CRA Article Series Part 2: Spoofing and Tampering Attacks in Bus Systems

In the context of embedded systems, spoofing and tampering are the most common types of message manipulation. Once an attacker has gained access to the overall system via a maintenance or telemetry interface, compromised participants on the bus network attempt to manipulate message traffic. This puts the recipients of those messages into an undesirable system state, which can have hazardous consequences for life and limb.

This article is part of our „Cyber Resilience Act Embedded Software“ article series. The following parts have already been published:

The famous example of the FCA hack

One of the best-known cases of such an intrusion is the FCA case, in which two American white hats, accompanied by a journalism team, gained access to a Jeep's telemetry interface. Once past this supposed „firewall“, it is supposedly child's play to gain control of the vehicle. The case was followed with extreme attention within the automotive industry and laid the foundation for a series of cybersecurity measures around ISO/SAE 21434.

What is crucial here is less the initial access itself, but rather what became possible afterward: Once the attackers were „behind the firewall“ within the internal vehicle network, they could specifically inject messages via the CAN bus and thereby influence functions such as the air conditioning, steering, or brakes.

Technically speaking, the core issue was spoofing attacks on the vehicle bus. The control units in the CAN network accepted the injected messages as legitimate because identification is based solely on message IDs and there is no sender authentication. The attackers did not need complex exploits at that point – it was sufficient to imitate legitimate communication patterns correctly in order to manipulate states within the vehicle deliberately.

However, the actual vulnerability was upstream: an insufficiently protected OTA/telematics device that served as the entry point. This device acted as a bridge between external communication (mobile radio) and the internal vehicle network. Once this node was compromised, the otherwise „closed“ CAN bus effectively became an open attack surface. This is precisely where the structural problem becomes apparent: the bus itself offers no security mechanisms – it implicitly assumes that all participants are trustworthy.

Spoofing

The simplest and therefore most obvious spoofing attack exploits a weakness in the communication between networked devices, as illustrated in the graphic below. In this attack, a device first sends a legitimate message that is correctly processed by the recipient. However, immediately afterward, a manipulated message is sent by a compromised bus participant, which follows the first message closely in time. The recipient generally trusts all messages of this type, or has no special exclusion criteria for message identity or content.

Figure: Spoofing attack via a compromised device

The graphic shows that the receiver reacts to the first message and changes its state accordingly. However, the fake message that follows immediately afterwards causes the receiver's state to change again – into an undesirable state. As a result, the receiving device spends practically the entire interval between the planned message cycles in an unwanted state.

Tampering

There is another form of attack, tampering, in which messages are altered bit by bit, and thus manipulated, directly at the moment of transmission. In industrial bus communication there are also hybrid forms in which an uncompromised sender (Alice) is invalidated by an attacker. This invalidation is achieved by injecting dominant (non-recessive) bits. The result is an electrical signal difference between Alice's Rx and Tx lines, which causes the protocol to disconnect her from the bus network. Although this attack is technologically more difficult, it defeats simple validation measures on the part of uncompromised devices. A spoofing attack can in principle be defended against easily if the genuine sender recognizes its impersonated identity on the bus system itself. A tampering attack, by contrast, practically cannot be defended against by sender and receiver without shared secrets.

Figure: Tampering attack by a bus participant at the bit level

Defensive and counter-measures

Spoofing

Spoofing is particularly difficult to defend against when the only source for legitimizing a participant is the open fieldbus itself. In this case, trust is based solely on observable characteristics such as message IDs, MAC addresses, or timing – precisely the properties that an attacker can imitate. Since there is no real binding between a physical device and the sent message, identity becomes something that is merely represented and not verified. An attacker therefore does not need to „break in“ but only to imitate correctly: same IDs, same cycle times, plausible behavior. As soon as this imitation is sufficiently accurate, it is accepted as legitimate by the system – and therein lies the structural weakness of open bus systems.

Tampering

Tampering has a similar fundamental problem – albeit with an important limitation: it becomes significantly easier to defend against once hardware-based security mechanisms are in place. Without such mechanisms, an attacker can not only imitate messages on the bus but also deliberately alter them without detection. However, as soon as the communication path itself is monitored – for instance, through hardware-based CRC checks, frame checks directly in the controller, or a comparison between the transmitted (TX) and received (RX) signal in the transceiver – the hurdle increases considerably. In these cases, any manipulation at the bit level becomes immediately visible, or at least an anomaly is detected, as the received signal no longer matches the expected one. Tampering thus becomes a problem of the physical integrity of the transmission path and is technically much more manageable than spoofing.
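As an added example (not code from the original article): a simulation of the TX/RX comparison just described on a wired-AND bus, where the sender reads back each bit it drives and reports the first bit outside the arbitration field at which a recessive transmission was overridden by a dominant level. The bus model, the 12-bit frame layout and the bit strings are constructed assumptions.

```c
#include <stddef.h>

/* CAN-style wired-AND bus levels: 0 = dominant, 1 = recessive. All bit
 * strings below are constructed for illustration, not real frames. */
#define DOMINANT  0
#define RECESSIVE 1

/* Bus model: the bus carries dominant as soon as any node drives dominant. */
static int bus_level(const int *drivers, size_t n_drivers)
{
    int level = RECESSIVE;
    for (size_t i = 0; i < n_drivers; i++) level &= drivers[i];
    return level;
}

/* Transceiver-side check: the transmitter compares each bit it drove (TX)
 * with the level it reads back (RX). Being overridden inside the arbitration
 * field is normal arbitration loss, so those bits are skipped; beyond it, a
 * recessive TX bit read back as dominant means the transmission path was
 * manipulated. Returns the index of the first such bit, or -1 if none. */
int first_tampered_bit(const int *tx, const int *rx, size_t n, size_t arb_len)
{
    for (size_t i = arb_len; i < n; i++)
        if (tx[i] == RECESSIVE && rx[i] == DOMINANT) return (int)i;
    return -1;
}

/* Simulate one frame on a two-node bus (the sender plus one other driver),
 * fill rx_out with what the sender reads back, and run the check on it. */
int simulate_frame(const int *tx, const int *other, size_t n, size_t arb_len,
                   int *rx_out)
{
    for (size_t i = 0; i < n; i++) {
        int drivers[2] = { tx[i], other[i] };
        rx_out[i] = bus_level(drivers, 2);
    }
    return first_tampered_bit(tx, rx_out, n, arb_len);
}

/* Constructed 12-bit frame: 4 arbitration bits followed by 8 data bits. */
enum { ARB_BITS = 4, FRAME_BITS = 12 };
const int alice_tx[FRAME_BITS] = { 0,1,0,1, 1,1,0,1,1,0,1,1 };
const int bus_idle[FRAME_BITS] = { 1,1,1,1, 1,1,1,1,1,1,1,1 }; /* no other driver */
const int tamper[FRAME_BITS]   = { 1,1,1,1, 1,1,1,0,1,1,1,1 }; /* dominant on frame bit 7 */
int demo_rx[FRAME_BITS];        /* read-back buffer used by the test */
```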

Zero Trust Principles

Both attack patterns highlight the necessity of zero-trust principles. This security approach does not trust any communication from the outset, not even from devices that ostensibly send legitimate messages. To prevent such attacks, all incoming messages must be verified and authenticated before being accepted by the system. The zero-trust principle assumes that every communication message is considered potentially unsafe and undergoes verification.

In practice, however, this approach quickly reaches its limits because it requires a shared secret. This brings with it several fundamental problems. First, the secret itself must not be transmitted openly, which presupposes secure key exchange mechanisms. Second, in many systems, keys must be shared or coordinated across manufacturer boundaries, which is very complex organizationally and technically. Third, the entire key management – from provisioning to rotation to revocation – is complex and often overwhelms smaller manufacturers or projects with limited resources in particular.

Intrusion Detection Systems

A pragmatic addition to cryptographic measures is therefore an intrusion detection system, which does without secrets. Such systems analyze communication patterns, timing, frequencies, and sequences of messages and detect deviations from expected behavior. These cryptography-free methods cannot prevent spoofing or other anomalies, but they can reliably detect them. The crucial point is the reaction: if an attack is detected, the system must transition to a defined safe state. This does not prevent the intrusion, but it controls the impact – which is the crucial difference in many security-critical applications.
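As an added example (not code from the original article) that combines the spoofing pattern shown in the graphic above with the secret-free detection and safe-state reaction this section calls for: a receiver checks the inter-arrival time of one monitored CAN ID against its nominal cycle, flags a frame that follows the previous accepted frame too closely, and drops into a defined safe state instead of applying the injected value. The ID 0x123, the 100 ms cycle, the half-cycle threshold and the trace are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed trace entry: arrival time in microseconds, 11-bit CAN ID and
 * first payload byte. IDs, cycle time and values are hypothetical. */
typedef struct { uint32_t t_us; uint16_t id; uint8_t data0; } frame_t;
#define MON_ID     0x123u          /* ID whose timing is monitored */
#define CYCLE_US   100000u         /* nominal 100 ms transmit cycle */
#define MIN_GAP_US (CYCLE_US / 2)  /* anything closer is implausible */
typedef enum { STATE_NORMAL, STATE_SAFE } sys_state_t;
typedef struct {
    bool seen;             /* a reference frame for MON_ID exists */
    uint32_t last_t_us;    /* arrival time of the last accepted frame */
    uint8_t value;         /* receiver state derived from data0 */
    sys_state_t state;
    int anomalies;
} receiver_t;

/* A MON_ID frame arriving sooner than half the nominal cycle after the last
 * accepted frame is flagged. Flagged frames never update the reference time,
 * so an injected frame cannot shift the window onto the next legitimate one. */
static void receiver_handle(receiver_t *r, const frame_t *f)
{
    if (f->id != MON_ID) return;
    if (r->seen && (f->t_us - r->last_t_us) < MIN_GAP_US) {
        r->anomalies++;
        r->state = STATE_SAFE;  /* defined safe state: stop applying values */
        return;
    }
    if (r->state == STATE_NORMAL) r->value = f->data0;
    r->last_t_us = f->t_us;
    r->seen = true;
}
/* Run the detector over a whole trace; returns the number of flagged frames. */
int run_trace(receiver_t *r, const frame_t *trace, int n)
{
    receiver_t init = { false, 0, 0, STATE_NORMAL, 0 };
    *r = init;
    for (int i = 0; i < n; i++) receiver_handle(r, &trace[i]);
    return r->anomalies;
}

/* Constructed trace: legitimate 100 ms frames carrying 0x01, plus one frame
 * carrying 0xFF injected 2 ms after the third legitimate frame. */
const frame_t demo_trace[] = {
    { 0, MON_ID, 0x01 }, { 100000, MON_ID, 0x01 }, { 200000, MON_ID, 0x01 },
    { 202000, MON_ID, 0xFF },  /* follows too closely: flagged */
    { 300000, MON_ID, 0x01 },
};
const int demo_n = (int)(sizeof demo_trace / sizeof demo_trace[0]);
receiver_t demo_rx;             /* receiver instance used by the test */
```

Note that the injected frame in the trace keeps the legitimate value 0x01 out of the receiver's state only because the safe state is entered; the later legitimate frame at 300 ms is not flagged, since the reference time was never moved to the injected frame.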

Conclusion

From a security perspective, an open fieldbus remains fundamentally difficult to control. The architecture is not designed to map a consistent chain of trust – trust arises implicitly through participation in the bus, not through verified identity. Depending on the level of protection used, this chain can be partially established (e.g., through authentication, trust anchors, or secure boot), but rarely completely across all participants and manufacturers.

In practice, this means: there is no „safe“ open bus system and no secure fieldbus standard, only different degrees of security.

Where cryptographic measures cannot be implemented consistently, a residual attack surface always remains – especially for spoofing. A realistic approach is therefore crucial: risk analysis, a combination of preventive measures, detection, and defined safe states. Security arises here not from a single concept, but from graduated control along the entire communication path.
