Topic: A naive question about automotive CANbus sniffing and spoofing


mark03 (Topic starter)
Some background:  My wife and I are in the market for a car, possibly a Subaru Outback.  We'd be happy buying used, especially if we could obtain one of the elusive manual transmissions which are very hard to find now in the US.  But the used market is still weird, and buying new may be a better value.  We've test-driven the 2024 Outback and mostly like it, but the "infotainment" system is a potential show-stopper for us.  Subaru have moved to an 11" touchscreen with fairly limited tactile controls.  In particular, most of the climate controls are touchscreen only.

Apart from the obvious stupidity of driver-operated touchscreen controls, we both feel like the infotainment could be an expensive time bomb.  We try to drive our cars into the ground, at least 300,000 km and hopefully longer.  What happens 15-20 years down the road when something in the infotainment gives out?  We can live without a radio, but not without heat/AC.  This touchscreen madness is infecting multiple car brands and increasingly hard to avoid.

Thus my CANbus question.  I have plenty of experience in embedded HW/SW development but I haven't yet played with CAN.  How feasible is it to set up a sniffer, eavesdrop on the bus while changing controls like the vent configuration, and pick out the corresponding CAN ID and message?  Then, in the doomsday scenario of an uneconomical infotainment repair, just replace the stupid thing with a 3D-printed panel and some knobs connected to my own STM32 board which sends the appropriate CAN messages?

I'm hoping somebody with actual experience playing with this stuff can point out the flaws in my plan, possible roadblocks, etc.  I don't see aftermarket controls for modern cars, so either I'm not looking hard enough or it's more difficult to reverse engineer and spoof them than I thought.

Mark
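Mark's plan above (sniff the bus, toggle one control, pick out the ID and bytes that changed) is what a first pass at CAN reverse engineering looks like in practice. The block below is an added example, not code from this thread or from any tool mentioned in it: it parses candump-style log lines from two constructed captures (one taken at rest, one taken while a control is toggled), labels every byte of every ID as constant, counter or varying, and reports bytes that were constant at rest and took a new value during the action. The IDs, payloads and the SocketCAN interface name can0 are invented for illustration. It deliberately does not answer the two questions the replies below raise: whether the bus carrying those frames is reachable from the point where you tap, and whether the receiving module accepts a frame that does not come from the original sender.

```python
"""Differential CAN capture analysis: which ID and byte changed when a control was toggled?

Input is candump -l style text: "(timestamp) iface ID#HEXDATA", one frame per line.
"""
import re
from collections import defaultdict

FRAME_RE = re.compile(
    r"\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)

# Constructed captures (hypothetical IDs and payloads, not from any real car).
# 0x280 carries a rolling counter in byte 7, 0x3C2 byte 3 jitters like a sensor,
# 0x340 is constant at rest and its byte 2 goes from 0x01 to 0x04 during the action.
BASELINE = """\
(1714600000.000) can0 280#0000000000000000
(1714600000.010) can0 340#0300010000000000
(1714600000.020) can0 3C2#1A2B3C4D00000000
(1714600000.100) can0 280#0000000000000001
(1714600000.110) can0 340#0300010000000000
(1714600000.120) can0 3C2#1A2B3C4E00000000
(1714600000.200) can0 280#0000000000000002
(1714600000.210) can0 340#0300010000000000
(1714600000.220) can0 3C2#1A2B3C4D00000000
"""
ACTION = """\
(1714600005.000) can0 280#0000000000000003
(1714600005.010) can0 340#0300040000000000
(1714600005.020) can0 3C2#1A2B3C4F00000000
(1714600005.100) can0 280#0000000000000004
(1714600005.110) can0 340#0300040000000000
"""


def parse_candump(text: str) -> list[tuple[float, int, bytes]]:
    """Return (timestamp, arbitration id, payload) for every well-formed line; skip the rest."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def _is_counter(seq: list[int]) -> bool:
    """True if consecutive values step by exactly 1 (mod 256), or by 1 in the low nibble
    with an unchanged high nibble (the common 4-bit rolling counter)."""
    pairs = list(zip(seq, seq[1:]))
    return bool(pairs) and (
        all((b - a) % 256 == 1 for a, b in pairs)
        or all(((b & 0xF) - (a & 0xF)) % 16 == 1 and (b >> 4) == (a >> 4) for a, b in pairs)
    )


def classify_bytes(frames) -> dict[tuple[int, int], str]:
    """Label each (id, byte index) as 'constant', 'counter' or 'varying' within one capture."""
    by_id = defaultdict(list)
    for _, cid, data in frames:
        by_id[cid].append(data)
    labels = {}
    for cid, payloads in by_id.items():
        for i in range(min(len(p) for p in payloads)):
            seq = [p[i] for p in payloads]
            if len(set(seq)) == 1:
                labels[(cid, i)] = "constant"
            elif _is_counter(seq):
                labels[(cid, i)] = "counter"
            else:
                labels[(cid, i)] = "varying"
    return labels


def find_candidates(baseline, action) -> list[tuple[int, int, int, list[int]]]:
    """Bytes that were constant at rest and took a new value during the action:
    (id, byte index, resting value, sorted new values). Counter and sensor-like bytes
    are excluded because they change with or without the button press."""
    labels = classify_bytes(baseline)
    rest = {}
    for _, cid, data in baseline:
        for i, b in enumerate(data):
            rest.setdefault((cid, i), b)
    new_vals = defaultdict(set)
    for _, cid, data in action:
        for i, b in enumerate(data):
            key = (cid, i)
            if labels.get(key) == "constant" and b != rest[key]:
                new_vals[key].add(b)
    return [(cid, i, rest[(cid, i)], sorted(v)) for (cid, i), v in sorted(new_vals.items())]


def cansend_line(cid: int, data: bytes, iface: str = "can0") -> str:
    """can-utils command that would replay one classic (11-bit id) frame."""
    return f"cansend {iface} {cid:03X}#{data.hex().upper()}"


if __name__ == "__main__":
    base, act = parse_candump(BASELINE), parse_candump(ACTION)
    for cid, i, old, new in find_candidates(base, act):
        print(f"0x{cid:03X} byte {i}: 0x{old:02X} -> {[hex(n) for n in new]}")
        sample = next(f[2] for f in act if f[1] == cid)
        print("  replay with:", cansend_line(cid, sample))
```

Repeat the action capture several times and intersect the candidate lists; a byte that only shows up once is usually coincidence, not the control. The printed cansend line is a starting point for the spoofing test, and a replay that is ignored by the target module tells you either that you are on the wrong bus (a gateway between you and the module) or that the frame carries a counter or checksum that has to be regenerated.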
 

ataradov
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #1 on: May 02, 2024, 02:14:17 am »
For modern cars it is virtually impossible. Your first issue would be finding all the relevant CAN buses. There are more than one, and the one you get on the OBD II port is not likely to have messages from the A/C controls. It will have some diagnostic messages, but it is not likely to accept control stuff from an outside device.

Then all the messages are now encrypted. This varies from car to car, and cars based on the older designs may still use raw messages, all new designs will use encryption and authentication.

And just figuring out the data format is not going to be trivial.

And then on top of that there may be legal issues, and insuring or getting a payout for such a car may be impossible.

And often those in-cabin controls are on a LIN bus or other simpler interfaces like this. So, you would need to do quite a bit of reverse engineering.
« Last Edit: May 02, 2024, 02:16:22 am by ataradov »
Alex
 
The following users thanked this post: zzattack

moffy
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #2 on: May 02, 2024, 02:21:59 am »
I have to agree with ataradov that there is a lot of verification and encryption taking place in modern cars, but the degree would vary from manufacturer to manufacturer, with my opinion being that the European makes, e.g. Mercedes, BMW etc., would be the worst. If at all possible it would be expensive and time consuming, just not practical for a one-off. But I did find a link:
https://www.csselectronics.com/pages/can-bus-sniffer-reverse-engineering
might be of assistance.
 

ataradov
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #3 on: May 02, 2024, 02:44:19 am »
I would say that encryption is a requirement for all new designs and major redesigns. The reason you see lack of encryption is that those cars are based on dated software that nobody wants to change.

Encryption and especially authentication is one of those things that get approval from sales and marketing people. You can look good by claiming security and at the same time prevent aftermarket parts and independent repair.
Alex
 

Haenk
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #4 on: May 02, 2024, 04:47:07 am »
Just buy a used one on eBay. Cars do crash at times, and leave behind a nice pile of usable parts. The multimedia unit sitting next to the driver is probably one of the best-protected parts in the car, so likely to survive a crash. However they usually need to be coded to the car.
 

pdenisowski (Product Management Engineer, Rohde & Schwarz)
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #5 on: May 02, 2024, 04:59:03 am »
Quote from: ataradov
For modern cars it is virtually impossible. Your first issue would be finding all the relevant CAN buses. There are more than one, and the one you get on the OBD II port is not likely to have messages from the A/C controls. It will have some diagnostic messages, but it will not likely to accept control stuff from the outside device.

Then all the messages are now encrypted. This varies from car to car, and cars based on the older designs may still use raw messages, all new designs will use encryption and authentication.

And just figuring out the data format is not going to be trivial.

It's trivial to sniff the OBD II port.  There are also many very inexpensive commercial diagnostic tools that can be used to read and set or clear some codes / messages.  Many scopes or other analysis tools have the ability to import a DBC file that can convert the CAN messages to a more humanly-readable format, although it may be difficult to find the one needed.

https://www.csselectronics.com/pages/can-dbc-file-database-intro

It's also worth noting that some cars have been (can be) stolen using CAN injection, so accessing and manipulating "sensitive" parts of the CANbus is possible.  Here is a rather detailed (but very informative) article.

https://kentindell.github.io/2023/04/03/can-injection/

Can't speak to how widely encryption / authentication have been implemented in recent years, but from the article above and my own "sniffing" I'm not sure it's universal at this point.

« Last Edit: May 02, 2024, 05:07:50 am by pdenisowski »
Test and Measurement Fundamentals video series on the Rohde & Schwarz YouTube channel:  https://www.youtube.com/playlist?list=PLKxVoO5jUTlvsVtDcqrVn0ybqBVlLj2z8
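The DBC file pdenisowski mentions is the standard way signals are mapped onto the bits of a frame, and it is also what you would write yourself once the differential sniffing has told you which bits mean what. As an added example (not code from the post, from CSS Electronics, or from any scope vendor), here is a minimal parser for the BO_/SG_ lines of a DBC file together with a decoder and an encoder that handle both Intel (@1) and Motorola (@0) byte order. The DBC fragment is constructed and hypothetical: the message name, its ID 640 and the signal layout are invented and describe no real vehicle; a real file, if you can find one for your car, drops in unchanged.

```python
"""Minimal DBC parser and CAN frame decoder/encoder for classic 8-byte frames.

DBC byte orders: @1 = Intel (little endian, start bit is the LSB) and
@0 = Motorola (big endian, start bit is the MSB in DBC bit numbering).
"""
import re
from dataclasses import dataclass, field

# Constructed, hypothetical DBC fragment: message, id and signals are invented.
SAMPLE_DBC = """\
BO_ 640 HVAC_STATUS: 8 HVAC
 SG_ FanSpeed : 0|4@1+ (1,0) [0|7] "" Vector__XXX
 SG_ VentMode : 4|3@1+ (1,0) [0|5] "" Vector__XXX
 SG_ SetTempDriver : 8|8@1+ (0.5,10) [10|35] "degC" Vector__XXX
 SG_ OutsideTemp : 23|8@0- (1,0) [-40|85] "degC" Vector__XXX
"""

BO_RE = re.compile(r"^BO_ (\d+) (\w+): (\d+) (\w+)")
SG_RE = re.compile(
    r'^\s*SG_ (\w+) : (\d+)\|(\d+)@([01])([+-]) '
    r'\(([^,]+),([^)]+)\) \[([^|]+)\|([^\]]+)\] "([^"]*)"'
)


@dataclass
class Signal:
    name: str
    start: int            # DBC start bit
    length: int           # bit count
    little_endian: bool
    signed: bool
    factor: float
    offset: float
    unit: str


@dataclass
class Message:
    can_id: int           # DBC ids >= 0x80000000 denote 29-bit extended frames
    name: str
    dlc: int
    signals: list = field(default_factory=list)


def parse_dbc(text: str) -> dict[int, Message]:
    """Parse BO_/SG_ lines into {can_id: Message}; other DBC sections are ignored."""
    messages, current = {}, None
    for line in text.splitlines():
        bo = BO_RE.match(line)
        if bo:
            current = Message(int(bo[1]), bo[2], int(bo[3]))
            messages[current.can_id] = current
            continue
        sg = SG_RE.match(line)
        if sg and current is not None:
            current.signals.append(Signal(
                sg[1], int(sg[2]), int(sg[3]), sg[4] == "1", sg[5] == "-",
                float(sg[6]), float(sg[7]), sg[10]))
    return messages


def _bit_positions(sig: Signal):
    """Yield (byte index, bit index) for signal bit k = 0 (LSB) .. length-1 (MSB)."""
    for k in range(sig.length):
        if sig.little_endian:
            yield divmod(sig.start + k, 8)
        else:
            # Motorola: the MSB sits at the start bit; the rest follow in an MSB-first stream.
            byte0, bit0 = divmod(sig.start, 8)
            pos = byte0 * 8 + (7 - bit0) + (sig.length - 1 - k)
            byte, rem = divmod(pos, 8)
            yield byte, 7 - rem


def extract_raw(data: bytes, sig: Signal) -> int:
    raw = 0
    for k, (byte, bit) in enumerate(_bit_positions(sig)):
        raw |= ((data[byte] >> bit) & 1) << k
    if sig.signed and raw & (1 << (sig.length - 1)):
        raw -= 1 << sig.length          # two's complement
    return raw


def insert_raw(buf: bytearray, sig: Signal, raw: int) -> None:
    if raw < 0:
        raw += 1 << sig.length
    for k, (byte, bit) in enumerate(_bit_positions(sig)):
        if (raw >> k) & 1:
            buf[byte] |= 1 << bit


def decode_frame(messages, can_id: int, data: bytes) -> dict[str, float]:
    msg = messages[can_id]
    if len(data) < msg.dlc:
        raise ValueError(f"frame too short for {msg.name}: {len(data)} < {msg.dlc}")
    return {s.name: extract_raw(data, s) * s.factor + s.offset for s in msg.signals}


def encode_frame(messages, can_id: int, values: dict[str, float]) -> bytes:
    msg = messages[can_id]
    buf = bytearray(msg.dlc)
    for s in msg.signals:
        insert_raw(buf, s, round((values.get(s.name, s.offset) - s.offset) / s.factor))
    return bytes(buf)


if __name__ == "__main__":
    db = parse_dbc(SAMPLE_DBC)
    print(decode_frame(db, 640, bytes.fromhex("232AE60000000000")))
```

The Motorola case is where hand-written decoders usually go wrong: the DBC start bit names the most significant bit, and the bit numbering within each byte runs 7..0, so a 16-bit Motorola signal starting at bit 7 covers bytes 0 and 1 big-endian. Round-tripping encode_frame through decode_frame on a few captured frames is a cheap check that a DBC you found or wrote actually matches the bus.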
 

ataradov
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #6 on: May 02, 2024, 05:09:38 am »
Quote from: pdenisowski
It's trivial to sniff the OBD II port.

I never said that it was not. OBD II does not (always) expose the real CAN bus. It exposes enough to do diagnostics. I don't know if any of the internal logic will trust messages from the OBD II port outside of the normal diagnostic stuff.

And obviously there may be security issues with isolation, which could be attacked. But you can't rely on that and it is a lot of work to figure it out. Realistically it may be cheaper to buy a new car, unless you already have expertise hacking the cars.
« Last Edit: May 02, 2024, 05:46:33 am by ataradov »
Alex
 

elektryk
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #7 on: May 02, 2024, 05:31:40 am »
Quote from: ataradov
OBD II does not (always) expose the real CAN bus.

Many manufacturers use a CAN gateway, so only diagnostics are possible through the OBD connector, but there is also the possibility to listen to the internal CAN buses (for example drivetrain or comfort CAN).

BTW, in modern cars (especially European ones) FlexRay and MOST can also be used...
« Last Edit: May 02, 2024, 05:33:52 am by elektryk »
 

Smokey
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #8 on: May 02, 2024, 05:50:23 am »
Encryption for drivetrain stuff... maybe.
Encryption for infotainment and AC controls??... probably not.  That stuff is almost certainly not on the same CANBus as the drivetrain stuff.

I'm guessing, but I would think "hacking" the infotainment CANbus stuff should both be doable and pretty straightforward.
 

moffy
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #9 on: May 02, 2024, 05:59:41 am »
Quote from: Smokey
Encryption for drivetrain stuff... maybe.
Encryption for infotainment and AC controls??... probably not.  That stuff is almost certainly not on the same CANBus as the drivetrain stuff.

I'm guessing, but I would think "hacking" the infotainment CANbus stuff should both be doable and pretty straightforward.

Logic doesn't necessarily apply to car electronics. My son-in-law used to be a service technician for BMW; they had a case where the entertainment system needed to be replaced, and the entire car shut down because everything was on this plastic fibre bus, and the entertainment system broke the bus. They had to replace the module and reprogram many modules in the car to accept the change, madness. This was some while ago, hopefully they have improved, but just look at the cost of replacement electronic keys from the dealer.
« Last Edit: May 02, 2024, 06:02:45 am by moffy »
 

mark03 (Topic starter)
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #10 on: May 02, 2024, 05:36:07 pm »
Anyone familiar with openpilot:  https://comma.ai/  ?
(and here: https://github.com/commaai)

I'm not sure I would trust an open-source project to control my throttle and steering :o   although arguably (from friends I trust who have worked with automotive software) the quality of OEM code is not great.  But more relevant to the topic...  how are they getting access to those controls so easily?
 

ataradov
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #11 on: May 02, 2024, 06:10:57 pm »
Quote from: mark03
how are they getting access to those controls so easily?

It is not easy. They find and exploit those vulnerabilities and reverse engineer protocols and checksum/encryption schemes. This is why they work on very specific car makes and model years. It is still a lot of cars, but it is not going to get easier for them to support newer cars. I bet their plan is to stay alive long enough until they can officially sell their tech to the car companies.

I don't think it is open/closed source issue. It is more about trusting a third-party system of any kind. It might seem to work fine in most cases, but what if there is some corner case they have not handled correctly?

And yes, all the automotive code I have seen was pretty poor, with a lot of legacy code that just gets carried forward for ages.
« Last Edit: May 02, 2024, 06:15:40 pm by ataradov »
Alex
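The "checksum" part of what ataradov describes is, on most buses, a CRC-8 plus a rolling counter on the frames that matter, and recovering the CRC parameters from captures is the usual first step before anything can be injected. The block below is an added example, not code from comma.ai, openpilot or this thread, and it assumes a hypothetical frame layout that is not any OEM's: six payload bytes, a 4-bit counter in the low nibble of byte 6, and a CRC-8 over bytes 0..6 in byte 7. It searches a short list of common polynomials and init/xorout constants against a constructed capture, then shows on the receiver side why a replayed stale frame and an edited frame carrying the old CRC are both rejected while a correctly rebuilt frame is accepted. The polynomial (SAE J1850, 0x1D) and the sample frames are assumptions chosen for the illustration.

```python
"""Recover CRC-8 parameters from captured frames, and show why a naive replay of a
counter+CRC protected frame is rejected.

Assumed, hypothetical layout (illustration only, not any OEM's format):
bytes 0..5 payload, byte 6 low nibble = rolling counter, byte 7 = CRC-8 over bytes 0..6.
"""
from itertools import product


def crc8(data: bytes, poly: int, init: int = 0x00, xorout: int = 0x00) -> int:
    """Bitwise (non-reflected) CRC-8 with the given polynomial, initial value and final XOR."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ xorout


# Polynomials worth trying first: CRC-8 (0x07), SAE J1850 (0x1D), Maxim (0x31),
# WCDMA (0x9B), DVB-S2 (0xD5), AUTOSAR 'H2F' (0x2F). init/xorout are usually 0x00 or 0xFF.
CANDIDATE_POLYS = (0x07, 0x1D, 0x31, 0x9B, 0xD5, 0x2F)
CANDIDATE_CONSTS = (0x00, 0xFF)


def find_crc8_params(frames) -> list[tuple[int, int, int]]:
    """Every (poly, init, xorout) under which byte 7 == crc8(bytes 0..6) for ALL frames.
    Feed it several frames with different payloads and counters, or more than one fits."""
    return [
        (poly, init, xorout)
        for poly, init, xorout in product(CANDIDATE_POLYS, CANDIDATE_CONSTS, CANDIDATE_CONSTS)
        if all(crc8(f[:7], poly, init, xorout) == f[7] for f in frames)
    ]


def build_frame(payload: bytes, counter: int, poly=0x1D, init=0x00, xorout=0x00) -> bytes:
    """Sender side: six payload bytes, counter nibble, then the CRC."""
    body = payload[:6].ljust(6, b"\x00") + bytes([counter & 0x0F])
    return body + bytes([crc8(body, poly, init, xorout)])


def verify_frame(frame: bytes, expected_counter: int, poly=0x1D, init=0x00, xorout=0x00) -> bool:
    """Receiver side: reject a bad CRC and any counter other than the next expected one."""
    if len(frame) != 8 or crc8(frame[:7], poly, init, xorout) != frame[7]:
        return False
    return (frame[6] & 0x0F) == (expected_counter & 0x0F)


# Constructed capture: four consecutive frames of one message, counters 0..3,
# generated with the SAE J1850 polynomial (what the search should recover).
SAMPLE_FRAMES = [build_frame(bytes([0x03, 0x00, 0x01, 0x00, 0x00, 0x00]), n) for n in range(4)]


def replay_outcomes() -> tuple[bool, bool, bool]:
    """(stale replay accepted?, edited frame with old CRC accepted?, rebuilt frame accepted?)"""
    receiver_expects = 4                                 # receiver already saw counters 0..3
    stale = SAMPLE_FRAMES[2]
    edited = bytes([0x03, 0x00, 0x04]) + stale[3:]       # byte 2 changed; counter and CRC as captured
    rebuilt = build_frame(bytes([0x03, 0x00, 0x04, 0x00, 0x00, 0x00]), receiver_expects)
    return (verify_frame(stale, receiver_expects),
            verify_frame(edited, receiver_expects),
            verify_frame(rebuilt, receiver_expects))


if __name__ == "__main__":
    print("CRC parameters matching all captured frames:",
          [(hex(p), hex(i), hex(x)) for p, i, x in find_crc8_params(SAMPLE_FRAMES)])
    print("stale / edited / rebuilt accepted:", replay_outcomes())
```

This is also the part a module vendor can make arbitrarily harder: a CRC seeded with a per-message constant, a counter that is wider than a nibble, or a real MAC keyed with a secret the ECU holds all defeat the parameter search, and the last of these is what "authentication" in the earlier replies means.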
 

Jeff eelcr
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #12 on: May 04, 2024, 12:10:54 am »
15 to 20 years, no way; even now you might find parts no longer available on five-year-old systems.
Manufacturers no longer care to support their products; that includes parts and service.
How much longer will it take before all tape deck parts are gone, then CD players, and DVD?
Early CD and DVD parts are gone now, and have been for years; many displays are no longer available.
Navigation units, same thing; even the parts required to keep the vehicle running ("computers") are a problem now.
As of now many coded radios may not be done, as BMW seems to have lost the early codes stored in their computers.
Mitsubishi did this a long time ago with some series of radios.
Even if you can figure out the programming, the parts required will not be around, and the equipment to replace them is not cheap either.

Jeff
 

Stray Electron
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #13 on: May 04, 2024, 01:16:55 am »
Seriously, if I was in your position and I wanted a car that I could drive for years to come and that won't be rendered useless by the failure of a single module, I would look for an older used model that doesn't have all of the interconnectivity and that isn't totally controlled by the entertainment screen.  Any car that shuts down because of the electronic SN of a module would be OFF of my list of possible candidates.  Also the LCD screens in those entertainment systems WILL go bad in ten years or so just from sun exposure and the heat, and from what I've seen are totally non-replaceable.  Cars operated solely by the entertainment system are disposable crap IMO.

Older model but very good condition and low mileage cars are available, but it will take some looking and you'll almost certainly not find them at any dealership.  It took me several weeks and a lot of searching, but last week I bought something that I've wanted for a long time, an older model Mercedes SL500 roadster, in super condition and very low mileage.  This one has led a sheltered life and all of the plastics, including the entertainment system, in it are still in great shape.

My other advice is to buy a model that was widely sold so that there is at least a chance of finding used parts after the manufacturer and dealers decide to no longer support that model.  That's assuming that you buy something that doesn't check the electronic serial number of all of the modules.  If you buy one that checks ESNs then you're screwed when anything in your car breaks.
 

uer166
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #14 on: May 04, 2024, 01:58:25 am »
Quote from: mark03
Anyone familiar with openpilot:  https://comma.ai/  ?
(and here: https://github.com/commaai)

I'm not sure I would trust an open-source project to control my throttle and steering :o   although arguably (from friends I trust who have worked with automotive software) the quality of OEM code is not great.  But more relevant to the topic...  how are they getting access to those controls so easily?

They don't really "control throttle and steering" in a sense that it takes 100% over. You can always override steering manually and disable throttle via brake, you can't usually force it through CAN.

The overrides are done at a much lower level and the signaling there does not go over CAN, but is hardwired into the steering EPAS and drive units.
 

darkspr1te
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #15 on: May 04, 2024, 07:29:08 am »
I dislike touch screens in cars, I like to be able to reach out and feel the button.
My quirks aside, sniffing the Subaru infotainment bus is quite easy and has been done before; openpilot has a lot of the CAN codes too.
I had to do the same to make my JDM RAV4 compatible with my Android radio's canbox, so an Arduino and CAN bus adapter allowed me to sniff the bus, figure out the codes for the AC controls and add that to the canbox adapter.
I have seen you can buy these adapters for Subaru, so chances are you can swap your OEM infotainment system out for an Android model.

darkspr1te
 

max_torque
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #16 on: May 04, 2024, 10:04:13 am »
buy car, drive it.

In 20 to 30 years time, you might be dead and for certain the car will be worthless.  Why worry about "what if's"?

Infotainment would be the last of my worries tbh; things like turbo wastegate drivers, EGR valves, VVT, high pressure fuel pumps, DPFs, DMFs, DCTs and a million complex mechanical parts in a modern car wear out each and every time you drive it.......

 

xrunner
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #17 on: May 04, 2024, 11:47:12 am »
Quote from: mark03
Some background:  My wife and I are in the market for a car, possibly a Subaru Outback.  We'd be happy buying used, especially if we could obtain one of the elusive manual transmissions which are very hard to find now in the US.  But the used market is still weird, and buying new may be a better value.  We've test-driven the 2024 Outback and mostly like it, but the "infotainment" system is a potential show-stopper for us.  Subaru have moved to an 11" touchscreen with fairly limited tactile controls.  In particular, most of the climate controls are touchscreen only.

Apart from the obvious stupidity of driver-operated touchscreen controls, we both feel like the infotainment could be an expensive time bomb.  We try to drive our cars into the ground, at least 300,000 km and hopefully longer.  What happens 15-20 years down the road when something in the infotainment gives out?  We can live without a radio, but not without heat/AC.  This touchscreen madness is infecting multiple car brands and increasingly hard to avoid.

Hey Mark. I just bought a 2024 Subaru Crosstrek Wilderness a few weeks ago. It has the same display you are talking about. The Crosstrek I had before (2017 model) had more of the controls as physical knobs, so some of this touch screen design I had to get used to. Some parts of the design I like other parts I don't, but what are you going to do? I used to work on my cars back in the day in high school when things were simpler, but I won't touch a lot of it anymore.

I was looking around at how it was built, and you can see a module in the engine bay with two giant cables going to it. Is it a compute module for the engine? I haven't tried to find out but the point is the thing is a complex compute device on four wheels, just like most of the new cars out there now. I don't think I'm telling you anything you don't know already. I'm just saying you probably are going to have to buy an older vehicle if you are worried about the touch screen going bad. Me I'm not worrying about it. It's a part that can be replaced just like any other in the vehicle, so it doesn't bother me.
 

langwadt
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #18 on: May 04, 2024, 02:53:53 pm »
Quote from: darkspr1te
I dislike touch screens in cars, i like to be able to reach out and feel the button.

AFAIU ADAC is going to start deducting safety points if certain functions are not physical buttons.
 

elektryk
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #19 on: May 04, 2024, 07:36:55 pm »
Quote from: Stray Electron
Seriously, if I was in your position and I wanted a car that I could drive for years to come and that won't be rendered useless by the failure of a single module, I would look for an older used model that doesn't have all of the inter connectivity and that isn't totally controlled by the entertainment screen.

Good idea unless your country plans to ban old cars or already does so.
 

Stray Electron
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #20 on: May 04, 2024, 11:26:13 pm »


Quote from: elektryk
Good idea unless your country plans to ban old cars or already does so.

FYI: It's already happened in the U.S.  The Cash for Clunkers program was an attempt to get rid of (buy up and destroy) as many old cars as possible.  Also the switch to non-leaded fuel in the mid 1980s meant that many older cars (that required leaded fuel to prevent damage to the exhaust valves) became pretty much unusable.

But this isn't about getting rid of old cars that might generate more air pollution.  This is the auto makers designing their cars so that they CAN'T be repaired once their limited supply of (grossly overpriced) spare parts modules are sold out.  With the E serial numbers, it will be impossible to reuse modules from a wrecked car so the car owners will be 100% reliant on the auto makers for any replacement parts.  That's very bad news for anyone that wants to keep their car for more than a very limited number of years.  And it will also drive the price of spare parts (and car ownership) through the roof.

Ca-Ching$ for the auto dealers and manufacturers.
 
The following users thanked this post: mjkuwp

elektryk
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #21 on: May 05, 2024, 04:59:44 am »
Quote from: Stray Electron
But this isn't about getting rid of old cars that might generate more air pollution.  This is the auto makers designing their cars so that they CAN'T be repaired once their limited supply of (grossly overpriced) spare parts modules are sold out.

It is a bit related indeed. Newer engines have much more sophisticated equipment than older ones, so any repair simply will be much more pricey.

BTW, European manufacturers not only use component protection, they also very much like feature codes for which you must pay... So even if you buy a brand new part it can't just be connected by a technician without online tools with a paid subscription.
It also prevents retrofitting things such as ACC or a navigation unit.
« Last Edit: May 05, 2024, 05:10:02 am by elektryk »
 

pdenisowski (Product Management Engineer, Rohde & Schwarz)
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #22 on: May 05, 2024, 02:41:33 pm »
Quote from: Stray Electron
Also the switch to non-leaded fuel in the mid 1980s meant that many older cars (that required leaded fuel to prevent damage to the exhaust valves) became pretty much unusable.

Speaking as someone who had to choose between "leaded" and "unleaded" when I first started pumping gasoline:  even to this day you can still drive cars that originally used leaded gasoline.

You may need / want to use a lead substitute (available at most auto parts stores in the United States), but for some use cases, such as light use or cars rebuilt with hardened cylinder head seats, you can use "normal" unleaded gasoline without issues.
 

Smokey
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #23 on: May 05, 2024, 08:54:56 pm »
Quote from: Stray Electron
...
The Cash for Clunkers program was an attempt to get rid of (buy up and destroy) as many old cars as possible.
...

To fully lean into the off-topicness of this....

I know a guy that ran a two-bay automotive repair shop here in town.  He said that the "cash for clunkers" program crushed his business, which for a large part was repairing those clunkers.  Collateral damage.
 

uer166
Re: A naive question about automotive CANbus sniffing and spoofing
« Reply #24 on: May 05, 2024, 09:26:26 pm »
Quote from: Stray Electron
But this isn't about getting rid of old cars that might generate more air pollution.  This is the auto makers designing their cars so that they CAN'T be repaired once their limited supply of (grossly overpriced) spare parts modules are sold out.  With the E serial numbers, it will be impossible to reuse modules from a wrecked car so the car owners will be 100% reliant on the auto makers for any replacement parts.  That's very bad news for anyone that wants to keep their car for more than a very limited number of years.  And it will also drive the price of spare parts (and car ownership) through the roof.

Ca-Ching$ for the auto dealers and manufacturers.

What an absolute load of crap.

1) The vast majority of ECMs are not locked down by SN with exception of maybe the immobilizer/security module.
2) The over-pricing of replacement parts is a choice. E.g. Tesla often sells them at or below cost. You end up with a situation where the main pyro fuse can be had for the price of lunch.
3) Service does not really make auto mfg money. Warranty costs billions so they'd rather the stuff be reliable in the first place.
4) The diagnostic tools of modern cars are so far ahead of years prior, the vehicle knows exactly what's wrong with itself like 80% of the time. Those tools are now more than ever available to end users and independent service centers for a fee.
5) The reliability of modern vehicles is orders of magnitude higher than anything from the 1980s/90s, in part due to computerization and modern control loops, negating need for any physical tuning. The overall $/mile is quite low as well.
6) As someone who lives in a big city, I am absolutely thankful there are no more small diesels, and something like ~30% of vehicles are now EVs. The externalities of shitty old cars cannot be overstated.
 

