works/nodes through USB, cellular, Bluetooth, and WiFi connections [48]. Unfortunately, these interfaces provide various attack surfaces making these ECUs vulnerable to a remote adversary [6], [31], [32], [35], [36]. After infiltrating CAN by compromising any of these ECUs, the adversary can carry out a variety of attacks [24], [32], [35], [36], [49] against other ECUs since the CAN lacks mainstream network security capabilities due to resource constraints. In particular, a compromised ECU (e.g., Telematics Control Unit) may impersonate a benign ECU (e.g., Engine Control Unit) that cannot be remotely compromised, and forge the latter's CAN messages to disrupt safety-critical automotive functions (e.g., engine speed). We call such attacks ECU masquerade attacks.