CAN Signal Extinction-based DoS Attack on In-Vehicle Network

As automobiles become more electrified, more and more Electronic Control Units (ECU) are installed in vehicles. ECUs communicate with each other through dedicated protocols such as a controller area network (CAN), but these protocols do not have their own security measures. Many cyberattacks have exploited this weakness, but an intrusion detection system (IDS) is emerging as an effective countermeasure. In this study, we introduce a new attack method that existing IDS cannot detect. CAN signal extinction-based DoS attack (CEDA) is a new attack method that uses a voltage drop to erase the CAN signal. When the target ECU transmits a signal, adding a resister that lowers the differential voltage to an undefined gray zone causes the other ECU to ignore the signal being sent from the target ECU. In cybersecurity, denial of service (DoS) is defined as restricting an authorized entity from accessing a resource or delaying a time-critical system. *is attack is a kind of a DoS attack since the adversary can make the target ECU bus-off through a CEDA. CEDA could be a serious problem as it has not been detected by any known IDS to date. In this study, we use laboratory and vehicle tests to detail the attack methods and introduce appropriate security measures.


Introduction
Modern vehicles are developing into huge information technology (IT) systems of software as the convergence of vehicles and information & communication technology (ICT), represented by connected cars and autonomous vehicles, becomes active [1,2]. However, more software means more potential for cyberattacks on the vehicle [3][4][5]. After the first recall of vehicles due to a cyberattack in 2015, manufacturers began to equip security functions in their vehicles [6,7]. And related organizations such as governments, associations, and societies have implemented standards, guidelines, and regulations related to automotive security.
One of the most notable security measures is the intrusion detection system (IDS) because it is effective against cyberattacks on vehicles, and many regulations recommend the installation of IDS [8][9][10]. Recently, artificial Intelligence and machine learning technologies have been actively introduced into the latest IDS research [11][12][13]. ey will soon be adopted for automotive IDS as well. An electronic control units (ECUs) communicate with each other through an invehicle network using a protocol such as a controller area network (CAN). An application of the ECU generates data and sends it to the CAN controller. en, the CAN controller hands the data to the CAN transceiver, and it transforms the data to an electrical signal and sends it to the CAN bus. Conversely, the CAN transceiver of the receiving ECU receives the signal to convert into logical bits, which the CAN controller further converts into a message that the application can recognize.
After that, an application reads the converted message. Figure 1 shows the architecture of the CAN compared with an open systems interconnection reference model (OSI) layer. Since most cyberattacks are performed in the application layer, an IDS is installed on the application layer. However, if the attack is conducted on the physical layer, IDS cannot detect it.
In this paper, we introduce CAN signal extinction-based DoS attack (CEDA) that erases messages by using a voltage drop by increasing the resistance. e differential voltage must be within the range defined by the standard so that the receiving ECU can recognize the signal as a 0 or 1, but it can be made outside this range by simply adding a resistor. We propose to call the area outside the range defined in the standard a "gray zone." e gray zone is not defined in the standard, so other ECUs will ignore the signal if the differential voltage is in this zone. erefore, if an adversary lowers the differential voltage to the gray zone by adding a resistor when the target message is transmitted, all ECUs in the in-vehicle network will ignore the signal. No existing IDS can detect the CEDA because: (1) It is a signal-based attack, not a message-based attack, and it is ignored by the CAN transceiver, so no message is passed to the application layer where the IDS is installed. (2) Attack device does not send messages and does not communicate with other ECUs.
In addition, since the attack device we proposed can be manufactured for less than 20 US dollars, this attack is quite realistic with the catastrophic consequences. We prove the proposed attack technique through the following three experiments.
(1) Feasibility check in the laboratory.
(2) Simulation test in the laboratory.
(3) Attack on a real vehicle. is paper is structured as follows. "Background" reviews the background of the in-vehicle network architecture, CAN protocol, and related studies. We explain the mechanism of CEDA and attack model in "Proposed attack technique." We then describe the test on the laboratory and the real vehicle, and respective countermeasures in "Practical attack experiment." "Conclusion" concludes the paper and proposes future work area.

