Getting started with Car Hacking, with an introduction to CAN Bus and hands-on with a basic replay attack.
Objective
Understanding the CAN Bus vehicle communication network and getting hands-on with a basic replay attack on that network.
Theory
Introduction to CAN Bus:
The Controller Area Network (CAN) Bus is the communication infrastructure inside a vehicle that interconnects sensors and controllers (Electronic Control Units, ECUs) so they can exchange data. The air conditioner, ABS and window controls are examples of functions handled by ECUs in a car.
Each device transmits its data serially on the shared bus as frames. If more than one device starts transmitting at the same time, bus arbitration lets the highest-priority frame (the one with the lowest arbitration ID) continue while the others back off and retry. Frames are broadcast: every device on the bus receives every frame, including the transmitting device. The base protocol has no sender authentication and no encryption, which is what makes the replay attack in this lab possible. This traffic is local to a vehicle.
In this lab exercise, we will gain familiarity with this traffic.
A more in-depth treatment of CAN Bus is available here: CAN Bus Wikipedia
The OBD-II (On-Board Diagnostics 2) port on a vehicle is a standardised connector that exposes the CAN Bus. Hardware tools can be plugged directly into it to retrieve raw frames, which can then be parsed or analysed.
Lab Environment
In this lab environment, you get access to the GUI of the attacker's Ubuntu machine with a Car Dashboard Simulator Web UI, a virtual CAN network interface "vcan0" and the "can-utils" tools. The Car Dashboard Simulator can be accessed at
http://demo.ine.local
Tools
The tools used in the lab:
Car Dashboard Simulator: shows the actions that frames on the bus trigger (turn signals, door locks, speedometer).
can-utils: Linux utilities for interfacing with Controller Area Network (CAN) devices, facilitating monitoring and control in automotive and embedded systems.
Here we have our web UI simulating a car dashboard.
There are 3 actions that can be performed:
Toggling turn signals.
Locking/Unlocking doors.
Updating the speedometer.
Let's try out each button and observe its effect before we start testing.
Clicking the Left indicator button changes the indicator light to orange for only a fraction of a second, so hold the button down longer for the signal change to register.
Looking at the door, we can see that it is initially locked, indicated by red. Let's unlock it with the door unlock button.
Clicking the Door 1 Unlock button changes the light to green, which indicates that the door is now unlocked.
Clicking Door 1 Lock changes the color back to red.
The last button is Accelerate. Clicking and holding it moves the speedometer and the car's speed increases.
Releasing the mouse button lets the speed decrease again. Every one of these actions generates frames on the CAN Bus. Now that we have tried out the features, let's start with the testing.
Let's first check that the system has the virtual CAN interface up:
ifconfig vcan0
The interface is up. Let's now use candump from "can-utils" to sniff it:
candump vcan0
It shows us the frames currently flowing on the bus.
What we see is the simulator's random background noise traffic. On a real vehicle network there would be far more frames, many of them periodic.
A sample frame as printed by candump has the following structure:
vcan0 164 [8] 00 00 C0 1A A8 00 00 22
___
vcan0: The virtual CAN interface the frame was seen on.
164: The arbitration ID (in hexadecimal). CAN has no destination address; each node filters on the ID to decide whether a frame is relevant to it, and the same ID determines the frame's priority during arbitration.
[8]: The data length code (DLC), the number of data bytes in the frame.
00 00 C0 1A A8 00 00 22: The message data (at most 8 bytes in Classic CAN; CAN FD allows up to 64).
Every ECU (Electronic Control Unit) decides from the arbitration ID whether a frame is meant for it and, if so, acts on the message data. The lower the arbitration ID, the higher the priority of the frame when several ECUs start sending at the same time. Nothing in the frame identifies or authenticates the sender: any node on the bus can emit a frame with any ID, which is what a replay attack exploits.
We can also see this traffic in Wireshark by selecting the vcan0 interface.
Now let's log the frames generated by our actions:
candump -l vcan0
This records frames to a log file from this point on until it is stopped with Ctrl+C.
Now, in the simulator window, perform the following actions and then stop the logger so the corresponding frames are stored:
"Left Indicator" click once
"Door 1 Unlock" click once
"Door 1 Lock" click once
"Accelerate" click and hold for a while, then release.
Stopping the logger saves the log file.
So, here we have our log file candump-2024-12-12_163402.log. Let's read its content:
cat candump-2024-12-12_163402.log
The log file contains every frame seen during the recording, the noise traffic plus the frames generated by our actions, one per line in the form (timestamp) interface ID#data.
Now, using these frames, we will perform a basic replay attack:
canplayer -I candump-2024-12-12_163402.log
canplayer reads the log and re-transmits each frame on the interface it was recorded on, keeping the original timing. We can see the same sequence of observations repeated on the UI: the indicator flashes, the door unlocks and locks, and the speedometer moves, even though nobody clicked any button. Because the bus has no sender authentication or replay protection, the ECUs cannot tell the replayed frames from the originals.
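To tie the frame structure, the log file and the replay together, here is an added example in Python (not part of the original lab and not can-utils code). It parses a candump -l log like the one we just recorded, decodes each line into the fields described in the frame-structure section, separates the frames our button presses generated from the background noise by comparing against a noise-only baseline, and writes a trimmed log that canplayer -I can replay so that only the chosen actions are triggered. The interface name, the CAN IDs 0x188 and 0x19B and all payloads in the embedded sample logs are constructed for illustration; the lab's own IDs are not stated on this page.

```python
"""Added example for the CAN lab (not part of the original write-up or of can-utils):
parse a 'candump -l' log, decode each frame into the fields from the frame-structure
section, split our button presses from background noise, and write a trimmed log for
'canplayer -I'. Interface name, IDs and payloads in the sample logs are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# candump -l writes one frame per line: "(timestamp) interface ID#HEXDATA"
LOG_LINE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass(frozen=True)
class Frame:
    ts: str        # kept as text so the replay log preserves candump's exact timing
    iface: str     # interface the frame was seen on, e.g. vcan0
    can_id: int    # arbitration ID: filters receivers and decides priority (lower wins)
    data: bytes    # payload, 0..8 bytes in Classic CAN

    @property
    def dlc(self) -> int:
        """Data length code: the number of payload bytes candump shows as [n]."""
        return len(self.data)

    def human(self) -> str:
        """Render like interactive candump: 'vcan0 164 [8] 00 00 ...' (11-bit IDs)."""
        payload = " ".join(f"{b:02X}" for b in self.data)
        return f"{self.iface} {self.can_id:03X} [{self.dlc}] {payload}"

    def log_line(self) -> str:
        """Render back into the 'candump -l' format that canplayer reads."""
        return f"({self.ts}) {self.iface} {self.can_id:03X}#{self.data.hex().upper()}"


def parse_log(text: str) -> list[Frame]:
    """Parse candump -l output, rejecting malformed lines and oversize payloads."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"not a candump log line: {line!r}")
        data = bytes.fromhex(m["data"])
        if len(data) > 8:
            raise ValueError(f"Classic CAN carries at most 8 data bytes: {line!r}")
        frames.append(Frame(m["ts"], m["iface"], int(m["id"], 16), data))
    return frames


def priority_order(frames: list[Frame]) -> list[int]:
    """Distinct IDs in the order arbitration favours them: lowest ID first."""
    return sorted({f.can_id for f in frames})


def find_action_ids(noise: list[Frame], capture: list[Frame]) -> set[int]:
    """IDs seen in the action capture but never in the noise-only baseline.
    IDs present in both (e.g. a frame with a rolling counter) are not flagged;
    their payloads have to be diffed by hand."""
    background = {f.can_id for f in noise}
    return {f.can_id for f in capture if f.can_id not in background}


def filter_log(frames: list[Frame], keep: set[int]) -> str:
    """Trimmed candump -l text with only the chosen IDs, timestamps intact (canplayer -I)."""
    return "".join(f.log_line() + "\n" for f in frames if f.can_id in keep)


# Constructed sample captures (not recorded in the lab): a noise-only baseline and
# a capture taken while clicking buttons. 0x188 and 0x19B stand in for hypothetical
# turn-signal and door frames; 0x164 and 0x1A5 are background noise.
NOISE_LOG = """\
(1734000842.100001) vcan0 164#0000C01AA8000022
(1734000842.100503) vcan0 1A5#000000000000
(1734000842.101010) vcan0 164#0000C01AA8000023
"""
ACTION_LOG = """\
(1734000902.200001) vcan0 164#0000C01AA8000024
(1734000902.200410) vcan0 188#01000000
(1734000902.200900) vcan0 1A5#000000000000
(1734000902.201300) vcan0 19B#00000F000000
(1734000902.202000) vcan0 164#0000C01AA8000025
"""


def trimmed_replay_log() -> str:
    """End to end: baseline vs capture -> action IDs -> trimmed log for canplayer."""
    noise, capture = parse_log(NOISE_LOG), parse_log(ACTION_LOG)
    return filter_log(capture, find_action_ids(noise, capture))


if __name__ == "__main__":
    for frame in parse_log(ACTION_LOG):
        print(frame.human())
    print(trimmed_replay_log(), end="")
```

Run it as is to see the decoded frames and the trimmed log. To use it against the lab, record a baseline with candump -l vcan0 before touching any button, record a second log while clicking, pass both files' contents to parse_log, and feed the output of filter_log to canplayer -I; replaying only the action IDs makes it obvious which frame drives which dashboard element, which the full noisy log does not.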