New NXP Transceiver Secures Controlled-area-Network Communications without Software

NXP Semiconductors has unveiled a new secure CAN (Controlled-area-Network)​ transceiver family that offers a seamless, efficient solution for securing CAN communications without software or cryptography.

CAN networks are used in every car to connect electronic control units (ECUs) and are expected to remain the dominant network for the next decade. As automotive electronic content continues to rise, the amount of real-time data exchanged across CAN networks will increase. Since CAN is a robust multi-point connection network, and up to now, most data communication within the vehicle have been unsecured, i.e. a single compromised ECU has direct access to all other connected ECUs. Security solutions on the market today protect CAN communication with message authentication code (MAC) based on cryptography and complex key management, but they require increased CAN bus load, message latency and computing power consumption.

Existing ECU designs cannot be easily upgraded to support secure CAN messages if the processors do not have sufficient compute power. With secure CAN transceivers, however, automakers can secure messages from the ECUs already used in the design, offering a simpler, faster rollout of security than it would take to transition the existing ECUs to secure ones.

NXP has developed a pure transceiver based solution for the CAN network which is designed to secure efficiently – no bandwidth overhead, no delays and no processor load. This novel approach complements crypto-based security solutions with an additional layer in a Defense-in-Depth (DiD) concept, or as a standalone option.

Security Features of the Secure CAN Transceiver Include:

  • Spoofing prevention on transmit side: Designed to protect the CAN bus from a compromised ECU by filtering messages based on CAN message IDs in the transmit path. If the ECU tries to send a message with an ID that is originally not assigned to it, the secure CAN transceiver can refuse to transmit it to the bus.
  • Spoofing prevention on receive side: A complementary protection is used to invalidate messages on the bus with a CAN message ID assigned for transmission. This method means each ECU has the ability to protect its own IDs in the eventuality that a rogue ECU manages to send a message with the same ID.
  • Tamper protection: Invalidating messages on the CAN bus can be used to prevent tampering, offering a clear sign of a compromised ECU has stepped into the transmission.
  • Flooding prevention and rate limit control: Limiting the number of transmitted messages per ECU from the sender side at any time, helps prevent flooding the bus but leaves the busload open for certain types of critical tasks.