Communication Protocols for In-Vehicle Networks.
As vehicles evolve into connected cars and autonomous vehicles, more and more components are required to communicate with each other. Information is collected through sensors or other components and processed by the respective electronic control unit (ECU). e processed data is then transmitted to other ECUs. e ECUs that require data control the vehicle through an actuator or display the information on the devices. e ECUs that do not require data ignore the data. is is the reason why the in-vehicle network (IVN) is essential to the vehicle. Modern cars carry about 150 ECUs [15]. ECUs are classified into domains according to their functions or physical configurations, and communicate with each other via protocols such as CAN, CAN flexible data rate (CAN FD), local interconnect network (LIN), media oriented systems transport (MOST), FlexRay, and Ethernet. Figure 2 shows the traditional IVN architecture.

Controller Area Network.
A CAN is a serial data communications bus developed by Robert Bosch GmbH for the vehicular embedded system in the early 1980s. CAN is a multi-master broadcast protocol based on sender IDs. It allows ECUs to communicate with data rates up to 1 Megabit per second. CAN is divided according to the communication speed into high-speed CAN and low-speed CAN. is paper provides all explanations based on the high-speed CAN. In the CAN bus system, each ECU uses a data frame to transfer information to other ECUs.
All ECUs are connected to each other through two dedicated wires. e wires are called CAN high (CANH) and CAN low (CANL). e CAN bus system must have bus Termination resistors 120 Ω at both endpoints of the physical network wires. e CAN Bus topology is shown in Figure 3(a).
ECUs generate a dominant bit (0) and a recessive bit (1) using a CAN transceiver to transmit the data frame. In the recessive state, both CANH and CANL are at the same level of 2.5 voltage potential (V), while CANH is at 3.5 V and CANL is at 1.5 V in the dominant state. e bit representation of the CAN transceiver is shown in Figure 3(b).  invented. In the early days of automotive cybersecurity research, system hackers from the traditional IT environment entered the automotive eld, and there were a lot of SW-based attacks like in the IT environment. As cybersecurity became one of the important factors in the automotive industry, researchers have begun to use the characteristics of vehicles to expose their weaknesses, especially in-vehicle network protocols.

Related Work
Miller and Valasek hacked a vehicle running on the highway with only a laptop and a smartphone [7]. ey used the vulnerability of the head unit, which communicates with the outside to obtain administrator rights. en, they replaced the rmware of the head unit with theirs and sent an attack message to the vehicle. As a result of this attack, the vehicle manufacturer recalled 1.4 million related vehicles, which was the rst recall case due to a cyberattack [6]. e importance of the automotive cybersecurity increased due to this attack, and vehicle manufacturers began to implement countermeasures against cyberattacks on their vehicles. Government and related organizations started to enforce regulations, guidelines, and standards.
Palanca et al. proposed a new attack technique using a weakness of the CAN protocol [16]. In order to cause an error, they modulated a recessive bit into a dominant bit when a sender transmits a data frame. CAN is a carrier sense multiple access/collision detection (CSMA/CD) protocol, which means every node on the network can send a message. If two nodes start transmitting at the same time, the nodes will detect the collision and perform a nondestructive bitwise arbitration. If the attacker injects the dominant bit when the legitimate ECU sends the recessive bit, the recessive bit can be changed to the dominant bit.
Lee et al. introduced the app repackaging attack [17]. e researchers attacked the vehicle with OBD-II dongle and an app for operating it. e attack was made with a device that can be easily purchased in the market and downloaded apps from Google Play that can operate the device, which shows that the attack is realistic. ey demonstrated unauthorized vehicle control such as opening a locked door and halting the engine. As countermeasures, they proposed obfuscation to prevent app tampering and message ltering to prevent receiving messages that control the vehicle from the outside.
To protect CAN-based network against cyberattacks, an intrusion detection system (IDS) was proposed [18]. An IDS is e ective in detecting malicious messages since most messages in a CAN protocol have a xed length and sending frequency. But as IDS has become more sophisticated, they are looking for ways to circumvent it. Attackers have begun to exploit software-based IDS by using the physical characteristics of the CAN protocol. Accordingly, IDS has also evolved to search for malicious messages using physical characteristics of the CAN protocol.

