{"id":2001,"date":"2026-05-04T09:10:51","date_gmt":"2026-05-04T09:10:51","guid":{"rendered":"https:\/\/www.pickplace.de\/?p=2001"},"modified":"2026-05-05T15:38:19","modified_gmt":"2026-05-05T15:38:19","slug":"spoofing-and-tampering-attacks-in-bus-systems","status":"publish","type":"post","link":"https:\/\/www.pickplace.de\/en\/spoofing-und-tampering-attacken-in-bussystemen\/","title":{"rendered":"CRA Article Series Part 2: Spoofing and Tampering Attacks in Bus Systems"},"content":{"rendered":"<p class=\"wp-block-paragraph\">In the context of embedded systems, spoofing and tampering are the most common types of message manipulation. The starting point is an attacker who has gained access to the overall system via a maintenance or telemetry interface; from the compromised system, attempts are then made to manipulate message traffic on a bus network. This puts recipients of these messages into an undesirable system state, which can well have consequences that endanger life and limb.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Content<\/h2><nav><ul><li class=\"\"><a href=\"#das-beruhmte-beispiel-des-fca-hacks\">The famous example of the FCA hack<\/a><\/li><li class=\"\"><a href=\"#spoofing\">Spoofing<\/a><\/li><li class=\"\"><a href=\"#tampering\">Tampering<\/a><\/li><li class=\"\"><a href=\"#abwehr-von-spoofing-und-tampering\">Defensive and counter-measures<\/a><ul><li class=\"\"><a href=\"#spoofing-1\">Spoofing<\/a><\/li><li class=\"\"><a href=\"#tampering-1\">Tampering<\/a><\/li><li class=\"\"><a 
href=\"#zero-trust-prinzipien-beide-angriffsmuster-verdeutlichen-die-notwendigkeit-von-zero-trust-prinzipien-bei-diesem-sicherheitsansatz-wird-keine-kommunikation-von-vornherein-als-vertrauenswurdig-eingestuft-auch-nicht-von-geraten-die-vermeintlich-legitime-nachrichten-senden-um-solche-angriffe-zu-verhindern-mussen-alle-eingehenden-nachrichten-uberpruft-und-authentifiziert-werden-bevor-sie-vom-system-akzeptiert-werden-das-zero-trust-prinzip-setzt-darauf-dass-jede-kommunikationsnachricht-als-potenziell-unsicher-gilt-und-einer-verifikation-unterzogen-wird\">Zero Trust Principles<\/a><\/li><li class=\"\"><a href=\"#intrusion-detection-systeme\">Intrusion Detection Systems<\/a><\/li><\/ul><\/li><li class=\"\"><a href=\"#fazit\">Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<div class=\"wp-block-stackable-columns stk-block-columns stk-block stk-e341cf3\" data-block-id=\"e341cf3\"><style>.stk-e341cf3 {border-top-left-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;border-top-right-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;border-bottom-right-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;border-bottom-left-radius:var(--stk--preset--border-radius--xx-large, 32px) !important;overflow:hidden !important;}<\/style><div class=\"stk-row stk-inner-blocks stk-block-content stk-content-align stk-e341cf3-column\">\n<div class=\"wp-block-stackable-column stk-block-column stk-column stk-block stk-4606a65 stk-block-background\" data-v=\"4\" data-block-id=\"4606a65\"><div class=\"stk-column-wrapper stk-block-column__content stk-container stk-4606a65-container stk--no-background stk--no-padding\"><div class=\"stk-block-content stk-inner-blocks stk-4606a65-inner-blocks\">\n<p class=\"wp-block-paragraph\">This article is part of our \u201cCyber Resilience Act Embedded Software\u201d article series. 
