Security enhancing CAN transceivers. Bernd Elend Principal Engineer March 8 th, 2017

Transcription

1 Bernd Elend Principal Engineer March 8 th, 2017

2 Introduction: SECURITY REQUIRES A LAYERED APPROACH NXP s Layer approach for vehicle cyber security: Multiple security techniques, at different levels ( defense-in-depth ) Mitigate the risk of one component of the defense being compromised or circumvented

3 How can a CAN transceiver contribute to the cyber security of a vehicle?

4 In a CAN network node A wants to send data to node B Node A Node B 4.

5 and also other nodes are present Node C Node D Node E Node A Node B Node F Node G Node H 5.

6 let us focus only on A, B and E for simplicity Node E Node A Node B 6.

7 and see what kind of other connections E might have USB Node E Node A Node B 7.

8 all of them do offer an attack surface Attack surface Node E USB Node A Node B 8.

9 finally the hacker succeeds to overcome the security measures Node E Node A Node B 9.

10 node E now pretends to be node A Spoofing attack! Node E Node A ID = 0x123 ID = 0x123 Node B 10.

11 Node B is now in a dilemma. Which message is the correct one? Both have the same CAN ID, but different data. B does not know who the sender of which message is. 11.

12 Drawback: Does not help in case node E is not under control of the OEM; e.g. after market device. 1 st Solution: Transmission whitelist The transceiver of Node E allows to send only CAN or CAN FD messages with an ID that is stored in a whitelist in the transceiver. Implications: The message occurs once the bus, and is invalidated in the end-of-frame field. After that node E is excluded by the transceiver from any further communication. Benefits: Only one error flag on the bus. This method can also be used to protect against flooding attacks that would lead to a denial of service, by limiting the transmitted bus load. 12.

13 Error flag 2 nd Solution: Spoofing protection The transceiver of Node A sends an active error flag, when it receives an identifier that it usually would sent. Drawbacks: Does not work, if A is not present (e.g. like an off-board tester) or node A is in Sleep mode or un-powered. Node E can be re-started by the hacker at any time. 32 error frames and peak busload do occur. Implications: The error flag send by node A causes 16 repetitions before node E enters error passive (with suspend transmission) and further 16 repetitions prior to entering bus off state. Benefits: Helps to protect in case of foreign node attachment; i.e. in case E is not under control of the OEM like aftermarket devices. This method also helps in case Node E starts tampering the message data, after A has sent the identifier and when node A is in error passive state. 13.

14 Error flag Features in receive path: Spoofing protection Tamper protection Features in transmit path: Transmission whitelisting Flooding prevention Intrusion detection Intrusion prevention Independent operation from a possibly compromised host! 14.

15 Error flag Features in receive path: Spoofing protection needs list of identifiers Tamper protection does not need configuration Features in transmit path: Transmission whitelisting needs list of identifiers Flooding prevention needs limit, e.g. 6% bus load List of IDs for spoofing protection and transmission whitelist can be the same! Configuration is done at Tier-1: program test lock No update attack in the field possible 15.

16 How to get to such a security enhancing transceiver? CAN Transceiver Ultra-low Emission, Ultra-low Power, 5 Mbps CAN cell FULL 5 MBps PORTFOLIO CAN decoder CAN FD controller CAN BUS MONITOR PARTIAL NETWORKING CAN FD BUS MONITOR FD SHIELD ENERGY SAVING, FAST ECU FLASHING RE-USE CAN ECUs IN CAN FD NETWORKS Set of policies stored in memory CAN/ CAN FD Spoofing & Tampering protection TX control & Flooding protection Basic access prevention NETWORK SECURITY ECU and Network Security 16.

17 What could be next? CAN Transceiver Ultra-low Emission, Ultra-low Power, 5 Mbps CAN cell FULL 5 MBps PORTFOLIO CAN decoder CAN FD controller CAN BUS MONITOR PARTIAL NETWORKING CAN FD BUS MONITOR FD SHIELD ENERGY SAVING, FAST ECU FLASHING RE-USE CAN ECUs IN CAN FD NETWORKS HW Crypto Accelerators Programmable Core Secure Storage Security In built CAN PHY ECU and Network Security CAN/ CAN FD NETWORK SECURITY 17.

18 18. Feature summary: 1. Spoofing protection transceiver may issue an active error flag on reception of a CAN ID that is included in its transmission whitelist 2. Transmission whitelisting the sending transceiver has a transmission whitelist of CAN IDs that are allowed to be sent 3. Tamper protection If the node starts a transmission and a compromised node tampers the message, while the sender is error passive, then the transceiver is preventing message take over by sending an active error flag 4. Flooding prevention The transceiver ensures that the contribution to the bus load is limited Advantages to realize these features in a transceiver: 1. Drop-in replacement transceiver for standard transceivers, no other HW change 2. Quick fix for vulnerable modules, no host SW update necessary 3. No cryptography included, no key management necessary 4. Independent from host µc, physically isolated 5. Complementary to other security measures

19