In order to support the operation of the IDH-CAN mechanism, an IDH-CAN controller is also designed and implemented on a field-programmable gate array, which can work as a hardware firewall in the data link layer of CAN to isolate cyberattacks from the physical layer. Meanwhile, to maximize the information entropy of the CAN message ID on the physical layer, the ID hopping table generation and optimization algorithms for IDH-CAN are also proposed. Then, information security evaluation experiments based on information entropy comparison are deployed. The simulation and practical evaluations demonstrate the effectiveness of the proposed mechanism in defending reverse engineering, targeted denial of service, and replay attacks without violating real-time and schedulability constraints.

Ruiqi Lu,Guoqi Xie,Renfa Li,Yan Liu,Xinzhong Liu,Wei Xu,Jianmei Lei,Kenli Li

DOI: https://doi.org/10.1109/tcad.2024.3368971

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:As promising industrial embedded networks, Controller Area Networks with Flexible Data-rate (CAN-FD) are widely used in time-sensitive domains, such as automotive networks. However, the absence of built-in security mechanisms in CAN-FD necessitates the development of security protection mechanisms. The existing Lightweight Authentication for Secure Automotive Networks (LASAN) framework focuses on enhancing the security of CAN/CAN-FD communication but neglects the conflict between security and delay. In this study, we conduct a thorough analysis of the causal mechanism related to the security and delay of LASAN and propose a static message scheduling method called Cooperative Swapping Approach (CSA) to achieve secure and low-delay CAN-FD communication. CSA is to minimize the end-to-end delay of precedence-constrained CAN-FD applications by swapping message positions in a valid message sequence. Nevertheless, exchanging message positions may impact the precedence dependencies between messages; therefore, we propose a novel Cooperative Transform Approach (CTA) within the CSA to efficiently preserve these precedence constraints. Valid message sequences with minimal end-to-end delays of a motivation example and an Adaptive Cruise Control (ACC) application are obtained in LASAN by CSA. These sequences are implemented on the embedded microcontroller platform of STM32H743IITs for evaluation. Experimental results show that our proposed CSA can effectively reduce the end-to-end delay of LASAN and outperform the state-of-the-art static message scheduling method in terms of low delay.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Youngmi Baek,Seongjoo Shin

DOI: https://doi.org/10.3390/s22072636

2022-03-29

Abstract:Automotive cyber-physical systems are in transition from the closed-systems to open-networking systems. As a result, in-vehicle networks such as the controller area network (CAN) have become essential to connect to inter-vehicle networks through the various rich interfaces. Newly exposed security concerns derived from this requirement may cause in-vehicle networks to pose threats to automotive security and driver's safety. In this paper, to ensure a high level of security of the in-vehicle network for automotive CPS, we propose a novel lightweight and practical cyber defense platform, referred to as CANon (CAN with origin authentication and non-repudiation), to be enabled to detect cyber-attacks in real-time. CANon is designed based on the hierarchical approach of centralized-session management and distributed-origin authentication. In the former, a gateway node manages each initialization vector and session of origin-centric groups consisting of two more sending and receiving nodes. In the latter, the receiving nodes belonging to the given origin-centric group individually perform the symmetric key-based detection against cyber-attacks by verifying each message received from the sending node, namely origin authentication, in real-time. To improve the control security, CANon employs a one-time local key selected from a sequential hash chain (SHC) for authentication of an origin node in a distributed mode and exploits the iterative hash operations with randomness. Since the SHC can constantly generate and consume hash values regardless of their memory capacities, it is very effective for resource-limited nodes for in-vehicle networks. In addition, through implicit key synchronization within a given group, CANon addresses the challenges of a key exposure problem and a complex key distribution mechanism when performing symmetric key-based authentication. To achieve lightweight cyber-attack detection without imposing an additive load on CAN, CANon uses a keyed-message authentication code (KMAC) activated within a given group. The detection performance of CANon is evaluated under an actual node of Freescale S12XF and virtual nodes operating on the well-known CANoe tool. It is seen that the detection rate of CANon against brute-force and replay attacks reaches 100% when the length of KMAC is over 16 bits. It demonstrates that CANon ensures high security and is sufficient to operate in real-time even on low-performance ECUs. Moreover, CANon based on several software modules operates without an additive hardware security module at an upper layer of the CAN protocol and can be directly ported to CAN-FD (CAN with Flexible Data rate) so that it achieves the practical cyber defense platform.

