Intro
Following on from my previous blog post, I was intrigued to get into the nitty-gritty of CAN bus attacks.
Déjà vu, I've been in this place before - Initial D
What attacks are present?
Bus Flood
A Bus Flood attack is a simple DoS attack: it transmits CAN frames as fast as possible to soak up bus bandwidth, causing legitimate frames to be delayed.
The success of the attack depends on what mitigations are in place. On an open bus, transmitting a frame with a CAN ID of 0 will block all other traffic, because this is the highest-priority frame (it wins every arbitration). If there is a gateway that only allows certain IDs to pass through, then only the lower-priority frames can be delayed: the higher-priority frames will continue to be transmitted undisturbed (this is one reason why standard OBD-II diagnostic frames have IDs of 0x7DF and higher, giving them very low priority).
Spoofing Attacks
Simple Frame Spoofing
Frame spoofing is a type of authentication attack: getting a receiver to accept a fake frame as if it came from a legitimate sender.
- If directly connected (e.g. via the OBD-II port), this is done by simply queueing the CAN frame through the drivers in the firmware of the connected device.
- If connected via a hijacked ECU (e.g. infotainment), this can be done by using the drivers in the device or with new drivers installed as part of the hijacking.
Adaptive Spoofing
Adaptive spoofing addresses the issues of simple spoofing by having the attacking device listen to the bus and time its spoofed frame to avoid clashes with legitimate frames. In many designs, received frames are stored in a buffer for later use by a control loop. If the spoofed frame is sent right after the legitimate one, it can overwrite the buffer, causing the receiver to act on the spoofed frame instead of the legitimate one.
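The two timing signatures above (a flood of back-to-back minimum-ID frames, and a spoofed frame landing just after the legitimate periodic one) are both visible in inter-arrival times. The following is an added example, not code from the original post: a per-ID timing check over a candump-style log, where the log lines, CAN IDs, nominal period and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# candump-style line: "(timestamp) iface ID#DATA"
LINE_RE = re.compile(r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)")

# Constructed capture, not a real vehicle trace. 0x1A0 is assumed to be a
# 10 ms periodic frame; the FFFF payload lands 1 ms after a legitimate frame
# (adaptive-spoofing pattern) and ID 0x000 is sent back to back (bus flood).
SAMPLE_LOG = """\
(0.000000) can0 1A0#0000
(0.010000) can0 1A0#0001
(0.020000) can0 1A0#0002
(0.021000) can0 1A0#FFFF
(0.030000) can0 1A0#0003
(0.030100) can0 000#00
(0.030200) can0 000#00
(0.030300) can0 000#00
(0.040000) can0 1A0#0004
"""

def parse(log):
    """Return (timestamp, can_id, payload_hex) tuples from candump text."""
    frames = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), m["data"].upper()))
    return frames

def detect(frames, early_ratio=0.5, flood_rate=1000.0):
    """'early_frame': a frame arrived in under early_ratio of its ID's learned
    (median) period. 'flood': an ID's sustained rate exceeds flood_rate/s."""
    stamps = defaultdict(list)
    for ts, cid, _ in frames:
        stamps[cid].append(ts)
    alerts = []
    for cid, ts_list in stamps.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 2:
            continue  # too few frames to learn a period
        period = median(gaps)
        if 1.0 / period > flood_rate:
            alerts.append(("flood", cid, round(1.0 / period)))
        for ts, gap in zip(ts_list[1:], gaps):
            if gap < early_ratio * period:
                alerts.append(("early_frame", cid, ts))
    return alerts
```

On a real bus the per-ID period should be learned from a clean baseline capture rather than from the same trace being inspected, otherwise a sustained spoofing campaign shifts the median.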
Wire-cutting spoofing attack
An attacker with physical access to the CAN bus can partition the bus by cutting wires and then spoof frames in one partition while emulating frames from the other. This method is often used to alter odometer readings: the ECU sends correct values, but the dashboard display shows a reduced mileage due to the spoofed frames inserted into the cut wiring harness.
Double Receive Attack
This attack exploits a feature of the CAN protocol highlighted in the ISO CAN specification, which notes a timing discrepancy between when receivers and transmitters consider a frame complete. Receivers accept a frame at the second-to-last bit of the EOF field, while transmitters do so at the last bit. A bit error in this last bit can cause the transmitter to signal an error and resend the frame, but receivers will have already processed the initial frame, leading to duplicate frames being passed to the application software. This low-probability failure, influenced by Buridan’s Principle, occurs due to the bit error rate multiplied by the chance of the error occurring precisely at the last bit of an 8-byte frame.
Bus-off Attack
The Bus-off Attack involves forcing a targeted ECU offline while allowing all other ECUs to continue operating. This can be part of a broader attack, such as spoofing where the attacker emulates the frames from the targeted ECU, or a straightforward denial-of-service attack. Instead of manipulating the instrument cluster to show a Check Engine light, it is simpler to disconnect the engine management ECU from the CAN bus, causing the instrument cluster to detect a failure and display a warning.
This attack leverages the CAN protocol by driving the CAN TX pin to disrupt all frames from the targeted ECU, pushing the Transmit Error Counter above 255 and causing the ECU’s CAN controller to go bus-off. Some ECUs will attempt automatic recovery, necessitating repeated attacks. The vehicle’s network management and diagnostic systems may eventually halt the ECU recovery process and set a flag in the ECU’s non-volatile memory to keep it offline. This often results in reduced driving functionality, such as Limp Home mode. If the attack aims to cause disruption, achieving this state would be considered a success.
Freeze Doom Loop Attack
The Freeze Doom Loop Attack is a low-level exploit of a legacy CAN protocol feature that can freeze bus traffic for an arbitrary period. This can delay specific CAN frames, increasing their latency, or generally reduce bus bandwidth. The attack can trigger specific reactions to late-arriving frames, delay system responses, or serve as a simple denial-of-service attack. It is particularly difficult to detect because it does not increase error counters, and the only noticeable effect is delayed frame arrival. Without timing analysis to determine worst-case frame latencies, the attack can appear as a transient timing fault.
End Note
I was bored while doing this post, mainly because there is nothing to do on my side. I guess this is now the best way to kill my boredom.
Anyways, I loved writing this blog post. If you would like to contact me, feel free to do so here.
Thanks all.