Mastering Car Hacking: An In-Depth Introduction — Part I
Automotive security has become a captivating subject for many security researchers. With the rise of autonomous vehicles such as Tesla's, its significance is only set to increase. When you operate a modern vehicle, you are essentially managing a highly advanced computer that happens to be equipped with wheels and a steering mechanism.
At the heart of this discussion lies the Controller Area Network (CAN), often referred to as the CAN Bus, which functions as the vehicle's central communication hub. This article delves into the realm of car hacking through the lens of reverse engineering CAN Bus protocols.
We'll utilize the ICSim software package developed by Craig Smith for hands-on experience with the CAN-Bus. ICSim provides a user-friendly dashboard featuring a speedometer, indicators for door locks, turn signals, and a control panel. This control panel enables users to interact with a simulated car network, allowing for actions such as acceleration, braking, and controlling various lights.
Contents Overview:
- Part 1: Configuring the Virtual Car
- Prerequisites
- Introduction to CAN
- Understanding CAN Operations
- Important Note: Lower ID = Higher Priority
- The Hypothetical Absence of CAN
- The Importance of CAN
- Required Hardware and Software for OBD Access
- Tools and Accessories
- Macchina M2
- CLX000
- Software Options
- Configuring the Virtual Environment
- SDL Library Requirements
- Installing CAN Utilities
- Downloading the Instrument Simulator
- Setting Up the Virtual CAN Network
- Running the Simulator
Part 1: Configuring the Virtual Car
The main aim of this guide is to provide a foundational understanding of automotive security. Hacking vehicles is notably more complex than other areas of cybersecurity.
While automotive security encompasses a wide range of topics, this guide zeroes in on the Controller Area Network (CAN), specifically focusing on sniffing CAN traffic, analyzing it, reverse engineering, and executing replay attacks on vehicles.
Car safety is indeed a thrilling area of research, especially with the advent of self-driving technology.
When you operate a vehicle today, you are in control of a highly sophisticated computer on wheels.
Although our demonstrations will utilize an instrument cluster simulator, similar techniques can be applied to actual vehicles with additional hardware. I will cover the additional materials needed at the end of this article.
This guide is intended to facilitate your entry into automotive security without the necessity of substantial hardware investments. The goal is to assist you in hacking a vehicle within a simulated environment.
In this article, you will learn about:
- CAN operations
- Accessing CAN via OBD-II
- Sniffing CAN traffic
- Analyzing and reverse engineering CAN traffic
- Replay attacks
- Denial of Service in CAN [Part 3 TODO]
- Manipulating CAN packets using Python
Prerequisites
For this tutorial, you will need:
- Any Linux distribution (Ubuntu will be used here)
- can-utils
- ICSim (an open-source car simulator available at https://github.com/zombieCraig/ICSim)
Introduction to CAN
The Controller Area Network (CAN) serves as the essential communication system among the various components of a vehicle.
Before the CAN system was created by BOSCH in 1985, automotive manufacturers relied on point-to-point wiring systems. As vehicles incorporated more electronic components, these systems became cumbersome and costly. The introduction of CAN effectively addressed this issue.
Simply put, CAN lets the different electronic modules within a vehicle communicate and share data. Its primary advantage is that many Electronic Control Units (ECUs) can communicate over a single shared cable; modern vehicles contain up to 70 ECUs.
In a vehicle, various systems such as the engine control unit, airbags, transmission, anti-lock braking systems, infotainment, and climate control must communicate. Direct wiring among all these units would be impractical, resulting in a tangled mess. CAN simplifies this with a single cable, enhancing communication efficiency.
CAN-Bus can be likened to a slower Ethernet LAN on which every frame is broadcast to every node, with traffic behaving more like UDP than TCP: there are no connections, no per-node addresses, and no acknowledgement of delivery at the application level.
It’s crucial to note that not all vehicle control systems utilize CAN, nor is CAN the sole communication protocol employed in automotive systems.
Other protocols like Bluetooth, GSM/LTE networks, and LIN also exist. Remember, CAN is just one avenue for potential vulnerabilities.
CAN Operations
Vehicles can have multiple nodes capable of sending and/or receiving messages. Each message carries an identifier (ID) that determines its priority and a data payload of up to eight bytes.
If multiple nodes transmit messages simultaneously, the message with the lower ID takes precedence over those with higher IDs. This process is known as priority-based bus arbitration. Messages with numerically lower IDs have higher priority and are transmitted first.
For example, a message from the braking system will take priority over that from the audio system.
Note: Lower ID = Higher Priority
If two or more nodes start transmitting at the same time, the bus compares their identifiers bit by bit. A dominant bit (0) overrides a recessive bit (1), so the node with the numerically lower ID keeps transmitting while the others back off and retry once the bus is free.
The CAN bus consists of two wires to which multiple devices connect. A CAN frame has three key components:
- Arbitration Identifier (the message ID, which also decides priority)
- Data Length Code (DLC, the number of data bytes, from 0 to 8)
- Data Field (the payload itself, up to eight bytes)
Let's explore the layout of a CAN data frame:
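To make the three frame fields and the arbitration rule concrete, here is an added Python example (not code from the original post or from ICSim). It parses lines in the format that candump prints, models which frame wins when several nodes transmit at once, and packs a frame into the 16-byte struct can_frame layout that SocketCAN uses on Linux. The interface name, IDs and payloads in CAPTURED_LINES are constructed for this example and are not ICSim's real identifiers; the candump line format and the can_frame layout are assumptions based on can-utils and the Linux SocketCAN headers.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Layout of struct can_frame as SocketCAN exchanges it with user space on Linux:
# u32 can_id, u8 dlc, 3 padding bytes, 8 data bytes (16 bytes in total).
CAN_FRAME_FMT = "=IB3x8s"
CAN_MAX_DLEN = 8
CAN_SFF_MASK = 0x7FF  # 11-bit standard identifier


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int  # numerically lower ID = higher priority on the bus
    data: bytes          # payload, 0 to 8 bytes

    def __post_init__(self) -> None:
        if not 0 <= self.arbitration_id <= CAN_SFF_MASK:
            raise ValueError(f"standard CAN ID out of range: {self.arbitration_id:#x}")
        if len(self.data) > CAN_MAX_DLEN:
            raise ValueError(f"payload is at most {CAN_MAX_DLEN} bytes, got {len(self.data)}")

    @property
    def dlc(self) -> int:
        """Data Length Code: the number of payload bytes."""
        return len(self.data)


def parse_candump_line(line: str) -> Tuple[str, CanFrame]:
    """Parse one line in the format candump prints:
    'vcan0  1F4   [2]  01 02'  ->  ('vcan0', CanFrame(0x1F4, b'\\x01\\x02')).
    The DLC in brackets must match the number of data bytes that follow."""
    iface, can_id, dlc_field, *data_hex = line.split()
    dlc = int(dlc_field.strip("[]"))
    data = bytes(int(byte, 16) for byte in data_hex)
    if dlc != len(data):
        raise ValueError(f"DLC {dlc} does not match {len(data)} data bytes in {line!r}")
    return iface, CanFrame(int(can_id, 16), data)


def arbitration_winner(contenders: Iterable[CanFrame]) -> CanFrame:
    """Model of priority-based arbitration: of the nodes that start transmitting at the
    same instant, the one whose identifier is numerically lowest keeps the bus. The
    others back off and retry, so this is the frame the bus carries first."""
    return min(contenders, key=lambda frame: frame.arbitration_id)


def pack_frame(frame: CanFrame) -> bytes:
    """Encode a frame into the 16-byte struct can_frame that a raw CAN socket sends."""
    padded = frame.data.ljust(CAN_MAX_DLEN, b"\x00")
    return struct.pack(CAN_FRAME_FMT, frame.arbitration_id, frame.dlc, padded)


def unpack_frame(raw: bytes) -> CanFrame:
    """Decode a 16-byte struct can_frame back into a CanFrame (standard IDs only)."""
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    return CanFrame(can_id & CAN_SFF_MASK, data[:dlc])


# Constructed sample of candump output: the IDs and payloads are invented for this
# example and do not correspond to any real vehicle or to ICSim's own frames.
CAPTURED_LINES: List[str] = [
    "vcan0  1F4   [2]  01 02",
    "vcan0  0A5   [8]  00 11 22 33 44 55 66 77",
    "vcan0  03C   [3]  DE AD 01",
]


def demo() -> CanFrame:
    """Parse the capture, pick the arbitration winner, and round-trip it through pack/unpack."""
    frames = [parse_candump_line(line)[1] for line in CAPTURED_LINES]
    winner = arbitration_winner(frames)
    assert unpack_frame(pack_frame(winner)) == winner
    return winner


if __name__ == "__main__":
    w = demo()
    print(f"bus carries ID {w.arbitration_id:#05x} first, DLC={w.dlc}, data={w.data.hex()}")
```

The DLC check in parse_candump_line is the kind of sanity test worth keeping when you later feed captured traffic into your own tooling: a frame whose declared length disagrees with its payload is either a capture artifact or something malformed, and silently trusting it is how decoders misread the bus.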
What if CAN Never Existed?
You may wonder why the CAN system was developed when other methodologies could have sufficed. Prior to the CAN bus, manufacturers employed point-to-point wiring systems.
For instance, if three components—steering, transmission, and ABS—were included in a car, all three would require interconnections. In a typical point-to-point setup, the steering system would connect to both the gearbox and ABS, leading to a complex web of wiring.
While manageable in vehicles with fewer components, imagine the chaos in a modern car with up to 100 different ECUs and components. Diagnosing wiring faults would be an arduous and costly process.
This led automotive engineers to propose CAN, which replaces the intricate wiring with two cables: CANH and CANL (CAN HIGH and CAN LOW). This streamlined approach allows for faster communication and simpler diagnostics.
Why Should You Care About CAN?
The significance of CAN lies in its ubiquity across nearly all vehicles, a requirement mandated by law, ensuring its continued relevance. Furthermore, the CAN bus was not designed with contemporary security considerations in mind.
To interface with your vehicle's CAN bus, you must access the diagnostic port, commonly referred to as the OBD. Although numerous diagnostic standards exist, most modern vehicles utilize the OBD-II protocol, which mechanics use to troubleshoot issues.
Locating the OBD-II port is relatively straightforward; it is typically situated near the front passenger or driver's seat and should be easily accessible.
For those interested in OBD pinouts, the following image illustrates the various pin connections.
Upon closer inspection, you'll find that pins 6 and 14 correspond to the CANH and CANL mentioned earlier.
Hardware and Software Necessary for OBD Access
To interact with the CAN bus, you need an OBD port and a "USB to CAN" adapter, as your computer cannot communicate directly with the CAN system.
You will require a device that connects to the OBD-II port on one end and to a USB port on the other, allowing you to send and receive CAN packets. Additionally, software capable of reading, writing, encoding, and decoding CAN packets is essential. With the right hardware and software, accessing CAN becomes feasible.
Tools and Accessories
The hardware necessary for connecting to the OBD-II port is widely available, with both expensive and budget-friendly options. High-end devices like Kvaser and EMS tend to be costly.
Alternatively, the USB2CAN interface for Linux offers excellent value for approximately 60 euros.
You'll also encounter devices based on ELM327 and Bluetooth. While these are inexpensive (around 10 euros), they are subpar for hacking purposes due to slower data rates, which may result in packet loss.
Macchina M2
My personal preference is the Macchina M2, priced at 85 euros. This open-source car interface enables communication with the CAN bus through OBD-II. Its modular design allows for the addition of WiFi, GSM, LTE, and BLE modules. The M2 features two CAN channels and is compatible with LIN.
To find out more about the Macchina M2, visit their website.
Both the USB2CAN and Macchina M2 have proven effective for my needs, delivering impressive performance.
CLX000
A cost-effective alternative is the CLX000 from CSS Electronics, designed for recording and transmitting CAN data, which can be visualized using the free Wireshark software. An add-on facilitates useful reverse engineering tasks.
The CLX000 is ideal for both visualization and telematics applications. For further information, refer to their website and explore their informative articles on CAN.
Software Options
For software, consider SocketCAN, the CAN networking stack built into the Linux kernel (together with the vcan virtual-interface driver), and can-utils, the user-space suite of tools built on top of it. Together they let you send, receive, encode, and decode CAN packets.
Wireshark is also a valuable tool for analyzing CAN packets.
If you wish to learn more about CAN operations without the risk of damaging your vehicle, ICSim is the tool to use!
Setting Up the Virtual Environment
The most cost-effective method to practice car hacking is by utilizing an instrument simulator. Thanks to Craig Smith and the open-source project ICSim, setting up and learning how to operate the CAN-Bus is straightforward.
Let’s proceed with the setup.
The Instrument Simulator Requires SDL Libraries
SDL is a cross-platform development library for handling graphics and audio. Since ICSim creates and animates a virtual control panel, SDL must be installed, which can be accomplished via apt-get.
sudo apt-get install libsdl2-dev libsdl2-image-dev -y
CAN Utilities Installation
To send, receive, and analyze CAN packets, we need CAN utilities. can-utils is a suite of Linux utilities that enable communication with the in-vehicle CAN network. It includes five main tools that are frequently used:
- cansniffer for sniffing packets
- cansend to transmit packets
- candump to display all received packets
- canplayer for replaying CAN packets
- cangen for generating random CAN packets
can-utils can be installed with the following command:
sudo apt-get install can-utils -y
Downloading the Instrument Simulator
The instrument cluster simulator generates simulated CAN traffic.
You can download it from the Git repository: https://github.com/zombieCraig/ICSim. If everything is successful, you will have the simulator's icsim and controls programs ready to run.
Preparing the Virtual CAN Network
Within the ICSim directory there is a shell script named setup_vcan.sh. It uses the modprobe command to load the kernel modules it needs, namely can and vcan. The final two lines create a vcan0 interface and bring it up to simulate the car network.
Run the following commands to establish a virtual interface:
./setup_vcan.sh
To verify the vcan0 interface, use the command:
ifconfig vcan0
Running the Simulator
Now, it's time to execute the simulator. The ICSim simulator requires at least two components: a dashboard and a controller to simulate acceleration, braking, door control, and turn signals. You'll need at least three terminal windows for operation: one for the dashboard, one for the controller, and another for executing commands.
Running the Dashboard
To launch the dashboard (the instrument cluster), run the file named icsim with the argument vcan0 (the interface we created earlier).
./icsim vcan0
At this stage, the instrument panel will not react: the speedometer, lights, brakes, and doors all stay idle. This is because there is currently no traffic on the vcan0 interface, and we must start the controller to generate it.
You can initiate the control panel with the following command:
./controls vcan0
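Once vcan0 exists and the simulator is running, the can-utils tools listed earlier (cansend, candump, cansniffer) can be reproduced in a few lines of Python using the raw CAN sockets the Linux kernel exposes. The following is an added example, not code from ICSim or from the original post; it assumes a Linux host on which ./setup_vcan.sh has already created vcan0, reads the interface state from sysfs the way "ifconfig vcan0" would, sends one constructed frame (ID 0x1F4, chosen for the example and not an ICSim identifier) through one socket, and sniffs it back through a second socket, tallying the IDs seen per the cansniffer model.

```python
import socket
import struct
import time
from typing import Dict, Optional, Tuple

CAN_FRAME_FMT = "=IB3x8s"   # struct can_frame: u32 id, u8 dlc, 3 pad bytes, 8 data bytes
IFACE = "vcan0"             # the virtual interface that setup_vcan.sh creates


def parse_cansend_spec(spec: str) -> Tuple[int, bytes]:
    """Parse the 'ID#DATA' notation cansend uses, e.g. '1F4#0102' -> (0x1F4, b'\\x01\\x02').
    Standard 11-bit IDs and plain data frames only."""
    can_id, sep, hexdata = spec.partition("#")
    if sep != "#" or not can_id or len(hexdata) % 2 or len(hexdata) > 16:
        raise ValueError(f"bad frame spec: {spec!r}")
    return int(can_id, 16), bytes.fromhex(hexdata)


def interface_is_up(iface: str) -> bool:
    """Same check as 'ifconfig vcan0': read the interface's operstate from sysfs.
    A vcan interface reports 'unknown' rather than 'up', so both count as usable."""
    try:
        with open(f"/sys/class/net/{iface}/operstate") as fh:
            return fh.read().strip() in ("up", "unknown")
    except OSError:
        return False


def open_can_socket(iface: str) -> socket.socket:
    """Open a raw SocketCAN socket bound to one interface (Linux only)."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.bind((iface,))
    return sock


def send_frame(sock: socket.socket, can_id: int, data: bytes) -> None:
    """What cansend does: pack ID, DLC and zero-padded data into a can_frame and write it."""
    sock.send(struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00")))


def recv_frame(sock: socket.socket, timeout: float = 1.0) -> Optional[Tuple[int, bytes]]:
    """Read one frame, or None if nothing arrives within the timeout."""
    sock.settimeout(timeout)
    try:
        raw = sock.recv(16)
    except socket.timeout:
        return None
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    return can_id, data[:dlc]


def sniff(sock: socket.socket, seconds: float) -> Dict[int, Tuple[int, bytes]]:
    """What cansniffer shows: per ID, how many frames were seen and the latest payload.
    Frames produced by the controls process show up here once it is running."""
    seen: Dict[int, Tuple[int, bytes]] = {}
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        frame = recv_frame(sock, timeout=0.2)
        if frame is None:
            continue
        can_id, data = frame
        count, _ = seen.get(can_id, (0, b""))
        seen[can_id] = (count + 1, data)
    return seen


def main() -> None:
    if not interface_is_up(IFACE):
        print(f"{IFACE} is not present; run ./setup_vcan.sh first")
        return
    # Two sockets on the same bus: on (v)CAN every node sees every frame, so the
    # second socket receives what the first one sends, just as candump would.
    tx, rx = open_can_socket(IFACE), open_can_socket(IFACE)
    can_id, data = parse_cansend_spec("1F4#0102")   # constructed frame, not an ICSim ID
    send_frame(tx, can_id, data)
    print("received:", recv_frame(rx))
    print("IDs seen in the next 2 s:", {hex(k): v for k, v in sniff(rx, 2.0).items()})


if __name__ == "__main__":
    main()
```

Run it in the third terminal while icsim and controls are active and the sniff summary will show the IDs the controller emits, which is exactly the starting point for the traffic analysis in Part 2. The absence of any sender identity in what recv_frame returns is the point worth noticing: a raw socket receives the frame and its ID, and nothing on the bus tells you which node put it there.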
vcan0 is the virtual CAN interface through which ICSim transmits and receives CAN frames. Once the control panel is operational, you may observe small fluctuations in the speedometer caused by the noise the simulator generates.
Once the control panel is active, you can use keyboard keys to simulate movement.
By using specific key combinations, you can manipulate the ICSim control panel. For instance, pressing the up arrow and left arrow keys will yield the following results:
This concludes the setup process. If you have followed the instructions carefully, you should now have comprehensive control over the simulated vehicle. In Part 2, I will discuss methods for exploiting traffic and further vehicle hacking techniques.