beyondsecurity.com/can_bus_fuzzing_canbuster
The CAN-bus protocol is widely used in the auto industry. Development of automotive products and systems
using this protocol has been advancing at a blistering pace, and security testing teams have been left behind.
Hackers using a variety of ad-hoc CAN bus fuzzing tools are regularly discovering non-trivial security
weaknesses.
A quick search online produces detailed data on how to easily hack security flaws that currently exist on many
production vehicles and accessories. We believe that many more as yet unknown security weaknesses, AKA
zero-days, exist and will be discovered.
To address this issue we have developed the first commercially available CAN-bus application and device
security testing kit. It consists of our dynamic security testing tool beSTORM and our CANbuster ECU simulator.
This kit is now available to manufacturers world-wide and for more information please fill in the form on the right
of this page or contact your nearest Beyond Security office.
beSTORM is one of the most widely used, commercially supported, multi-protocol, dynamic security testing
tools. It is used by industry to secure aerospace, telecom, manufacturing and financial applications and their
infrastructure components and of course it is also used on these same systems by more than a few
governments. For CAN-bus security testing purposes beSTORM is teamed up with the Beyond Security
CANbuster, a device that simulates a vehicle Electronic Control Unit (ECU) and which allows testing/fuzzing of
individual system components in a lab setting.
It is now possible for any QA department to dynamically test their CAN-bus reliant systems and products for
security flaws and certify them as being secure.
For purposes of demonstrating dynamic security testing (fuzzing) using beSTORM and CANbuster we chose two
of many available Heads Up Devices (HUD). There are many manufacturers out there and dozens of models,
but they share many common components. The devices we tested look like these:
There are many other models on Amazon, but we have not tested them.
Their internal workings are almost identical: an STM32F103 processor, a few voltage and current
regulators (MC1413BDG) and a CAN-bus transceiver (TJA1050). The more advanced version, which appears to
support more configuration options (the one in the left-hand image), also has a Winbond (25Q80BVSIG) chip which is
used as flash memory.
CANbuster Device
Connect the CANbuster device (pictured below) to the HUD device via three wires: CAN-H, GND and CAN-L.
These connect to pins 6, 5 and 14 respectively of a J1962 connector. An external 12 V power source supplying
at least 300 mA should be connected to V(black-) and V(red+), pins 4 and 16 respectively on the connector.
The CANbuster device is connected via an Ethernet cable to a Windows machine that has beSTORM installed
and running. By default CANbuster has a pre-defined IP address of 192.168.1.254.
J1962 Connector
The SAE J1962 connector comes in two versions; the female version is the one found in the car.
At this point you should be able to turn on the system and see that the HUD device boots up. The Beyond
Security CANbuster will simulate a real ECU by capturing requests sent by the HUD device for certain
parameters (like car speed) and responding with valid values.
The HUD will boot up and start scanning the bus for signals; once it is running the display will change:
beSTORM Dynamic Security Testing of CAN-bus
When configuring beSTORM, set it to use the CAN A port (assuming you connected the HUD device to that
port) by specifying port 0 as the port to use, and set the speed to 500000, which is the default baud rate of
CAN devices in cars.
Depending on the HUD device, the CAN identifier under test will be either 11-bit or 29-bit. This depends on
what the HUD device supports: simpler models support 11-bit identifiers, while more advanced ones support 29-bit.
Whichever simulation environment you used to get the HUD device up and running, use the same identifier
format on the beSTORM module. To simplify things, beSTORM provides an OBDII module that works with 29-bit
identifiers, which appears to be the more common setup.
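The two points above, the ECU simulator answering a HUD's parameter requests and the choice between 11-bit and 29-bit identifiers, can be made concrete with a small model of the OBD-II request/response exchange. The following is an added example written for this page, not code from Beyond Security, beSTORM or CANbuster, and it drives no real CAN hardware; the OBD-II functional identifiers (0x7DF/0x7E8 for 11-bit, 0x18DB33F1/0x18DAF110 for 29-bit) are the standard ISO 15765-4 values, while the speed and RPM values and the `SimulatedEcu` class are constructed for illustration.

```python
"""Model of the OBD-II exchange between a HUD (requester) and a simulated ECU.

Constructed example: single-frame ISO-TP requests for mode 0x01 'current data'
PIDs, answered the way an ECU simulator would, for both identifier formats.
"""
from dataclasses import dataclass
from typing import Optional

# ISO 15765-4 functional request / ECU #1 response identifiers.
REQ_ID_11 = 0x7DF          # 11-bit functional request
RESP_ID_11 = 0x7E8         # 11-bit response from ECU #1
REQ_ID_29 = 0x18DB33F1     # 29-bit functional request
RESP_ID_29 = 0x18DAF110    # 29-bit response from ECU #1 (address 0x10)


@dataclass
class CanFrame:
    can_id: int
    extended: bool          # True for a 29-bit identifier
    data: bytes

    def __post_init__(self) -> None:
        # Reject identifiers that do not fit the frame format and payloads
        # longer than classic CAN allows: these are the first malformed
        # inputs a receiver has to discard cleanly.
        max_id = 0x1FFFFFFF if self.extended else 0x7FF
        if not 0 <= self.can_id <= max_id:
            raise ValueError("identifier out of range for frame format")
        if len(self.data) > 8:
            raise ValueError("classic CAN payload is at most 8 bytes")


def is_valid_frame(can_id: int, extended: bool, data: bytes) -> bool:
    """True if the frame passes the structural checks in CanFrame."""
    try:
        CanFrame(can_id, extended, data)
        return True
    except ValueError:
        return False


def _encode_speed(kph: int) -> bytes:   # PID 0x0D: one byte, km/h
    return bytes([kph])


def _encode_rpm(rpm: int) -> bytes:     # PID 0x0C: two bytes, (A*256+B)/4
    raw = rpm * 4
    return bytes([raw >> 8, raw & 0xFF])


class SimulatedEcu:
    """Answers mode 0x01 requests for a fixed set of PIDs (constructed values)."""

    def __init__(self, extended: bool, speed_kph: int = 60, rpm: int = 2000):
        self.extended = extended
        self.req_id = REQ_ID_29 if extended else REQ_ID_11
        self.resp_id = RESP_ID_29 if extended else RESP_ID_11
        self.values = {0x0D: _encode_speed(speed_kph), 0x0C: _encode_rpm(rpm)}

    def handle(self, frame: CanFrame) -> Optional[CanFrame]:
        # Only frames on the functional request ID in the matching format count.
        if frame.extended != self.extended or frame.can_id != self.req_id:
            return None
        # Single-frame ISO-TP layout: [length, mode, pid, padding...]
        if len(frame.data) < 3 or frame.data[0] != 2:
            return None
        mode, pid = frame.data[1], frame.data[2]
        if mode != 0x01 or pid not in self.values:
            return None         # unsupported PID: stay silent like a real ECU
        body = bytes([mode + 0x40, pid]) + self.values[pid]
        data = (bytes([len(body)]) + body).ljust(8, b"\x00")  # pad to 8 bytes
        return CanFrame(self.resp_id, self.extended, data)


def build_request(pid: int, extended: bool) -> CanFrame:
    """Build the single-frame request a HUD sends for one mode-01 PID."""
    req_id = REQ_ID_29 if extended else REQ_ID_11
    return CanFrame(req_id, extended, bytes([0x02, 0x01, pid]).ljust(8, b"\x00"))


def decode_speed(frame: CanFrame) -> int:
    """Parse a mode-01 PID-0D response the way a careful HUD should."""
    if len(frame.data) < 4:
        raise ValueError("response too short")
    length = frame.data[0]
    if not 3 <= length <= 7 or frame.data[1] != 0x41 or frame.data[2] != 0x0D:
        raise ValueError("not a valid speed response")
    return frame.data[3]


def exchange_speed(extended: bool, speed_kph: int) -> int:
    """Run one request/response round trip and return the decoded speed."""
    ecu = SimulatedEcu(extended, speed_kph=speed_kph)
    response = ecu.handle(build_request(0x0D, extended))
    if response is None:
        raise RuntimeError("ECU did not answer")
    return decode_speed(response)


if __name__ == "__main__":
    for ext in (False, True):
        print(f"{'29' if ext else '11'}-bit: speed = {exchange_speed(ext, 88)} km/h")
```

Note that `decode_speed` rejects an out-of-range length byte and a wrong mode/PID echo instead of indexing blindly; the display and sound errors reported later on this page are what a receiver that skips these checks tends to show when fed unexpected frames.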
The picture below illustrates how beSTORM and the CANbuster are set up.
Results of CAN-bus Fuzz Testing with beSTORM
The HUD devices we tested presented many fatal flaws: they crashed repeatedly within minutes of the start
of testing, and their programming allowed inputs that presented as display and sound errors. These are the
early indicators of problems that, with some further investigation, could result in the development of input that
would assume some degree of control of the device.
Using beSTORM and CANbuster in this setup, ANY automotive system or device can be tested and we have a
high degree of confidence that most have fatal flaws - some of which could be 'weaponized'. Although beSTORM
and CANbuster are only sold to governments and manufacturers for their use in securing applications, the
current low level of security in automotive use of CAN-bus protocol allows far less capable and very widely
available fuzzers to also find problems that can then be developed into attacks.
The beSTORM and CANbuster kit is now available world-wide and for more information please fill in the form on
the right of this page or contact your nearest Beyond Security office.