Welcome back! I hope you have gone through the previous blogs, where we discussed “Automotive Security Introduction” and “Automotive Attack Surface”. In this blog we will look into one of the most widely used protocols in vehicles, the CAN bus protocol, and why vehicles need it in the first place.
Connected vehicles are moving towards autonomous/self-driving vehicles, where vehicle data is used both to make journeys more efficient and to develop the self-driving software itself.
Tesla, one of the most advanced electric vehicle companies, collects a large amount of sensor data and also uses CAN bus for internal communication. All of these advancements rely heavily on the data collected from multiple sensors. Even ordinary cars, which contain anywhere from dozens to over a hundred ECUs, need a channel that is extremely robust and efficient.
CAN bus, short for Controller Area Network, was originally developed by Robert Bosch GmbH starting in 1983. ISO later standardised it: ISO 11898-1 covers the data link layer, ISO 11898-2 covers the physical layer for high-speed CAN, and ISO 11898-3, released later, covers the physical layer for low-speed, fault-tolerant CAN.
CAN bus is a message-based protocol rather than an address-based one: a frame carries an identifier that describes its content, not the address of a sender or a receiver. Physically it consists of a twisted pair of two wires, CAN_High and CAN_Low. It is used in applications where many short messages have to be shared with high reliability in a harsh environment. This is why automotive manufacturers picked CAN instead of running complex dedicated signal lines to each and every node (ECU) in the vehicle network.
CAN bus uses differential signalling. “Differential signalling is a method for electrically transmitting information using two complementary signals. The technique sends the same electrical signal as a differential pair of signals, each in its own conductor. The pair of conductors can be wires or traces on a circuit board.”
In simple words, it transmits data through the voltage difference between the two wires rather than the voltage of either wire relative to ground. Noise picked up along the cable affects both wires almost equally, so it cancels out in the difference, which makes the transmission resistant to electrical interference. CAN has two logic states:
- Dominant: the differential voltage (CAN_High minus CAN_Low) is above the minimum threshold. The dominant state represents a logic ‘0’ on the bus.
- Recessive: the differential voltage is below the minimum threshold (both wires sit at roughly the same voltage). The recessive state represents a logic ‘1’.
A dominant bit always overrides a recessive bit: if any node on the bus drives dominant, every node reads dominant. The bus therefore behaves like a wired-AND, which is what makes the arbitration described below work.
CAN Packet Structure
In order to understand more about CAN bus, let’s take a look at the most commonly used frame format, the standard (11-bit identifier) data frame from CAN 2.0A, whose data link layer is specified in ISO 11898-1.
- SOF: Start of Frame, a single ‘dominant 0’ that notifies other nodes that a CAN node intends to talk and synchronises their receivers.
- ID: the 11-bit frame identifier. Lower ID values have higher priority on the bus, because CAN uses non-destructive bitwise arbitration (explained below).
- RTR: Remote Transmission Request; dominant (0) for a data frame that carries data, recessive (1) for a remote frame that requests data from another node.
- Control: contains the Identifier Extension bit (IDE), which is a ‘dominant 0’ for 11-bit frames, a reserved bit (r0), and the 4-bit Data Length Code (DLC) that specifies how many data bytes the frame carries (0 to 8).
- Data: the payload, 0 to 8 bytes, which can be extracted and decoded for information.
- CRC: a 15-bit Cyclic Redundancy Check, followed by a recessive delimiter bit, that covers everything from SOF to the end of the data field and is used to detect corrupted frames.
- ACK: the acknowledge slot. The transmitter sends it recessive; every node that received the frame with a correct CRC overwrites it with a dominant bit, so the transmitter knows at least one node received the frame correctly. A second, recessive bit acts as the ACK delimiter.
- EOF: End of Frame, seven recessive bits that mark the end of the CAN frame.
CAN uses non-destructive collision avoidance. If two nodes start transmitting at the same time, they send their arbitration field bit by bit while reading the bus back. As soon as a node sends a recessive ‘1’ but reads a dominant ‘0’, it knows that another node with a lower (higher priority) ID is transmitting; it stops immediately and switches to receiving, so the winning frame is never corrupted. The losing node retries as soon as the bus becomes idle again.
The arbitration ID therefore encodes the message’s priority, which is decided by the designer when the network is designed. Message priority is very important in an autonomous car: an obstacle-detection message should reach the braking system before an air-conditioning message does. CAN also uses bit stuffing: after five consecutive bits of the same value, the transmitter inserts one bit of the opposite value. This keeps receivers synchronised to the transmitter’s clock, and a sixth identical bit in a stuffed region is detected as a stuff error. Stuffing is a synchronisation and error-detection mechanism, not an efficiency gain; it actually adds a few bits of overhead to each frame.
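To make the frame layout, the CRC, bit stuffing and arbitration above concrete, here is an added example (not code from the original post, and not talking to any real hardware) that builds a standard 11-bit data frame bit by bit and simulates several nodes arbitrating for the bus. The CRC polynomial, field order and stuffing rule are the ones from the CAN 2.0 specification; the identifier 0x7DF and the three data bytes in the usage section are just sample values.

```python
"""
Bit-level model of a CAN 2.0A standard data frame and of bus arbitration.

Added example for this post, not code from the original article. The bus is
simulated in software; nothing here talks to real hardware. Field order,
CRC polynomial and stuffing rule follow the CAN 2.0 specification; the sample
identifier 0x7DF and payload used under __main__ are constructed values.
"""

CRC15_POLY = 0x4599  # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1, x^15 implicit


def int_to_bits(value, width):
    """MSB-first bit list of `value` in `width` bits."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def crc15(bits):
    """CRC-15 as the CAN spec defines it: 15-bit shift register, initial
    value 0, feedback = bit 14 of the register XOR the next frame bit."""
    reg = 0
    for b in bits:
        feedback = ((reg >> 14) & 1) ^ b
        reg = (reg << 1) & 0x7FFF
        if feedback:
            reg ^= CRC15_POLY
    return reg


def bit_stuff(bits):
    """After five consecutive equal bits insert one complementary bit.
    The inserted bit counts towards the next run, exactly as on the wire."""
    out, run_bit, run = [], None, 0
    for b in bits:
        out.append(b)
        run_bit, run = (b, run + 1) if b == run_bit else (b, 1)
        if run == 5:
            stuffed = 1 - b
            out.append(stuffed)
            run_bit, run = stuffed, 1
    return out


def build_data_frame(can_id, data):
    """Assemble the fields of a standard (11-bit ID) data frame.

    Stuffing covers SOF through the CRC sequence. The CRC delimiter, ACK slot,
    ACK delimiter and EOF have a fixed form and are never stuffed."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError("standard identifiers are 11 bits")
    if len(data) > 8:
        raise ValueError("a classic CAN frame carries at most 8 data bytes")
    sof = [0]                                     # dominant start bit
    arbitration = int_to_bits(can_id, 11) + [0]   # ID, then RTR = 0 (data frame)
    control = [0, 0] + int_to_bits(len(data), 4)  # IDE = 0 (11-bit), r0, DLC
    payload = [bit for byte in data for bit in int_to_bits(byte, 8)]
    covered = sof + arbitration + control + payload  # everything the CRC protects
    crc = crc15(covered)
    # CRC delimiter, ACK slot (sent recessive; a correct receiver drives it
    # dominant), ACK delimiter, then 7 recessive EOF bits.
    tail = [1, 1, 1] + [1] * 7
    unstuffed = covered + int_to_bits(crc, 15)
    return {
        "id": can_id,
        "dlc": len(data),
        "crc": crc,
        "unstuffed": unstuffed,
        "on_wire": bit_stuff(unstuffed) + tail,
    }


def crc_ok(frame):
    """Receiver-side check: running the CRC register over SOF..data plus the
    15 CRC bits yields 0 exactly when the frame's CRC is consistent."""
    return crc15(frame["unstuffed"]) == 0


def arbitrate(node_ids):
    """Simulate bitwise arbitration between nodes that start transmitting at
    the same instant. Every node sends its arbitration field (11-bit ID + RTR)
    bit by bit; the bus is a wired-AND, so a dominant 0 from any node is what
    everyone reads back. A node that sent a recessive 1 but reads 0 drops out.
    Returns the identifier that wins the bus."""
    if len(set(node_ids)) != len(node_ids):
        raise ValueError("two nodes transmitting the same ID is a protocol error")
    field = {nid: int_to_bits(nid, 11) + [0] for nid in node_ids}
    active = set(node_ids)
    for i in range(12):
        bus_level = min(field[n][i] for n in active)  # 0 (dominant) beats 1
        active = {n for n in active if field[n][i] == bus_level}
    (winner,) = active
    return winner


if __name__ == "__main__":
    # Constructed sample: a request on ID 0x7DF carrying three data bytes.
    frame = build_data_frame(0x7DF, bytes([0x02, 0x01, 0x0C]))
    print(f"ID=0x{frame['id']:03X} DLC={frame['dlc']} CRC=0x{frame['crc']:04X}")
    print("bits on the wire:", "".join(map(str, frame["on_wire"])))
    print("CRC verifies:", crc_ok(frame))
    print("winner of arbitration:", hex(arbitrate([0x7DF, 0x100, 0x7E8])))
```

Two things worth noticing when you run it: the 0x7DF frame starts with a dominant SOF followed by five recessive identifier bits, so a stuff bit appears within the first seven bits on the wire, and in the three-way arbitration 0x100 wins simply because it is the first to put a dominant bit where the others are still recessive. That is the whole priority mechanism; nothing in it checks who is sending.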
CAN bus also comes in two flavours of physical layer. High-speed CAN (ISO 11898-2) supports bit rates up to 1 Mbit/s; it is the most commonly used one and the base for higher-layer protocols such as CANopen and SAE J1939 and for CAN FD. Low-speed CAN (ISO 11898-3) runs at up to 125 kbit/s and is the fault-tolerant version: it can continue communicating even if one of the two wires fails.
CAN is a single shared bus with no central controller: every node is a peer and may transmit whenever the bus is idle. A new node is added simply by connecting it to the two wires, and all traffic can be observed or diagnosed from any single point on the network. This combination of simple wiring, efficiency and robustness in transmitting essential data is why CAN is used so widely in vehicles and industrial machinery, across industries such as heavy-duty fleet telematics, aircraft, manufacturing plants and medical equipment.
CAN Bus Security
Now that we understand how CAN works, let’s focus on the security aspects of CAN, from both an offensive and a defensive perspective.
Since every node sits on the same shared bus and a frame carries an identifier but no sender address and no authentication, nodes implicitly trust each other. A malicious node attached to the network can therefore read all the data flowing on the bus, inject frames that other ECUs cannot distinguish from legitimate ones, and disrupt the data flow, for example by continuously sending frames with a very low ID so that lower-priority nodes never win arbitration.
What tools are available for car hacking?
Thanks to open-source contributors, there are some great open-source libraries such as can-utils and python-can; with these we have to write our own scripts for the specific job at hand. The EXPLIoT framework has some handy plugins for reading, writing and fuzzing CAN bus values, and Scapy’s CAN module can read from and write to a CAN bus.
Along with software we also need hardware. Open-source hardware options include CANbadger, USBtin and nano-can, along with plenty of paid options from industry.
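The trust problem described above and the "write your own script" reality of the tools section meet in the most common first task on a car: capture the bus and look for frames that should not be there. The following is an added example, not code from the original post or from can-utils; it parses the text format that candump -l writes ("(timestamp) interface ID#hexdata"), learns the cadence of every periodic identifier and flags frames that arrive far too early. The log is constructed: identifiers 0x0C9 and 0x1A4 and their payloads are made up, and the 0x0C9 frame at .053 with payload FFFF... stands in for a frame injected by a rogue node.

```python
"""
Sniffing and injection detection on a shared CAN bus.

Added example for this post, not code from the original article or from
can-utils. It reads frames in candump -l text format, learns the period of
each cyclic identifier and flags frames that arrive much sooner than that
period allows. SAMPLE_LOG is constructed: the IDs and payloads are invented,
and the 0x0C9 frame at .053 with payload FFFF... plays the injected frame.
"""
import re
from statistics import median

# One candump -l line looks like: "(1600000000.000000) can0 0C9#0F0000000000"
LOG_LINE = re.compile(
    r"\((?P<ts>\d+\.\d+)\) (?P<iface>\S+) (?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

SAMPLE_LOG = """\
(1600000000.000000) can0 0C9#0F0000000000
(1600000000.005000) can0 1A4#00
(1600000000.010000) can0 0C9#0F0100000000
(1600000000.020000) can0 0C9#0F0200000000
(1600000000.025000) can0 1A4#00
(1600000000.030000) can0 0C9#0F0300000000
(1600000000.040000) can0 0C9#0F0400000000
(1600000000.045000) can0 1A4#00
(1600000000.050000) can0 0C9#0F0500000000
(1600000000.053000) can0 0C9#FFFF00000000
(1600000000.060000) can0 0C9#0F0600000000
(1600000000.065000) can0 1A4#00
(1600000000.070000) can0 0C9#0F0700000000
"""


def parse_candump(text):
    """Return (timestamp, can_id, data) for every data frame in a candump log.
    Remote frames ('ID#R') and CAN FD lines ('ID##...') do not match the
    pattern and are skipped on purpose."""
    frames = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames, min_gaps=3):
    """Median inter-arrival time per identifier. The median tolerates a few
    injected frames in the sample, but a real deployment should learn from a
    clean baseline capture rather than from the traffic it is judging."""
    last, gaps = {}, {}
    for ts, cid, _ in frames:
        if cid in last:
            gaps.setdefault(cid, []).append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_gaps}


def flag_early_frames(frames, periods, tolerance=0.5):
    """Flag a frame on a periodic ID if it arrives sooner than
    tolerance * period after the last frame we accepted on that ID.
    A flagged frame does not move the reference time, so the genuine frame
    that follows it is not flagged as well."""
    last_ok, suspicious = {}, []
    for ts, cid, data in frames:
        if cid in periods and cid in last_ok and ts - last_ok[cid] < tolerance * periods[cid]:
            suspicious.append((ts, cid, data))
            continue
        last_ok[cid] = ts
    return suspicious


def analyse(text):
    """Parse a log, learn periods and return (periods, suspicious_frames)."""
    frames = parse_candump(text)
    periods = learn_periods(frames)
    return periods, flag_early_frames(frames, periods)


if __name__ == "__main__":
    periods, suspicious = analyse(SAMPLE_LOG)
    for cid, p in sorted(periods.items()):
        print(f"ID 0x{cid:03X}: period ~{p * 1000:.1f} ms")
    for ts, cid, data in suspicious:
        print(f"suspicious: t={ts:.6f} ID=0x{cid:03X} data={data.hex().upper()}")
```

The point of the example is what it cannot do: the injected frame is byte-for-byte a valid CAN frame with a valid identifier, and every ECU listening for 0x0C9 will act on it. Nothing in the frame says who sent it, so the only handle a defender has at this layer is behaviour such as timing, and an attacker who can also suppress or time-align with the legitimate sender defeats even that.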
Is CAN bus outdated?
The most talked-about alternative to CAN bus is Ethernet (TCP/IP). It offers far more bandwidth, but on its own it does not provide the priority-based arbitration, built-in error detection and fault confinement that CAN offers at the data link layer.
We are already in the data era, and the maximum of 8 data bytes per CAN frame needs a revamp. So engineers came up with multiple protocols built on top of CAN, each suited to a particular type of network architecture: for example CANopen for industrial automation and robotics, and CAN FD for higher data rates (up to 8 Mbit/s in the data phase) and payloads of up to 64 bytes. Note that CAN FD by itself adds no authentication; its larger payload simply leaves room to carry a message authentication code alongside the data if the higher layers add one.
The top benefits of using the CAN bus protocol are low-cost implementation, a single shared bus that is simple to wire and extend, and extreme robustness and efficiency.
On the other hand, it falls short when it comes to security, as CAN bus is not secure by design: a frame carries no sender identity, no authentication and no encryption. So automotive manufacturers are complementing CAN with other buses such as LIN and CAN FD to improve the vehicle architecture. But ISO 11898 is not going to fade away any time soon.
We hope this blog post gave you a good high-level overview of the CAN bus protocol, which is used throughout automotive architectures. If you have read up to this point, you are clearly interested in automotive security. The next blog post will describe another widely used protocol in cars and vehicles. I hope you enjoyed reading this as much as I enjoyed writing it :)
Payatu is a research-powered cybersecurity service and training organization specialized in IoT, embedded, mobile, cloud, infrastructure security, and advanced security training. We offer a full IoT/IIoT ecosystem security assessment, including hardware, firmware, middleware, and application interfaces. If you are looking for security testing services then let’s talk, share your requirements: https://payatu.com/#getstarted Payatu is at the front line of IoT security research, with a great team and in-house tools like expliot.io. In the last 8+ years, Payatu has performed security assessments of 100+ IoT/IIoT product ecosystems and we understand the IoT ecosystem inside out. Get in touch with us.