Automated Reverse Engineering and Attack for CAN Using OBD-II

Tae Un Kang, Hyun Min Song, Seonghoon Jeong, Huy Kang Kim

Research output: Chapter in Book/Report/Conference proceedingConference contribution

19 Citations (Scopus)


Controller area network (CAN) is one of the most popular in-vehicle networks. CAN allows electronic control units (ECUs) to communicate with each other. ECUs control various function of vehicle systems such as engine and transmission control. Therefore, CAN and ECUs are the high priority targets by hackers. If the CAN and the connected components are attacked, the vehicle may cause serious malfunction and fatal accidents. However, it is hard to find out the exact CAN messages to send and control the vehicle as intended by hackers. Likewise, vehicle security researchers have the same problem to find out the exact meaning of CAN messages to detect sophisticated attacks as well as attackers. It is relatively easy to detect the simple pattern of attacks such as denial of service (DoS) attack. However, CAN specification information is private information of car OEMs, to reveal the exact meaning of CAN messages, we need to analyze the messages by reverse engineering techniques, which is time-consuming and laborious tasks. To solve this problem, we developed the Automated CAN Analyzer (ACA). The ACA has automated reverse engineering functions which can help to analyze the relationship between the response data from a diagnostic query of on-board diagnostics II (OBD-II) and the related CAN traffic data. Furthermore, it supports the automated attack function that can inject fake messages into CAN bus based on pre-analyzed CAN message information. Researchers can easily confirm whether the reverse engineering results are correctly working or not through the provided automated attack function. As a result, the ACA could lower the barriers to entry to in-vehicle network research. To evaluate the ACA, we applied our approach to two real vehicles, Hyundai YF Sonata (2010 model) and KIA Soul (2014 model). In this paper, we can find out the meaning of CAN messages on both vehicles with the help of the ACA. Additionally, since modern vehicles are all equipped with OBD-II, our approach can be applied to most vehicle widely.

Original languageEnglish
Title of host publication2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings
PublisherInstitute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)9781538663585
Publication statusPublished - 2018 Jul 2
Event88th IEEE Vehicular Technology Conference, VTC-Fall 2018 - Chicago, United States
Duration: 2018 Aug 272018 Aug 30

Publication series

NameIEEE Vehicular Technology Conference
ISSN (Print)1550-2252


Conference88th IEEE Vehicular Technology Conference, VTC-Fall 2018
Country/TerritoryUnited States


  • CAN
  • In-Vehicle Network Analysis
  • Reverse Engineering
  • Vehicle Security

ASJC Scopus subject areas

  • Computer Science Applications
  • Electrical and Electronic Engineering
  • Applied Mathematics


Dive into the research topics of 'Automated Reverse Engineering and Attack for CAN Using OBD-II'. Together they form a unique fingerprint.

Cite this