02 Dec 2015

Exploring Controller Area Networks

https://www.usenix.org/system/files/login/articles/login_dec15_02_foster.pdf

The highly publicized attack by Miller and Valasek during the summer of 2015 once again drew attention to weaknesses in automobile security. All modern automobiles rely on a broadcast network called CAN, and interfaces into that network are actually required by law. In this article, we explain how the CAN bus works and how it can be exploited.

Background

The Controller Area Network (CAN) is a serial bus standard designed for reliable, real-time message delivery between distributed control systems. Originally intended for vehicle applications, the CAN bus standard has found its way into many types of control systems, such as those used in elevators, medical devices, and robots.

In automotive contexts, CAN buses are now commonly used to connect the various computers of a car (known in the industry as electronic control units, or ECUs) together.

The Controller Area Network Standard

Bosch, a German manufacturer of automotive control systems, began work on the Controller Area Network standard in 1983. Intel and Mercedes-Benz … “Automotive Serial Controller Area Network”

The CAN standard is optimized for low latency, high throughput, and reliable transmission.

CAN Buses in Vehicles

Since CAN was invented with automotive applications in mind, we should step back and explain why vehicle ECUs may want to communicate with each other. Early engine control systems were introduced to meet stringent new emissions limits.

Exploiting Vehicular Controller Area Networks

We now turn our attention towards how these automotive CAN buses can be abused.

Summary

Modern automobiles have dozens of control units that communicate with each other via CAN buses. CAN buses are a shared broadcast medium, and while they are designed for reliability, they aren’t designed to withstand malicious attacks.

Many critical aspects of a vehicle’s operation can be controlled with access to these buses, either by spoofing ordinary inter-ECU messages or by abusing diagnostic services. These CAN buses are becoming increasingly vulnerable to attack. Aftermarket devices plugged into the OBD-II port are in a position of privileged access and may themselves be vulnerable to wireless attacks. Furthermore, vehicles now incorporate wireless connectivity (e.g., Bluetooth, WiFi, and cellular) in their infotainment and telematics systems, further broadening the potential attack surface.
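Because CAN has no sender authentication, a spoofed frame that carries an ordinary ECU's identifier is indistinguishable from the real thing by content alone; what it does disturb is the timing of that identifier, since the legitimate ECU keeps transmitting on its usual period alongside the injected copies. The following is an added example (not code from the ;login: article or its authors) showing that detection idea: it parses frames in the text format written by the `candump` tool from can-utils, learns the mean inter-arrival interval per CAN ID from a baseline capture, and flags frames that arrive much sooner than that period. The log lines, identifiers (0x0C9, 0x1A1), payloads and the 50% ratio are all constructed for the demonstration.

```python
"""Timing-based spoof detection for periodic CAN frames.

Added example; not part of the original article. Assumes candump-style
lines such as "(1448996400.000100) can0 0C9#8021000000000000" and uses
constructed sample traffic rather than a real vehicle capture.
"""
import re
from collections import defaultdict
from statistics import mean

# candump text format: "(<seconds>) <iface> <ID hex>#<data hex>"
# A standard (11-bit) ID prints as 3 hex digits, an extended (29-bit) ID as 8.
CANDUMP_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump_line(line):
    """Return (timestamp, can_id, data_bytes) for one candump line."""
    m = CANDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised candump line: {line!r}")
    data = bytes.fromhex(m.group("data"))
    if len(data) > 8:  # classic CAN frames carry at most 8 data bytes
        raise ValueError("classic CAN payload exceeds 8 bytes")
    return float(m.group("ts")), int(m.group("id"), 16), data


def learn_intervals(lines, min_gaps=3):
    """Mean inter-arrival interval per CAN ID from a baseline capture.

    IDs seen fewer than min_gaps times are skipped: a single sighting says
    nothing about a period.
    """
    last_seen, gaps = {}, defaultdict(list)
    for line in lines:
        ts, cid, _ = parse_candump_line(line)
        if cid in last_seen:
            gaps[cid].append(ts - last_seen[cid])
        last_seen[cid] = ts
    return {cid: mean(g) for cid, g in gaps.items() if len(g) >= min_gaps}


def flag_injected(lines, baseline, ratio=0.5):
    """Flag frames arriving sooner than ratio * the ID's learned period.

    A legitimate ECU keeps its own schedule, so an extra copy of its ID
    squeezed in between two scheduled frames shows up as a short gap.
    Returns a list of (timestamp, can_id, payload_hex) for flagged frames.
    """
    last_seen, flagged = {}, []
    for line in lines:
        ts, cid, data = parse_candump_line(line)
        expected = baseline.get(cid)
        if expected is not None and cid in last_seen:
            if ts - last_seen[cid] < ratio * expected:
                flagged.append((ts, cid, data.hex()))
        last_seen[cid] = ts
    return flagged


def make_periodic(cid, period, count, payload, start=0.0):
    """Constructed traffic: `count` frames of one ID on a fixed period."""
    return [f"({start + i * period:.6f}) can0 {cid:03X}#{payload}"
            for i in range(count)]


def _by_time(lines):
    return sorted(lines, key=lambda l: parse_candump_line(l)[0])


# Constructed baseline: 0x0C9 every 10 ms, 0x1A1 every 100 ms (invented IDs).
BASELINE_LOG = _by_time(
    make_periodic(0x0C9, 0.010, 20, "8021000000000000")
    + make_periodic(0x1A1, 0.100, 5, "00FF")
)

# Constructed test window: the same schedule plus one injected 0x0C9 frame
# at t=1.043, i.e. 3 ms after the scheduled frame at t=1.040.
TEST_LOG = _by_time(
    make_periodic(0x0C9, 0.010, 10, "8021000000000000", start=1.0)
    + make_periodic(0x1A1, 0.100, 2, "00FF", start=1.0)
    + ["(1.043000) can0 0C9#8021FF0000000000"]
)


def run_demo():
    """Learn from BASELINE_LOG and report anomalies in TEST_LOG."""
    return flag_injected(TEST_LOG, learn_intervals(BASELINE_LOG))


if __name__ == "__main__":
    for ts, cid, payload in run_demo():
        print(f"t={ts:.6f} id=0x{cid:03X} data={payload}: arrived early")
```

The check is deliberately conservative: only the frame that breaks the schedule is flagged, not the legitimate frame that follows it, because the ratio is compared against the gap from the previous frame of the same ID. In a real deployment the baseline would be learned from a known-good capture of the specific vehicle, since periods differ between models and some IDs are event-driven rather than periodic and should be excluded from timing checks.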

However, with recent media attention on these types of vulnerabilities, we are hopeful that automakers and aftermarket device manufacturers will devote more resources to securing their products.