Video thumbnail (Frame 0) Video thumbnail (Frame 1271) Video thumbnail (Frame 3073) Video thumbnail (Frame 5914) Video thumbnail (Frame 8199) Video thumbnail (Frame 9146) Video thumbnail (Frame 13310) Video thumbnail (Frame 15237) Video thumbnail (Frame 19049) Video thumbnail (Frame 22532) Video thumbnail (Frame 23811) Video thumbnail (Frame 27826) Video thumbnail (Frame 28795) Video thumbnail (Frame 35033) Video thumbnail (Frame 36041) Video thumbnail (Frame 39491) Video thumbnail (Frame 48286) Video thumbnail (Frame 55066) Video thumbnail (Frame 56166) Video thumbnail (Frame 57094) Video thumbnail (Frame 64841) Video thumbnail (Frame 66786)

Formal Metadata

Alternative Title
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The Controller Area Network (CAN) bus has been mandated in all cars sold in the United States since 2008. But CAN is terrible in many unique and disturbing ways. CAN has served as a convenient punching bag for automotive security researches for a plethora of reasons, but all of the available analysis tools share a shortcoming. They invariably use a microcontroller with a built-in CAN peripheral that automatically takes care of the low-level (ISO layer 1 and 2) communication details, and ensures that the CAN peripheral plays nicely and behaves at those low levels. However, a good hardware hacker understands that the sole purpose of the electron is to be bent to our will, and breaking assumptions by making “That CANT happen!” happen is a surefire way to find bugs. CANT is a (partial) CAN bus peripheral implemented in software that allows security researchers to exercise the electrical bus-level error handling capability of CAN devices. The ability to selectively attack specific ECUs in a manner that is not detectable by automotive IDS/IPS systems (see ICS-ALERT-17-209-01) is invaluable to automotive security researchers as more automakers integrate advanced security measures into their vehicles.
Software developer Software developer Multiplication sign View (database) Software Cybersex Information technology consulting Information security Information security Physical system
Building State of matter Multiplication sign Set (mathematics) Microcontroller Product (business) Revision control CAN bus Graphical user interface Different (Kate Ryan album) Bus (computing) Energy level Software testing Physical system Area Noise (electronics) Standard deviation Focus (optics) Bus (computing) Physical law Physicalism Bit Cartesian coordinate system Digital object identifier CAN bus Type theory Benz plane Integrated development environment
Area Standard deviation Digital electronics State of matter Bus (computing) Weight Plastikkarte Physicalism Microcontroller Bit Function (mathematics) Line (geometry) Digital object identifier Focus (optics) CAN bus Message passing Graphical user interface Logic Term (mathematics) Bus (computing) OSI model Diagram
CAN bus CAN bus State of matter Bus (computing) Multiplication sign Core dump Bus (computing) OSI model Focus (optics) Fundamental theorem of algebra
Point (geometry) Asynchronous Transfer Mode Identifiability Link (knot theory) Length State of matter Multiplication sign Field (computer science) CAN bus Single-precision floating-point format Core dump Bus (computing) Extension (kinesiology) Error message Information security Noise (electronics) Bus (computing) Bit error rate Bit Maxima and minima Cartesian coordinate system Digital object identifier Frame problem CAN bus Message passing Personal digital assistant Right angle Quicksort Bounded variation Fundamental theorem of algebra
Functional (mathematics) State of matter Cyclic redundancy check Field (computer science) Mechanism design CAN bus Different (Kate Ryan album) Analogy Bus (computing) Lie group Error message Exception handling Form (programming) Noise (electronics) Bus (computing) Bit error rate Bit Staff (military) Fehlererkennung Digital object identifier Frame problem CAN bus Mechanism design Message passing Error message Conditional-access module Transmissionskoeffizient Quicksort Form (programming) Window Row (database)
Frame problem Slide rule Information overload State of matter Data recovery Mereology Cyclic redundancy check Frequency Type theory Bus (computing) Error message Bus (computing) Information overload Bit Frame problem CAN bus Mechanism design Type theory Message passing Error message Network topology Normal (geometry) Hill differential equation Form (programming) Row (database)
Frame problem Slide rule Color confinement Information overload State of matter Multiplication sign Data recovery Microcontroller Counting Frequency CAN bus Graphical user interface Bus (computing) Error message Exception handling Default (computer science) Color confinement Information overload State of matter Bit Fehlererkennung Frame problem CAN bus Message passing Process (computing) Error message Personal digital assistant Order (biology) Transmissionskoeffizient Musical ensemble
CAN bus Natural number Multiplication sign Bus (computing) Vertex (graph theory) Mereology
Injektivität Information overload Multiplication sign CAN bus Bus (computing) Videoconferencing Data conversion Förderverein International Co-Operative Studies Information security Physical system Injektivität Cybersex Bit Control flow Fehlererkennung Digital object identifier Flow separation Type theory Message passing Order (biology) Normal (geometry) Peripheral Quicksort Whiteboard Asynchronous Transfer Mode Frame problem Asynchronous Transfer Mode Game controller Open source Cybersex Microcontroller Event horizon Latent heat Peripheral Whiteboard Intrusion detection system Computer-assisted translation Message passing Standard deviation Multiplication Suite (music) Information overload Skewness Denial-of-service attack Density of states Frame problem Transmitter Shareware CAN bus Software Network topology Musical ensemble
