CANalyzat0r – Security Analysis Toolkit for Proprietary Car Protocols

While car manufacturers steadily refine and advance vehicle systems, requirements of the underlying networks increase even further.

Striving for smart cars, a fast-growing amount of components are interconnected within a single car. This results in specialized and often proprietary car protocols built based on standardized technology. Most of these protocols are based on bus protocols: All network nodes within such a bus network are connected using a single shared data link. This technology provides a feasible way of real time communication between several security and comfort systems. However, often no or insufficient authentication and encryption or other security mechanisms can be found in today’s car systems. As described previously, most of the interchanged data structures on a car network bus, including associated systems, are proprietary. For this reason, there’s a need for open source, extensible, easy to use and publicly available software to analyze the security state of such networks and protocols.

 

CAN bus

Starting from mid-1980, the CAN bus is being implemented into vehicles. Still to this day, many components and proprietary protocols rely on the CAN bus. While analyzing today’s car protocols, we focused on this technology – however, there exist multiple additional technologies like FlexRay and automotive Ethernet which will most likely gain an increased relevance and also need to be analyzed in the future.

CAN network packets are defined by the associated packet format, which looks as follows [1]:

 

• Arbitration ID: Describes the meaning of the data segments
• Control: Flags to manage packet transport
• Data: Payload of the packet with up to eight bytes of data
• CRC: Checksum

 

A general goal of analyzing car protocols is to reverse engineer the CAN matrix. This data structure maps CAN arbitration IDs and corresponding payloads to specific actions. An example for this is the identification of a CAN packet which controls the acceleration of a vehicle.

Depending on intended goals, the CAN bus can be accessed in two ways:

1. OBD-II interface: Since 2004, this diagnostic interface is mandatory for each car in the European Union. Most of the time, this port can be accessed from the driver’s seat. Inbound packets can and most likely will be filtered by the diagnostic gateway, so fuzzing from this interface can be of limited success rate.
2. Interacting with bus wires: It’s possible to directly splice analysis hardware into a CAN bus. This way, filtering can be circumvented and otherwise isolated bus segments can be analyzed.

 

Introducing the CANalyzat0r

This Python software project is built from scratch with new ideas for analysis mechanisms. It’s released on GitHub and bundles many features of other other CAN tools in one place. Also, it’s GUI based and organized with one tab per specific analysis task:

Most of the existing open source CAN analysis software makes use of SocketCAN. This consists of a bundle of kernel modules that abstract CAN communication in such a way that CAN interfaces can be used similarly to conventional network interfaces on the Linux operating system. So does CANalyzat0r, including many additional features:

• Manage interface configuration (automatically load kernel modules, manage physical and virtual SocketCAN devices)
• Multi interface support: Sniff while sending data on a separate SocketCAN interface
• Manage your work in projects. You can also import and export them in human readable/editable JSON format and track data using a version control system.
• Transparent logging
• Graphical sniffing
• Manage findings, dumps and known packets per project
• Add multiple analyzing threads on the GUI
• Ignore packets when sniffing – Automatically filter unique packets by ID or data and ID
• Compare dumps
• Allows setting up complex setups using only one window
• Clean organization in tabs for each analysis task
• Binary packet filtering with randomization
• Search for action specific packets using background noise filtering
• SQLite support
• Fuzz and change the values on the fly

 

Why another CAN tool?

• Built from scratch with new ideas for analysis mechanisms
• Bundles features of many other tools in one place
• Modular and extensible: Read the docs and implement your own analysis mechanisms
• Comfortable analysis using a GUI
• Manage work in separate projects using a database
• Documentation: Read the docs if you need a manual or technical info.