Literature reading: Evading voltage-based automotive CAN intrusion detection (2)

Paper name: Evading Voltage-Based Intrusion Detection on Automotive CAN

Table of contents

Introduction to DUET

Attack strategies and methods

Voltage corruption

DUET

Utilization of CAN communication features

Attacker model

Introduction to DUET

Attack strategies and methods

Voltage corruption

As mentioned earlier, an ECU's own voltage characteristics cannot be changed, but the voltage characteristics that a voltage-based IDS (VIDS) measures on the bus can be corrupted. This is the voltage corruption strategy: two compromised ECUs, acting as the attacker and its accomplice, alter the voltage samples that the VIDS measures. The attacker first stays passive, and the accomplice then helps it synchronize its transmissions with those of the victim ECU, so that the voltage samples are corrupted without leaving traces on the bus. The strategy targets the physical sampling process by which the VIDS collects data from the bus, which means that any learning model built on voltage data is exposed to the dataset poisoning that a voltage corruption attack causes.

DUET

Building on the voltage corruption strategy, the paper proposes DUET, a new masquerade attack that evades detection by all existing VIDS. As shown in the figure below, DUET carries out the strategy against the VIDS training set in a stealthy, two-stage manner. The two stages are voltage fingerprint manipulation (stage 1) and voltage fingerprint imitation (stage 2). The attacker uses voltage corruption first to corrupt the victim's voltage fingerprint in stage 1 and then the accomplice's voltage fingerprint in stage 2. With the DUET pair working together, the VIDS learns the victim's corrupted voltage fingerprint as the victim's true fingerprint in stage 1, and then classifies the accomplice's corrupted fingerprint as the victim's fingerprint in stage 2.

Utilization of CAN communication features

DUET mainly utilizes three characteristics of CAN communication:

  • Static ID
  • message periodicity
  • Predictable payload prefix (a predictable run of bits, representing a constant, a counter or a multi-value field, that follows the arbitration field of a CAN message)
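A defender can measure how strongly each arbitration ID on their own bus exhibits the last two properties (periodicity and a predictable payload prefix), which is also the basis of timing-based CAN IDS. The following is an added example, not code from the paper or the blog: it parses constructed candump-style log lines (timestamp, hex ID, hex payload) and reports, per ID, the mean period, its jitter and the number of leading payload bits that never change.

```python
"""Profile CAN traffic for message periodicity and predictable payload prefix.
Added example; the log lines below are constructed, not from the paper."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: ID 0x1A0 every 10 ms with a constant 7-byte prefix and a
# counter in the last byte; ID 0x2B5 every 20 ms with a fully varying payload.
SAMPLE_LOG = """\
0.000 1A0#0102030405060701
0.010 1A0#0102030405060702
0.020 1A0#0102030405060703
0.030 1A0#0102030405060704
0.000 2B5#DEADBEEF
0.020 2B5#C0FFEE01
0.040 2B5#0BADF00D
0.060 2B5#8BADF00D
"""

def parse(log):
    """Group (timestamp, payload as a bit string) by arbitration ID."""
    frames = defaultdict(list)
    for line in log.splitlines():
        ts, frame = line.split()
        can_id, payload = frame.split("#")
        bits = bin(int(payload, 16))[2:].zfill(len(payload) * 4)
        frames[int(can_id, 16)].append((float(ts), bits))
    return frames

def predictable_prefix_len(bit_strings):
    """Number of leading bits identical across all payloads of one ID."""
    n = 0
    for column in zip(*bit_strings):
        if len(set(column)) != 1:
            break
        n += 1
    return n

def profile(log):
    """Per ID: mean inter-arrival period, its jitter, and constant-prefix bits."""
    out = {}
    for can_id, entries in parse(log).items():
        entries.sort()  # by timestamp
        gaps = [b[0] - a[0] for a, b in zip(entries, entries[1:])]
        out[can_id] = {
            "period_s": round(mean(gaps), 6) if gaps else None,
            "jitter_s": round(pstdev(gaps), 6) if gaps else None,
            "prefix_bits": predictable_prefix_len([e[1] for e in entries]),
        }
    return out
```

On the sample, 0x1A0 shows a 10 ms period with 61 constant leading bits (only the counter's low bits vary), while 0x2B5 shows a 20 ms period with no constant prefix; IDs with low jitter and a long prefix are the ones whose traffic is easiest to predict and therefore worth watching most closely.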

Attacker model

Following the attacker model of prior work, the attacker is assumed to have reverse engineered a basic understanding of the payloads and periodicity of the CAN messages in the target vehicle, or in vehicles of the same make and model. It is further assumed that the attacker behind DUET has achieved arbitrary code execution on at least two ECUs in the car. The attacker and the accomplice can read and inject messages on the bus through the CAN controllers and transceivers of their ECUs, and they use message payloads to coordinate their actions during the attack.

Source: blog.csdn.net/danielxinhj/article/details/129953579