We’ve gone over the basics of CAN and looked into how CAN databases work. Now we will look at a few protocols that are commonly used over CAN.
In the last article we looked at CAN databases, where each bit of a message is mapped to a specific meaning. For example, bit 1 of a CAN message with ID 0x400 might represent whether the engine is currently running or not.
However, for more complex communications we need to use protocols. These can map many meanings to a single CAN ID by agreeing on a structure for sending and receiving data.
Last time, we discussed how in-vehicle networks work over CAN. Now we’ll look into the protocol and how it’s used in the automotive industry.
On the hardware side, there’s two types of CAN: differential (or high-speed) and single wire. Differential uses two wires and can operate up to 1 Mbps. Single wire runs on a single wire, and at lower speeds, but is cheaper to implement. Differential is used in more critical applications, such as engine control, and single wire is used for less important things, such as HVAC and window control.
Many controllers can connect to the same bus in a multi-master configuration. All messages are broadcast to every controller on the bus.
We’re introducing a new series on CAN and automotive hacking. First, we’ll introduce CAN and discuss how in-vehicle networks work.
In 1986, Bosch introduced the Controller Area Network protocol. It was designed specifically for in-vehicle networks between automotive controllers. CAN became a popular option for networking controllers in automotive, industrial, and robotics applications. Starting in 2008, all vehicles sold in the US must use CAN.
Modern vehicles are distributed control systems, with controllers designed to handle specific tasks. For example, a door control module would take care of locks and windows. CAN allows these controllers to communicate. It also allows for external systems to perform diagnostic tasks by connecting to the in-vehicle network.
Some examples of CAN communication in a vehicle include:
The engine control module sending the current engine speed to the instrument cluster, where it is displayed on a tachometer.
The driver’s door controller sending a message to another door controller to actuate the window.
A firmware upgrade for a controller, sent from a diagnostics tool.
CAN is usually used with little or no security, except for the obscurity of the communications. We can use CAN to USB interfaces to listen to the traffic, and then decode it. We can also use these tools to send forged messages, or to perform diagnostic actions. Unfortunately, most of the tools for dealing with CAN are proprietary, and very expensive. The diagnostics protocols are standards, but not open ones. They must be purchased from the International Organization for Standardization.
Next time, we’ll get into the structure of CAN frames, and how traffic is encoded on the bus.
The first full day of DEF CON was packed with hacking hardware and cars. I got to learn about why your car is less secure than you might think, pick some locks, and found out that there are electronic DEF CON badges after all. Keep reading for all the detail.
When a few lights in the dashboard of [Garrett]’s truck burned out, he was looking at a hefty repair bill. The repair shop would have to replace the huge PCB to change a few soldered light bulbs, so he was looking at a $500 repair bill. Lighting up a LED is everyone’s first project, so [Garrett] decided to change out the bulbs with LEDs and save a few dollars.
The repair was very simple – after removing the dials and needles, [Garrett] found a huge PCB with a few burnt out bulbs on board. He took a multimeter to each bulb’s solder pad and replaced each one with an LED and resistor. The finished project looks like it came out of a factory and is a huge improvement over the ugly amber bulbs originally found in his truck. [Garrett] also posted a nice Instructable of his build showing the nicely soldered lamp replacements.
On many new cars, automatic wiper speed control can be had as an upgrade, though most cars do not offer front-end collision prevention at all. [Rishi Hora] and [Diwakar Labh], students at the Guru Tegh Bahadur Institute of Technology in New Delhi, developed their own version of these features, (PDF warning, skip to page 20) which they entered into last year’s Texas Instruments Analog Design Contest. Under the guidance of professors [Gurmeet Singh] and [Pawan Kumar], the pair built the systems using easily obtainable parts, including of course, an MSP430 microcontroller from TI.
The collision prevention system uses a laser emitter and an optical detector to estimate the distance between your car and the vehicle in front of you, sounding an alarm if you are getting too close. In a somewhat similar fashion, the wiper speed control system uses an IR emitter and detector pair to estimate the amount of water built up on the windshield, triggering the wipers when necessary.
While not groundbreaking, the systems would be quite handy during monsoon season in India, and seem easy enough to install in an older vehicle. The only thing we’re not so sure about is pointing lasers at cars in traffic, but there are quite a few available alternatives that can be used to measure distance.
Continue reading to see a video walkthrough and demonstration of both systems.
In 2009, [Dr. Stefan Savage] and his fellow researchers published a paper describing how they were able to take control of a car’s computer system by tapping into the CAN Bus via the OBD port. Not satisfied with having to posses physical access to a car in order to hack the computer system, they continued probing away, and found quite a few more attack vectors.
Some of the vulnerabilities seem to be pretty obvious candidates for hacking. The researchers found a way to attack the Bluetooth system in certain vechicles, as well as cellular network systems in others. Injecting malicious software into the diagnostic tools used at automotive repair shops was quite effective as well. The most interesting vulnerability they located however, was pretty unexpected.
The researchers found that some car entertainment systems were susceptible to specially-crafted MP3 files. The infected songs allowed them to inject malicious code into the system when burned to a CD and played. While this sort of virus could spread fairly easily with the popularity of P2P file sharing, it would likely be pretty useless at present.
The researchers say that while they found lots of ways in which it was possible to break into a car’s computer system, the attacks are difficult to pull off, and the likelihood that they would occur in the near future is pretty slim.
It does give food for thought however. As disparate vehicle systems become more integrated and cars become more connected via wireless technologies, who knows what will be possible? We just hope to never see the day where we are offered an anti-malware subscription with a new car purchase – at that point, we’ll just ride our bike, thanks.