New Tool From Cisco Hunts Flaws in Automotive Computers

Cisco has released a new hardware tool designed to help researchers, developers and automakers discover vulnerabilities in automobile computers. 

Modern vehicles contain hundreds of sensors that feed information about the surrounding environment to the vehicle computer. These components deliver real-time information to the driver, connect the car to a network, and even automatically drive the vehicle, but they are susceptible to vulnerabilities in software, remote control, or abuse via physical access.

The global connected car market is expected to exceed $225 billion by 2025, and Cisco aims to help secure this emerging technology with the release of a new hardware tool called 4CAN.

Released as open-source, the tool is meant for all automobile security researchers who want to test their on-board computers for potential vulnerabilities. 

Access to the vehicle computer, Cisco notes, is possible via Wi-Fi, Bluetooth, or cellular communication protocols, but the backbone of a vehicle’s network is a Controller Area Network (CAN). Typically, a car has multiple CAN buses combined with a gateway, and vehicles that Cisco’s researchers tested have 4 CAN buses. 

While devices that allow testing of the CAN bus do exist, each with pros and cons, none provides the ease of use Cisco was looking for. 

The 4CAN tool was designed to help validate communication policy for intra-CAN bus communication, fuzz components (send them randomized payloads) to identify vulnerabilities, explore the CAN commands used to control or interact with the vehicle, and simplify a testbench setup to keep everything organized and in sync.

George Tarnovsky, a member of Cisco’s Customer Experience Assessment & Penetration Team (CX APT), is the originator of the 4CAN’s design, which was inspired by and is loosely based on the IndustrialBerry QUAD CAN BUS adapter for Raspberry CanBerry.

“Using 4CAN, the test bench setup is vastly simplified. With a single Raspberry Pi, we can simultaneously test four CAN channels, and since the 4CAN exposes the entire 40-pin GPIO header, we can remotely control the test vehicle,” Cisco explains. 

The 4CAN tool has been released in open source and is available on GitHub, licensed under a Creative Commons Attribution Share-Alike license.
