
Dynamic Security Testing of CAN-bus systems

beyondsecurity.com/can_bus_fuzzing_canbuster

Finding security flaws (0-Days) in CAN-bus devices and systems.

The CAN-bus protocol is widely used in the auto industry. Development of automotive products and systems
using this protocol has been advancing at a blistering pace and security testing teams have been left behind.
Hackers using a variety of ad-hoc CAN bus fuzzing tools are regularly discovering non-trivial security
weaknesses.

A quick search online produces detailed data on how to exploit security flaws that currently exist in many
production vehicles and accessories. We believe that many more, as yet unknown, security weaknesses (AKA
zero-days) exist and will be discovered.

To address this issue we have developed the first commercially available CAN-bus application and device
security testing kit. It consists of our dynamic security testing tool beSTORM and our CANbuster ECU simulator.
This kit is now available to manufacturers world-wide and for more information please fill in the form on the right
of this page or contact your nearest Beyond Security office.

beSTORM is one of the most widely used, commercially supported, multi-protocol, dynamic security testing
tools. It is used by industry to secure aerospace, telecom, manufacturing and financial applications and their
infrastructure components and of course it is also used on these same systems by more than a few
governments. For CAN-bus security testing purposes beSTORM is teamed up with the Beyond Security
CANbuster, a device that simulates a vehicle Electronic Control Unit (ECU) and which allows testing/fuzzing of
individual system components in a lab setting.

It is now possible for any QA department to dynamically test their CAN-bus reliant systems and products for
security flaws and certify them as being secure.

CAN-bus Fuzz Testing Demonstration on a Heads Up Device

For purposes of demonstrating dynamic security testing (fuzzing) using beSTORM and CANbuster we chose two
of many available Heads Up Devices (HUD). There are many manufacturers out there and dozens of models,
but they share many common components. The devices we tested look like these:

There are many other models on Amazon, but we have not tested them.

Their internal workings are almost identical, having a STM32F103 processor, a few voltage and current
regulators (MC1413BDG) and a CAN-bus transceiver (TJA1050). The more advanced version, which appears to
support more configuration options (the one in the left image), also has a Winbond (25Q80BVSIG) chip which is
used as flash memory.

CANbuster Device

Connect the CANbuster device (pictured below) to the HUD device via three wires: CAN-H, GND and CAN-L.
These connect to pins 6, 5 and 14 respectively on a J1962 connector. An external 12 V power source supplying
at least 300 mA should be connected to V(black, -) and V(red, +), pins 4 and 16 respectively on the connector.

The CANbuster device is connected via an Ethernet cable to a Windows machine that has beSTORM installed
and running. By default CANbuster has the pre-defined IP address 192.168.1.254.

J1962 Connector

The SAE J1962 connector comes in two versions: female, which is found in the car, and male, which is how the
HUD connects.

For the CANbuster device to connect to the HUD you will need it to have a female connector. If you plan on
connecting the CANbuster device to a car (warning, we are not responsible for any permanent damage that may
result!) you will need it to have a male connector.

To simplify the setup it is better to get a Y J1962 cable. If you can get a Y cable that has single strands for
wires it makes it easy to strip and connect to them.

CANbuster Car Fuzzing Simulation

At this point you should be able to turn on the system and see that the HUD
device boots up. The Beyond Security CANbuster will simulate a real ECU
by capturing requests being sent by the HUD device for certain parameters
(like car speed) and responding with valid values.

The CANbuster needs to be turned on prior to the HUD device being powered on. If the sequence is followed
correctly, when the HUD device is powered on it will show the car speed increasing and then decreasing in a
loop. All other values returned by the CANbuster are within the valid range. This is not the fuzzing or testing
part yet, only a simulation to let you know the CANbuster is emulating an ECU and correctly communicating
with the HUD.

beSTORM's fuzzing mechanism is NOT affected by CANbuster's simulated environment; however, without the
simulated environment the HUD device will not accept incoming data. Stopping the simulated environment
causes the HUD device to shut down, as it understands that the car engine / electrical system has been turned
off.

The HUD will boot up and start scanning the bus for signals; once it is running the display will change:

(NOTE: the image has been flipped to make it readable; the HUD device displays the information reversed, as it
should be reflected by the car's windshield).

beSTORM Dynamic Security Testing of CAN-bus

beSTORM fuzz testing consists of sending invalid (outside the valid range), unexpected (incorrect response)
and/or malformed (unrequested fields) responses back to the HUD device. The protocol being tested is OBDII
over CAN-bus.

When you configure beSTORM you will need it to use the CAN A port (assuming you connected the HUD device
to that port) by specifying port 0 as the port to use, and set the speed to 500000, which is the default bit rate
(500 kbit/s) of CAN devices in cars.

Depending on the HUD device, the CAN identifier that will be tested will be either 11 bit or 29 bit. This depends
on what the HUD device supports, simpler models support 11 bit, while more advanced ones support 29 bit.

Depending on which simulation environment you have used to get the HUD device up and running, use the same
value on the beSTORM module. To simplify things beSTORM provides an OBDII module that works in 29 bit
version, which appears to be the more common setup.
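An added example, not beSTORM or CANbuster code, modelling the exchange described above: a toy ECU that answers vehicle-speed requests with the rising-and-falling value the demo loop shows, and the HUD-side checks a robust device would apply to the three classes of bad response fuzzing sends (out-of-range, unexpected, malformed). CAN identifiers and PID sizes follow the ISO 15765-4 / SAE J1979 conventions for 11-bit and 29-bit OBD-II; the speed profile values are constructed.

```python
"""Constructed OBD-II-over-CAN model: a toy ECU that answers vehicle-speed
requests, and HUD-side validation of the responses. Not CANbuster/beSTORM code."""
from collections import namedtuple
from itertools import chain, cycle

# ISO 15765-4 identifiers: functional request and ECU #1 response, 11- and 29-bit.
REQ_ID = {11: 0x7DF, 29: 0x18DB33F1}
RESP_ID = {11: 0x7E8, 29: 0x18DAF110}
# SAE J1979 service 01 PIDs used here and their data sizes in bytes.
PID_SIZE = {0x0C: 2, 0x0D: 1}  # 0x0C engine RPM, 0x0D vehicle speed (km/h)

Frame = namedtuple("Frame", "can_id data")  # classic OBD-II frames carry 8 bytes

def request(pid: int, bits: int = 29) -> Frame:
    """HUD -> bus: ISO-TP single frame [len, service 0x01, PID], zero padded."""
    return Frame(REQ_ID[bits], bytes([0x02, 0x01, pid]).ljust(8, b"\x00"))

def speed_profile(top: int = 120, step: int = 10):
    """km/h values that climb to `top` and fall back, repeating (the demo loop)."""
    up = range(0, top + 1, step)
    return cycle(chain(up, reversed(up[1:-1])))

def ecu_reply(req: Frame, speed: int, bits: int = 29) -> Frame:
    """Simulated ECU: valid single-frame answer to a vehicle-speed request."""
    if req.data[1] != 0x01 or req.data[2] != 0x0D:
        raise ValueError("simulator only answers service 01 PID 0D")
    speed = min(max(speed, 0), 255)  # PID 0D is one byte, 0..255 km/h
    return Frame(RESP_ID[bits], bytes([0x03, 0x41, 0x0D, speed]).ljust(8, b"\x00"))

def check_response(resp: Frame, pid: int, bits: int = 29) -> str:
    """HUD-side validation: returns "ok" or why the frame must be discarded."""
    if resp.can_id != RESP_ID[bits]:
        return "unexpected: not the ECU response identifier"
    if len(resp.data) != 8:
        return "malformed: OBD-II frames must be 8 bytes"
    pci = resp.data[0]  # ISO-TP protocol control byte: type nibble, length nibble
    if pci >> 4 != 0 or not 1 <= (pci & 0x0F) <= 7:
        return "invalid: single-frame length outside 1..7"
    n = pci & 0x0F
    if n < 2 or resp.data[1] != 0x41 or resp.data[2] != pid:
        return "unexpected: wrong service or PID echoed back"
    if n != 2 + PID_SIZE[pid]:
        return "malformed: data length does not match the PID's size"
    return "ok"

def decode_speed(resp: Frame) -> int:
    """Vehicle speed in km/h; call only after check_response() returned "ok"."""
    return resp.data[3]
```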

CANbuster Kit Setup

The picture below illustrates how beSTORM and the CANbuster are set up.

1. Power supply, at the middle top
2. J1962, at the left
3. Car HUD device, middle bottom
4. CANbuster device, center
5. beSTORM on laptop, right

Results of CAN-bus Fuzz Testing with beSTORM

The HUD devices we tested presented many fatal flaws in that they crashed repeatedly within minutes of
starting the testing and their programming allowed inputs that presented as display and sound errors. These are
the early indicators of problems that, with some further investigation, could result in the development of input that
would assume some degree of control of the device.

Using beSTORM and CANbuster in this setup, ANY automotive system or device can be tested and we have a
high degree of confidence that most have fatal flaws - some of which could be 'weaponized'. Although beSTORM
and CANbuster are only sold to governments and manufacturers for their use in securing applications, the
current low level of security in automotive use of CAN-bus protocol allows far less capable and very widely
available fuzzers to also find problems that can then be developed into attacks.

For More Information

The beSTORM and CANbuster kit is now available world-wide and for more information please fill in the form on
the right of this page or contact your nearest Beyond Security office.
