Getting Started with Internet of Vehicles Security - CAN Simulation - Tutorial Boy -->

Getting Started with Internet of Vehicles Security - CAN Simulation

 

Introduction

Internet of Vehicles security is currently a popular development direction, but most people are stuck here because its entry threshold is too high (no real car). So I summed up the relevant information on the Internet and wrote this article so that students who study the security of the Internet of Vehicles can simulate what it feels like to control a car. This article uses Ubuntu to simulate the sending and receiving packets of the car CAN bus for operation. Learn, and then follow me step by step to open the door to the security of the Internet of Vehicles!

CAN

CAN bus, also known as Controller Area Network the abbreviation of CAN bus, is a feature-rich vehicle bus standard. It is designed to allow microcontrollers and instruments on the network to communicate with each other without the need for a host. It is based on a messaging protocol and was originally designed to use multiplexed communication cables in vehicles to reduce copper wire usage, and has since been adopted by other industries as well. Simply put, it is a communication protocol used to control vehicle functions, such as door unlocking, turn signals, brakes, accelerators, etc. Why use the CAN protocol? Simply put, it is cheap and easy to use.

CAN bus characteristics

Security:

CAN is a low-level protocol that does not support any inherent security features. There is also no encryption in standard CAN, which allows these network data to be intercepted. In most applications, applications need to deploy their own security mechanisms, such as authenticating incoming commands or the presence of certain devices on the network. Someone else could try to insert messages on the bus if proper security measures are not implemented. Although passwords exist for some safety-critical functions such as modifying firmware, programming keys, or controlling anti-lock brakes, these systems are not commonly implemented and the number of key pairs is limited.

Communication mechanism:

multi-master - that is, each node has the ability to access the bus.

Addressing mechanism:

Message distinction: No node address is set, and messages are distinguished by message identifiers.

Frame type:

a data frame, remote frame, error frame, overload frame, frame interval

Attack method:

  • Application packet fuzz testing
  • Dos attack test
  • Replay attack

Since the data packets on the CAN bus do not have any encryption, these data packets can be intercepted and eavesdropped. Since the vehicle network uses the CAN protocol for communication, we can think that the function of the Internet of Vehicles is also to send and exchange data through the CAN network. For example, if we turn on the left turn signal, the electrical signal will be sent to each device on the network through the CAN bus. Then the left turn signal will interpret the data packet and execute the instructions in the data packet.

Attack method

The CAN bus attack methods we wrote in the CAN bus characteristics above include application message fuzzy testing, Dos attack testing, replay attacks, etc. Next, let’s practice replay attacks. As the name implies, data packets can be intercepted and then resent cause The vehicle is under our control and not the owner of the vehicle.

Required Tools     

  • Kali Linux
  • ICSim (Dashboard Simulator)
  • Socketcand (CAN network)
  • Kayak (a CAN bus analysis tool based on SocketCAN)

ICSim is an open-source vehicle instrumentation simulator. The simulator contains two modules, controls and ICSim. The controls are responsible for generating simulated vehicle data, which are sent to the virtual CAN interface in the form of CAN messages, and ICSim reads from the virtual CAN interface. CAN message, and update the status of the corresponding parts on the instrument, such as vehicle speed, door status, etc.

Install Dependencies

sudo apt install libsdl2-dev libsdl2-image-dev can-utils maven autoconf

ICSIM 

git clone https://github.com/zombieCraig/ICSim.gitcd ICSim/
sudo make

Socketcand

git clone https://github.com/linux-can/socketcand.gitwget https://raw.githubusercontent.com/dschanoeh/socketcand/master/config.h.incd socketcand/
autoconf./configure
make cleanmakesudo make install


Kayak

git clone https://github.com/dschanoeh/Kayak.gitcd Kayak/ mvn clean package


At this point, all installation is complete.

Start Attacking

First set the vcan (virtual CAN) interface

sudo modprobe cansudo modprobe vcansudo ip link add dev vcan0 type vcansudo ip link set up vcan0


Open the Dashboard Simulator

./icsim vcan0


Open the dashboard controller

./controls vcan0


Controls

Function                 control button

turn signal         Keyboard left and right keys

speed                 Keyboard up and down keys

open the door         Right SHIFT key + A

close the car door Left SHIFT key + A

open all doors         Left SHIFT key + Right SHIFT key

close all doors         Right SHIFT key + Left SHIFT key


Use candump to capture packets

candump vcan0 -l



See the captured package, because the CAN is constantly communicating, the package will be very large.


Next, we find the data packets controlling the vehicle on the CAN network to attack him.

Listen to capture packets, then open and close all car doors.

More than 10,000 packages were caught.


Next, we use the dichotomy method to delete half at a time to find the package that closes the car door.

Finally, the package that opens all the doors is found by dichotomy:

(1668507963.222323) vcan0 19B#000000000000


Among them, 19B is the device identifier, look for 19B in the data packet.

grep 19B candump-2023-03-22_052559.log (1668507960.512530) vcan0 244#000000019B (1668507962.233563) vcan0 19B#00000F000000 (1668507963.222323) vcan0 19B#000000000000 (1668507963.517110) vcan0 244#000000019B (1668507964.208966) vcan0 19B#00000F000000 (1668507965.319056) vcan0 244#000000019B


We can see one of them 19B#00000F000000. If we get to 19B#000000000000open all the doors, then we also perform the operation of closing all the doors later. It can be guessed 19B#00000F000000that all the doors are closed.

As can be seen above, this data packet is controlled by the third byte.

(1668507962.233563) vcan0 19B#00000F000000(1668507963.222323) vcan0 19B#000000000000

The packet that locks all doors will represent the nibble as a hex F. Breaking this down into binary yields 16 possible combinations of gates.

binary hexadecimal

0000 0

0001 1

0010 2

0011 3

0100 4

0101 5

0110 6

0111 7

1000 8

1001 9

1010 a

1011 b

1100 c

1101 d

1110 e

1111 f

Try different car doors controlled by characters.


character car door

8 right rear door

4 left rear door

2 right front door

1 left front door

Suppose 1 is the action of locking the door and 0 is the action of unlocking the door. So when we identify our door, the identified door gets the command to lock it and the other doors get the command to unlock it. For example, the binary value of character 8 is 1000, so it means lock the door, open the door, open the door, open the door.

You can try to see if C has closed the two rear doors and opened the front two doors.


At this point, you can control the switch of each door. In the same way, steering and throttle are the same principles.

References