The following parts have already been published:<\/p>\n\n\n\n<div class=\"wp-block-stackable-icon-list stk-block-icon-list stk-block stk-e4c58ff\" data-block-id=\"e4c58ff\"><style>.stk-e4c58ff {--stk-icon-list-marker-color:var(--theme-palette-color-1, #EE4B6A) !important;}<\/style><svg style=\"display:none\"><defs><g id=\"stk-icon-list__icon-svg-def-e4c58ff\"><svg xmlns=\"https:\/\/www.w3.org\/2000\/svg\" viewbox=\"0 0 512 512\"><path d=\"M256 0c4.6 0 9.2 1 13.4 2.9L457.7 82.8c22 9.3 38.4 31 38.3 57.2c-.5 99.2-41.3 280.7-213.6 363.2c-16.7 8-36.1 8-52.8 0C57.3 420.7 16.5 239.2 16 140c-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256 0z\"\/><\/svg><\/g><\/defs><\/svg><ul class=\"stk-block-icon-list__ul stk-block-icon-list--column\">\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-6dd44ce\" data-block-id=\"6dd44ce\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\"><a href=\"https:\/\/www.pickplace.de\/en\/hub\/cyber-resilience-act-embedded-software\/\">Meaning and Classification (this page)<\/a><\/span><\/div><\/li>\n\n\n\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-53fa3a8\" data-block-id=\"53fa3a8\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\"><a href=\"https:\/\/www.pickplace.de\/en\/hub\/spoofing-and-tampering-attacks-in-bus-systems\/\" data-type=\"post\" data-id=\"2001\">Spoofing and Tampering Attacks in Bus Systems<\/a><\/span><\/div><\/li>\n\n\n\n<li 
class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-34c08cc\" data-block-id=\"34c08cc\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\">Zero-Trust Communication on Low-Level Bus Systems<\/span><\/div><\/li>\n\n\n\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-d1fe372\" data-block-id=\"d1fe372\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\">Anti-Denial-of-Service Measures for Peripherals<\/span><\/div><\/li>\n\n\n\n<li class=\"wp-block-stackable-icon-list-item stk-block-icon-list-item stk-block stk-529c437\" data-block-id=\"529c437\"><div class=\"stk-block-icon-list-item__content\"><span class=\"stk--svg-wrapper\"><div class=\"stk--inner-svg\"><svg aria-hidden=\"true\" width=\"32\" height=\"32\"><use xlink:href=\"#stk-icon-list__icon-svg-def-e4c58ff\"><\/use><\/svg><\/div><\/span><span class=\"stk-block-icon-list-item__text\">Secure updates via communication buses<\/span><\/div><\/li>\n<\/ul><\/div>\n<\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"das-beruhmte-beispiel-des-fca-hacks\">The famous example of the FCA hack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">One of the best-known cases of such an intrusion is the FCA case, in which two American white hats, accompanied by a team of journalists, gained access to a Jeep's telemetry interface. Once one gets past this so-called \u201cfirewall,\u201d it is supposedly child's play to gain control of the vehicle. 
The <a href=\"https:\/\/www.wired.com\/2015\/07\/hackers-remotely-kill-jeep-highway\/\" target=\"_blank\" rel=\"noopener\">case<\/a> attracted intense attention within the automotive industry and laid the foundation for a series of cybersecurity measures around ISO\/SAE 21434.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-einbettungs-handler wp-block-embed-einbettungs-handler wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Hackers Remotely Kill a Jeep on a Highway | WIRED\" width=\"1290\" height=\"726\" src=\"https:\/\/www.youtube.com\/embed\/MK0SrxBC1xs?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">What is crucial here is less the initial access itself than what became possible afterward: once the attackers were \u201cbehind the firewall\u201d within the internal vehicle network, they could inject messages onto the CAN bus in a targeted manner and thereby influence functions such as the air conditioning, steering, or brakes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Technically speaking, the core issue was spoofing attacks on the vehicle bus. The control units in the CAN network accepted the injected messages as legitimate because identification is solely based on message IDs and there is no sender authentication. The attackers no longer needed to employ complex exploits \u2013 it was sufficient to correctly imitate legitimate communication patterns to intentionally manipulate states within the vehicle.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, the actual vulnerability was upstream: an insufficiently protected OTA\/telematics device that served as the entry point. 
