Boosting security in cars with CAN-FD
The controller area network (CAN) bus has been in successful use for over 20 years and can now be found in practically every vehicle, as well as in many industrial and commercial products. However, there are still issues with the security aspect – but CAN-FD is a good alternative.
Over the last few years, we have been hearing more in the media about hacker attacks on cars. One of the reasons they were possible was because the in-car buses used unsecured communication methods. For many years now, CAN has been the most widely used bus in cars and is used to interconnect a wide range of control devices. It manages communication between the central gateway and the engine electronics, the gearbox controller and the roof module as well as the diagnostics unit, among other components. And with the emergence of autonomous driving, we can expect to see an increase in the use of electronic control units (ECUs) in modern vehicles. Many of these will be connected to the CAN bus.
However, when hackers gain access to the CAN bus, they also have access to all the ECUs connected to it, enabling them to analyse and manipulate the data traffic. They can already do this using very simple and cheap means, as Illera and Vidal showed in 2014 with their CAN Hack Tool.
Now that the new CAN standards ISO 11898-1:2015 and ISO 11898-2:2016 have been approved, manufacturers have a way to secure data traffic in cars and make this type of attack much harder or even practically impossible. CAN-FD is the means to achieve this.
CAN-FD (for Flexible Data rate) enables manufacturers to increase the communication bandwidth and implement suitable cryptography methods to secure data and authenticate devices connected to the bus.
Security overhead too high for CAN
With the traditional CAN used until now, encrypted information had to be distributed across several frames. Considering that the overhead is about 50 per cent of a CAN frame, that the speed is limited to 1 Mbit/s and that the conventional safety margins still need to be added, it quickly becomes clear that this is not practical for a real system in a car.
As the number of bytes in a CAN-FD frame is increased from 8 to 64, the payload (of information to be transmitted) can be encrypted within one frame. In addition, the faster transmission speeds of 2 Mbit/s – and even up to 5 Mbit/s – are more than enough for the data volumes, which are higher due to encryption. As a result, there is still more bandwidth available even after taking these considerations into account.
The AUTOSAR module Secure Onboard Communication (SecOC) was designed to enable the secure authentication of bus devices and prevent spoofing, tampering and replay attacks. Hackers used to be able to manipulate the behaviour of a control device simply by gaining access to the CAN bus, which enabled them to do things like remotely control the car. Now, hackers would need to know the secret key of the ECU sending the information in order to authenticate their manipulated data set. The SecOC module generates a message authentication code (MAC) for every data set and adds it automatically. A freshness value is also added, with the result that replay attacks can be efficiently prevented. The data, authentication code and freshness value are transmitted via CAN-FD within a single frame. The challenge for the security of the system is to safeguard the keys it uses.
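The flow described in the last two paragraphs, shown as an added example that is not code from the article, AUTOSAR or NXP. It assumes constructed field sizes (a 4-byte freshness counter and a MAC truncated to 4 bytes; real SecOC profiles use different truncation lengths) and substitutes HMAC-SHA256 for the AES-128 CMAC a hardware unit such as the CSEc would compute, so that it runs with the Python standard library alone. The key, data ID and payload are constructed demo values. It also shows why the secured PDU fits one CAN-FD frame but would need five classic CAN frames.

```python
"""SecOC-style secured PDU on a CAN-FD frame (illustrative, not AUTOSAR code).

Assumptions (all constructed for this example):
  - HMAC-SHA256 stands in for AES-128 CMAC (which the CSEc would provide).
  - Freshness counter: 4 bytes; MAC truncated to 4 bytes.
  - ECU_KEY would live in secure key storage on a real ECU, never in source.
"""
import hashlib
import hmac
import struct

CLASSIC_CAN_MAX_PAYLOAD = 8
# Valid CAN-FD data lengths (DLC codes 9..15 map to 12..64 bytes).
CAN_FD_SIZES = (0, 1, 2, 3, 4, 5, 6, 7, 8, 12, 16, 20, 24, 32, 48, 64)
FRESHNESS_LEN = 4
TRUNC_MAC_LEN = 4

ECU_KEY = bytes(range(16))          # constructed demo key
DATA_ID = 0x0123                    # constructed SecOC data identifier
PAYLOAD = bytes(range(0x40, 0x60))  # constructed 32-byte sensor block


def compute_mac(key: bytes, data_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over DataId || payload || freshness, then truncated (SecOC pattern)."""
    msg = struct.pack(">H", data_id) + payload + struct.pack(">I", freshness)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TRUNC_MAC_LEN]


def build_secured_pdu(key: bytes, data_id: int, payload: bytes, freshness: int) -> bytes:
    """Sender side: payload || freshness || truncated MAC."""
    return payload + struct.pack(">I", freshness) + compute_mac(key, data_id, payload, freshness)


def classic_can_frames_needed(pdu_len: int) -> int:
    """Ceiling division: how many 8-byte classic CAN frames a PDU would occupy."""
    return -(-pdu_len // CLASSIC_CAN_MAX_PAYLOAD)


def can_fd_frame_size(pdu_len: int):
    """Smallest valid CAN-FD data length that holds the PDU, or None if > 64."""
    return next((s for s in CAN_FD_SIZES if s >= pdu_len), None)


class Receiver:
    """Receiver side: verifies MAC, then enforces strictly increasing freshness."""

    def __init__(self, key: bytes, data_id: int):
        self.key = key
        self.data_id = data_id
        self.last_freshness = -1  # nothing accepted yet

    def verify(self, secured_pdu: bytes):
        """Return the authentic payload, or None for tampered/replayed/malformed PDUs."""
        trailer = FRESHNESS_LEN + TRUNC_MAC_LEN
        if len(secured_pdu) < trailer:
            return None
        payload = secured_pdu[:-trailer]
        freshness = struct.unpack(">I", secured_pdu[-trailer:-TRUNC_MAC_LEN])[0]
        mac = secured_pdu[-TRUNC_MAC_LEN:]
        expected = compute_mac(self.key, self.data_id, payload, freshness)
        # Constant-time comparison: a forged MAC (wrong key or altered data) fails here.
        if not hmac.compare_digest(mac, expected):
            return None
        # Replay protection: a freshness value already seen (or older) is rejected.
        if freshness <= self.last_freshness:
            return None
        self.last_freshness = freshness
        return payload


if __name__ == "__main__":
    pdu = build_secured_pdu(ECU_KEY, DATA_ID, PAYLOAD, freshness=1)
    print(f"secured PDU: {len(pdu)} bytes, classic CAN frames: "
          f"{classic_can_frames_needed(len(pdu))}, CAN-FD frame: {can_fd_frame_size(len(pdu))}")
    rx = Receiver(ECU_KEY, DATA_ID)
    print("first delivery accepted:", rx.verify(pdu) == PAYLOAD)
    print("replay accepted:", rx.verify(pdu) is not None)
```

The receiver checks the MAC before the freshness value, so an attacker without the key cannot influence the counter state; the freshness check then discards any frame captured earlier and resent.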
Modern microcontrollers, like the S32K family from NXP, already include the CAN-FD interface and also provide a hardware crypto unit (Cryptographic Service Engine Compressed or CSEc) to enable the use of this type of security mechanism. The CSEc supports features like AES-128 encryption/decryption as well as CMAC generation and verification, secure key storage, and unique ID and true random number generators. That enables companies to implement secure communication, secure booting and the protection of ECUs against manipulation and replacement. This complies with the secure hardware extension (SHE) specification defined by Germany’s carmaker association Hersteller Initiative Software (HIS).
Along with a microcontroller that supports the new ISO 11898-1:2015 protocol, the physical implementation of CAN-FD also requires a transceiver compliant with ISO 11898-2:2016 to deal with the higher data rates. Companies that provide these components include Microchip, with its ATA6560 module, as well as NXP, Infineon and ON Semiconductor.
Highly integrated system basis chips (SBCs), which include, besides the CAN-FD transceiver, components like LIN transceivers, DC/DC converters and LDOs, are especially suitable for compact ECUs and gateways and are provided by NXP, Infineon and Elmos.
The number of components available has been growing steadily since the ISO standards were approved. Due to its close collaboration with manufacturers, Avnet Silica’s Automotive Group can provide customers interested in this area with an extensive and up-to-date overview of what is available across a wide range of providers.
To summarise, CAN-FD itself, and the fact that it enables the implementation of a range of security features on the CAN bus, helps companies take a big step forward towards increased security in cars. The time and effort required to implement CAN-FD is reasonable – as it is a natural evolution of the CAN bus in widespread use – while enabling the use of today’s cryptographic methods. These make it so much harder to manipulate the car that the amount of time and effort involved makes it uninteresting to a hacker.
Sooner or later, these capabilities are bound to be interesting to the manufacturing industry too due to growing requirements to safeguard machines against manipulation.