NXP Semiconductors has announced a new secure CAN transceiver family that offers a seamless, efficient solution for secure CAN communications — and does not require software or cryptography. CAN networks are used in every car to connect electronic control units (ECUs) and are expected to remain the dominant network for the next decade. As automotive electronic content continues to rise, the amount of real-time data exchanged across CAN networks will increase.
Since CAN is a robust multi-point connection network, and up to now, most data communication within the vehicle is unsecured, a single compromised ECU has direct access to connected ECUs. Security solutions on the market today protect CAN communication with message authentication code (MAC) based on cryptography and complex key management, but they require increased CAN bus load, message latency and computing power consumption.
Existing ECU designs cannot be easily upgraded to support secure CAN messages if the processors do not have sufficient compute power. With secure CAN transceivers, however, automakers can secure messages from the ECUs already used in the design, offering a simpler, faster rollout of security than it would take to transition the existing ECUs to secure ones.
NXP has developed a pure transceiver based solution for the CAN network which is designed to secure efficiently - no bandwidth overhead, no delays and no processor load. This novel approach complements crypto-based security solutions with an additional layer in a Defense-in-Depth (DiD) concept, or as a standalone option.
"NXP´s secure CAN transceivers signal a disruptive approach compared with the status quo," said Jens Hinrichsen, Senior Vice President & GM of Advanced Automotive Analog Business Line. "This translates to more efficiency and a reduction in the vital system resources needed for increasingly complex cars."
Security features of the secure CAN transceiver:
- Spoofing prevention on transmit side: Designed to protect the CAN bus from a compromised ECU by filtering messages based on CAN message IDs in the transmit path. If the ECU tries to send a message with an ID that is originally not assigned to it, the secure CAN transceiver can refuse to transmit it to the bus.
- Spoofing prevention on receive side: A complementary protection is used to invalidate messages on the bus with a CAN message ID assigned for transmission. This method means each ECU has the ability to protect its own IDs in the eventuality that a rogue ECU manages to send a message with the same ID.
- Tamper protection: Invalidating messages on the CAN bus can be used to prevent tampering, offering a clear sign of a compromised ECU has stepped into the transmission.
- Flooding prevention and rate limit control: Limiting the number of transmitted messages per ECU from the sender side at any time, helps prevent flooding the bus but leaves the busload open for certain types of critical tasks.