Welcome back, my aspiring automobile cyber warriors!
In part 1 of the series on the ICS simulator, we installed the can-utils and the ICS simulator instrument panel and controls. In this tutorial, we will use the can-utils (the SocketCAN user-space tools) to view and analyze the CAN traffic.
As you remember from my Automobile Hacking, Part 2 tutorial, can-utils contains the following utilities:
1. Basic tools to display, record, generate and replay CAN traffic
candump : display, filter and log CAN data to files
canplayer : replay CAN logfiles
cansend : send a single frame
cangen : generate (random) CAN traffic
cansniffer : display CAN data content differences (just 11bit CAN IDs)
2. CAN access via IP sockets
canlogserver : log CAN frames from a remote/local host
bcmserver : interactive BCM configuration (remote/local)
socketcand : use RAW/BCM/ISO-TP sockets via TCP/IP sockets
3. CAN in-kernel gateway configuration
cangw : CAN gateway userspace tool for netlink configuration
4. CAN bus measurement and testing
canbusload : calculate and display the CAN busload
can-calc-bit-timing : userspace version of in-kernel bitrate calculation
canfdtest : Full-duplex test program (DUT and host part)
In this tutorial, we will focus on:
1. cansniffer
2. candump
3. canplayer
4. cansend
Step #1: Start the cansniffer
Let's begin by sniffing the CAN traffic using cansniffer. With this utility you must specify the interface (vcan0, in our case), and if you want to see colorized output, use the -c option.
kali > cansniffer -c vcan0
As soon as you enter this command, you should begin to see the CAN network traffic displayed in your terminal similar to the screenshot below.
When we use the -c option, the values that are changing turn red to help us identify these key values.
Step #2: Use cansniffer to Filter for Specific Traffic
Rather than watch all the traffic go past our terminal, we can filter traffic similarly to the more widely used sniffer, Wireshark.
Let's look at the help screen in cansniffer to learn to do so.
kali > cansniffer -h
Then, if we only wanted to see traffic from ID=161, we could enter:
kali > cansniffer -c vcan0
Once the sniffer has started, we can then enter:
-000000
+161
It's important to note that when you enter the above commands, they will not appear on the screen. Once you have entered the ID number, the sniffer will begin to filter out all traffic except frames with ID=161.
As you can see in the screenshot above, cansniffer now displays just the data for ID=161.
Step #3: Using candump to Capture CAN Traffic
While the cansniffer is capable of sniffing traffic on the CAN network similarly to Wireshark, the candump utility in can-utils is capable of capturing CAN traffic and storing it into a file for analysis or replay at a later time.
To do so, we need only use the -l option to log and the -c option to colorize the output.
kali > candump -c -l vcan0
If we want to log AND view the output, we can use the -s 0 option (silent mode 0). In addition, if we want the output to be converted from hex to ASCII (human readable), we can add the -a (ASCII) option. The following command starts candump in colorize mode, with ASCII output, storing the data into a log file and simultaneously sending it to the terminal (stdout).
kali > candump -c -l -s 0 -a vcan0
Step #4: Using canplayer
We also have another key CAN network tool, canplayer. This tool enables us to "play" the output from candump. So, we could capture the data from the CAN network and then replay it on the network. We only need to use the -I option followed by the name of the log file from candump.
kali > canplayer -I candump-xxxxxxxxxxx.log
Step #5: Using cansend to Send Custom Frames
Finally, we have the cansend tool. This tool enables us to replay a specific frame or to send a custom crafted CAN frame. If we want to resend the single frame we isolated above with ID=161, we do so by entering:
kali > cansend vcan0 161#000005500108000d
Where:
vcan0 is the interface
161# is the frame ID
000005500108000d is the 8 data bytes we want to send (hex)
Now, when we hit enter, the custom CAN frame will be sent over the network. I hope it is obvious that when we reverse engineer the network, this is the command we will use to initiate the actions we desire on the CAN network, such as accelerate, open the door, initiate brakes, etc.
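As an added example (not part of the original tutorial), the Python script below parses candump log lines in the "(timestamp) interface ID#DATA" format that candump -l writes, applies the same ID=161 filter we set in cansniffer, and reports which data bytes changed between successive frames of that ID, which is exactly what cansniffer's -c option highlights in red. The log lines are constructed for the example, not captured from a real bus, and the script handles classic CAN frames (up to 8 data bytes) only.

```python
import re

# Constructed sample log in the format written by `candump -l vcan0`
# (not captured from a real vehicle or the ICS simulator).
SAMPLE_LOG = """\
(1600000000.000100) vcan0 161#000005500108000D
(1600000000.000200) vcan0 244#000000018800
(1600000000.010300) vcan0 161#000005500108000D
(1600000000.020400) vcan0 161#000005510108000D
(1600000000.030500) vcan0 244#000000018900
(1600000000.040600) vcan0 161#000005520308000D
"""

# One candump log line: "(secs.usecs) iface HEXID#HEXDATA"
LOG_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_frame(line):
    """Parse one candump log line into (timestamp, interface, can_id, data bytes)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump log line: {line!r}")
    data_hex = m.group("data")
    if len(data_hex) % 2 or len(data_hex) > 16:  # classic CAN: 0..8 data bytes
        raise ValueError(f"bad data field: {data_hex!r}")
    return float(m.group("ts")), m.group("iface"), int(m.group("id"), 16), bytes.fromhex(data_hex)


def changed_bytes(log_text, can_id):
    """Mimic cansniffer's ID filter plus -c highlighting: for every frame carrying
    can_id, return the offsets of data bytes that differ from the previous frame
    with the same ID (an empty tuple means nothing changed)."""
    last, result = None, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, cid, data = parse_frame(line)
        if cid != can_id:  # same effect as entering '-000000' then '+161'
            continue
        result.append(() if last is None else
                      tuple(i for i, (a, b) in enumerate(zip(last, data)) if a != b))
        last = data
    return result


def to_cansend(can_id, data):
    """Format a frame in the ID#DATA notation cansend expects, e.g. 161#000005500108000D."""
    return f"{can_id:03X}#{data.hex().upper()}"
```

Running changed_bytes(SAMPLE_LOG, 0x161) on the sample shows byte 3 changing in the third frame and bytes 3 and 4 in the fourth, the same bytes cansniffer would paint red.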
Summary
Now that we have installed the ICS Simulator and understand the basics of the key can-utils tools, we can now begin to use these tools to reverse engineer the CAN bus on our ICS Simulator and take control of the vehicle!