Finding security flaws (0-Days) in CANbus devices and systems.

The CANbus protocol is widely used in the auto industry. Development of automotive products and systems using this protocol has been advancing at a blistering pace and security testing teams have been left behind. Hackers using a variety of ad-hoc CAN-bus fuzzing tools are regularly discovering non-trivial security weaknesses.

A quick search online turns up detailed information on how to exploit security flaws that currently exist in many production vehicles and accessories. We believe that many more as yet unknown security weaknesses, also known as zero-days, exist and will be discovered.

To address this issue we have developed the first commercially available CANbus application and device security testing kit. It consists of beSTORM, our dynamic application security testing tool and black-box fuzzer, and our CANbuster ECU simulator. This kit is now available to manufacturers world-wide; for more information please fill in the form on the right of this page or contact your nearest Beyond Security office.

beSTORM is one of the most widely used, commercially supported, multi-protocol, dynamic security testing tools. It is used by industry to secure aerospace, telecom, manufacturing and financial applications and their infrastructure components, and of course it is also used on these same systems by more than a few governments. For CAN-bus security testing purposes beSTORM is teamed up with the Beyond Security CANbuster, a device that simulates a vehicle Electronic Control Unit (ECU) and allows testing/fuzzing of individual system components in a lab setting.

It is now possible for any QA department to dynamically test their CAN-bus reliant systems and products for security flaws and certify them as being secure.

CANbus Fuzz Testing Demonstration on a Heads Up Device

For purposes of demonstrating dynamic security testing (fuzzing) using beSTORM and CANbuster we chose two of many available Heads Up Devices (HUD). There are many manufacturers out there and dozens of models, but they share many common components. The devices we tested look like these:

CANbus device
CANbus device number two

There are many other models on Amazon, but we have not tested them.

Their internal workings are almost identical: an STM32F103 processor, a few voltage and current regulators (MC1413BDG) and a CAN-bus transceiver (TJA1050). The more advanced version, which appears to support more configuration options (the one in the left image), also has a Winbond (25Q80BVSIG) chip used as flash memory.

CANbuster Device

Connect the CANbuster device (pictured below) to the HUD device via three wires: CAN-H, GND and CAN-L. These connect to pins 6, 5 and 14 respectively on a J1962 connector. An external 12 V power source rated for at least 300 mA should be connected to V- (black) and V+ (red), pins 4 and 16 respectively on the connector.

The CANbuster device is connected via an Ethernet cable to a Windows machine that has beSTORM installed and running. By default CANbuster has the pre-defined IP address 192.168.1.254.

J1962 Connector

The SAE J1962 connector comes in two versions. The female version is the one found in the car:

SAE J1962 connector
male SAE J1962 connector

The male version is how the HUD connects.

For the CANbuster device to connect to the HUD it will need a female connector. If you plan on connecting the CANbuster device to a car (warning: we are not responsible for any permanent damage that may result!) it will need a male connector.

To simplify the setup it is better to get a Y-shaped J1962 cable. If you can get a Y cable whose wires run as separate strands, it is easy to strip and connect to them.

[Image: Y J1962 cable]

CANbuster Car Fuzzing Simulation

At this point you should be able to turn on the system and see the HUD device boot up. The Beyond Security CANbuster simulates a real ECU by capturing the requests the HUD device sends for certain parameters (such as car speed) and responding with valid values.

The CANbuster needs to be turned on before the HUD device is powered on. If the sequence is followed correctly, when the HUD device is powered on it will show the car speed increasing and then decreasing in a loop. All other values returned by the CANbuster are within the valid range. This is not the fuzzing or testing part yet, only a simulation to let you know the CANbuster is emulating an ECU and correctly communicating with the HUD.

beSTORM’s fuzzing mechanism is NOT affected by CANbuster’s simulated environment; however, without the simulated environment the HUD device will not accept incoming data. Stopping the simulated environment causes the HUD device to shut down, as it understands that the car engine / electrical system has been turned off.

The HUD will boot up and start scanning the bus for signals; once it is running the display will change:

[Image: HUD device display layout]

(NOTE: the image has been flipped to make it readable; the HUD device displays the information reversed, as it is meant to be reflected by the car’s windshield.)

BeSTORM Dynamic Security Testing of CANbus

beSTORM fuzz testing consists of sending invalid (outside of the valid range), unexpected (incorrect response) and/or malformed (unrequested fields) responses back to the HUD device. The protocol being tested is OBDII over CAN-bus.

When you configure beSTORM, set it to use the CAN A port (assuming you connected the HUD device to that port) by specifying port 0 as the port to use, and set the speed to 500000 (500 kbit/s), which is the default bus speed of CAN devices in cars.

Depending on the HUD device, the CAN identifier under test will be either 11-bit or 29-bit. This depends on what the HUD device supports: simpler models use 11-bit identifiers, while more advanced ones use 29-bit identifiers.

Use the same identifier length in the beSTORM module as in the simulation environment you used to get the HUD device up and running. To simplify things beSTORM provides an OBDII module that works with 29-bit identifiers, which appears to be the more common setup.
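As an added example (not code from this article or from the beSTORM/CANbuster products), the following Python models the exchange described above: the HUD's Mode 01 speed request on either the 11-bit or the 29-bit OBD-II identifiers, a simulated ECU answering with a ramping speed, and three constructed replies in the invalid / unexpected / malformed categories. The identifier values are the standard OBD-II ones; the frame tuples, function names and sample bytes are assumptions made for the example.

```python
import itertools

# Standard OBD-II CAN identifiers: functional request and ECU #1 reply, 11-bit vs 29-bit.
OBD_REQ_ID = {False: 0x7DF, True: 0x18DB33F1}
OBD_RSP_ID = {False: 0x7E8, True: 0x18DAF110}
PID_SPEED = 0x0D  # Mode 01 PID 0x0D: vehicle speed, one data byte A in km/h

def frame(can_id, is_ext, payload):
    """CAN frame as (id, extended?, 8 data bytes); payload zero-padded to 8 (assumed model)."""
    return (can_id, is_ext, bytes(payload) + bytes(8 - len(payload)))

def hud_request(pid, is_ext):
    """Constructed HUD poll: ISO-TP single frame, PCI=2, Mode 01, PID."""
    return frame(OBD_REQ_ID[is_ext], is_ext, [0x02, 0x01, pid])

def parse_request(req):
    """PID of a well-formed Mode 01 single-frame request on the right ID, else None."""
    can_id, is_ext, d = req
    if can_id != OBD_REQ_ID[is_ext] or d[0] != 0x02 or d[1] != 0x01:
        return None
    return d[2]

def speed_loop(top=120, step=10):
    """Endless 0..top..0 ramp, like the CANbuster demo that drives the HUD speedometer."""
    ramp = list(range(0, top + 1, step)) + list(range(top - step, 0, -step))
    return itertools.cycle(ramp)

def ecu_reply(req, speed):
    """Valid reply to a speed request: PCI=3, mode+0x40, PID, A=speed (masked to a byte)."""
    if parse_request(req) != PID_SPEED:
        return None
    is_ext = req[1]
    return frame(OBD_RSP_ID[is_ext], is_ext, [0x03, 0x41, PID_SPEED, speed & 0xFF])

def fuzz_replies(req):
    """Constructed replies in the article's three fault classes, all to a speed request."""
    is_ext, rid = req[1], OBD_RSP_ID[req[1]]
    return {
        # invalid: PCI length 0x0F is outside the 1..7 bytes a single frame can carry
        "invalid": frame(rid, is_ext, [0x0F, 0x41, PID_SPEED, 0x3C]),
        # unexpected: well-formed, but answers engine RPM (PID 0x0C) instead of speed
        "unexpected": frame(rid, is_ext, [0x04, 0x41, 0x0C, 0x1A, 0xF8]),
        # malformed: PCI claims 6 bytes and three unrequested bytes follow the speed byte
        "malformed": frame(rid, is_ext, [0x06, 0x41, PID_SPEED, 0x3C, 0xDE, 0xAD, 0xBE]),
    }

def decode_speed(reply):
    """HUD-side decode: km/h for a clean speed reply, None for anything else."""
    d = reply[2]
    return d[3] if d[0] == 0x03 and d[1] == 0x41 and d[2] == PID_SPEED else None
```

A strict decoder like decode_speed rejects all three fault classes; the crashes described later in the article are what happens when a device's parser does not.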

CANbuster Kit Setup

The picture below illustrates how beSTORM and the CANbuster are set up.

1. Power supply, at the top right.
2. Y J1962 cable, at the bottom.
3. Car HUD device, middle bottom.
4. CANbuster device, center right.
5. beSTORM on laptop, left.

[Image: beSTORM and CANbuster kit setup]

Results of CAN-bus Fuzz Testing with BeSTORM

The HUD devices we tested presented many fatal flaws: they crashed repeatedly within minutes of the start of testing, and their programming accepted inputs that manifested as display and sound errors. These are the early indicators of problems that, with some further investigation, could lead to the development of input that would gain some degree of control over the device.

Using beSTORM and CANbuster in this setup, ANY automotive system or device can be tested and we have a high degree of confidence that most have fatal flaws – some of which could be ‘weaponized’. Although beSTORM and CANbuster are only sold to governments and manufacturers for their use in securing applications, the current low level of security in automotive use of CAN-bus protocol allows far less capable and very widely available fuzzers to also find problems that can then be developed into attacks.

For More Information

The beSTORM and CANbuster kit is now available world-wide and for more information please fill in the form on the right of this page or contact your nearest Beyond Security office.