Franco Oberti,Alessandro Savino,Ernesto Sanchez,Filippo Parisi,Stefano Di Carlo

DOI: https://doi.org/10.1109/TDMR.2022.3157000

2022-03-07

Abstract:The automobile industry is no longer relying on pure mechanical systems; instead, it benefits from advanced Electronic Control Units (ECUs) in order to provide new and complex functionalities in the effort to move toward fully connected cars. However, connected cars provide a dangerous playground for hackers. Vehicles are becoming increasingly vulnerable to cyber attacks as they come equipped with more connected features and control systems. This situation may expose strategic assets in the automotive value chain. In this scenario, the Controller Area Network (CAN) is the most widely used communication protocol in the automotive domain. However, this protocol lacks encryption and authentication. Consequently, any malicious/hijacked node can cause catastrophic accidents and financial loss. Starting from the analysis of the vulnerability connected to the CAN communication protocol in the automotive domain, this paper proposes EXT-TAURUM P2T a new low-cost secure CAN-FD architecture for the automotive domain implementing secure communication among ECUs, a novel key provisioning strategy, intelligent throughput management, and hardware signature mechanisms. The proposed architecture has been implemented, resorting to a commercial Multi-Protocol Vehicle Interface module, and the obtained results experimentally demonstrate the approach's feasibility.

Cryptography and Security

Haichun Zhang,Xu Meng,Xiong Zhang,Zhenglin Liu

DOI: https://doi.org/10.3390/s20174900

IF: 3.9

2020-08-30

Sensors

Abstract:The Internet of Things (IoT) is an industry-recognized next intelligent life solution that increases the level of comfort, efficiency, and automation for citizens through numerous sensors, smart devices, and cloud stations connected physically. As an important application scenario of IoT, the Internet of Vehicles (IoV) plays an extremely critical role in the intelligent transportation field. In fact, the In-Vehicle Network of smart vehicles that are recognized as the core roles in intelligent transportation is currently the Controller Area Network (CAN). However, the In-Vehicle CAN bus protocol has several vulnerabilities without any encryption, authentication, or integrity checking, which severely threatens the safety of drivers and passengers. Once malicious attackers hack the vehicular gateway and obtain the access right of the CAN, they may control the vehicle based on the vulnerabilities of the CAN bus protocol. Given the severe security risk of CAN, we proposed the CANsec, a practical In-Vehicle CAN security evaluation tool that simulates malicious attacks according to major attack models to evaluate the security risk of the In-Vehicle CAN. We also show a usage case of the CANsec without knowing any information from the vehicle manufacturer.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Linda Bushnell,Radha Poovendran

DOI: https://doi.org/10.1109/tdsc.2021.3068213

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In recent years, the security of automotive Cyber-Physical Systems (CPSs) is facing urgent threats due to the widespread use of legacy in-vehicle communication systems. As a representative legacy bus system, the Controller Area Network (CAN) hosts Electronic Control Units (ECUs) that are crucial for the vehicles functioning. In this scenario, malicious actors can exploit the CAN vulnerabilities, such as the lack of built-in authentication and encryption schemes, to launch CAN bus attacks (e.g., suspension, injection, and masquerade attacks) with life-threatening consequences (e.g., disabling brakes). In this article, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs on the legacy CAN bus by exploiting the covert channels, without introducing CAN protocol modifications or traffic overheads (no extra bits or CAN messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a centralized, trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) the Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) the Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data; and 3) a hybrid covert channel, exploiting the combination of the first two. In order to validate TACAN, we implement the covert channels on the University of Washington (UW) EcoCAR (Chevrolet Camaro 2016) testbed. We further evaluate the bit error, throughput, and detection performance of TACAN through extensive experiments using the EcoCAR testbed and a publicly available dataset collected from Toyota Camry 2010. We demonstrate the feasibility of TACAN and the effectiveness of detecting CAN bus attacks, highlighting no traffic overheads and attesting the regular functionality of-ECUs.

computer science, information systems, software engineering, hardware & architecture

WANG Jian,ZHANG Zi-jian,YUAN Jian

DOI: https://doi.org/10.13190/j.jbupt.2015.04.006

2015-01-01

Abstract:The development of vehicular Ad hoc networks ( VANETs) require a secure in-vehicle net-work. Controller area network (CAN) is a popular protocol applied in in-vehicle network. In order to en-hance CAN bus security, abroadcast authentication algorithm, which establishesthe samemessage authen-tication code( MAC) list among all the electronic control unit ( ECUs) with stream ciphers, was pro-posed. The senderjust needs to attach a MAC sequence to the data frame and the receiver compares the received MAC sequence with the corresponding one in the established list. This algorithm can be adapt to the characteristic ofthe CAN bus communication. The structure of the authentication system was described in detail. Finally,the security and delay performance was analyzed. The probability of miss and the bus overhead was provided.

