CAN bus is a wildly successful fieldbus protocol that is perfectly designed for vehicle applications (even including spacecraft that have gone to Mars). But that success in handling sensors and actuators means it's going to be attacked by anyone wanting to compromise a vehicle. So there has been lots of activity in how to improve the security of CAN bus. I have produced a four part video series that covers the topic of CAN security, going over the types of attack on CAN and the four major techniques for defending a CAN bus against those attacks.
Each episode in the series covers one mitigation technique, and this first episode gives a taxonomy of attacks and shows how the less commonly understood CAN protocols attacks work and why they are particularly insidious. Also covered is the first of the four defensive techniques: the intrusion detection system (IDS).
Each episode in the series covers one technique for defending the CAN bus, and this second episode describes cryptography. It discusses how the needs of a distributed real-time control system impact on the requirements for a cryptographic system. The implementation issues are covered, including a case study of the CryptoCAN system from Canis Labs, and a description of the SHE standard for automotive hardware security modules (HSMs).
This third episode describes security gateways, using as a case study the Canis Labs security gateway. Covered is the things that security gateways must do, particularly the buffering and real-time handling of frames.
This fourth episode describes hardware protection of CAN using the new CAN-HG protocol. The episode describes how CAN-HG augments the CAN protocol and provides both authentication and protection against denial-of-service attacks directly in hardware. There is a demonstration of this plus CAN-HG carrying a hundred byte payload hidden inside 8 byte classic CAN frame.
This video gives a quick introduction to CryptoCAN and how to get started with it on the CANPico with MicroPython. It covers key provisioning with the HSM, how to send encrypted messages over CAN and how to decode them at receivers.
CAN protocol attacks are mounted by software getting direct access to the RX and TX pins of a CAN transceiver, bypassing the on-chip CAN module. This short video gives an example of how the pin mux on the STM32F405 microcontroller is set up for CAN and how it is altered to give software access to the pins. Watch to the end for a tip on how to make CAN protocols attacks much harder!
Shows an example of how priority inversion happens on CAN bus, and how the transmission of the most urgent frame in a CAN bus can be delayed for an arbitrarily long time.
A short introduction to the Canis Labs CANPico CAN hardware for the Raspberry Pi Pico. Demonstrates sending CAN frames with the MicroPython CAN API and a logic analyzer with a CAN protocol decoder.
A demonstration of the CANHack CAN protocol hacking software, including three new protocol attacks.
The inspiration for putting high-speed data inside classic CAN frames? Movie film. The movie industry had a similar problem: how to get lots of new digital sound data into old film format, retaining compatibility with old projectors. Their solution was really neat…
In this presentation we describe the concept of attacks on the CAN protocol itself and then demonstrate several different attacks on a small benchtop CAN network of open source CANPico boards from Canis Labs, using the open-source CANHack toolkit to mount the attacks and the Canis Labs open source Sigrok CAN logic analyzer to see how these attacks look. We will also discuss ways to mitigate these attacks.
CAN is an old protocol, dating back to the late 1980s when few had heard of the Internet let alone the idea of connecting cars to it. It remains ubiquitous because it’s almost perfectly designed to fit the needs of the automotive industry. But now it is time to directly address the security of CAN. This talk describes how the CAN protocol can be augmented with hardware to provide security features such as anti-spoofing and protection against denial-of-service attacks.
What happens when two CAN controllers on an otherwise empty bus each at the same time transmit frames with same ID of 0x123 and payloads of 66 69 72 73 74 and 73 65 63 6f 6e 64 respectively? To find out, watch the video.
Showing a Canis Labs CANPico board used as a USB CAN adapter for Wireshark.
The Janus Attack is a low-level attack on CAN protocol itself, where a CAN frame contains two different payloads, with a targeted CAN controller seeing a different payload to other CAN controllers.
Shows Sigrok PulseView with the can2 CAN protocol decoder being used to decode CAN signals from a bus. Also shows how the low-level view of the protocol can show attacks on the CAN bus that are invisible at the higher frame level.
Shows a real system suffering priority inversion due to FIFO queueing of CAN frames, and how switching to priority queueing fixes this.
An overview of the MIN protocol and how it can be used to control an embedded device from host PC software via a Python API.