Security and Communication Networks
Cho and Shin proposed a mechanism for detecting an attack and identifying the specific ECU using clock skew that reflects the hardware characteristics of the clock source constituting the ECU [19]. Even if two ECUs transmit messages in the same period, they have different clock skew due to the characteristics of the hardware. e authors introduced a technique for detecting this clock skew as an attack if it fluctuates beyond a critical value while monitoring it. In addition, they proposed a voltage-based attacker identification (VIDEN), which is based on the characteristic of CAN signals transmitted by ECUs [20]. is characteristic is unique due to the difference in voltage supplied to each ECU, but it has limitations in mass-produced vehicles because an oscilloscope is required for the detection.
Sagong et al. introduced the hardware-based intrusion response system (IRS) [21]. ey demonstrated vulnerabilities of the voltage-based IDS with three types of attacks: (1) Overcurrent attack: supplying a current that exceeds the range the microcontroller can accommodate. (2) Denial-of-service attack: letting CAN bus be in the idle state in a way that zeroes all signal and causes an error frame. (3) Forced retransmission attack: forcing the ECU to send the message repeatedly.
An IRS is proposed to defend the attack which can circumvent the voltage-based IDS. In order for IDS to detect a malicious message or an attack device, it must receive a message or signal from the device. But, since the CAN signal extinction attack we proposed simply lowers the differential voltage of the signal transmitted from the target device, it is not detected by the existing IDS.

Proposed Attack Technique
3.1. Attack Mechanism. As described in section above, CAN has two logical states-a recessive state and a dominant state. In the recessive state, both CANH and CANL are at the same level of 2.5 voltage potential (V), while CANH is at 3.5 V and CANL is at 1.5 V in the dominant state [22]. e logical state of the bus can be determined by subtracting the voltage potential of CANH and CANL, which is called the differential voltage. However, since the differential voltage of each state can change according to various variables such as device characteristics, wire length and location, and vehicle driving conditions, it is not always possible to pinpoint 2.5 V and 0 V. erefore, the CAN standard tolerates a certain amount of margin of error.
If the differential voltage is less than 0.5 V, the bus will be considered as the recessive state, and the bus will be regarded as the dominant state when the differential voltage is greater than 0.9 V.
However, if the differential voltage is between 0.5 V and 0.9 V, it is neither a dominant state nor a recessive state. In this case, the bus state is not defined according to the CAN standard [22]. It means that ECUs do not take any actions if they receive an undefined state. We propose to call this area the gray zone. us, if attackers can place the differential voltage in the gray zone when the target ECU sends a message, other ECUs ignore the message from the target ECU, and the target ECU generates an error frame. When attackers conduct this attack to a specific ECU distinguished by ID, the ECU continuously generates an error frame. And when the number of an error frame reaches the threshold, the ECU becomes a "bus-off" state and the ECU in the busoff state cannot be operated normally. is is a DoS attack that can be conducted on the CAN-based in-vehicle network.
According to formula (1) and (2), the differential voltage is inversely proportional to the resistance, so increasing the resistance can decrease the differential voltage. erefore, if an appropriate resistance can be calculated according to the in-vehicle network characteristics of the target vehicle and the corresponding resistor can be installed in the vehicle so that the differential voltage is located in the gray zone, the specific message of the vehicle can be erased. In other words, while monitoring messages in the CAN-based in-vehicle network, if a message with target ID appears, the resistance is increased so that the differential voltage is located in the gray zone. is can cause other ECUs to ignore the message and lead to disable certain functions.

Attack Model.
e idea of the attack we propose comes from the structural architecture of the CAN-based in-vehicle network. is attack method is a kind of a DoS attack. e goal of a DoS attack is to make the target system unusable. We chose this method to remove the target system from the network instead of making the target system unavailable by sending a large amount of traffic to the system. When the ID of the target system appears while monitoring the CANbased in-vehicle network, attackers make the message invalid by adjusting the voltage. We propose the following attack model and make a few assumptions that are required for the attack to be successful.

