CAN Injection - Basic Safety Message
Overview of the Vulnerability
The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended.
Business Impact
This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact on customers’ trust in the security and safety of the automotive vehicle.
Steps to Reproduce
The CAN input is identified by using {{hardware}} on {{target}}
Connect to {{target}} by using {{application}} with {{hardware}}
Inject the following CAN message payload:
{{payload}}
Observe that {{action}} occurs as a result
Proof of Concept (PoC)
The image(s) below demonstrate the process by which an attacker identifies where the CAN communication occurs. They also show how an attacker connects to the {{target}} and is able to inject the payload(s):
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. For a CAN misconfiguration vulnerability, please include detailed instructions that can be followed to easily demonstrate and reproduce the issue.
Attempt to completely stop the vehicle from functioning through the CAN system. If this is possible, provide a full Proof of Concept (PoC) here.
Recommendation(s)
There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent these misconfigurations and limit their impact. Some best practices include the following:
Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.
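One way to support the audits recommended above, as an added example that is not part of the original template: a check of a captured bus log against the message schedule the vehicle's configuration is expected to produce, flagging arbitration IDs that should not appear and frames that arrive faster than their configured period. The schedule, tolerance, and log lines (candump -L style) are constructed for illustration.

```python
import re

# Hypothetical expected schedule: arbitration ID -> nominal period in seconds.
EXPECTED_PERIOD = {0x0C4: 0.010, 0x1A0: 0.020, 0x3E8: 0.100}
TOLERANCE = 0.5  # flag frames arriving sooner than 50% of the nominal period

# candump -L style line: "(timestamp) interface ID#DATA" (data frames only).
LINE_RE = re.compile(
    r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]{3,8})#((?:[0-9A-Fa-f]{2}){0,8})$")

# Constructed sample capture; lines 4 and 7 are the anomalies.
SAMPLE_LOG = [
    "(100.000000) can0 0C4#0000000000000000",
    "(100.000000) can0 1A0#11223344",
    "(100.010000) can0 0C4#0000000000000000",
    "(100.012000) can0 0C4#FFFFFFFFFFFFFFFF",
    "(100.020000) can0 0C4#0000000000000000",
    "(100.020000) can0 1A0#11223344",
    "(100.021000) can0 7DF#0201000000000000",
]

def parse_line(line):
    """Return (timestamp, interface, can_id, data) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, iface, can_id, data = m.groups()
    return float(ts), iface, int(can_id, 16), bytes.fromhex(data)

def audit(lines, expected=EXPECTED_PERIOD, tolerance=TOLERANCE):
    """Return (line_number, can_id, reason) for every frame off schedule."""
    last_seen, findings = {}, []
    for n, line in enumerate(lines, 1):
        frame = parse_line(line)
        if frame is None:
            continue  # malformed or non-data line; not assessed here
        ts, _iface, can_id, _data = frame
        if can_id not in expected:
            findings.append((n, can_id, "unexpected-id"))
            continue
        prev = last_seen.get(can_id)
        if prev is not None and ts - prev < expected[can_id] * tolerance:
            findings.append((n, can_id, "too-frequent"))
        last_seen[can_id] = ts
    return findings

if __name__ == "__main__":
    for n, can_id, reason in audit(SAMPLE_LOG):
        print(f"line {n}: ID 0x{can_id:03X} {reason}")
```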