This device acted as a bridge between external communication (cellular network) and the internal vehicle network. Once this node was compromised, the otherwise \u201cclosed\u201d CAN bus effectively became an open attack surface. This is precisely where the structural problem becomes apparent: the bus itself offers no security mechanisms \u2013 it implicitly assumes that all participants are trustworthy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"spoofing\">Spoofing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The simplest and therefore most obvious spoofing attack exploits a weakness in the communication between networked devices, as illustrated in the graphic below. In this attack, a device first sends a legitimate message that is correctly processed by the recipient. Immediately afterward, however, a compromised bus participant sends a manipulated message that follows the first one closely in time. The recipient generally trusts all messages of this type, or has no specific rejection criteria for message identity or content.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/spoofing-attack.png\" alt=\"Spoofing attack CAN bus Cyber Resilience Act\" class=\"wp-image-2006\"\/><figcaption class=\"wp-element-caption\"><em>Spoofing attack via a compromised device<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\"><br>The graphic shows that the receiver reacts to the first message and changes its state accordingly. However, the immediately following fake message causes the receiver's state to change again \u2013 into an undesirable state. 
As a result, the receiving device remains in an unwanted state practically all the time, i.e., throughout the intervals between the planned message cycles.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"tampering\">Tampering<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Tampering is another form of attack: it alters messages bit by bit, and thus manipulates them, directly at the moment of transmission. In industrial bus communication there are also hybrid forms in which an attacker invalidates the uncompromised sender. This invalidation is achieved by injecting non-recessive bits. The result is an electrical signal difference between the Rx and Tx lines of the uncompromised sender, Alice, which causes the protocol to disconnect her from the bus network. Although this attack is technically more difficult, it defeats simple validation measures on the part of uncompromised devices. A spoofing attack can, in principle, be defended against easily if the legitimate sender detects its own identity being impersonated on the bus system itself. 
A tampering attack, on the other hand, is practically impossible for sender and receiver to defend against without shared secrets.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"211\" src=\"https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/image-3-1024x211.png\" alt=\"Tampering attack - Invalidating a bus participant\" class=\"wp-image-2007\" srcset=\"https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/image-3-1024x211.png 1024w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/image-3-300x62.png 300w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/image-3-768x158.png 768w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/image-3-1536x316.png 1536w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/image-3-2048x421.png 2048w, https:\/\/www.pickplace.de\/wp-content\/uploads\/2026\/05\/image-3-18x4.png 18w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Tampering attack by a bus participant at the bit level<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"abwehr-von-spoofing-und-tampering\">Defensive and counter-measures<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"spoofing-1\">Spoofing<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Spoofing is particularly difficult to defend against when the only source for legitimizing a participant is the open fieldbus itself. In this case, trust is based solely on observable characteristics such as message IDs, MAC addresses, or timing \u2013 precisely the properties that an attacker can imitate. Since there is no real binding between a physical device and the sent message, identity becomes something that is merely asserted and not verified. An attacker therefore does not need to \u201cbreak in\u201d but only to imitate correctly: same IDs, same cycle times, plausible behavior. 
As soon as this imitation is sufficiently accurate, it is accepted as legitimate by the system \u2013 and therein lies the structural weakness of open bus systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"tampering-1\">Tampering<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Tampering has a similar fundamental problem \u2013 albeit with an important limitation: it becomes significantly easier to defend against once hardware-based security mechanisms are in place. Without such mechanisms, an attacker can not only imitate messages on the bus but also deliberately alter them without detection. However, as soon as the communication path itself is monitored \u2013 for instance, through hardware-based CRC checks, frame checks directly in the controller, or a comparison between the transmitted (TX) and received (RX) signal in the transceiver \u2013 the hurdle increases considerably. In these cases, any manipulation at the bit level becomes immediately visible, or at least an anomaly is detected, as the received signal no longer matches the expected one. 