Attacker's Ability.
Attackers can create the monitoring device and monitor messages in the CAN-based in-vehicle network. Based on this, attackers can find the CAN ID of the target function or device and add the resistance to prevent other ECUs from receiving messages from the target ECU. Attack that needs additional devices requires the attacker to equip the attack device to the target vehicle.
us, it is assumed that the attackers can equip their device to the vehicle.

Target Vehicle.
It is assumed that the in-vehicle network of the target vehicle includes a CAN. It is also assumed that the target vehicle is equipped with an ECU with the function that the attacker wants to exploit.

Attack Model.
e attack method we propose can consider two attack models. e first attack model is the supply chain attack. e supply chain is very complex and layered. Most vehicle manufacturers cannot produce the cars by themselves and are provided parts, systems, and services from various suppliers. Suppliers also purchase parts and systems from other partners. Securing the entire supply chain is di cult because attackers can exploit any part of the complex supply chain. Attackers may add features or devices to enable our proposed attack method in certain parts of the supply chain, or even some vendors can be the attackers in this model. e second attack model is terrorism. Attack devices can be attached to a speci c vehicle to compromise the safety of speci c targets.

Practical Attack Experiment
In this chapter, we describe the attack experiment in laboratory environments and in a real vehicle. e following three experiments were conducted to prove our proposal.
(1) Feasibility test in a laboratory environment (2) Attack simulation in laboratory environment (3) Attack on a real vehicle Finally, we describe the countermeasures against the attack we proposed.

Feasibility Test.
In this section, we prove our idea through a simple device and facilities in a laboratory environment. We only need two nodes of CAN network for this attack. One node is a victim node that sends messages to another node. Since messages coming from the victim node will be erased by adjusting the resister, the contents of the messages are not important. Figure 4(a) shows the concept of a wire harness schematic, and Figure 4(b) shows the actual wire harness according to the schema in Figure 4(a). e nodes are created virtually on the laptop using CANoe that is an ECU simulation and test tool made by Vector Informatik GmbH, and they transmit the data through each node connector.
erefore, each node connector may be regarded as an individual node in order to simplify the system.
We assume that the "Node 1" is the victim system. Communicated messages can be monitored via a "Monitoring laptop" that is connected with a wire harness using a "CAN interface." Also, an "Oscilloscope" is used to check the voltage potential and the di erence between them. We sent messages from "Node 1" to "Node 2" and monitored the transmitted messages to see whether "Node 2" could receive the messages. Figures 4(c) and 4(d) show the testbed environment. Without the proposed attack, the di erence of the voltage potential is 2 V in the dominant state as shown in Figure 4(e). To simulate the attack, we gradually increased the resistance by controlling the adjustable register. e communication failed when 12.1 Ω was applied to the testing environment and the value of voltage potential was 0.66 V (Figure 4(f)), which means that the value was greater than 0.5 V and less than 0.9 V. rough this experiment, we proved that the CEDA is possible to attack an invehicle network. If attackers remove the signal regarding the brake system, the vehicle cannot slowdown, which could seriously endanger the safety of passengers and pedestrians.

Attack Simulation in a Laboratory Environment.
In this section, we introduce a vehicle simulation test in a laboratory environment. e laboratory testing was performed at the automotive security living lab that was established by the Korea Internet & Security Agency (KISA) [23]. We conrmed in previous experiments that our idea is feasible. Our next step was to check whether the CEDA is possible in a vehicle simulator. In order to conduct the test, we need to consider the following procedures.
(1) Find the CAN ID of a target function (2) Find out the voltage drop due to turn-on resistance of eld e ect transistor (FET) switches (3)   additional resistance to place the differential voltage between CANH and CANL in the gray zone so that the CAN signals dissipate (3) Add the resistance calculated above to the CAN BUS To accomplish the 4th step, we developed new device that can add a resistor programmable.