Injektivität Game controller Standard deviation Software developer Bit Complete metric space Graph coloring Shareware Message passing Hacker (term) Bus (computing) Energy level Conditional-access module Whiteboard Computer-assisted translation
Point (geometry) Game controller Digital electronics Open source Code Information overload State of matter Multiplication sign Insertion loss Rule of inference Perspective (visual) Fraction (mathematics) Estimator Fluid Peripheral Bit rate Causality Different (Kate Ryan album) Robotics Bus (computing) Energy level Endliche Modelltheorie Computer-assisted translation Traffic reporting Error message Physical system Module (mathematics) Injektivität Standard deviation Software developer Sound effect Bit Line (geometry) Complete metric space Limit (category theory) Frame problem Shareware Message passing Loop (music) Process (computing) Whiteboard Musical ensemble Remote procedure call
CAN bus Videoconferencing Computer network Fingerprint Power (physics) Shareware
CAN bus Multiplication sign Computer network Fingerprint Power (physics) Shareware
Point (geometry) Game controller Clique-width State of matter Revision control Bit rate Causality Computer hardware Videoconferencing Bus (computing) Cuboid Energy level Software testing YouTube Exception handling Module (mathematics) Cybersex Noise (electronics) Default (computer science) Standard deviation Forcing (mathematics) Bit Line (geometry) Fehlererkennung Frame problem Message passing Personal digital assistant Order (biology) Quicksort Asynchronous Transfer Mode
Game controller State of matter Information overload Multiplication sign Power (physics) Usability Spherical cap Different (Kate Ryan album) Bus (computing) Videoconferencing Encryption Arrow of time Förderverein International Co-Operative Studies Error message Traffic reporting Physical system Modem Thumbnail Fingerprint Module (mathematics) Authentication Arm Cellular automaton Physical law Computer network Bit Limit (category theory) Power (physics) Frame problem CAN bus Message passing Software Order (biology) Right angle Conditional-access module Whiteboard Quicksort
alright let's go ahead and get started here about me my name is bit mang I also go by Tim occasionally I am a largely recovered software developer I started my career doing a lot of safety-critical aerospace and automotive embedded systems came over to security about three years ago and apparently has you'll discover through this talk I enjoy looking at bad situations and going how can I make this worse I were gonna be called grim grim does not take this view of making things worse all the time we actually try to help people or a cybersecurity research development company located in Arlington Virginia as a company we do most aspects of cybersecurity between our various teams a little bit of overview we're going to
talk about what is CANbus we're gonna start with the basic high level wikipedia overview of how canvas works and then we're gonna go dive into how canvas works at much greater detail then you typically get typically need to know because although over deep low-level details are handled by an onboard can peripheral and then we're gonna talk about what we did at this time a little bit of history canvas was developed by Bosch is read released in 1983 the latest version version 2.0 was released in 1991 it is a fairly old standard and like many fairly old standards when they developed it they weren't really thinking about how to incorporate cybersecurity best practices because there was no such thing back then the first production vehicle was in 1991 this year is patient zero the 1991 mercedes-benz w124 t ISO 11 898 is the set of ISO specs that define canvas for automotive so why do the car
manufacturers love canvas so much and put it everywhere they possibly can a lot of it it's cheap is really cheap nearly any microcontroller you buy will have a can't peripheral built into it because it's cheap why not it's reliable if you don't ignore it if you nor know all the people over there what they like do into cars it's very reliable it's designed from the ground up to be extremely reliable to environmental noise it's used in a lot of situations like a building automation or some industrial applications where there's a lot of electromechanical noise going on it's designed to be very reliable for that and oh yeah by the way it's been mandated by law since 2008 turns out a good way to get the OEMs to do something is to say you cannot sell your cars unless you do the thing the mandated 40 CFR eighty six eighty no 6-0 five that mandates that all the cars have to follow the ISO spec 15 765 - for world vehicle diagnostics on controller area network this is required for your emissions related system so interview who would live in a state that mandates that you do emissions tests this is so that they can basically do those emissions tests more easily they just have one tool they plug in nobody to port regardless of tool and it can go in and make sure that all your emissions stuff is reporting that it is up to snuff as I mention CANbus is used quite extensively outside of automobiles it's used a lot in a piece on Aviation areas like mentioned build automation some industrial control type applications as well those often use a different physical layer there's quite a few different physical layers that can bus ruggable will run on we're gonna focus on I so 11 898 - - which is the spec
that the can bus uses in an automobile so the way that ice eliminate 98 - - the
