So why bother?
Numerous prior studies have shown that CAN bus networks have many weaknesses. In particular, studies conducted by students at The University of Adelaide showed that subtle and deceptive attacks are possible and also difficult to detect. As attacks become more sophisticated and better able to undermine CAN bus security (or lack thereof), detecting and preventing them has become more important for vehicles that are “stuck” with this technology.
“CANflex” is a tunnelling-type protocol that has been developed through this research. The protocol sits on top of existing CAN bus hardware and is inspired by elements of FlexRay that improve network security. CANflex can tunnel CAN messages onto a scheduled timing format to improve transmission speed, reduce the effectiveness of DoS attacks, and allow for packet control that did not previously exist in CAN.
CANflex takes transmission strategies from both CAN bus and FlexRay bus and enforces flow control of “allowed paths” to improve CAN bus throughput and resilience to attacks while still utilising the existing CAN bus wiring loops. The end result is that previously successful man-in-the-middle (MITM) or man-on-the-side (MOTS) attacks on CAN bus do not hold up once the CANflex tunnelling protocol has been applied.
In older vehicles that cannot be easily replaced, CAN bus vulnerabilities pose a real threat. When these vehicles are used for classified purposes, the risk of attack is far greater than for the average 4-door sedan. CANflex provides a solution for this use case at a cost that is far lower than vehicle replacement.
ALL THE TECH
The role of the software on the CANflex gateways is to convert CAN-bus packet transmission into CANflex packets, then transmit on a TDMA schedule.
This requires synchronization between devices with a little bit of “slip”.
What you can see here is that the packet size is smaller than the allotted time, so that there is never any overlap caused by potential delay across the system.
CAN packets will be transformed using the highest priority, so there is no need to buffer or retransmit: the receiving CAN node will resolve the conflict without any additional logic required.
CANflex Transmission Schedule for 4 nodes with a packet each to transmit
In real-world applications, vehicles may be modified or undergo maintenance. This causes a problem for any intrusion detection system that is unaware of this change and could cause the CANflex controller to deliberately block friendly CAN frames.
Development of a “learning mode” where the car is in a trusted environment allows the CANflex controller to learn “allowed transmission” through observing packet flow.
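The following C example is added here and is not code from the CANflex project. It shows one way a gateway could combine the two mechanisms described above: a learning mode that records allowed paths in a trusted environment, and a TDMA scheduler that places each frame wholly inside its node's slot with guard time for the “slip”. The slot, guard and frame times, the function names, and the modelling of an allowed path as a (node, CAN ID) pair are assumptions.

```c
/* Added example: constants, names and the (node, CAN ID) path model are assumptions. */
#include <stdbool.h>
#include <stdint.h>

#define NODES    4u      /* nodes in the schedule, as in the figure caption */
#define SLOT_US  400u    /* assumed slot length per node */
#define GUARD_US 50u     /* assumed worst-case sync "slip" kept free at each slot edge */
#define FRAME_US 270u    /* assumed on-wire time of one tunnelled frame */
#define CYCLE_US (NODES * SLOT_US)
#define CAN_IDS  0x800u  /* 11-bit standard identifiers */
#define TX_DROP  UINT32_MAX

#if FRAME_US + 2 * GUARD_US > SLOT_US
#error "frame plus guard time must fit inside one slot"
#endif

struct gateway {
    bool learning;                       /* true only in the trusted environment */
    uint8_t allowed[NODES][CAN_IDS / 8]; /* bitmap of learned (node, CAN ID) paths */
};

/* Earliest start time >= now_us at which the frame fits wholly inside node's slot. */
uint32_t next_tx_us(unsigned node, uint32_t now_us)
{
    uint32_t cycle = now_us - now_us % CYCLE_US;
    uint32_t open = cycle + node * SLOT_US + GUARD_US;
    uint32_t last = cycle + (node + 1) * SLOT_US - GUARD_US - FRAME_US;
    if (now_us <= open) return open;
    if (now_us <= last) return now_us;
    return open + CYCLE_US;              /* window missed: wait for the next cycle */
}

/* Returns the scheduled transmit time, or TX_DROP when the path was never learned. */
uint32_t gateway_submit(struct gateway *gw, unsigned node, uint16_t can_id, uint32_t now_us)
{
    if (node >= NODES || can_id >= CAN_IDS) return TX_DROP;
    uint8_t *cell = &gw->allowed[node][can_id / 8];
    uint8_t bit = (uint8_t)(1u << (can_id % 8));
    if (gw->learning) *cell |= bit;          /* record the observed path */
    else if (!(*cell & bit)) return TX_DROP; /* enforcing: block unlearned paths */
    return next_tx_us(node, now_us);
}
```

After maintenance or a modification, setting `learning` back to true in the trusted environment lets the new frames be recorded, so they are not dropped once enforcement resumes.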