CAN Bus Hacking - The Modern Threat to Your Vehicle

If you’re a Criminal Minds fan, you’ll know this TV drama produces fictional and enticing crime episodes where police and FBI agents investigate unique crimes and their perpetrators. One recent episode, “Collision Course”, focused on a crime where a hacker targeted vehicles and took control of the vehicle’s controller area network, otherwise known as the CAN bus.

Throughout the episode, the perpetrator was able to control multiple parts of the targeted car by hacking into the vehicle’s dash cam to watch the road, and then were able to gain control over steering, brakes, and throttle remotely, all from the hacking the CAN bus. The hacker even put up a firewall to prevent others from stopping him.

While this television episode did include some "Hollywood" aspects to make it more entertaining, it does address the wider technological issue that faces our society, especially as we move towards a world of connected devices, automated cars, and the IoT. Is CAN bus hacking in vehicles a genuine concern? Why is it becoming such a big issue now, and what can consumers do to protect themselves and their families against the threat of a vehicle hack?

Let's try to unlock some of the answers by digging deeper into the realities of CAN Bus hacking.

selection of vehicles

CAN Bus Application in Vehicles

The term CAN is an abbreviation of Controller Area Network. CAN is a communication protocol, or a set of rules for communication between network devices, that is part of an automobile’s embedded system. CAN was first created by the company Bosch in the 1980s to help efficiently and safely control the numerous electronic devices used in a car at one time. This can include everything from power windows, brakes, power steering, radio systems, GPS, car mounts for phones, and more. CAN is known for its ability to operate multiple devices, or nodes, on the same bus without a centralized host computer. Each device is its own master and the devices work together using an arbitration process that relays messages and prioritizes those with immediate requirements.

The development of the CAN protocol did not begin until 1983, and the protocol itself was not released for use in vehicles until 1986. At this time, many of the functions of your typical consumer-class automobile were still mechanical, not controlled by a computer.  The CAN protocol allowed car manufacturers for the first time to expand the number of on-board microcontroller systems that could function in the vehicle and save money on copper wiring in the process.

CAN Bus Hacking can be a threat to any car within close proximity

Is CAN Bus Hacking a Genuine Threat to Consumers?

You might be wondering: Is CAN bus hacking something that Hollywood created to sell a TV series, or can people actually hack into cars without physically touching them? As it turns out, CAN bus hacking is a genuine threat that anyone interested in purchasing a self-driving car should be prepared to face. In 2015, as reported by Wired, Chrysler issued a recall on 1.4 million units of Jeep after a group of hackers demonstrated how they accessed a Jeep's digital systems using a laptop and the internet. Hackers can also use the vehicle on-board diagnostics, or OBD port, as an entry point to facilitate a hack.

With recent advances in the automotive industry, it’s very common for car makers to incorporate wireless systems in their vehicles. These can range from bluetooth connectivity features that allow users to interface their mobile phones with the vehicle for functions like making calls or playing music, to Wi-Fi enabled IoT components for self-driving cars. When on-board systems with microcontrollers that access the CAN bus are also capable of Wi-Fi connectivity, it becomes possible for hackers to gain entry to the CAN system and disrupt vehicle systems.

Connected Systems Expose Vehicles to CAN Bus Hacking

The cars that are progressively adopting a wireless set up are considered to be part of the “Internet of Things” (IoT), or as the Washington Post article, “Hacks on the Highway” calls it, “Internet of Targets”. The article comments, “cars sold today are computers on wheels, with dozens of embedded chips running millions of lines of code.” Car makers are essentially turning the modern automobile into a smartphone. Many cars provide entertainment and navigation systems, and even allow phone calls to be taken using Bluetooth.  Wi-Fi hot spots in vehicles are becoming increasingly popular as well. This allows people who know the car’s IP address to track them from anywhere in the world. Once hackers get inside, it’s possible for them to rewrite firmware and take control.

A car dashboard can be a possible entry way for CAN Bus Hacking

Bluetooth systems in vehicles can be accessed externally by hacker devices and contain data that could be exposed by CAN bus hacking. A bluetooth-enabled GPS like the one pictured here may contain data about your travel history or other identifying information.

How Can Consumers Protect Themselves from CAN Bus Hacking?

If you're a consumer that wants to protect your vehicle from CAN bus hacking, the best thing you can do is limit access to the vehicle by ensuring that you store it in a private garage away from public view.

For developers of on-board systems for vehicles, however, there is plenty of additional work to be done when it comes to preventing car vulnerabilities in CAN bus hacking. For starters, car manufacturers can begin to separate the systems in vehicles onto different networks. This helps to ensure that an exposed vulnerability does not grant the hacker access to all of the vehicle's systems right away. Manufacturers can also introduce features like automatic software security updates, taking advantage of Wi-Fi and connected capabilities in vehicles to enhance their security on an ongoing basis and as new vulnerabilities are discovered.

Just like some technology companies have offered special bounties or rewards to hackers that can penetrate their security systems, car manufacturers could establish bounties for successful car hacks, challenging benevolent security experts to expose flaws in vehicle security for a reward. Manufacturers should also make it easier for researchers to report vulnerabilities that they discover.

Finally, car manufacturers should begin exploring encryption methods that can help encode and secure data that is transmitted on the CAN network. In the past this would have been unnecessary, but today's connected vehicles are simply too accessible to be operated without any kind of encryption security.

A Final Word

Car manufacturers are now fully aware that CAN bus hacking is a real possibility, and some plan to manufacture cars to make them incapable of being hacked. The good news is with the promise of self-driving cars about to become a reality, top car manufacturers are already collaborating with major technology companies that are poised to solve the security problems we're seeing in the world of vehicle electronics.

Still, other manufacturers are questioning the cost-to-benefit ratio associated with developing advanced security systems for vehicular applications.  These days, cybersecurity is everywhere, but for vehicles to have a similar shield of protection as phones and computers, it will be years before we catch up to speed.

Total Phase offers a variety of CAN tools for debugging and monitoring CAN systems.  Learn more about the CAN tools offered by Total Phase here.

Have specific questions? Contact sales@totalphase.com for details about Komodo CAN Interfaces and other Total Phase products. You can also request a demo that applies to your application.

Request a Demo