Threat Modeling the CAN Bus in Modern Vehicles
How an inherently trusting protocol becomes an attack surface — and what to do about it.
The Controller Area Network (CAN) bus is the nervous system of nearly every modern vehicle. It was designed in the 1980s for reliability and real-time performance — security was never part of the requirements. That gap is now a serious attack surface.
The core problem: implicit trust
On a classic CAN bus, any node can send any message, and every node trusts every message. There is no authentication and no sender identity.
No source authentication
A compromised infotainment unit can broadcast frames that a braking ECU will happily act on, because the braking ECU has no way to know who actually sent them.
A realistic attack path
Attacks rarely start at the braking ECU. They start at the most exposed, least-critical component and pivot inward.
- Compromise an internet-facing component (telematics, infotainment).
- Pivot onto the CAN bus the component shares with critical ECUs.
- Inject or replay frames to influence vehicle behavior.
Note
This is why network segmentation inside the vehicle — gateways between domains — is one of the highest-leverage controls available.
Defensive controls
1. Domain segmentation with a central gateway
Split the vehicle network into domains (powertrain, chassis, body, infotainment) with a gateway that filters which messages may cross between them.
2. Message authentication (CAN MAC / SecOC)
AUTOSAR's Secure Onboard Communication (SecOC) adds a truncated MAC and freshness value to critical frames, defeating naive injection and replay.
// Simplified: verify a MAC + freshness value before acting on a frame.
bool secoc_accept(const Frame *f) {
if (!freshness_is_valid(f->fv)) return false; // anti-replay
uint8_t mac[MAC_LEN];
compute_mac(f->id, f->data, f->fv, mac);
return constant_time_eq(mac, f->mac, MAC_LEN); // anti-spoof
}Constant-time comparison
Always compare MACs in constant time. A timing side channel on the comparison can leak the valid MAC byte by byte.
3. Intrusion detection on the bus
A CAN IDS models normal timing and message frequency and flags anomalies — an ECU suddenly sending frames it never sends, or at an impossible rate.
Prioritizing the work
| Control | Effort | Risk reduction |
|---|---|---|
| Domain gateway segmentation | Medium | High |
| SecOC on critical frames | High | High |
| CAN IDS | Medium | Medium |
| Secure boot on ECUs | High | High (foundational) |
Standards to know
ISO/SAE 21434 (road-vehicle cybersecurity engineering) and UNECE WP.29 R155 now make much of this mandatory for new vehicle type approvals.
The CAN bus won't be redesigned overnight, so automotive security is about adding trust to a trustless protocol — segment aggressively, authenticate the frames that matter, and monitor everything.
Related articles
Prompt Injection: A Defense-in-Depth Playbook for LLM Applications
Prompt injection is the SQL injection of the LLM era. Here is a practical, layered defense strategy — from trust boundaries to output handling — with concrete patterns you can ship.