CANTO -- Covert AutheNtication with Timing channels over Optimized traffic flows for CAN

TL;DR

This paper introduces CANTO, a covert authentication method over CAN bus using optimized timing channels, achieving 4-5 bits per frame and enabling higher security levels through accumulated data, validated on automotive controllers.

Contribution

It presents a novel timing-based covert authentication channel on CAN bus that leverages optimization algorithms for scheduling, enhancing security beyond previous methods.

Findings

Achieved 4-5 bits of authentication data per CAN frame.

Demonstrated effectiveness on automotive-grade controllers and industry-standard tools.

Enabled higher security levels by accumulating data over multiple frames.

Abstract

Previous research works have endorsed the use of delays and clock skews for detecting intrusions or fingerprinting ECUs on the CAN bus. Similar techniques have been also proposed for establishing a time-covert cryptographic authentication channel, in this way cleverly removing the need for cryptographic material inside the limited payload of CAN frames. The main shortcoming of such works is the limited security level that can be achieved under normal CAN-bus traffic. In this work we endeavour to test the limits of the achievable security level by relying on optimization algorithms for scheduling CAN frames. Under practical bus allocations that are based on real-world scenarios, we are able to extract around 4--5 bits of authentication data from each frame which leads to an efficient intrusion detection and authentication mechanism. By accumulating covert channel data over several consecutive frames, we can achieve higher security levels that are in line with current security demands. To prove the correctness of our approach, we present experiments on state-of-the-art automotive-grade controllers (Infineon Aurix) and bus measurements with the use of industry standard tools, i.e., CANoe.