The CAN bus is crucial to the efficiency and safety of modern vehicle infrastructure. Electronic Control Units (ECUs) exchange data across a shared bus, dropping messages whenever errors occur. If an ECU generates enough errors, its transmitter is put in a bus-off state, turning it off. Previous work abuses this process to disable ECUs, but is trivial to detect through the multiple errors transmitted over the bus. We propose a novel attack, undetectable by prior intrusion detection systems, which disables ECUs within a single message without generating any errors on the bus. Performing this attack requires the ability to flip bits on the bus, but not with any level of sophistication. We show that an attacker who can only flip bits 40% of the time can execute our stealthy attack 100% of the time. But this attack, and all prior CAN attacks, rely on the ability to read the bus. We propose a new technique which synchronizes the bus, such that even a blind attacker, incapable of reading the bus, can know when to transmit, taking a limited attacker's chance of success from the percentage of dead bus time to 100%. Finally, we propose a small modification to the CAN error process to ensure an ECU cannot fail without being detected, no matter how advanced the attacker is. Taken together, we advance the state of the art for CAN attacks and blind attackers, while proposing a detection system against stealthy attacks and the larger problem of CAN's abusable error frames.
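The fault-confinement rule behind "enough errors" and the reason earlier bus-off attacks are visible to an error-counting IDS, as an added example (not code from the paper). The counter values are those of standard CAN fault confinement; the detector rule, its window and threshold, and the event traces are constructed assumptions.

```python
# Added example: standard CAN transmitter fault confinement, plus a naive
# error-frame-count detector of the kind the abstract says prior attacks trip.
from dataclasses import dataclass

TX_ERROR_INC = 8        # transmit error counter (TEC) increment per transmit error
TX_OK_DEC = 1           # TEC decrement per successful transmission
ERROR_PASSIVE_AT = 128  # TEC > 127 -> error-passive
BUS_OFF_AT = 256        # TEC > 255 -> bus-off (transmitter disabled)

@dataclass
class Transmitter:
    tec: int = 0

    @property
    def state(self) -> str:
        if self.tec >= BUS_OFF_AT:
            return "bus-off"
        return "error-passive" if self.tec >= ERROR_PASSIVE_AT else "error-active"

    def on_event(self, event: str) -> str:
        if self.state == "bus-off":
            return self.state  # stays off until recovery or reset
        if event == "tx_error":
            self.tec += TX_ERROR_INC
        elif event == "tx_ok":
            self.tec = max(0, self.tec - TX_OK_DEC)
        return self.state

def errors_until_bus_off(trace):
    """Return (errors seen on the bus, index of the bus-off event or None)."""
    node, errors = Transmitter(), 0
    for i, ev in enumerate(trace):
        errors += ev == "tx_error"
        if node.on_event(ev) == "bus-off":
            return errors, i
    return errors, None

def detector_alerts(trace, window=16, threshold=8):
    """Hypothetical IDS rule: alert if any window holds >= threshold errors."""
    return any(trace[i:i + window].count("tx_error") >= threshold
               for i in range(len(trace)))

# Constructed traces: back-to-back errors, and errors interleaved with successes.
BACK_TO_BACK = ["tx_error"] * 32
INTERLEAVED = ["tx_error", "tx_ok"] * 40
```

Under these rules a transmitter needs at least 32 error events to reach bus-off, which is the on-bus footprint such a detector keys on; a detector of this kind has nothing to count when no error frames appear, which is the gap the abstract describes.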