Comprehensive Review of CAN Bus Security: Vulnerabilities, Cryptographic and IDS Approaches, and Countermeasures

Manuscript Received: 10 January 2024, Accepted: 28 May 2024, Published: 15 March 2025, ORCiD: 0009-0005-3915-6816, https://doi.org/10.33093/jetap.2025.7.1.4


Omer Fayyaz Khan
Muhammad Mubashir
Jawaid Iqbal

Abstract

Vehicle connectivity environments and advancements in vehicular technologies offer users both functional convenience and safety features, including remote diagnosis and assistance. To enable these capabilities, modern vehicles utilize various automotive serial protocols such as FlexRay, Local Interconnect Network (LIN), and the popular Controller Area Network (CAN). The CAN bus serves as a key protocol for in-vehicle networks (IVNs), facilitating the exchange of vehicle parameters among Electronic Control Units (ECUs). Despite its merits, the CAN bus has been found to have internal and external vulnerabilities. While numerous countermeasures are currently in place, the continuous advancements in vehicular interfaces have introduced new attack vectors, necessitating the development of additional safeguards. Existing research has primarily focused on CAN attacks initiated through direct interfaces, telematics and infotainment systems, and sensors. In this study, we aim to present an adversarial model for the CAN bus while also evaluating cryptographic and Intrusion Detection System (IDS) approaches considering real-time constraints and other relevant variables. Furthermore, we will classify available countermeasures into relevant categories and discuss their effectiveness. By conducting a comprehensive analysis of published works, we aim to provide an overview of CAN-related studies. This includes exploring potential mitigation techniques and identifying new research opportunities for IVNs. The synthesis of this information will offer valuable insights into the current state of CAN security, the challenges it faces, and the directions for future exploration. In summary, our study aims to address the vulnerabilities of the CAN bus, considering both existing and emerging attack vectors. By examining cryptographic and IDS approaches, we will assess their viability in real-time scenarios. Additionally, we will categorize and discuss the effectiveness of available countermeasures. Through this analysis, we strive to provide a holistic understanding of CAN-related research, paving the way for prospective mitigation techniques and identifying new horizons for IVNs.