physical layer works is you have this this diagram here of a can bus so we have bits going across the bus can bus as it uses differential signaling so anywhere you see that the voltages are the same on the two lines that is an area that's transmitting a recessive bit which is interpreted as a 1 and here where there are different voltages that's a dominant bit which is also which is interpreted as a 0 so this is a signaling across the lines on the on the card actual wires the run through your car this is what they carry those come into a can transceiver and all the can transceiver really does is it takes this differential signaling and outputs your standard digital logic signal for your microcontroller to interface with there's generally not really much the weight of smarts and I can transceiver some will do things like if you transmit a dominant state for too long they'll just shut off for you but they don't really generally do a whole lot in terms of logic just if I was sending a one it leaves the output of the recessive voltage if I'm receiving everything to zero it puts the output at a dominant voltage and does the opposite for any message any signals that it receives so that's how the physical
layer works and as we'll get to later something that's important to keep in mind is that anytime that your were one of the the core fundamental principles of CANbus is that if any node on the bus is sending a zero sending this dominant
voltage then that will be the state of the bus so if any node is sending a dominant the bus will be in a dominant state the only time the bus will be in a recessive state is if every node on the can bus is sending the recessive state sending a one to the bus so that's what
a can message looks like you can can frame you have a starter frame which is a zero so can at an idle state is a one of the recessive state as soon as somebody wants to start sending the message you have the start of frame so we'll start transmitting a zero then you have this arbitration field this message is the for an 11-bit arbitration feel this is generally more common in automotive there's also a variation that has a twenty nine bit arbitration field and the different there is that this idea extended bit instead of a 0 is a 1 and then after that one you have the other 18 bits of the arbitration ID plus 2 reserved bits instead of just 1 but for all intents and purposes you can they're there they're very similar and they'll can operate with each other you have both 29 bit and 11 bit identifiers x' on the same can bus because you can look at this ID extension bit and know which I don't know which link identifier it is they have a length field you have 4 bits for a length field the maximum length of a can frame is 8 bytes and we'll talk slightly about why that can be somewhat problematic for some security applications and then in a little bit you then have your 1 to 8 bytes of data that you're sending it computes a 15 bit CRC it's sort of a weird CRC but it was chosen it will always detect any single bit error and is really good at detecting like 2 and 3 bit errors as well so this plays into why can is so reliable that is very good at detecting if a bit was flipped at some point but due to electromagnetic noise or whatever the case may be CRC delimiter just a recessive at the end of the CRC to indicate the end of the CRC then you have this acknowledgment slot so what the acknowledgment slot is used for is any time a a note on the bus properly receives the message so it's the right length and as the right CRC everything about it looks good it will send a dominant here in the acknowledgment slot and whoever transmitted the message listens at this endogenous slot to make sure that at least one node acknowledges and it receive the message otherwise you'll get an acknowledgment error if nobody acts the message you'll get an acknowledgment erred we'll talk about cans error handling when we dive into can a little bit more deeply I know other than they have the act delimiter you have 7 bit and a frame and at least three more recessive bits after the end of frame has an inner frame spacing then once all this is done the bus will stay idle until another node decides it wants to transmit on the bus as I mentioned the
arbitration ID before and the arbitration ID is how the canned bus determines who's allowed to talk on the bus so as I mentioned before one of the feature one of the the core fundamental things that can believe is about how the world works is that if any note on the bus is sending a dominant then the bus state will be a dominant so if you have note a and note B that start transmitting they will send a start bit at the same time so they're not going to know at that point that somebody else is transmitting because they're sending a dominant bit they're seeing a dominant bit on the bus so they assume that it's their dominant bit is making the bus in the dominant state and they'll continue what sends the arbitration ID until one of the notes sends a one when the other note is sending a zero as soon as a note sees that hey I'm sending to one but because somebody else is a certain abdominus state on the bus that node is has the higher priority and will get access to the bus so note B will drop out here and note a will continue with this arbitration ID and will you'll actually see on the can bust if you're not note a or note B is the arbitration ID sent by note a so that's how can ensures that people are stuffing on each other on the bus how it does its bus arbitration
