In the past few years, several tools have been released that allow hobbyists to connect to the CAN buses found in cars. This is welcome, as the CAN protocol has become the backbone linking the embedded computers found in modern cars. Its use is now even spreading outside the car through the OBD-II connector: usage-based insurance policies, emission checks by law enforcement or engine diagnostics from a smartphone, for instance. Nonetheless, these tools do no more than the professional tools used by automobile manufacturers; in fact, they do less, since they have no knowledge of the upper-layer protocols.
Security auditors are used to dealing with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than the ability to listen to or interact with what they are auditing. Specifically, they need to be able to intercept communications and block, forward or modify them on the fly. This is why, for example, a platform such as Burp Suite is popular when it comes to auditing web applications.
In the talk below, the team presents CANSPY, a platform giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively over Ethernet with a packet manipulation framework such as Scapy. It is also worth noting that it was designed to be cheap and easy to build, as it is mostly made of inexpensive COTS components. Last but not least, we demonstrate its versatility by reversing the usual perspective on a security issue in cars: instead of auditing an electronic control unit (ECU) through the OBD-II connector, we partially emulate ECUs in order to audit a device that connects to this very connector.
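To make the "block, forward or modify with a set of rules" capability concrete, here is an added example (not CANSPY's own code, and not from the talk) of a rule-based interception path over CAN frames. It uses the Linux SocketCAN `struct can_frame` byte layout so the same functions can be applied to bytes read from a raw CAN socket; the frames, the rule set and the `zero_rpm` rewrite are constructed for the example, and the OBD-II identifiers (0x7DF functional request, 0x7E0-0x7E7 physical requests, 0x7E8-0x7EF responses, mode 01 PID 0x0C engine RPM) follow the standard, not any particular vehicle.

```python
"""Rule-based CAN interception (block / forward / modify).

Frames use the Linux SocketCAN ``struct can_frame`` layout (assumed here to be
the little-endian, 16-byte form seen on x86 hosts): u32 can_id, u8 can_dlc,
3 padding bytes, 8 data bytes. All sample traffic below is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

CAN_FRAME_FMT = "<IB3x8s"      # can_id, can_dlc, 3 pad bytes, 8 data bytes
CAN_EFF_FLAG = 0x80000000      # set in can_id for 29-bit identifiers
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF


@dataclass
class CanFrame:
    arb_id: int
    data: bytes
    extended: bool = False

    def pack(self) -> bytes:
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")
        can_id = self.arb_id | (CAN_EFF_FLAG if self.extended else 0)
        return struct.pack(CAN_FRAME_FMT, can_id, len(self.data),
                           self.data.ljust(8, b"\x00"))

    @classmethod
    def unpack(cls, raw: bytes) -> "CanFrame":
        can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
        if dlc > 8:
            raise ValueError("DLC out of range")
        extended = bool(can_id & CAN_EFF_FLAG)
        arb_id = can_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
        return cls(arb_id, data[:dlc], extended)


Action = Union[str, Callable[[CanFrame], Optional[CanFrame]]]


@dataclass
class Rule:
    """First matching rule wins. ``action`` is "drop", "pass", or a callable
    returning the rewritten frame (or None to drop it after inspection)."""
    arb_id: int
    action: Action
    mask: int = CAN_SFF_MASK


def apply_rules(frame: CanFrame, rules: List[Rule]) -> Optional[CanFrame]:
    for rule in rules:
        if (frame.arb_id & rule.mask) == (rule.arb_id & rule.mask):
            if rule.action == "drop":
                return None
            if rule.action == "pass":
                return frame
            return rule.action(frame)
    return frame                # no rule matched: forward unchanged


def bridge(raw_frames: List[bytes], rules: List[Rule]) -> List[bytes]:
    """Emulate the forwarding path between two CAN interfaces: every frame
    read on one side goes through the rules and, if it survives, is written
    to the other side."""
    out = []
    for raw in raw_frames:
        result = apply_rules(CanFrame.unpack(raw), rules)
        if result is not None:
            out.append(result.pack())
    return out


def zero_rpm(frame: CanFrame) -> CanFrame:
    """Rewrite an OBD-II mode 01 PID 0x0C (engine RPM) reply to report 0 rpm.
    Reply layout: [len, 0x41, PID, A, B], RPM = (256*A + B) / 4."""
    if len(frame.data) >= 5 and frame.data[1] == 0x41 and frame.data[2] == 0x0C:
        return CanFrame(frame.arb_id, frame.data[:3] + b"\x00\x00" + frame.data[5:])
    return frame


# Constructed sample traffic: a functional RPM request (0x7DF), the ECU's
# reply (0x7E8, 1726 rpm) and a physically addressed request to ECU #1 (0x7E0).
SAMPLE = [
    CanFrame(0x7DF, bytes([0x02, 0x01, 0x0C])).pack(),
    CanFrame(0x7E8, bytes([0x04, 0x41, 0x0C, 0x1A, 0xF8])).pack(),
    CanFrame(0x7E0, bytes([0x02, 0x01, 0x0C])).pack(),
]

RULES = [
    Rule(0x7E0, "drop", mask=0x7F8),     # block physical requests 0x7E0-0x7E7
    Rule(0x7E8, zero_rpm, mask=0x7F8),   # rewrite ECU replies 0x7E8-0x7EF
]

if __name__ == "__main__":
    for raw in bridge(SAMPLE, RULES):
        f = CanFrame.unpack(raw)
        print(f"{f.arb_id:03X}  {f.data.hex()}")
```

Running the sample forwards the 0x7DF request untouched, drops the 0x7E0 request and passes the 0x7E8 reply with its RPM bytes zeroed. The mask-based matching mirrors how hardware acceptance filters and SocketCAN `can_filter` entries work, so a rule set prototyped this way translates directly to a filter list on a real interface.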
In the past years, the increasing number of embedded computers in cars, known as Electronic Control Units or ECUs, has improved vehicle performance as well as safety and comfort for the occupants. As far as the latter point is concerned, it comes along with the need to make the car connected (i.e., Wi-Fi, Bluetooth, USB or even mobile broadband). As the car's use of new technologies increases, so does its attack surface. This has been proven in recent years, and on numerous occasions, by security researchers. They have demonstrated that the worst possible scenario can become reality: a malicious individual remotely endangering the vehicle's occupants as well as nearby vehicles on the road. It is worth noting that, to achieve such a result, it is usually necessary to go beyond the compromise of an embedded computer exposed by the attack surface and extend the compromise deeper into the car.
To ensure that such scenarios do not happen outside the laboratories of security researchers, automobile manufacturers have started to commission information security firms to audit current ECUs, assess the risks the vehicle is exposed to and, if need be, craft remediation plans before damage is done. To take this approach further, they also commission audits of prototype ECUs with the explicit aim of fixing security issues at the earliest possible stage. Regarding prototypes, it is worth mentioning that this not only greatly reduces the risk of a vulnerability ever being present in a commercial vehicle, it is also the most cost-effective approach.
Auditing ECUs is fairly new for information security firms, and there is still a great deal of work to be done on both methodology and tools. Security auditors are a costly resource for automobile manufacturers, which means they usually have much less time to find vulnerabilities than security researchers do. On the other hand, unlike security researchers, they work with the assistance of engineers from the automobile manufacturer. Either way, improving efficiency, and thus cost-effectiveness, is always at stake for security auditors.
> _In this paper, we will focus on two aspects: auditing ECUs that are not directly exposed by the attack surface and, more precisely, auditing them using a penetration testing approach. To that end, after giving an overview of the data-link protocol ECUs use to communicate with each other, we will go through the penetration testing methodology when applied to this particular case. Then, we will present CANSPY, a platform providing security auditors with the ability to intercept communications and block them, forward them or modify them on the fly with standard penetration testing tools. Finally, we will demonstrate the versatility and the efficiency of CANSPY by turning around a security issue usually considered when it comes to cars: instead of auditing an ECU through the OBD-II connector, we are going to partially emulate ECUs in order to lay the groundwork needed to audit a device that connects to this very connector._
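The abstract's last point, partially emulating ECUs so that a device plugged into the OBD-II connector can be audited, comes down to answering the diagnostic requests the device sends while recording what it asks for. The following is an added example (not the paper's code) of such a minimal emulated engine ECU. It answers OBD-II mode 01 single-frame requests for a handful of PIDs using the standard encodings (PID 0x00 supported-PID bitmap, 0x05 coolant temperature, 0x0C engine RPM, 0x0D vehicle speed), leaves anything else unanswered, as a real ECU that does not support a PID would, and logs every request for the auditor. Frames are plain `(arbitration_id, data)` pairs; putting them on a real bus, and the initial values chosen below, are assumptions of the example.

```python
"""Partial ECU emulation for auditing an OBD-II device.

Answers mode 01 (current data) single-frame requests and keeps a log of
everything the device under test asks for. Frames are (arb_id, data) pairs;
reading/writing them on a real CAN interface is outside this example.
"""
from typing import Dict, List, Optional, Tuple

Frame = Tuple[int, bytes]

OBD_FUNCTIONAL_REQ = 0x7DF     # tester -> all emission-related ECUs
ECU_PHYSICAL_REQ = 0x7E0       # tester -> this emulated ECU (ECU #1)
ECU_RESPONSE_ID = 0x7E8        # this emulated ECU -> tester


def encode_rpm(rpm: float) -> bytes:
    """PID 0x0C: RPM = (256*A + B) / 4, so A,B carry rpm*4 big-endian."""
    v = int(rpm * 4)
    return bytes([(v >> 8) & 0xFF, v & 0xFF])


class EmulatedEcu:
    def __init__(self, rpm: float = 850.0, speed_kph: int = 0, coolant_c: int = 90):
        # Constructed initial values; a real audit would drive these from
        # whatever scenario the device under test needs to see.
        self.pids: Dict[int, bytes] = {
            0x05: bytes([coolant_c + 40]),      # PID 0x05: A - 40 degrees C
            0x0C: encode_rpm(rpm),              # PID 0x0C: engine RPM
            0x0D: bytes([speed_kph]),           # PID 0x0D: A km/h
        }
        self.pids[0x00] = self._supported_bitmap()   # PID 0x00: PIDs 0x01-0x20
        self.log: List[Frame] = []

    def _supported_bitmap(self) -> bytes:
        """Bit 31 of the 4-byte bitmap is PID 0x01 ... bit 0 is PID 0x20."""
        bits = 0
        for pid in self.pids:
            if 1 <= pid <= 0x20:
                bits |= 1 << (32 - pid)
        return bits.to_bytes(4, "big")

    def handle(self, arb_id: int, data: bytes) -> Optional[Frame]:
        """Return the reply frame for a request, or None when the emulated
        ECU stays silent (not addressed to it, malformed, or unsupported)."""
        if arb_id not in (OBD_FUNCTIONAL_REQ, ECU_PHYSICAL_REQ):
            return None
        self.log.append((arb_id, bytes(data)))      # record what the device asks
        # ISO-TP single frame: first byte is the payload length (0..7).
        if len(data) < 1 or data[0] > 7 or len(data) < 1 + data[0]:
            return None
        payload = data[1:1 + data[0]]
        if len(payload) == 2 and payload[0] == 0x01 and payload[1] in self.pids:
            body = bytes([0x41, payload[1]]) + self.pids[payload[1]]
            return ECU_RESPONSE_ID, bytes([len(body)]) + body
        return None                                  # unsupported: silent, but logged


if __name__ == "__main__":
    ecu = EmulatedEcu()
    # Constructed sample requests: supported PIDs, RPM, then a VIN request
    # (mode 09 PID 02) this emulation does not implement.
    for req in [(0x7DF, b"\x02\x01\x00"), (0x7DF, b"\x02\x01\x0C"), (0x7DF, b"\x02\x09\x02")]:
        print(req, "->", ecu.handle(*req))
    print("requests seen:", ecu.log)
```

The log is the audit artefact: once the device under test is satisfied with the answers it gets for the basic PIDs, the unanswered requests it keeps sending (vendor-specific modes, mode 09 vehicle information, UDS services on the physical address) show which protocol features have to be emulated next to reach deeper into the device's logic.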