French researchers have built and soon will release a free homegrown tool that spots cybersecurity weaknesses in vehicles.
The concept for the so-called CANSPY auditing tool for cars evolved out of vulnerability assessment work that Jonathan-Christofer Demay and Arnaud Lebrun were doing for a major European carmaker, which they declined to identify. Demay and Lebrun in August will release the tool’s firmware as well as demonstrate CANSPY at Black Hat USA in Las Vegas.
Just like its name suggests, CANSPY is about testing for vulnerabilities in the vehicle’s Controller Area Network (CAN) bus, basically the car’s on-board, local communications network. While there are now a growing number of CAN bus tools available for vulnerability testing in cars, Demay says the difference with CANSPY is that it can intercept packets.
CANSPY is aimed at security researchers or security auditors, and requires physical access to a vehicle: it doesn’t perform remote hacks. “We’re on the CAN side. What if a CAN device is compromised, can it compromise other devices?” he says. CANSPY sits between those devices and performs a “man-in-the-middle” traffic capture and analysis, he says.
CANSPY can be configured with rules to stop, drop, or modify malicious or suspicious traffic on the CAN bus, he says. It sits on the CAN bus and is connected via the vehicle’s On-Board Diagnostics (OBD) II port.
“You can craft any type of attacks as long as you know how, [and] you can exploit any vulnerability that can be triggered over the CAN bus if you can get knowledge of its existence, and CANSPY will make you more efficient at doing all this,” says Demay, who is the penetration testing lead for Airbus Defence and Space. Lebrun is command and control engineer for Airbus.
Demay says CANSPY could also be converted to an intrusion prevention system (IPS)-type tool for a vehicle. “You can very easily turn it into an IPS, actually,” he says. “But you would need to write the rules” for dropping packets with certain characteristics, for instance, he says.
Demay and Lebrun in their “CANSPY: A Platform For Auditing CAN Devices” Black Hat session will conduct a demo that emulates electronic control units (ECUs) in the vehicle; they won’t be using an actual vehicle, but a tool simulating the car network, to show CANSPY in action.
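The kind of drop-or-modify rule set described above, as an added example (not CANSPY's firmware or rule format, which this article does not show): a first-match, default-deny filter applied to frames crossing between two bus segments. The `Frame` and `Rule` types, the "clamp" action, and every ID and payload are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Frame:
    can_id: int   # 11-bit standard identifier
    data: bytes   # 0 to 8 payload bytes

@dataclass(frozen=True)
class Rule:
    id_value: int
    id_mask: int                       # bits of can_id that must equal id_value
    action: str                        # "forward", "drop" or "clamp"
    byte_index: Optional[int] = None   # payload byte the rule inspects
    byte_max: Optional[int] = None     # highest value accepted for that byte

    def matches(self, f: Frame) -> bool:
        return (f.can_id & self.id_mask) == (self.id_value & self.id_mask)

def apply_rules(rules: Tuple[Rule, ...], f: Frame) -> Optional[Frame]:
    """Return the frame to relay to the other side, or None to drop it."""
    if f.can_id > 0x7FF or len(f.data) > 8:
        return None                    # malformed for classic CAN: never relay
    for r in rules:                    # first matching rule wins
        if not r.matches(f):
            continue
        if r.action == "drop":
            return None
        if r.action == "clamp":
            if r.byte_index >= len(f.data):
                return None            # too short to carry the inspected byte
            out = bytearray(f.data)
            out[r.byte_index] = min(out[r.byte_index], r.byte_max)
            return Frame(f.can_id, bytes(out))
        return f                       # "forward"
    return None                        # default deny: unknown IDs are not relayed

# Constructed rule set and traffic; the IDs and their meanings are invented.
RULES = (
    Rule(0x6F0, 0x7FF, "drop"),                               # one exact ID
    Rule(0x120, 0x7FF, "clamp", byte_index=0, byte_max=0x64),  # cap byte 0
    Rule(0x200, 0x7F0, "forward"),                            # range 0x200-0x20F
)
SAMPLE = [Frame(0x120, b"\xff\x00"), Frame(0x205, b"\x01"),
          Frame(0x6F0, b"\x02\x01\x0c"), Frame(0x3A0, b"\x00"), Frame(0x120, b"")]

def relay(frames):
    return [apply_rules(RULES, f) for f in frames]

if __name__ == "__main__":
    for before, after in zip(SAMPLE, relay(SAMPLE)):
        print(f"{before.can_id:03X} {before.data.hex()} -> "
              f"{'DROP' if after is None else after.data.hex()}")
```

Defaulting to drop makes the rule list an allowlist, so an ID nobody wrote a rule for is blocked rather than relayed.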
Their hope is that other car hackers will want to test-drive CANSPY. Their next step is creating more auditing scripts, and they’re looking for input from other researchers.
“It’s mostly made of cheap … off-the-shelf [hardware] so it will be easy to buy and build for everyone,” he says. The researchers’ tool is built on STMicroelectronics’ 32-bit ARM Cortex MCU.
Meanwhile, here’s a fun fact: CAN bus isn’t just for cars. “Some ground systems use PLCs and you can use the CAN bus to set up communications between them,” he says. It’s also used within satellites, he says, all mainly due to its reliability.