Abstract: A method includes identifying an impersonating message, transmitted over a Controller Area Network (CAN) bus by an attacking node connected to the bus, that appears to originate from a source other than the attacking node. The method further includes, in response to identifying the impersonating message, driving the attacking node into an error-passive state in which an ability of the attacking node to communicate over the bus is limited, relative to before entering the error-passive state. The method further includes, subsequently to driving the attacking node into the error-passive state, driving the attacking node into a bus-off state in which the attacking node cannot communicate over the bus, by transmitting, over the bus, a plurality of passive-error-flag-trumping messages that collide with, and trump, respective instances of a passive-error flag that the attacking node transmits over the bus. Other embodiments are also described.

Abstract: A method includes identifying an impersonating message, transmitted over a Controller Area Network (CAN) bus by an attacking node connected to the bus, that appears to originate from a source other than the attacking node. The method further includes, in response to identifying the impersonating message, driving the attacking node into an error-passive state in which an ability of the attacking node to communicate over the bus is limited, relative to before entering the error-passive state. The method further includes, subsequently to driving the attacking node into the error-passive state, driving the attacking node into a bus-off state in which the attacking node cannot communicate over the bus, by transmitting, over the bus, a plurality of passive-error-flag-trumping messages that collide with, and trump, respective instances of a passive-error flag that the attacking node transmits over the bus. Other embodiments are also described.

Abstract: A processor is configured to identify a first impersonating message, transmitted over a Controller Area Network (CAN) bus by an attacking node connected to the bus, that appears to originate from a source other than the attacking node, to transmit via a transceiver, in response to identifying the first impersonating message, a stream of messages over the bus, until a defense message belonging to the stream collides with, and trumps, a second impersonating message from the attacking node, and to drive the attacking node, subsequently, into an error-passive state in which an ability of the attacking node to communicate over the bus is limited relative to before entering the error-passive state, by repeatedly retransmitting the defense message over the bus in sync with retransmissions of the second impersonating message by the attacking node, such that the defense message collides with, and trumps, multiple subsequent instances of the second impersonating message.

Abstract: A processor is configured to identify a first impersonating message, transmitted over a Controller Area Network (CAN) bus by an attacking node connected to the bus, that appears to originate from a source other than the attacking node, to transmit via a transceiver, in response to identifying the first impersonating message, a stream of messages over the bus, until a defense message belonging to the stream collides with, and trumps, a second impersonating message from the attacking node, and to drive the attacking node, subsequently, into an error-passive state in which an ability of the attacking node to communicate over the bus is limited relative to before entering the error-passive state, by repeatedly retransmitting the defense message over the bus in sync with retransmissions of the second impersonating message by the attacking node, such that the defense message collides with, and trumps, multiple subsequent instances of the second impersonating message.