Spoofing Attack on Clock Based Intrusion Detection System in Controller Area Networks

The Controller Area Network (CAN) protocol is still a de-facto standard for in-vehicle communication between Electronic Control Units (ECUs). The CAN protocol lacks basic security features such as absence of sender node information, absence of authentications mechanism and the plug and play nature of the network. The payload in a CAN data packet is very small i.e. 8 bytes, therefore, implementation of cryptographic solutions for data integrity verification is not feasible. Various methods have been proposed for ECU identification, one of the methods is clock intrusion detection system (CIDS) [14]. The proposed method is based on authenticating the message sender by estimating the unique characteristics of the clock crystal. In an asynchronous network, the clocking information in a transmitted payload is entirely dependent upon the crystal which invokes the clock. These unique characteristics exists because of the asymmetry in the microstructure of the material. The challenge is to correctly estimate these unique characteristics. Authors proposed the technique to estimate the parameters sufficient enough to prove the clock uniqueness. This method is efficient in detecting the advanced variants of source spoofing attacks. In this paper, we have analyzed the design and architecture of the proposed method and found different weaknesses in the gist of the technique. These weaknesses are present in the mathematical model and can easily be exploited under the same threat models which have been used to evaluate CIDS previously. These vulnerabilities attack the assumption that constructed mathematical model of the sender node at monitoring or receiver is unique. We have proved it that exploiting the proposed vulnerabilities is sufficient to construct the same model for the traffic stream generated from the compromised node. As a proof of concept, we have proposed an attack, clock-spoofing attack, which can be used easily to bypass the CIDS by replicating the clock parameters, hence challenging the assumed uniqueness of clock parameters. Under our observations and the analysis of the found weaknesses, we have concluded that current approach to realize CIDS or similar solutions are defective and are prone to the advanced spoofing attacks. To mitigate against such advanced attacks, we have proposed an idea of authenticating the ECU’s based on the immutable unique fingerprints in the electrical signals at physical layer. Electrical devices leave unique fingerprints in the transmitted signal due to natural asymmetry of the material, which can be used to fingerprint the source. As per the CAN transmission at physical level, these are the dominant bits which are transmitted instead of the recessive bits. So, a statistical analysis of the dominant bits in the received physical signal will contain the unique characteristics of the transmitter which can be used for designing an efficient and highly accurate Intrusion Detection System for CAN Bus. We have discussed this idea briefly.