Automated Reverse Engineering and Attack for CAN Using OBD-II

Tae Un Kang, Hyun Min Song, Seonghoon Jeong, Huy Kang Kim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Controller area network (CAN) is one of the most popular in-vehicle networks. CAN allows electronic control units (ECUs) to communicate with each other. ECUs control various functions of vehicle systems, such as engine and transmission control. Therefore, CAN and ECUs are high-priority targets for hackers. If the CAN and the connected components are attacked, the vehicle may suffer serious malfunctions and fatal accidents. However, it is hard for hackers to find out the exact CAN messages to send to control the vehicle as intended. Likewise, vehicle security researchers have the same problem as attackers of finding out the exact meaning of CAN messages in order to detect sophisticated attacks. It is relatively easy to detect simple attack patterns such as a denial of service (DoS) attack. However, because CAN specification information is private to car OEMs, revealing the exact meaning of CAN messages requires analyzing the messages with reverse engineering techniques, which is a time-consuming and laborious task. To solve this problem, we developed the Automated CAN Analyzer (ACA). The ACA has automated reverse engineering functions that help to analyze the relationship between the response data from a diagnostic query of on-board diagnostics II (OBD-II) and the related CAN traffic data. Furthermore, it supports an automated attack function that can inject fake messages into the CAN bus based on pre-analyzed CAN message information. Researchers can easily confirm whether the reverse engineering results are correct through the provided automated attack function. As a result, the ACA could lower the barriers to entry to in-vehicle network research. To evaluate the ACA, we applied our approach to two real vehicles, a Hyundai YF Sonata (2010 model) and a KIA Soul (2014 model). In this paper, we were able to find out the meaning of CAN messages on both vehicles with the help of the ACA. Additionally, since modern vehicles are all equipped with OBD-II, our approach can be applied widely to most vehicles.

Original language: English
Title of host publication: 2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781538663585
DOI: https://doi.org/10.1109/VTCFall.2018.8690781
Publication status: Published - 2019 Apr 12
Event: 88th IEEE Vehicular Technology Conference, VTC-Fall 2018 - Chicago, United States
Duration: 2018 Aug 27 → 2018 Aug 30

Publication series

Name: IEEE Vehicular Technology Conference
Volume: 2018-August
ISSN (Print): 1550-2252

Conference

Conference: 88th IEEE Vehicular Technology Conference, VTC-Fall 2018
Country: United States
City: Chicago
Period: 18/8/27 → 18/8/30

Keywords

  • CAN
  • In-Vehicle Network Analysis
  • Reverse Engineering
  • Vehicle Security

ASJC Scopus subject areas

  • Computer Science Applications
  • Electrical and Electronic Engineering
  • Applied Mathematics

Cite this

Kang, T. U., Song, H. M., Jeong, S., & Kim, H. K. (2019). Automated Reverse Engineering and Attack for CAN Using OBD-II. In 2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings [8690781] (IEEE Vehicular Technology Conference; Vol. 2018-August). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/VTCFall.2018.8690781
