# Low-level Attacks#

To understand low-level attacks on CAN-Networks, it’s crucial to be aware of MCU internal interconnection of the CAN Peripherals to GPIOs. As shown in the above figure, a GPIO can be mapped to different internal peripheral devices in the MCU. For normal operations, an external GPIO pin is always connected to the CAN-RX and CAN-TX signals of the CAN-peripheral. This configuration limits the possible low-level attacks since an attacker can’t control the GPIO pin directly. Many of the following attacks are only possible if the GPIO pins are disconnected from the intern CAN-peripheral and directly controlled by the CPU, which executes an attacker’s code.

## Bus Flood Attack#

[Tin19]

• Denial-of-Service attack

• Flooding the bus with frames that have a CAN-ID = 0

• All other messages are suppressed, because of CDMA/CR

• Doable with a microcontroller and low-level CAN access

• Difficult from Linux Userland and through USB-CAN interfaces

sock = CANSocket("can0")
msg = CAN(identifier=0, data=b'12345678')
while(1):
sock.send(msg)


## Simple frame spoofing#

[Tin19]

• Send fake data more often than the legitimate sender

• Fake- and legitimate frames are not synchronized

• ECU may also receive legitimate frames

• Fake- and legitimate frames can clash

• Easy detectable by IDS

sock = CANSocket("can0")
msg = CAN(identifier=0x123, data=b'fakedata')
while(1):
sock.send(msg)
time.sleep(0.1)


[Tin19]

• Send fake data immediately after a correct frame is sent

• CAN-Controllers will update message boxes

• If a host isn’t fast enough, fake data is read

• Easy detectable by IDS

sock = CANSocket("can0")
msg = CAN(identifier=0x123, data=b'fakedata')
while(1):
rx = sock.recv()
if rx.identifier == 0x123:
sock.send(msg)


## Error Passive Spoofing Attack#

[Tin19]

• Drive the TEC of the targeted ECU above 127 to enter error passive mode

• After the targeted ECU leaves the error passive and tries to send a frame, inject a new error

• Targeted ECU stays recessive up on a new error

• Attacker can override data and CRC

• This attack can not be detected by simpler IDS systems

## Bus-off Attack#

[Tin19] [CS16]

• Drive the TEC of the targeted ECU above 255 to enter Bus Off mode

• Targeted ECU will stop sending any frame → DoS

• The attacker can send any data and will not be interrupted by the legitimate ECU

• Kulandaivel et al. used this attack combined with statistical analysis for CAN mapping [KGAS19].

• Monitoring all CAN frames

• Sending one ECU into Bus-off mode by attacking one specific identifier

• This ECU will not send any CAN message, even if the identifier would be different

• Monitoring the new state of the CAN bus

• Comparison reveals all CAN identifiers of the attacked ECU

## Summary#

• Attacks that do not require low-level CAN access are easy to detect by IDS

• Attacks with low-level CAN access require the highest execution privileges on an attacked ECU and detailed knowledge about the used MCU, the pinout, and the connections to CAN transceivers

• Low-level attacks don’t affect outer CAN domains, separated by a gateway ECU

[CS16]

Kyong-Tak Cho and Kang G. Shin. Error Handling of In-Vehicle Networks Makes Them Vulnerable. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, 1044–1055. New York, NY, USA, 2016. Association for Computing Machinery. URL: https://doi.org/10.1145/2976749.2978302, doi:10.1145/2976749.2978302.

[KGAS19]

Sekar Kulandaivel, Tushar Goyal, Arnav Kumar Agrawal, and Vyas Sekar. CANvas: Fast and Inexpensive Automotive Network Mapping. In 28th USENIX Security Symposium (USENIX Security 19), 389–405. Santa Clara, CA, August 2019. USENIX Association. URL: https://www.usenix.org/conference/usenixsecurity19/presentation/kulandaivel.

[Tin19] (1,2,3,4,5)

Ken Tindell. CAN Bus Security - Attacks on CAN bus and their mitigations. 2019. https://canislabs.com/wp-content/uploads/2020/12/2020-02-14-White-Paper-CAN-Security.pdf.