Tampering describes the unauthorized manipulation of systems, data, or ongoing communication processes. As an attack on bus systems and peripherals, it is directly relevant to embedded cybersecurity. In embedded systems, tampering affects not only software or stored content but often also the communication between control units, sensors, actuators, and networked subsystems. Since many functions depend directly on error-free data exchange, even a single targeted intervention can have significant effects on the overall system.
Technical background of tampering
Embedded systems operate in numerous distributed applications. Individual components continuously exchange status information, measured values, control commands, or diagnostic information. If this communication is disrupted or manipulated, it not only leads to data errors but also to delays, faulty states, or malfunctions.
Tampering can occur at different points. Firmware, configuration data, or memory contents can be altered, but manipulation during transmission itself is particularly relevant. It does not necessarily change the actual payload value: deliberately disrupting a valid communication process can be sufficient to render messages unusable.
Example CAN Bus
A typical example of this is the CAN bus. This bus system is widely used in industry, automotive, commercial vehicles, military technology, and mechanical engineering. Multiple participants share a common line and communicate according to fixed protocol rules. Anyone who has physical access to the bus and masters the timing can interfere with an ongoing transmission.
If the bus is driven dominant at a critical point during a legitimate CAN message, the other participants detect a protocol error. The message is discarded and must be retransmitted. If such interventions repeat, the error counters in the control units increase, participants switch to restricted operating modes, and the stability of the network decreases. The actual payload can remain unchanged; it is the communication sequence that is manipulated.
Experimental Setup
Tampering can be explained using an experimental setup. The experimental setup consists of a legitimate CAN node, an intruder node, and a common CAN bus. The legitimate node periodically sends valid CAN frames with a higher arbitration ID. These messages form the normal bus traffic and serve as the target of the manipulation.
The intruder node is built differently from a regular CAN participant. It does not use its CAN controller to generate valid CAN frames; it bypasses the CAN peripheral and drives the bus directly via GPIO pins. This allows it to place dominant bits on the bus at precisely defined times.
The attack is based on temporal synchronization with the ongoing transmission. As soon as the intruder detects the Start of Frame, it uses this point as a reference. It then waits for the calculated offset to the End of Frame field and injects dominant bits onto the bus there.
Since the EOF field in the CAN protocol must consist of recessive bits, this intervention leads to a protocol error. This does not alter the content of the ongoing message, but rather invalidates it. The goal of this setup is to demonstrate that an attacker with direct access to the physical layer can intentionally corrupt a valid CAN transmission during its broadcast.

Consequences of Tampering
This is particularly critical for embedded systems because many functions are time-dependent. Delayed telegrams, missing acknowledgments, or disrupted synchronization can interrupt control chains. In distributed architectures, this often affects not just a single control unit but multiple dependent functions simultaneously.
Protection against tampering therefore does not start with the software. Controlled physical access to internal bus systems, secured service and debug interfaces, clean network segmentation, and gateways between different communication zones are important. Monitoring mechanisms for communication errors, integrity checks at higher protocol levels, and secured firmware processes such as Secure Boot complement these measures.
Older fieldbuses were not originally designed for today's threat scenarios. Therefore, security often needs to be supplemented by system architecture, hardening, and additional protective measures.

Countermeasures
Hardware-based countermeasures
Tampering can only be effectively contained if a system does not blindly assume that sent data arrives at the recipient unchanged. Continuous monitoring of actual communication is therefore crucial.
A central principle is the comparison of TX and RX. The locally transmitted signal is compared with the signal actually received on the bus. If the two signals do not match, this indicates collisions, physical interference, or deliberate manipulation. This cross-check is a particularly effective approach for shared-medium buses like the CAN bus, as external participants can actively interfere with the signal flow.
Complementary integrity mechanisms increase the probability of detection. These include CRC checks, sequence counters, authentication codes, or comparable protection mechanisms. An implementation close to the hardware is particularly effective, because manipulations are detected early rather than only in higher software layers. Robust hardware CRC protection can reliably make changes during transmission visible.
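An added example, not from the original article, of a sequence counter and CRC check at the application layer, using the CAN CRC-15 generator polynomial (0x4599); the frame layout with its 4-bit rolling counter and the sample payload are constructed for illustration. It shows what such checks catch (a bit changed in transit, a repeated frame, missing frames) and implies their limit: a plain CRC can be recomputed by anyone able to write the bus, so against deliberate manipulation the counter and payload also need an authentication code, which this block does not provide.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* CRC-15 of classic CAN: generator x^15+x^14+x^10+x^8+x^7+x^4+x^3+1 (0x4599), initial value 0,
 * no reflection. Applied to whole bytes here; the controller runs it over the frame bit stream. */
uint16_t crc15_can(const uint8_t *data, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 7);                 /* align the byte's MSB with bit 14 */
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x4000) ? (uint16_t)((crc << 1) ^ 0x4599) : (uint16_t)(crc << 1);
    }
    return crc & 0x7FFF;
}
enum check { ACCEPT, CRC_MISMATCH, COUNTER_REPLAY, COUNTER_GAP };
struct rx_state { int synced; uint8_t expect; };   /* receiver's view of the 4-bit rolling counter */
/* Constructed application frame (not a standard): [counter][payload...][crc hi][crc lo]. */
size_t build_frame(uint8_t ctr, const uint8_t *payload, size_t plen, uint8_t *out)
{
    out[0] = ctr & 0x0F;
    memcpy(out + 1, payload, plen);
    uint16_t c = crc15_can(out, plen + 1);
    out[plen + 1] = (uint8_t)(c >> 8); out[plen + 2] = (uint8_t)c;
    return plen + 3;
}
enum check check_frame(struct rx_state *st, const uint8_t *f, size_t len)
{
    if (len < 3) return CRC_MISMATCH;
    uint16_t got = (uint16_t)((f[len - 2] << 8) | f[len - 1]);
    if (crc15_can(f, len - 2) != got) return CRC_MISMATCH;      /* bits changed in flight */
    uint8_t ctr = f[0] & 0x0F, delta = (uint8_t)((ctr - st->expect) & 0x0F);
    int fresh = !st->synced;
    st->synced = 1; st->expect = (uint8_t)((ctr + 1) & 0x0F);    /* resync, but still report */
    if (fresh || delta == 0) return ACCEPT;
    return delta >= 8 ? COUNTER_REPLAY : COUNTER_GAP;  /* behind: repeated frame; ahead: frames lost */
}
/* Constructed sequence: counters 1 and 2 arrive, then one more frame chosen by scenario. */
enum check scenario(int which)
{
    static const uint8_t payload[2] = { 0x12, 0x34 };
    static const uint8_t next_ctr[4] = { 3, 2, 6, 3 };   /* in order, repeat of 2, 3..5 lost, in order */
    struct rx_state st = { 0, 0 };
    uint8_t f[5];
    for (uint8_t c = 1; c <= 2; c++) check_frame(&st, f, build_frame(c, payload, 2, f));
    size_t n = build_frame(next_ctr[which], payload, 2, f);
    if (which == 3) f[2] ^= 0x01;                         /* one payload bit changed in transit */
    return check_frame(&st, f, n);
}
```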
In practice, however, it must be taken into account that additional monitoring and security logic increase costs, development effort, latency, and complexity. Separate security transceivers, additional controller functions, or proprietary protection mechanisms are not economically viable in every product.
Therefore, tampering protection should be tied as closely to the protocol as possible. Security mechanisms that are directly part of the communication standard scale significantly better than individual solutions added later. Examples include integrated authentication, stronger frame integrity, defined error responses, or secure state models.
The problem is that not all industrially established protocols were developed with today's threat scenarios in mind. Many classic fieldbuses prioritize real-time behavior, simplicity, and low cost, but not security. Consequently, native mechanisms against targeted manipulation are lacking.

Application Example CAN Bus
Tampering can nevertheless be contained if not only the protocol but also the physical signal level is monitored. An effective measure is a security transceiver that permanently compares the local transmit and receive signals with each other.
An example of this is the NXP TJA115x series. While a legitimate host is transmitting, the transceiver monitors whether the bus signal actually received corresponds to the locally output TX signal. If bits on the bus are altered or overwritten by an external participant, the transceiver detects the deviation between TX and RX.
This is particularly relevant in the Error Passive state. According to classic CAN behavior, manipulations in this state can occur under certain circumstances without an active error frame being triggered, thus creating security vulnerabilities for targeted tampering. A security transceiver can close this gap by detecting an impermissible signal deviation independently of the controller and initiating protection measures itself.
Depending on the implementation, this can include blocking further transmissions, setting an error signal, disconnecting the node from the bus, or reporting a security event to the host. This does not make tampering impossible, but it makes it detectable much faster.
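The TX/RX cross-check described in the hardware countermeasures section and in this application example, as an added example in C that is not part of the original article and not the firmware of any NXP product: the monitor compares the bit pattern a node drove with what it sampled back from the bus, treats a lost arbitration and a receiver's ACK as legitimate mismatches, and reports every other deviation, such as a dominant bit forced into the EOF field, as a bit error. The 19-bit toy frame, its layout and the scenarios are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* CAN bit levels on the wire: a dominant bit (0) overrides a recessive bit (1). */
enum { DOMINANT = 0, RECESSIVE = 1 };
enum verdict { FRAME_OK, LOST_ARBITRATION, ACK_MISSING, BIT_ERROR };
/* Bit offsets into the tx/rx arrays: first bit after arbitration, ACK slot, first EOF bit. */
struct frame_layout { size_t arb_end, ack_slot, eof_start; };
struct report { enum verdict verdict; size_t bit; int in_eof; };
/* Compare what the node drove (tx) with what it sampled back from the bus (rx), bit for
 * bit, the way a security transceiver watches its own host transmit. */
struct report monitor_tx_rx(const uint8_t *tx, const uint8_t *rx, size_t nbits,
                            const struct frame_layout *lay)
{
    struct report r = { FRAME_OK, 0, 0 };
    for (size_t i = 0; i < nbits; i++) {
        if (i == lay->ack_slot) {                /* transmitter drives recessive here and */
            if (rx[i] == DOMINANT) continue;     /* expects a receiver to pull it dominant */
            r.verdict = ACK_MISSING; r.bit = i; return r;
        }
        if (tx[i] == rx[i]) continue;
        r.bit = i;
        r.in_eof = (i >= lay->eof_start);
        if (i < lay->arb_end && tx[i] == RECESSIVE)
            r.verdict = LOST_ARBITRATION;        /* a higher-priority ID won: legitimate */
        else
            r.verdict = BIT_ERROR;               /* bus level differs from what we drove */
        return r;
    }
    return r;
}
/* Constructed 19-bit toy frame (not captured traffic): SOF, 4 ID bits, 4 data bits,
 * 4 CRC bits, CRC delimiter, ACK slot, ACK delimiter, 3 EOF bits. */
#define SAMPLE_BITS 19
static const uint8_t SAMPLE_TX[SAMPLE_BITS] = { 0, 1,0,1,1, 1,1,0,0, 0,1,0,1, 1, 1, 1, 1,1,1 };
static const struct frame_layout SAMPLE_LAYOUT = { 5, 14, 16 };
/* Replay the sample frame against a bus reading perturbed for one scenario (0 = clean bus). */
struct report run_scenario(int which)
{
    uint8_t rx[SAMPLE_BITS];
    memcpy(rx, SAMPLE_TX, SAMPLE_BITS);
    rx[SAMPLE_LAYOUT.ack_slot] = DOMINANT;                  /* a receiver acknowledges */
    switch (which) {
    case 1: rx[1] = DOMINANT; break;                        /* lost arbitration on an ID bit */
    case 2: rx[SAMPLE_LAYOUT.ack_slot] = RECESSIVE; break;  /* nobody acknowledged */
    case 3: rx[17] = DOMINANT; break;                       /* dominant bit forced into EOF */
    }
    return monitor_tx_rx(SAMPLE_TX, rx, SAMPLE_BITS, &SAMPLE_LAYOUT);
}
```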
Summary
Tampering shows that an embedded system is not compromised solely by altering data. Even a targeted interference in ongoing communication can be enough to disrupt functions and reduce system availability. Therefore, protecting communication integrity is a central component of modern embedded security.