CAN bus lacks source authentication, rendering it vulnerable to spoofing attacks; existing intrusion detection and MAC-based solutions fail to provide effective protection. This paper proposes the first multicast source authentication scheme for in-vehicle networks, introducing a receiver-side dynamic bit-overwrite mechanism that jointly verifies message integrity and sender identity without modifying the CAN physical layer. The scheme integrates a customized lightweight MAC, hardware-level real-time tag embedding, and a reactive key derivation protocol. It is fully compatible with AUTOSAR SecOC and legacy CAN devices, incurs zero communication overhead and zero verification latency, and requires no additional hardware or protocol stack modifications. Evaluated on a real CAN testbed, the scheme achieves 100% spoofing attack detection while strictly preserving original communication timing and bandwidth constraints.

Controller Area Networks (CANs) are the backbone for reliable intra-vehicular communication. Recent cyberattacks have, however, exposed the weaknesses of CAN, which was designed without any security considerations in the 1980s. Current efforts to retrofit security via intrusion detection or message authentication codes are insufficient to fully secure CAN as they cannot adequately protect against masquerading attacks, where a compromised communication device, a so-called electronic control units, imitates another device. To remedy this situation, multicast source authentication is required to reliably identify the senders of messages. In this paper, we present CAIBA, a novel multicast source authentication scheme specifically designed for communication buses like CAN. CAIBA relies on an authenticator overwriting authentication tags on-the-fly, such that a receiver only reads a valid tag if not only the integrity of a message but also its source can be verified. To integrate CAIBA into CAN, we devise a special message authentication scheme and a reactive bit overwriting mechanism. We achieve interoperability with legacy CAN devices, while protecting receivers implementing the AUTOSAR SecOC standard against masquerading attacks without communication overhead or verification delays.