it's not a dive a little bit more deeply into how canvas does its error handling and etc so canvas designed to be resilient to transient errors like I've mentioned electromechanical noise just stuff that happens because digital signaling is a lie we pretend to tell ourselves about how thou you like how analog simile works cam has five different error detection mechanisms it can detect bit errors stuff errors CRC errors form errors and acknowledgement errors bit errors are only detected by a transmitter so a bit error happens with Africa but if a transmitter has one arbitration so it knows it has access to the bus and it is sending a specific bit on the bus but the state that it reads back from the bus is the opposite state so something is sending a recessive as a dominant or vice versa that'll be a bit error and that will cause the transmitter to now present an error frame and to go into cans error handling this one will be detected by the transmitter of course because anybody receiving won't know what the state of the bus is supposed to be and you have stuff errors another feature that can bus uses to increase its resiliency is something called bit stuffing and how bit stuffing works is that with a couple exceptions there's a couple of the fields if you send more than if you're gonna send more than five bits in a row that are the same they're dominant or recessive after you send the fifth bit you're supposed to send one bit of the opposite one opposite bit sort of recessive your same dominance and vice versa and this indicates basically prevents the bus from going into a DC state where the receiver is going am I actually still receiving something or did the other node just die and it's done now so does a bit staff in to make sure that I also helps keep clock synchronized clocks drift a little bit on different nodes it will does vary clock on each each edge that it receives and so that also helps to make sure that your clocks don't drift too far apart from each other so you're still able to properly receive a message so anytime that a node sees that the bus has been in the same state for longer than five bits that is a stuff error and it will then also do a window cans error handling functionality CRC error CRC's the CRC doesn't check out and that will also cause an error to happen form error form error is what happens if some of the
fixed form fuel so these three bits the CRC delimiter the act delimiter or the act slot if that isn't right like if you see kind of seen a zero in the act delimiter that would be a form error because that's not how it's supposed to be and the last error like mention
before is the acknowledgment error if you send a message but nobody acts your message on the bus then that will give you cause a note an acknowledgment error to occur
there are three other can frames besides the normal data frame there's something called a remote frame and how a remote frame works is it's basically and not on the canvas saying hey whoever sends this arbitration ID which is the arbitration idea that it tries it descends on the bus go ahead and send the data that you have I've never actually seen a remote frame used in automotive but it's a feature of the bus it also an error frames and I'll get into more into error frames and overload frames and how they work so on the next starting on the next slide so there's two types of error frames and we'll get into how can gets into its three error states and a couple of slides but there's an active error and if a bus is in the active error state that means it basically it hasn't seen very many errors and well whenever it detects an error on the bus well send out six dominant bits but of course six dominant bitch that's violates bit stuffing because it has more than five bits in a row that are the same so all the other nodes on the bus will also start sending out error frames because of the bit stuffing error so you'll end up with between six and twelve dominant bits on the bus depending on exactly when how know how what bits you are sending before the error frame and how long it takes for the other nodes on the bus to notice that there was a stuff err essentially a veneer in the passive error state then you'll send a six recessive bits on the bus and we'll talk about how that's used as part of and zehrer recovery as well and then after after you sent up your your error frame the six to twelve dominant dominant bits or the six recessive bits you send out a tree state recently eight more recessive bits essentially to leave the bus in the idle state for a period of eight bits overload frames I have had
some fun with overload frames on this so the intention behind an overload frame is that if you have a slower microcontroller on the bus that needs a little bit more time to process a message it can send an overload frame in order to just kind of delay processing of canned messages for a short period of time at six dominant bits followed by eight recessive bits it's during the intermission which is the three recessive bits after the end of frame that first three bit in our frame spacing they saw in the previous slide that is where the overload frame is sent if a node is sending the overload frame [Music] according to the spec it says at most two overload frames may be generated doesn't say anything about what to do if you generate more than to overload frames so this is how can does its error
recovery uses error counters to do fault confinement there's two Eric counters a transmit error counter which is the Eric counter that your node your can peripheral will use if it's transmitting something and gets an error and the receive error counter which is the error counter that it will use if it was receiving something and saw an error so there's three error states there's error active and when you're in error active is the default state it's what you're in when your error counter is less than 128 so you haven't seen any error that have seen very many errors and that is the state where you'll send the active error frames if you do see an error once you your error counter has gone over 128 then you'll move into the error passive state and the error passive state as we send the past of error frame the idea here that if your note on the canvas and you're seeing a lot of errors it's possible that actually your problem not somebody else so in order to so you'll stop stomping on the can