Jie Cui,Yaning Chen,Hong Zhong,Debiao He,Lu Wei,Irina Bolodurina,Lu Liu

DOI: https://doi.org/10.1109/tvt.2023.3281276

IF: 6.8

2023-01-01

IEEE Transactions on Vehicular Technology

Abstract:With the rapid development of autonomous vehicles (AVs), vehicle safety has attracted attention. Controller area network (CAN) bus without authentication and encryption mechanisms is a weakness of the in-vehicle network (IVN), and attackers always primarily target the CAN bus. Attacks on the AVs' CAN bus are more frequent because AVs have more external interfaces and sensors than ordinary vehicles. To address the abovementioned issues, this paper proposes a lightweight encryption and authentication scheme for the CAN bus of AVs using message authentication codes and Grain stream cipher. The scheme realizes efficient authentication between electronic control units and a counter re-synchronization protocol is used to ensure that authentication failure owing to counter inconsistency is prevented. Blom key management scheme is employed to rapidly distribute and update session keys, avoiding the complicated process of updating pairwise keys. In addition, considering the scalability of the IVN, a key distribution protocol for new nodes was provided. The security proof using Burrows-Abadi-Needham logic and security analysis prove that the proposed scheme can satisfy the security requirements of the IVN. In addition, performance analysis shows that the proposed scheme can meet real-time requirements and has little impact on the busload.

telecommunications,engineering, electrical & electronic,transportation science & technology

Qiang Dong,Zenglu Song,Haoshu Shao

DOI: https://doi.org/10.1049/ell2.13112

2024-01-30

Electronics Letters

Abstract:This research presents a novel method for detecting and defending against intrusions in the Controller Area Network (CAN) bus used in automotive systems. By analysing frequency anomalies in message transmission and utilizing the arbitration mechanism of the CAN bus, this approach effectively identifies and disrupts illegal messages in real‐time, ensuring the security of the network. As automobile intelligence continues to develop, the electronic control units connected to the Controller Area Network (CAN) bus within vehicles face an increasing number of threats from potential attacks originating from the internet. To address this issue, an intrusion detection and defence method is proposed that is capable of detecting illegal messages through the use of frequency anomaly detection, and subsequently disrupting them through utilization of the CAN bus arbitration mechanism. This proposed method offers a simple implementation compared to traditional approaches, while being able to identify suspicious units and neutralize threats in real‐time. Experimental results demonstrate the effectiveness of this approach.

engineering, electrical & electronic

Stien Vanderhallen,Jo Van Bulck,Frank Piessens,Jan Tobias Mühlberg

DOI: https://doi.org/10.1016/j.comnet.2021.108079

IF: 5.493

2021-07-01

Computer Networks

Abstract:<p>Automotive control networks offer little resistance against security threats that come with the long-range connectivity in modern cars. Remote attacks that undermine the safety of vehicles have been shown to be practical. A range of security mechanisms have been proposed to harden resource-constrained embedded microcontrollers against malicious interference, including cryptographic protocols that establish the authenticity of in-vehicle message exchange. However, authenticated communication comes with repercussions on deployability and vehicle safety in terms of reliability, real-time compliance, backwards compatibility, and bandwidth and resource use.</p><p>In this article we investigate benign, defencive uses of <em>covert channels</em> to implement and support vehicular message authentication mechanisms as a transparent, resource-conserving approach to automotive network security. We provide the first comprehensive evaluation of covert channels in Controller Area Networks (CAN) with respect to the attainable bandwidth and reliability of covert communication. Our analysis identifies timing-based covert channels as candidates to design a <em>complementary</em> nonce synchronisation channel that can enhance robustness against message loss in existing authentication schemes. We practically implement and evaluate this design on top of an open-source authenticated CAN communication library, showing that covert timing channels can improve communication robustness in benign circumstances, while not reducing the security guarantees of the underlying authentication primitives when under attack.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Xie Yong,Zeng Gang,Ryo Kurachi,Xie Guoqi,Dou Yong,Zhou Zhili

DOI: https://doi.org/10.1016/j.sysarc.2017.10.008

IF: 5.836

2017-01-01

Journal of Systems Architecture

Abstract:CAN with flexible data rate (CAN FD) is considered the next generation in-vehicle network standard for automotive cyber-physical systems. CAN FD supports a data phase bit-rate of up to 10 Mbps and message payload of up to 64 bytes. However, the substantial differences regarding the allowed message payloads and the heterogeneity of the signal periods indicate the need for a systematic design method to fully utilize its large transmission bandwidth. We propose an optimized design method for CAN FD to minimize bandwidth utilization while meeting the signal timing constraint. First, two slack evaluation metrics are defined for the quantitative analysis of the potential packing choices. Based on these metrics, we propose a clustering-based signal packing algorithm, and the schedulability of the signals and the packed messages are both verified. The proposed method is compared with other design methods proposed for both CAN and CAN FD. The experimental results demonstrated that our method is the most bandwidth efficient and can meet the timing constraint simultaneously.

