Analysis of current attacks on the CAN bus and development of a new solution to detect these types of malicious threats

Mohammed, Karrouchi; Mohammed, Rhiat; Ismail, Nasri; Ilias, Atmane; Kamal, Hirech; Abdelhafid, Messaoudi; Mustapha, Melhaoui; Kamal, Kassmi · 2023 · DOAJ

DOI: 10.1051/e3sconf/202346900082

archive: archived pipeline: cataloged verified

Get this paper ↗ (DOI — opens at the source; we link to it, we don't host it)

Summary

This paper addresses the security vulnerabilities inherent in the Controller Area Network (CAN) bus, the primary communication protocol used by Electronic Control Units (ECUs) in modern vehicles. The authors highlight that while the CAN bus facilitates efficient data transfer, it lacks built-in security mechanisms such as confidentiality and authentication, making it susceptible to both physical and remote attacks. The research aims to demonstrate these vulnerabilities through practical hacking experiments and proposes a new intrusion detection algorithm to mitigate malicious threats. The study was conducted using two specific vehicles, a DACIA Lodgy and a Sandero 2014. The researchers performed a physical attack demonstration by connecting a custom hardware setup to the vehicles' On-Board Diagnostics (OBD2) connectors. This setup included a computer, a management and control system, and a CAN adaptation system capable of harvesting, analyzing, and injecting frames onto the CAN bus. The experimental process involved three phases: first, collecting all frames traveling on the bus to identify their identifiers; second, isolating specific frames and correlating byte changes with vehicle actions (such as steering or accelerating); and third, injecting unauthorized frames with manipulated data to control specific ECUs. The results confirmed that attackers could successfully compromise vehicle functions by identifying and manipulating specific CAN frames. The researchers identified that frame ID 0x5DE controlled dashboard indicator lights, specifically through its first byte, while frame ID 0x186 controlled the engine speed (RPM) display via its first two bytes. By injecting frames with these identifiers at a higher frequency than the legitimate ECUs, the attackers were able to mask legitimate signals and manipulate the dashboard displays. Based on this attack vector, the authors developed an intrusion detection system (IDS) that monitors the frequency of message injection. The IDS calculates the time interval between consecutive messages with the same ID; if a message arrives earlier than the established typical model, it is flagged as abnormal, indicating a potential high-frequency injection attack. The significance of this work lies in its practical demonstration of CAN bus vulnerabilities and the provision of a specific detection mechanism for frequency-based attacks. The proposed IDS offers a method to distinguish between legitimate ECU communications and malicious intrusions, thereby enhancing vehicle safety. The authors conclude that implementing such detection algorithms can considerably improve the security of in-vehicle networks against unauthorized control and data manipulation.

Provenance

The full processing record for this entry. Every stage of this paper's journey through the pipeline is logged — what ran, with which tool and model, how many attempts it took, and when it last completed.

StageOutcomeToolModelPromptAttemptsCompleted
discover success DOAJ 1 2026-06-24
archive success unpaywall 1 2026-06-26
extract success cached 2 2026-06-26
clean success clean 1 2026-06-25
chunk success chunk 1 2026-06-25
embed success embed Qwen/Qwen3-Embedding-8B 1 2026-06-25
promote success 1 2026-06-24
summarize success llm qwen3.6-27b-prismaquant summ-v5 1 2026-06-26
tag success vector_similarity 6 2026-06-25
verify success 1 2026-06-26

Summary generated by qwen3.6-27b-prismaquant on 2026-06-26; verification: verified.

Topics

Ranked by relevance to this paper. Hover a topic for its definition.