Tampering thus becomes a problem of the physical integrity of the transmission path and is technically much more manageable than spoofing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"zero-trust-prinzipien-beide-angriffsmuster-verdeutlichen-die-notwendigkeit-von-zero-trust-prinzipien-bei-diesem-sicherheitsansatz-wird-keine-kommunikation-von-vornherein-als-vertrauenswurdig-eingestuft-auch-nicht-von-geraten-die-vermeintlich-legitime-nachrichten-senden-um-solche-angriffe-zu-verhindern-mussen-alle-eingehenden-nachrichten-uberpruft-und-authentifiziert-werden-bevor-sie-vom-system-akzeptiert-werden-das-zero-trust-prinzip-setzt-darauf-dass-jede-kommunikationsnachricht-als-potenziell-unsicher-gilt-und-einer-verifikation-unterzogen-wird\">Zero Trust Principles<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\" id=\"zero-trust-prinzipien-beide-angriffsmuster-verdeutlichen-die-notwendigkeit-von-zero-trust-prinzipien-bei-diesem-sicherheitsansatz-wird-keine-kommunikation-von-vornherein-als-vertrauenswurdig-eingestuft-auch-nicht-von-geraten-die-vermeintlich-legitime-nachrichten-senden-um-solche-angriffe-zu-verhindern-mussen-alle-eingehenden-nachrichten-uberpruft-und-authentifiziert-werden-bevor-sie-vom-system-akzeptiert-werden-das-zero-trust-prinzip-setzt-darauf-dass-jede-kommunikationsnachricht-als-potenziell-unsicher-gilt-und-einer-verifikation-unterzogen-wird\">Both attack patterns highlight the necessity of zero-trust principles. This security approach does not trust any communication from the outset, not even from devices that ostensibly send legitimate messages. To prevent such attacks, all incoming messages must be verified and authenticated before being accepted by the system. The zero-trust principle assumes that every communication message is considered potentially unsafe and undergoes verification.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, however, this approach quickly reaches its limits because it requires a shared secret. 
This brings with it several fundamental problems. First, the secret itself must not be transmitted openly, which presupposes secure key exchange mechanisms. Second, in many systems, keys must be shared or coordinated across manufacturer boundaries, which is very complex organizationally and technically. Third, the entire key management \u2013 from provisioning to rotation to revocation \u2013 is complex and often overwhelms smaller manufacturers or projects with limited resources in particular.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"intrusion-detection-systeme\">Intrusion Detection Systems<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Intrusion detection systems, which do without secrets, are therefore a pragmatic addition to cryptographic measures. They analyze communication patterns, timing, frequencies, and sequences of messages and detect deviations from expected behavior. Such cryptography-free methods cannot prevent spoofing or anomalies, but can reliably detect them. The crucial point is the reaction: if an attack is detected, the system must transition to a defined safe state. This does not prevent intrusion, but controls the impact \u2013 which is the crucial difference in many security-critical applications.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"fazit\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">From a security perspective, an open fieldbus remains fundamentally difficult to control. The architecture is not designed to establish a consistent chain of trust \u2013 trust arises implicitly through participation in the bus, not through verified identity. 
Depending on the level of protection used, this chain can be partially established (e.g., through authentication, trust anchors, or secure boot), but rarely completely across all participants and manufacturers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, this means: <strong>There is no \u201csafe\u201d open bus system and no secure fieldbus standard, only different degrees of security.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Where cryptographic measures cannot be consistently implemented, a residual attack surface always remains \u2013 especially for spoofing. A realistic approach is therefore crucial: <a href=\"https:\/\/www.pickplace.de\/en\/threat-and-risk-assessment\/\" data-type=\"page\" data-id=\"1298\">risk analysis<\/a> and a combination of preventive measures, detection, and defined safe states. Security arises here not from a single concept, but from graduated control along the entire communication path.<\/p>","protected":false},"excerpt":{"rendered":"<p>In the context of embedded systems, spoofing and tampering are the most common types of message manipulation. The starting point is an attacker who has gained access to the overall system via a maintenance or telemetry interface; from the compromised system, attempts are then made to manipulate message traffic on a bus network. 
This puts recipients of these messages into an undesirable system state, which can well lead to life-threatening [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2018,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37,41,32],"tags":[],"class_list":["post-2001","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-resilience-act","category-artikelserie-cra","category-cysec"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts\/2001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/comments?post=2001"}],"version-history":[{"count":7,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts\/2001\/revisions"}],"predecessor-version":[{"id":2093,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/posts\/2001\/revisions\/2093"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/media\/2018"}],"wp:attachment":[{"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/media?parent=2001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/categories?post=2001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pickplace.de\/en\/wp-json\/wp\/v2\/tags?post=2001"}],"curies":[{"name":"WP","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}