CAN bus attacks

A CAN is a Controller Area Network. Electronic Control Units (ECUs) are networked together in a car using a bus based on the CAN standard. A car will have one more CAN buses which are typically accessible via the Onboard Diagnostics (OBD II) port.

The CAN allows a distributed network of micro-controllers and devices to do real time messaging with each other with CAN packets, to exercise real time control. It is used in industrial control systems, vechicles such as airplanes and ships, and automotive systems.

ECU examples are Airbag, HVAC, ABS and Engine Control Unit.

Some CAN related security resources –

  1. Hopping on the CAN bus. https://www.blackhat.com/docs/asia-15/materials/asia-15-Evenchick-Hopping-On-The-Can-Bus.pdf
  2. Charlie Miller, Chris Valasek.  http://illmatics.com/car_hacking.pdf
  3. Craig Smith, opengarages. http://opengarages.org/handbook/
  4. Original Spec by Bosch. http://www.bosch-semiconductors.de/media/pdf_1/canliteratur/can2spec.pdf
  5. http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/?ALLSTEPS
  6. http://tucrrc.utulsa.edu/DodgeCAN.html

A podcast interview with Chris Valasek: https://securityledger.com/2015/07/podcast-interview-with-car-hacker-chris-valasek-of-ioactive/

Most cars do allow CAN access via OBD. Tesla does not, but the CAN information is still accessible via another port.

It may sound unusual that the OBD port meant for diagnostics should allow sending commands to the CAN bus, but this is in fact possible, in part because there is no source identifier or authentication build into CAN packets.

What if an ECU itself has some kind of problem or degradation ? This can increase vulnerability when combined with open CAN bus access.

For example, there were two independent recalls in early 2015 related to defective airbag deployments. The Jeep recall was due to software that detected rollover aggressively and deployed the airbags. The NHTSA recall was due to Takata airbags with faulty inflators.

As we bravely head to an IOT world where various devices and controllers are networked to external entities, such concerns will increase.

There are attacks on other car interfaces such as bluetooth, telematics unit and remote key. Recently (July) there was an attack on Jeep which caused an update to fix the bug. The Israeli media reported a couple startups, Argus and TowerSec could have prevented this attack.   Update Jan 2016: TowerSec is acquired by Harman – CES 2016 announcement.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s