4.2.1.
Reversing to Find CAN IDs. As described in "Attack Mechanism," we perform an attack that removes data when a specific message appears on the in-vehicle network. We selected a function that controls the motor-driven power steering (MDPS). In order to attack, we need to identify the CAN ID of the related message. In general, CAN specification includes CAN IDs and the data frame structures is one of the intellectual properties of respective vehicle manufacturers. us, we should reverse engineer the data frame structure to find the CAN ID of the message. e process is as follows: (1) To monitor messages on the in-vehicle network, connect the monitoring tool to the vehicle. CANoe TM of Vector was used in this study. (2) After turning on the ignition, leave the vehicle alone for a while so that the vehicle is in a stable state. (3) A stable state means the ECUs in the vehicle send the same value or send a repeating predictable value periodically. (4) Look for the message whose value changes significantly by manipulating the handle. e CAN ID of the MDPS control message analyzed by the above process is shown in the following Table 1. Since the target messages are removed, we do not analyze the contents of the message.

Calculating the Voltage Drop due to Turn-On Resistance of FET Switches.
To calculate the proper resistance to place the differential voltage in the gray zone, we must calculate the voltage drop due to turn-on resistance of FET switches. In order to make this calculation, we also need to know the structure of the CAN transceiver. Figure 5(a) shows the structure of the transceiver. According to Ohm's law, we can calculate the differential voltage between CANH and CANL using the following formula: formula, where, R r � resultant resistance. R 1 , R 2 � voltage drop due to turn-on resistance in FET switches, (B) in Figure 5(a). V diff � a differential voltage between CANH and CANL. V in � input voltage, (A) in Figure 5(a).
In the case of in-vehicle network, a terminating resistance is 120 Ω in general [22]. us, a resultant resistance can be calculated by the formula.
where, R a , R b � resistances which are in parallel connection in a circuit, in this experiments 120 Ω.
A terminating resistance R r is 60 Ω in the normal state (not the attacked state), and can be changed if an attacker puts additional resistance. We calculate the input voltage (V in ) to be 3.3 V through the data sheet of VP230 transceiver which is used in this study [24]. e differential voltage between CANH and CANL (V diff ) can be checked using an oscilloscope at the automotive security living lab; and we calculated the value to be 2.44 V as shown in Figure 5(b). Now, we can calculate R 1 + R 2 and the value is 21.15 Ω. As you can see in Figure 5(a), R 1 , R 2 are only affected by the input voltage. Since the input voltage is a constant value fixed at 3.3 V in this study, it is meaningless to figure out each value.

Calculating Additional Resistance to Attack the Vehicle.
Again, our goal is to place the differential voltage (V diff ) between 0.5 V and 0.9 V so that other ECUs cannot recognize the message from the target ECU. To do this, we must calculate the additional resistance using Formula (1).
Since V diff , V in , and R 1 + R 2 are known values, we can calculate R r . And the resistance we want to know can be calculated from R r using Formula (2). e calculated additional resistance that places the differential voltage in the gray zone was 3.55 Ω ≤ R b ≤ 7.00 Ω. us, we chose 6 Ω as the additional resistance. To attack the CAN-based network, we developed a device as shown in Figure 5. Figure 5(d) shows the overall appearance of the KISA's automotive security living lab, and Figure 5(e) shows how to connect the vehicle simulator and the device. Figure 5(c) is the schematic of the device structure. e device consists of an additional resistance to attack the target and a field programmable gate array (FPGA), which gives the additional resistance to the network if the received ID is the target ID. Details of each part are shown in Table 2.
When the FPGA receives signals through the CAN transceiver, it checks whether the received ID is the target ID or not. If the received ID is the target ID, the FPGA approves the attack resistance to the network by turning on the switch. Figure 6(a) shows the screen capture of the oscilloscope after an attack, and Figure 6(b) is the chart used to find the exact value. To check the exact value, we downloaded the data from the oscilloscope and drew a chart with time and voltage. As you can see Figure 6(b), if 22 Ω resistance is added to the network, the differential voltage is 0.72 V, which is in the range of the gray area. is means that the MDPS function is invalidated, and we confirmed that a lane keeping assist system (LKAS) does not work even though it is activated through the simulator.

