From Transients to Flips: Hardware-level Bit Manipulation of In-Vehicle Serial Communication
Abstract
In a modern automobile, the in-vehicle communication network interconnects multiple subsystems, including those that perform safety-critical functions such as engine control, anti-lock braking, and airbag deployment, among many others. Therefore, the loss of data integrity in the network can have serious consequences for the safety of the vehicle. To that end, the CAN protocol, the most common in-vehicle communication standard, employs error-handling mechanisms such as bit-monitoring and cyclic-redundancy check to detect intentional or unintentional data manipulation. In this work, we exploit the transmission-line nature of the CAN physical layer (a twisted-pair cable) to induce voltage transients that result in bit manipulations. Specifically, we demonstrate bidirectional bit-flip attacks, recessive to dominant (R→D) and dominant to recessive (D→R), with the aid of multiple compromised nodes (electronic control units) in the network. In addition, both attacks, the simpler R→D and the more complex D→R, are designed to be undetectable by the aforementioned error-handling mechanisms. The attacks become effective at distances ≥ 4 m for D→R and ≥ 1 m for R→D between the transmitter and receiver nodes.
By demonstrating these bit flips, we challenge two fundamental physical-layer assumptions of CAN: the impossibility of turning a dominant bit recessive without an external current source, and the impossibility of two nodes observing nonidentical signals at the same time. The theory behind the attacks is presented, backed by circuit simulations, in-lab validations, and real-world demonstrations in a vehicle. These bit-level attacks, designed at the physical layer, circumvent software-based CAN defenses and lay the groundwork for a broader spectrum of potential attacks, including the manipulation of a data frame that we demonstrate.
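The two error-handling mechanisms the abstract names, the CRC field and transmitter bit-monitoring, are modelled below as an added example (not the paper's code) so a reader can see what each one does and does not observe. It assumes a standard CAN 2.0A data frame, the CRC-15 computed over the unstuffed bits from SOF through the data field as in the Bosch specification, and a constructed sample frame.

```python
# Model of two CAN error-detection mechanisms: the CRC-15 a receiver verifies and the
# bit-monitoring a transmitter performs. Added example, not the paper's code.
# Assumption: standard 11-bit-identifier data frame, CRC over unstuffed SOF..data bits.

CRC15_POLY = 0x4599  # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1

def crc15(bits):
    """CAN CRC-15 in its shift-register form: MSB first, zero initial value."""
    crc = 0
    for bit in bits:
        feedback = bit ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if feedback:
            crc ^= CRC15_POLY
    return crc

def int_to_bits(value, width):
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]

def build_frame_bits(can_id, data):
    """Bits from SOF through the data field of a standard data frame (no stuffing)."""
    if not 0 <= can_id < 2**11 or len(data) > 8:
        raise ValueError("invalid standard CAN frame")
    bits = [0]                          # SOF is dominant
    bits += int_to_bits(can_id, 11)     # identifier
    bits += [0, 0, 0]                   # RTR=0 (data frame), IDE=0 (standard), r0
    bits += int_to_bits(len(data), 4)   # DLC
    for byte in data:
        bits += int_to_bits(byte, 8)
    return bits

def crc_detects(frame_bits, crc, flip_positions):
    """True if a receiver that sees the listed bit positions flipped rejects the frame."""
    received = list(frame_bits)
    for pos in flip_positions:
        received[pos] ^= 1
    return crc15(received) != crc

def bit_monitor_errors(sent_bits, bus_bits):
    """Transmitter bit-monitoring: positions where the sampled bus level differs from what it sent."""
    return [i for i, (s, b) in enumerate(zip(sent_bits, bus_bits)) if s != b]

def main():
    frame = build_frame_bits(0x1A3, bytes.fromhex("deadbeef"))  # constructed sample frame
    crc = crc15(frame)
    caught = all(crc_detects(frame, crc, [p]) for p in range(len(frame)))
    print(f"CRC-15=0x{crc:04X}; every single-bit flip at the receiver detected: {caught}")
    bus = list(frame); bus[24] ^= 1     # one data bit differs from what the transmitter sent
    print("bit-monitor flagged positions:", bit_monitor_errors(frame, bus))

if __name__ == "__main__":
    main()
```

The CRC catches any single flip the receiver sees, and bit-monitoring catches any flip the transmitter sees on its own sample; neither fires when the two nodes each observe a self-consistent but different signal, which is the condition the abstract describes.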