Threats against in-vehicle networks
In-vehicle networking protocols enable ECUs, sensors, and in some cases actuators to communicate under strict real-time and low-cost constraints. However, since the primary design objective of these protocols is efficient and deterministic communication, it is not unusual for them to exhibit serious security weaknesses. In this section, we examine the weaknesses in in-vehicle networking protocols and highlight the attacks that can exploit them.
CAN
A simple Google search on CAN security yields hundreds of papers and articles arguing that CAN is not secure. While earlier versions of CAN, such as CAN 2.0 and CAN FD, did not consider security while the protocol was being defined, a more recent variant called CAN XL [REF29] now offers a security extension that protects the data link layer. Nevertheless, CAN XL is in its infancy, so we have to judge the security of the CAN protocol based on the first two variants. To cover the CAN threats, we will explore both the physical and the data link layers.
CAN physical layer
Abusing the characteristics of the CAN physical layer is an easy way of creating a disturbance on the CAN network. One such method is to abuse the CAN bus-off mechanism by injecting an invalid bit pattern into specific, targeted frames. First, let's briefly see how CAN bus-off works. Each CAN node keeps error counters that are incremented when it observes an error on the bus. If a node observes an error in a frame it is itself transmitting, it increments its transmit error counter by 8; a node that merely receives the erroneous frame increments its receive error counter by 1. Successful transmissions and receptions decrement the respective counter by 1. The intent of this strategy is to make a node with a physical failure reach the error count limit earlier than the other nodes and force it into bus-off mode; on the way there it passes through the error-passive state, in which its error flags become recessive so that it can no longer disturb the traffic of other nodes. In bus-off mode, the node is expected to stop sending messages for a period of time to allow the fault to be resolved before attempting to rejoin the network. If the fault was transient, the node will resume transmission successfully; otherwise, it will experience the same error behavior again and re-enter bus-off. OEMs implement different fault-handling strategies, such as short periodic retries followed by long periodic retries, to avoid continuously disturbing the bus if the node has experienced a permanent failure. Now, an attacker who can manipulate the CAN physical layer can induce faults that mimic those causing a bus-off condition; since every induced error in the victim's own frame costs it 8 counter points against a limit of 255, a few dozen corrupted frames are enough to take the victim off the bus. This type of attack requires special abilities, such as a non-conforming CAN controller or reconfiguring the CAN pins as general-purpose I/O (GPIO) to inject faults under software control. It is essentially a denial-of-service attack that causes an ECU to temporarily or permanently lose the ability to send and receive CAN messages. Another objective of this attack is to target specific messages to prevent an ECU from performing its function, such as corrupting a brake command message during an emergency braking event.
It should be clear that this type of attack requires a high degree of skill and specialized equipment, as well as physical access to the CAN bus.
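To make the arithmetic of the fault-confinement mechanism concrete, here is a small Python model of the transmit/receive error counters and the three node states. It is an added illustration, not code from this book or from any CAN stack; the counter rules (+8 on a transmit error, +1 on a receive error, -1 on success, error-passive above 127, bus-off above 255) are the standard ones, while the attack cadence, "one corrupted frame out of every `period` frames", is a hypothetical parameter of the model.

```python
"""Model of CAN fault confinement (ISO 11898-1 counter rules, simplified).

Added example: shows how many attacker-induced transmit errors push a
victim ECU into bus-off, and why the attacker must corrupt more than one
frame in nine for the counter to climb at all.
"""

ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF = "error-active", "error-passive", "bus-off"


class CanNode:
    def __init__(self, name):
        self.name = name
        self.tec = 0  # transmit error counter
        self.rec = 0  # receive error counter
        self.state = ERROR_ACTIVE

    def _update_state(self):
        if self.tec > 255:
            self.state = BUS_OFF          # node must stop transmitting
        elif self.tec > 127 or self.rec > 127:
            self.state = ERROR_PASSIVE    # error flags become recessive
        else:
            self.state = ERROR_ACTIVE

    def tx_error(self):
        """Error detected in a frame this node is transmitting: TEC += 8."""
        if self.state != BUS_OFF:
            self.tec += 8
            self._update_state()

    def rx_error(self):
        """Error detected while receiving another node's frame: REC += 1."""
        if self.state != BUS_OFF:
            self.rec += 1
            self._update_state()

    def tx_success(self):
        """Successful transmission: TEC -= 1 (never below 0)."""
        if self.state != BUS_OFF:
            self.tec = max(0, self.tec - 1)
            self._update_state()

    def recover(self):
        """Bus-off recovery (after 128 x 11 recessive bits): counters reset."""
        self.tec = self.rec = 0
        self.state = ERROR_ACTIVE


def frames_until_bus_off(period, max_frames=10_000):
    """Victim sends one frame per tick; the attacker corrupts every
    `period`-th one so the victim sees an error in its own frame.
    Returns the frame count at which the victim goes bus-off, or None."""
    victim = CanNode("victim")
    for frame_no in range(1, max_frames + 1):
        if frame_no % period == 0:
            victim.tx_error()
        else:
            victim.tx_success()
        if victim.state == BUS_OFF:
            return frame_no
    return None


def state_after_errors(n):
    """State of a fresh node after n consecutive transmit errors."""
    node = CanNode("victim")
    for _ in range(n):
        node.tx_error()
    return node.state


if __name__ == "__main__":
    print("every frame corrupted ->", frames_until_bus_off(1), "frames")  # 32
    print("every 2nd frame       ->", frames_until_bus_off(2), "frames")  # 74
    print("every 9th frame       ->", frames_until_bus_off(9))            # None
    print("after 16 errors       ->", state_after_errors(16))             # error-passive
```

Corrupting every frame takes the victim off the bus after 32 frames, and even one corrupted frame in two still gets there after 74; only when fewer than one frame in eight is corrupted does the -1 per successful transmission keep pace with the +8 per error. The error-passive transition after 16 errors matters to the attacker as well: from that point the victim's error flags are recessive, so its own error signalling no longer disturbs the attacker's frames.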
CAN data link layer
Since the CAN protocol sends all messages in plaintext and uses the CAN ID to identify the message rather than its sender, the CAN data link layer exposes several threats. First, spoofing is possible because any network participant can construct a CAN message with the ID normally sent by any other node, which makes it possible to impersonate other ECUs. Second, since all the data link layer fields, such as the data length code (DLC) and the payload, are sent in plaintext, an attacker can construct or replay a message with a payload of their choosing, causing the receiving node to react to a maliciously crafted message. Third, because the arbitration mechanism lets the frame with the lowest CAN ID win access to the bus, a malicious network participant can flood the bus with ID 0 messages to prevent other ECUs from gaining access to the bus, essentially blocking all normal communication.
When secure communication is enabled by appending message authentication codes (MACs) to the payload, an additional attack becomes possible: resource exhaustion, in which the attacker floods the bus with frames carrying a protected ID so that the receiving ECU is forced to perform a high rate of MAC verifications, depleting its runtime resources or the throughput of its hardware security module. To launch any one of these attacks, an attacker first needs to establish a foothold within the in-vehicle network, for example by compromising the telematics unit, an OBD Wi-Fi dongle, or any other ECU with external connectivity. In Chapter 8, we will see how to apply vehicle-level cybersecurity controls to address these risks.
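The following Python example is added here to show, in one place, the three data link layer points just made and the MAC-based countermeasure that motivates the resource-exhaustion attack. It is not code from this book or from any AUTOSAR SecOC implementation. The Linux SocketCAN `can_frame` layout and the arbitration rule are real; the brake-command ID 0x0A0, the shared key, the 4-byte payload, the 8-bit truncated freshness value and the 24-bit truncated HMAC-SHA256 tag are all constructed for the demo.

```python
"""What any CAN bus participant can do at the data link layer, and what a
SecOC-style authenticated PDU changes. Added example; all IDs and keys are
demo values.
"""
import hashlib
import hmac
import struct

BRAKE_ID = 0x0A0                                          # hypothetical ID
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # demo key only


def pack_can_frame(can_id, data):
    """Raw Linux SocketCAN 'struct can_frame': u32 id, u8 dlc, 3 pad, 8 data.
    Nothing in the frame proves who built it; any node may use any ID."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return struct.pack("<IB3x8s", can_id, len(data), data.ljust(8, b"\0"))


def unpack_can_frame(raw):
    can_id, dlc, data = struct.unpack("<IB3x8s", raw)
    return can_id, data[:dlc]


def arbitration_winner(ids):
    """Bitwise arbitration, MSB first: a dominant 0 beats a recessive 1,
    so the numerically lowest ID wins. ID 0 therefore always wins."""
    return min(ids)


def _mac(key, payload, freshness):
    """24-bit truncated HMAC over data ID, payload and the full counter."""
    msg = BRAKE_ID.to_bytes(2, "big") + payload + freshness.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:3]


def build_secured_pdu(payload, freshness, key=KEY):
    """payload(4) | freshness low byte | 24-bit MAC = 8 bytes, one frame."""
    assert len(payload) == 4
    return payload + bytes([freshness & 0xFF]) + _mac(key, payload, freshness)


class SecOcVerifier:
    """Receiver side. Every PDU on the protected ID costs one MAC computation
    whether or not it is genuine, which is the resource-exhaustion angle."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_freshness = 0
        self.mac_computations = 0
        self.failures = 0

    def verify(self, pdu):
        payload, low, tag = pdu[:4], pdu[4], pdu[5:8]
        # Reconstruct the full counter from its low byte; it must be newer
        # than the last accepted one, so a replayed byte rolls over and the
        # MAC no longer matches.
        candidate = (self.last_freshness & ~0xFF) | low
        if candidate <= self.last_freshness:
            candidate += 0x100
        self.mac_computations += 1
        if not hmac.compare_digest(_mac(self.key, payload, candidate), tag):
            self.failures += 1        # spoofed, tampered or replayed
            return None
        self.last_freshness = candidate
        return payload


def flood_detected(verifier, max_failures):
    """Crude guard a receiver can apply before its MAC engine saturates."""
    return verifier.failures > max_failures


if __name__ == "__main__":
    # Spoofing: a compromised infotainment node builds a "brake" frame.
    print(pack_can_frame(BRAKE_ID, b"\x00\x00\x00\x10").hex())
    # Priority flood: ID 0 wins every arbitration round.
    print(hex(arbitration_winner([BRAKE_ID, 0x000, 0x7FF])))
    v = SecOcVerifier()
    genuine = build_secured_pdu(b"\x00\x00\x00\x10", 1)
    print(v.verify(genuine), v.verify(genuine))   # payload, then None (replay)
```

Note the asymmetry the last class exposes: the attacker's cost per bogus frame is one bus transmission, while the receiver's cost is a full HMAC over every one of them, so a MAC alone turns a spoofing problem into a flooding problem unless the receiver also rate-limits failures or drops frames before verification.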
FlexRay
In Chapter 1, FlexRay was described as a deterministic, time-triggered protocol that offers a bandwidth of up to 10 Mbps per channel in the redundant configuration. Data frames are sent and received within predefined time slots, and all the ECUs connected by this protocol are synchronized to a global time. The FlexRay frame consists of a header segment, a payload segment, and a trailer segment. The slot ID, payload length, cycle counter, and so on are all included in the header segment, the frame data is encapsulated in the payload segment, and the frame cyclic redundancy check (CRC) follows in the trailer segment. Like CAN, FlexRay is subject to both physical and data link layer threats. At the physical layer, the attacker needs to manipulate the FlexRay transceiver's transmit pin to corrupt frame bits. As a result, the receiving nodes will be unable to decode frames, which may trigger re-synchronization attempts. If the physical bus manipulation persists, the re-synchronization will fail, effectively making the link unavailable. Due to the deterministic nature of the FlexRay network, an attacker could target specific time slots to create this disturbance and prevent a particular node from sending its messages. The data link layer, on the other hand, shares several threats with the CAN bus, such as frame ID spoofing, data tampering, frame replay, and denial of service.
These attacks are possible due to the lack of authentication and encryption of any of the frame segments. During the static slot transmission, a FlexRay node that has been compromised may masquerade as another FlexRay node by faking the header segment ID. Similarly, that node can construct a malicious payload, without the receiving node being able to detect that the frame is from an illegitimate source. To carry out such attacks, the malicious node has to define the target messages in its own communication schedule and choose transmission cycles that do not contain the legitimate message. Since the legitimate message will still come through, the attacker will need to create collisions with this message to completely trick the receiver into consuming the malicious message.
Due to the time slot allocation and synchronization features of FlexRay, a few attacks are unique to the FlexRay protocol. A denial-of-service attack can be carried out if the attacker creates collisions with synchronization frames. After a number of failed re-synchronization attempts, the affected nodes will lose synchronization, leading to their loss of the ability to communicate on the channel.
Similarly, an attacker can create bus collisions by modifying their transmission schedule to send messages during static slots belonging to other nodes. This produces a similar result to the previous attack. If the dynamic slot is enabled, the attacker can attempt to block other nodes from using that slot by continuously sending frames with high priority or by creating collisions.
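The three FlexRay-specific behaviors just described (cycle-multiplexed spoofing, static-slot collisions, and loss of synchronization) follow directly from the schedule, so a small Python model of a static segment is enough to show them. This is an added example, not code from the book or from any FlexRay stack. It is deliberately simplified: one channel, static segment only, a node counts as synchronized in a cycle if it received at least one valid sync frame, and it halts after `gMaxWithoutClockCorrectionFatal` consecutive cycles without one (that is the real parameter name; the value 3 and the three-slot schedule are demo choices).

```python
"""Toy FlexRay static segment: slot collisions, cycle-multiplexed spoofing
and loss of clock synchronization. Added example with a constructed schedule.
"""
from dataclasses import dataclass


@dataclass
class Slot:
    owner: str
    sync: bool = False     # owner sends a sync frame in this slot
    repetition: int = 1    # cycle multiplexing: owner transmits only when
    base_cycle: int = 0    #   cycle % repetition == base_cycle


def cycle_view(schedule, attacker_txs, cycle):
    """Outcome per slot for one communication cycle, as a receiver sees it.
    schedule: {slot_id: Slot}; attacker_txs: {slot_id: predicate(cycle)}
    describing which slots the attacker transmits in during which cycles."""
    view = {}
    for slot_id, slot in schedule.items():
        legit = cycle % slot.repetition == slot.base_cycle
        attack = slot_id in attacker_txs and attacker_txs[slot_id](cycle)
        if legit and attack:
            view[slot_id] = "collision"   # both drive the bus: CRC fails
        elif attack:
            view[slot_id] = "spoofed"     # only the attacker: looks legitimate
        elif legit:
            view[slot_id] = "ok"
        else:
            view[slot_id] = "idle"
    return view


def cycles_until_sync_loss(schedule, attacker_txs, fatal=3, max_cycles=64):
    """Number of cycles a receiving node survives before it halts, having
    seen no valid sync frame for `fatal` cycles in a row; None if it keeps
    synchronization throughout."""
    missed = 0
    for cycle in range(max_cycles):
        view = cycle_view(schedule, attacker_txs, cycle)
        got_sync = any(view[s] == "ok" for s, slot in schedule.items() if slot.sync)
        missed = 0 if got_sync else missed + 1
        if missed >= fatal:
            return cycle + 1
    return None


SCHEDULE = {                                       # constructed, not a real car's
    1: Slot("ECU_A", sync=True),                   # sync frame every cycle
    2: Slot("ECU_B", repetition=2, base_cycle=0),  # even cycles only
    3: Slot("ATTACKER"),                           # the attacker's own slot
}

if __name__ == "__main__":
    # Spoof ECU_B's message in the odd cycles ECU_B leaves empty: no collision,
    # so receivers consume the attacker's payload as if it came from ECU_B.
    spoof = {2: lambda c: c % 2 == 1}
    print(cycle_view(SCHEDULE, spoof, 1)[2])                       # spoofed
    # Transmit in ECU_B's own cycles instead: the frames collide.
    print(cycle_view(SCHEDULE, {2: lambda c: True}, 0)[2])         # collision
    # Collide with the sync frame every cycle: nodes drop off after 3 cycles.
    print(cycles_until_sync_loss(SCHEDULE, {1: lambda c: True}))   # 3
```

The model also shows the limit of the attack against redundant channels mentioned next: `cycles_until_sync_loss` evaluates a single channel, so an attacker who controls only one of the two would have to defeat sync on both for the node to halt.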
Due to the redundant nature of the FlexRay network, if the management of the channels is properly isolated, then these types of attacks should be harder to carry out as the attacker would need to breach the separation of control of both channels.
Ethernet
As with IT networks, Automotive Ethernet is susceptible to MAC address spoofing, payload manipulation, and denial of service. When confidential information is transmitted over Ethernet, the additional threat of information disclosure applies.
Ethernet networks are also vulnerable to the virtual local area network (VLAN) attacks listed here, which can violate network isolation and potentially compromise the security of the vehicle:
- VLAN hopping: This type of attack involves an attacker sending frames with crafted 802.1Q tags, or negotiating a trunk with a switch port that allows it, to reach a VLAN other than the one assigned to its port, bypassing the segmentation between vehicle domains
- VLAN tag injection: This type of attack involves an attacker inserting its own 802.1Q tag into a frame so that the switch places the frame on a different VLAN from the one its port belongs to
- VLAN double tagging attack: This type of attack involves stacking two VLAN tags on a frame; the first switch strips the outer tag because it matches the native VLAN of the trunk and forwards the frame untagged over the trunk, where the next switch honors the inner tag and delivers the frame into a VLAN the attacker should not have access to
To protect against these types of attacks, it is important to implement security measures such as VLAN access control lists (ACLs) and port security that limit which devices may send tagged frames on a port, to disable trunk negotiation on ports facing ECUs, and to avoid using the native VLAN of trunk ports for any ECU traffic (or to tag the native VLAN explicitly), which removes the condition that double tagging relies on.
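To see exactly what a double-tagged frame looks like and why the native VLAN setting decides whether the hop succeeds, here is a Python example added for this section; it is not code from the book or from any switch vendor. The Ethernet II and 802.1Q header layout is the real one. The MAC addresses, the attacker's access VLAN 1, the target VLAN 20, and the two-line model of a trunk port are constructed for the demo.

```python
"""Building a double-tagged 802.1Q frame and modelling the trunk-port
behaviour the attack depends on. Added example with constructed addresses.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
HDR_LEN = 12  # destination + source MAC


def build_frame(dst, src, vids, ethertype=ETH_P_IP, payload=b""):
    """Ethernet II frame with zero or more stacked 802.1Q tags (PCP/DEI 0)."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack; return (vids, ethertype, payload)."""
    vids, off = [], HDR_LEN
    while True:
        (et,) = struct.unpack_from("!H", frame, off)
        off += 2
        if et != ETH_P_8021Q:
            return vids, et, frame[off:]
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        vids.append(tci & 0x0FFF)


def trunk_forward(frame, native_vid):
    """Model of the first switch: a frame whose outer tag equals the trunk's
    native VLAN is sent over the trunk with that tag stripped, and the next
    switch classifies it by whatever tag is now outermost (or by the native
    VLAN if none remains). Returns (vlan_delivered_to, frame_on_trunk)."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vid:
        frame = frame[:HDR_LEN] + frame[HDR_LEN + 4:]   # drop outer tag
        vids = vids[1:]
    return (vids[0] if vids else native_vid), frame


def is_double_tagged(frame):
    """Ingress check an ECU-facing port can apply: reject stacked tags."""
    return len(parse_tags(frame)[0]) > 1


if __name__ == "__main__":
    attacker = bytes.fromhex("020000000001")   # locally administered demo MACs
    victim = bytes.fromhex("020000000002")
    evil = build_frame(victim, attacker, [1, 20], payload=b"hello VLAN 20")
    print(evil.hex())
    print(trunk_forward(evil, native_vid=1)[0])     # 20: hopped into VLAN 20
    print(trunk_forward(evil, native_vid=999)[0])   # 1: stays in the attacker's VLAN
    print(is_double_tagged(evil))                   # True
```

The second `trunk_forward` call is the mitigation from the preceding paragraph in action: once the trunk's native VLAN is one no ECU port uses, the attacker's outer tag is no longer stripped, the inner tag never becomes outermost, and the frame stays in VLAN 1 with the extra tag still attached, where the `is_double_tagged` check can drop it.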
Automotive Ethernet protocols offering quality of service (QoS) are susceptible to malicious nodes that can disrupt traffic shaping or priority handling by ignoring protocol rules.
Note
Automotive Ethernet QoS protocols allow for traffic prioritization, where vital communications, such as safety messages, take precedence over less important data, such as infotainment video streaming. Additionally, the protocols support bandwidth management and latency reduction and help in avoiding network congestion, which could lead to network data loss.
In the case of the Precision Time Protocol (PTP), an attacker can intentionally manipulate timestamps to interfere with time synchronization. When Ethernet is used to transfer time-sensitive sensor data, such attacks can have a severe impact on overall vehicle safety, as the sensor data may be fused from samples taken at different moments than their timestamps indicate, producing a picture that does not reflect the reality of the vehicle environment. Misuse of the PTP protocol can potentially lead to a violation of time synchronization, which can be achieved through one of the following attacks:
- Time-skew attack: This type of attack involves an attacker modifying the PTP messages to change the time displayed by the clock
- MitM attack: This type of attack involves an attacker intercepting PTP messages and modifying them in transit
- Replay attack: This type of attack involves an attacker intercepting PTP messages, recording them, and replaying them later
- Master clock spoofing attack: This type of attack involves an attacker spoofing the master clock, allowing them to control the time that all the devices on the network will synchronize to
To protect against these types of attacks, it is important to implement security measures such as PTP message authentication and cryptographic protection.
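How a delayed or altered Sync message turns into a wrong clock, and why a simple plausibility check catches the crude version of it, is easiest to see with the PTP offset arithmetic itself. The Python below is an added example, not code from the book or from any PTP implementation. The offset and mean-path-delay formulas are the standard end-to-end PTP ones; the true offset (5 us), the path delay (2 us), the timestamps and the injected delays are constructed demo values in nanoseconds.

```python
"""How a man in the middle who holds PTP messages skews the slave clock,
and a sanity check a receiver can apply. Added example with demo values.
"""


def ptp_offset_and_delay(t1, t2, t3, t4):
    """t1: Sync sent (master clock), t2: Sync received (slave clock),
    t3: Delay_Req sent (slave clock), t4: Delay_Req received (master clock).
    Returns (slave-minus-master offset, mean path delay)."""
    offset = ((t2 - t1) - (t4 - t3)) / 2
    mean_delay = ((t2 - t1) + (t4 - t3)) / 2
    return offset, mean_delay


def exchange(true_offset, path_delay, sync_delayed_by=0, req_delayed_by=0,
             master_t1=1_000_000):
    """One Sync / Delay_Req exchange over a symmetric path. A man in the
    middle can hold the Sync (master -> slave) or the Delay_Req
    (slave -> master) for extra time before forwarding it."""
    t1 = master_t1
    t2 = t1 + path_delay + sync_delayed_by + true_offset   # read on slave clock
    t3 = t2 + 100_000                                      # slave waits 100 us
    t4 = t3 - true_offset + path_delay + req_delayed_by    # read on master clock
    return ptp_offset_and_delay(t1, t2, t3, t4)


def accept_correction(offset, mean_delay, baseline_delay, delay_tolerance, max_step):
    """Refuse a correction when the measured path delay has moved far from
    the value learned in a trusted phase (asymmetric delay injection shows
    up there), or when the requested jump exceeds what the application can
    tolerate in one step."""
    if abs(mean_delay - baseline_delay) > delay_tolerance:
        return False
    return abs(offset) <= max_step


if __name__ == "__main__":
    clean = exchange(true_offset=5_000, path_delay=2_000)
    print("clean     :", clean)                                  # (5000.0, 2000.0)
    skewed = exchange(5_000, 2_000, sync_delayed_by=10_000)
    print("sync held :", skewed)                                 # (10000.0, 7000.0)
    print("accept?   :", accept_correction(*skewed, baseline_delay=2_000,
                                           delay_tolerance=500, max_step=1_000_000))
```

Holding the Sync message for 10 us moves the computed offset by half of that, 5 us, because PTP attributes any asymmetry equally to both directions; holding the Delay_Req instead moves it by the same amount the other way. Both also inflate the mean path delay, which is what the `accept_correction` guard keys on. The guard is only a heuristic, though: an attacker who can add exactly the same delay in both directions leaves the offset untouched but can still manipulate what the messages say, which is why the paragraph above calls for authenticating the PTP messages themselves.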
Ethernet Time-Sensitive Networking (TSN) is an extension of the traditional Ethernet that provides a set of features for enabling real-time communication and QoS in automotive and industrial control systems. Misuse of the Ethernet TSN protocol can potentially lead to a violation of QoS features, which can have safety implications for the vehicle:
- Denial of service (DoS) attack: This type of attack involves an attacker sending a large number of packets to a specific device or network in an attempt to overwhelm it and cause it to fail.
- Priority inversion attack: This type of attack involves an attacker manipulating the priority levels of packets to cause a lower-priority packet to prevent a higher-priority packet from being transmitted.
- Traffic shaping attack: This type of attack involves an attacker manipulating the traffic flow to cause certain packets to be delayed or dropped. This can disrupt the real-time communication and QoS features of the Ethernet TSN network.
To protect against these types of attacks, it is important to implement security measures such as network segmentation, ACLs, and packet filtering to limit access to the Ethernet TSN network to authorized devices only. A common security mechanism that is increasingly used in automotive applications is enabling MACsec, which offers frame authenticity, integrity, freshness, and confidentiality protection.
The Unified Diagnostic Services (UDS) protocol
The UDS protocol introduced in Chapter 1 enables a diagnostic client to access a variety of vehicle services that affect vehicle data and operation. A diagnostic client can either be an external tool, such as one used in the service shop, or an internal ECU that behaves like an onboard diagnostic tester to perform tasks such as aggregating fault data from various ECUs or initiating programming sessions. The UDS protocol relies on a transport protocol (ISO 15765-2, also called ISO-TP, when running over CAN) that enables the transmission and reception of segmented messages over different communication protocols such as CAN.
To learn about the threats enabled through the UDS protocol, we need to analyze the services that UDS supports. The most relevant attacks that can be carried out through UDS are as follows:
- Manipulation of vehicle code and data: This can be achieved by initiating a flash programming session (DiagnosticSessionControl, service 0x10) and using the RequestDownload (0x34) and TransferData (0x36) services, as well as erasing memory through a RoutineControl (0x31) routine.
- Vehicle code and data extraction: This can be achieved through the RequestUpload (0x35) service, which allows a client to read out code and firmware by providing the address and length of the memory blocks to upload to the tool.
- Vehicle mode manipulation: This attack can be achieved by issuing an ECUReset (0x11) request to trigger a soft or hard reset, which can be dangerous if allowed while the vehicle is in motion.
- Vehicle parameter tampering: This attack can be achieved through the WriteDataByIdentifier (0x2E) request, which allows a client to change the stored values of selected parameters. If such parameters contain sensitive data such as the odometer value, then this can have financial and legal implications.
- Vehicle operation tampering: This attack can be carried out if a diagnostic routine that is reserved for troubleshooting or testing an actuation capability is triggered while the vehicle is in operational mode. This can be achieved through a call to the RoutineControl (0x31) service with the specific routine identifier that triggers such a function.
- Vehicle configuration tampering: Many times, diagnostic routines are used in the factory to configure the vehicle in a specific way or to provision cryptographic secrets. Abuse of diagnostic routines during vehicle assembly or service at the shop can result in a potentially unsafe or insecure configuration.
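What stands between a diagnostic client and the services in the list above is, in a well-implemented ECU, the session and security-access state machine, and the negative responses it returns are what a tester sees while probing. The Python UDS server below is an added example written for this section, not code from the book or from any ECU; it implements only the handful of services discussed here. The service IDs, sub-functions and negative response codes are the ISO 14229 ones. The seed-to-key algorithm (XOR with a constant), the fixed seed, DID 0xF190, and the "vehicle moving" condition are constructed for the demo and would never be used in a real ECU.

```python
"""Minimal UDS server showing the session and security-access gates in
front of ECUReset, WriteDataByIdentifier and RequestDownload.
Added example; seed/key scheme and DIDs are demo values only.
"""
SID_SESSION, SID_RESET, SID_SECURITY = 0x10, 0x11, 0x27
SID_WRITE_DID, SID_REQ_DOWNLOAD = 0x2E, 0x34
DEFAULT, PROGRAMMING, EXTENDED = 0x01, 0x02, 0x03

NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12
NRC_CONDITIONS_NOT_CORRECT = 0x22
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_SECURITY_ACCESS_DENIED = 0x33
NRC_INVALID_KEY = 0x35
NRC_NOT_SUPPORTED_IN_SESSION = 0x7F

DEMO_KEY_MASK = bytes.fromhex("5A5A5A5A")   # toy seed->key transform, demo only
DEMO_SEED = bytes.fromhex("11223344")       # fixed seed, demo only


def negative(sid, nrc):
    """Negative response: 0x7F, requested SID, negative response code."""
    return bytes([0x7F, sid, nrc])


class UdsServer:
    def __init__(self):
        self.session = DEFAULT
        self.unlocked = False
        self.seed = None
        self.vehicle_speed_kph = 0       # stands in for the ECU's own condition checks
        self.dids = {0xF190: b"VIN-DEMO"}

    def request(self, req):
        handlers = {SID_SESSION: self._session, SID_RESET: self._reset,
                    SID_SECURITY: self._security, SID_WRITE_DID: self._write,
                    SID_REQ_DOWNLOAD: self._download}
        handler = handlers.get(req[0])
        if handler is None:
            return negative(req[0], NRC_SERVICE_NOT_SUPPORTED)
        return handler(req)

    def _session(self, req):
        if req[1] not in (DEFAULT, PROGRAMMING, EXTENDED):
            return negative(SID_SESSION, NRC_SUBFUNCTION_NOT_SUPPORTED)
        self.session, self.unlocked = req[1], False    # re-lock on every switch
        return bytes([SID_SESSION + 0x40, req[1]])

    def _security(self, req):
        if self.session == DEFAULT:
            return negative(SID_SECURITY, NRC_NOT_SUPPORTED_IN_SESSION)
        if req[1] == 0x01:                             # requestSeed
            self.seed = DEMO_SEED
            return bytes([SID_SECURITY + 0x40, 0x01]) + self.seed
        if req[1] == 0x02:                             # sendKey
            if self.seed is None:
                return negative(SID_SECURITY, NRC_REQUEST_SEQUENCE_ERROR)
            expected = bytes(a ^ b for a, b in zip(self.seed, DEMO_KEY_MASK))
            self.seed = None                           # one attempt per seed
            if req[2:] != expected:
                return negative(SID_SECURITY, NRC_INVALID_KEY)
            self.unlocked = True
            return bytes([SID_SECURITY + 0x40, 0x02])
        return negative(SID_SECURITY, NRC_SUBFUNCTION_NOT_SUPPORTED)

    def _write(self, req):
        if self.session == DEFAULT:
            return negative(SID_WRITE_DID, NRC_NOT_SUPPORTED_IN_SESSION)
        if not self.unlocked:
            return negative(SID_WRITE_DID, NRC_SECURITY_ACCESS_DENIED)
        self.dids[int.from_bytes(req[1:3], "big")] = req[3:]
        return bytes([SID_WRITE_DID + 0x40]) + req[1:3]

    def _download(self, req):
        if self.session != PROGRAMMING:
            return negative(SID_REQ_DOWNLOAD, NRC_NOT_SUPPORTED_IN_SESSION)
        if not self.unlocked:
            return negative(SID_REQ_DOWNLOAD, NRC_SECURITY_ACCESS_DENIED)
        # 0x20: two bytes of maxNumberOfBlockLength follow (0x0FFF)
        return bytes([SID_REQ_DOWNLOAD + 0x40, 0x20, 0x0F, 0xFF])

    def _reset(self, req):
        if self.vehicle_speed_kph > 0:                 # never reset while moving
            return negative(SID_RESET, NRC_CONDITIONS_NOT_CORRECT)
        self.session, self.unlocked = DEFAULT, False
        return bytes([SID_RESET + 0x40, req[1]])


if __name__ == "__main__":
    ecu = UdsServer()
    print(ecu.request(bytes([0x2E, 0xF1, 0x90, 0x41])).hex())   # 7f2e7f: wrong session
    ecu.request(bytes([0x10, 0x03]))                            # extended session
    print(ecu.request(bytes([0x2E, 0xF1, 0x90, 0x41])).hex())   # 7f2e33: locked
    seed = ecu.request(bytes([0x27, 0x01]))[2:]
    key = bytes(a ^ b for a, b in zip(seed, DEMO_KEY_MASK))
    ecu.request(bytes([0x27, 0x02]) + key)
    print(ecu.request(bytes([0x2E, 0xF1, 0x90, 0x41])).hex())   # 6ef190: written
```

Each of the attacks in the list corresponds to one of these gates being absent or weak: a WriteDataByIdentifier accepted in the default session, a RequestDownload allowed outside the programming session, a seed-to-key routine as trivial as the XOR used here, or an ECUReset that does not check the vehicle state. The fixed seed is also a deliberate weakness on display: with a constant seed, a single captured seed/key pair unlocks the ECU forever.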
Similar to the UDS protocol being a target for abuse, the transport protocol underneath it can also be attacked through carefully crafted messages that can violate the protocol requirements and result in terminated connections. You are encouraged to study the transport protocol and determine the ways in which it can be abused.
SAE J1939 protocols
In Chapter 1, SAE J1939 was described as being widely used in commercial vehicles such as trucks and buses. Built on top of CAN, the J1939 application layer inherits the weaknesses of CAN, making it vulnerable to message tampering, spoofing, DoS, and replay attacks. Similarly, the J1939 diagnostic layer inherits the authentication weaknesses of the UDS protocol.
Therefore, in this section, we will look at two unique attacks that are derived from the way in which the J1939 protocol is designed:
- Address claim attack: For vehicles that enable the network management protocol, this attack is possible due to the protocol's address claim procedure, which lets any network participant respond that a requested source address is already assigned to it. Contention is resolved by comparing the 64-bit NAME fields of the two claimants: the numerically lower NAME has the higher priority and keeps the address. Therefore, if a legitimate node claims source address X, an attacker can simply respond that it already owns address X using a NAME of higher priority (a lower value) than the legitimate node's. As a result, the legitimate node must claim another source address, Y, hoping that it is not already taken. But the attacker simply responds again, faking the NAME field with a higher-priority value. Repeating this procedure effectively blocks the legitimate node from claiming any address, and a node without a valid source address cannot transmit frames.
- Network congestion attack: The protocol requires that all nodes respond to a global Request for Address Claimed. A malicious node can send such requests frequently and with high priority to trigger a broadcast storm of Address Claimed responses. Depending on the number of nodes sharing the bus, the attacker can drive the bus load to 100% relatively quickly, significantly delaying safety-critical messages that must be received within a predetermined maximum latency before the vehicle starts shutting down the functions that depend on them.
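Both attacks follow from two rules of the address claim procedure, so they can be shown with a few lines of Python. The block below is an added example, not code from the book or from any J1939 stack. The rule that the numerically lower NAME wins an address contest is the standard's; the NAMEs, the address pool 128..247, the request rate, and the frame-size approximation (about 150 bits for a 29-bit-ID, 8-byte frame including stuffing) are constructed values for the demo.

```python
"""J1939 address claiming as a contest between NAMEs, plus a
back-of-the-envelope busload estimate for the Request-for-Address-Claimed
storm. Added example with constructed NAMEs and parameters.
"""
NULL_ADDRESS = 254      # "cannot claim address" source address


class AddressClaimBus:
    """Tracks which NAME holds which source address. `contenders` are
    callables (address -> NAME or None) modelling nodes that answer a claim
    with an Address Claimed message of their own."""

    def __init__(self):
        self.owners = {}
        self.contenders = []

    def claim(self, name, address):
        """True if `name` now owns `address`. Every rival claim is compared
        by NAME value; the claimant keeps the address only if it beats all."""
        rivals = [self.owners.get(address)] + [c(address) for c in self.contenders]
        rivals = [r for r in rivals if r is not None and r != name]
        if all(name < rival for rival in rivals):
            self.owners[address] = name
            return True
        return False


def claim_with_fallback(bus, name, candidates):
    """An arbitrary-address-capable node walks its candidate list until one
    claim succeeds; if none does, it ends up with the null address and
    cannot transmit."""
    for address in candidates:
        if bus.claim(name, address):
            return address
    return NULL_ADDRESS


def busload_from_requests(requests_per_s, n_nodes, bitrate=250_000, frame_bits=150):
    """Each global Request for Address Claimed is one frame and makes every
    node answer with one frame; returns the fraction of bus capacity used."""
    bits_per_s = requests_per_s * (1 + n_nodes) * frame_bits
    return min(1.0, bits_per_s / bitrate)


if __name__ == "__main__":
    pool = list(range(128, 248))
    legit_name = 0x8000_0000_0000_0100          # demo NAME, arbitrary-address bit set

    quiet = AddressClaimBus()
    print("no attacker :", claim_with_fallback(quiet, legit_name, pool))   # 128

    hostile = AddressClaimBus()
    hostile.contenders.append(lambda address: 0)   # always "mine", lowest NAME
    print("attacker    :", claim_with_fallback(hostile, legit_name, pool))  # 254

    print("busload at 50 req/s, 20 nodes:", busload_from_requests(50, 20))   # 0.63
```

The attacker never needs to hold any address itself; it only has to answer every claim with a NAME lower than the victim's, and NAME 0 beats everyone. The busload figure shows why the congestion attack is cheap: fifty requests a second from a single node already consumes most of a 250 kbit/s bus once twenty nodes are obliged to answer each one.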
Given the preceding attacks, perhaps it is not surprising that several OEMs may choose to completely remove the support for the network management protocol or disable significant portions of it.
SAE J2497 (PLC4TRUCKS)
SAE J2497 is a communication protocol used in commercial trucks to exchange data between the tractor and the trailer. The protocol leverages power line communication (PLC), which carries data over the power wiring already present between the two units, due to its relatively low cost and reliability over long distances. One popular use case is the transmission of the trailer's ABS status lamp to the tractor ABS control module, which then displays it on the instrument panel for the driver. This allows the driver to know the status of the trailer's ABS system, which is crucial when a failure has occurred in the trailer braking system.

Figure 3.12 – PLC bus layout between a tractor and one trailer
Researchers have identified several attacks against this protocol:
- RF interference: Because the PLC wiring acts as an unintended antenna, a device that transmits RF signals in the frequency band used by the PLC system can disrupt the communication between the tractor and the trailer, or even inject false data into the communication stream. The driver may then fail to receive important information about the trailer's braking system, or receive incorrect information. The same kind of interference can also occur unintentionally when radio waves from an external source, such as a nearby transmitter, are picked up by the PLC wiring and cause errors in the communication between the tractor and the trailer.
- Physical spoofing: Using a device that mimics the signals of the tractor or trailer, the attacker can generate or replay messages to masquerade as a legitimate party. A replay attack in this context involves intercepting and recording a legitimate transmission between the tractor and trailer and then replaying that message to one or both parties at a later time.
- Physical line manipulation: This attack can be referred to as a bit-banging attack and requires the addition of hardware to manipulate the signal on the data lines of the communication link. Due to the severe impact of a successful attack against commercial vehicles, physical attacks must be taken seriously, especially when we consider the types of hazardous loads the trailer may carry.
Attacks on J2497 can be mitigated by a host of physical countermeasures that reduce the likelihood of RF interference, as well as physical security countermeasures, such as inspecting tractor and trailer cables periodically to ensure no nefarious devices have been inserted to cause bus manipulation.