Infotainment Connection

Learning Objectives

By the end of this lesson you should be able to:

  • connect a Kali Linux virtual machine to an infotainment device using CANable hardware,
  • read CAN messages on a real CAN network,
  • and send CAN messages on a real CAN network.

About CAN Bus

CAN bus is a ubiquitous communication bus that is used to transmit information between the various Electronic Control Units (ECUs) in a vehicle. CAN bus is designed to be a cheap and reliable communication network, but was designed with no inherent security mechanisms. Verifying the source of a message on the CAN bus is difficult, and not generally done on a vehicle platform. This allows any attacker with physical access to the CAN bus to impersonate any device, causing other devices to respond as if the messages being transmitted by the attacker are legitimate. We will explore this capability by causing our infotainment unit to display a message.

Setup

CANable

This lab uses a CAN device called a CANable, coupled with Linux's SocketCAN tools. SocketCAN allows CAN devices to be used like any other network device on a Linux system. You will need the can-utils software package installed on your Linux system. Once installed, connect the CANable device to the infotainment system wiring harness as pictured, with the yellow wire connected to CANL and the green wire connected to CANH. Connect the micro USB cable from the CANable to your computer.

Wire the CANable

  • Plug in the wires to the USB device, matching HI and LO.
  • Be sure to connect the wires how they are physically labelled. The wiring should look similar to the picture below.

CANable

Connect the CANable to a Kali VM.

  • Plug the USB device into your laptop.
  • Ensure that your Windows laptop recognizes the USB device.
  • Reboot your Kali virtual machine and log in using kali and kali for the username and password.
  • In the VirtualBox menu above your Kali VM, select Devices > USB > bytewerks cantech gs_usbAdd. (The USB device name may be slightly different.) This will allow your VM to see the USB device.

Infotainment Power

Turn the infotainment system on by connecting the power supply to the barrel connector on the wiring harness and turning the switch on. There are different types of power switches depending on your particular infotainment unit.

Power Switch Type 1

Power Switch Type 2

Connect the wires to the harness at the infotainment system as shown in the photo below.

Wiring Harness

Establish a Connection in Kali

  • Open a terminal in Kali.
  • Set up the CAN network on the Linux machine by running these commands in a terminal window.
sudo ip link set can0 type can bitrate 500000
sudo ip link set up can0

Your Kali Linux VM should now be able to send and receive packets on the can0 network.

Send CAN Commands

  • The can-utils package has several utilities for reading messages from and sending messages on the CAN bus. Start by looking at the CAN traffic being sent by the infotainment system by running the following command:
candump can0
  • You should see CAN messages being printed to the screen. Press control+c to quit the candump program.
  • Try running cansniffer, connecting it to the can0 network.
cansniffer -c can0
  • You will likely need to resize the terminal running cansniffer. Is it useful?

  • Open a new terminal while cansniffer is still running.

  • Send a specific message on the CAN bus by running the following command.
cansend can0 445#872c4763
  • Watch the infotainment screen. This CAN message encodes the backup warning message including proximity to objects. The CAN message is identified by an arbitration ID, which for this message is the value 0x445. The data of this message is the hex string 872c4763. Try changing this data to see how the proximity warning display changes (for example, try sending the data section as 872c4993 to see if the display changes). The arbitration ID needs to be left as 445.

Spam Codes

You can use cangen to generate a lot of random traffic.

cangen can0

Occasionally, cangen might send so many codes that you overwhelm or crash the system. If the infotainment system appears unresponsive, you may need to power it off and power it back on.

Challenge: Evaluate Traffic

Use candump to capture "noise".

candump -l -f noise.txt can0
  • After a minute, stop the capture by pressing control+c. Check how many lines were captured using the word count (wc) program.
wc -l noise.txt
  • How many events were captured?

Key Takeaways

CAN provides no protection against replay attacks. Nothing prevents an attacker with physical access from sending arbitrary CAN messages to cause ECUs to misbehave. This misbehavior could include displaying spurious warning messages, and even control of steering, braking and acceleration in some vehicles.
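
Seen from the defender's side, a capture like the one from the Evaluate Traffic challenge can be checked for the kind of extra frame described above. This is an added example, not part of the original lab: it parses the `candump -l` log format and flags frames that arrive much sooner than their arbitration ID's usual period. The sample log, its timings, the ID 1A0 and the 0.5 threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in `candump -l` log format. ID 445 is from the lab; ID 1A0 and
# all timings are made up. The 872C4993 frame stands in for one sent with cansend.
SAMPLE_LOG = """\
(1700000000.000000) can0 445#872C4763
(1700000000.050000) can0 1A0#0011
(1700000000.100000) can0 445#872C4763
(1700000000.200000) can0 445#872C4763
(1700000000.230000) can0 445#872C4993
(1700000000.250000) can0 1A0#0012
(1700000000.300000) can0 445#872C4763
(1700000000.400000) can0 445#872C4763
(1700000000.450000) can0 1A0#0013
"""

LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2})*)$")

def parse_log(text):
    """Return (timestamp, arbitration_id, data) for each classic CAN data frame."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [(float(m[1]), int(m[3], 16), bytes.fromhex(m[4])) for m in matches if m]

def summarize(frames):
    """Per ID: frame count, number of distinct payloads, median gap between frames."""
    times, payloads = defaultdict(list), defaultdict(set)
    for ts, can_id, data in frames:
        times[can_id].append(ts)
        payloads[can_id].add(data)
    return {
        can_id: {"count": len(ts), "payloads": len(payloads[can_id]),
                 "period": median(b - a for a, b in zip(ts, ts[1:])) if len(ts) > 1 else None}
        for can_id, ts in times.items()
    }

def early_frames(frames, ratio=0.5):
    """Frames arriving sooner than ratio * their ID's median period (assumed threshold)."""
    stats, last, flagged = summarize(frames), {}, []
    for ts, can_id, data in frames:
        period = stats[can_id]["period"]
        if can_id in last and period and ts - last[can_id] < ratio * period:
            flagged.append((ts, can_id, data))
        last[can_id] = ts
    return flagged

if __name__ == "__main__":
    for ts, can_id, data in early_frames(parse_log(SAMPLE_LOG)):
        print(f"{ts:.6f} early frame on {can_id:03X}: {data.hex()}")
```

Timing is only a heuristic: it works for IDs that are sent on a fixed period and says nothing about event-driven messages, so treat a flagged frame as a prompt to look closer rather than as proof of injection.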

Challenge: Interpret the Hex

  • Modify the hex sent to the arbitration ID 445. Can you find any patterns?
cansend can0 445#872c4763
cansend can0 445#872c4993
cansend can0 445#00000000
cansend can0 445#ffffffff
cansend can0 445#11111111

You can try to reverse engineer the codes.

Reflection

Which of the following concepts did this exercise involve? How?

  • Defense in Depth
  • Confidentiality
  • Integrity
  • Availability
  • Think Like an Adversary
  • Keep It Simple

Conclusion

With a bit of special hardware and some software tools, you can read and send CAN codes on a real computer network. These tools can be used to reverse engineer systems and to craft replay attacks that could cause harm.