CopyCAN: An Error-Handling Protocol based Intrusion Detection System for Controller Area Network

In the last years, the automotive industry has incorporated more and more electronic components in vehicles, leading to complex on-board networks of Electronic Control Units (ECUs) that com- municate with each other to control all vehicle functions, making it safer and easier to drive. This communication often relies on Controller Area Network (CAN), a bus communication protocol that defines a standard for real-time reliable and efficient trans- mission. However, CAN does not provide any security measure against cyber attacks. In particular, it lacks message authentication, leading to the possibility of transmitting spoofed CAN messages for malicious purposes. Nowadays, Intrusion Detection Systems (IDSs) detect such attacks by identifying inconsistencies in the stream of information allegedly transmitted by a single ECU, hence assuming the existence of a second malicious node generating these messages. However, attackers can bypass this defense technique by discon- necting from the network the ECU of which they want to spoof the messages, therefore removing the authentic source of information. To contrast this attack, we present CopyCAN, an Intrusion De- tection System (IDS) that detects whether a node has been discon- nected by monitoring the traffic and deriving the error counters of ECUs on CAN. Through this process, it flags subsequent spoofed messages as attacks and reacts accordingly even if there is no incon- sistency in the stream of information. Our system, differently from many previous works, does not require any modification to the protocol or to already installed ECUs. Instead, it only requires the installation of a monitoring unit to the existing network, making it easily deployable in current systems and compliant with required CAN standards.