By Omar Yang (Senior Threat Researcher, Automotive)
A car theft incident from 2022 highlighted the potential for using the same “CAN injection” technique on many car models. In this blog entry, we cover an overview of the CAN bus, how car thieves exploited its vulnerabilities to steal a vehicle, and how to mitigate the risk with intrusion detection.
The CAN bus at a glance
The CAN (Controller Area Network) bus was introduced in the 1980s as a communication protocol designed specifically for automotive applications. Before the introduction of the CAN bus, car manufacturers (OEMs) relied on multiple point-to-point connections, resulting in a complex and bulky wiring system. Today, the CAN bus is a widely adopted standard in the automotive industry, used in almost all modern vehicles.
It has several important features that enable efficient and reliable communication between different electronic control units (ECUs) and various subsystems in modern vehicles:
- Reduced wiring complexity: With the CAN bus, a single network cable can replace multiple point-to-point connections, reducing wiring complexity and costs. A vehicle typically has approximately 1,500 copper wires that add up to almost one mile in length. With the CAN bus, up to 50 pounds of wire weight can be trimmed off.
Figure 1. The CAN bus’s single network cable replaces vehicles’ previous multiple point-to-point connections.
Based on original image from CSS Electronics
- Improved reliability: The CAN bus uses a multi-master architecture, enabling all devices on the bus to communicate with one another without relying on a central controller. This improves the reliability of the system and eliminates single points of failure. In addition, a new device can be attached to the bus easily. The CAN bus also uses a nondestructive bitwise arbitration mechanism to ensure that only one device can transmit data at a time. This helps prevent data collisions and ensures the bus is used efficiently.
Figure 2. The CAN bus allows new devices to attach to it easily.
Based on original image from CSS Electronics
- Improved fault detection: The CAN bus includes built-in error detection and correction mechanisms, such as CRC (cyclic redundancy check) and ACK (acknowledgment), that help identify and correct transmission errors. This ensures the accuracy and integrity of data transmitted between different subsystems.
Figure 3. The CAN bus’s built-in error detection and correction mechanisms help identify and correct transmission errors.
Based on original image from CSS Electronics
As the automotive industry evolves, the CAN bus will continue to be an essential technology in this field. While newer communication protocols are available, the CAN bus remains the most widely used, thanks to its proven reliability, efficiency, and cost-effectiveness.
In addition, the automotive industry is increasingly using connected vehicle technologies. CAN bus will play a critical role in enabling communication between different connected vehicle systems, such as vehicle-to-everything (V2X), which includes vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communication systems.
Be that as it may, the CAN bus has shortcomings, and its vulnerabilities — such as those exploited in bus-off attacks, CANCAN, and weepingCAN — are nearly impossible to patch.
Incident timeline and analysis
The story begins with a cybersecurity researcher, Ian Tabor, who tweeted that somebody had messed with his SUV in April 2022. Initially, the front bumper was pulled off and left with a yanked-out headlight wiring plug.
Nearly three months later, the vehicle’s bumper was torn again. And two days later, the vehicle’s mobile companion app indicated that the car was moving. Tabor finally realized that his car had been stolen.
Figure 4. Ian Tabor’s tweet saying that his car had been stolen
Source: @mintynet on Twitter
After the car was stolen, Tabor and Ken Tindell, chief technology officer of Canis Automotive Labs, started investigating the incident. Tabor found a website that sells products for bypassing car security on various car models. For his vehicle, it was an emergency start mechanism, the electronics hardware of which was cleverly tucked inside a Bluetooth speaker. He broke down the speaker and found the PIC18F chip that was mainly responsible for the CAN injection attack.
Attack preparation
To pull off the attack, malicious actors need only a CAN injection device that can issue CAN packets; in this case, a PIC18F chip and its preloaded firmware. This device is intended to impersonate the smart key ECU.
Figure 5. Encircled in red are the cable’s two pins, CAN High and CAN Low, which are used to connect to the vehicle’s CAN bus.
Based on original image from Ken Tindell
Attack scenario
- Access the CAN bus wiring (through the headlights) to which the smart key receiver ECU is connected.
Figure 6. Left: The headlight is still connected to the vehicle’s CAN bus. Right: It is replaced by the CAN injector.
- Power on the CAN injector and send a wake-up frame to wake the CAN bus repeatedly until the device receives a response.
- After receiving the response, the CAN injector engages the dominant-override circuit, caused by the previously mentioned arbitration mechanism. This circuit blocks other devices from transmitting on the CAN bus and disables the error mechanism of the CAN bus protocol, preventing other ECUs from stopping the CAN injector and bypassing some security hardware.
- The CAN injector, now pretending to be the smart key ECU, sends a fake message, “Key is validated, unlock immobilizer,” in bursts to the car’s Gateway ECU.
- The Gateway ECU copies the fake message over to another CAN bus.
Figure 7. A simplified CAN bus diagram in the stolen vehicle
Based on original image from Ken Tindell
- The engine control system accepts the fake message and deactivates the immobilizer function.
- The CAN injector sends another fake CAN message, “Key is valid, unlock the doors,” in bursts to the door ECU and unlocks the car door.
Mitigation
As suggested by Tindell, the attack can be prevented in two ways: temporarily and permanently. The temporary solution is based on the functionality of the CAN injector to filter out messages. What makes it only a temporary measure is that attackers can quickly adapt and devise similar attacks. To address this issue, reprogramming the Gateway ECU can be an effective solution by forwarding the message only when no errors are detected within a specific time, leveraging the knowledge that the injector causes faults on the CAN bus and that it can send smart key CAN frames.
A permanent solution is to adopt a zero trust approach where CAN devices no longer trust messages from other ECUs by default. Instead, extra validation measures can be implemented in CAN frames to verify the authenticity of the ECUs. To accomplish this, the ECUs must be provisioned with secret keys and paired with a specific vehicle.
VicOne’s xCarbon can be integrated in the Gateway ECU. With CAN bus anomaly detection, it can accurately detect anomalous behaviors, including fake CAN messages from injection attacks. xCarbon can send information on anomalous events, such as anomalous CAN bus command sequences and frequency errors, back to the vehicle security operations center (VSOC) platform, for example, VicOne’s xNexus, for further investigation. Using the threat assessment and remediation analysis (TARA) methodology, OEMs can determine whether there is a real threat and can mitigate it in the life cycle impulse or next round of vehicle development.
To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.
This article was updated on May 8, 2023, at 10:00 a.m. UTC, to clarify VicOne’s xCarbon mitigation recommendation.
