CAN Protocol Vulnerability
Recently, Trend Micro published a technical brief discussing a vulnerability they found in the CAN protocol, which enabled denial of service (DoS) attacks to be invisible to CAN-based intrusion detection solutions. In the technical brief, they recommended that car manufacturers change CAN protocol in their vehicle, in order to make cars immune to such DoS attacks.
Although we agree to Trend Micro’s assertion that CAN protocol has such inherent vulnerability, we disagree on the steps proposed to mitigate that threat. We believe that replacing or changing CAN protocol is too harsh for the industry, given the large investment made in CAN-based vehicles (today and in future models, currently on the design board).
A Feasible Solution
In order to launch CAN DoS attacks, hackers must compromise externally connected ECUs, which serve as the attack surface. If externally connected ECUs are hardened according to factory settings hacking attempts are prevented, before hackers succeed to infiltrate the car. Therefore, preventing them from being able to submit “legitimate” CAN commands to cause DoS attacks, and harm consumer safety.
Karamba’s Autonomous Security seals externally connected ECUs, allowing only operations that are part of factory settings to run. Any deviation from the legitimate function calling graph is recognized as a malicious attempt to compromise the ECU. These attempts are immediately blocked and reported. Autonomous security isn’t just for cars that are in design stages –– it can be retrofitted to cars currently on the road through a software update.
Trend Micro is right when they say that “a paradigm shift in terms of vehicle cybersecurity must happen.” Karamba Security has already made that shift. With our cybersecurity measures, removing or changing the CAN protocol is not necessary to make sure the car is secure.