Wired reports that:
They built their anti-hacking device for $150 in parts: an mbed NXP microcontroller and a simple board. This plugs into a jack underneath a car or truck's dashboard known as the OBD2 port. Power it on for a minute during routine driving, and it captures the vehicle's typical data patterns. Then switch it into detection mode to monitor for anomalies like an unusual flood of signals or a command that should be sent when the car is parked but shows up when you're instead doing 80 on the highway.
If it spots mischief, the device puts the car into what Miller and Valasek call "limp mode," essentially shutting down its network and disabling higher-level functions like power steering and lane assist until the vehicle restarts. "You just plug it in, it learns, then it stops attacks," says Valasek, the director of vehicle security research at security consultancy IOActive.
Miller and Valasek's gadget may raise fears about false positives that could mistakenly disable your car's computers during rush hour. But in their tests, they say it hasn't misinterpreted any innocent signals in the car's networks as attacks. That's in part, they say, because a car's digital communications are far more predictable than those of a typical computer network. "It's just machines talking to machines," says Valasek. "In the automotive world, the traffic is so normalized that it's very obvious when something happens that's not supposed to happen."
The inventors claim it defeats all previous CANBus attacks. However, when you've got no authentication, no encryption and no source address in your "trusted" network, defense seems like a losing battle.
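The learn-then-detect idea from the quoted article, as an added sketch that is not Miller and Valasek's code (the article does not describe their algorithm). It assumes the baseline is a per-ID frame count per time window; the window length, slack factor, CAN IDs and traffic are all constructed for illustration.

```python
from collections import Counter, defaultdict

WINDOW_MS = 100  # counting window length (assumed value)
SLACK = 2        # tolerated multiple of the learned peak count (assumed)

def per_window_counts(frames):
    """Bucket (timestamp_ms, can_id) frames into per-window ID counters."""
    windows = defaultdict(Counter)
    for ts_ms, can_id in frames:
        windows[ts_ms // WINDOW_MS][can_id] += 1
    return windows

def learn(frames):
    """Learning mode: highest per-window count seen for each CAN ID."""
    peak = {}
    for counts in per_window_counts(frames).values():
        for can_id, n in counts.items():
            peak[can_id] = max(peak.get(can_id, 0), n)
    return peak

def detect(baseline, frames):
    """Detection mode: list of (window_start_ms, can_id, reason) alerts."""
    alerts = []
    for w, counts in sorted(per_window_counts(frames).items()):
        for can_id, n in sorted(counts.items()):
            if can_id not in baseline:
                alerts.append((w * WINDOW_MS, can_id, "unknown-id"))
            elif n > baseline[can_id] * SLACK:
                alerts.append((w * WINDOW_MS, can_id, "flood"))
    return alerts

def periodic(can_id, period_ms, start_ms, end_ms):
    """Constructed traffic: one frame every period_ms milliseconds."""
    return [(t, can_id) for t in range(start_ms, end_ms, period_ms)]

# Constructed sample traffic (not captured from a vehicle); IDs are made up.
TRAINING = periodic(0x0C9, 10, 0, 60_000) + periodic(0x1F5, 50, 0, 60_000)
NORMAL = periodic(0x0C9, 10, 0, 1_000) + periodic(0x1F5, 50, 0, 1_000)
# Normal traffic plus a 200 ms burst of a known ID and one never-seen ID.
ANOMALOUS = NORMAL + periodic(0x1F5, 1, 400, 600) + [(750, 0x7DF)]

if __name__ == "__main__":
    baseline = learn(TRAINING)  # one minute of "routine driving"
    print("normal:", detect(baseline, NORMAL))
    for start_ms, can_id, reason in detect(baseline, ANOMALOUS):
        print(f"t={start_ms}ms id=0x{can_id:03X} {reason}")
```

A rate baseline like this covers only the "unusual flood of signals" case; the parked-versus-moving check the article mentions would also need vehicle state such as speed as an input.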
(Score: 0) by Anonymous Coward on Thursday July 24 2014, @08:02AM
They claim no false positives, which is pretty important given the catastrophic problems that could arise.
But what about false negatives? It's not going to be of much good if actual attacks don't trigger it. They say it detects all known attacks, but how much is that just "teaching to the test" rather than robust design? Can an attacker just apply minor tweaks to a known attack and be able to circumvent it?
(Score: 1) by speling on Thursday July 24 2014, @09:11AM
Yes, in antivirus analogy it's like they're saying our antivirus detects all known viruses and we haven't yet seen our antivirus mistake an innocent file for a virus. I don't like this. Morphy laws man, Morphy laws
(Score: 2) by kaszz on Thursday July 24 2014, @11:30AM
Murphy's law perhaps?
(Score: 2) by present_arms on Thursday July 24 2014, @11:45AM
He's probably Irish and typed it how he would pronounce it :)
http://trinity.mypclinuxos.com/
(Score: 2) by forsythe on Thursday July 24 2014, @04:25PM
Perhaps Muphry's [wikipedia.org], although criteria for it striking don't appear to have been met in this thread yet.