Intrusion Detection Systems (IDS): Finally for the Vehicles

Vehicles have notoriously been vulnerable to attack from various sources. These have varied from the equipment, endpoints, and communication being insecure to open ports. Regardless of the source, these have historically and continue to provide ample attack surfaces for those with malicious intent.

Engineers in the automotive industry have attacked this issue from the defensive end. The information security engineers have reviewed the data flow, endpoints, and other equipment to write and apply the specifications to the vehicles and vendors. Where needed, these specifications are updated as technology advances. The issue with this position has been systemic with certain auto manufacturers. Info sec has been treated as an afterthought, brought in late during the project. This has also been labeled as trampling on a project’s success. This has allowed lax security in the vehicle and as it communicates with third party vendors. When there is not a sufficient amount of time to adequately specify the security requirements, have all parties approve them, and implement this into the design, there are vulnerabilities in the design and implementation. This has been seen over and over with the vehicle attacks on the brakes, the connected vehicle app being insecure, the fob not being secure as it communicates with the vehicle, and many other vulnerabilities that had been researched over the last four years. These methods have not been robust to the level needed for the vehicle attacks (Cho & Shin, 2016).

The prior methods for info security focused on the equipment in the car and methods of communication being secure via encryption, TLS 1.2, SAML, and other methods. Researchers at the University of Michigan (Cho & Shin, 2016) have shifted the focus from this. The researchers proposed an intrusion detection system (IDS) focused on seeking anomalies. These, in theory, could be anywhere in the vehicle’s communication channels. The researcher’s with this application have focused on the clock or chip-based IDS (CIDS). In short, this is designed to stop the interference with the CAN Bus (Gray, 2016). This works by sniffing the CAN Bus profile. The individual devices communicate with the Bus. As these pieces of equipment do this, they provide a fingerprint of their clock derived from the oscillators, crystals, etc. This is constructed using the Recursive Least Squares (RLS) algorithm (Cho & Shin, 2016) and takes only seconds to accomplish this (Greenberg, 2016). Over time, the tool monitors these to acquire their specific fingerprint.

With these documented, the tool looks for anything unusual or an anomaly with the equipment seeking to communicate with the CAN Bus in the form of an incongruity between the approved and authenticated equipment/source in the database and the fingerprint of the equipment attempting to communicate with and to the vehicle. An issue that would be red-flagged would be in the form of an attack from a third party spoofing messages, commands, or directions. These may be directed at the brakes or transmission of the vehicle (Greenberg, 2016). Any message without the acceptable signature would be flagged as not coming from the chip and equipment. This checking is accomplished with the Cumulative Sum (CUSUM) method (Cho & Shin, 2016). Their research indicates this new method of securing the vehicle shows a false positive rate of 0.0055%. This was accomplished with an experiment with the Honda Accord, Toyota Camry, and Dodge Ram, simulating attacks that would normally be from a third party.

In Part 2, I will take a closer look at the ‘tool’.


Cho, K.-T., & Shin, K.G. (2016). Fingerprinting electronic control units for vehicle intrusion detection. Retrieved from

Gray, P. (Producer). (2016, July 21). #419—Brian Krebs on future of bank cybercrime. [Audio Podcast]. Retrieved from

Greenberg, A. (2016, July 14). Clever tool shields your car from hacks by watching its internal clocks. Retrieved form

About Charles Parker, II

Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.