Automotive electronic control units increasingly rely on resource-constrained microcontrollers to implement authentication and message validation for in-vehicle networks such as CAN. Although cryptographic primitives may be mathematically secure, their software implementations on low-cost ECUs can leak sensitive information through timing side-channels. This paper presents a practical timing side-channel evaluation of an embedded authentication routine implemented on Arduino-class microcontrollers representative of entry-level automotive ECUs. A Python-based measurement framework interacts with the target device over a serial interface, repeatedly triggers authentication operations, and records execution time under controlled conditions. Experimental results show statistically distinguishable timing distributions correlated with secret-dependent execution paths, enabling an attacker with CAN-adjacent access to infer partial information about authentication checks. Lightweight countermeasures, including constant-time comparisons and control-flow normalization, are implemented and evaluated. The mitigated design reduces observable timing leakage with minimal execution-time and memory overhead, highlighting the need for implementation-level timing analysis in automotive embedded systems.
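The secret-dependent execution path and the constant-time countermeasure named above, as an added sketch that is not the paper's code: a step counter stands in for measured execution time, and the tag length, tag bytes and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 8 /* assumed tag length; the abstract does not state one */
/* Constructed sample tag, not taken from the paper. */
static const uint8_t expected_tag[TAG_LEN] = {0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xbd, 0x16};

/* Early-exit comparison: returns at the first mismatching byte, so the number
 * of loop iterations (*steps) depends on how long the matching prefix is. */
int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i]) return 0;
    }
    return 1;
}

/* Constant-time comparison: always walks all n bytes, no data-dependent branch. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps) {
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]); /* accumulate differences */
    }
    return (int)(((uint32_t)diff - 1u) >> 31); /* 1 only when diff == 0 */
}

/* Steps taken for a candidate whose first match_len bytes equal the tag. */
size_t steps_for_prefix(size_t match_len, int use_constant_time) {
    uint8_t candidate[TAG_LEN];
    size_t steps = 0;
    for (size_t i = 0; i < TAG_LEN; i++)
        candidate[i] = (i < match_len) ? expected_tag[i] : (uint8_t)~expected_tag[i];
    if (use_constant_time) compare_constant_time(candidate, expected_tag, TAG_LEN, &steps);
    else compare_early_exit(candidate, expected_tag, TAG_LEN, &steps);
    return steps;
}

int main(void) {
    for (size_t m = 0; m <= TAG_LEN; m++)
        printf("matching bytes=%zu  early-exit steps=%zu  constant-time steps=%zu\n",
               m, steps_for_prefix(m, 0), steps_for_prefix(m, 1));
    return 0;
}
```

On a real target the compiled output still has to be timed, since the step count only models the source-level control flow.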