bus every time you see an error and saying that active error frame and you'll go into error passive state where you'll check to see if basically if you get if you get recessive bits on the bus to tell you whether or not something else is happening on the bus once your error counter has gone to over 256 then you go into the bus off state and a bus off state you're supposed to completely stop participating in the can bus entirely until you either reset or get 128 occurrences of 11 consecutive recessive bits so you can't recover that way if the bus stays quiet for a while but can bus as often don't you know vehicle can buses are often very very chatty and the way that the error counters get incremented there's a bunch of edge cases in the spec and I'm not going to go over all of them but in general on a receive error you'll increment the counter by one for a time you get a receive error and you also decrement by one every time you successfully receive a message that's how you can move from error passive back to error active v things start working properly then you'll go back into the error active state on a transmitted error though you increase your error counter by eight for every time you receive a transmit error in order to kick a transmitter off the bus because the transmitter that that's behaving poorly is going to be more problematic than a receiver that's behaving poorly when that's how can does its error handling and error recovery one of my
another another of my favorite parts of the cannes pacification is this quote here it is in the nature of the Mac sub-layer that there is no freedom for modifications oh what if I want to modify some of these things can is essentially based on the premise that every note on the bus every everything that's connected to the canvas will behave the way that it's supposed to behave all the time sometimes you you really don't want your tools to behave nice as long as you want them to two things are not supposed to do wouldn't this be so nice if somebody would make something like that so
existing research tools like we have a tool we've open-source called the can cat Eric event check is here somewhere has written tools the can't act a bunch of tools that are all written using a standard can't peripheral it's something that's baked into silicon on a microcontroller that will behave the way it's supposed to behave well as far as far as like have the error recovery error detection stopping transmitting when it's supposed to stop transmitting all that stuff but the conversations with several people in the industry that there's been a need for a tool that doesn't have those restrictions on what it can do on the can bus the final kick in the pants from me about a year ago ICS alert 17-2 and 901 was published this ICS alert talked about essentially how you can do this sort of thing on the can bus now remember one of my co-workers was I told me that when he was in college one of his classmates pointed out this was a problem on a can bus so this isn't exactly news to anybody who understands canvas but now we have actual ICS alert we can point to and say hey canvas has some issues when it comes to security I'm also tired of hearing that that can't happen I got a more in aerospace but that the the mindset that people can have that people aren't going to actively do malicious things in order to bypass the assumptions you've made about the system as a mindset that really has been bothering me for a while so a tool called can't can't is purpose-built to selectively target an individual ECU by abusing the can specification it's based on an ST micro nucleo H 743 Zi dev board as they got twenty twenty-one dollar dev board that you can actually get now I gave this talk the first time in shmoocon and they were a quartered on now sir until April so that was a little bit of a buzzkill I just barely managed to get the two that I had before they were sold out currently supports five attacks denial of service attack where it does targets all messages essentially sends an arbitration idea of zero every time a node starts to transmit so nobody else can actually talk on the bus because they will always lose arbitration replaced data of selected messages I can choose an arbitration ID and say hey instead of sending this data send this data instead and just ignore the other guy yelling at you for sending the data that you shouldn't be sending transmitting multiple overload frames something that's interesting about the overload frames is that they're generally not reported up to your software the can peripheral just oh it's a overload friend gonna ignore that but they don't actually check the teeth they get more than to overload frames so you can transmit overload frames like that doesn't get reported up to the software that you're using I also created a cyber paperclip mode and an AK attack that I'll talk about a little bit more in the demo videos that I have so the advantages of can't over a lot of the tools that we have right now is that we have complete control over signaling including being able to force recessive bit with the camp shield that I made I'll begin to follow the can spec as it suits us sniff messages as you would with a normal can for referral and then as soon as you want to start abusing the can spec we can do that phanie skews giving you trouble I've used can't for this before all this use can't to knock a specific ECU offline so that I can they can stop interfering with what I'm trying to do and it's more difficult to detect than packet injection not something they talked about in that I the paper the led to the ICS alert is using this so our technique to evade car IDs and IPS type systems because you're as far as something tree sitting on the bus receiving is concerned the bus is actually behaving properly there's only the only that note this transmitting knows that something is really going on often look at that demonstration
