Automated Reverse Engineering and Attack for CAN Using OBD-II

Tae Un Kang; Hyun Min Song; Seonghoon Jeong; Huy Kang Kim

doi:10.1109/VTCFall.2018.8690781

Automated Reverse Engineering and Attack for CAN Using OBD-II

Tae Un Kang
, Hyun Min Song
, Seonghoon Jeong
, Huy Kang Kim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

38 Citations (Scopus)

Abstract

Controller area network (CAN) is one of the most popular in-vehicle networks. CAN allows electronic control units (ECUs) to communicate with each other. ECUs control various function of vehicle systems such as engine and transmission control. Therefore, CAN and ECUs are the high priority targets by hackers. If the CAN and the connected components are attacked, the vehicle may cause serious malfunction and fatal accidents. However, it is hard to find out the exact CAN messages to send and control the vehicle as intended by hackers. Likewise, vehicle security researchers have the same problem to find out the exact meaning of CAN messages to detect sophisticated attacks as well as attackers. It is relatively easy to detect the simple pattern of attacks such as denial of service (DoS) attack. However, CAN specification information is private information of car OEMs, to reveal the exact meaning of CAN messages, we need to analyze the messages by reverse engineering techniques, which is time-consuming and laborious tasks. To solve this problem, we developed the Automated CAN Analyzer (ACA). The ACA has automated reverse engineering functions which can help to analyze the relationship between the response data from a diagnostic query of on-board diagnostics II (OBD-II) and the related CAN traffic data. Furthermore, it supports the automated attack function that can inject fake messages into CAN bus based on pre-analyzed CAN message information. Researchers can easily confirm whether the reverse engineering results are correctly working or not through the provided automated attack function. As a result, the ACA could lower the barriers to entry to in-vehicle network research. To evaluate the ACA, we applied our approach to two real vehicles, Hyundai YF Sonata (2010 model) and KIA Soul (2014 model). In this paper, we can find out the meaning of CAN messages on both vehicles with the help of the ACA. Additionally, since modern vehicles are all equipped with OBD-II, our approach can be applied to most vehicle widely.

Original language	English
Title of host publication	2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781538663585
DOIs	https://doi.org/10.1109/VTCFall.2018.8690781
Publication status	Published - 2018 Jul 2
Event	88th IEEE Vehicular Technology Conference, VTC-Fall 2018 - Chicago, United States Duration: 2018 Aug 27 → 2018 Aug 30

Publication series

Name	IEEE Vehicular Technology Conference
Volume	2018-August
ISSN (Print)	1550-2252

Conference

Conference	88th IEEE Vehicular Technology Conference, VTC-Fall 2018
Country/Territory	United States
City	Chicago
Period	18/8/27 → 18/8/30

Bibliographical note

Funding Information:
This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(MSIT) (No. R7117-16-0161, Anomaly Detection Framework for Autonomous Vehicles)

Publisher Copyright:
© 2018 IEEE.

Keywords

CAN
In-Vehicle Network Analysis
Reverse Engineering
Vehicle Security

ASJC Scopus subject areas

Computer Science Applications
Electrical and Electronic Engineering
Applied Mathematics

Access to Document

10.1109/VTCFall.2018.8690781

Cite this

Kang, T. U., Song, H. M., Jeong, S., & Kim, H. K. (2018). Automated Reverse Engineering and Attack for CAN Using OBD-II. In 2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings Article 8690781 (IEEE Vehicular Technology Conference; Vol. 2018-August). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/VTCFall.2018.8690781

Automated Reverse Engineering and Attack for CAN Using OBD-II. / Kang, Tae Un; Song, Hyun Min; Jeong, Seonghoon et al.
2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2018. 8690781 (IEEE Vehicular Technology Conference; Vol. 2018-August).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kang, TU, Song, HM, Jeong, S & Kim, HK 2018, Automated Reverse Engineering and Attack for CAN Using OBD-II. in 2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings., 8690781, IEEE Vehicular Technology Conference, vol. 2018-August, Institute of Electrical and Electronics Engineers Inc., 88th IEEE Vehicular Technology Conference, VTC-Fall 2018, Chicago, United States, 18/8/27. https://doi.org/10.1109/VTCFall.2018.8690781

@inproceedings{ad5ae0088256451ea02e8a25f2a937a8,

title = "Automated Reverse Engineering and Attack for CAN Using OBD-II",

abstract = "Controller area network (CAN) is one of the most popular in-vehicle networks. CAN allows electronic control units (ECUs) to communicate with each other. ECUs control various function of vehicle systems such as engine and transmission control. Therefore, CAN and ECUs are the high priority targets by hackers. If the CAN and the connected components are attacked, the vehicle may cause serious malfunction and fatal accidents. However, it is hard to find out the exact CAN messages to send and control the vehicle as intended by hackers. Likewise, vehicle security researchers have the same problem to find out the exact meaning of CAN messages to detect sophisticated attacks as well as attackers. It is relatively easy to detect the simple pattern of attacks such as denial of service (DoS) attack. However, CAN specification information is private information of car OEMs, to reveal the exact meaning of CAN messages, we need to analyze the messages by reverse engineering techniques, which is time-consuming and laborious tasks. To solve this problem, we developed the Automated CAN Analyzer (ACA). The ACA has automated reverse engineering functions which can help to analyze the relationship between the response data from a diagnostic query of on-board diagnostics II (OBD-II) and the related CAN traffic data. Furthermore, it supports the automated attack function that can inject fake messages into CAN bus based on pre-analyzed CAN message information. Researchers can easily confirm whether the reverse engineering results are correctly working or not through the provided automated attack function. As a result, the ACA could lower the barriers to entry to in-vehicle network research. To evaluate the ACA, we applied our approach to two real vehicles, Hyundai YF Sonata (2010 model) and KIA Soul (2014 model). In this paper, we can find out the meaning of CAN messages on both vehicles with the help of the ACA. Additionally, since modern vehicles are all equipped with OBD-II, our approach can be applied to most vehicle widely.",