Attack on Real Vehicle.
In the "Attack simulation in a laboratory environment" section, we showed that the proposed attack is feasible in a simulator that simulates a real vehicle. In this section, we show that the attack we proposed is possible in a real-life setting and therefore dangerous. We applied the device developed in the laboratory environment to a real vehicle. Hyundai Avante (Code name CN7) was used for this experiment. According to the manufacturer, the vehicle has a LKAS named Lane Maintenance Assist function that helps keep the vehicle within the chosen driving lane [25]. e vehicle was supported by KISA living lab [23]. is attack we proposed does not use the weakness of the specific vehicle. It will affect all  vehicles that use the CAN-based in-vehicle network. We installed our device in the vehicle (Figure 7(a)). en, we compared driving in normal and attack situations and recorded the video [26]. e video data used to support the findings of this study have been deposited in the GitHub repository (https:// github.com/team-aegis/ceda). As you can see in the video, the first part is driving under normal conditions with the driver's hands off the steering wheel, and the vehicle is driving well between the lanes with the LKAS (Figure 7(b)). In the second part, after the attack starts (by connecting the battery and supplying power), the LKAS related message is not recognized in the in-vehicle network. e vehicle ignores the lane and collides with another vehicle driving in the next lane (Figure 7(c)).

Countermeasures.
As discussed in section 3. B, CEDA can be realized through a supply chain attack or terrorism. In the case of a supply chain attack, MITRE tries to address it by generating a catalog of attack patterns that provides a structure for maturing aspects of supply chain risk  management [27]. Potential countermeasures against supply chain attacks are a good illustration of the catalog. e attack with ID CM-2 is named Prevent or Detect Critical Component Tempering, and the mitigation approach is to prevent or detect tampering with critical hardware or firmware components while in transit, across all lifecycle phases, through use of state-of-the-art anti-tamper devices [27]. In addition, the attack with ID CM-11 is named Multiple Suppliers, and the mitigation approach is Use multiple suppliers for key critical components [27]. As you can see examples in the catalog, almost all countermeasures are managerial measures rather than technical ones.
e United Nations (UN) recently enacted a regulation related to vehicle security, UN Regulation No.155, and ISO/SAE 21434 supported the regulation [28,29].
is regulation consists of two certification programs-Cyber security management system (CSMS) and Vehicle type approval (VTA). e CSMS is a regulation for the security governance and all countries under the 1958 agreement of the UN must enact and follow the relevant laws. You can see why the regulation focuses on supply chain management through security governance, which is consistent with the countermeasures against supply chain attacks proposed by MITRE, are consistent.
In the case of terrorism, the attack is much more difficult to detect. Since the attack device we developed just inspects the received message and increases the resistance in the network, it cannot be detected by a function such as component identification [30]. e IDS also cannot detect it because the device does not send the message to the other ECUs. erefore, a practical countermeasure is to continuously monitor the voltage in the network and notify the IDS when a voltage is in the gray zone. In this case, a false positive must be considered and additional investigation is needed.

Conclusion
In this study, we have shown that it is easy to attack a CANbased in-vehicle by controlling the resistance and eliminating specific and/or whole messages on the network. As described in Table 2, the attack device can be manufactured at a low cost of less than 20 US dollars. Also since this attack uses the weak point of the CAN-based network protocol, it is hard to detect. It means the attack we proposed can have a huge ripple effect in the real world. erefore, to protect vehicles from this kind of attack, we need to consider designs based on "security by design" and "defense in depth" and carefully select the security features through security risk assessment [31]. In addition, we need to consider the supply chain management that is required by UN regulation No. 155 and ISO/SAE 21434 to mitigate the risk that comes from supply chain attacks. Furthermore, we believe the monitoring resistance of the network is an appropriate countermeasure against the CAN signal extinction-based DoS attack.
In the future, we will study this attack as an intrusion protection system (IPS). If the IDS can perfectly detect the attack message, the attack message can be completely removed using the CAN signal extinction mechanism we proposed. In the case of a firewall, only the ECUs are located.

Data Availability
e video data used to support the findings of this study have been deposited in the GitHub repository (https://github. com/team-aegis/ceda).

Conflicts of Interest
e authors declare that they have no conflicts of interest.