walks through the market we can do with with can't I'm using tax is that picking up at all no all right [Music]
Jules has developed one of these tools is cam cam cam kept as a tool that Grimm has been developing for a few years now it is an it is your common hacking tool we use it for doing can brush pack injection and was sniffing the one disadvantage that cam cat has those it is built on top of a standard can peripheral so it's limited and how badly we can misbehave with that from the illustrate a little bit later the other tool is the cat's tool that very recently released cat is a new Cleo H 743 zi8 development board with a can transy were wired to it and we use that to essentially MIT they can or GPIO on this business complete control over the can messaging at the electrical level and allows us much greater control over what is going out on the canvas we're going to start the demo by showing how to use cats to act as a bus killer what this attack does is anytime any node on the bus Francis send a message can't will take over and send a message a valid can message with an arbitration ID at zero this limits effective this limits any other node from transmitting on the campus Modric and will go ahead and choose the quest color attack and you see that very quickly there are flu-like pops or start shutting down clearly nothing is able to transmit on this
[Music] first of all priorities in Threepio are portable are academic to demonstrate some of the can attacks things that we can do with you and be open source tools that room has developed one of these tools is camp cat cat cat is a tool that Grimm has been developing for a few years now it is an Arduino do it with a pen shield it is love your common car hacking tool we use it for doing can bus and packet injection and the sniffing the one disadvantage that mcat has those it is built on top of a standard can peripheral so it's limited and how badly we can misbehave with that from demonstrating a little bit later the other tool is the can't tool that very recently released can't is a new Cleo H 743 Zi development board with a Ken transceiver wired to it and we use that to essentially bit they can over GPIO this business complete control over the can messaging at the electrical level and allows us much greater control over what is going out on the canvas we're going to start the demo by showing how to use cats to act as a bus killer but this attack does is anytime any note on the bus crisis and the message can't will take over and send a message a valid can message with an arbitration ID at 0 this limits effective this limits any other node from transmitting on the canvas so ahead is it up that attack set the pod reach and will go ahead and choose the quest killer attack and you see that very quickly there brake fluid light pops up the cluster start shutting down clearly nothing is able to transmit on this develop message well it's probably sending this message never any other bus tries to send its own message effectively killing the canvas now the effect of this isn't all that much different than you get from jabbing a paperclip into the can bus inserting the two wires the advantage of Kent's approach that it does that same that has that same effect without violating any of the rules of the canvas this is it perfectly valid properly functioning Kinross just nobody else is allowed to transmit on it go ahead and stop this that's how the canvas goes back to normal on the oscilloscope next step is we're going to illustrate those differences I was talking about between how can cat works and how can't reports so camp cat is actually been invented for a while like I mentioned it runs on the Arduino do a with a can shield on it using a standard can't peripheral code allows us to do things like just send a canned packet with this can't pack of them in about to send it does is it causes the brake fluid will light to come off and let's see that happen up in the instrument cluster I'll send it brake fluid will pops up there these for a fraction of a second and this is because the body control module is sending out the brake fluid status message about three times a second and of course the brake fluid level is actually okay on our demo so this message that we're injecting is being overridden by the body control module almost immediately once we send it now they try to flip the bus with this message just put this in a while loop if you counted on it we see that the brake fluid light will pop up and go away and pop up and go away and pop up and go away this gives us very herky-jerky control over whatever it is we are trying to control this is a problem that you run into quite frequently with canned your to injected message to do something malicious but your message is getting overridden by a different ECU on the system can't has a very nice data replacement true mo that has been written go ahead and set the arbitration indeed the urban nd is 290 will set the bond rate to 125 four bits per second and we'll choose the data replacer attack well they just ate quite long as we go back with you the message is a zero zero zero one zero six zero zero zero zero zero zero zero eight zero zero one zero six and so these are doing this we see that our brake fluid level when white comes on in the estimate Questor and stays off and the reason for this because this attack since we are replacing the data with our own data violating the rules of