keywords = "CAN, In-Vehicle Network Analysis, Reverse Engineering, Vehicle Security",

author = "Kang, \{Tae Un\} and Song, \{Hyun Min\} and Seonghoon Jeong and Kim, \{Huy Kang\}",

note = "Funding Information: This work was supported by Institute for Information \& communications Technology Promotion(IITP) grant funded by the Korea government(MSIT) (No. R7117-16-0161, Anomaly Detection Framework for Autonomous Vehicles) Publisher Copyright: {\textcopyright} 2018 IEEE.; 88th IEEE Vehicular Technology Conference, VTC-Fall 2018 ; Conference date: 27-08-2018 Through 30-08-2018",

year = "2018",

month = jul,

day = "2",

doi = "10.1109/VTCFall.2018.8690781",

language = "English",

series = "IEEE Vehicular Technology Conference",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings",

}

TY - GEN

T1 - Automated Reverse Engineering and Attack for CAN Using OBD-II

AU - Kang, Tae Un

AU - Song, Hyun Min

AU - Jeong, Seonghoon

AU - Kim, Huy Kang

N1 - Funding Information: This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(MSIT) (No. R7117-16-0161, Anomaly Detection Framework for Autonomous Vehicles) Publisher Copyright: © 2018 IEEE.

PY - 2018/7/2

Y1 - 2018/7/2

N2 - Controller area network (CAN) is one of the most popular in-vehicle networks. CAN allows electronic control units (ECUs) to communicate with each other. ECUs control various function of vehicle systems such as engine and transmission control. Therefore, CAN and ECUs are the high priority targets by hackers. If the CAN and the connected components are attacked, the vehicle may cause serious malfunction and fatal accidents. However, it is hard to find out the exact CAN messages to send and control the vehicle as intended by hackers. Likewise, vehicle security researchers have the same problem to find out the exact meaning of CAN messages to detect sophisticated attacks as well as attackers. It is relatively easy to detect the simple pattern of attacks such as denial of service (DoS) attack. However, CAN specification information is private information of car OEMs, to reveal the exact meaning of CAN messages, we need to analyze the messages by reverse engineering techniques, which is time-consuming and laborious tasks. To solve this problem, we developed the Automated CAN Analyzer (ACA). The ACA has automated reverse engineering functions which can help to analyze the relationship between the response data from a diagnostic query of on-board diagnostics II (OBD-II) and the related CAN traffic data. Furthermore, it supports the automated attack function that can inject fake messages into CAN bus based on pre-analyzed CAN message information. Researchers can easily confirm whether the reverse engineering results are correctly working or not through the provided automated attack function. As a result, the ACA could lower the barriers to entry to in-vehicle network research. To evaluate the ACA, we applied our approach to two real vehicles, Hyundai YF Sonata (2010 model) and KIA Soul (2014 model). In this paper, we can find out the meaning of CAN messages on both vehicles with the help of the ACA. Additionally, since modern vehicles are all equipped with OBD-II, our approach can be applied to most vehicle widely.

AB - Controller area network (CAN) is one of the most popular in-vehicle networks. CAN allows electronic control units (ECUs) to communicate with each other. ECUs control various function of vehicle systems such as engine and transmission control. Therefore, CAN and ECUs are the high priority targets by hackers. If the CAN and the connected components are attacked, the vehicle may cause serious malfunction and fatal accidents. However, it is hard to find out the exact CAN messages to send and control the vehicle as intended by hackers. Likewise, vehicle security researchers have the same problem to find out the exact meaning of CAN messages to detect sophisticated attacks as well as attackers. It is relatively easy to detect the simple pattern of attacks such as denial of service (DoS) attack. However, CAN specification information is private information of car OEMs, to reveal the exact meaning of CAN messages, we need to analyze the messages by reverse engineering techniques, which is time-consuming and laborious tasks. To solve this problem, we developed the Automated CAN Analyzer (ACA). The ACA has automated reverse engineering functions which can help to analyze the relationship between the response data from a diagnostic query of on-board diagnostics II (OBD-II) and the related CAN traffic data. Furthermore, it supports the automated attack function that can inject fake messages into CAN bus based on pre-analyzed CAN message information. Researchers can easily confirm whether the reverse engineering results are correctly working or not through the provided automated attack function. As a result, the ACA could lower the barriers to entry to in-vehicle network research. To evaluate the ACA, we applied our approach to two real vehicles, Hyundai YF Sonata (2010 model) and KIA Soul (2014 model). In this paper, we can find out the meaning of CAN messages on both vehicles with the help of the ACA. Additionally, since modern vehicles are all equipped with OBD-II, our approach can be applied to most vehicle widely.

KW - CAN

KW - In-Vehicle Network Analysis

KW - Reverse Engineering

KW - Vehicle Security

UR - https://www.scopus.com/pages/publications/85064907638

U2 - 10.1109/VTCFall.2018.8690781

DO - 10.1109/VTCFall.2018.8690781

M3 - Conference contribution

AN - SCOPUS:85064907638

T3 - IEEE Vehicular Technology Conference

BT - 2018 IEEE 88th Vehicular Technology Conference, VTC-Fall 2018 - Proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 88th IEEE Vehicular Technology Conference, VTC-Fall 2018

Y2 - 27 August 2018 through 30 August 2018

ER -

Automated Reverse Engineering and Attack for CAN Using OBD-II

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this