- Videos: 5
- Views: 184,273
Roderick Currie
USA
Joined 9 May 2011
Hacking the CAN Bus: Presentation
Hacking the CAN Bus - Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering
Roderick Currie is a cyber security professional with 12 years of industry experience, and is a participant in the Master of Science in Information Security Engineering (MSISE) program at SANS Technology Institute (STI).
For a more detailed description of the techniques described here, please see the accompanying research paper at the following location:
www.sans.org/reading-room/whitepapers/awareness/hacking-bus-basic-manipulation-modern-automobile-through-bus-reverse-engineering-37825
Views: 56,005
Videos
Hacking the CAN Bus: Incrementing the Odometer
6K views · 7 years ago
Successful manipulation of my vehicle's odometer using SocketCAN, a laptop computer, and some basic hardware. The odometer increased by a total of 5.7 miles over roughly 2 minutes. If the vehicle was being driven, this rate of odometer increase would require the vehicle to be traveling at a speed of approximately 170 mph. For a detailed description of how this hack was performed, please see my ...
Hacking the CAN Bus: "Accelerating" to 188 mph
4.1K views · 7 years ago
Successful manipulation of my vehicle's speedometer using SocketCAN, a laptop computer, and some basic hardware. For a detailed description of how this hack was performed, please see my research paper: Hacking the CAN Bus - Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering www.sans.org/reading-room/whitepapers/awareness/hacking-bus-basic-manipulation-modern-automobil...
Hacking the CAN Bus: Playing with the Tachometer
2.9K views · 7 years ago
Successful manipulation of my vehicle's tachometer using SocketCAN, a laptop computer, and some basic hardware. For a detailed description of how this hack was performed, please see my research paper: Hacking the CAN Bus - Basic Manipulation of a Modern Automobile Through CAN Bus Reverse Engineering www.sans.org/reading-room/whitepapers/awareness/hacking-bus-basic-manipulation-modern-automobile...
Time-Lapse of Bunk Bed Playhouse DIY Construction
115K views · 9 years ago
2019 Update: Fiona now has her own RUclips channel where she shares her passion for drawing animals! ruclips.net/channel/UC3axY8gXT1c8G8XBbxmurbQ Time-lapse video of the build process for Fiona's bunk bed and playhouse. This project was completed in my free time over a 4-month period. The total cost of materials was around $700. Plans for the Sweet Pea Bunk Bed courtesy of Ana White: ana-white....
Great work mate
Hi, a quick question in case you can help me, do you know what the bus ID is to check the total kilometers (odometer), just to read the value, thank you
This reminds me of what 'old-school hacking' was all about - tinkering beyond typical limits to achieve something cool. I understand how these things can be used for malicious reasons, but the greatest benefit of such knowledge in my view is that it opens up a lot of opportunities to make some cool car gadgets. One of the problems that could arise if security is tightened up on automotive communications/control systems is that it could end up being a lot more difficult to have fun making custom gauges, interfaces, audio systems or perhaps even one touchscreen to rule them all. I wonder what Richard Stallman would create as far as automotive systems go...? Great video! I know this is 6 years on, but the information is still just as relevant in 2024 as it was 6-7 years ago; highlighting what you mentioned about companies not doing much about security. Hopefully they only secure the safety features and leave the rest open for tinkering :)
I like having an insecure canbus. Makes it easy to see what is going on.
thanks for sharing
how can you clone the firmware?
Where does Volvo store the expected software numbers within the CAN network for all the control modules attached to MS-CAN or HS-CAN? Got 2 used control modules, and both of them are setting U030000 incompatible software and U012200 lost communication.
Hi, what hardware are you using?
How can I know the CAN address when transmitting a data package? Do you have addresses for other cars like Kia, Ford, Toyota...?
Don't expect car manufacturers to start integrating pieces of architecture Bosch has not yet designed. Security is always an afterthought because it eats into profits 🙂
Simply do NOT attach powertrain systems to cellular. Chrysler could have released TSB calling to detach Infotainment B bus from Star Can connector. That way wireless and powertrain are isolated from scammers just wanting more security
This really isn’t hacking, it’s just reading a network and replaying packets.
Hacking is a catch-all term for any type of misuse of a computer to break the security of another computing system to steal data, corrupt systems or files, commandeer the environment or disrupt data-related activities in any way. Unfortunately, this isn't quite as glamorous as the way Hollywood portrays hacking on the big screen.
@@RodCurrie Right, CAN BUS is only physically secured, there is no security layer and therefore there is nothing to actually break.
Thanks
Saying the CAN bus is a problem is like saying a USB port on a server is a problem. Trying to encrypt it will not solve the issue of a compromised device giving you access to the CAN bus. It also raises other issues of your ability to control your own device. Why shouldn't you be able to access the CAN bus? So the CAN bus doesn't seem to be the problem. The problem is things which allow you to remotely gain access to it. You shouldn't be able to compromise a web browser and gain access to the CAN bus. And the segregation of the 2 separate CAN busses seems to do that well.
Bit alarmed by the use of the word attack here. Like you say, with a direct connection the only level of security is the black-boxness of the software in each module; establishing what each data packet does is mostly just elimination and testing time. Those speed conversion factors are often listed (due to wheel size and market and different dash configuration) within any OBD tool for the car for soft coding. You slightly mentioned different CAN protocols but didn't say that on many vehicles with a gateway module you'll have to pick carefully where you join the network if you want to play effectively. A more attacky thing would be how to circumvent the software to carry out custom updates without pulling the EEPROM, like imitating a factory tool.... yes yes I know, hide a data sniffer inside and send in your car for a software update, but that's not fun. Most half-decent automotive oscilloscopes can record and decode CAN these days, and if you prefer doing things the fun way Arduino is totally the way to go imo. Re the radio hack you mention at the start, it's sparked my interest. I assume that somehow forces the radio to then send spoofed CAN signals into the network? On most cars the infotainment is on a higher baud rate than the drivetrain and comfort CAN networks; I'm guessing gateway modules are there now to block those spurious packets? Thank you for the vid!
Also, pushing this security... yes, remote hacks need to be stopped, but as a car user in a pandemic I find it very frustrating that I'm not easily able to get the information required to service and repair my car... it's 13 years old and still the only way to get a new key is basically the dealer, and if any ECU module goes bad 99% of the focus is on "throw it away", not because we don't know what's on the PCB but because we don't know what's written to the chips. Example being 00003 codes on VW: it's the 'part defective' code for each module and is only erasable with a full software rewrite. Even if it was just caused by a bad LED and it's repaired, you'll be spending 1000s because the code only goes with a reflash that most VW workshops don't even know about, thanks to VAG secrecy. 13 years!!! Damn it lol!
Hi, was a great video. But all the hacking you mentioned can easily be done with a good diagnostic tool; you go to the special functions of the tool and can do everything you mentioned.
Thanks for watching the video! I understand your point, and you are absolutely right. However, this is more of a "proof of concept" to show some of the basic things you can do once you are on board the CAN bus. Imagine you are able to gain access to the CAN bus remotely via a Bluetooth exploit or a vulnerability in a vehicle's on-board Wi-Fi. This video shows that you can send commands over CAN to manipulate the vehicle. Messing with the digital display is not particularly exciting. But the same concept could be used to manipulate the accelerator, brakes, steering, etc. Gotta look at the big picture.
@@RodCurrie Thanks a lot for your reply ,you are right
How did you handle the case with the CRC used in CAN messages? In the case of transmitting new data (not replaying old data) with a specific CAN ID, how did you manage to calculate the CRC so that it is correctly received by the receiver ECU?
For this research I ignored CRC completely and just sent the data without verifying that it was received or processed by the receiving unit. This is not the best way to go about sending data on the CAN bus, but it worked at least as a basic proof of concept.
@@RodCurrie How would you go about decoding the CRC polynomial from the given CAN dump? Do you have any ideas? Does it even make sense and is possible to retrieve the CRC polynomial? This would enable us to introduce a spoof ECU in the bus and send spoofed messages to valid receivers.
@@vk-lt9wv I am sure it could be done if you have a large enough sample of data and the time needed to analyze it all. It's really just a case of observing the data and looking for patterns. I cut my research short due to time limitations, but I would have liked to take this further including figuring out the CRC field. I often experienced a problem during CAN playback where messages would be ignored by the receiver or the interface would reset completely. I believe an incorrect CRC was the root cause of this.
@@RodCurrie Do you mean to say that some of the ECUs in your vehicle were able to receive messages without the CRC field set? i.e. the ECUs were able to receive raw CAN packets (with correct IDs). I was under the assumption that all ECUs that receive messages without the CRC field would just reject the message. But in your case that doesn't seem to be the case. Could you explain a bit more on this? Secondly, just by observing the data and looking for patterns, would reverse engineering the CRC part not be possible? Or would it be?
@@vk-lt9wv It's my opinion that you could reverse-engineer the CRC by analyzing recorded CAN data. I haven't tried, but I am confident it could be done. And yes, I did find that some ECUs will accept and process CAN messages without the CRC being correct, or even with no CRC value being provided. However, if you fire off too many messages with invalid CRC fields then the receiving unit will eventually get upset and start ignoring them.
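For context on the CRC exchange above, an added example that is not from the video, the paper, or any commenter: in CAN 2.0 the 15-bit CRC is generated by the CAN controller hardware from the de-stuffed frame bits using the polynomial fixed by the standard (0x4599, i.e. x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1), so a SocketCAN sender never supplies it, and a correct CRC shows only that the frame was not corrupted on the wire, not who sent it. The CAN ID and payload bytes used at the bottom are constructed sample values, not IDs from the Civic in the paper.

```python
# CAN 2.0A (11-bit identifier) CRC-15 as specified by the standard.
# Illustrative code; the controller computes this in hardware on a real bus.
CAN_CRC15_POLY = 0x4599  # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1


def crc15(bits):
    """Bit-serial CAN CRC-15: zero initial value, no final XOR.

    `bits` is the de-stuffed bit sequence from SOF through the last data bit.
    """
    reg = 0
    for bit in bits:
        nxt = bit ^ ((reg >> 14) & 1)   # MSB of the 15-bit register
        reg = (reg << 1) & 0x7FFF       # shift, keep 15 bits
        if nxt:
            reg ^= CAN_CRC15_POLY
    return reg


def frame_bits(can_id, data):
    """Bits covered by the CRC of a standard data frame:
    SOF, 11-bit ID, RTR, IDE, r0, 4-bit DLC, then the data bytes."""
    if not 0 <= can_id <= 0x7FF:
        raise ValueError("standard CAN ID must fit in 11 bits")
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    bits = [0]                                            # SOF (dominant)
    bits += [(can_id >> i) & 1 for i in range(10, -1, -1)]  # ID, MSB first
    bits += [0, 0, 0]                                     # RTR=0, IDE=0, r0
    bits += [(len(data) >> i) & 1 for i in range(3, -1, -1)]  # DLC
    for byte in data:
        bits += [(byte >> i) & 1 for i in range(7, -1, -1)]
    return bits


def frame_crc(can_id, data):
    """CRC-15 the controller would append to a data frame with this ID/payload."""
    return crc15(frame_bits(can_id, data))


if __name__ == "__main__":
    # Constructed sample frame, not a real ID from any vehicle.
    sample_id, sample_data = 0x123, bytes([0x01, 0x02])
    print(f"CRC-15 for ID 0x{sample_id:03X} data {sample_data.hex()}: "
          f"0x{frame_crc(sample_id, sample_data):04X}")
    # A single flipped payload bit yields a different CRC (corruption detected),
    # but any node on the wire can produce a valid CRC for any ID it chooses.
    print(f"CRC-15 after one bit flip: "
          f"0x{frame_crc(sample_id, bytes([0x01, 0x03])):04X}")
```

Because the CRC is linear and keyless, the layer that actually identifies a sender has to be added above it, for example a message authentication code over the payload such as AUTOSAR SecOC uses.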
ABSOLUTE CRAP
Join the upcoming "Practical Automobile (Car) Penetration Testing" online course from the Digital Defense Academy. Please visit the link below for details - Pre-launch offer (40% discount) and installment based payment plans available www.digitaldefense.academy/offerpch
So, maybe giving it a negative speed/mph would reverse the odometer? hmm
This was a few years ago, but from what I can recall, there was no way to go negative. Any value it receives is interpreted as a positive value. You can either increment it slowly or you can increment it quickly.
@@RodCurrie it uses the absolute value... There must be a way to do it digitally, and connecting in this way. Amazing find nonetheless thanks for uploading
Great..
I am reading your paper, and it is incredible. Tks for sharing your knowledge.
Thank you for your support! 👍
Crystal clear and well explained. Some questions only: so CAN bus is like UDP broadcast, no assurance that nodes have received the message?
That is correct. The UDP analogy is a good one. The CAN protocol is a lot like UDP in that a sender has no way of knowing (usually) if a message reached its intended target or not.
@@RodCurrie I like your presentation, sir; even if it's a little older it beats some new tutorials on RUclips today. By the way, I'd like to ask about B-CAN: is it the LIN bus or still CAN bus?
@@hfe1833 Thanks! 👍 The presentation is definitely a bit dated now. I posted this more than 3 years ago. Tech changes fast. As for CAN and LIN, CAN is separate from LIN. B-CAN is still CAN.
Thank you. Very informative and crystal clear explanation. Just wondering which online repair data service (paid subscription) you used ? Is it ALLDATA or something else?
I used ALLDATA and Mitchell OnDemand.
@@RodCurrie Wish you all the best and thanks for the quick response.
You show 2 design plans but I would like the plans for the one you built with material list. Do you have the plans for yours?
The plans and material list are at the Ana White link.
Hi, I'm searching for the pid list to a Game Simulator Civic Based dashboard and this is perfect to me. Thank You!!
Looking at beds so I can find one for my daughter I wish I could just build one like this! These beds are so expensive to buy but so beautiful
I'm planning to hack my car (i20) to automatically lock the doors after reaching some speed and unlock them when the engine is off. So, which variant of CAN bus shield is suitable for my project? Thanks.
This is great. Have you ever looked into tachograph manipulation? You will love it. Long story short, in the EU there is this device called a tachograph that is used by lorry drivers to record the activity, time, speed, and distance traveled of the driver on a personal card. The recording is done automatically by the device. It is done so that the driver does not drive over allowed driving times and takes appropriate breaks in between, etc. Since their invention people have tried to find a way to manipulate this device for their own gain. As time moved on the tachograph and legislation improved, but so did the manipulation methods. The latest manipulation method I've seen is by modifying a USB port from the truck so that 2 wires from the USB port connect to the CAN bus of the truck, and by connecting a USB stick (it is a special one; I've plugged it into the computer but it is not recognised) you disable the tachograph, so when you drive the tachograph will record that you are resting. I would love to ask you some questions and have a talk about this; I have some material to share too. Feel free to email me: suvalf@gmail.com. Thank you.
Sounds like the device is fairly easy to manipulate. I have seen similar manipulation of insurance company "dongles" that are supposed to encourage safe driving. Governments and private companies try to use tech to influence and enforce certain driving habits, but someone is always one step ahead.
I can send you some photo examples of what I've found so far and can further explain the basics of how the tachograph works. Send me an email if you want.
@@RodCurrie I'm planning to hack my car (i20) to automatically lock the doors after reaching some speed and unlock them when the engine is off. So, which variant of CAN bus shield is suitable for my project? Thanks.
Great video very interesting
Thanks for publishing this video! It was very helpful in developing an ISO9141 to CANbus data transceiver.
Have you posted the code anywhere?
If you are going to copy his work, you could at least give Eric Evenchick some credit.
This is a very ill-informed comment. I have not "copied" any of Eric's work. I conversed numerous times with Eric about this project back in 2017 while I was working on it. I also credit Eric in the video as well as on Page 16 of the associated research paper (link in description). I am a fan of Eric's work and he knows it.
Can you possibly have something like this for use as a car customizer? For example, I love the new Land Rover Range Rover full digital dash/gauges and would like to install them into a 1990s Honda or a 1985-1993 Ford Mustang and be able to show all the data for the engine, transmission, brakes, etc., you get the point. Just a way to fully customize it to our liking and be fully compatible/working with some wiring and maybe changing a few sensors, and use the outputs of stock to custom ECUs (engine control units).
Thanks for sharing that looks great 👍
Hi, what car is this on? I need to increase the mileage on my cluster to correct the mileage. I've got it hooked up to a CAN USB where I can send the speed CAN frame and the speed shows up on the cluster. Is the mileage increment on the same speed frame or a different frame altogether?
This is done on a 2011 Honda Civic. Please check out the paper linked in the video description. Section 23 on Page 46 is where I talk about how exactly to manipulate the odometer.
It seems the CANtact you mentioned is an abandoned project and no longer available. What else would you suggest?
That's unfortunate that CANtact is no longer available. CANable looks like it might serve the same function, although I have never used it. I'd also recommend looking into the Macchina M2, which is actually far more capable than CANtact but requires a different wiring setup.
Hi Roderick, thank you for the nice presentation. What inexpensive hardware would you recommend to use in conjunction with Linux tools?
22:50
But can you subtract miles? 🤔
Now that would be illegal...
Yes, it can be done, don't be so naive....
@@mrreddog teach me how
That B-CAN bus, isn't that also called LIN bus, which is a 1-wire bus?
On the Honda Civic I worked on, LIN and B-CAN are separate. They are each single-wire buses, but they perform different functions. I found that LIN is used to connect the alternator, battery sensor, DC converter, and engine control module. B-CAN is used for less critical functions such as climate control, air temperature sensors, etc.
@@RodCurrie It's good to know, thank you.
@@RodCurrie I'm planning to hack my car (i20) to automatically lock the doors after reaching some speed and unlock them when the engine is off. So, which variant of CAN bus shield is suitable for my project? Thanks.
* The FBI Wants to Know Your Location *
Trust me, they know.
A very interesting and educational video on the CAN bus. But you can't compare hacking a car's CAN bus to defacing a web site. A web site is accessed remotely, and you accessed the CAN bus directly on the hardware. That is like accessing a computer hosting a web site directly on the hardware. This is always insecure. The problems with modern cars are remote access (Wi-Fi or Bluetooth) through, for example, an insecure entertainment system that is directly connected to the CAN bus on the vehicle. If you let the mischief-makers inside your vehicle, then you certainly are going to be pwned!
Thank you for the feedback. You are correct that this does not replicate a real-world attack scenario. This is more just a proof of concept. However, it has been shown that modern vehicles are extremely vulnerable via various remote interfaces. The Miller and Valasek hack of a Jeep Cherokee worked via the car's cellular interface. They exploited a factory design flaw. How many vehicle owners are out there driving around right now in vehicles with insecure, exposed remote interfaces?
@@RodCurrie I'm planning to hack my car (i20) to automatically lock the doors after reaching some speed and unlock them when the engine is off. So, which variant of CAN bus shield is suitable for my project? Thanks.
Very cool! Do you do any consulting on CAN related projects?
Unfortunately, my current employer forbids it.
Totally understand. Would love to chat sometime. Not trying to get free work, just curious about some of the core concepts and how they might be applied in an automotive customization platform instead of security.
Can you tell me how to retrieve transmission temperature? Like the CAN ID for transmission temp.
I wish I could, but transmission temperature is not something I experimented with unfortunately.
Hi Roderick, I have only just seen this (Dec. 2018). Great presentation! Thanks, it was very informative. Going to attempt a hack on an older Mercedes SBC pump, coding it to the car now!
Good luck!
good job!
10:47 Did you break the law by altering your odometer? You did not list it as an exception to the law in your presentation.
Short answer: Yes. Long answer: No one would prosecute this because it was not done with intent to deceive. Modifying a vehicle's odometer is illegal in the United States under Title 49, U.S. Code Chapter 327, which prohibits the "disconnection, resetting, or alteration of a motor vehicle's odometer with intent to change the number of miles indicated thereon."
Hello Sir, do you know any ready-made or DIY device available on the market which can detect a running engine's RPM (via a non-contact method or via the crankshaft sensor) and then, via "CAN protocol output", pass on this RPM value to any of the following DC controllers (to control a DC motor's RPM)?
1. www.nocoev.com/product/curtis/manual/1229%20(15B).pdf
2. www.nocoev.com/product/curtis/manual/1244%20(13E).pdf
3. OR any other 200+ Amp DC motor SPEED & TORQUE controller (which you would recommend)
Please do let me know if you have any appropriate device. Thanks!
that's such a cute bed
Do you make these? If so how much?
Sorry, this was a one time thing! But the plans are available online if you want to take a shot at it.
Roderick Currie Where are the plans? Can you give a link please?