can only of violating the rules of the canvas from the perspective of the body control module robotic control models should be the one send the message the only one on the bus but we're taking the bus away from the body control module so the body control module is going into an error State the smoke here we'll see here right here you see that the body control model sitting out these longer hostesses our error friends the aircraft we were discussing earlier we'll see there's quite a few of them come look there's gonna be sixteen of them because the body control module is going into its puss off state resending Sunday to active error friend until humans 128 said errors again and once it's accumulative culated 128 centers because of an error passive and then eventually into plus off so Kant allows us to then just override any method on the bus I eventually knock in that you see you off lines without us to have complete control than for whatever message it is we are trying to control the last attack I want to demonstrate is an attack by the overload inserter attack so the or those frames jumped out of me when I was reading the can specification the can spec says that no device on the bus should send more than two horrible friends but doesn't say what should happen if somebody does send more than to overload friends know the purpose of the overload frame is to allow slower no than the can bus to request a little bit of extra processing time after they receive a message so there's an avenue little frame this gives them just a little bit more time to process a message that they've received let's go ahead and set the pod rate again and choose the overloaded circuit let's just end this one - or those phrase just know behave in a nice nice appropriate manner and we see that things seem to be functioning well you see up and have one two old friends everything looks nice little less sound more that says tribal remotes things see what happens now that wondered the smoke you see to have our frames and we also see that everything still seems to be running properly so apparently sending more than two overloads frameless does it immediately cause any issues it's just any more let's try sending 50 of these overload frames what the Santa Clinton quite a few now that we see take us on the fact that brake fluid level little light comes on for some reason and that it's not a camera glitch that mission requester really is kind of dimming you can still see is so kind of running but it's definitely something weirds going off and if we come over here to this let's go you see of these paths over 1700 people on the front also see that the amount of time we're spending is in oil and frankly that's the more than we're sending funding sending actual messages who are actually seeing the a significant increase in bus holding here Bretton Woods tastes only a hundred of these things a thousand so the sales in the Rieslings an existing the thousand cause of the instrument cluster to completely shut off at this point higher cost time is better than these old friends things that you can't do and see what the effects of that is so after since that demo I've added a
couple new features which are also interesting and I have a demo for those as well maybe No
you know I recorded these videos I
didn't have to go through all the problems you get with a live demo
what I released in January there was one thing that can't couldn't do at the time and I figure if I'm going to release a
tool called can't probably then the camp couldn't do at the time was can't
couldn't assert a recessive state on the
bus this is how can handles all of its arbitration all of its error handling and error recovery is by assuming that a node cannot assert a recess estate on the bus and if any note on the bus is asserting a dominant state then the state of the bus will be in the dominant state so in order to accomplices I created this piece of hardware it's a shield that plugs into the nucleo stm32 h7z I don't want that we've been using and it is a standard can transceiver it has a you can focus it has a can transceiver connector called passives on it the thing that I added that makes this special is this little device here at YouTube it's an analog switch and when this analog switch allows me to do is it allows me to sort can hi and cattle bow together and when can high in can bow are shorted together it allows that bull cause of any note on the bus to read a recessive state because they'll be to the same potential so this allows me to violate that last in viable for the canvas is by asserting a recessive state on the bus and this allows me to free to new attacks plus adding a enhancement to a third attack so the first attack I'm going to demonstrate is the cyber paper clip mode this just turns on the bus there's the same thing that so I'm going a paper clip into the can bus would do it just causes the buses work together and nobody can communicate go ahead and start that attack the bus short attack and we see that this purple line here on the scope is the state of the switch so we see that this went high turn the switch on and that now we don't really have any traffic on the can bus and at some point we should be able to see some sort of message starting to come up I hope you can see that vis McCluster is dead this seems kind of trying to send a message here and there but it's not able to actually send anything because the bus is sort of together go ahead and reset our can't reset the car because recovering from this is difficult again the second attack I want to demonstrate is a nak attack and so what the nak attack does is it tries to essentially clobber the acknowledgment that the note of the bus are supposed to send back once they properly receive a message so go ahead and set our pod rate choose the nak attack and this should as we see here this this is where the nak slot should be here on the scope obviously that our switch goes high for one can fray or one can't bit and it does all this because all this crazy stuff to happen on the bus all this noise to happen so as we can see our his McCluster is still running it seems like it's still