Zhaojun Lu,Qian Wang,Xi Chen,Gang Qu,Yongqiang Lyu,Zhenglin Liu

DOI: https://doi.org/10.1109/itsc.2019.8917500

2019-01-01

Abstract:The Controller Area Network (CAN) is considered as the de-facto standard for the in-vehicle communications due to its real-time performance and high reliability. Unfortunately, the lack of security protection on the CAN bus gives attackers the opportunity to remotely compromise a vehicle. In this paper, we propose a Lightweight Encryption and Authentication Protocol (LEAP) with low cost and high efficiency to address the security issue of the CAN bus. LEAP exploits the security-enhanced stream cipher primitive to provide encryption and authentication for the CAN messages. Compared with the state-of-the-art Message Authentication Code (MAC) based approaches, LEAP requires less memory, is 8X faster, and thwarts the most recently proposed attacks.

Xinyu Yao,Hui Sun,Xiangdong Jin,Yifan Ding

DOI: https://doi.org/10.23919/ccc50068.2020.9189356

2020-01-01

Abstract:The electric vehicles nowadays are managed by networked controllers. Because of the advantages of fast, reliable, simple wiring, and light weight, CAN bus has become one of the most widely used field buses in the world. Most of the networks were designed with little concern about security which has recently motivated researchers to demonstrate various kinds of attacks against the system. This paper proposes an optimization method for encrypting CAN Messages. In addition, a single frame CAN message can only transmit 64-bit valid data, it is often necessary to complete the communication task by sending a multi-frame message with the same ID. The AES algorithm has become the first choice for encrypting multi-frame CAN messages with its extremely high reliability and fast encryption and decryption speed. In this paper, a method of encrypting multi-frame CAN messages based on the AES algorithm is proposed, and on the basis of which a hash value is optimized to ensure the security of data transmitted on the CAN bus.

Yong Xie,Gang Zeng,Ryo Kurachi,Hiroaki Takada,Guoqi Xie

DOI: https://doi.org/10.1109/tii.2018.2851939

IF: 12.3

2018-01-01

IEEE Transactions on Industrial Informatics

Abstract:The controller area network with flexible data-rate (CAN FD) is the new generation of the CAN technology to meet the daily increasing bandwidth requirement for automotive cyber-physical systems (ACPS). However, ACPS is a security-critical system, an efficient security/timing-aware design space exploration (DSE) method is required to fully utilize CAN FD's high data phase data rate. In this paper, we propose an AUTOSAR-compliant system model that integrates both timing and security constraint, an integrated mixed-integer linear programming formulation (i-MILP) for the optimal DSE of CAN FD, and a divide-and-conquer approach to the i-MILP (dc-MILP) to address its timing complexity problem. The experiment results show that dc-MILP scales well for industrial-size systems and saves 1.94%-4.76% bandwidth utilization and guarantees the schedulability for more signal sets by comparing with the state-of-the-art algorithm.

Xuhang Ying,Giuseppe Bernieri,Mauro Conti,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1903.05231

2019-03-12

Cryptography and Security

Abstract:Nowadays, the interconnection of automotive systems with modern digital devices offers advanced user experiences to drivers. Electronic Control Units (ECUs) carry out a multitude of operations using the insecure Controller Area Network (CAN) bus in automotive Cyber-Physical Systems (CPSs). Therefore, dangerous attacks, such as disabling brakes, are possible and the safety of passengers is at risk. In this paper, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs by exploiting the covert channels without introducing CAN protocol modifications or traffic overheads (i.e., no extra bits or messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) offset-based, exploiting the clock offsets of CAN messages; 3) Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data. We implement the covert channels on the University of Washington (UW) EcoCAR testbed and evaluate their performance through extensive experiments. We demonstrate the feasibility of TACAN, highlighting no traffic overheads and attesting the regular functionality of ECUs. In particular, the bit error ratios are within 0.1% and 0.42% for the IAT-based and offset-based covert channels, respectively. Furthermore, the bit error ratio of the LSB-based covert channel is equal to that of a normal CAN bus, which is 3.1x10^-7%.