Hacking the CAN Bus: Presentation

  • Published: 19 Jun 2024
  • Hacking the CAN Bus - Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering
    Roderick Currie is a cyber security professional with 12 years of industry experience, and is a participant in the Master of Science in Information Security Engineering (MSISE) program at SANS Technology Institute (STI).
    For a more detailed description of the techniques described here, please see the accompanying research paper at the following location:
    www.sans.org/reading-room/whi...
  • Auto/Moto

Comments • 102

  • @WayneRiesterer 5 months ago +1

    This reminds me of what 'old-school hacking' was all about - tinkering beyond typical limits to achieve something cool. I understand how these things can be used for malicious reasons, but the greatest benefit of such knowledge in my view is that it opens up a lot of opportunities to make some cool car gadgets. One of the problems that could arise if security is tightened up on automotive communications/control systems is that it could end up being a lot more difficult to have fun making custom gauges, interfaces, audio systems or perhaps even one touchscreen to rule them all. I wonder what Richard Stallman would create as far as automotive systems go...?
    Great video! I know this is 6 years on, but the information is still just as relevant in 2024 as it was 6-7 years ago; highlighting what you mentioned about companies not doing much about security. Hopefully they only secure the safety features and leave the rest open for tinkering :)

  • @bertmonkey8457 6 years ago +4

    I am not a computer person by any means, I just have a great curiosity regarding CAN bus and OBD2 (motorbikes / data acquisition). Your video is great. Easy to follow and has helped me understand how easy / hard it is to get into either system. And how little I know!
    Thanks

    • @RodCurrie 6 years ago

      Thank you for your feedback!

  • @LordTominator 4 years ago +1

    Thanks for publishing this video! It was very helpful in developing an ISO9141 to CANbus data transceiver.

    • @jlaustill 2 years ago

      Have you posted the code anywhere?

  • @AK-yn4br 4 years ago

    Hi Roderick, thank you for the nice presentation. What inexpensive hardware would you recommend to use in conjunction with Linux tools?

  • @alexanderSydneyOz 6 years ago

    Rod, that is one really first class presentation. A great mix of theory and practice, and not a single wasted word in 40 mins. What a fascinating world boys (primarily.... ) have created in which to play! Many thanks.

  • @Tracks777 7 years ago +1

    Great! Keep it up!

  • @nicolasprange103 6 years ago +2

    Thank you for the video!

  • @steveguest8028 4 years ago +2

    Great video very interesting

  • @kyleagronick9627 5 months ago +1

    I like having an insecure canbus. Makes it easy to see what is going on.

  • @themeister4876 6 years ago +6

    I've successfully found the codes that control the A/C on my car and the fan speed and stuff. I was wondering if you've ever worked with writing sketches in Arduino to control the vehicle through apps like Blynk. Do you know of any resources that could teach me how to write sketches or scripts to control the vehicle?

    • @LochyP 5 years ago +1

      Hey. I realise it's been a year, but please would you tell me how you found the code for air con? I can't :(

    • @x7royalhbb943 3 years ago

      @LochyP stop lying, you realise nothing
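The question in the thread above (how to find the bytes that control the air conditioning) comes down to the method the presentation uses throughout: record the bus with the function idle, record it again while operating the control, and look for the arbitration ID and byte offsets that change between the two captures. The following is an added Python example, not code from the video, the paper or anyone in the thread. It reads the log format written by `candump -l` from Linux can-utils; the capture, the IDs (0x123, 0x456, 0x789) and the payload values are constructed for illustration and do not correspond to any real vehicle.

```python
import re
from collections import defaultdict

# One line of a `candump -l` log file looks like: "(timestamp) iface ID#DATA".
LOG_LINE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Constructed sample capture (not a real vehicle log). IDs and values are made up:
#   0x123 carries a 16-bit big-endian value in bytes 0-1 that ramps while the rest stays 0,
#   0x456 never changes,
#   0x789 has one bit in byte 2 that toggles, the usual signature of a switch or button.
SAMPLE_LOG = """\
(1508000000.000100) can0 123#0BB8000000000000
(1508000000.000200) can0 456#00FF00FF00000000
(1508000000.000300) can0 789#0000000000000000
(1508000000.010100) can0 123#0C1C000000000000
(1508000000.010200) can0 456#00FF00FF00000000
(1508000000.010300) can0 789#0000010000000000
(1508000000.020100) can0 123#0C80000000000000
(1508000000.020200) can0 456#00FF00FF00000000
(1508000000.020300) can0 789#0000010000000000
(1508000000.030100) can0 123#0CE4000000000000
(1508000000.030200) can0 456#00FF00FF00000000
(1508000000.030300) can0 789#0000000000000000
""".splitlines()


def parse_log(lines):
    """Return a list of (timestamp, can_id, data bytes) tuples, skipping malformed lines."""
    frames = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue
        frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def distinct_values(frames):
    """Per CAN ID, the number of distinct values seen at each byte offset."""
    seen = defaultdict(lambda: defaultdict(set))
    for _, can_id, data in frames:
        for offset, value in enumerate(data):
            seen[can_id][offset].add(value)
    return {can_id: [len(seen[can_id][i]) for i in sorted(seen[can_id])] for can_id in seen}


def changing_bytes(frames):
    """Per CAN ID, the byte offsets that ever change. Static IDs map to an empty list."""
    return {can_id: [i for i, n in enumerate(counts) if n > 1]
            for can_id, counts in distinct_values(frames).items()}


def toggle_bytes(frames):
    """Bytes that only ever take two values: candidates for an on/off signal."""
    return {can_id: [i for i, n in enumerate(counts) if n == 2]
            for can_id, counts in distinct_values(frames).items()}


def decode_be16(frames, can_id, offset):
    """Interpret two bytes at `offset` in every frame of `can_id` as a big-endian integer."""
    return [int.from_bytes(data[offset:offset + 2], "big")
            for _, cid, data in frames
            if cid == can_id and len(data) >= offset + 2]


def mean_period(frames, can_id):
    """Average interval between frames of one ID; periodic IDs are usually sensor or gauge data."""
    stamps = [ts for ts, cid, _ in frames if cid == can_id]
    if len(stamps) < 2:
        return None
    return (stamps[-1] - stamps[0]) / (len(stamps) - 1)


if __name__ == "__main__":
    frames = parse_log(SAMPLE_LOG)
    for can_id, offsets in sorted(changing_bytes(frames).items()):
        print(f"ID 0x{can_id:03X}: changing bytes {offsets}, "
              f"period {mean_period(frames, can_id):.3f}s")
    print("0x123 bytes 0-1 as uint16:", decode_be16(frames, 0x123, 0))
```

On a Linux host with SocketCAN, the capture this parser reads comes from bringing the interface up at the bitrate of the bus segment you are tapped into (for example `ip link set can0 up type can bitrate 500000`, a common high-speed rate; a wrong bitrate gives an empty or error-filled capture) and then logging with `candump -l can0`. A byte with exactly two observed values may be a switch or just a slowly moving counter, as byte 0 of 0x123 shows in the sample; a longer capture, and a second capture with the control in the other state, separate the two.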

  • @hfe1833 3 years ago +1

    Crystal clear and well explained. Just one question: so CAN bus is like UDP broadcast, with no assurance that nodes have received the message?

    • @RodCurrie 3 years ago +1

      That is correct. The UDP analogy is a good one. The CAN protocol is a lot like UDP in that a sender has no way of knowing (usually) if a message reached its intended target or not.

    • @hfe1833 3 years ago +1

      @RodCurrie I like your presentation sir, even if it's a little older it beats some new tutorials on RUclips today. By the way, I'm talking about B-CAN: is it the LIN bus or still CAN bus?

    • @RodCurrie 3 years ago +1

      @hfe1833 Thanks! 👍 The presentation is definitely a bit dated now. I posted this more than 3 years ago. Tech changes fast. As for CAN and LIN, CAN is separate from LIN. B-CAN is still CAN.

  • @1sxyrxy 6 years ago +1

    Were you able to roll the miles back? I work for Mercedes, and the miles are stored in the ignition switch; people open them and install a little module that rolls back the miles in the cluster.

    • @1sxyrxy 6 years ago

      The device needs to stay intact, so you can find it inside the EIS, which is where the key goes.

    • @RodCurrie 6 years ago +1

      For the 8th gen. Honda Civic, the odometer value is stored in the gauge cluster. The easiest way to lower the displayed mileage on this vehicle is a gauge cluster swap... preferably from a vehicle with less miles.
      When carrying out the CAN bus experiment, I found that a higher value transmitted on the CAN bus would cause the odometer to increment faster. But I was not able to find any way to decrement the value. There is no way to transmit a negative value. It is possible that a separate CAN message ID exists for the sole purpose of rolling back the odometer for diagnostic or maintenance purposes, but I was not able to find one.

    • @tnamen1307 4 years ago

      @RodCurrie I'm planning to hack my car (i20) to automatically lock the doors after reaching some speed and unlock them when the engine is off.
      So, which variant of CAN bus shield is suitable for my project? Thanks.

  • @mitchimal 7 days ago

    Great work mate

  • @abdullaalblooshi2406 3 years ago +1

    Thank you.
    Very informative and crystal clear explanation.
    Just wondering which online repair data service (paid subscription) you used ?
    Is it ALLDATA or something else?

    • @RodCurrie 3 years ago

      I used ALLDATA and Mitchell OnDemand.

    • @abdullaalblooshi2406 3 years ago +1

      @RodCurrie Wish you all the best and thanks for the quick response.

  • @AK-yn4br 4 years ago +1

    It seems the CANtact you mentioned is an abandoned project and no longer available. What else would you suggest?

    • @RodCurrie 4 years ago +1

      That's unfortunate that CANtact is no longer available. CANable looks like it might serve the same function, although I have never used it. I'd also recommend looking into the Macchina M2, which is actually far more capable than CANtact but requires a different wiring setup.

  • @cskiles 5 years ago +1

    Very cool! Do you do any consulting on CAN related projects?

    • @RodCurrie 5 years ago

      Unfortunately, my current employer forbids it.

    • @cskiles 5 years ago

      Totally understand. Would love to chat sometime. Not trying to get free work, just curious about some of the core concepts and how they might be applied in an automotive customization platform instead of security.

  • @edyang6662 5 years ago +1

    good job!

  • @dvacchi 7 years ago +1

    Well done!

  • @GaryL3803 6 years ago +1

    So would the engine fuel shutoff occur if the engine RPM was spoofed over the rev limiter? Fairly easy way to disable the vehicle.

    • @RodCurrie 6 years ago +4

      For this research, the engine RPM data that I spoofed was only intended for the gauge cluster. So it had no impact on any other parts of the vehicle. However, there are many ways that spoofed data could be used to fool the vehicle into thinking a negative situation is occurring. Imagine spoofing a signal from a collision sensor and causing the airbags to deploy. Or for vehicles with automatic braking, you could spoof a message from a sensor to make the vehicle think an object is directly ahead, causing the vehicle to brake suddenly. We're just at the tip of the iceberg on this stuff...

    • @scottb4029 3 years ago

      @RodCurrie "security researchers", nice.

  • @thebluntedcarguy7163 4 years ago

    Can you possibly have something like this for use as a car customizer? For example, I love the new Land Rover Range Rover full digital dash/gauges and would like to install it into a 1990s Honda or a 1985-1993 Ford Mustang and be able to show all the data for the engine, transmission, brakes, etc. (you get the point). Just a way to fully customize it to our liking and have it fully compatible/working with some wiring and maybe changing a few sensors, and use the outputs of stock or custom ECUs (engine control units).

  • @PhanNhuNgoc 2 years ago

    How can I know the CAN address when transmitting a data package? Do you have addresses for other cars like Kia, Ford, Toyota...?

  • @lagresomadsl 1 year ago

    Where does Volvo store the expected software numbers within the CAN network for all the control modules attached to MS CAN or HS CAN?
    Got 2 used control modules, and both of them are setting U030000 incompatible software and U012200 lost communication.

  • @vk-lt9wv 3 years ago +2

    How did you handle the case with CRC used in CAN message. In case of transmitting new data(not replaying old data) with specific CAN ID, how did you manage to calculate the CRC, that is correctly received by the receiver ECU?

    • @RodCurrie 3 years ago +1

      For this research I ignored CRC completely and just sent the data without verifying that it was received or processed by the receiving unit. This is not the best way to go about sending data on the CAN bus, but it worked at least as a basic proof of concept.

    • @vk-lt9wv 3 years ago

      @RodCurrie How would you go about decoding the CRC polynomial from the given CAN dump? Do you have any ideas? Does it even make sense, and is it possible to retrieve the CRC polynomial? This would enable us to introduce a spoof ECU on the bus and send spoofed messages to valid receivers.

    • @RodCurrie 3 years ago +1

      @vk-lt9wv I am sure it could be done if you have a large enough sample of data and the time needed to analyze it all. It's really just a case of observing the data and looking for patterns. I cut my research short due to time limitations, but I would have liked to take this further, including figuring out the CRC field. I often experienced a problem during CAN playback where messages would be ignored by the receiver or the interface would reset completely. I believe an incorrect CRC was the root cause of this.

    • @vk-lt9wv 3 years ago

      @RodCurrie Do you mean to say that some of the ECUs in your vehicle were able to receive messages without the CRC field set? i.e. the ECUs were able to receive raw CAN packets (with correct IDs).
      I was under the assumption that all ECUs that receive messages without the CRC field would just reject the message. But in your case that doesn't seem to be the case. Could you explain a bit more on this?
      Secondly, just by observing the data and looking for patterns, would reverse engineering the CRC part not be possible? Or would it be?

    • @RodCurrie 3 years ago +1

      @vk-lt9wv It's my opinion that you could reverse-engineer the CRC by analyzing recorded CAN data. I haven't tried, but I am confident it could be done.
      And yes, I did find that some ECUs will accept and process CAN messages without the CRC being correct, or even with no CRC value being provided. However, if you fire off too many messages with invalid CRC fields then the receiving unit will eventually get upset and start ignoring them.

  • @PVFood 3 years ago

    Great..

  • @alitehrani3415 3 years ago +1

    Hi,
    It was a great video.
    But all the hacking you mentioned can easily be done with a good diagnostic tool; you go to the special functions of the tool and it can do everything you mentioned.

    • @RodCurrie 3 years ago

      Thanks for watching the video! I understand your point, and you are absolutely right. However, this is more of a "proof of concept" to show some of the basic things you can do once you are on board the CAN bus.
      Imagine you are able to gain access to the CAN bus remotely via a Bluetooth exploit or a vulnerability in a vehicle's on-board Wi-Fi. This video shows that you can send commands over CAN to manipulate the vehicle.
      Messing with the digital display is not particularly exciting. But the same concept could be used to manipulate the accelerator, brakes, steering, etc.
      Gotta look at the big picture.

    • @alitehrani3415 3 years ago +1

      @RodCurrie
      Thanks a lot for your reply, you are right.

  • @jeffreyblack666 3 years ago +1

    Saying the CAN bus is a problem is like saying a USB port on a server is a problem.
    Trying to encrypt it will not solve the issue of a compromised device giving you access to the CAN bus.
    It also raises other issues of your ability to control your own device. Shouldn't you be able to access the CAN bus?
    So the CAN bus doesn't seem to be the problem.
    The problem is things which allow you to remotely gain access to it.
    You shouldn't be able to compromise a web browser and gain access to the CAN bus. And the segregation of the 2 separate CAN buses seems to do that well.

  • @DzpcbElectronicWorld 5 years ago +2

    That B-CAN bus, isn't that also called the LIN bus, which is a 1-wire bus?

    • @RodCurrie 5 years ago +1

      On the Honda Civic I worked on, LIN and B-CAN are separate. They are each single-wire buses, but they perform different functions. I found that LIN is used to connect the alternator, battery sensor, DC converter, and engine control module. B-CAN is used for less critical functions such as climate control, air temperature sensors, etc.

    • @DzpcbElectronicWorld 5 years ago

      @RodCurrie It's good to know, thank you.

  • @OveA100 5 years ago +3

    A very interesting and educational video on the CAN bus. But you can't compare hacking a car's CAN bus to defacing a web site. A web site is accessed remotely, and you accessed the CAN bus directly on the hardware. That is like accessing a computer hosting a web site directly on the hardware. This is always insecure. The problems with modern cars are remote access (Wi-Fi or Bluetooth) through, for example, an insecure entertainment system that is directly connected to the CAN bus of the vehicle.
    If you let the mischief-makers inside your vehicle, then you certainly are going to be pwned!

    • @RodCurrie 5 years ago +1

      Thank you for the feedback. You are correct that this does not replicate a real-world attack scenario. This is more just a proof of concept. However, it has been shown that modern vehicles are extremely vulnerable via various remote interfaces. The Miller and Valasek hack of a Jeep Cherokee worked via the car's cellular interface. They exploited a factory design flaw. How many vehicle owners are out there driving around right now in vehicles with insecure, exposed remote interfaces?

  • @luckyluke4931 5 years ago +3

    10:47 Did you break the law by altering your odometer? You did not list it as an exception to the law in your presentation.

    • @RodCurrie 5 years ago +1

      Short answer: Yes
      Long answer: No one would prosecute this because it was not done with intent to deceive.
      Modifying a vehicle’s odometer is illegal in the United States under Title 49, U.S. Code Chapter 327, which prohibits the “disconnection, resetting, or alteration of a motor vehicle's odometer with intent to change the number of miles indicated thereon."

  • @SimonPlatten 6 years ago +1

    I've just received my USB2CAN module. I'm struggling to get it installed; I only have a MacBook Pro, for which there is no support, so I've installed VirtualBox and Ubuntu in a virtual machine, but the instructions for building the drivers on Linux are not very good. Can you help?

    • @RodCurrie 6 years ago

      Simon, I prefer to use CANtact as my CAN-USB interface. However, I did some research online and found a pretty detailed walkthrough of using USB2CAN on Linux here: 78.20.42.79:8080/posts/Installing%20USB2CAN%20on%20Linux/ Assuming you are using the drivers from 8devices (github.com/krumboeck/usb2can/), you should only need to extract the files, cd to the extracted directory, and run the "make" command (as root).

    • @SimonPlatten 6 years ago

      Thank you, I've now got the USB2CAN device recognised and working in both a Windows 7 virtual machine and Ubuntu 16.04 virtual machine running on VirtualBox on my MacBook Pro.

    • @RodCurrie 6 years ago

      Glad to hear it. Now you're ready to start hacking your car. Be sure to post your results!

    • @SimonPlatten 6 years ago

      I've just tried connecting the USB2CAN to my car with the cable I purchased, whose pinout I've checked and I'm pretty sure is OK, but having connected it to my car's OBD-II socket and using the Linux tools cansniffer and Kayak, I don't see anything at all???

    • @RodCurrie 6 years ago

      A couple of important things to check... make sure you are binding the interface correctly and make sure you have specified the correct bitrate. Take a look at my paper entitled "Hacking the CAN Bus" (link is in the description). If you skip to pages 27 and 28, you'll see some discussion on binding the interface and setting the bitrate. Keep in mind the paper is written around using the CANtact device, so there may be some slight differences in how USB2CAN works.

  • @stevef.m.2188 3 years ago +1

    Thanks

  • @marshalparker4434 2 years ago +1

    Simply do NOT attach powertrain systems to cellular. Chrysler could have released a TSB calling to detach the Infotainment B bus from the Star CAN connector. That way wireless and powertrain are isolated from scammers, just wanting more security.

  • @lokubud7640 5 years ago

    Hi Roderick, it's nice research and a nice presentation. I am a digital forensics student at AUT Auckland. One quick question: have you physically connected to the OBD port in the vehicle? And can I contact you via email if I need any help? Regards, Loku.

    • @RodCurrie 5 years ago

      Yes, I had a physical connection to the OBD-II port for this project. Feel free to email me. My address is on the paper. Link in description. Thanks

  • @sosscs 11 months ago

    How can you clone the firmware?

  • @glasser2819 2 years ago +1

    Don't expect car manufacturers to start integrating pieces of architecture Bosch has not yet designed.
    Security is always an afterthought because it eats into profits 🙂

  • @DrKnow65 6 years ago +1

    The body control module passes select packages between the two isolated buses.
    Via the can bus one could...
    Roll up the windows and keep them up,
    Lock the doors and keep them locked,
    Set off all the airbags,
    Disable the power steering,
    Fool the anti-lock brakes so that the brake pedal has no effect,
    Wide open throttle the engine,
    Full field overcharge the battery,
    Keep the fuel pump turned on after a crash
    Even alter the ignition timing in the engine to intentionally cause backfiring to promote a vehicle fire...
    Scary stuff!
    You could have really upped the impact of your speech if you had gone into the implications a little farther.
    Also, a fair number of ECUs were equipped with RF linking to enable checking emission codes "on the fly".
    So wireless access doesn't necessarily require a cellular connection like the Tesla from your example, just proximity to the vehicle.

    • @RodCurrie 6 years ago

      The implications are huge. The only limit is your imagination!

    • @Mr_Smith_369 6 years ago

      DrKnow65
      a new application for a drone...

  • @abc123evoturbobonker 3 years ago

    Bit alarmed by the use of the word attack here; like you say, with a direct connection the only level of security is the black-boxness of the software in each module, and establishing what each data packet does is mostly just elimination and testing time. Those speed conversion factors are often listed (due to wheel size and market and different dash configuration) within any OBD tool for the car for soft coding. You slightly mentioned different CAN protocols but didn't say that on many vehicles with a gateway module you'll have to pick carefully where you join the network if you want to play effectively.
    A more attacky thing would be how to circumvent the software to carry out custom updates without pulling the EEPROM, like imitating a factory tool.... yes yes I know, hide a data sniffer inside and send in your car for a software update, but that's not fun.
    Most half-decent automotive oscilloscopes can record and decode CAN these days, and if you prefer doing things the fun way Arduino is totally the way to go imo.
    Re the radio hack you mention at the start, it's sparked my interest; I assume that somehow forces the radio to then send spoofed CAN signals into the network? On most cars the infotainment is on a higher baud rate than the drivetrain and comfort CAN networks; I'm guessing gateway modules are there now to block those spurious packets?
    Thank you for the vid!

    • @abc123evoturbobonker 3 years ago

      Also, pushing this security... yes, remote hacks need to be stopped, but as a car user in a pandemic I find it very frustrating that I'm not easily able to get the information required to service and repair my car... it's 13 years old and still the only way to get a new key is basically the dealer, and if any ECU module goes bad 99% of the focus is on throwing it away because we don't know how to repair it, not because we don't know what's on the PCB but because we don't know what's written to the chips.
      Example being 00003 codes on VW: it's the 'part defective' code for each module and is only erasable with a full software rewrite. Even if it was just caused by a bad LED and it's repaired, you'll be spending 1000s because the code only goes with a reflash that most VW workshops don't even know about, thanks to VAG secrecy. 13 years!!! Damn it lol!

  • @byronwatkins2591 4 years ago +1

    If you are going to copy his work, you could at least give Eric Evenchick some credit.

    • @RodCurrie 4 years ago +1

      This is a very ill-informed comment. I have not "copied" any of Eric's work. I conversed numerous times with Eric about this project back in 2017 while I was working on it. I also credit Eric in the video as well as on Page 16 of the associated research paper (link in description). I am a fan of Eric's work and he knows it.

  • @thghho 5 years ago

    Hello Sir, do you know of any ready-made or DIY device available on the market which can detect a running engine's RPM (via a non-contact method or via the crankshaft sensor) and then, via a "CAN protocol output", pass this RPM value on to any of the following DC controllers (to control a DC motor's RPM)?
    1. www.nocoev.com/product/curtis/manual/1229%20(15B).pdf
    2. www.nocoev.com/product/curtis/manual/1244%20(13E).pdf
    3. OR any other 200+ Amp DC motor SPEED & TORQUE controller (which you would recommend)
    Please do let me know if you know of an appropriate device.
    Thanks!

  • @user-oo2gz9ln8v 4 years ago

    22:50

  • @snivesz32 2 years ago

    This really isn’t hacking, it’s just reading a network and replaying packets.

    • @RodCurrie 2 years ago +1

      Hacking is a catch-all term for any type of misuse of a computer to break the security of another computing system to steal data, corrupt systems or files, commandeer the environment or disrupt data-related activities in any way. Unfortunately, this isn't quite as glamorous as the way Hollywood portrays hacking on the big screen.

    • @snivesz32 2 years ago +1

      @RodCurrie Right, CAN bus is only physically secured; there is no security layer and therefore there is nothing to actually break.

  • @rexjames0015 3 years ago

    ABSOLUTE CRAP