getting enough back that it's not the car isn't too unhappy but we're able to generate a bunch of noise on the nak frame the last attack I want to show is an improvement to the data replacer attack previously the data replace our attack would only work if we were wanting to send a dominant bit worried recessive bit was being set the brake fluid tests that I showed on the previous video showed that it the brake fluid level low is a dominant state so I was able to assert that dominant state on the bus and have the brake width of a low show up on the bus what we want to go the other way so in this case I've actually used our control box to cause the body control module to actually be sending the brake fluid level low which is it does by setting that bit to zero to the dominant state and now I want to overwrite that with the recessive and state for that bit too cause the brake fluid level bovine to turn off I was unable to do that with a previous version of camp but now I can do that let me go ahead and set the arbitration ID choose the baud rate again and do the data replacer attack sent eight bytes force plate will be 98 0 0 0 1 0 6 0 0 0 0 0 0 0 0 but I added this line here in the force recessive bit now force in recessive is not currently at the default and then go ahead and say yes to force the recessive bit and we'll see here that the brake
fluid bovine goes away now we will see occasionally that the brake fluid though light will flash back on for just a second and turn back off I haven't been able to figure out why that is happening if we go and look at the actual state of the bus using the cam cap tool that I have hooked up we can see that it's all of the brake fluid message rights are being set to what I said it to its be a sudden 898 all the way across there are some other behavior and the instrument Buster's causing that message to pop back up occasionally but the attack works all of the messages that we're targeting are now coming across the bus with the correct value and one thing I've had to mention in the video is that another advantage of being able to force the recessive bit is that I can also clobber the error frame that the body control module or whatever ECU is sending the message is sending so that the only note on the bus it has any idea anything wrong is the one that I'm specifically targeting that nobody else sees an error frame nobody else does anything to his error counters whatever else get out in the system it would continue to operate as if nothing was wrong and have no idea anything else was going on so there are some limitations
and mitigations to this one limitation is that you need physical access to the car in order to do this maybe it's also possible to a theoretically possible to find a way to get into the car remotely or wireless or cell modem or something and can reprogram an ECU to be a can't essentially because there's nothing - the analog switch to force the recessive which I'm guessing most OEM don't actually stick on the can bus for you to play with - that feature everything else you can do so this is a bog-standard can peripheral that is so as shipped with every car every you see you that has a can bus so increased care for the the tax adjust increase can bus load those could be detected by something that's looking at can bus you wouldn't necessarily be able to tell why with the overload attack because I come into those overload frames aren't actually report up to software so you would see your bus load increasing you wouldn't and that stuff couldn't make it as timings it's supposed to make but you wouldn't be a bit difficult to determine why without hooking a scope or similar up to the the car power fingerprinting is something that some companies are working on with able the fingerprint the nodes on the can bus to see if there's anything out of the ordinary can't is definitely out of the ordinary I haven't actually used one of these to see what camp looks like but I'm sure it sticks out like a sore thumb because I am bit deigning can or a GPIO that's going to to look a bit different of course and the question is then what so something's happening but what do you do now with with that car to make it work properly now increased network segmentation can help limit the Albus attack some sort of an encryption or authentication could help mitigate some of this possibly although can makes a lot it's difficult because of how small its data size is and how low-power a lot of the ECU's are and of course you can always switch away from can bus - the stuff is mandated by law that will give you some more options as in further reading the can spec is available right up there and this is the paper that led to that ICS report ICS alert going out I've made a couple of other improvements to can't backspace works now at dinner as of a week ago so that's really handy a couple other usability improvements and I am pushing those up to github right now so that will all be available very shortly up on github I also have about 20 of those can't shields available I don't have the dev boards just the shields but those dev are things that they're about 20 bucks get them from Mouser arrow whoever you generally order from and anybody who wants one do you feel free to come up and get one and then won't have any questions I switch to this because I wanted to make sure that I would have enough though this boards a arm cortex-m 7 at 400 megahertz it's a pretty beefy board I wanted to make sure that I would have time to actually launch the attacks I wanted to be able to launch and have the flexibility to do more complex attacks without then not being able to make timings on the can bus all right thank you all very much like I said if you have any more questions for me feel free to come up I have a handful of those shields that I am handing out [Applause]